Interface AuthorizationEngine


public interface AuthorizationEngine

An AuthorizationEngine is responsible for making the core decisions about whether a request should be authorized or not. The engine can and usually will be called multiple times during the authorization of a request. Security categorizes requests into a few different buckets and uses the action name as the indicator of what a request will perform. Internally, the action name is used to map a TransportRequest to the actual TransportAction that will handle the request.


Requests can be a cluster request or an indices request. Cluster requests are requests that tend to be global in nature; they could affect the whole cluster. Indices requests are those that deal with specific indices; the actions could have the effect of reading data, modifying data, creating an index, deleting an index, or modifying metadata.


Each call to the engine will contain an AuthorizationEngine.RequestInfo object that contains the request, action name, and the authentication associated with the request. This data is provided to the engine so that all information about the request can be used to make the authorization decision.


The methods of the engine will be called in the following order:
  1. resolveAuthorizationInfo(RequestInfo, ActionListener) to retrieve information necessary to authorize the given user. It is important to note that the AuthorizationEngine.RequestInfo may contain an Authentication object that actually has two users when the run as feature is used and this method should resolve the information for both. To check for the presence of run as, use the Authentication.isRunAs() method.
  2. authorizeRunAs(RequestInfo, AuthorizationInfo, ActionListener) if the request is making use of the run as feature. This method is used to ensure the authenticated user can actually impersonate the user running the request.
  3. authorizeClusterAction(RequestInfo, AuthorizationInfo, ActionListener) if the request is a cluster level operation.
  4. authorizeIndexAction(RequestInfo, AuthorizationInfo, AsyncSupplier, Metadata, ActionListener) if the request is an index action. This method may be called multiple times for a single request as the request may be made up of sub-requests that also need to be authorized. The async supplier for resolved indices will invoke the loadAuthorizedIndices(RequestInfo, AuthorizationInfo, Map, ActionListener) method if it is used as part of the authorization process.

NOTE: the loadAuthorizedIndices(RequestInfo, AuthorizationInfo, Map, ActionListener) method may be called prior to authorizeIndexAction(RequestInfo, AuthorizationInfo, AsyncSupplier, Metadata, ActionListener) in cases where wildcards need to be expanded.


Authorization engines can be called from various threads, including network threads that should not be blocked waiting for I/O. Network threads in Elasticsearch are limited and we rely on asynchronous processing to ensure optimal use of network threads; this is unlike many other Java-based servers that have a thread for each concurrent request, on which blocking operations can take place. Given this, it is imperative that the implementations used here do not block when calling out to an external service or waiting on some data.
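To make the call order and the non-blocking contract concrete, here is an added model of the sequence listed above; it is an illustration written for this page, not Elasticsearch's own code. It pairs a small role-based engine with a driver that invokes it in the listed order: resolve, run-as check (only when run-as is used), then the cluster or index check, with wildcard expansion going through loadAuthorizedIndices only when the resolved-indices supplier is actually used. The method names follow the page; the data classes, the constructed role table and user list, the `INDICES` set standing in for the cluster metadata, and the simplified callback-style signatures are assumptions. Every answer is delivered through the listener callback rather than returned, which is the shape the non-blocking requirement forces on a real engine.

```python
"""Model of the AuthorizationEngine call sequence (added example, not Elasticsearch code).

Method names follow the page; data classes, the role table, INDICES and the
simplified callback signatures are assumptions made for this illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Optional

Listener = Callable[[object], None]  # stand-in for ActionListener.onResponse


@dataclass
class Authentication:
    user: str
    run_as: Optional[str] = None  # set when the run-as feature is used

    def is_run_as(self) -> bool:
        return self.run_as is not None

    def effective_user(self) -> str:
        return self.run_as or self.user


@dataclass
class RequestInfo:
    """Request, action name and authentication, as the page describes."""
    action: str                    # e.g. "indices:data/read/search"
    indices: tuple                 # requested names or wildcard patterns
    authentication: Authentication


@dataclass
class AuthorizationInfo:
    """Resolved for BOTH users when run-as is in play (step 1 on the page)."""
    authenticated: dict  # privileges of the user who authenticated
    effective: dict      # privileges of the user the request runs as


# Constructed role table and users (assumption): role -> privilege pattern sets.
ROLES = {
    "admin":  {"cluster": {"cluster:*"}, "indices": {"*"}, "run_as": {"*"}},
    "reader": {"cluster": set(), "indices": {"logs-*"}, "run_as": set()},
    "kibana": {"cluster": {"cluster:monitor/*"}, "indices": {".kibana*"}, "run_as": {"bob"}},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"reader"}, "svc": {"kibana"}}
# Constructed stand-in for the cluster metadata's index lookup.
INDICES = {"logs-2024", "logs-2023", ".kibana_1", "secrets"}


def _matches(name: str, patterns: set) -> bool:
    return any(fnmatchcase(name, p) for p in patterns)


class RoleBasedEngine:
    """Minimal engine: every answer goes back through the listener. A real engine
    that needs I/O would hand the listener to an async client instead of blocking."""

    @staticmethod
    def _privileges(user: str) -> dict:
        merged = {"cluster": set(), "indices": set(), "run_as": set()}
        for role in USER_ROLES.get(user, ()):
            for key in merged:
                merged[key] |= ROLES[role][key]
        return merged  # unknown users end up with no privileges at all

    def resolve_authorization_info(self, req, listener):
        auth = req.authentication
        listener(AuthorizationInfo(self._privileges(auth.user),
                                   self._privileges(auth.effective_user())))

    def authorize_run_as(self, req, info, listener):
        # May the *authenticated* user impersonate the run-as target?
        listener(_matches(req.authentication.run_as, info.authenticated["run_as"]))

    def authorize_cluster_action(self, req, info, listener):
        listener(_matches(req.action, info.effective["cluster"]))

    def load_authorized_indices(self, req, info, index_lookup, listener):
        # Wildcard expansion: which concrete indices may the effective user see?
        listener({n for n in index_lookup if _matches(n, info.effective["indices"])})

    def authorize_index_action(self, req, info, resolved_supplier, index_lookup, listener):
        # The supplier is asynchronous: it calls back once concrete indices are known.
        resolved_supplier(lambda names: listener(
            all(_matches(n, info.effective["indices"]) for n in names)))


def authorize(engine, req, index_lookup):
    """Drive the engine in the page's order; returns {'granted': bool, 'trace': [...]}."""
    trace, outcome = [], {}

    def finish(granted):
        outcome.update(granted=granted, trace=trace)

    def after_run_as(info, allowed):
        if not allowed:
            return finish(False)
        if req.action.startswith("cluster:"):
            trace.append("authorizeClusterAction")
            return engine.authorize_cluster_action(req, info, finish)

        def resolved_indices(cb):
            # Lazy supplier: explicit names pass through; wildcards expand only
            # against what loadAuthorizedIndices reports as authorized.
            explicit = {i for i in req.indices if "*" not in i}
            patterns = {i for i in req.indices if "*" in i}
            if not patterns:
                return cb(explicit)
            trace.append("loadAuthorizedIndices")
            expanded = {n for n in index_lookup if _matches(n, patterns)}
            engine.load_authorized_indices(
                req, info, index_lookup, lambda auth: cb(explicit | (expanded & auth)))

        trace.append("authorizeIndexAction")
        engine.authorize_index_action(req, info, resolved_indices, index_lookup, finish)

    def after_resolve(info):
        trace.append("resolveAuthorizationInfo")
        if req.authentication.is_run_as():
            trace.append("authorizeRunAs")
            engine.authorize_run_as(req, info, lambda ok: after_run_as(info, ok))
        else:
            after_run_as(info, True)

    engine.resolve_authorization_info(req, after_resolve)
    return outcome


if __name__ == "__main__":
    eng = RoleBasedEngine()
    for who, run_as, action, idx in [("bob", None, "indices:data/read/search", ("*",)),
                                     ("svc", "bob", "indices:data/read/search", ("logs-2024",)),
                                     ("bob", None, "cluster:admin/settings/update", ())]:
        print(who, run_as, action, idx, authorize(eng, RequestInfo(action, idx, Authentication(who, run_as)), INDICES))
```

Two details of the driver are worth noting. The explicit index `secrets` in a mixed request is not silently dropped by wildcard expansion; it reaches authorizeIndexAction and causes a denial, whereas a bare `*` expands only to what the effective user may see. And a run-as request resolves privileges for both users but checks run-as against the authenticated user's privileges and the action against the effective user's, which is the split step 1 asks engines to preserve.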