Module org.elasticsearch.xcore
Class IndicesPermission
java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission
A permission that is based on privileges for index-related actions executed
on specific indices.
-
Nested Class Summary
Nested Classes
Modifier and Type / Class / Description
static class
static class
static class
    This encapsulates the authorization test for resources.
-
Field Summary
Fields
-
Method Summary
Modifier and Type / Method / Description
org.apache.lucene.util.automaton.Automaton allowedActionsMatcher(String index)
allowedIndicesMatcher(String action)
IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, Metadata metadata, FieldPermissionsCache fieldPermissionsCache)
    Authorizes the provided action against the provided indices, given the current cluster metadata
boolean check
    Checks if the permission matches the provided action, without looking at indices.
boolean checkResourcePrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, boolean combineIndexGroups, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
    For given index patterns and index privileges determines allowed privileges and creates an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges where resource is index pattern and the map of index privilege to whether it is allowed or not.
boolean checkResourcePrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
groups()
boolean hasFieldOrDocumentLevelSecurity()
-
Field Details
-
NONE
-
-
Method Details
-
groups
-
allowedIndicesMatcher
- Returns:
- A predicate that will match all the indices that this permission has the privilege for executing the given action on.
-
hasFieldOrDocumentLevelSecurity
public boolean hasFieldOrDocumentLevelSecurity()
-
check
Checks if the permission matches the provided action, without looking at indices. To be used in very specific cases where indices actions need to be authorized regardless of their indices. The use case for this is composite actions that are initially only authorized based on the action name (indices are not checked on the coordinating node), and properly authorized later at the shard level, checking their indices as well.
-
checkResourcePrivileges
public boolean checkResourcePrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
-
checkResourcePrivileges
public boolean checkResourcePrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, boolean combineIndexGroups, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
For given index patterns and index privileges determines allowed privileges and creates an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges where resource is index pattern and the map of index privilege to whether it is allowed or not.
- Parameters:
- checkForIndexPatterns - check permission grants for the set of index patterns
- allowRestrictedIndices - if true then checks permission grants even for restricted indices by index matching
- checkForPrivileges - check permission grants for the set of index privileges
- combineIndexGroups - combine index groups to enable checking against regular expressions
- resourcePrivilegesMapBuilder - out-parameter for returning the details on which privilege over which resource is granted or not. Can be null when no such details are needed so the method can return early, after encountering the first privilege that is not granted over some resource.
- Returns:
- true when all the privileges are granted over all the resources, or false otherwise
-
allowedActionsMatcher
-
authorize
public IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, Metadata metadata, FieldPermissionsCache fieldPermissionsCache)
Authorizes the provided action against the provided indices, given the current cluster metadata
-