Module org.elasticsearch.security
Class PreAuthorizationUtils
java.lang.Object
org.elasticsearch.xpack.security.authz.PreAuthorizationUtils
Field Summary
Fields
Modifier and Type, Field, Description:
- CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT: This map holds parent-child action relationships for which we can optimize authorization and skip authorization for child actions if the parent action is successfully authorized.
Method Summary
Modifier and Type, Method, Description:
- static void maybeSkipChildrenActionAuthorization(SecurityContext securityContext, AuthorizationEngine.AuthorizationContext parentAuthorizationContext): This method sets AuthorizationEngine.ParentActionAuthorization as a header in the thread context, which will be used for skipping authorization of child actions if the following conditions are met:
  - parent action is one of the actions whitelisted in CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT
  - FLS and DLS are not configured
  - RBACEngine was used to authorize parent request and not a custom authorization engine
- static boolean shouldPreAuthorizeChildByParentAction(AuthorizationEngine.RequestInfo childRequestInfo, AuthorizationEngine.AuthorizationInfo childAuthorizationInfo)
- static boolean shouldRemoveParentAuthorizationFromThreadContext(Optional<String> remoteClusterAlias, String childAction, SecurityContext securityContext)
Field Details
CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT
This map holds parent-child action relationships for which we can optimize authorization and skip authorization for child actions if the parent action is successfully authorized. Normally every action would be authorized on a local node on which it's being executed. Here we define all child actions for which the authorization can be safely skipped on a remote node as they only access a subset of resources.
Method Details
maybeSkipChildrenActionAuthorization
public static void maybeSkipChildrenActionAuthorization(SecurityContext securityContext, AuthorizationEngine.AuthorizationContext parentAuthorizationContext)
This method sets AuthorizationEngine.ParentActionAuthorization as a header in the thread context, which will be used for skipping authorization of child actions if the following conditions are met:
- parent action is one of the actions whitelisted in CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT
- FLS and DLS are not configured
- RBACEngine was used to authorize parent request and not a custom authorization engine
shouldRemoveParentAuthorizationFromThreadContext
public static boolean shouldRemoveParentAuthorizationFromThreadContext(Optional<String> remoteClusterAlias, String childAction, SecurityContext securityContext)
shouldPreAuthorizeChildByParentAction
public static boolean shouldPreAuthorizeChildByParentAction(AuthorizationEngine.RequestInfo childRequestInfo, AuthorizationEngine.AuthorizationInfo childAuthorizationInfo)
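
The gating described for CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT and maybeSkipChildrenActionAuthorization can be modeled as below. This is an added example and not Elasticsearch code: it shows that the skip is granted only when all three conditions hold and that every other case falls back to full child authorization. The class, record and method names, the action names, the string-typed engine and the child-side check are all assumptions made for illustration (Java 16+ for records).

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Hypothetical, simplified model of parent-to-child pre-authorization. */
public class PreAuthorizationModel {
    // Constructed allowlist: parent action -> child actions that only touch a subset of its resources.
    static final Map<String, Set<String>> CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT =
        Map.of("example:parent/search", Set.of("example:parent/search[phase/query]"));

    // Assumed shape of what is known about the parent request once it has been authorized.
    record ParentAuthorization(String action, String engine, boolean flsOrDlsConfigured) {}

    // Parent side: produce the header value only when all three documented conditions hold.
    static Optional<String> headerForChildren(ParentAuthorization parent) {
        boolean allowlisted = CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT.containsKey(parent.action());
        boolean rbacEngine = "RBACEngine".equals(parent.engine());
        if (allowlisted && rbacEngine && !parent.flsOrDlsConfigured()) {
            return Optional.of(parent.action());
        }
        return Optional.empty(); // fail closed: children go through full authorization
    }

    // Child side (assumed check): skip only if a header is present and its parent lists this child.
    static boolean canSkipChildAuthorization(Optional<String> parentHeader, String childAction) {
        return parentHeader
            .map(p -> CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT.getOrDefault(p, Set.of()).contains(childAction))
            .orElse(false);
    }

    public static void main(String[] args) {
        String child = "example:parent/search[phase/query]";
        ParentAuthorization[] parents = {
            new ParentAuthorization("example:parent/search", "RBACEngine", false),   // all conditions met
            new ParentAuthorization("example:parent/search", "RBACEngine", true),    // FLS/DLS configured
            new ParentAuthorization("example:parent/search", "CustomEngine", false), // custom engine
            new ParentAuthorization("example:other/action", "RBACEngine", false),    // parent not allowlisted
        };
        for (ParentAuthorization p : parents) {
            Optional<String> header = headerForChildren(p);
            System.out.printf("%s engine=%s fls/dls=%b -> header set=%b, skip child=%b%n",
                p.action(), p.engine(), p.flsOrDlsConfigured(),
                header.isPresent(), canSkipChildAuthorization(header, child));
        }
        // A child that the parent does not list is still fully authorized, even with a valid header.
        System.out.println(canSkipChildAuthorization(Optional.of("example:parent/search"), "example:admin/delete"));
    }
}
```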