Class DeprecationRoleDescriptorConsumer

java.lang.Object
org.elasticsearch.xpack.security.authz.store.DeprecationRoleDescriptorConsumer
All Implemented Interfaces:
Consumer<Collection<RoleDescriptor>>

public final class DeprecationRoleDescriptorConsumer extends Object implements Consumer<Collection<RoleDescriptor>>
Inspects all aliases that have greater privileges than the indices they point to, and logs each role descriptor that grants privileges in this manner as deprecated and requiring changes. This is done in preparation for the removal of the ability to define privileges over aliases. The log messages are generated asynchronously and do not produce deprecation response headers.

One log entry is generated for each role descriptor and alias pair, and it lists all the indices for which the privileges are a subset of those of the alias. In this case the administrator has to adjust the index privilege definition of the respective role so that its name patterns do not cover aliases (or rename the aliases). If nothing is logged, then the roles used for the current indices and aliases are not affected by the subsequent breaking change. However, role descriptors that are not in use (not mapped to a user currently using the system) are invisible to this check, and role descriptors can also be added dynamically by role providers. In addition, role descriptors are merged when building the effective role, so a role-alias pair reported as deprecated might have no actual impact if other role descriptors cover its indices.

The check iterates over all indices and aliases for each role descriptor, so it is computationally expensive. For this reason it is run only once a day for each role. If the role definitions stay the same, the deprecations can change from one day to the next only if aliases or indices are added.
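An added example (not the Elasticsearch source) of the check this class performs: for each role, the privileges its index name patterns grant on an alias are compared with those granted on every index behind that alias, and the once-a-day throttle per role is modelled with a map of last-check timestamps. The sample aliases, role descriptors and function names are constructed for illustration, and privilege names are compared as plain strings rather than resolved to actions as the real class does.

```python
from fnmatch import fnmatchcase

ONE_DAY_SECONDS = 24 * 60 * 60

# Constructed sample cluster metadata: alias name -> indices it points to.
ALIASES = {"logs": ["logs-2024.01", "logs-2024.02"], "metrics": ["metrics-cold"]}

# Constructed role descriptors: role -> index privilege groups of (name patterns,
# privileges). Privileges are opaque strings here; the real class resolves them.
ROLES = {
    "log_reader": [
        (["logs"], {"read", "write"}),  # grants write through the alias only
        (["logs-*"], {"read"}),         # the backing indices get read only
    ],
    "metrics_admin": [(["metrics*"], {"all"})],  # covers alias and index alike
}

def granted_privileges(groups, name):
    """Union of privileges from every group whose name pattern matches `name`."""
    privs = set()
    for patterns, names in groups:
        if any(fnmatchcase(name, p) for p in patterns):
            privs |= names
    return privs

def find_deprecated_alias_grants(groups, aliases):
    """{alias: [indices]} where the alias grants a privilege that the role
    does not also grant directly on the index, i.e. alias > index."""
    findings = {}
    for alias, indices in aliases.items():
        alias_privs = granted_privileges(groups, alias)
        inferior = [i for i in indices if not alias_privs <= granted_privileges(groups, i)]
        if inferior:
            findings[alias] = inferior
    return findings

def check_roles(roles, aliases, now, last_checked):
    """Check each role at most once per day; `last_checked` maps role -> unix time."""
    reports = {}
    for role, groups in roles.items():
        if role in last_checked and now - last_checked[role] < ONE_DAY_SECONDS:
            continue  # the scan is expensive, so it is throttled per role
        last_checked[role] = now
        findings = find_deprecated_alias_grants(groups, aliases)
        if findings:
            reports[role] = findings
    return reports
```

For `log_reader` the alias `logs` grants `write` that neither backing index receives directly, so both indices are reported; `metrics_admin` uses one pattern that covers alias and index alike and produces no finding.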