Class SecurityContext

java.lang.Object
org.elasticsearch.xpack.core.security.SecurityContext

public class SecurityContext extends Object
A lightweight utility that can find the current user and authentication information for the local thread.
  • Constructor Details

  • Method Details

    • requireUser

      public User requireUser()
      Returns the current user information, or throws ElasticsearchSecurityException if the current request has no authentication information.
    • getUser

      @Nullable public User getUser()
      Returns the current user information, or null if the current request has no authentication info.
    • getAuthentication

      @Nullable public Authentication getAuthentication()
      Returns the authentication information, or null if the current request has no authentication info.
    • getAuthorizationInfoFromContext

      public AuthorizationEngine.AuthorizationInfo getAuthorizationInfoFromContext()
    • getParentAuthorization

      @Nullable public AuthorizationEngine.ParentActionAuthorization getParentAuthorization()
    • setParentAuthorization

      public void setParentAuthorization(AuthorizationEngine.ParentActionAuthorization parentAuthorization)
    • getSecondaryAuthentication

      public SecondaryAuthentication getSecondaryAuthentication()
      Returns the "secondary authentication" (see SecondaryAuthentication) information, or null if the current request does not have a secondary authentication context.
    • getThreadContext

      public ThreadContext getThreadContext()
    • putIndicesAccessControl

      public void putIndicesAccessControl(@Nullable IndicesAccessControl indicesAccessControl)
    • copyIndicesAccessControlToReaderContext

      public void copyIndicesAccessControlToReaderContext(ReaderContext readerContext)
    • copyIndicesAccessControlFromReaderContext

      public void copyIndicesAccessControlFromReaderContext(ReaderContext readerContext)
    • setInternalUser

      public void setInternalUser(InternalUser internalUser, TransportVersion version)
      Sets the user forcefully to the provided user. There must not be an existing user in the ThreadContext, otherwise an exception will be thrown. This method is package private for testing.
    • executeAsInternalUser

      public void executeAsInternalUser(InternalUser internalUser, TransportVersion version, Consumer<ThreadContext.StoredContext> consumer)
      Runs the consumer in a new context as the provided user. The original context is provided to the consumer. When this method returns, the original context is restored.
    • executeAsSystemUser

      public void executeAsSystemUser(Consumer<ThreadContext.StoredContext> consumer)
    • executeAsSystemUser

      public void executeAsSystemUser(TransportVersion version, Consumer<ThreadContext.StoredContext> consumer)
    • executeWithAuthentication

      public <T> T executeWithAuthentication(Authentication authentication, Function<ThreadContext.StoredContext,T> consumer)
      Runs the function in a new context with the provided authentication and returns its result. The original context is provided to the function. When this method returns, the original context is restored.
    • executeAfterRewritingAuthentication

      public void executeAfterRewritingAuthentication(Consumer<ThreadContext.StoredContext> consumer, TransportVersion version)
      Runs the consumer in a new context after setting a new version of the authentication that is compatible with the version provided. The original context is provided to the consumer. When this method returns, the original context is restored.
    • executeAfterRemovingParentAuthorization

      public void executeAfterRemovingParentAuthorization(Consumer<ThreadContext.StoredContext> consumer)
      Executes the consumer in a new thread context after removing AuthorizationEngine.ParentActionAuthorization. The original context is provided to the consumer. When this method returns, the original context is restored, preserving response headers.
    • canIAccessResourcesCreatedBy

      public boolean canIAccessResourcesCreatedBy(@Nullable Authentication resourceCreatorAuthentication)
      Checks whether the user or API key of the passed-in authentication can access the resources owned by the user or API key of this authentication. The rules are as follows:
        • True if the authentications are for the same API key (same API key ID)
        • True if they are the same username from the same realm
          - For the file and native realms, "same realm" means the same realm type
          - For all other realms, "same realm" means the same realm type plus the same realm name
        • A user and its API key cannot access each other's resources
        • A user and its token can access each other's resources
        • Two API keys are never able to access each other's resources, regardless of their ownership
      This check is a best effort and does not account for certain static and external changes. See also: security limitations.
    • canIAccessResourcesCreatedWithHeaders

      public boolean canIAccessResourcesCreatedWithHeaders(Map<String,String> resourceCreateRequestHeaders) throws IOException
      Throws:
      IOException
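The ownership rules documented for canIAccessResourcesCreatedBy, modelled as a stand-alone decision function. This is an added illustration, not Elasticsearch code: the Subject record, its Kind enum and the deny-on-null behaviour are assumptions made for the example, and the sample subjects are constructed.

```java
import java.util.Objects;

// Illustrative model of the resource-ownership rules; not the Elasticsearch implementation.
public final class ResourceOwnershipCheck {

    enum Kind { USER, TOKEN, API_KEY }

    // Minimal stand-in for the subject behind an Authentication (assumed shape, constructed here).
    record Subject(Kind kind, String username, String realmType, String realmName, String apiKeyId) {}

    static boolean sameRealm(Subject a, Subject b) {
        if (!a.realmType().equals(b.realmType())) return false;
        // File and native realms are identified by type alone; every other realm also needs the name.
        if (a.realmType().equals("file") || a.realmType().equals("native")) return true;
        return Objects.equals(a.realmName(), b.realmName());
    }

    // True only when the caller and the resource creator count as the same owner under the rules.
    static boolean canAccessResourcesCreatedBy(Subject me, Subject creator) {
        if (creator == null) return false; // no creator information: deny (assumption for this example)
        if (me.kind() == Kind.API_KEY || creator.kind() == Kind.API_KEY) {
            // Two API keys match only on the same API key ID; a user and its own API key never match.
            return me.kind() == Kind.API_KEY && creator.kind() == Kind.API_KEY
                && Objects.equals(me.apiKeyId(), creator.apiKeyId());
        }
        // User-to-user or user-to-token: the same username from the same realm.
        return me.username().equals(creator.username()) && sameRealm(me, creator);
    }

    public static void main(String[] args) {
        Subject alice = new Subject(Kind.USER, "alice", "native", "native1", null);
        Subject aliceToken = new Subject(Kind.TOKEN, "alice", "native", "native1", null);
        Subject aliceKey = new Subject(Kind.API_KEY, "alice", "native", "native1", "key-1");
        Subject sameKey = new Subject(Kind.API_KEY, "alice", "native", "native1", "key-1");
        Subject otherKey = new Subject(Kind.API_KEY, "alice", "native", "native1", "key-2");
        Subject ldapAlice = new Subject(Kind.USER, "alice", "ldap", "ldap1", null);
        Subject ldapAlice2 = new Subject(Kind.USER, "alice", "ldap", "ldap2", null);

        System.out.println("user -> own token:        " + canAccessResourcesCreatedBy(alice, aliceToken));
        System.out.println("user -> own API key:      " + canAccessResourcesCreatedBy(alice, aliceKey));
        System.out.println("API key -> same key ID:   " + canAccessResourcesCreatedBy(aliceKey, sameKey));
        System.out.println("API key -> other key:     " + canAccessResourcesCreatedBy(aliceKey, otherKey));
        System.out.println("ldap1 user -> ldap2 user: " + canAccessResourcesCreatedBy(ldapAlice, ldapAlice2));
    }
}
```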