java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions
All Implemented Interfaces:
NamedWriteable, Writeable, org.elasticsearch.xcontent.ToXContent, org.elasticsearch.xcontent.ToXContentObject

public class RemoteClusterPermissions extends Object implements NamedWriteable, org.elasticsearch.xcontent.ToXContentObject
Represents the set of permissions for remote clusters. This is intended to be the model for both the RoleDescriptor and Role. This model is intended to be converted to local cluster permissions via collapseAndRemoveUnsupportedPrivileges(String, TransportVersion) before being sent to the remote cluster. This model may also be included in the role descriptors for (normal) API keys sent between nodes/clusters. In both cases the outbound transport version can be used to remove permissions that are not available to older nodes or clusters. The methods removeUnsupportedPrivileges(TransportVersion) and collapseAndRemoveUnsupportedPrivileges(String, TransportVersion) are used to help ensure the correct privileges per transport version.

For example, on the local/querying cluster this model represents the following:

  "remote_cluster" : [
    {
      "privileges" : ["foo"],
      "clusters" : ["clusterA"]
    },
    {
      "privileges" : ["bar"],
      "clusters" : ["clusterB"]
    }
  ]

(RCS 2.0) When sent to the remote cluster "clusterA", the privileges will be converted to the appropriate cluster privileges, for example: "cluster": ["foo"]

(RCS 2.0) When sent to the remote cluster "clusterB", the privileges will be converted to the appropriate cluster privileges, for example: "cluster": ["bar"]

For normal API keys and their role descriptors: if the remote cluster does not support the privilege, the privilege will not be sent. Upstream code performs the removal, but this class owns the business logic for how to remove per outbound version.
  • Field Details

  • Constructor Details

    • RemoteClusterPermissions

      public RemoteClusterPermissions(StreamInput in) throws IOException
      Throws:
      IOException
    • RemoteClusterPermissions

      public RemoteClusterPermissions(List<Map<String,List<String>>> remoteClusters)
    • RemoteClusterPermissions

      public RemoteClusterPermissions()
  • Method Details

    • getSupportedRemoteClusterPermissions

      public static Set<String> getSupportedRemoteClusterPermissions()
    • addGroup

      public RemoteClusterPermissions addGroup(RemoteClusterPermissionGroup remoteClusterPermissionGroup)
    • removeUnsupportedPrivileges

      public RemoteClusterPermissions removeUnsupportedPrivileges(TransportVersion outboundVersion)
      Removes any privileges that are unsupported for the provided outbound version. This method does not modify the current instance. This is useful for (normal) API key role descriptors, to help ensure that unsupported privileges are not sent. The returned instance may contain no groups at all if every privilege was removed; hasAnyPrivileges() can be used to check whether any privileges are left.
      Parameters:
      outboundVersion - The version by which to remove unsupported privileges; this is typically the version of the remote cluster
      Returns:
      a new instance of RemoteClusterPermissions with the unsupported privileges removed
    • collapseAndRemoveUnsupportedPrivileges

      public String[] collapseAndRemoveUnsupportedPrivileges(String remoteClusterAlias, TransportVersion outboundVersion)
      Gets all the privilege names for the given remote cluster. This method collapses all groups into a single lower-case String[] and returns only the privileges appropriate for the provided remote cluster version. This is useful for RCS 2.0 to ensure that the remote_cluster -> cluster privilege conversion is done correctly per remote cluster.
    • toMap

      public List<Map<String,List<String>>> toMap()
      Converts this object to its Map representation.
      Returns:
      a list of maps representing the remote cluster permissions
    • validate

      public void validate()
      Validates the remote cluster permissions (regardless of remote cluster version). This method will throw an IllegalArgumentException if the permissions are invalid. Generally, this method is just a safety check and validity should be checked before adding the permissions to this class.
    • hasAnyPrivileges

      public boolean hasAnyPrivileges(String remoteClusterAlias)
    • hasAnyPrivileges

      public boolean hasAnyPrivileges()
    • groups

    • toXContent

      public org.elasticsearch.xcontent.XContentBuilder toXContent(org.elasticsearch.xcontent.XContentBuilder builder, org.elasticsearch.xcontent.ToXContent.Params params) throws IOException
      Specified by:
      toXContent in interface org.elasticsearch.xcontent.ToXContent
      Throws:
      IOException
    • writeTo

      public void writeTo(StreamOutput out) throws IOException
      Specified by:
      writeTo in interface Writeable
      Throws:
      IOException
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • getWriteableName

      public String getWriteableName()
      Specified by:
      getWriteableName in interface NamedWriteable