java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.ApplicationPermission

public final class ApplicationPermission extends Object
A permission that is based on privileges for application (non-Elasticsearch) capabilities.
  • Method Details

    • grants

      public boolean grants(ApplicationPrivilege other, String resource)
      Determines whether this permission grants the specified privilege on the given resource.

      An ApplicationPermission consists of a sequence of permission entries, where each entry contains a single ApplicationPrivilege and one or more resource patterns.

      This method returns true if one or more of those entries meets all of the following criteria:

      • The entry's application, when interpreted as an Automaton pattern, matches the application given in the argument (interpreted as a raw string)
      • The automaton that defines the entry's actions entirely covers the automaton given in the argument (that is, the argument's actions are a subset of the entry's actions)
      • The entry's resources, when interpreted as an Automaton via Automatons.patterns(String...), entirely cover the resource given in the argument (which is also interpreted as an Automaton pattern)

      Coverage is directional: a request is granted only when it is a subset of some single entry. An entry whose actions or resources are narrower than the request does not grant it, even where the two patterns overlap.
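      A worked example of these coverage rules, added here; it is not Elasticsearch's own code or documentation. It assumes the package-private constructor ApplicationPermission(List<Tuple<ApplicationPrivilege, Set<String>>>) and the constructor ApplicationPrivilege(String application, String name, String... actionPatterns) as used by the project's own tests, so it is placed in the same package; the Tuple import location differs between releases (org.elasticsearch.common.collect.Tuple in 7.x, org.elasticsearch.core.Tuple in 8.x). The application name, privilege names, action patterns and resources are constructed for the example.

```java
package org.elasticsearch.xpack.core.security.authz.permission;

import java.util.List;
import java.util.Set;

import org.elasticsearch.common.collect.Tuple; // assumption: 7.x location; 8.x uses org.elasticsearch.core.Tuple
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;

/**
 * Added example (not part of Elasticsearch): exercises the subset semantics of
 * ApplicationPermission#grants. It lives in the permission package because the
 * ApplicationPermission constructor is package-private, as the project's tests do.
 */
public class GrantsExample {

    // Constructed sample: a single entry granting the "read" privilege
    // (actions data:read/*) on resources matching "user/*".
    static ApplicationPermission samplePermission() {
        // Assumption: ApplicationPrivilege(String application, String name, String... actionPatterns)
        ApplicationPrivilege read = new ApplicationPrivilege("my-app", "read", "data:read/*");
        return new ApplicationPermission(List.of(new Tuple<>(read, Set.of("user/*"))));
    }

    static void report(String label, boolean granted) {
        System.out.println(label + ": " + granted);
    }

    public static void main(String[] args) {
        ApplicationPermission permission = samplePermission();

        // Narrower action set (data:read/profile is a subset of data:read/*) on a concrete
        // resource covered by "user/*": both bullets hold, so the entry covers the request.
        ApplicationPrivilege readProfile = new ApplicationPrivilege("my-app", "read-profile", "data:read/profile");
        report("read-profile on user/kimchy", permission.grants(readProfile, "user/kimchy"));

        // Same actions, but the requested resource is itself a pattern ("*") that is wider
        // than "user/*": the argument is not a subset of the entry's resource automaton.
        report("read-profile on *", permission.grants(readProfile, "*"));

        // Broader action set: data:* is not a subset of data:read/*, so the overlap between
        // the two patterns does not help; the entry does not cover the request.
        ApplicationPrivilege all = new ApplicationPrivilege("my-app", "all", "data:*");
        report("all on user/kimchy", permission.grants(all, "user/kimchy"));

        // Different application: the entry's application pattern "my-app" does not match
        // the raw string "other-app", so the entry is skipped regardless of actions/resources.
        ApplicationPrivilege otherApp = new ApplicationPrivilege("other-app", "read", "data:read/profile");
        report("other-app read on user/kimchy", permission.grants(otherApp, "user/kimchy"));
    }
}
```

      Run it as a small test class inside the x-pack core security module; the ordering of the four checks mirrors the three bullets above, and the two denied cases show that a request wider than the grant in either its actions or its resource pattern is refused even though the patterns intersect.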
    • checkResourcePrivileges

      public boolean checkResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
      For a given application, checks whether each of the requested privileges is granted over each of the requested resources. When a ResourcePrivilegesMap.Builder is supplied, it is populated so that the resulting ResourcePrivilegesMap maps each application resource to a ResourcePrivileges entry, which in turn maps each application privilege name to whether it is allowed or not.
      Parameters:
      applicationName - checks privileges for the provided application name
      checkForResources - check permission grants for the set of resources
      checkForPrivilegeNames - check permission grants for the set of privilege names
      storedPrivileges - stored ApplicationPrivilegeDescriptor for an application against which the access checks are performed
      resourcePrivilegesMapBuilder - out-parameter for returning the details of which privilege over which resource is granted or not. Can be null when no such details are needed, in which case the method may return early after encountering the first privilege that is not granted over some resource.
      Returns:
      true when all the privileges are granted over all the resources, or false otherwise
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • getApplicationNames

      public Set<String> getApplicationNames()
    • getPrivileges

      public Set<ApplicationPrivilege> getPrivileges(String application)
    • getResourcePatterns

      public Set<String> getResourcePatterns(ApplicationPrivilege privilege)
      Returns the set of resource patterns that are permitted for the provided privilege. The returned set may include patterns that overlap (e.g. "object/*" and "object/1") and may also include patterns that are defined against a more permissive privilege, because any entry whose actions cover the provided privilege contributes its patterns. For example, if a permission grants
      • "my-app", "read", [ "user/*" ]
      • "my-app", "all", [ "user/kimchy", "config/*" ]
      then getResourcePatterns( myAppRead ) would return "user/*", "user/kimchy", "config/*", since "all" covers "read".
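      A worked example covering checkResourcePrivileges and getResourcePatterns, added here and not part of Elasticsearch's code or documentation. It rebuilds the permission from the getResourcePatterns description above as a constructed sample and assumes, from the project's own tests, the package-private constructor ApplicationPermission(List<Tuple<ApplicationPrivilege, Set<String>>>), the constructor ApplicationPrivilege(String application, String name, String... actionPatterns), the constructor ApplicationPrivilegeDescriptor(String application, String name, Set<String> actions, Map<String, Object> metadata), and the accessors ResourcePrivilegesMap.builder(), ResourcePrivilegesMap#getResourceToResourcePrivileges() and ResourcePrivileges#getPrivileges(); names and signatures may differ between releases.

```java
package org.elasticsearch.xpack.core.security.authz.permission;

import java.util.List;
import java.util.Map;
import java.util.Set;

import org.elasticsearch.common.collect.Tuple; // assumption: 7.x location; 8.x uses org.elasticsearch.core.Tuple
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;

/**
 * Added example (not Elasticsearch's own code). Runs checkResourcePrivileges over the
 * "read"/"all" permission described above, once with a builder (full breakdown) and
 * once without (early exit), then shows getResourcePatterns for "read".
 */
public class ResourcePrivilegesExample {

    // Constructed sample: stored privilege definitions for "my-app" that the privilege
    // names passed to checkResourcePrivileges are resolved against.
    static List<ApplicationPrivilegeDescriptor> storedPrivileges() {
        // Assumption: ApplicationPrivilegeDescriptor(String application, String name, Set<String> actions, Map<String,Object> metadata)
        return List.of(
            new ApplicationPrivilegeDescriptor("my-app", "read", Set.of("data:read/*"), Map.of()),
            new ApplicationPrivilegeDescriptor("my-app", "all", Set.of("data:*"), Map.of())
        );
    }

    // Constructed sample: "read" on user/*, "all" on user/kimchy and config/*,
    // i.e. the grants used in the getResourcePatterns description above.
    static ApplicationPermission samplePermission() {
        // Assumption: ApplicationPrivilege(String application, String name, String... actionPatterns)
        ApplicationPrivilege read = new ApplicationPrivilege("my-app", "read", "data:read/*");
        ApplicationPrivilege all = new ApplicationPrivilege("my-app", "all", "data:*");
        return new ApplicationPermission(List.of(
            new Tuple<>(read, Set.of("user/*")),
            new Tuple<>(all, Set.of("user/kimchy", "config/*"))
        ));
    }

    public static void main(String[] args) {
        ApplicationPermission permission = samplePermission();
        Set<String> resources = Set.of("user/kimchy", "user/other");
        Set<String> privilegeNames = Set.of("read", "all");

        // With a builder: every (resource, privilege) pair is evaluated and recorded.
        // Assumption: ResourcePrivilegesMap.builder() / Builder#build()
        ResourcePrivilegesMap.Builder builder = ResourcePrivilegesMap.builder();
        boolean allGranted = permission.checkResourcePrivileges(
            "my-app", resources, privilegeNames, storedPrivileges(), builder);
        System.out.println("all granted: " + allGranted);

        // Assumption: getResourceToResourcePrivileges(), ResourcePrivileges#getResource()/getPrivileges()
        for (ResourcePrivileges rp : builder.build().getResourceToResourcePrivileges().values()) {
            System.out.println(rp.getResource() + " -> " + rp.getPrivileges());
        }
        // Why "all" is refused on user/other: the "all" entry's resources (user/kimchy, config/*)
        // do not cover it, and the "read" entry's actions (data:read/*) do not cover data:*.
        // "read" is granted on both resources by the "read" entry's user/* pattern.

        // Without a builder: the overall answer is the same, but the method may stop at the
        // first denial, so a caller that needs the per-resource breakdown must pass a builder.
        boolean quick = permission.checkResourcePrivileges(
            "my-app", resources, privilegeNames, storedPrivileges(), null);
        System.out.println("all granted (no builder): " + quick);

        // getResourcePatterns("read") also includes the patterns of the more permissive
        // "all" entry, because data:* covers data:read/*; callers must not read the result
        // as "resources on which exactly this privilege was granted".
        ApplicationPrivilege read = new ApplicationPrivilege("my-app", "read", "data:read/*");
        System.out.println("patterns for read: " + permission.getResourcePatterns(read));
    }
}
```

      The builder form is the one to use when rendering a has-privileges style response, since the null form only answers the aggregate question and is allowed to stop early; the getResourcePatterns call at the end illustrates why that method is an over-approximation of what "read" alone grants and should not be used to derive per-privilege access lists.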