Module org.elasticsearch.xcore
Class ApplicationPermission
java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.ApplicationPermission
A permission that is based on privileges for application (non-Elasticsearch) capabilities.
-
Field Summary
Fields -
Method Summary
Modifier and Type, Method, Description:
boolean checkResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
    For a given application, checks for the privileges for resources and returns an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges, where the resource is an application resource, and the map of application privilege to whether it is allowed or not.
getPrivileges(String application)
getResourcePatterns(ApplicationPrivilege privilege)
    Returns a set of resource patterns that are permitted for the provided privilege.
boolean grants(ApplicationPrivilege other, String resource)
    Determines whether this permission grants the specified privilege on the given resource.
toString()
-
Field Details
-
NONE
-
-
Method Details
-
grants
Determines whether this permission grants the specified privilege on the given resource.
An ApplicationPermission consists of a sequence of permission entries, where each entry contains a single ApplicationPrivilege and one or more resource patterns.
This method returns true if one or more of those entries meet the following criteria:
- The entry's application, when interpreted as an Automaton pattern, matches the application given in the argument (interpreted as a raw string)
- The automaton that defines the entry's actions entirely covers the automaton given in the argument (that is, the argument is a subset of the entry's automaton)
- The entry's resources, when interpreted as an Automaton set of patterns (Automatons.patterns(String...)), entirely cover the resource given in the argument (also interpreted as an Automaton pattern)
-
checkResourcePrivileges
public boolean checkResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
For a given application, checks for the privileges for resources and returns an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges, where the resource is an application resource, and the map of application privilege to whether it is allowed or not.
Parameters:
applicationName - checks privileges for the provided application name
checkForResources - check permission grants for the set of resources
checkForPrivilegeNames - check permission grants for the set of privilege names
storedPrivileges - stored ApplicationPrivilegeDescriptor for an application against which the access checks are performed
resourcePrivilegesMapBuilder - out-parameter for returning the details on which privilege over which resource is granted or not. Can be null when no such details are needed, so the method can return early after encountering the first privilege that is not granted over some resource.
Returns:
true when all the privileges are granted over all the resources, or false otherwise
-
toString
-
getApplicationNames
-
getPrivileges
-
getResourcePatterns
Returns a set of resource patterns that are permitted for the provided privilege. The returned set may include patterns that overlap (e.g. "object/*" and "object/1") and may also include patterns that are defined against a more permissive privilege. For example, if a permission grants
- "my-app", "read", [ "user/*" ]
- "my-app", "all", [ "user/kimchy", "config/*" ]
then getResourcePatterns( myAppRead ) would return "user/*", "user/kimchy", "config/*".
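A simplified, self-contained model of the three criteria listed under grants and of the getResourcePatterns case above, added here as an illustration; it is not Elasticsearch code and does not use the real classes. Assumptions: Java 16+, patterns limited to the '*' wildcard, hypothetical names (ApplicationPermissionModel, Privilege, Entry, covers, privilegeCovers), and constructed action patterns for the "read" and "all" privileges.

```java
import java.util.*;

// Simplified model, not Elasticsearch code: patterns support only the '*' wildcard.
public class ApplicationPermissionModel {
    record Privilege(String application, List<String> actions) {}
    record Entry(Privilege privilege, List<String> resources) {}

    // True when pattern p matches everything o matches; a '*' in o needs a '*' in p.
    static boolean covers(String p, int i, String o, int j) {
        if (i == p.length()) return j == o.length();
        if (p.charAt(i) == '*') {
            for (int k = j; k <= o.length(); k++)
                if (covers(p, i + 1, o, k)) return true;
            return false;
        }
        return j < o.length() && p.charAt(i) == o.charAt(j) && covers(p, i + 1, o, j + 1);
    }

    static boolean coversAll(List<String> patterns, List<String> others) {
        return others.stream().allMatch(o -> patterns.stream().anyMatch(p -> covers(p, 0, o, 0)));
    }
    // Criteria 1 and 2: application matches and the entry's actions cover the requested ones.
    static boolean privilegeCovers(Entry e, Privilege want) {
        return covers(e.privilege().application(), 0, want.application(), 0)
            && coversAll(e.privilege().actions(), want.actions());
    }
    // Criterion 3 on top: the entry's resource patterns cover the requested resource.
    static boolean grants(List<Entry> entries, Privilege want, String resource) {
        return entries.stream().anyMatch(e ->
            privilegeCovers(e, want) && coversAll(e.resources(), List.of(resource)));
    }

    static Set<String> getResourcePatterns(List<Entry> entries, Privilege want) {
        Set<String> out = new LinkedHashSet<>();
        for (Entry e : entries) if (privilegeCovers(e, want)) out.addAll(e.resources());
        return out;
    }

    public static void main(String[] args) {
        // Constructed privileges; the action patterns are assumptions for this example.
        Privilege read = new Privilege("my-app", List.of("data:read/*"));
        Privilege all = new Privilege("my-app", List.of("*"));
        List<Entry> permission = List.of(new Entry(read, List.of("user/*")),
            new Entry(all, List.of("user/kimchy", "config/*")));
        System.out.println(grants(permission, read, "user/kimchy")); // resource listed under both entries
        System.out.println(grants(permission, all, "user/other"));   // "user/*" is held only for read
        System.out.println(getResourcePatterns(permission, read));   // patterns from both entries
    }
}
```

The second call shows why overlapping patterns matter when reviewing role definitions: a broad resource pattern attached to a narrow privilege does not extend a broader privilege held on fewer resources.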
-