Module org.elasticsearch.xcore
Class SimpleRole
java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.SimpleRole
- All Implemented Interfaces: Role
Nested Class Summary
- Nested classes/interfaces inherited from interface org.elasticsearch.xpack.core.security.authz.permission.Role: Role.Builder
Field Summary
- Fields declared in this class: CACHE_SIZE_SETTING
- Fields inherited from interface org.elasticsearch.xpack.core.security.authz.permission.Role: EMPTY, EMPTY_RESTRICTED_BY_WORKFLOW, REMOTE_USER_ROLE_NAME
Method Summary
- org.apache.lucene.util.automaton.Automaton allowedActionsMatcher(String index): Returns an Automaton that matches all action names allowed for the given index.
- allowedIndicesMatcher(String action): Returns a predicate that matches all the indices this role has the privilege to execute the given action on.
- application()
- IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, ProjectMetadata metadata, FieldPermissionsCache fieldPermissionsCache): Returns whether at least one group encapsulated by this role's indices permissions is authorized to execute the specified action with the requested indices/aliases; if field and/or document level security is configured for any group, the allowed fields and role queries are resolved at the same time.
- void cacheHasPrivileges(Settings settings, AuthorizationEngine.PrivilegesToCheck privilegesToCheck, AuthorizationEngine.PrivilegesCheckResult privilegesCheckResult): Stores the result of a privileges check in this role's cache.
- boolean checkApplicationResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder): For a given application, checks the privileges for resources and returns an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges, where the resource is an application resource and the map is from application privilege to whether it is allowed or not.
- boolean checkClusterAction(String action, TransportRequest request, Authentication authentication): Check if cluster permissions allow the given action in the context of the given authentication.
- boolean checkIndicesAction(String action): Check if indices permissions allow the given action.
- boolean checkIndicesPrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder): For the given index patterns and index privileges, determines the allowed privileges and creates an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges, where the resource is an index pattern and the map is from index privilege to whether it is allowed or not.
- AuthorizationEngine.PrivilegesCheckResult checkPrivilegesWithCache(AuthorizationEngine.PrivilegesToCheck privilegesToCheck): Looks up a previously cached result for the given privileges check.
- boolean checkRunAs(String runAsName): Check if the role is allowed to run-as the given username.
- cluster()
- boolean equals(Object o)
- Role forWorkflow(String workflow): Returns an effective role for the given workflow if the role has a workflows restriction; otherwise returns the role unchanged.
- RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias, TransportVersion remoteClusterVersion): Returns the intersection of role descriptors defined for the remote cluster with the given alias.
- boolean grants(ClusterPrivilege clusterPrivilege): Check if cluster permissions grant the given cluster privilege.
- boolean hasFieldOrDocumentLevelSecurity(): Whether the Role has any field or document level security enabled index privileges.
- int hashCode()
- boolean hasWorkflowsRestriction()
- indices()
- String[] names()
- remoteCluster()
- remoteIndices()
- runAs()
- String toString()
Field Details
- CACHE_SIZE_SETTING
Method Details
names

cluster

indices

application
- Specified by: application in interface Role

runAs

remoteIndices
- Specified by: remoteIndices in interface Role

remoteCluster
- Specified by: remoteCluster in interface Role

hasWorkflowsRestriction
public boolean hasWorkflowsRestriction()
- Specified by: hasWorkflowsRestriction in interface Role
forWorkflow
Description copied from interface: Role
This method returns an effective role for the given workflow if the role has a workflows restriction (i.e. Role.hasWorkflowsRestriction() is true). Otherwise, this method returns the role unchanged. The returned effective role can be Role.EMPTY_RESTRICTED_BY_WORKFLOW when the given workflow is not one of the workflows to which this role is restricted, so a restricted role grants nothing outside its permitted workflows. The workflows to which a role can be restricted are static and defined in WorkflowResolver.
- Specified by: forWorkflow in interface Role
hasFieldOrDocumentLevelSecurity
public boolean hasFieldOrDocumentLevelSecurity()
Description copied from interface: Role
Whether the Role has any field or document level security enabled index privileges.
- Specified by: hasFieldOrDocumentLevelSecurity in interface Role
- Returns: true if any index privilege of this role carries field or document level security, false otherwise
allowedIndicesMatcher
- Specified by: allowedIndicesMatcher in interface Role
- Returns: a predicate that will match all the indices that this role has the privilege for executing the given action on.
allowedActionsMatcher
public org.apache.lucene.util.automaton.Automaton allowedActionsMatcher(String index)
Description copied from interface: Role
Returns an Automaton that matches all action names allowed for the given index.
- Specified by: allowedActionsMatcher in interface Role
checkRunAs
public boolean checkRunAs(String runAsName)
Description copied from interface: Role
Check if the role is allowed to run-as the given username.
- Specified by: checkRunAs in interface Role
- Parameters: runAsName - the username to run as
- Returns: true if the role may run as the given user, false otherwise
checkIndicesAction
public boolean checkIndicesAction(String action)
Description copied from interface: Role
Check if indices permissions allow the given action.
- Specified by: checkIndicesAction in interface Role
- Parameters: action - indices action
- Returns: true if the action is allowed, else false
checkIndicesPrivileges
public boolean checkIndicesPrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
Description copied from interface: Role
For the given index patterns and index privileges, determines the allowed privileges and creates an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges, where the resource is an index pattern and the map is from index privilege to whether it is allowed or not. The boolean result is the conjunction over every (index pattern, privilege) pair: one denied pair makes the whole check fail.
- Specified by: checkIndicesPrivileges in interface Role
- Parameters:
  - checkForIndexPatterns - check permission grants for the set of index patterns
  - allowRestrictedIndices - if true then checks permission grants even for restricted indices by index matching
  - checkForPrivileges - check permission grants for the set of index privileges
  - resourcePrivilegesMapBuilder - out-parameter for returning the details on which privilege over which resource is granted or not. Can be null when no such details are needed, so the method can return early, after encountering the first privilege that is not granted over some resource.
- Returns: true when all the privileges are granted over all the resources, or false otherwise
-
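The two calling conventions of checkIndicesPrivileges, as an added example that is not part of Elasticsearch's own code or this Javadoc: the null-builder fast path for a yes/no answer, and the builder out-parameter for a per-resource, per-privilege breakdown. The builder calls used to construct the Role (Role.builder(RestrictedIndices, String...), Role.Builder#add(IndexPrivilege, String...), new RestrictedIndices(Automaton)) and the accessors on ResourcePrivilegesMap and ResourcePrivileges are assumptions taken from how x-pack core test code builds roles; verify them against the Elasticsearch version you run.

```java
import java.util.Map;
import java.util.Set;

import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivileges;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivilegesMap;
import org.elasticsearch.xpack.core.security.authz.permission.Role;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.support.Automatons;

/**
 * Added example, not Elasticsearch's own code. Exercises both ways of calling
 * Role#checkIndicesPrivileges described in the Javadoc above.
 *
 * Assumed API (from x-pack core test usage; check against your version):
 * Role.builder(RestrictedIndices, String...), Role.Builder#add(IndexPrivilege, String...),
 * Role.Builder#build(), new RestrictedIndices(Automaton), ResourcePrivilegesMap.builder(),
 * ResourcePrivilegesMap#getResourceToResourcePrivileges(), ResourcePrivileges#getPrivileges().
 */
public final class IndicesPrivilegesCheckExample {

    /** Builds a role whose only index privilege is read on indices matching logs-*. */
    static Role logsReader() {
        // No restricted (system) index patterns for this example (assumption: empty automaton).
        RestrictedIndices restricted = new RestrictedIndices(Automatons.EMPTY);
        return Role.builder(restricted, "logs_reader")
            .add(IndexPrivilege.READ, "logs-*")
            .build();
    }

    /**
     * Fast path: null builder. The method returns as soon as one (pattern, privilege)
     * pair is not granted, so this is cheap but yields only a yes/no answer.
     */
    static boolean canReadAll(Role role, Set<String> indexPatterns) {
        return role.checkIndicesPrivileges(indexPatterns, false, Set.of("read"), null);
    }

    /**
     * Detailed path: pass a builder to learn which privilege over which resource was
     * denied. The boolean result is still the conjunction over all pairs; the map is
     * what you surface to an operator debugging a permission failure.
     */
    static Map<String, ResourcePrivileges> explain(Role role, Set<String> indexPatterns, Set<String> privileges) {
        ResourcePrivilegesMap.Builder details = ResourcePrivilegesMap.builder();
        role.checkIndicesPrivileges(indexPatterns, false, privileges, details);
        return details.build().getResourceToResourcePrivileges();
    }

    public static void main(String[] args) {
        Role role = logsReader();

        // "audit-2024" is not matched by logs-*, so the all-or-nothing check cannot succeed
        // even though "logs-2024" alone would be readable.
        System.out.println("read all: " + canReadAll(role, Set.of("logs-2024", "audit-2024")));

        // Breakdown: logs-2024 is matched by logs-* but only read is granted there;
        // audit-2024 is matched by nothing, so every privilege on it is denied.
        explain(role, Set.of("logs-2024", "audit-2024"), Set.of("read", "write"))
            .forEach((resource, rp) -> System.out.println(resource + " -> " + rp.getPrivileges()));

        // allowRestrictedIndices widens the check to restricted (system) indices. With the
        // empty restricted-indices automaton used here it changes nothing; in a real cluster
        // pass true only when the caller is genuinely entitled to system indices.
        System.out.println("restricted allowed: "
            + role.checkIndicesPrivileges(Set.of("logs-2024"), true, Set.of("read"), null));
    }
}
```

Prefer the null-builder form on hot authorization paths and reserve the builder form for diagnostics such as a has-privileges style API response, since building the full map costs a check per pair even after the first denial.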
checkClusterAction
public boolean checkClusterAction(String action, TransportRequest request, Authentication authentication)
Description copied from interface: Role
Check if cluster permissions allow the given action in the context of the given authentication.
- Specified by: checkClusterAction in interface Role
- Parameters:
  - action - cluster action
  - request - the TransportRequest
  - authentication - the Authentication
- Returns: true if the action is allowed, else false
grants
public boolean grants(ClusterPrivilege clusterPrivilege)
Description copied from interface: Role
Check if cluster permissions grant the given cluster privilege.
checkApplicationResourcePrivileges
public boolean checkApplicationResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
Description copied from interface: Role
For a given application, checks the privileges for resources and returns an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges, where the resource is an application resource and the map is from application privilege to whether it is allowed or not.
- Specified by: checkApplicationResourcePrivileges in interface Role
- Parameters:
  - applicationName - checks privileges for the provided application name
  - checkForResources - check permission grants for the set of resources
  - checkForPrivilegeNames - check permission grants for the set of privilege names
  - storedPrivileges - stored ApplicationPrivilegeDescriptor for an application against which the access checks are performed
  - resourcePrivilegesMapBuilder - out-parameter for returning the details on which privilege over which resource is granted or not. Can be null when no such details are needed, so the method can return early, after encountering the first privilege that is not granted over some resource.
- Returns: true when all the privileges are granted over all the resources, or false otherwise
authorize
public IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, ProjectMetadata metadata, FieldPermissionsCache fieldPermissionsCache)
Description copied from interface: Role
Returns an IndicesAccessControl describing whether at least one group encapsulated by this role's indices permissions is authorized to execute the specified action with the requested indices/aliases. At the same time, if field and/or document level security is configured for any group, the allowed fields and role queries are resolved and carried in the result.
getRoleDescriptorsIntersectionForRemoteCluster
public RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias, TransportVersion remoteClusterVersion)
Description copied from interface: Role
Returns the intersection of role descriptors defined for the remote cluster with the given alias.
- Specified by: getRoleDescriptorsIntersectionForRemoteCluster in interface Role
- Parameters:
  - remoteClusterAlias - the remote cluster alias for which to return a role descriptors intersection
  - remoteClusterVersion - the version of the remote cluster
- Returns: an intersection of role descriptors that describe the remote privileges towards the given cluster, or an empty intersection if remote privileges are not defined
equals

hashCode
public int hashCode()

toString

cacheHasPrivileges
public void cacheHasPrivileges(Settings settings, AuthorizationEngine.PrivilegesToCheck privilegesToCheck, AuthorizationEngine.PrivilegesCheckResult privilegesCheckResult) throws ExecutionException
- Throws: ExecutionException

checkPrivilegesWithCache
public AuthorizationEngine.PrivilegesCheckResult checkPrivilegesWithCache(AuthorizationEngine.PrivilegesToCheck privilegesToCheck)