java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.LimitedRole
All Implemented Interfaces:
Role

public final class LimitedRole extends Object implements Role
A Role limited by another role.
The effective permissions returned by a call to authorize(String, Set, ProjectMetadata, FieldPermissionsCache) are limited by the provided role.
  • Constructor Details

    • LimitedRole

      public LimitedRole(Role baseRole, Role limitedByRole)
      Creates a new role defined by the given role and the limited-by role.
      Parameters:
      baseRole - the existing Role
      limitedByRole - restricts the newly formed role to the permissions defined by this limited-by Role
  • Method Details

    • names

      public String[] names()
      Specified by:
      names in interface Role
    • cluster

      public ClusterPermission cluster()
      Specified by:
      cluster in interface Role
    • indices

      public IndicesPermission indices()
      Specified by:
      indices in interface Role
    • remoteIndices

      public RemoteIndicesPermission remoteIndices()
      Specified by:
      remoteIndices in interface Role
    • remoteCluster

      public RemoteClusterPermissions remoteCluster()
      Specified by:
      remoteCluster in interface Role
    • hasWorkflowsRestriction

      public boolean hasWorkflowsRestriction()
      Specified by:
      hasWorkflowsRestriction in interface Role
    • forWorkflow

      public Role forWorkflow(String workflow)
      Description copied from interface: Role
      This method returns an effective role for the given workflow if the role has a workflows restriction (i.e. Role.hasWorkflowsRestriction() is true). Otherwise, this method returns the role unchanged. The returned effective role can be Role.EMPTY_RESTRICTED_BY_WORKFLOW when the given workflow is not one of the workflows to which this role is restricted. The workflows to which a role can be restricted are static and defined in WorkflowResolver.
      Specified by:
      forWorkflow in interface Role
    • application

      public ApplicationPermission application()
      Specified by:
      application in interface Role
    • runAs

      public RunAsPermission runAs()
      Specified by:
      runAs in interface Role
    • hasFieldOrDocumentLevelSecurity

      public boolean hasFieldOrDocumentLevelSecurity()
      Description copied from interface: Role
      Whether the Role has any index privileges with field or document level security enabled.
      Specified by:
      hasFieldOrDocumentLevelSecurity in interface Role
      Returns:
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • authorize

      public IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, ProjectMetadata metadata, FieldPermissionsCache fieldPermissionsCache)
      Description copied from interface: Role
      Returns whether at least one group encapsulated by this indices permissions is authorized to execute the specified action with the requested indices/aliases. At the same time, if field and/or document level security is configured for any group, the allowed fields and role queries are also resolved.
      Specified by:
      authorize in interface Role
    • getRoleDescriptorsIntersectionForRemoteCluster

      public RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias, TransportVersion remoteClusterVersion)
      Description copied from interface: Role
      Returns the intersection of role descriptors defined for a remote cluster with the given alias.
      Specified by:
      getRoleDescriptorsIntersectionForRemoteCluster in interface Role
      Parameters:
      remoteClusterAlias - the remote cluster alias for which to return a role descriptors intersection
      remoteClusterVersion - the version of the remote cluster
      Returns:
      an intersection of role descriptors that describe the remote privileges towards a given cluster, otherwise an empty intersection if remote privileges are not defined
    • allowedIndicesMatcher

      public IndicesPermission.IsResourceAuthorizedPredicate allowedIndicesMatcher(String action)
      Specified by:
      allowedIndicesMatcher in interface Role
      Returns:
      A predicate that matches all the indices on which both this role and the limited-by role have the privilege to execute the given action.
    • allowedActionsMatcher

      public org.apache.lucene.util.automaton.Automaton allowedActionsMatcher(String index)
      Description copied from interface: Role
      Returns an Automaton that matches all action names allowed for the given index
      Specified by:
      allowedActionsMatcher in interface Role
    • checkIndicesAction

      public boolean checkIndicesAction(String action)
      Checks whether the indices permissions allow the given action, and also whether the limited-by role allows it.
      Specified by:
      checkIndicesAction in interface Role
      Parameters:
      action - indices action
      Returns:
      true if action is allowed else returns false
    • checkIndicesPrivileges

      public boolean checkIndicesPrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
      For the given index patterns and index privileges, determines the allowed privileges and creates an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges, where the resource is an index pattern and ResourcePrivileges maps each index privilege to whether it is allowed or not.
      This implementation takes the intersection of the resource privileges with the resource privileges from the limited-by role.
      Specified by:
      checkIndicesPrivileges in interface Role
      Parameters:
      checkForIndexPatterns - check permission grants for the set of index patterns
      allowRestrictedIndices - if true then checks permission grants even for restricted indices by index matching
      checkForPrivileges - check permission grants for the set of index privileges
      resourcePrivilegesMapBuilder - out-parameter for returning the details on which privilege over which resource is granted or not. Can be null when no such details are needed so the method can return early, after encountering the first privilege that is not granted over some resource.
      Returns:
      true when all the privileges are granted over all the resources, or false otherwise
    • checkClusterAction

      public boolean checkClusterAction(String action, TransportRequest request, Authentication authentication)
      Checks whether the cluster permissions allow the given action, and also whether the limited-by role allows it, in the context of the given authentication.
      Specified by:
      checkClusterAction in interface Role
      Parameters:
      action - cluster action
      request - TransportRequest
      authentication - Authentication
      Returns:
      true if action is allowed else returns false
    • grants

      public boolean grants(ClusterPrivilege clusterPrivilege)
      Checks whether the cluster permissions grant the given cluster privilege, and also whether the limited-by role grants it.
      Specified by:
      grants in interface Role
      Parameters:
      clusterPrivilege - cluster privilege
      Returns:
      true if cluster privilege is allowed else returns false
    • checkApplicationResourcePrivileges

      public boolean checkApplicationResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
      For a given application, checks the privileges for resources and returns an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges, where the resource is an application resource and ResourcePrivileges maps each application privilege to whether it is allowed or not.
      This implementation takes the intersection of the resource privileges with the resource privileges from the limited-by role.
      Specified by:
      checkApplicationResourcePrivileges in interface Role
      Parameters:
      applicationName - checks privileges for the provided application name
      checkForResources - check permission grants for the set of resources
      checkForPrivilegeNames - check permission grants for the set of privilege names
      storedPrivileges - stored ApplicationPrivilegeDescriptor for an application against which the access checks are performed
      resourcePrivilegesMapBuilder - out-parameter for returning the details on which privilege over which resource is granted or not. Can be null when no such details are needed so the method can return early, after encountering the first privilege that is not granted over some resource.
      Returns:
      true when all the privileges are granted over all the resources, or false otherwise
    • checkRunAs

      public boolean checkRunAs(String runAs)
      Description copied from interface: Role
      Check if the role is allowed to run-as the given username.
      Specified by:
      checkRunAs in interface Role
      Parameters:
      runAs -
      Returns:
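
The intersection behaviour documented for checkIndicesPrivileges (including the early return when no details builder is passed) can be seen in a small stand-alone model. This is an added example, not Elasticsearch code: ToyRole, SimpleRole and Limited are hypothetical types, index names are matched exactly rather than as patterns, and a plain map stands in for ResourcePrivilegesMap.Builder.

```java
import java.util.*;
// Toy model (hypothetical types, not the Elasticsearch classes) of a role limited by another role.
public class LimitedRoleSketch {
    interface ToyRole {
        // True when every privilege is granted on every index; details may be null.
        boolean check(Set<String> indices, Set<String> privileges, Map<String, Map<String, Boolean>> details);
    }

    // A role backed by an explicit index -> granted privileges table (exact names, no wildcards).
    record SimpleRole(Map<String, Set<String>> grants) implements ToyRole {
        public boolean check(Set<String> indices, Set<String> privileges, Map<String, Map<String, Boolean>> details) {
            boolean all = true;
            for (String index : indices) {
                for (String priv : privileges) {
                    boolean ok = grants.getOrDefault(index, Set.of()).contains(priv);
                    if (details != null) {
                        details.computeIfAbsent(index, k -> new TreeMap<>()).put(priv, ok);
                    } else if (!ok) {
                        return false; // no details requested: stop at the first denial
                    }
                    all &= ok;
                }
            }
            return all;
        }
    }

    // Effective grant = base AND limitedBy, per (index, privilege) pair.
    record Limited(ToyRole base, ToyRole limitedBy) implements ToyRole {
        public boolean check(Set<String> indices, Set<String> privileges, Map<String, Map<String, Boolean>> details) {
            if (details == null) {
                return base.check(indices, privileges, null) && limitedBy.check(indices, privileges, null);
            }
            Map<String, Map<String, Boolean>> a = new TreeMap<>(), b = new TreeMap<>();
            boolean all = base.check(indices, privileges, a) & limitedBy.check(indices, privileges, b);
            a.forEach((index, privs) -> privs.forEach((priv, ok) ->
                details.computeIfAbsent(index, k -> new TreeMap<>()).put(priv, ok && b.get(index).get(priv))));
            return all;
        }
    }
    public static void main(String[] args) {
        // Constructed sample data: the base role is broader than the limiting role.
        ToyRole base = new SimpleRole(Map.of("logs", Set.of("read", "write"), "audit", Set.of("read")));
        ToyRole limitedBy = new SimpleRole(Map.of("logs", Set.of("read")));
        ToyRole effective = new Limited(base, limitedBy);
        Map<String, Map<String, Boolean>> details = new TreeMap<>();
        boolean all = effective.check(Set.of("logs", "audit"), Set.of("read", "write"), details);
        System.out.println(all + " " + details);
    }
}
```

Only "read" on "logs" survives the intersection: the base role's "write" on "logs" and "read" on "audit" are dropped because the limiting role does not grant them.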