Module org.elasticsearch.xcore
Class FieldPermissions
java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions
All Implemented Interfaces:
org.apache.lucene.util.Accountable, CacheKey
public final class FieldPermissions
extends Object
implements org.apache.lucene.util.Accountable, CacheKey
Stores the patterns of fields to which access is granted or denied, and maintains an automaton that can be used to check whether access is
allowed for a specific field.
Field permissions are configured via a list of strings that are patterns a field has to match. Two lists determine whether
access to a field is granted:
1. It has to match the patterns in grantedFieldsArray.
2. It must not match the patterns in deniedFieldsArray.
Field Summary
Fields
Fields inherited from interface org.apache.lucene.util.Accountable
NULL_ACCOUNTABLE
Constructor Summary
Constructors
Constructor
    Description
FieldPermissions(FieldPermissionsDefinition fieldPermissionsDefinition)
    Constructor that enables field-level security based on include/exclude rules.
Method Summary
Modifier and Type, Method
    Description
void buildCacheKey(StreamOutput out, SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext context)
static org.apache.lucene.util.automaton.Automaton buildPermittedFieldsAutomaton(String[] grantedFields, String[] deniedFields)
    Construct a single automaton to represent the set of grantedFields except for the deniedFields.
boolean equals(Object)
org.apache.lucene.index.DirectoryReader filter(org.apache.lucene.index.DirectoryReader reader)
    Return a wrapped reader that only exposes allowed fields.
boolean grantsAccessTo(String fieldName)
    Returns true if this field permission policy allows access to the field and false if not.
boolean hasFieldLevelSecurity()
    Return whether field-level security is enabled, i.e. whether any field might be filtered out.
int hashCode()
static org.apache.lucene.util.automaton.Automaton initializePermittedFieldsAutomaton(FieldPermissionsDefinition fieldPermissionsDefinition)
FieldPermissions limitFieldPermissions(FieldPermissions limitedBy)
    Returns a field permissions instance that is limited by the given field permissions.
    If both the current and the other field permissions have field-level security, it takes the intersection of permitted fields.
    If none of the permissions have field-level security enabled, it returns a permissions instance where all fields are allowed.
long ramBytesUsed()
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.apache.lucene.util.Accountable
getChildResources
Field Details
DEFAULT
Constructor Details
FieldPermissions
Constructor that enables field-level security based on include/exclude rules. Exclude rules have precedence over include rules.
Method Details
initializePermittedFieldsAutomaton
public static org.apache.lucene.util.automaton.Automaton initializePermittedFieldsAutomaton(FieldPermissionsDefinition fieldPermissionsDefinition)
buildPermittedFieldsAutomaton
public static org.apache.lucene.util.automaton.Automaton buildPermittedFieldsAutomaton(String[] grantedFields, String[] deniedFields)
Construct a single automaton to represent the set of grantedFields except for the deniedFields.
Throws:
ElasticsearchSecurityException - If deniedFields is not a subset of grantedFields.
limitFieldPermissions
Returns a field permissions instance that is limited by the given field permissions.
If both the current and the other field permissions have field-level security, it takes the intersection of permitted fields.
If none of the permissions have field-level security enabled, it returns a permissions instance where all fields are allowed.
Parameters:
limitedBy - FieldPermissions used to limit current field permissions
Returns:
FieldPermissions
grantsAccessTo
Returns true if this field permission policy allows access to the field and false if not. fieldName can be a wildcard.
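The grant/deny rules from the class description and the intersection described under limitFieldPermissions, modeled as an added example (not Elasticsearch's own code): it uses java.util.regex instead of a Lucene automaton. The class name FieldPermissionsModel, the '*'-only wildcard handling and the sample field names are assumptions; the deniedFields subset check and wildcard fieldName arguments are not modeled.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/** Simplified model of granted/denied field patterns; not the Elasticsearch implementation. */
public class FieldPermissionsModel {
    private final List<Pattern> granted;
    private final List<Pattern> denied;
    private final FieldPermissionsModel limitedBy; // null when no limiting policy applies

    FieldPermissionsModel(List<String> grantedFields, List<String> deniedFields) {
        this(compile(grantedFields), compile(deniedFields), null);
    }
    private FieldPermissionsModel(List<Pattern> granted, List<Pattern> denied, FieldPermissionsModel limitedBy) {
        this.granted = granted; this.denied = denied; this.limitedBy = limitedBy;
    }

    // Assumption: '*' is the only wildcard; every other character matches literally.
    private static List<Pattern> compile(List<String> patterns) {
        return patterns.stream()
            .map(p -> Pattern.compile(Pattern.quote(p).replace("*", "\\E.*\\Q"), Pattern.DOTALL))
            .collect(Collectors.toList());
    }
    private static boolean matchesAny(List<Pattern> patterns, String field) {
        return patterns.stream().anyMatch(p -> p.matcher(field).matches());
    }

    /** A field is visible only if granted, not denied, and also visible under the limiting policy. */
    boolean grantsAccessTo(String field) {
        boolean allowedHere = matchesAny(granted, field) && !matchesAny(denied, field);
        return allowedHere && (limitedBy == null || limitedBy.grantsAccessTo(field));
    }

    /** Intersection: the result never permits a field that either side rejects. */
    FieldPermissionsModel limitFieldPermissions(FieldPermissionsModel other) {
        FieldPermissionsModel chain = limitedBy == null ? other : limitedBy.limitFieldPermissions(other);
        return new FieldPermissionsModel(granted, denied, chain);
    }

    public static void main(String[] args) {
        // Constructed sample policies and field names.
        FieldPermissionsModel role = new FieldPermissionsModel(List.of("customer.*"), List.of("customer.ssn"));
        FieldPermissionsModel limit = new FieldPermissionsModel(List.of("customer.name", "customer.ssn"), List.of());
        FieldPermissionsModel effective = role.limitFieldPermissions(limit);
        for (String f : List.of("customer.name", "customer.email", "customer.ssn", "order.total")) {
            System.out.printf("%-15s role=%-5b effective=%b%n", f, role.grantsAccessTo(f), effective.grantsAccessTo(f));
        }
    }
}
```

In the sample, customer.ssn stays hidden in the effective policy even though the limiting policy grants it, because the role's deny pattern takes precedence and the limit can only narrow access.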
fieldPredicate
getFieldPermissionsDefinitions
buildCacheKey
public void buildCacheKey(StreamOutput out, SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext context) throws IOException
Specified by:
buildCacheKey in interface CacheKey
Throws:
IOException
hasFieldLevelSecurity
public boolean hasFieldLevelSecurity()
Return whether field-level security is enabled, i.e. whether any field might be filtered out.
filter
public org.apache.lucene.index.DirectoryReader filter(org.apache.lucene.index.DirectoryReader reader) throws IOException
Return a wrapped reader that only exposes allowed fields.
Throws:
IOException
equals
hashCode
public int hashCode()
ramBytesUsed
public long ramBytesUsed()
Specified by:
ramBytesUsed in interface org.apache.lucene.util.Accountable