java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions
All Implemented Interfaces:
org.apache.lucene.util.Accountable, CacheKey

public final class FieldPermissions extends Object implements org.apache.lucene.util.Accountable, CacheKey
Stores patterns to fields which access is granted or denied to and maintains an automaton that can be used to check if permission is allowed for a specific field. Field permissions are configured via a list of strings that are patterns a field has to match. Two lists determine whether or not a field is granted access to: 1. It has to match the patterns in grantedFieldsArray 2. it must not match the patterns in deniedFieldsArray
  • Field Details

  • Constructor Details

    • FieldPermissions

      public FieldPermissions(FieldPermissionsDefinition fieldPermissionsDefinition)
      Constructor that enables field-level security based on include/exclude rules. Exclude rules have precedence over include rules.
  • Method Details

    • initializePermittedFieldsAutomaton

      public static org.apache.lucene.util.automaton.Automaton initializePermittedFieldsAutomaton(FieldPermissionsDefinition fieldPermissionsDefinition)
    • buildPermittedFieldsAutomaton

      public static org.apache.lucene.util.automaton.Automaton buildPermittedFieldsAutomaton(String[] grantedFields, String[] deniedFields)
      Construct a single automaton to represent the set of grantedFields except for the deniedFields.
      Throws:
      ElasticsearchSecurityException - If deniedFields is not a subset of grantedFields.
    • limitFieldPermissions

      public FieldPermissions limitFieldPermissions(FieldPermissions limitedBy)
      Returns a field permissions instance where it is limited by the given field permissions.
      If the current and the other field permissions have field level security then it takes an intersection of permitted fields.
      If none of the permissions have field level security enabled, then returns permissions instance where all fields are allowed.
      Parameters:
      limitedBy - FieldPermissions used to limit current field permissions
      Returns:
      FieldPermissions
    • grantsAccessTo

      public boolean grantsAccessTo(String fieldName)
      Returns true if this field permission policy allows access to the field and false if not. fieldName can be a wildcard.
    • fieldPredicate

      public FieldPredicate fieldPredicate()
    • getFieldPermissionsDefinitions

      public List<FieldPermissionsDefinition> getFieldPermissionsDefinitions()
    • buildCacheKey

      public void buildCacheKey(StreamOutput out, SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext context) throws IOException
      Specified by:
      buildCacheKey in interface CacheKey
      Throws:
      IOException
    • hasFieldLevelSecurity

      public boolean hasFieldLevelSecurity()
      Return whether field-level security is enabled, ie. whether any field might be filtered out.
    • filter

      public org.apache.lucene.index.DirectoryReader filter(org.apache.lucene.index.DirectoryReader reader) throws IOException
      Return a wrapped reader that only exposes allowed fields.
      Throws:
      IOException
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • ramBytesUsed

      public long ramBytesUsed()
      Specified by:
      ramBytesUsed in interface org.apache.lucene.util.Accountable