Module org.elasticsearch.xcore
Class RemoteClusterPermissions
java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions
- All Implemented Interfaces:
  NamedWriteable, Writeable, org.elasticsearch.xcontent.ToXContent, org.elasticsearch.xcontent.ToXContentObject
public class RemoteClusterPermissions
extends Object
implements NamedWriteable, org.elasticsearch.xcontent.ToXContentObject
Represents the set of permissions for remote clusters. This is intended to be the model for both the RoleDescriptor and Role. This model is intended to be converted to local cluster permissions via collapseAndRemoveUnsupportedPrivileges(String, TransportVersion) before being sent to the remote cluster. This model can also be included in the role descriptors for (normal) API keys sent between nodes/clusters. In both cases the outbound transport version can be used to remove permissions that are not available to older nodes or clusters. The methods removeUnsupportedPrivileges(TransportVersion) and collapseAndRemoveUnsupportedPrivileges(String, TransportVersion) are used to help ensure correct privileges per transport version.
For example, on the local/querying cluster this model represents the following:

    "remote_cluster" : [
      {
        "privileges" : ["foo"],
        "clusters" : ["clusterA"]
      },
      {
        "privileges" : ["bar"],
        "clusters" : ["clusterB"]
      }
    ]

(RCS 2.0) When sent to the remote cluster "clusterA", the privileges will be converted to the appropriate cluster privileges. For example:

    "cluster": ["foo"]

and (RCS 2.0) when sent to the remote cluster "clusterB", the privileges will be converted to the appropriate cluster privileges. For example:

    "cluster": ["bar"]

For normal API keys and their role descriptors: if the remote cluster does not support the privilege, the privilege will not be sent. Upstream code performs the removal, but this class owns the business logic for how to remove per outbound version.
Nested Class Summary
- Nested classes/interfaces inherited from interface org.elasticsearch.xcontent.ToXContent:
  org.elasticsearch.xcontent.ToXContent.DelegatingMapParams, org.elasticsearch.xcontent.ToXContent.MapParams, org.elasticsearch.xcontent.ToXContent.Params
- Nested classes/interfaces inherited from interface org.elasticsearch.common.io.stream.Writeable:
  Writeable.Reader<V>, Writeable.Writer<V>

Field Summary
- static final String NAME
- static final RemoteClusterPermissions NONE
- static final TransportVersion ROLE_MONITOR_STATS
- static final TransportVersion ROLE_REMOTE_CLUSTER_PRIVS
- Fields inherited from interface org.elasticsearch.xcontent.ToXContent: EMPTY, EMPTY_PARAMS

Constructor Summary
- RemoteClusterPermissions()
- RemoteClusterPermissions (see Constructor Details; throws IOException)
- RemoteClusterPermissions (see Constructor Details)

Method Summary
- addGroup(RemoteClusterPermissionGroup remoteClusterPermissionGroup)
- String[] collapseAndRemoveUnsupportedPrivileges(String remoteClusterAlias, TransportVersion outboundVersion): Gets all the privilege names for the remote cluster.
- boolean equals(Object)
- getSupportedRemoteClusterPermissions()
- String getWriteableName()
- groups()
- boolean hasAnyPrivileges()
- boolean hasAnyPrivileges(String remoteClusterAlias)
- int hashCode()
- removeUnsupportedPrivileges(TransportVersion outboundVersion): Will remove any unsupported privileges for the provided outbound version.
- toMap(): Converts this object to its Map representation.
- String toString()
- org.elasticsearch.xcontent.XContentBuilder toXContent(org.elasticsearch.xcontent.XContentBuilder builder, org.elasticsearch.xcontent.ToXContent.Params params)
- void validate(): Validates the remote cluster permissions (regardless of remote cluster version).
- void writeTo(StreamOutput out)
- Methods inherited from class java.lang.Object: clone, finalize, getClass, notify, notifyAll, wait, wait, wait
- Methods inherited from interface org.elasticsearch.xcontent.ToXContentObject: isFragment
Field Details
- ROLE_REMOTE_CLUSTER_PRIVS
  static final TransportVersion ROLE_REMOTE_CLUSTER_PRIVS
- ROLE_MONITOR_STATS
  static final TransportVersion ROLE_MONITOR_STATS
- NAME
  static final String NAME
  See Also:
- NONE
  static final RemoteClusterPermissions NONE
Constructor Details
- RemoteClusterPermissions
  Throws: IOException
- RemoteClusterPermissions
- RemoteClusterPermissions
  public RemoteClusterPermissions()
Method Details
- getSupportedRemoteClusterPermissions
- addGroup
- removeUnsupportedPrivileges
  Will remove any unsupported privileges for the provided outbound version. This method will not modify the current instance. This is useful for (normal) API key role descriptors, to help ensure that we don't send unsupported privileges. The result may contain no groups if all privileges are removed; hasAnyPrivileges() can be used to check whether any privileges are left.
  Parameters:
    outboundVersion - the version by which to remove unsupported privileges; this is typically the version of the remote cluster
  Returns:
    a new instance of RemoteClusterPermissions with the unsupported privileges removed
- collapseAndRemoveUnsupportedPrivileges
  public String[] collapseAndRemoveUnsupportedPrivileges(String remoteClusterAlias, TransportVersion outboundVersion)
  Gets all the privilege names for the remote cluster. This method will collapse all groups into a single, all-lowercase String[] and will only return the privileges appropriate for the provided remote cluster version. This is useful for RCS 2.0 to ensure that we properly convert all the remote_cluster -> cluster privileges per remote cluster.
- toMap
  Converts this object to its Map representation.
  Returns:
    a list of maps representing the remote cluster permissions
- validate
  public void validate()
  Validates the remote cluster permissions (regardless of remote cluster version). This method will throw an IllegalArgumentException if the permissions are invalid. Generally, this method is just a safety check, and validity should be checked before adding the permissions to this class.
- hasAnyPrivileges
- hasAnyPrivileges
  public boolean hasAnyPrivileges()
- groups
- toXContent
  public org.elasticsearch.xcontent.XContentBuilder toXContent(org.elasticsearch.xcontent.XContentBuilder builder, org.elasticsearch.xcontent.ToXContent.Params params) throws IOException
  Specified by: toXContent in interface org.elasticsearch.xcontent.ToXContent
  Throws: IOException
- writeTo
  Specified by: writeTo in interface Writeable
  Throws: IOException
- equals
- hashCode
  public int hashCode()
- toString
- getWriteableName
  Specified by: getWriteableName in interface NamedWriteable