Module org.elasticsearch.xcore
Class LimitedRole
java.lang.Object
org.elasticsearch.xpack.core.security.authz.permission.LimitedRole
- All Implemented Interfaces:
Role
A Role limited by another role. The effective permissions returned on an authorize(String, Set, ProjectMetadata, FieldPermissionsCache) call would be limited by the provided role.
-
Nested Class Summary
Nested classes/interfaces inherited from interface org.elasticsearch.xpack.core.security.authz.permission.Role
Role.Builder
-
Field Summary
Fields inherited from interface org.elasticsearch.xpack.core.security.authz.permission.Role
EMPTY, EMPTY_RESTRICTED_BY_WORKFLOW, REMOTE_USER_ROLE_NAME
-
Constructor Summary
Constructors
- LimitedRole(Role baseRole, Role limitedByRole): Create a new role defined by given role and the limited role.
-
Method Summary
Methods (modifier and type, method, description):
- org.apache.lucene.util.automaton.Automaton allowedActionsMatcher(String index): Returns an Automaton that matches all action names allowed for the given index
- allowedIndicesMatcher(String action)
- IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, ProjectMetadata metadata, FieldPermissionsCache fieldPermissionsCache): Returns whether at least one group encapsulated by this indices permissions is authorized to execute the specified action with the requested indices/aliases.
- boolean checkApplicationResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder): For a given application, checks for the privileges for resources and returns an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges where the resource is application resource and the map of application privilege to whether it is allowed or not. This one takes intersection of resource privileges with the resource privileges from the limited-by role.
- boolean checkClusterAction(String action, TransportRequest request, Authentication authentication): Check if cluster permissions allow for the given action, also checks whether the limited by role allows the given actions in the context of given authentication.
- boolean checkIndicesAction(String action): Check if indices permissions allow for the given action, also checks whether the limited by role allows the given actions
- boolean checkIndicesPrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder): For given index patterns and index privileges determines allowed privileges and creates an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges where resource is index pattern and the map of index privilege to whether it is allowed or not. This one takes intersection of resource privileges with the resource privileges from the limited-by role.
- boolean checkRunAs(String runAs): Check if the role is allowed to run-as the given username.
- cluster()
- boolean equals(Object)
- forWorkflow(String workflow): This method returns an effective role for the given workflow if role has workflows restriction (i.e. Role.hasWorkflowsRestriction() is true).
- RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias, TransportVersion remoteClusterVersion): Returns the intersection of role descriptors defined for a remote cluster with the given alias.
- boolean grants(ClusterPrivilege clusterPrivilege): Check if cluster permissions grant the given cluster privilege, also checks whether the limited by role grants the given cluster privilege
- boolean hasFieldOrDocumentLevelSecurity(): Whether the Role has any field or document level security enabled index privileges
- int hashCode()
- boolean hasWorkflowsRestriction()
- indices()
- String[] names()
- runAs()
-
Constructor Details
-
Method Details
-
names
-
cluster
-
indices
-
remoteIndices
- Specified by:
remoteIndices in interface Role
-
remoteCluster
- Specified by:
remoteCluster in interface Role
-
hasWorkflowsRestriction
public boolean hasWorkflowsRestriction()
- Specified by:
hasWorkflowsRestriction in interface Role
-
forWorkflow
Description copied from interface: Role
This method returns an effective role for the given workflow if role has workflows restriction (i.e. Role.hasWorkflowsRestriction() is true). Otherwise, this method returns an unchanged role. The returned effective role can be a Role.EMPTY_RESTRICTED_BY_WORKFLOW when the given workflow is not one of the workflows to which this role is restricted. The workflows to which a role can be restricted are static and defined in WorkflowResolver.
- Specified by:
forWorkflow in interface Role
-
application
- Specified by:
application in interface Role
-
runAs
-
hasFieldOrDocumentLevelSecurity
public boolean hasFieldOrDocumentLevelSecurity()
Description copied from interface: Role
Whether the Role has any field or document level security enabled index privileges
- Specified by:
hasFieldOrDocumentLevelSecurity in interface Role
- Returns:
-
equals
-
hashCode
public int hashCode()
-
authorize
public IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, ProjectMetadata metadata, FieldPermissionsCache fieldPermissionsCache)
Description copied from interface: Role
Returns whether at least one group encapsulated by this indices permissions is authorized to execute the specified action with the requested indices/aliases. At the same time, if field and/or document level security is configured for any group, the allowed fields and role queries are also resolved.
-
getRoleDescriptorsIntersectionForRemoteCluster
public RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias, TransportVersion remoteClusterVersion)
Description copied from interface: Role
Returns the intersection of role descriptors defined for a remote cluster with the given alias.
- Specified by:
getRoleDescriptorsIntersectionForRemoteCluster in interface Role
- Parameters:
remoteClusterAlias - the remote cluster alias for which to return a role descriptors intersection
remoteClusterVersion - the version of the remote cluster
- Returns:
an intersection of role descriptors that describe the remote privileges towards a given cluster, otherwise an empty intersection if remote privileges are not defined
-
allowedIndicesMatcher
- Specified by:
allowedIndicesMatcher in interface Role
- Returns:
A predicate that will match all the indices that this role and the limited by role have the privilege for executing the given action on.
-
allowedActionsMatcher
Description copied from interface: Role
Returns an Automaton that matches all action names allowed for the given index
- Specified by:
allowedActionsMatcher in interface Role
-
checkIndicesAction
Check if indices permissions allow for the given action, also checks whether the limited by role allows the given actions
- Specified by:
checkIndicesAction in interface Role
- Parameters:
action - indices action
- Returns:
true if action is allowed else returns false
-
checkIndicesPrivileges
public boolean checkIndicesPrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
For given index patterns and index privileges determines allowed privileges and creates an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges where resource is index pattern and the map of index privilege to whether it is allowed or not.
This one takes intersection of resource privileges with the resource privileges from the limited-by role.
- Specified by:
checkIndicesPrivileges in interface Role
- Parameters:
checkForIndexPatterns - check permission grants for the set of index patterns
allowRestrictedIndices - if true then checks permission grants even for restricted indices by index matching
checkForPrivileges - check permission grants for the set of index privileges
resourcePrivilegesMapBuilder - out-parameter for returning the details on which privilege over which resource is granted or not. Can be null when no such details are needed so the method can return early, after encountering the first privilege that is not granted over some resource.
- Returns:
true when all the privileges are granted over all the resources, or false otherwise
-
checkClusterAction
public boolean checkClusterAction(String action, TransportRequest request, Authentication authentication)
Check if cluster permissions allow for the given action, also checks whether the limited by role allows the given actions in the context of given authentication.
- Specified by:
checkClusterAction in interface Role
- Parameters:
action - cluster action
request - TransportRequest
authentication - Authentication
- Returns:
true if action is allowed else returns false
-
grants
Check if cluster permissions grant the given cluster privilege, also checks whether the limited by role grants the given cluster privilege
-
checkApplicationResourcePrivileges
public boolean checkApplicationResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder)
For a given application, checks for the privileges for resources and returns an instance of ResourcePrivilegesMap holding a map of resource to ResourcePrivileges where the resource is application resource and the map of application privilege to whether it is allowed or not.
This one takes intersection of resource privileges with the resource privileges from the limited-by role.
- Specified by:
checkApplicationResourcePrivileges in interface Role
- Parameters:
applicationName - checks privileges for the provided application name
checkForResources - check permission grants for the set of resources
checkForPrivilegeNames - check permission grants for the set of privilege names
storedPrivileges - stored ApplicationPrivilegeDescriptor for an application against which the access checks are performed
resourcePrivilegesMapBuilder - out-parameter for returning the details on which privilege over which resource is granted or not. Can be null when no such details are needed so the method can return early, after encountering the first privilege that is not granted over some resource.
- Returns:
true when all the privileges are granted over all the resources, or false otherwise
-
checkRunAs
Description copied from interface: Role
Check if the role is allowed to run-as the given username.
- Specified by:
checkRunAs in interface Role
- Parameters:
runAs -
- Returns:
-
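The intersection semantics described for checkIndicesPrivileges above, and the effect of passing a null details builder, shown as an added sketch that is not Elasticsearch code. SimpleRole, Limited and the sample roles are hypothetical, and index names are matched exactly here rather than by pattern.

```java
import java.util.*;

// Simplified model of the limited-by semantics; NOT Elasticsearch code.
// SimpleRole, Limited and the sample roles are hypothetical names.
public class LimitedRoleSketch {
    /** Hypothetical stand-in for Role: index name -> granted index privileges. */
    record SimpleRole(Map<String, Set<String>> grants) {
        boolean allows(String index, String privilege) {
            return grants.getOrDefault(index, Set.of()).contains(privilege);
        }
    }

    /** Effective permission = base role AND limited-by role. */
    record Limited(SimpleRole base, SimpleRole limitedBy) {
        // "details" plays the part of the nullable builder out-parameter:
        // when it is null the check stops at the first privilege not granted.
        boolean checkIndicesPrivileges(Set<String> indices, Set<String> privileges,
                                       Map<String, Map<String, Boolean>> details) {
            boolean all = true;
            for (String index : indices) {
                for (String p : privileges) {
                    boolean ok = base.allows(index, p) && limitedBy.allows(index, p);
                    if (details != null) {
                        details.computeIfAbsent(index, k -> new TreeMap<>()).put(p, ok);
                    } else if (!ok) {
                        return false; // early return, no details requested
                    }
                    all &= ok;
                }
            }
            return all;
        }
    }

    public static void main(String[] args) {
        // Constructed sample roles.
        SimpleRole base = new SimpleRole(Map.of("logs-app", Set.of("read", "write")));
        SimpleRole limitedBy = new SimpleRole(Map.of("logs-app", Set.of("read"),
                                                     "metrics", Set.of("read")));
        Limited role = new Limited(base, limitedBy);
        Map<String, Map<String, Boolean>> details = new TreeMap<>();
        boolean granted = role.checkIndicesPrivileges(
            new TreeSet<>(Set.of("logs-app", "metrics")),
            new TreeSet<>(Set.of("read", "write")), details);
        // write on logs-app is denied by limitedBy; metrics is denied by base
        System.out.println(granted + " " + details);
        System.out.println(role.checkIndicesPrivileges(Set.of("logs-app"), Set.of("read"), null));
    }
}
```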