java.lang.Object
org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping
All Implemented Interfaces:
Writeable, org.elasticsearch.xcontent.ToXContent, org.elasticsearch.xcontent.ToXContentObject

public class ExpressionRoleMapping extends Object implements org.elasticsearch.xcontent.ToXContentObject, Writeable
A representation of a single role-mapping for use in NativeRoleMappingStore. Logically, this represents a set of roles that should be applied to any user where a boolean expression evaluates to true.
  • Field Details

    • READ_ONLY_ROLE_MAPPING_SUFFIX

      public static final String READ_ONLY_ROLE_MAPPING_SUFFIX
      Reserved suffix for read-only operator-defined role mappings. This suffix is added to the name of all cluster-state role mappings returned via the TransportGetRoleMappingsAction action.
    • READ_ONLY_ROLE_MAPPING_METADATA_FLAG

      public static final String READ_ONLY_ROLE_MAPPING_METADATA_FLAG
      Reserved metadata field to mark role mappings as read-only. This field is added to the metadata of all cluster-state role mappings returned via the TransportGetRoleMappingsAction action.
  • Constructor Details

  • Method Details

    • resolveRoles

      public static Set<String> resolveRoles(UserRoleMapper.UserData user, Collection<ExpressionRoleMapping> mappings, ScriptService scriptService, org.apache.logging.log4j.Logger logger)
      Given the user information (in the form of UserRoleMapper.UserData) and a collection of ExpressionRoleMappings, this returns the set of role names that should be mapped to the user, according to the provided role mapping rules.
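The following is an added example, not Elasticsearch code: a stand-alone Python re-implementation of the rule semantics so that the outcome of resolveRoles can be traced by hand for a set of mappings. The mapping documents use the JSON shape accepted by parse(String, BytesReference, XContentType) (the body of PUT _security/role_mapping); the user dictionary mirrors the fields a UserRoleMapper.UserData exposes to rules (username, dn, groups, realm.name, metadata.*). Wildcard matching is reduced to a '*' glob and role-template rendering to {{field}} substitution, both simplifications of the real implementation; the sample mappings and users are constructed for the example.

```python
"""Added example, not Elasticsearch code: rule evaluation for role mappings."""
import json
import re


def _field_values(user, path):
    """Resolve a dotted path ('realm.name', 'metadata.dept') against the user dict.
    Always returns a list, because 'groups' is multi-valued."""
    cur = user
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return cur if isinstance(cur, list) else [cur]


def _match_value(actual, expected):
    """Simplification: a string containing '*' is treated as a glob."""
    if isinstance(expected, str) and "*" in expected:
        pattern = re.escape(expected).replace(r"\*", ".*")
        return isinstance(actual, str) and re.fullmatch(pattern, actual) is not None
    return actual == expected


def evaluate_rule(rule, user):
    """Evaluate one rule node; the node types are any / all / except / field."""
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        (path, expected), = rule["field"].items()
        actual_values = _field_values(user, path)
        if expected is None:                       # null matches a missing/null field
            return all(v is None for v in actual_values)
        expected_values = expected if isinstance(expected, list) else [expected]
        return any(_match_value(a, e) for a in actual_values for e in expected_values)
    raise ValueError(f"unknown rule type: {sorted(rule)}")


def _render_template(source, user):
    """Simplification of mustache rendering: {{field}} substitution only."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: str(user.get(m.group(1), "")), source)


def resolve_roles(user, mappings):
    """Union of the roles of every *enabled* mapping whose rules match the user.
    The mapping name never influences the result; only rules, roles and
    role_templates do."""
    roles = set()
    for mapping in mappings.values():
        if not mapping.get("enabled", True):       # disabled mappings are skipped
            continue
        if not evaluate_rule(mapping["rules"], user):
            continue
        roles.update(mapping.get("roles", []))
        for tmpl in mapping.get("role_templates", []):
            rendered = _render_template(tmpl["template"]["source"], user)
            if tmpl.get("format", "string") == "json":
                parsed = json.loads(rendered)
                roles.update(parsed if isinstance(parsed, list) else [parsed])
            else:
                roles.add(rendered)
    return roles


# Constructed sample data for the example (not from any real deployment).
SAMPLE_MAPPINGS = {
    "ldap-admins": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"all": [
            {"field": {"realm.name": "ldap1"}},
            {"field": {"groups": "cn=admins,ou=groups,dc=example,dc=com"}},
        ]},
        "metadata": {"source": "terraform"},   # ignored by the mapping process
    },
    "contractors-no-pii": {
        "enabled": True,
        "roles": ["reader"],
        "rules": {"all": [
            {"field": {"dn": "*,ou=contractors,dc=example,dc=com"}},
            {"except": {"field": {"metadata.clearance": "pii"}}},
        ]},
    },
    "legacy-everyone": {
        "enabled": False,                      # disabled: contributes nothing
        "roles": ["legacy_all_access"],
        "rules": {"field": {"realm.name": "ldap1"}},
    },
    "per-user-template": {
        "enabled": True,
        "role_templates": [{"template": {"source": "user_{{username}}"}, "format": "string"}],
        "rules": {"field": {"realm.name": "ldap1"}},
    },
}
ADMIN = {"username": "alice", "dn": "cn=alice,ou=staff,dc=example,dc=com",
         "groups": ["cn=admins,ou=groups,dc=example,dc=com"],
         "realm": {"name": "ldap1"}, "metadata": {}}
CONTRACTOR = {"username": "bob", "dn": "cn=bob,ou=contractors,dc=example,dc=com",
              "groups": [], "realm": {"name": "ldap1"}, "metadata": {"clearance": "public"}}

if __name__ == "__main__":
    print(sorted(resolve_roles(ADMIN, SAMPLE_MAPPINGS)))
    print(sorted(resolve_roles(CONTRACTOR, SAMPLE_MAPPINGS)))
```

Two points worth checking against a real deployment: a disabled mapping is skipped before its rules are even looked at, and an except rule on a metadata field passes when the field is absent, so a user whose realm supplies no metadata.clearance at all still receives the reader role.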
    • hasReadOnlySuffix

      public static boolean hasReadOnlySuffix(String name)
    • validateNoReadOnlySuffix

      public static void validateNoReadOnlySuffix(String name)
    • addReadOnlySuffix

      public static String addReadOnlySuffix(String name)
    • removeReadOnlySuffixIfPresent

      public static String removeReadOnlySuffixIfPresent(String name)
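The four suffix helpers above exist because the suffix marks a reserved namespace: cluster-state (operator-defined) mappings are reported with it appended, and native mappings must not be allowed to use it or they would be indistinguishable from operator-defined ones in GET output. The following added example, which is not Elasticsearch code, models that write-path check and the read-back annotation in Python. The concrete suffix and metadata-flag strings are not given on this page; the values used below are assumptions made only so the example runs, as are the store helpers put_native_mapping and list_mappings.

```python
"""Added example, not Elasticsearch code: reserved-suffix handling for role mappings."""

# Assumed values; the page does not state the real constants.
READ_ONLY_ROLE_MAPPING_SUFFIX = "-read-only-operator-mapping"
READ_ONLY_ROLE_MAPPING_METADATA_FLAG = "_read_only"


def has_read_only_suffix(name):
    return name.endswith(READ_ONLY_ROLE_MAPPING_SUFFIX)


def validate_no_read_only_suffix(name):
    """Reject user-supplied names in the reserved namespace, so a native mapping can
    never be created that looks like an operator-defined one when listed."""
    if has_read_only_suffix(name):
        raise ValueError(
            f"role mapping name [{name}] ends with the reserved suffix "
            f"[{READ_ONLY_ROLE_MAPPING_SUFFIX}]")


def add_read_only_suffix(name):
    return name + READ_ONLY_ROLE_MAPPING_SUFFIX


def remove_read_only_suffix_if_present(name):
    if has_read_only_suffix(name):
        return name[:-len(READ_ONLY_ROLE_MAPPING_SUFFIX)]
    return name


def put_native_mapping(native_store, name, mapping):
    """Hypothetical write path of the native store: validate before storing."""
    validate_no_read_only_suffix(name)
    native_store[name] = dict(mapping)


def list_mappings(native_store, cluster_state_store):
    """Hypothetical read path: native mappings as stored; cluster-state mappings
    with the reserved suffix appended and the read-only flag set in metadata."""
    result = {name: dict(m) for name, m in native_store.items()}
    for name, mapping in cluster_state_store.items():
        annotated = dict(mapping)
        annotated["metadata"] = {**mapping.get("metadata", {}),
                                 READ_ONLY_ROLE_MAPPING_METADATA_FLAG: True}
        result[add_read_only_suffix(name)] = annotated
    return result


def is_read_only(name, mapping):
    """A listed mapping is operator-defined if it carries both markers."""
    flag = mapping.get("metadata", {}).get(READ_ONLY_ROLE_MAPPING_METADATA_FLAG)
    return has_read_only_suffix(name) and bool(flag)


if __name__ == "__main__":
    native, cluster_state = {}, {"ops-admins": {"roles": ["admin"], "enabled": True}}
    put_native_mapping(native, "ops-admins", {"roles": ["reader"], "enabled": True})
    for n, m in list_mappings(native, cluster_state).items():
        print(n, "read-only" if is_read_only(n, m) else "native")
```

Note that a native mapping and a cluster-state mapping may share the bare name "ops-admins"; the listing keeps them apart only because the suffix is appended to the cluster-state copy, which is exactly why the native store must refuse names that already carry it.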
    • writeTo

      public void writeTo(StreamOutput out) throws IOException
      Specified by:
      writeTo in interface Writeable
      Throws:
      IOException
    • getName

      public String getName()
      The name of this mapping. The name exists for the sole purpose of providing a meaningful identifier for each mapping, so that it may be referred to for update, retrieval or deletion. The name does not affect the set of roles that a mapping provides.
    • getExpression

      public RoleMapperExpression getExpression()
      The expression that determines whether the roles in this mapping should be applied to any given user. If the expression matches a given org.elasticsearch.xpack.security.authc.support.UserRoleMapper.UserData, then that user should be assigned this mapping's roles.
    • getRoles

      public List<String> getRoles()
      The list of roles (specified by name) that should be assigned to users that match the expression in this mapping.
    • getRoleTemplates

      public List<TemplateRoleName> getRoleTemplates()
      The list of roles (specified by a template that evaluates to one or more names) that should be assigned to users that match the expression in this mapping.
    • getMetadata

      public Map<String,Object> getMetadata()
      Meta-data for this mapping. This exists for external systems or users to track information about this mapping, such as where it was sourced from, when it was loaded, etc. It is not used within the mapping process and does not affect whether the expression matches, nor which roles are assigned.
    • isEnabled

      public boolean isEnabled()
      Whether this mapping is enabled. Mappings that are not enabled are not applied to users.
    • isReadOnly

      public boolean isReadOnly()
      Whether this mapping is an operator-defined, read-only role mapping (one sourced from cluster state rather than from the native store).
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • parse

      public static ExpressionRoleMapping parse(String name, BytesReference source, org.elasticsearch.xcontent.XContentType xContentType) throws IOException
      Parse an ExpressionRoleMapping from the provided XContent
      Throws:
      IOException
    • parse

      public static ExpressionRoleMapping parse(String name, org.elasticsearch.xcontent.XContentParser parser) throws IOException
      Parse an ExpressionRoleMapping from the provided XContent
      Throws:
      IOException
    • toXContent

      public org.elasticsearch.xcontent.XContentBuilder toXContent(org.elasticsearch.xcontent.XContentBuilder builder, org.elasticsearch.xcontent.ToXContent.Params params) throws IOException
      Converts this ExpressionRoleMapping into XContent that is compatible with the format handled by parse(String, BytesReference, XContentType).
      Specified by:
      toXContent in interface org.elasticsearch.xcontent.ToXContent
      Throws:
      IOException
    • toXContent

      public org.elasticsearch.xcontent.XContentBuilder toXContent(org.elasticsearch.xcontent.XContentBuilder builder, org.elasticsearch.xcontent.ToXContent.Params params, boolean indexFormat) throws IOException
      Throws:
      IOException
    • getRoleNames

      public Set<String> getRoleNames(ScriptService scriptService, ExpressionModel model)