Module org.elasticsearch.xcore
Interface Role
- All Known Implementing Classes:
LimitedRole,SimpleRole
public interface Role
-
Nested Class Summary
Nested Classes -
Field Summary
Fields -
Method Summary
Modifier and TypeMethodDescriptionorg.apache.lucene.util.automaton.AutomatonallowedActionsMatcher(String index) Returns anAutomatonthat matches all action names allowed for the given indexallowedIndicesMatcher(String action) authorize(String action, Set<String> requestedIndicesOrAliases, ProjectMetadata metadata, FieldPermissionsCache fieldPermissionsCache) Returns whether at least one group encapsulated by this indices permissions is authorized to execute the specified action with the requested indices/aliases.static Role.Builderbuilder(RestrictedIndices restrictedIndices, String... names) static SimpleRolebuildFromRoleDescriptor(RoleDescriptor roleDescriptor, FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) static SimpleRolebuildFromRoleDescriptor(RoleDescriptor roleDescriptor, FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices, Collection<ApplicationPrivilegeDescriptor> storedApplicationPrivilegeDescriptors) booleancheckApplicationResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder) For a given application, checks for the privileges for resources and returns an instance ofResourcePrivilegesMapholding a map of resource toResourcePrivilegeswhere the resource is application resource and the map of application privilege to whether it is allowed or not.booleancheckClusterAction(String action, TransportRequest request, Authentication authentication) Check if cluster permissions allow for the given action in the context of given authentication.booleancheckIndicesAction(String action) Check if indices permissions allow for the given actionbooleancheckIndicesPrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder) For given index patterns and index privileges determines allowed privileges and creates an instance ofResourcePrivilegesMapholding a map of resource toResourcePrivilegeswhere resource is index pattern and the map of index privilege to whether it is allowed or not.booleancheckRunAs(String runAsName) Check if the role is allowed to run-as the given username.cluster()forWorkflow(String workflow) This method returns an effective role for the given workflow if role has workflows restriction (i.e.getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias, TransportVersion remoteClusterVersion) Returns the intersection of role descriptors defined for a remote cluster with the given alias.booleangrants(ClusterPrivilege clusterPrivilege) Check if cluster permissions grants the given cluster privilegebooleanWhether the Role has any field or document level security enabled index privilegesbooleanindices()default RoleCreates aLimitedRolethat uses this Role as base and the given role as limited-by.String[]names()runAs()
-
Field Details
-
REMOTE_USER_ROLE_NAME
- See Also:
-
EMPTY
-
EMPTY_RESTRICTED_BY_WORKFLOW
-
-
Method Details
-
names
String[] names() -
cluster
ClusterPermission cluster() -
indices
IndicesPermission indices() -
application
ApplicationPermission application() -
runAs
RunAsPermission runAs() -
remoteIndices
RemoteIndicesPermission remoteIndices() -
remoteCluster
RemoteClusterPermissions remoteCluster() -
hasWorkflowsRestriction
boolean hasWorkflowsRestriction() -
forWorkflow
This method returns an effective role for the given workflow if role has workflows restriction (i.e.hasWorkflowsRestriction()is true). Otherwise, this method returns an unchanged role. The returned effective role can be anEMPTY_RESTRICTED_BY_WORKFLOWwhen the given workflow is not one of the workflows to which this role is restricted. The workflows to which a role can be restricted are static and defined inWorkflowResolver. -
hasFieldOrDocumentLevelSecurity
boolean hasFieldOrDocumentLevelSecurity()Whether the Role has any field or document level security enabled index privileges- Returns:
-
allowedIndicesMatcher
- Returns:
- A predicate that will match all the indices that this role has the privilege for executing the given action on.
-
allowedActionsMatcher
Returns anAutomatonthat matches all action names allowed for the given index -
checkRunAs
Check if the role is allowed to run-as the given username.- Parameters:
runAsName-- Returns:
-
checkIndicesAction
Check if indices permissions allow for the given action- Parameters:
action- indices action- Returns:
trueif action is allowed else returnsfalse
-
checkIndicesPrivileges
boolean checkIndicesPrivileges(Set<String> checkForIndexPatterns, boolean allowRestrictedIndices, Set<String> checkForPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder) For given index patterns and index privileges determines allowed privileges and creates an instance ofResourcePrivilegesMapholding a map of resource toResourcePrivilegeswhere resource is index pattern and the map of index privilege to whether it is allowed or not.- Parameters:
checkForIndexPatterns- check permission grants for the set of index patternsallowRestrictedIndices- iftruethen checks permission grants even for restricted indices by index matchingcheckForPrivileges- check permission grants for the set of index privilegesresourcePrivilegesMapBuilder- out-parameter for returning the details on which privilege over which resource is granted or not. Can benullwhen no such details are needed so the method can return early, after encountering the first privilege that is not granted over some resource.- Returns:
truewhen all the privileges are granted over all the resources, orfalseotherwise
-
checkClusterAction
Check if cluster permissions allow for the given action in the context of given authentication.- Parameters:
action- cluster actionrequest-TransportRequestauthentication-Authentication- Returns:
trueif action is allowed else returnsfalse
-
grants
Check if cluster permissions grants the given cluster privilege- Parameters:
clusterPrivilege- cluster privilege- Returns:
trueif cluster privilege is allowed else returnsfalse
-
checkApplicationResourcePrivileges
boolean checkApplicationResourcePrivileges(String applicationName, Set<String> checkForResources, Set<String> checkForPrivilegeNames, Collection<ApplicationPrivilegeDescriptor> storedPrivileges, @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder) For a given application, checks for the privileges for resources and returns an instance ofResourcePrivilegesMapholding a map of resource toResourcePrivilegeswhere the resource is application resource and the map of application privilege to whether it is allowed or not.- Parameters:
applicationName- checks privileges for the provided application namecheckForResources- check permission grants for the set of resourcescheckForPrivilegeNames- check permission grants for the set of privilege namesstoredPrivileges- storedApplicationPrivilegeDescriptorfor an application against which the access checks are performedresourcePrivilegesMapBuilder- out-parameter for returning the details on which privilege over which resource is granted or not. Can benullwhen no such details are needed so the method can return early, after encountering the first privilege that is not granted over some resource.- Returns:
truewhen all the privileges are granted over all the resources, orfalseotherwise
-
authorize
IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, ProjectMetadata metadata, FieldPermissionsCache fieldPermissionsCache) Returns whether at least one group encapsulated by this indices permissions is authorized to execute the specified action with the requested indices/aliases. At the same time if field and/or document level security is configured for any group also the allowed fields and role queries are resolved. -
getRoleDescriptorsIntersectionForRemoteCluster
RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluster(String remoteClusterAlias, TransportVersion remoteClusterVersion) Returns the intersection of role descriptors defined for a remote cluster with the given alias.- Parameters:
remoteClusterAlias- the remote cluster alias for which to return a role descriptors intersectionremoteClusterVersion- the version of the remote cluster- Returns:
- an intersection of role descriptors that describe the remote privileges towards a given cluster, otherwise an empty intersection if remote privileges are not defined
-
limitedBy
Creates aLimitedRolethat uses this Role as base and the given role as limited-by. -
builder
- Parameters:
restrictedIndices- An automaton that can determine whether a string names a restricted index. For simple unit tests, this can beAutomatons.EMPTY.names- Names of roles.- Returns:
- A builder for a role
-
buildFromRoleDescriptor
static SimpleRole buildFromRoleDescriptor(RoleDescriptor roleDescriptor, FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) -
buildFromRoleDescriptor
static SimpleRole buildFromRoleDescriptor(RoleDescriptor roleDescriptor, FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices, Collection<ApplicationPrivilegeDescriptor> storedApplicationPrivilegeDescriptors)
-