Class IndicesAccessControl.IndexAccessControl
- All Implemented Interfaces:
CacheKey
- Enclosing class:
IndicesAccessControl
-
Field Summary
Fields -
Constructor Summary
ConstructorsConstructorDescriptionIndexAccessControl(FieldPermissions fieldPermissions, DocumentPermissions documentPermissions) IndexAccessControl(FieldPermissions fieldPermissions, DocumentPermissions documentPermissions, boolean dlsFlsImplicit) -
Method Summary
Modifier and TypeMethodDescriptionvoidNote:dlsFlsImplicitis deliberately excluded from the cache key.booleaninthashCode()booleanWhether the DLS/FLS on this index was contributed exclusively by implicit grants — for example, those derived from application privileges via an ImplicitPrivilegesProvider rather than by anything declared in the role definition.limitIndexAccessControl(IndicesAccessControl.IndexAccessControl limitedByIndexAccessControl) Returns an instance ofIndicesAccessControl.IndexAccessControl, where the privileges forthisobject are constrained by the privileges contained in the provided parameter.
Allowed fields for this index permission would be an intersection of allowed fields.
Allowed documents for this index permission would be an intersection of allowed documents.
The result is marked implicit when every side that contributed DLS or FLS was already implicit; see the inline rationale.toString()
-
Field Details
-
ALLOW_ALL
-
-
Constructor Details
-
IndexAccessControl
public IndexAccessControl(FieldPermissions fieldPermissions, DocumentPermissions documentPermissions) -
IndexAccessControl
public IndexAccessControl(FieldPermissions fieldPermissions, DocumentPermissions documentPermissions, boolean dlsFlsImplicit)
-
-
Method Details
-
getFieldPermissions
- Returns:
- The allowed fields for this index permissions.
-
getDocumentPermissions
- Returns:
- The allowed documents expressed as a query for this index permission. If
nullis returned then this means that there are no document level restrictions
-
isDlsFlsImplicit
public boolean isDlsFlsImplicit()Whether the DLS/FLS on this index was contributed exclusively by implicit grants — for example, those derived from application privileges via an ImplicitPrivilegesProvider rather than by anything declared in the role definition.Used to gate license enforcement and feature-usage tracking for DLS/FLS. Returns
trueonly whengetFieldPermissions()orgetDocumentPermissions()carry actual restrictions and every contributor of those restrictions was implicit; an index without any DLS or FLS therefore reportsfalse. If any explicit DLS/FLS contributed to this index — even alongside implicit grants — the flag isfalseand the strictest semantics apply.When two
IndicesAccessControl.IndexAccessControlinstances are composed vialimitIndexAccessControl(org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.IndexAccessControl)(e.g. for API-key or run-as flows), the result is implicit when every side that contributed DLS/FLS was already implicit. A side with no DLS/FLS is neutral. See that method. -
limitIndexAccessControl
public IndicesAccessControl.IndexAccessControl limitIndexAccessControl(IndicesAccessControl.IndexAccessControl limitedByIndexAccessControl) Returns an instance ofIndicesAccessControl.IndexAccessControl, where the privileges forthisobject are constrained by the privileges contained in the provided parameter.
Allowed fields for this index permission would be an intersection of allowed fields.
Allowed documents for this index permission would be an intersection of allowed documents.
The result is marked implicit when every side that contributed DLS or FLS was already implicit; see the inline rationale.- Parameters:
limitedByIndexAccessControl-IndicesAccessControl.IndexAccessControl- Returns:
IndicesAccessControl.IndexAccessControl- See Also:
-
toString
-
buildCacheKey
public void buildCacheKey(StreamOutput out, SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext context) throws IOException Note:dlsFlsImplicitis deliberately excluded from the cache key. Two entries with the same DLS queries and FLS restrictions produce identical query results regardless of whether the restrictions were contributed implicitly (via application-privilege-derived grants) or explicitly (via a role definition), so the request cache should be shared across them.- Specified by:
buildCacheKeyin interfaceCacheKey- Throws:
IOException
-
equals
-
hashCode
public int hashCode()
-