Class CompositeRolesStore
- See Also:
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionprotected static final recordA wrapper class to apply a project-id to another object. -
Constructor Summary
ConstructorsConstructorDescriptionCompositeRolesStore(Settings settings, ClusterService clusterService, RoleProviders roleProviders, NativePrivilegeStore privilegeStore, ThreadContext threadContext, XPackLicenseState licenseState, FieldPermissionsCache fieldPermissionsCache, ApiKeyService apiKeyService, ServiceAccountService serviceAccountService, ProjectResolver projectResolver, DocumentSubsetBitsetCache dlsBitsetCache, RestrictedIndices restrictedIndices, Executor roleBuildingExecutor, Consumer<Collection<RoleDescriptor>> effectiveRoleDescriptorsConsumer, List<ImplicitPrivilegesProvider> implicitPrivilegesProviders) -
Method Summary
Modifier and TypeMethodDescriptionvoidaddImplicitPrivilegesToRoles(Collection<RoleDescriptor> roleDescriptors, ActionListener<Collection<RoleDescriptor>> listener) Decorates each of the given role descriptors with the implicit index privileges its own application privileges would yield, returning a descriptor per input role.static voidbuildRoleFromDescriptors(Collection<RoleDescriptor> roleDescriptors, FieldPermissionsCache fieldPermissionsCache, NativePrivilegeStore privilegeStore, RestrictedIndices restrictedIndices, ActionListener<Role> listener, List<ImplicitPrivilegesProvider> implicitPrivilegesProviders, boolean dlsFlsEnabled) voidbuildRoleFromRoleReference(RoleReference roleReference, ProjectId projectId, ActionListener<Role> roleActionListener) protected RolevoidgetRole(Subject subject, ActionListener<Role> roleActionListener) voidgetRoleDescriptors(Subject subject, ActionListener<Set<RoleDescriptor>> listener) voidgetRoles(Authentication authentication, ActionListener<Tuple<Role, Role>> roleActionListener) voidinvalidate(String role) voidvoidinvalidateClusterScopedRoles(Set<String> roles) voidvoidinvalidateProject(ProjectId projectId) voidonSecurityIndexStateChange(ProjectId projectId, SecurityIndexManager.IndexState previousState, SecurityIndexManager.IndexState currentState) voidusageStats(ActionListener<Map<String, Object>> listener)
-
Constructor Details
-
CompositeRolesStore
public CompositeRolesStore(Settings settings, ClusterService clusterService, RoleProviders roleProviders, NativePrivilegeStore privilegeStore, ThreadContext threadContext, XPackLicenseState licenseState, FieldPermissionsCache fieldPermissionsCache, ApiKeyService apiKeyService, ServiceAccountService serviceAccountService, ProjectResolver projectResolver, DocumentSubsetBitsetCache dlsBitsetCache, RestrictedIndices restrictedIndices, Executor roleBuildingExecutor, Consumer<Collection<RoleDescriptor>> effectiveRoleDescriptorsConsumer, List<ImplicitPrivilegesProvider> implicitPrivilegesProviders)
-
-
Method Details
-
getRoles
public void getRoles(Authentication authentication, ActionListener<Tuple<Role, Role>> roleActionListener) -
getRole
-
getInternalUserRole
-
buildRoleFromRoleReference
public void buildRoleFromRoleReference(RoleReference roleReference, ProjectId projectId, ActionListener<Role> roleActionListener) -
getRoleDescriptors
-
buildRoleFromDescriptors
public static void buildRoleFromDescriptors(Collection<RoleDescriptor> roleDescriptors, FieldPermissionsCache fieldPermissionsCache, NativePrivilegeStore privilegeStore, RestrictedIndices restrictedIndices, ActionListener<Role> listener, List<ImplicitPrivilegesProvider> implicitPrivilegesProviders, boolean dlsFlsEnabled) -
addImplicitPrivilegesToRoles
public void addImplicitPrivilegesToRoles(Collection<RoleDescriptor> roleDescriptors, ActionListener<Collection<RoleDescriptor>> listener) Decorates each of the given role descriptors with the implicit index privileges its own application privileges would yield, returning a descriptor per input role. This backs theinclude_implicitoption of the get-role API, whose response lists each role separately, so implicit privileges must be attributable to an individual role.Accordingly,
ImplicitPrivilegesProviders are invoked per role descriptor here — each sees only that descriptor's resolved application privileges. This differs from runtime role building (seebuildRoleFromDescriptors(java.util.Collection<org.elasticsearch.xpack.core.security.authz.RoleDescriptor>, org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache, org.elasticsearch.xpack.security.authz.store.NativePrivilegeStore, org.elasticsearch.xpack.core.security.authz.RestrictedIndices, org.elasticsearch.action.ActionListener<org.elasticsearch.xpack.core.security.authz.permission.Role>, java.util.List<org.elasticsearch.xpack.core.security.authz.privilege.ImplicitPrivilegesProvider>, boolean)), where a provider is invoked once with the union of application privileges across all of the user's roles. For a provider whose grants depend on combining application privileges from different roles, the implicit privileges reported for a role in isolation may therefore be a subset of what the user is granted at runtime. This divergence is intentional and part of the get-role API contract; seeImplicitPrivilegesProvider. -
invalidateProject
public void invalidateProject() -
invalidateProject
-
invalidateAll
public void invalidateAll() -
invalidate
-
invalidateClusterScopedRoles
-
usageStatsWithJustDls
-
usageStats
-
onSecurityIndexStateChange
public void onSecurityIndexStateChange(ProjectId projectId, SecurityIndexManager.IndexState previousState, SecurityIndexManager.IndexState currentState) -
getSettings
-