Interface ImplicitPrivilegesProvider


public interface ImplicitPrivilegesProvider
Provides additional RoleDescriptor.IndicesPrivileges that should be implicitly granted based on a user's application privileges.

Each registered provider is invoked with the resolved ResolvedApplicationPrivileges to consider, and any returned RoleDescriptor.IndicesPrivileges are merged in as if they had been declared explicitly. A provider is not invoked when there are no application privileges to consider, so it cannot contribute privileges independent of them.

Implementations are expected to be side-effect-free and fast; they run on the hot path of role resolution. An exception thrown by a provider propagates out of role building and fails authorization for the affected user.

  • Method Details

    • getImplicitIndicesPrivileges

      Collection<RoleDescriptor.IndicesPrivileges> getImplicitIndicesPrivileges(Collection<ResolvedApplicationPrivilege> applicationPrivileges)
      Returns additional index privileges that should be implicitly added to the role based on the given resolved application privileges.

      Each ResolvedApplicationPrivilege bundles a resolved ApplicationPrivilege (whose predicate already matches every action the grant authorizes — resolved stored-privilege actions as well as raw action patterns written directly under privileges[]) with the resources it applies to. Providers should test for the action(s) they care about via privilege().predicate().test(action) rather than rebuilding a matcher, and read the granted resources from ResolvedApplicationPrivilege.resources().

      Parameters:
      applicationPrivileges - the resolved application-privilege grants to consider; never null
      Returns:
      additional index privileges to merge into the role, or an empty collection if none