Skip to content

Commit

Permalink
Replaced uses of SecurityRoles by Set<String> mappedRoles where the S…
Browse files Browse the repository at this point in the history
…ecurityRoles functionality is not needed.

Signed-off-by: Nils Bandener <[email protected]>
  • Loading branch information
nibix committed Jun 11, 2024
1 parent 8c722f6 commit 4ca4106
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 12 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -295,7 +295,7 @@ public PrivilegesEvaluatorResponse evaluate(
"No cluster-level perm match for {} [Action [{}]] [RolesChecked {}]. No permissions for {}",
user,
action0,
securityRoles.getRoleNames(),
mappedRoles,
presponse.missingPrivileges
);
} else {
Expand Down Expand Up @@ -332,7 +332,7 @@ public PrivilegesEvaluatorResponse evaluate(
}

// Protected index access
if (protectedIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, securityRoles).isComplete()) {
if (protectedIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, mappedRoles).isComplete()) {
return presponse;
}

Expand Down Expand Up @@ -373,7 +373,7 @@ public PrivilegesEvaluatorResponse evaluate(
user,
requestedResolved,
action0,
securityRoles.getRoleNames(),
mappedRoles,
presponse.missingPrivileges
);
return presponse;
Expand Down Expand Up @@ -470,7 +470,7 @@ public PrivilegesEvaluatorResponse evaluate(

if (isDebugEnabled) {
log.debug("Requested resolved index types: {}", requestedResolved);
log.debug("Security roles: {}", securityRoles.getRoleNames());
log.debug("Security roles: {}", mappedRoles);
}

// TODO exclude Security index
Expand Down Expand Up @@ -560,7 +560,7 @@ public PrivilegesEvaluatorResponse evaluate(
user,
requestedResolved,
action0,
securityRoles.getRoleNames()
mappedRoles
);
log.info("No permissions for {}", presponse.missingPrivileges);
} else {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
Expand All @@ -23,7 +24,6 @@
import org.opensearch.common.settings.Settings;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.resolver.IndexResolverReplacer;
import org.opensearch.security.securityconf.SecurityRoles;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.support.WildcardMatcher;
import org.opensearch.tasks.Task;
Expand Down Expand Up @@ -73,31 +73,29 @@ public PrivilegesEvaluatorResponse evaluate(
final String action,
final IndexResolverReplacer.Resolved requestedResolved,
final PrivilegesEvaluatorResponse presponse,
final SecurityRoles securityRoles
final Set<String> mappedRoles
) {
if (!protectedIndexEnabled) {
return presponse;
}
if (!requestedResolved.isLocalAll()
&& indexMatcher.matchAny(requestedResolved.getAllIndices())
&& deniedActionMatcher.test(action)
&& !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) {
&& !allowedRolesMatcher.matchAny(mappedRoles)) {
auditLog.logMissingPrivileges(action, request, task);
log.warn("{} for '{}' index/indices is not allowed for a regular user", action, indexMatcher);
presponse.allowed = false;
return presponse.markComplete();
}

if (requestedResolved.isLocalAll()
&& deniedActionMatcher.test(action)
&& !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) {
if (requestedResolved.isLocalAll() && deniedActionMatcher.test(action) && !allowedRolesMatcher.matchAny(mappedRoles)) {
auditLog.logMissingPrivileges(action, request, task);
log.warn("{} for '_all' indices is not allowed for a regular user", action);
presponse.allowed = false;
return presponse.markComplete();
}
if ((requestedResolved.isLocalAll() || indexMatcher.matchAny(requestedResolved.getAllIndices()))
&& !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) {
&& !allowedRolesMatcher.matchAny(mappedRoles)) {

final boolean isDebugEnabled = log.isDebugEnabled();
if (request instanceof SearchRequest) {
Expand Down

0 comments on commit 4ca4106

Please sign in to comment.