Commit

Fixed READ_ACTIONS required by TermsAggregationEvaluator
The READ_ACTIONS array is passed by TermsAggregationEvaluator to securityRoles.getAllPermittedIndicesForDashboards() which checks whether privileges are available for all actions specified in READ_ACTIONS. READ_ACTIONS also contained the string "indices:data/read/field_caps*", which is actually wrong, because it is not an action but looks like a pattern. However, the code behind securityRoles.getAllPermittedIndicesForDashboards() will never treat these strings as patterns. The "*" is only considered a normal, bare character. Patterns (via the WildcardMatcher class) will only be applied to these strings.

This had the effect that a bare privilege "indices:data/read/field_caps" was not sufficient to fulfill the requirement. It was necessary to have either "indices:data/read/field_caps*" in one's roles.yml or something broader like "indices:data/read/*". The latter is the most likely case, which is the reason why in most cases this goes unnoticed.

Signed-off-by: Nils Bandener <[email protected]>
nibix committed Jul 19, 2024
1 parent 26a4c0b commit 94c756f
Showing 1 changed file with 1 addition and 3 deletions.
Expand Up @@ -53,9 +53,7 @@ public class TermsAggregationEvaluator {
"indices:data/read/mget",
"indices:data/read/get",
"indices:data/read/search",
"indices:data/read/field_caps*"
// "indices:admin/mappings/fields/get*"
};
"indices:data/read/field_caps" };

private static final QueryBuilder NONE_QUERY = new MatchNoneQueryBuilder();
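
Review bot: the READ_ACTIONS array in this hunk has no comment saying that its entries must be concrete action names, so the mistake corrected on its last element (`"indices:data/read/field_caps*"` becoming `"indices:data/read/field_caps"`) can return with the next edit. Suggest a one-line comment above the array stating that each entry is compared as a literal string against the patterns granted in the roles and that wildcards are not allowed here. The removed `// "indices:admin/mappings/fields/get*"` line had the same shape, so it is worth confirming that action is intentionally not required rather than dropped as cleanup. Since the commit changes only this one file, a regression test is also missing: one asserting that a role granting only the bare `indices:data/read/field_caps` together with the other listed read actions is accepted by securityRoles.getAllPermittedIndicesForDashboards() would pin the behaviour described in the commit message.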
