From ca66928df983bef49ddd2cd7c7a8f78c7c166c3b Mon Sep 17 00:00:00 2001
From: Nils Bandener
Date: Wed, 30 Oct 2024 07:26:17 +0100
Subject: [PATCH] Added comment
Signed-off-by: Nils Bandener
---
 .../security/privileges/ActionPrivileges.java | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
index f46a8e11cd..aecf636274 100644
--- a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
+++ b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
@@ -700,6 +700,22 @@ static class IndexPrivileges {
 this.explicitlyRequiredIndexActions = explicitlyRequiredIndexActions;
 }
+ /**
+ * Checks whether this instance provides privileges for the combination of the provided action,
+ * the provided indices and the provided roles.
+ *

+ * Returns a PrivilegesEvaluatorResponse with allowed=true if privileges are available.
+ *

+ * If privileges are only available for a sub-set of indices, isPartiallyOk() will return true
+ * and the indices for which privileges are available are returned by getAvailableIndices(). This allows the
+ * do_not_fail_on_forbidden behaviour.
+ *

+ * This method will only verify privileges for the index/action combinations which are un-checked in
+ * the checkTable instance provided to this method. Checked index/action combinations are considered to be
+ * "already fulfilled by other means" - usually that comes from the stateful data structure.
+ * As a side-effect, this method will further mark the available index/action combinations in the provided
+ * checkTable instance as checked.
+ */
 PrivilegesEvaluatorResponse providesPrivilege(
 PrivilegesEvaluationContext context,
 Set actions,
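Review bot: The new Javadoc on providesPrivilege mentions the checkTable contract only in passing, although it is the security-relevant part: per its last paragraph, any index/action cell that arrives already checked is treated as authorized and is not verified again, and the method itself marks further cells as checked. I would state that as an explicit precondition on the caller, e.g. `@param checkTable in/out; cells already checked on entry are trusted as authorized and must only have been set by a prior privilege check`, and add an `@return` covering the allowed and isPartiallyOk() cases. The first sentence also speaks of "the provided action" and "the provided roles" while the visible signature takes `context` and a set `actions`; presumably the roles are read from the context, which is worth saying in an `@param context` line. The parameter list continues outside the hunk, so the declared type of checkTable is not visible here.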