From 05890d5b240e22032fe0125cb6e166a862a2e64b Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 14 Oct 2024 16:02:44 -0400
Subject: [PATCH] Create common method for getting SecurityRoles and move plugin specific logic into method

Signed-off-by: Craig Perkins
---
 .../SystemIndexSearcherWrapper.java | 2 +-
 .../privileges/PrivilegesEvaluator.java | 30 +++++++++++--------
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/src/main/java/org/opensearch/security/configuration/SystemIndexSearcherWrapper.java b/src/main/java/org/opensearch/security/configuration/SystemIndexSearcherWrapper.java
index 8e89b60712..c8cc6885d2 100644
--- a/src/main/java/org/opensearch/security/configuration/SystemIndexSearcherWrapper.java
+++ b/src/main/java/org/opensearch/security/configuration/SystemIndexSearcherWrapper.java
@@ -167,7 +167,7 @@ protected final boolean isBlockedSystemIndexRequest() {
 }
 final TransportAddress caller = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
 final Set mappedRoles = evaluator.mapRoles(user, caller);
- final SecurityRoles securityRoles = evaluator.getSecurityRoles(mappedRoles);
+ final SecurityRoles securityRoles = evaluator.filterSecurityRolesFromCache(mappedRoles);
 return !securityRoles.isPermittedOnSystemIndex(index.getName());
 }
 return true;
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index 195f819f7b..1d904fc5bb 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
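Review bot: The system-index permission check on the `+` line still resolves plugin users through `filterSecurityRolesFromCache(mappedRoles)`, while `evaluate` now routes them to `getSecurityRoleForPlugin(user.getName())` via the new `getSecurityRoles(User, Set)`, so a plugin user may be authorized against different roles depending on which path it takes; `user` is already in scope here (`evaluator.mapRoles(user, caller)`). If bypassing the plugin special-case is deliberate, for example to avoid the thread-context update that `getSecurityRoles(User, Set)` performs, a comment would make that clear: `// Deliberately not calling getSecurityRoles(user, ...) here: the plugin-user branch and the thread-context update are not wanted in the searcher wrapper.` Otherwise consider a side-effect-free resolver that still honours `user.isPluginUser()`. `isBlockedSystemIndexRequest` starts outside the hunk.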
@@ -194,7 +194,22 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
 this.dcm = dcm;
 }
 
- public SecurityRoles getSecurityRoles(Set roles) {
+ public SecurityRoles getSecurityRoles(User user, Set roles) {
+ SecurityRoles securityRoles;
+ if (user.isPluginUser()) {
+ securityRoles = getSecurityRoleForPlugin(user.getName());
+ } else {
+ securityRoles = filterSecurityRolesFromCache(roles);
+
+ // Add the security roles for this user so that they can be used for DLS parameter substitution.
+ user.addSecurityRoles(roles);
+ setUserInfoInThreadContext(user);
+ }
+
+ return securityRoles;
+ }
+
+ public SecurityRoles filterSecurityRolesFromCache(Set roles) {
 return configModel.getSecurityRoles().filter(roles);
 }
 
@@ -214,7 +229,7 @@ public boolean hasRestAdminPermissions(final User user, final TransportAddress r
 }
 
 private boolean hasRestAdminPermissions(final Set roles, String permission) {
- final SecurityRoles securityRoles = getSecurityRoles(roles);
+ final SecurityRoles securityRoles = filterSecurityRolesFromCache(roles);
 return securityRoles.hasExplicitClusterPermissionPermission(permission);
 }
 
@@ -294,16 +309,7 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context)
 context.setMappedRoles(mappedRoles);
 }
 presponse.resolvedSecurityRoles.addAll(mappedRoles);
- final SecurityRoles securityRoles;
- if (user.isPluginUser()) {
- securityRoles = getSecurityRoleForPlugin(user.getName());
- } else {
- securityRoles = getSecurityRoles(mappedRoles);
- }
-
- // Add the security roles for this user so that they can be used for DLS parameter substitution.
- user.addSecurityRoles(mappedRoles);
- setUserInfoInThreadContext(user);
+ final SecurityRoles securityRoles = getSecurityRoles(user, mappedRoles);
 final boolean isDebugEnabled = log.isDebugEnabled();
 if (isDebugEnabled) {
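Review bot: In the new `getSecurityRoles(User, Set)` the `user.addSecurityRoles(roles)` / `setUserInfoInThreadContext(user)` pair now runs only in the non-plugin branch, whereas the removed lines in `evaluate` ran it unconditionally after the `if/else`, so plugin users no longer get their mapped roles recorded on the `User` or published to the thread context; if that is intended the commit message should say so, and if not, move the two lines (and their DLS comment) below the closing `}` of the `else` so both branches reach them. The method is also a getter in name only: it mutates its `user` argument and the thread context, which is presumably why `hasRestAdminPermissions` and `SystemIndexSearcherWrapper` are switched to `filterSecurityRolesFromCache` instead, so a Javadoc line such as `/** Resolves the effective roles for {@code user}; for non-plugin users this also records {@code roles} on the user and refreshes the thread-context user info (side effect). */` would make that contract explicit for future callers. `user` is dereferenced without a null check; callers presumably guarantee it, but that is worth confirming. The third hunk (`evaluate`) appears to run past the end of this chunk.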