Tweak interface

n1v0lg · n1v0lg · commit 0b0948319bee · 2025-03-13T15:51:04.000+01:00
diff --git a/plugins/examples/security-authorization-engine/src/main/java/org/elasticsearch/example/CustomAuthorizationEngine.java b/plugins/examples/security-authorization-engine/src/main/java/org/elasticsearch/example/CustomAuthorizationEngine.java
@@ -10,6 +10,7 @@
 package org.elasticsearch.example;
 
 import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.action.support.SubscribableListener;
 import org.elasticsearch.cluster.metadata.IndexAbstraction;
 import org.elasticsearch.cluster.metadata.ProjectMetadata;
@@ -119,19 +120,19 @@ public void loadAuthorizedIndices(
     ) {
         if (isSuperuser(requestInfo.getAuthentication().getEffectiveSubject().getUser())) {
             listener.onResponse(new AuthorizedIndices() {
-                public Set<String> all(@Nullable String selector) {
+                public Set<String> all(IndexComponentSelector selector) {
                     return () -> indicesLookup.keySet();
                 }
-                public boolean check(String name, @Nullable String selector) {
+                public boolean check(String name, IndexComponentSelector selector) {
                     return indicesLookup.containsKey(name);
                 }
             });
         } else {
             listener.onResponse(new AuthorizedIndices() {
-                public Set<String> all(@Nullable String selector) {
+                public Set<String> all(IndexComponentSelector selector) {
                     return () -> Set.of();
                 }
-                public boolean check(String name, @Nullable String selector) {
+                public boolean check(String name, IndexComponentSelector selector) {
                     return false;
                 }
             });
diff --git a/server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolver.java b/server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolver.java
@@ -37,8 +37,8 @@ public List<String> resolveIndexAbstractions(
         Iterable<String> indices,
         IndicesOptions indicesOptions,
         ProjectMetadata projectMetadata,
-        Function<String, Set<String>> allAuthorizedAndAvailableBySelector,
-        BiPredicate<String, String> isAuthorized,
+        Function<IndexComponentSelector, Set<String>> allAuthorizedAndAvailableBySelector,
+        BiPredicate<String, IndexComponentSelector> isAuthorized,
         boolean includeDataStreams
     ) {
         List<String> finalIndices = new ArrayList<>();
@@ -63,6 +63,7 @@ public List<String> resolveIndexAbstractions(
                         + "]"
                 );
             }
+            IndexComponentSelector selector = IndexComponentSelector.getByKeyOrThrow(selectorString);
             indexAbstraction = expressionAndSelector.v1();
 
             // we always need to check for date math expressions
@@ -71,7 +72,7 @@ public List<String> resolveIndexAbstractions(
             if (indicesOptions.expandWildcardExpressions() && Regex.isSimpleMatchPattern(indexAbstraction)) {
                 wildcardSeen = true;
                 Set<String> resolvedIndices = new HashSet<>();
-                for (String authorizedIndex : allAuthorizedAndAvailableBySelector.apply(selectorString)) {
+                for (String authorizedIndex : allAuthorizedAndAvailableBySelector.apply(selector)) {
                     if (Regex.simpleMatch(indexAbstraction, authorizedIndex)
                         && isIndexVisible(
                             indexAbstraction,
@@ -102,7 +103,7 @@ && isIndexVisible(
                 resolveSelectorsAndCollect(indexAbstraction, selectorString, indicesOptions, resolvedIndices, projectMetadata);
                 if (minus) {
                     finalIndices.removeAll(resolvedIndices);
-                } else if (indicesOptions.ignoreUnavailable() == false || isAuthorized.test(indexAbstraction, selectorString)) {
+                } else if (indicesOptions.ignoreUnavailable() == false || isAuthorized.test(indexAbstraction, selector)) {
                     // Unauthorized names are considered unavailable, so if `ignoreUnavailable` is `true` they should be silently
                     // discarded from the `finalIndices` list. Other "ways of unavailable" must be handled by the action
                     // handler, see: https://github.com/elastic/elasticsearch/issues/90215
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java
@@ -293,12 +293,12 @@ interface AuthorizedIndices {
          * at a fixed point in time (for a single cluster state view).
          * The result is cached and subsequent calls to this method are idempotent.
          */
-        Set<String> all(@Nullable String selector);
+        Set<String> all(IndexComponentSelector selector);
 
         /**
          * Checks if an index-like resource name is authorized, for an action by a user. The resource might or might not exist.
          */
-        boolean check(String name, @Nullable String selector);
+        boolean check(String name, IndexComponentSelector selector);
     }
 
     /**
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
@@ -322,7 +322,9 @@ ResolvedIndices resolveIndicesAndAliases(
                     );
                 }
                 if (indicesOptions.expandWildcardExpressions()) {
-                    for (String authorizedIndex : authorizedIndices.all(allIndicesPatternSelector)) {
+                    for (String authorizedIndex : authorizedIndices.all(
+                        IndexComponentSelector.getByKeyOrThrow(allIndicesPatternSelector)
+                    )) {
                         if (IndexAbstractionResolver.isIndexVisible(
                             "*",
                             allIndicesPatternSelector,
@@ -432,7 +434,7 @@ ResolvedIndices resolveIndicesAndAliases(
      */
     static String getPutMappingIndexOrAlias(
         PutMappingRequest request,
-        BiPredicate<String, String> isAuthorized,
+        BiPredicate<String, IndexComponentSelector> isAuthorized,
         ProjectMetadata projectMetadata
     ) {
         final String concreteIndexName = request.getConcreteIndex().getName();
@@ -451,7 +453,7 @@ static String getPutMappingIndexOrAlias(
                     + "], but a concrete index is expected"
             );
             // we know this is implicit data access (as opposed to another selector) so the default selector check is correct
-        } else if (isAuthorized.test(concreteIndexName, null)) {
+        } else if (isAuthorized.test(concreteIndexName, IndexComponentSelector.DATA)) {
             // user is authorized to put mappings for this index
             resolvedAliasOrIndex = concreteIndexName;
         } else {
@@ -462,7 +464,7 @@ static String getPutMappingIndexOrAlias(
             if (aliasMetadata != null) {
                 Optional<String> foundAlias = aliasMetadata.stream().map(AliasMetadata::alias).filter(aliasName -> {
                     // we know this is implicit data access (as opposed to another selector) so the default selector check is correct
-                    if (false == isAuthorized.test(aliasName, null)) {
+                    if (false == isAuthorized.test(aliasName, IndexComponentSelector.DATA)) {
                         return false;
                     }
                     IndexAbstraction alias = projectMetadata.getIndicesLookup().get(aliasName);
@@ -490,7 +492,7 @@ private static List<String> loadAuthorizedAliases(
     ) {
         List<String> authorizedAliases = new ArrayList<>();
         SortedMap<String, IndexAbstraction> existingAliases = projectMetadata.getIndicesLookup();
-        for (String authorizedIndex : authorizedIndices.all(null)) {
+        for (String authorizedIndex : authorizedIndices.all(IndexComponentSelector.DATA)) {
             IndexAbstraction indexAbstraction = existingAliases.get(authorizedIndex);
             if (indexAbstraction != null && indexAbstraction.getType() == IndexAbstraction.Type.ALIAS) {
                 authorizedAliases.add(authorizedIndex);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
@@ -43,7 +43,6 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.CachedSupplier;
 import org.elasticsearch.common.util.set.Sets;
-import org.elasticsearch.core.Nullable;
 import org.elasticsearch.index.Index;
 import org.elasticsearch.index.shard.ShardId;
 import org.elasticsearch.transport.TransportActionProxy;
@@ -929,9 +928,8 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(
                 }
             }
             return indicesAndAliases;
-        }, (name, selectorString) -> {
+        }, (name, selector) -> {
             final IndexAbstraction indexAbstraction = lookup.get(name);
-            final IndexComponentSelector selector = IndexComponentSelector.getByKeyOrThrow(selectorString);
             if (indexAbstraction == null) {
                 // test access (by name) to a resource that does not currently exist
                 // the action handler must handle the case of accessing resources that do not exist
@@ -1077,27 +1075,27 @@ static final class AuthorizedIndices implements AuthorizationEngine.AuthorizedIn
 
         private final CachedSupplier<Set<String>> authorizedAndAvailableSupplier;
         private final CachedSupplier<Set<String>> failureStoreAuthorizedAndAvailableSupplier;
-        private final BiPredicate<String, String> isAuthorizedPredicate;
+        private final BiPredicate<String, IndexComponentSelector> isAuthorizedPredicate;
 
         AuthorizedIndices(
             Supplier<Set<String>> authorizedAndAvailableSupplier,
             Supplier<Set<String>> failureStoreAuthorizedAndAvailableSupplier,
-            BiPredicate<String, String> isAuthorizedPredicate
+            BiPredicate<String, IndexComponentSelector> isAuthorizedPredicate
         ) {
             this.authorizedAndAvailableSupplier = CachedSupplier.wrap(authorizedAndAvailableSupplier);
             this.failureStoreAuthorizedAndAvailableSupplier = CachedSupplier.wrap(failureStoreAuthorizedAndAvailableSupplier);
             this.isAuthorizedPredicate = Objects.requireNonNull(isAuthorizedPredicate);
         }
 
         @Override
-        public Set<String> all(@Nullable String selector) {
-            return IndexComponentSelector.FAILURES.equals(IndexComponentSelector.getByKeyOrThrow(selector))
+        public Set<String> all(IndexComponentSelector selector) {
+            return IndexComponentSelector.FAILURES.equals(selector)
                 ? failureStoreAuthorizedAndAvailableSupplier.get()
                 : authorizedAndAvailableSupplier.get();
         }
 
         @Override
-        public boolean check(String name, @Nullable String selector) {
+        public boolean check(String name, IndexComponentSelector selector) {
             return isAuthorizedPredicate.test(name, selector);
         }
     }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizedIndicesTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizedIndicesTests.java
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java
