@@ -1693,6 +1693,104 @@ public void testBuildRoleWithReadFailureStoreAndReadPrivilegeAndMultipleIndexPat
16931693 }
16941694 }
16951695
1696+ public void testBuildRoleWithReadOnRestrictedAndNonRestrictedIndices () {
1697+ assumeTrue ("requires failure store feature" , DataStream .isFailureStoreFeatureFlagEnabled ());
1698+ String indexPattern = randomAlphanumericOfLength (10 );
1699+ List <Role > roles = List .of (
1700+ buildRole (
1701+ roleDescriptorWithIndicesPrivileges (
1702+ "r1" ,
1703+ new IndicesPrivileges [] {
1704+ IndicesPrivileges .builder ()
1705+ .indices (indexPattern )
1706+ .privileges ("read" , "read_failure_store" )
1707+ .allowRestrictedIndices (true )
1708+ .build (),
1709+ IndicesPrivileges .builder ().indices (indexPattern ).privileges ("read" ).allowRestrictedIndices (false ).build () }
1710+ )
1711+ ),
1712+ buildRole (
1713+ roleDescriptorWithIndicesPrivileges (
1714+ "r1" ,
1715+ new IndicesPrivileges [] {
1716+ IndicesPrivileges .builder ()
1717+ .indices (indexPattern )
1718+ .privileges ("read" , "read_failure_store" )
1719+ .allowRestrictedIndices (true )
1720+ .build () }
1721+ ),
1722+ roleDescriptorWithIndicesPrivileges (
1723+ "r2" ,
1724+ new IndicesPrivileges [] {
1725+ IndicesPrivileges .builder ().indices (indexPattern ).privileges ("read" ).allowRestrictedIndices (false ).build () }
1726+ )
1727+ )
1728+ );
1729+ // the roles are different "format" but the same so should produce the same index groups
1730+ for (var role : roles ) {
1731+ IndicesPermission indices = role .indices ();
1732+ assertHasIndexGroups (
1733+ indices ,
1734+ indexGroup (IndexPrivilege .get ("read" ), false , indexPattern ),
1735+ indexGroup (IndexPrivilege .get ("read" ), true , indexPattern ),
1736+ indexGroup (IndexPrivilege .get ("read_failure_store" ), true , indexPattern )
1737+ );
1738+ }
1739+ }
1740+
1741+ public void testBuildRoleWithReadFailureStoreOnRestrictedAndNonRestrictedIndices () {
1742+ assumeTrue ("requires failure store feature" , DataStream .isFailureStoreFeatureFlagEnabled ());
1743+ String indexPattern = randomAlphanumericOfLength (10 );
1744+ List <Role > roles = List .of (
1745+ buildRole (
1746+ roleDescriptorWithIndicesPrivileges (
1747+ "r1" ,
1748+ new IndicesPrivileges [] {
1749+ IndicesPrivileges .builder ()
1750+ .indices (indexPattern )
1751+ .privileges ("read" , "read_failure_store" )
1752+ .allowRestrictedIndices (true )
1753+ .build (),
1754+ IndicesPrivileges .builder ()
1755+ .indices (indexPattern )
1756+ .privileges ("read_failure_store" )
1757+ .allowRestrictedIndices (false )
1758+ .build () }
1759+ )
1760+ ),
1761+ buildRole (
1762+ roleDescriptorWithIndicesPrivileges (
1763+ "r1" ,
1764+ new IndicesPrivileges [] {
1765+ IndicesPrivileges .builder ()
1766+ .indices (indexPattern )
1767+ .privileges ("read" , "read_failure_store" )
1768+ .allowRestrictedIndices (true )
1769+ .build () }
1770+ ),
1771+ roleDescriptorWithIndicesPrivileges (
1772+ "r2" ,
1773+ new IndicesPrivileges [] {
1774+ IndicesPrivileges .builder ()
1775+ .indices (indexPattern )
1776+ .privileges ("read_failure_store" )
1777+ .allowRestrictedIndices (false )
1778+ .build () }
1779+ )
1780+ )
1781+ );
1782+ // the roles are different "format" but the same so should produce the same index groups
1783+ for (var role : roles ) {
1784+ IndicesPermission indices = role .indices ();
1785+ assertHasIndexGroups (
1786+ indices ,
1787+ indexGroup (IndexPrivilege .get ("read_failure_store" ), false , indexPattern ),
1788+ indexGroup (IndexPrivilege .get ("read" ), true , indexPattern ),
1789+ indexGroup (IndexPrivilege .get ("read_failure_store" ), true , indexPattern )
1790+ );
1791+ }
1792+ }
1793+
16961794 public void testBuildRoleWithMultipleReadFailureStoreAndReadPrivilegeSplit () {
16971795 assumeTrue ("requires failure store feature" , DataStream .isFailureStoreFeatureFlagEnabled ());
16981796 String indexPattern = randomAlphanumericOfLength (10 );
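Review bot: The assertions in both new tests (new lines 1732–1737 and 1785–1790) check only which index groups the built role contains; nothing in the hunk evaluates the role against a concrete restricted or ordinary index name, so the effective access granted by the `allowRestrictedIndices(true)` and `allowRestrictedIndices(false)` entries is never asserted directly. `assertHasIndexGroups` and `indexGroup` are defined outside the hunk, so it is worth confirming that the helper fails on unexpected extra groups rather than only checking that the listed ones are present. The two tests also build the same two role shapes and differ only in the privilege of the non-restricted entry and the first expected group, so a private helper that takes that privilege name would remove most of the duplication. The inline comment would read more clearly as `// one descriptor with two entries vs. two descriptors with one entry each: both must yield the same index groups`.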