Moar

n1v0lg · n1v0lg · commit 2ccd9698be63 · 2025-02-17T10:20:29.000+01:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
@@ -913,7 +913,7 @@ boolean isTotal() {
                 && privilege == IndexPrivilege.ALL
                 && query == null
                 && false == fieldPermissions.hasFieldLevelSecurity()
-                // TODO do we want this?
+                // TODO add selectorPrivilege here in a follow PR handling authorization
                 && selectorPrivilege.isTotal();
         }
 
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
@@ -428,7 +428,7 @@ static SimpleRole buildFromRoleDescriptor(
             );
             Set<BytesReference> query = indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery());
             boolean allowRestrictedIndices = indexPrivilege.allowRestrictedIndices();
-            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.splitBySelectors(
+            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelectors(
                 indexPrivilege.getPrivileges()
             );
             for (var entry : split.entrySet()) {
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java
@@ -31,7 +31,7 @@ public record IndexComponentSelectorPrivilege(String name, Predicate<IndexCompon
         IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL
     );
 
-    public boolean test(IndexComponentSelector selector) {
+    public boolean grants(IndexComponentSelector selector) {
         return predicate.test(selector);
     }
 
@@ -43,37 +43,39 @@ public static Set<IndexComponentSelectorPrivilege> get(Set<String> indexPrivileg
         return indexPrivileges.stream().map(IndexComponentSelectorPrivilege::get).collect(Collectors.toSet());
     }
 
-    public static Map<IndexComponentSelectorPrivilege, Set<String>> splitBySelectors(String... indexPrivileges) {
-        return splitBySelectors(Set.of(indexPrivileges));
+    public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelectors(String... indexPrivileges) {
+        return groupBySelectors(Set.of(indexPrivileges));
     }
 
-    public static Map<IndexComponentSelectorPrivilege, Set<String>> splitBySelectors(Set<String> indexPrivileges) {
-        final Set<String> data = new HashSet<>();
-        final Set<String> failures = new HashSet<>();
+    public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelectors(Set<String> indexPrivileges) {
+        final Set<String> dataAccessPrivileges = new HashSet<>();
+        final Set<String> failuresAccessPrivileges = new HashSet<>();
 
         for (String indexPrivilege : indexPrivileges) {
-            final IndexComponentSelectorPrivilege privilege = get(indexPrivilege);
-            // If we ever hit all, we can return early since we don't need to split
-            if (privilege.equals(ALL)) {
+            final IndexComponentSelectorPrivilege selectorPrivilege = get(indexPrivilege);
+            // If we ever hit `all`, the entire group can be treated as granting "all" access and we can return early
+            if (selectorPrivilege.equals(ALL)) {
                 return Map.of(ALL, indexPrivileges);
             }
 
-            if (privilege.equals(DATA)) {
-                data.add(indexPrivilege);
-            } else if (privilege.equals(FAILURES)) {
-                failures.add(indexPrivilege);
+            if (selectorPrivilege.equals(DATA)) {
+                dataAccessPrivileges.add(indexPrivilege);
+            } else if (selectorPrivilege.equals(FAILURES)) {
+                failuresAccessPrivileges.add(indexPrivilege);
             } else {
-                throw new IllegalArgumentException("Unknown index privilege: " + indexPrivilege);
+                assert false : "index privilege [" + indexPrivilege + "] mapped to an unexpected selector [" + selectorPrivilege + "]";
+                throw new IllegalStateException(
+                    "index privilege [" + indexPrivilege + "] mapped to an unexpected selector [" + selectorPrivilege + "]"
+                );
             }
-
         }
 
-        if (data.isEmpty()) {
-            return Map.of(FAILURES, failures);
-        } else if (failures.isEmpty()) {
-            return Map.of(DATA, data);
+        if (dataAccessPrivileges.isEmpty()) {
+            return Map.of(FAILURES, failuresAccessPrivileges);
+        } else if (failuresAccessPrivileges.isEmpty()) {
+            return Map.of(DATA, dataAccessPrivileges);
         } else {
-            return Map.of(DATA, data, FAILURES, failures);
+            return Map.of(DATA, dataAccessPrivileges, FAILURES, failuresAccessPrivileges);
         }
     }
 
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
@@ -543,7 +543,7 @@ public static void buildRoleFromDescriptors(
 
         for (Map.Entry<Set<String>, MergeableIndicesPrivilege> entry : indicesPrivilegesMap.entrySet()) {
             MergeableIndicesPrivilege indicesPrivilege = entry.getValue();
-            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.splitBySelectors(
+            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelectors(
                 indicesPrivilege.privileges
             );
             FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition);
@@ -561,7 +561,7 @@ public static void buildRoleFromDescriptors(
         }
         for (Map.Entry<Set<String>, MergeableIndicesPrivilege> entry : restrictedIndicesPrivilegesMap.entrySet()) {
             MergeableIndicesPrivilege indicesPrivilege = entry.getValue();
-            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.splitBySelectors(
+            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelectors(
                 indicesPrivilege.privileges
             );
             FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition);

Original file line number	Diff line number	Diff line change
`@@ -913,7 +913,7 @@ boolean isTotal() {`
`913`	`913`	`&& privilege == IndexPrivilege.ALL`
`914`	`914`	`&& query == null`
`915`	`915`	`&& false == fieldPermissions.hasFieldLevelSecurity()`
`916`		`- // TODO do we want this?`
	`916`	`+ // TODO add selectorPrivilege here in a follow PR handling authorization`
`917`	`917`	`&& selectorPrivilege.isTotal();`
`918`	`918`	`}`
`919`	`919`