|
8 | 8 | package org.elasticsearch.xpack.security.authz; |
9 | 9 |
|
10 | 10 | import org.elasticsearch.action.support.IndexComponentSelector; |
11 | | -import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver; |
12 | 11 | import org.elasticsearch.common.Strings; |
13 | 12 | import org.elasticsearch.common.util.set.Sets; |
14 | 13 | import org.elasticsearch.core.Nullable; |
@@ -99,57 +98,31 @@ public String actionDenied( |
99 | 98 | + "]"; |
100 | 99 | } |
101 | 100 | } else if (isIndexAction(action)) { |
102 | | - String[] indices = AuthorizationEngine.RequestInfo.indices(request); |
103 | | - if (indices == null || indices.length == 0) { |
104 | | - final Collection<String> privileges = findIndexPrivilegesThatGrant(action, IndexComponentSelector.DATA); |
| 101 | + final Collection<String> privileges = findIndexPrivilegesThatGrant(action, IndexComponentSelector.DATA); |
| 102 | + final Collection<String> privilegesForFailuresSelector = findIndexPrivilegesThatGrant( |
| 103 | + action, |
| 104 | + IndexComponentSelector.FAILURES |
| 105 | + ); |
| 106 | + if (privileges != null && false == privileges.isEmpty()) { |
| 107 | + message = message |
| 108 | + + ", this action is granted by the index privileges [" |
| 109 | + + collectionToCommaDelimitedString(privileges) |
| 110 | + + "]"; |
| 111 | + } |
| 112 | + if (privilegesForFailuresSelector != null && false == privilegesForFailuresSelector.isEmpty()) { |
105 | 113 | if (privileges != null && false == privileges.isEmpty()) { |
106 | 114 | message = message |
107 | | - + ", this action is granted by the index privileges [" |
108 | | - + collectionToCommaDelimitedString(privileges) |
109 | | - + "]"; |
110 | | - } |
111 | | - return message; |
112 | | - } |
113 | | - boolean hasFailuresSelector = false; |
114 | | - boolean hasNullOrDataSelector = false; |
115 | | - for (String index : indices) { |
116 | | - if (IndexNameExpressionResolver.hasSelector(index, IndexComponentSelector.FAILURES)) { |
117 | | - hasFailuresSelector = true; |
| 115 | + + " for data access, or [" |
| 116 | + + collectionToCommaDelimitedString(privilegesForFailuresSelector) |
| 117 | + + "] for access via the failures selector"; |
118 | 118 | } else { |
119 | | - hasNullOrDataSelector = true; |
120 | | - } |
121 | | - // we found both selectors, we can stop |
122 | | - if (hasNullOrDataSelector && hasFailuresSelector) { |
123 | | - break; |
124 | | - } |
125 | | - } |
126 | | - if (hasNullOrDataSelector) { |
127 | | - final Collection<String> privileges = findIndexPrivilegesThatGrant(action, IndexComponentSelector.DATA); |
128 | | - if (privileges != null && false == privileges.isEmpty()) { |
129 | 119 | message = message |
130 | 120 | + ", this action is granted by the index privileges [" |
131 | | - + collectionToCommaDelimitedString(privileges) |
132 | | - + "]"; |
133 | | - } |
134 | | - } |
135 | | - if (hasFailuresSelector) { |
136 | | - final Collection<String> privileges = findIndexPrivilegesThatGrant(action, IndexComponentSelector.FAILURES); |
137 | | - if (privileges != null && false == privileges.isEmpty()) { |
138 | | - if (hasNullOrDataSelector) { |
139 | | - message = message |
140 | | - + " for data access, or [" |
141 | | - + collectionToCommaDelimitedString(privileges) |
142 | | - + "] for access via the failures selector"; |
143 | | - } else { |
144 | | - message = message |
145 | | - + ", this action is granted by the index privileges [" |
146 | | - + collectionToCommaDelimitedString(privileges) |
147 | | - + "]"; |
148 | | - } |
| 121 | + + collectionToCommaDelimitedString(privilegesForFailuresSelector) |
| 122 | + + "] for access via the failures selector"; |
149 | 123 | } |
150 | 124 | } |
151 | 125 | } |
152 | | - |
153 | 126 | return message; |
154 | 127 | } |
155 | 128 |
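Review bot: The emptiness check `privileges != null && false == privileges.isEmpty()` is now evaluated twice in the index-action branch, at new line 106 and again nested at new line 113, and the two copies must stay in sync for the denial message to read correctly. Hoisting it into a local, `final boolean hasDataPrivileges = privileges != null && false == privileges.isEmpty();`, and branching on that in both places would make the three message shapes easier to follow. Because the branch no longer looks at the request's index expressions, a short comment such as `// list privileges for both selectors; the hint does not depend on which selectors the request used` would explain to anyone troubleshooting a denial why failures-selector privileges appear even for plain data requests. actionDenied starts before this hunk, so whether `request` is still used elsewhere in it is not visible here.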
|
|