@@ -1652,6 +1652,57 @@ public void testBuildRoleWithAllPrivilegeIsNeverSplit() {
16521652 );
16531653 }
16541654
1655+ public void testBuildRoleWithFailureStorePrivilegeCollatesToRemoveDlsFlsFromAnotherGroup () {
1656+ assumeTrue ("requires failure store feature" , DataStream .isFailureStoreFeatureFlagEnabled ());
1657+ String indexPattern = randomAlphanumericOfLength (10 );
1658+ boolean allowRestrictedIndices = randomBoolean ();
1659+ final Role role = buildRole (
1660+ roleDescriptorWithIndicesPrivileges (
1661+ "r1" ,
1662+ new IndicesPrivileges [] {
1663+ IndicesPrivileges .builder ()
1664+ .indices (indexPattern )
1665+ .privileges ("read_failure_store" )
1666+ .allowRestrictedIndices (allowRestrictedIndices )
1667+ .build (),
1668+ IndicesPrivileges .builder ()
1669+ .indices (indexPattern )
1670+ .privileges ("read" , "view_index_metadata" )
1671+ .query ("{\" match\" :{\" field\" :\" a\" }}" )
1672+ .grantedFields ("field" )
1673+ .allowRestrictedIndices (allowRestrictedIndices )
1674+ .build () }
1675+ )
1676+ );
1677+ assertHasIndexGroups (
1678+ role .indices (),
1679+ indexGroup (
1680+ IndexPrivilege .getWithSingleSelectorAccess (Set .of ("read_failure_store" )),
1681+ allowRestrictedIndices ,
1682+ null ,
1683+ new FieldPermissionsDefinition (
1684+ Set .of (
1685+ new FieldPermissionsDefinition .FieldGrantExcludeGroup (null , null ),
1686+ new FieldPermissionsDefinition .FieldGrantExcludeGroup (new String [] { "field" }, null )
1687+ )
1688+ ),
1689+ indexPattern
1690+ ),
1691+ indexGroup (
1692+ IndexPrivilege .getWithSingleSelectorAccess (Set .of ("read" , "view_index_metadata" )),
1693+ allowRestrictedIndices ,
1694+ null ,
1695+ new FieldPermissionsDefinition (
1696+ Set .of (
1697+ new FieldPermissionsDefinition .FieldGrantExcludeGroup (null , null ),
1698+ new FieldPermissionsDefinition .FieldGrantExcludeGroup (new String [] { "field" }, null )
1699+ )
1700+ ),
1701+ indexPattern
1702+ )
1703+ );
1704+ }
1705+
16551706 public void testBuildRoleNeverSplitsWithoutFailureStoreRelatedPrivileges () {
16561707 String indexPattern = randomAlphanumericOfLength (10 );
16571708 List <String > nonFailurePrivileges = IndexPrivilege .names ()
@@ -3540,6 +3591,16 @@ private static Matcher<IndicesPermission.Group> indexGroup(
35403591 @ Nullable final String query ,
35413592 final FieldPermissionsDefinition .FieldGrantExcludeGroup flsGroup ,
35423593 final String ... indices
3594+ ) {
3595+ return indexGroup (privilege , allowRestrictedIndices , query , new FieldPermissionsDefinition (Set .of (flsGroup )), indices );
3596+ }
3597+
3598+ private static Matcher <IndicesPermission .Group > indexGroup (
3599+ final IndexPrivilege privilege ,
3600+ final boolean allowRestrictedIndices ,
3601+ @ Nullable final String query ,
3602+ final FieldPermissionsDefinition fieldPermissionsDefinition ,
3603+ final String ... indices
35433604 ) {
35443605 return new BaseMatcher <>() {
35453606 @ Override
@@ -3551,7 +3612,7 @@ public boolean matches(Object o) {
35513612 return equalTo (query == null ? null : Set .of (new BytesArray (query ))).matches (group .getQuery ())
35523613 && equalTo (privilege ).matches (group .privilege ())
35533614 && equalTo (allowRestrictedIndices ).matches (group .allowRestrictedIndices ())
3554- && equalTo (new FieldPermissions (new FieldPermissionsDefinition ( Set . of ( flsGroup )) )).matches (group .getFieldPermissions ())
3615+ && equalTo (new FieldPermissions (fieldPermissionsDefinition )).matches (group .getFieldPermissions ())
35553616 && arrayContaining (indices ).matches (group .indices ());
35563617 }
35573618
@@ -3567,8 +3628,8 @@ public void describeTo(Description description) {
35673628 + Strings .arrayToCommaDelimitedString (indices )
35683629 + ", query="
35693630 + query
3570- + ", fieldGrantExcludeGroup ="
3571- + flsGroup
3631+ + ", fieldPermissionsDefinition ="
3632+ + fieldPermissionsDefinition
35723633 + '}'
35733634 );
35743635 }
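Review bot: In `testBuildRoleWithFailureStorePrivilegeCollatesToRemoveDlsFlsFromAnotherGroup`, the expected `read`/`view_index_metadata` group carries a `null` query and a `FieldGrantExcludeGroup(null, null)` entry, yet nothing in the test explains why dropping the document-level query and widening the field grant is the intended result. Since this pins an access-control outcome, a comment above the `assertHasIndexGroups` call would stop a later reader from treating it as a regression or as something safe to loosen, for example `// both entries target the same index pattern, so they are collated: the unrestricted read_failure_store entry lifts the query and field restrictions of the read entry`. That wording is inferred from the test name and the expected values, so confirm it against the role-building code. The test only covers identical index patterns with the same `allowRestrictedIndices` value. If no other test in the file covers it, a companion case with two different patterns, asserting that the query and the `"field"` grant are retained, would guard against the collation becoming broader than intended.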