Moar

n1v0lg · n1v0lg · commit be718df3c804 · 2025-03-10T11:25:42.000+01:00
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
@@ -885,7 +885,8 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(
             // TODO: can this be done smarter? I think there are usually more indices/aliases in the cluster then indices defined a roles?
             if (includeDataStreams) {
                 for (IndexAbstraction indexAbstraction : lookup.values()) {
-                    // TODO clean this up and explain
+                    // failure indices are special: when accessed directly (not through ::failures on parent data stream) they are accessed
+                    // as implicitly as data. However, authz to the parent data stream happens via the failures selector
                     if (indexAbstraction.isFailureIndexOfDataStream()
                         && predicate.test(indexAbstraction.getParentDataStream(), IndexComponentSelector.FAILURES)) {
                         indicesAndAliases.add(indexAbstraction.getName());
@@ -927,8 +928,8 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(
                         }
                     }
                 }
-                timeChecker.accept(indicesAndAliases);
             }
+            timeChecker.accept(indicesAndAliases);
             return indicesAndAliases;
         }, (name, selectorString) -> {
             final IndexAbstraction indexAbstraction = lookup.get(name);

Original file line number	Diff line number	Diff line change
`@@ -885,7 +885,8 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(`
`885`	`885`	`// TODO: can this be done smarter? I think there are usually more indices/aliases in the cluster then indices defined a roles?`
`886`	`886`	`if (includeDataStreams) {`
`887`	`887`	`for (IndexAbstraction indexAbstraction : lookup.values()) {`
`888`		`- // TODO clean this up and explain`
	`888`	`+ // failure indices are special: when accessed directly (not through ::failures on parent data stream) they are accessed`
	`889`	`+ // as implicitly as data. However, authz to the parent data stream happens via the failures selector`
`889`	`890`	`if (indexAbstraction.isFailureIndexOfDataStream()`
`890`	`891`	`&& predicate.test(indexAbstraction.getParentDataStream(), IndexComponentSelector.FAILURES)) {`
`891`	`892`	`indicesAndAliases.add(indexAbstraction.getName());`
`@@ -927,8 +928,8 @@ static AuthorizedIndices resolveAuthorizedIndicesFromRole(`
`927`	`928`	`}`
`928`	`929`	`}`
`929`	`930`	`}`
`930`		`- timeChecker.accept(indicesAndAliases);`
`931`	`931`	`}`
	`932`	`+ timeChecker.accept(indicesAndAliases);`
`932`	`933`	`return indicesAndAliases;`
`933`	`934`	`}, (name, selectorString) -> {`
`934`	`935`	`final IndexAbstraction indexAbstraction = lookup.get(name);`