Union

n1v0lg · n1v0lg · commit da43e54c104d · 2025-02-17T17:46:07.000+01:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java
@@ -414,6 +414,7 @@ public ManageRolesPrivilege(List<ManageRolesIndexPermissionGroup> manageRolesInd
             this.requestPredicateSupplier = (restrictedIndices) -> {
                 IndicesPermission.Builder indicesPermissionBuilder = new IndicesPermission.Builder(restrictedIndices);
                 for (ManageRolesIndexPermissionGroup indexPatternPrivilege : manageRolesIndexPermissionGroups) {
+                    // TODO handle selectors
                     indicesPermissionBuilder.addGroup(
                         IndexPrivilege.get(Set.of(indexPatternPrivilege.privileges())),
                         FieldPermissions.DEFAULT,
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java
@@ -8,6 +8,7 @@
 package org.elasticsearch.xpack.core.security.authz.privilege;
 
 import org.elasticsearch.action.support.IndexComponentSelector;
+import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.core.Predicates;
 
 import java.util.HashSet;
@@ -18,7 +19,11 @@
 
 import static org.elasticsearch.common.util.set.Sets.newHashSet;
 
-public record IndexComponentSelectorPrivilege(String name, Predicate<IndexComponentSelector> predicate) {
+public record IndexComponentSelectorPrivilege(Set<String> names, Predicate<IndexComponentSelector> predicate) {
+    IndexComponentSelectorPrivilege(String name, Predicate<IndexComponentSelector> predicate) {
+        this(Set.of(name), predicate);
+    }
+
     public static final IndexComponentSelectorPrivilege ALL = new IndexComponentSelectorPrivilege("all", Predicates.always());
     public static final IndexComponentSelectorPrivilege DATA = new IndexComponentSelectorPrivilege(
         "data",
@@ -37,6 +42,13 @@ public boolean isTotal() {
         return this == ALL;
     }
 
+    public IndexComponentSelectorPrivilege or(IndexComponentSelectorPrivilege other) {
+        if (this == ALL || other == ALL) {
+            return ALL;
+        }
+        return new IndexComponentSelectorPrivilege(Sets.union(names, other.names), predicate.or(other.predicate));
+    }
+
     public static Set<IndexComponentSelectorPrivilege> get(Set<String> indexPrivileges) {
         return indexPrivileges.stream().map(IndexComponentSelectorPrivilege::get).collect(Collectors.toSet());
     }
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -48,6 +48,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
@@ -185,11 +186,6 @@ public final class IndexPrivilege extends Privilege {
         READ_AUTOMATON,
         IndexComponentSelectorPrivilege.FAILURES
     );
-    public static final IndexPrivilege MANAGE_FAILURE_STORE_INTERNAL = new IndexPrivilege(
-        "manage_failure_store_internal",
-        MANAGE_AUTOMATON,
-        IndexComponentSelectorPrivilege.FAILURES
-    );
     public static final IndexPrivilege READ = new IndexPrivilege("read", READ_AUTOMATON);
     public static final IndexPrivilege READ_CROSS_CLUSTER = new IndexPrivilege("read_cross_cluster", READ_CROSS_CLUSTER_AUTOMATON);
     public static final IndexPrivilege CREATE = new IndexPrivilege("create", CREATE_AUTOMATON);
@@ -199,6 +195,11 @@ public final class IndexPrivilege extends Privilege {
     public static final IndexPrivilege CREATE_DOC = new IndexPrivilege("create_doc", CREATE_DOC_AUTOMATON);
     public static final IndexPrivilege MONITOR = new IndexPrivilege("monitor", MONITOR_AUTOMATON);
     public static final IndexPrivilege MANAGE = new IndexPrivilege("manage", MANAGE_AUTOMATON);
+    public static final IndexPrivilege MANAGE_FAILURE_STORE_INTERNAL = new IndexPrivilege(
+        "manage_failure_store_internal",
+        MANAGE_AUTOMATON,
+        IndexComponentSelectorPrivilege.FAILURES
+    );
     public static final IndexPrivilege DELETE_INDEX = new IndexPrivilege("delete_index", DELETE_INDEX_AUTOMATON);
     public static final IndexPrivilege CREATE_INDEX = new IndexPrivilege("create_index", CREATE_INDEX_AUTOMATON);
     public static final IndexPrivilege VIEW_METADATA = new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON);
@@ -342,17 +343,22 @@ private static IndexPrivilege resolve(Set<String> name) {
             selectorPrivileges.add(IndexComponentSelectorPrivilege.DATA);
         }
 
-        for (IndexComponentSelectorPrivilege selectorPrivilege : selectorPrivileges) {
-            if (selectorPrivilege == IndexComponentSelectorPrivilege.ALL) {
-                return new IndexPrivilege(name, unionAndMinimize(automata), IndexComponentSelectorPrivilege.ALL);
-            }
+        return new IndexPrivilege(name, unionAndMinimize(automata), union(selectorPrivileges));
+    }
+
+    private static IndexComponentSelectorPrivilege union(Set<IndexComponentSelectorPrivilege> selectorPrivileges) {
+        assert selectorPrivileges.isEmpty() == false;
+        if (selectorPrivileges.contains(IndexComponentSelectorPrivilege.ALL)) {
+            return IndexComponentSelectorPrivilege.ALL;
+        } else if (selectorPrivileges.size() == 1) {
+            return selectorPrivileges.iterator().next();
         }
-        if (selectorPrivileges.size() != 1) {
-            // TODO assertion and make this clearer
-            throw new IllegalArgumentException("Cannot mix different selector privileges in a single index privilege for [" + name + "]");
+        Iterator<IndexComponentSelectorPrivilege> iterator = selectorPrivileges.iterator();
+        IndexComponentSelectorPrivilege result = iterator.next();
+        while (iterator.hasNext()) {
+            result = result.or(iterator.next());
         }
-
-        return new IndexPrivilege(name, unionAndMinimize(automata), selectorPrivileges.iterator().next());
+        return result;
     }
 
     static Map<String, IndexPrivilege> values() {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java
@@ -1754,6 +1754,11 @@ public void testGetRoleDescriptorsForRemoteClusterForReservedRoles() {
                                     .indices("*")
                                     .privileges("monitor", "read", "read_cross_cluster", "view_index_metadata")
                                     .allowRestrictedIndices(true)
+                                    .build(),
+                                IndicesPrivileges.builder()
+                                    .indices("*")
+                                    .privileges("read_failure_store")
+                                    .allowRestrictedIndices(true)
                                     .build() },
                             null,
                             null,
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/QueryableBuiltInRolesUtilsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/QueryableBuiltInRolesUtilsTests.java
@@ -43,7 +43,7 @@ public void testCalculateHash() {
             QueryableBuiltInRolesUtils.calculateHash(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR),
             equalTo(
                 DataStream.isFailureStoreFeatureFlagEnabled()
-                    ? "3na054vyhPlUqSeq8cim+JwuBc+81r7JViA27peTAGc="
+                    ? "qgdWamvjudRKGezTGfjoSCr230sFDdh2t6xFUPYiW2Q="
                     : "bWEFdFo4WX229wdhdecfiz5QHMYEssh3ex8hizRgg+Q="
             )
         );

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ public void testCalculateHash() {`
`43`	`43`	`QueryableBuiltInRolesUtils.calculateHash(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR),`
`44`	`44`	`equalTo(`
`45`	`45`	`DataStream.isFailureStoreFeatureFlagEnabled()`
`46`		`- ? "3na054vyhPlUqSeq8cim+JwuBc+81r7JViA27peTAGc="`
	`46`	`+ ? "qgdWamvjudRKGezTGfjoSCr230sFDdh2t6xFUPYiW2Q="`
`47`	`47`	`: "bWEFdFo4WX229wdhdecfiz5QHMYEssh3ex8hizRgg+Q="`
`48`	`48`	`)`
`49`	`49`	`);`