Maybe HasPrivileges

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -296,13 +296,15 @@ public boolean checkResourcePrivileges(
         Set<String> checkForIndexPatterns,
         boolean allowRestrictedIndices,
         Set<String> checkForPrivileges,
+        @Nullable IndexComponentSelector selector,
         @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder
     ) {
         return checkResourcePrivileges(
             checkForIndexPatterns,
             allowRestrictedIndices,
             checkForPrivileges,
             false,
+            selector,
             resourcePrivilegesMapBuilder
         );
     }
@@ -326,11 +328,13 @@ public boolean checkResourcePrivileges(
         boolean allowRestrictedIndices,
         Set<String> checkForPrivileges,
         boolean combineIndexGroups,
+        @Nullable IndexComponentSelector selector,
         @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder
     ) {
         boolean allMatch = true;
         Map<Automaton, Automaton> indexGroupAutomatons = indexGroupAutomatons(
-            combineIndexGroups && checkForIndexPatterns.stream().anyMatch(Automatons::isLuceneRegex)
+            combineIndexGroups && checkForIndexPatterns.stream().anyMatch(Automatons::isLuceneRegex),
+            selector
         );
         for (String forIndexPattern : checkForIndexPatterns) {
             Automaton checkIndexAutomaton = Automatons.patterns(forIndexPattern);
@@ -390,7 +394,8 @@ public boolean checkResourcePrivileges(
     public Automaton allowedActionsMatcher(String index) {
         List<Automaton> automatonList = new ArrayList<>();
         for (Group group : groups) {
-            if (group.indexNameMatcher.test(index)) {
+            // TODO failure store?
+            if (group.checkIndex(index) && group.checkSelector(null)) {
                 automatonList.add(group.privilege.getAutomaton());
             }
         }
@@ -809,10 +814,13 @@ private static boolean containsPrivilegeThatGrantsMappingUpdatesForBwc(Group gro
      *
      * @return a map of all index and privilege pattern automatons
      */
-    private Map<Automaton, Automaton> indexGroupAutomatons(boolean combine) {
+    private Map<Automaton, Automaton> indexGroupAutomatons(boolean combine, @Nullable IndexComponentSelector selector) {
         // Map of privilege automaton object references (cached by IndexPrivilege::CACHE)
         Map<Automaton, Automaton> allAutomatons = new HashMap<>();
         for (Group group : groups) {
+            if (false == group.checkSelector(selector)) {
+                continue;
+            }
             Automaton indexAutomaton = group.getIndexMatcherAutomaton();
             allAutomatons.compute(
                 group.privilege().getAutomaton(),

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java

@@ -11,6 +11,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.util.automaton.Automaton;
 import org.elasticsearch.TransportVersion;
+import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.cluster.metadata.Metadata;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.core.Nullable;
@@ -239,12 +240,14 @@ public boolean checkIndicesPrivileges(
         Set<String> checkForIndexPatterns,
         boolean allowRestrictedIndices,
         Set<String> checkForPrivileges,
+        @Nullable IndexComponentSelector selector,
         @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder
     ) {
         boolean baseRoleCheck = baseRole.checkIndicesPrivileges(
             checkForIndexPatterns,
             allowRestrictedIndices,
             checkForPrivileges,
+            selector,
             resourcePrivilegesMapBuilder
         );
         if (false == baseRoleCheck && null == resourcePrivilegesMapBuilder) {
@@ -255,6 +258,7 @@ public boolean checkIndicesPrivileges(
             checkForIndexPatterns,
             allowRestrictedIndices,
             checkForPrivileges,
+            selector,
             resourcePrivilegesMapBuilder
         );
         return baseRoleCheck && limitedByRoleCheck;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -128,9 +128,25 @@ boolean checkIndicesPrivileges(
         Set<String> checkForIndexPatterns,
         boolean allowRestrictedIndices,
         Set<String> checkForPrivileges,
+        @Nullable IndexComponentSelector selector,
         @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder
     );
 
+    default boolean checkIndicesPrivileges(
+        Set<String> checkForIndexPatterns,
+        boolean allowRestrictedIndices,
+        Set<String> checkForPrivileges,
+        @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder
+    ) {
+        return checkIndicesPrivileges(
+            checkForIndexPatterns,
+            allowRestrictedIndices,
+            checkForPrivileges,
+            null,
+            resourcePrivilegesMapBuilder
+        );
+    }
+
     /**
      * Check if cluster permissions allow for the given action in the context of given
      * authentication.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRole.java

@@ -8,6 +8,7 @@
 
 import org.apache.lucene.util.automaton.Automaton;
 import org.elasticsearch.TransportVersion;
+import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.cluster.metadata.Metadata;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.cache.Cache;
@@ -154,12 +155,14 @@ public boolean checkIndicesPrivileges(
         Set<String> checkForIndexPatterns,
         boolean allowRestrictedIndices,
         Set<String> checkForPrivileges,
+        @Nullable IndexComponentSelector selector,
         @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder
     ) {
         return indices.checkResourcePrivileges(
             checkForIndexPatterns,
             allowRestrictedIndices,
             checkForPrivileges,
+            selector,
             resourcePrivilegesMapBuilder
         );
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java

@@ -653,7 +653,7 @@ private static boolean requestIndexPatternsAllowed(
             String[] requestIndexPatterns,
             String[] privileges
         ) {
-            return indicesPermission.checkResourcePrivileges(Set.of(requestIndexPatterns), false, Set.of(privileges), true, null);
+            return indicesPermission.checkResourcePrivileges(Set.of(requestIndexPatterns), false, Set.of(privileges), true, null, null);
         }
 
         private static boolean hasNonIndexPrivileges(RoleDescriptor roleDescriptor) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java

@@ -660,6 +660,7 @@ public void checkPrivileges(
                 Sets.newHashSet(check.getIndices()),
                 check.allowRestrictedIndices(),
                 Sets.newHashSet(check.getPrivileges()),
+                null,
                 combineIndicesResourcePrivileges
             );
             allMatch = allMatch && privilegesGranted;