diff --git a/docs/changelog/135337.yaml b/docs/changelog/135337.yaml
new file mode 100644
index 0000000000000..a3ddb21822a96
--- /dev/null
+++ b/docs/changelog/135337.yaml
@@ -0,0 +1,5 @@
+pr: 135337
+summary: Do not pass `ProjectMetadata` to lazy index permissions builder
+area: Security
+type: enhancement
+issues: []
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
index 8a7d09406f2f1..fbb122c76c031 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
@@ -461,6 +461,12 @@ private IndexResource(String name, @Nullable IndexAbstraction abstraction, @Null
 this.selector = selector;
 }
 
+ public List getFailureIndices(ProjectMetadata metadata) {
+ return indexAbstraction != null && IndexComponentSelector.FAILURES.equals(selector)
+ ? indexAbstraction.getFailureIndices(metadata)
+ : List.of();
+ }
+
 /**
 * @return {@code true} if-and-only-if this object is related to a data-stream, either by having a
 * {@link IndexAbstraction#getType()} of {@link IndexAbstraction.Type#DATA_STREAM} or by being the backing index for a
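Review bot: `getFailureIndices` is added to `IndexResource` without Javadoc, while the member immediately after it (`@return {@code true} if-and-only-if …`) is documented; the enclosing `IndexResource` class begins outside this hunk. The method yields an empty list both when no abstraction was resolved and when the selector is not `FAILURES`, a contract a reader should not have to infer from the ternary. Suggested Javadoc: `/** Failure indices of the abstraction this resource targets, or an empty list when no abstraction was resolved or the selector is not {@link IndexComponentSelector#FAILURES}. Callers resolve this up front so the lazily built permissions need not retain the {@link ProjectMetadata}. */`. The constructor shown in the hunk header is private, so it is worth checking whether `public` on the new method is wider than the nested type itself.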
@@ -535,13 +541,12 @@ public int size(Map lookup) {
 }
 }
 
- public Collection resolveConcreteIndices(ProjectMetadata metadata) {
+ public Collection resolveConcreteIndices(List failureIndices) {
 if (indexAbstraction == null) {
 return List.of();
 } else if (indexAbstraction.getType() == IndexAbstraction.Type.CONCRETE_INDEX) {
 return List.of(indexAbstraction.getName());
 } else if (IndexComponentSelector.FAILURES.equals(selector)) {
- final List failureIndices = indexAbstraction.getFailureIndices(metadata);
 final List concreteIndexNames = new ArrayList<>(failureIndices.size());
 for (var idx : failureIndices) {
 concreteIndexNames.add(idx.getName());
@@ -604,12 +609,16 @@ public IndicesAccessControl authorize(
 final boolean overallGranted = isActionGranted(action, resources.values());
 final int finalTotalResourceCount = totalResourceCount;
 
+ final var failureIndicesByResourceName = resources.entrySet()
+ .stream()
+ .collect(Collectors.toMap(Map.Entry::getKey, entry -> entry.getValue().getFailureIndices(metadata)));
+
 final Supplier> indexPermissions = () -> buildIndicesAccessControl(
 action,
 resources,
 finalTotalResourceCount,
 fieldPermissionsCache,
- metadata
+ failureIndicesByResourceName
 );
 
 return new IndicesAccessControl(overallGranted, indexPermissions);
@@ -620,7 +629,7 @@ private Map buildIndicesAccessC
 final Map requestedResources,
 final int totalResourceCount,
 final FieldPermissionsCache fieldPermissionsCache,
- final ProjectMetadata metadata
+ final Map> failureIndicesByIndexResource
 ) {
 // now... every index that is associated with the request, must be granted
 
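Review bot: The new `failureIndices` parameter of `resolveConcreteIndices` is only dereferenced inside the `FAILURES` branch, so a `null` argument is tolerated for concrete indices and for other selectors but throws on `failureIndices.size()` for a failures selector; that contract is implicit and undocumented. Add a Javadoc tag such as `@param failureIndices the failure indices previously resolved for this resource via {@code getFailureIndices}; consulted only when the selector is {@link IndexComponentSelector#FAILURES}, and must be non-null in that case`, or make it explicit with `Objects.requireNonNull(failureIndices, "failureIndices")` at the top of that branch. The method body continues past the end of the hunk.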
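Review bot: The map built in `authorize` is named `failureIndicesByResourceName`, but the parameter that receives it in the `buildIndicesAccessControl` signature (hunk at `-620,7`) and the lookup in its body (hunk at `-636,7`) call it `failureIndicesByIndexResource`, although the keys are the resource-name strings from `resources.entrySet()`; using `failureIndicesByResourceName` in all three places would describe the key accurately. Separately, `Collectors.toMap` rejects `null` values with a `NullPointerException`, so if `IndexAbstraction#getFailureIndices` can ever return `null` this now fails eagerly in `authorize`, where the previous code would only have failed inside the lazy supplier; normalising in `IndexResource.getFailureIndices`, e.g. `Objects.requireNonNullElse(indexAbstraction.getFailureIndices(metadata), List.of())`, keeps the eager computation safe. `IndexAbstraction` is not visible here, so that may already be guaranteed. The enclosing `authorize` method starts before this hunk.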
@@ -636,7 +645,9 @@ private Map buildIndicesAccessC
 boolean granted = false;
 final String resourceName = resourceEntry.getKey();
 final IndexResource resource = resourceEntry.getValue();
- final Collection concreteIndices = resource.resolveConcreteIndices(metadata);
+ final Collection concreteIndices = resource.resolveConcreteIndices(
+ failureIndicesByIndexResource.get(resourceEntry.getKey())
+ );
 for (Group group : groups) {
 // the group covers the given index OR the given index is a backing index and the group covers the parent data stream
 if (resource.checkIndex(group)) {
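Review bot: The lookup `failureIndicesByIndexResource.get(resourceEntry.getKey())` recomputes a key that the line two above already stores in `resourceName`; reusing it keeps the two in sync and collapses the call to one line, `final Collection concreteIndices = resource.resolveConcreteIndices(failureIndicesByIndexResource.get(resourceName));`. The map is populated from the same `resources` map in `authorize`, so every key should be present; if that invariant ever breaks, the resulting `null` only surfaces inside `resolveConcreteIndices` for a failures selector, which is worth a short comment at the lookup, e.g. `// populated for every requested resource in authorize(); empty unless the selector is FAILURES`. The enclosing `buildIndicesAccessControl` starts before and ends after this hunk.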