Skip to content

Commit

Permalink
Add get-user-privileges API (#33928)
Browse files Browse the repository at this point in the history 
This API is intended as a companion to the _has_privileges API.
It returns the list of privileges that are held by the current user.

This information is difficult to reason about, and consumers should
avoid making direct security decisions based solely on this data.
For example, each of the following index privileges (as well as many
more) would grant a user access to index a new document into the
"metrics-2018-08-30" index, but clients should not try and deduce
that information from this API.
- "all" on "*"
- "all" on "metrics-*"
- "write" on "metrics-2018-*"
- "write" on "metrics-2018-08-30"

Rather, if a client wished to know if a user had "index" access to
_any_ index, it would be possible to use this API to determine whether
the user has any index privileges, and on which index patterns, and
then feed those index patterns into _has_privileges in order to
determine whether the "index" privilege had been granted.

The result JSON is modelled on the Role API, with a few small changes
to reflect how privileges are modelled when multiple roles are merged
together (multiple DLS queries, multiple FLS grants, multiple global
conditions, etc).
  • Loading branch information
@tvernum @kcm
tvernum authored and kcm committed Oct 30, 2018
1 parent 539bde3 commit a2154b0
Show file tree
Hide file tree
Showing 25 changed files with 1,485 additions and 34 deletions.
26 changes: 26 additions & 0 deletions .../main/java/org/elasticsearch/xpack/core/security/action/user/GetUserPrivilegesAction.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.user;

import org.elasticsearch.action.Action;

/**
* Action that lists the set of privileges held by a user.
*/
public final class GetUserPrivilegesAction extends Action<GetUserPrivilegesResponse> {

public static final GetUserPrivilegesAction INSTANCE = new GetUserPrivilegesAction();
public static final String NAME = "cluster:admin/xpack/security/user/list_privileges";

private GetUserPrivilegesAction() {
super(NAME);
}

@Override
public GetUserPrivilegesResponse newResponse() {
return new GetUserPrivilegesResponse();
}
}
73 changes: 73 additions & 0 deletions ...main/java/org/elasticsearch/xpack/core/security/action/user/GetUserPrivilegesRequest.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.user;

import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;

import java.io.IOException;

/**
* A request for checking a user's privileges
*/
public final class GetUserPrivilegesRequest extends ActionRequest implements UserRequest {

private String username;

/**
* Package level access for {@link GetUserPrivilegesRequestBuilder}.
*/
GetUserPrivilegesRequest() {
}

public GetUserPrivilegesRequest(StreamInput in) throws IOException {
super(in);
this.username = in.readString();
}

@Override
public ActionRequestValidationException validate() {
return null;
}

/**
* @return the username that this request applies to.
*/
public String username() {
return username;
}

/**
* Set the username that the request applies to. Must not be {@code null}
*/
public void username(String username) {
this.username = username;
}

@Override
public String[] usernames() {
return new String[] { username };
}

/**
* Always throws {@link UnsupportedOperationException} as this object should be deserialized using
* the {@link #GetUserPrivilegesRequest(StreamInput)} constructor instead.
*/
@Override
@Deprecated
public void readFrom(StreamInput in) throws IOException {
throw new UnsupportedOperationException("Use " + getClass() + " as Writeable not Streamable");
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeString(username);
}

}
28 changes: 28 additions & 0 deletions ...va/org/elasticsearch/xpack/core/security/action/user/GetUserPrivilegesRequestBuilder.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.user;

import org.elasticsearch.action.ActionRequestBuilder;
import org.elasticsearch.client.ElasticsearchClient;

/**
* Request builder for checking a user's privileges
*/
public class GetUserPrivilegesRequestBuilder
extends ActionRequestBuilder<GetUserPrivilegesRequest, GetUserPrivilegesResponse> {

public GetUserPrivilegesRequestBuilder(ElasticsearchClient client) {
super(client, GetUserPrivilegesAction.INSTANCE, new GetUserPrivilegesRequest());
}

/**
* Set the username of the user whose privileges should be retrieved. Must not be {@code null}
*/
public GetUserPrivilegesRequestBuilder username(String username) {
request.username(username);
return this;
}
}
242 changes: 242 additions & 0 deletions ...ain/java/org/elasticsearch/xpack/core/security/action/user/GetUserPrivilegesResponse.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,242 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.core.security.action.user;

import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.xcontent.ToXContentObject;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivileges;

import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

/**
* Response for a {@link GetUserPrivilegesRequest}
*/
public final class GetUserPrivilegesResponse extends ActionResponse {

private Set<String> cluster;
private Set<ConditionalClusterPrivilege> conditionalCluster;
private Set<Indices> index;
private Set<RoleDescriptor.ApplicationResourcePrivileges> application;
private Set<String> runAs;

public GetUserPrivilegesResponse() {
this(Collections.emptySet(), Collections.emptySet(), Collections.emptySet(), Collections.emptySet(), Collections.emptySet());
}

public GetUserPrivilegesResponse(Set<String> cluster, Set<ConditionalClusterPrivilege> conditionalCluster,
Set<Indices> index,
Set<RoleDescriptor.ApplicationResourcePrivileges> application,
Set<String> runAs) {
this.cluster = Collections.unmodifiableSet(cluster);
this.conditionalCluster = Collections.unmodifiableSet(conditionalCluster);
this.index = Collections.unmodifiableSet(index);
this.application = Collections.unmodifiableSet(application);
this.runAs = Collections.unmodifiableSet(runAs);
}

public Set<String> getClusterPrivileges() {
return cluster;
}

public Set<ConditionalClusterPrivilege> getConditionalClusterPrivileges() {
return conditionalCluster;
}

public Set<Indices> getIndexPrivileges() {
return index;
}

public Set<RoleDescriptor.ApplicationResourcePrivileges> getApplicationPrivileges() {
return application;
}

public Set<String> getRunAs() {
return runAs;
}

public void readFrom(StreamInput in) throws IOException {
super.readFrom(in);
cluster = Collections.unmodifiableSet(in.readSet(StreamInput::readString));
conditionalCluster = Collections.unmodifiableSet(in.readSet(ConditionalClusterPrivileges.READER));
index = Collections.unmodifiableSet(in.readSet(Indices::new));
application = Collections.unmodifiableSet(in.readSet(RoleDescriptor.ApplicationResourcePrivileges::createFrom));
runAs = Collections.unmodifiableSet(in.readSet(StreamInput::readString));
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeCollection(cluster, StreamOutput::writeString);
out.writeCollection(conditionalCluster, ConditionalClusterPrivileges.WRITER);
out.writeCollection(index, (o, p) -> p.writeTo(o));
out.writeCollection(application, (o, p) -> p.writeTo(o));
out.writeCollection(runAs, StreamOutput::writeString);
}

@Override
public boolean equals(Object other) {
if (this == other) {
return true;
}
if (other == null || getClass() != other.getClass()) {
return false;
}
final GetUserPrivilegesResponse that = (GetUserPrivilegesResponse) other;
return Objects.equals(cluster, that.cluster) &&
Objects.equals(conditionalCluster, that.conditionalCluster) &&
Objects.equals(index, that.index) &&
Objects.equals(application, that.application) &&
Objects.equals(runAs, that.runAs);
}

@Override
public int hashCode() {
return Objects.hash(cluster, conditionalCluster, index, application, runAs);
}

/**
* This is modelled on {@link RoleDescriptor.IndicesPrivileges}, with support for multiple DLS and FLS field sets.
*/
public static class Indices implements ToXContentObject, Writeable {

private final Set<String> indices;
private final Set<String> privileges;
private final Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> fieldSecurity;
private final Set<BytesReference> queries;

public Indices(Collection<String> indices, Collection<String> privileges,
Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> fieldSecurity, Set<BytesReference> queries) {
// The use of TreeSet is to provide a consistent order that can be relied upon in tests
this.indices = Collections.unmodifiableSet(new TreeSet<>(Objects.requireNonNull(indices)));
this.privileges = Collections.unmodifiableSet(new TreeSet<>(Objects.requireNonNull(privileges)));
this.fieldSecurity = Collections.unmodifiableSet(Objects.requireNonNull(fieldSecurity));
this.queries = Collections.unmodifiableSet(Objects.requireNonNull(queries));
}

public Indices(StreamInput in) throws IOException {
indices = Collections.unmodifiableSet(in.readSet(StreamInput::readString));
privileges = Collections.unmodifiableSet(in.readSet(StreamInput::readString));
fieldSecurity = Collections.unmodifiableSet(in.readSet(input -> {
final String[] grant = input.readOptionalStringArray();
final String[] exclude = input.readOptionalStringArray();
return new FieldPermissionsDefinition.FieldGrantExcludeGroup(grant, exclude);
}));
queries = Collections.unmodifiableSet(in.readSet(StreamInput::readBytesReference));
}

public Set<String> getIndices() {
return indices;
}

public Set<String> getPrivileges() {
return privileges;
}

public Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> getFieldSecurity() {
return fieldSecurity;
}

public Set<BytesReference> getQueries() {
return queries;
}

@Override
public String toString() {
StringBuilder sb = new StringBuilder(getClass().getSimpleName())
.append("[")
.append("indices=[").append(Strings.collectionToCommaDelimitedString(indices))
.append("], privileges=[").append(Strings.collectionToCommaDelimitedString(privileges))
.append("]");
if (fieldSecurity.isEmpty() == false) {
sb.append(", fls=[").append(Strings.collectionToCommaDelimitedString(fieldSecurity)).append("]");
}
if (queries.isEmpty() == false) {
sb.append(", dls=[")
.append(queries.stream().map(BytesReference::utf8ToString).collect(Collectors.joining(",")))
.append("]");
}
sb.append("]");
return sb.toString();
}

@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;

Indices that = (Indices) o;

return this.indices.equals(that.indices)
&& this.privileges.equals(that.privileges)
&& this.fieldSecurity.equals(that.fieldSecurity)
&& this.queries.equals(that.queries);
}

@Override
public int hashCode() {
return Objects.hash(indices, privileges, fieldSecurity, queries);
}

@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
builder.startObject();
builder.field(RoleDescriptor.Fields.NAMES.getPreferredName(), indices);
builder.field(RoleDescriptor.Fields.PRIVILEGES.getPreferredName(), privileges);
if (fieldSecurity.stream().anyMatch(g -> nonEmpty(g.getGrantedFields()) || nonEmpty(g.getExcludedFields()))) {
builder.startArray(RoleDescriptor.Fields.FIELD_PERMISSIONS.getPreferredName());
for (FieldPermissionsDefinition.FieldGrantExcludeGroup group : this.fieldSecurity) {
builder.startObject();
if (nonEmpty(group.getGrantedFields())) {
builder.array(RoleDescriptor.Fields.GRANT_FIELDS.getPreferredName(), group.getGrantedFields());
}
if (nonEmpty(group.getExcludedFields())) {
builder.array(RoleDescriptor.Fields.EXCEPT_FIELDS.getPreferredName(), group.getExcludedFields());
}
builder.endObject();
}
builder.endArray();
}
if (queries.isEmpty() == false) {
builder.startArray(RoleDescriptor.Fields.QUERY.getPreferredName());
for (BytesReference q : queries) {
builder.value(q.utf8ToString());
}
builder.endArray();
}
return builder.endObject();
}

private boolean nonEmpty(String[] grantedFields) {
return grantedFields != null && grantedFields.length != 0;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
out.writeCollection(indices, StreamOutput::writeString);
out.writeCollection(privileges, StreamOutput::writeString);
out.writeCollection(fieldSecurity, (output, fields) -> {
output.writeOptionalStringArray(fields.getGrantedFields());
output.writeOptionalStringArray(fields.getExcludedFields());
});
out.writeCollection(queries, StreamOutput::writeBytesReference);
}
}
}
6 changes: 5 additions & 1 deletion ...plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -763,6 +763,10 @@ public Builder privileges(String... privileges) {
return this;
}

public Builder privileges(Collection<String> privileges) {
return privileges(privileges.toArray(new String[privileges.size()]));
}

public Builder grantedFields(String... grantedFields) {
indicesPrivileges.grantedFields = grantedFields;
return this;
Expand Down Expand Up @@ -919,7 +923,7 @@ public Builder resources(String... resources) {
return this;
}

public Builder resources(List<String> resources) {
public Builder resources(Collection<String> resources) {
return resources(resources.toArray(new String[resources.size()]));
}

Expand Down
Loading

0 comments on commit a2154b0

Please sign in to comment.