[HLRC] Put Role #36209
[HLRC] Put Role #36209
Conversation
This reverts commit 345838a.
|
Pinging @elastic/es-core-features |
| @@ -217,12 +217,12 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws | |||
| builder.startObject(); | |||
| builder.field(NAMES.getPreferredName(), indices); | |||
| builder.field(PRIVILEGES.getPreferredName(), privileges); | |||
| if (isUsingFieldLevelSecurity()) { | |||
| if (grantedFields != null || deniedFields != null) { | |||
There was a problem hiding this comment.
Although the previous condition was correctly from the server logic stand point, it would hinder testing in IndicesPrivilegesTests.
| PARSER.declareObject(constructorArg(), (parser, c) -> parser.map(), METADATA); | ||
| PARSER.declareObject(constructorArg(), (parser, c) -> parser.map(), TRANSIENT_METADATA); | ||
| PARSER.declareObject(optionalConstructorArg(), (parser, c) -> parser.map(), METADATA); | ||
| PARSER.declareObject(optionalConstructorArg(), (parser, c) -> parser.map(), TRANSIENT_METADATA); |
There was a problem hiding this comment.
Again this was correct judging by the server logic but XContentTests serialize and deserialize roles with null metadata and then test for equality.
| Objects.requireNonNull(transientMetadata, "Transient metadata cannot be null. Pass an empty map instead."); | ||
| return this; | ||
| } | ||
|
|
There was a problem hiding this comment.
Transient metadata cannot be set in the builder, by the client, it is created only by the server.
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Objects.hash(name, clusterPrivileges, globalApplicationPrivileges, indicesPrivileges, applicationResourcePrivileges, | ||
| runAsPrivilege, metadata, transientMetadata); | ||
| runAsPrivilege, metadata); |
There was a problem hiding this comment.
transient metadata is a read only field when retrieving the Role and cannot be set on a put Role.
It should not matter in an equals because a user should be able to create a role that is equal to another one, except for the transient part over which it has no control (cannot set it himself)
There was a problem hiding this comment.
Is a (retrieved) enabled role equal (for a client) to a disabled role ?
There was a problem hiding this comment.
In principle yes because the enabled status is included in the transientMetadata which is not counted by equals. In practice I don't know how the client could get hold of a disabled role (probably before disabling it).
Do you have some scenario in mind when you think transientMetadata would be something the client should touch?
There was a problem hiding this comment.
In principle yes because the enabled status is included in the transientMetadata which is not counted by equals.
Yes, this is what we have now. My (poorly stated) stated question was whether we think it should be this way or not.
In practice I don't know how the client could get hold of a disabled role (probably before disabling it).
A role that has DLS/FLS for a user that was on platinum but is now on Gold maybe.
Do you have some scenario in mind when you think transientMetadata would be something the client should touch?
No not specifically. I was just wondering if the client should be able to distinguish between the same role being enabled or disabled by comparing the role objects
There was a problem hiding this comment.
This is similar to the enabled flag on the user. I think the Role that is included in a PutRoleRequest should contain only fields that the client can change. transientMetadata is a field that is read only, and it is a compromise because the Role is also part of the GetRolesResponse . We can completely pull out transientMetadata from the Role and present it other way in the Get Roles API. GetRolesResponse would be having some sort of transientMetadata field. Do you see this preferable?
There was a problem hiding this comment.
I think it's clearer.. I'm now circling back to our discussion regarding Role when I started with the GetRoles API and it's much clearer what you were saying back then. I probably should have done it in the get roles effort but it wasn't obvious at that point, sorry ❤️
There was a problem hiding this comment.
I think it's clearer too. I will make the change in this PR, instead of opening a new one, because Role was "synthetically" created and was expected to change as APIs suit it. But we need to get this PR in before 6.6 so as not to be breaking because it will change GetRolesResponse.
Sounds like a plan?
There was a problem hiding this comment.
another approach that might help here is PutRoleRequest.Builder which implicitly uses Role.Builder but does not build the transient part to build Role.
There was a problem hiding this comment.
@bizybot I prefer to pass the Role to the PutRoleRequest and not take fields apart to call builder methods.
...nt/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java
Outdated
Show resolved
Hide resolved
| @@ -1023,18 +1019,63 @@ public void onFailure(Exception e) { | |||
| } | |||
| } | |||
|
|
|||
| // TODO: move all calls to high-level REST client once APIs for adding new role exist | |||
...high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java
Show resolved
Hide resolved
| @@ -49,7 +49,7 @@ | |||
|
|
|||
| // When categories change, adapting this field should suffice. Categories are NOT | |||
| // opaque "named_objects", we wish to maintain control over these namespaces | |||
| static final List<String> CATEGORIES = Collections.unmodifiableList(Arrays.asList("application")); | |||
| public static final List<String> CATEGORIES = Collections.unmodifiableList(Arrays.asList("application")); | |||
There was a problem hiding this comment.
Collections.singletonList if we do not have other categories for now.
| @@ -329,6 +326,9 @@ public Role build() { | |||
| public static final String MANAGE_PIPELINE = "manage_pipeline"; | |||
| public static final String MANAGE_CCR = "manage_ccr"; | |||
| public static final String READ_CCR = "read_ccr"; | |||
| public static final String[] ARRAY = new String[] { NONE, ALL, MONITOR, MONITOR_ML, MONITOR_WATCHER, MONITOR_ROLLUP, MANAGE, | |||
There was a problem hiding this comment.
I think we should rename this constant to something that represents the meaning.
| @@ -349,6 +349,8 @@ public Role build() { | |||
| public static final String CREATE_INDEX = "create_index"; | |||
| public static final String VIEW_INDEX_METADATA = "view_index_metadata"; | |||
| public static final String MANAGE_FOLLOW_INDEX = "manage_follow_index"; | |||
| public static final String[] ARRAY = new String[] { NONE, ALL, READ, READ_CROSS, CREATE, INDEX, DELETE, WRITE, MONITOR, MANAGE, | |||
| } | ||
|
|
||
| @Override | ||
| public int hashCode() { | ||
| return Objects.hash(name, clusterPrivileges, globalApplicationPrivileges, indicesPrivileges, applicationResourcePrivileges, | ||
| runAsPrivilege, metadata, transientMetadata); | ||
| runAsPrivilege, metadata); |
There was a problem hiding this comment.
another approach that might help here is PutRoleRequest.Builder which implicitly uses Role.Builder but does not build the transient part to build Role.
| if (role.getMetadata() != null) { | ||
| builder.field(Role.METADATA.getPreferredName(), role.getMetadata()); | ||
| } | ||
| if (role.getTransientMetadata() != null) { |
There was a problem hiding this comment.
I think we should not write this for PutRoleRequest.
This commit adds support for the put role API in the java high level rest client.
This commit adds support for the put role API in the java high level rest client.
Related #29827
cc @elastic/es-security