forked from opensearch-project/security
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Separated DLS/FLS privilege evaluation from action privilege evaluati…
…on (opensearch-project#4490) Signed-off-by: Nils Bandener <[email protected]> Signed-off-by: Prabhas Kurapati <[email protected]>
- Loading branch information
Showing
8 changed files
with
176 additions
and
93 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
97 changes: 97 additions & 0 deletions
97
src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
package org.opensearch.security.privileges; | ||
|
||
import com.google.common.collect.ImmutableSet; | ||
|
||
import org.opensearch.action.ActionRequest; | ||
import org.opensearch.security.resolver.IndexResolverReplacer; | ||
import org.opensearch.security.user.User; | ||
import org.opensearch.tasks.Task; | ||
|
||
/** | ||
* Request-scoped context information for privilege evaluation. | ||
* | ||
* This class carries metadata about the request and provides caching facilities for data which might need to be | ||
* evaluated several times per request. | ||
* | ||
* As this class is request-scoped, it is only used by a single thread. Thus, no thread synchronization mechanisms | ||
* are necessary. | ||
*/ | ||
public class PrivilegesEvaluationContext { | ||
private final User user; | ||
private final String action; | ||
private final ActionRequest request; | ||
private IndexResolverReplacer.Resolved resolvedRequest; | ||
private final Task task; | ||
private ImmutableSet<String> mappedRoles; | ||
private final IndexResolverReplacer indexResolverReplacer; | ||
|
||
public PrivilegesEvaluationContext( | ||
User user, | ||
ImmutableSet<String> mappedRoles, | ||
String action, | ||
ActionRequest request, | ||
Task task, | ||
IndexResolverReplacer indexResolverReplacer | ||
) { | ||
this.user = user; | ||
this.mappedRoles = mappedRoles; | ||
this.action = action; | ||
this.request = request; | ||
this.task = task; | ||
this.indexResolverReplacer = indexResolverReplacer; | ||
} | ||
|
||
public User getUser() { | ||
return user; | ||
} | ||
|
||
public String getAction() { | ||
return action; | ||
} | ||
|
||
public ActionRequest getRequest() { | ||
return request; | ||
} | ||
|
||
public IndexResolverReplacer.Resolved getResolvedRequest() { | ||
IndexResolverReplacer.Resolved result = this.resolvedRequest; | ||
|
||
if (result == null) { | ||
result = indexResolverReplacer.resolveRequest(request); | ||
this.resolvedRequest = result; | ||
} | ||
|
||
return result; | ||
} | ||
|
||
public Task getTask() { | ||
return task; | ||
} | ||
|
||
public ImmutableSet<String> getMappedRoles() { | ||
return mappedRoles; | ||
} | ||
|
||
/** | ||
* Note: Ideally, mappedRoles would be an unmodifiable attribute. PrivilegesEvaluator however contains logic | ||
* related to OPENDISTRO_SECURITY_INJECTED_ROLES_VALIDATION which first validates roles and afterwards modifies | ||
* them again. Thus, we need to be able to set this attribute. | ||
* | ||
* However, this method should be only used for this one particular phase. Normally, all roles should be determined | ||
* upfront and stay constant during the whole privilege evaluation process. | ||
*/ | ||
void setMappedRoles(ImmutableSet<String> mappedRoles) { | ||
this.mappedRoles = mappedRoles; | ||
} | ||
|
||
} |
Oops, something went wrong.