Cancellable Profile Has Privilege check (#87224)
The "profile has privileges" endpoint is designed to check the
privileges of many users, given their profile ids, in a single call.
This commit runs the privileges check under a "cancellable" task. When
the task is cancelled, the check is interrupted for the remaining
profiles still to be checked. The task can also be cancelled when the HTTP
client disconnects.
albertzaharovits committed Jun 3, 2022
1 parent 7a4542f commit 7718b8a
Showing 11 changed files with 449 additions and 27 deletions.
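--- a/docs/changelog/87224.yaml
+++ b/docs/changelog/87224.yaml
@@ -0,0 +1,5 @@
+pr: 87224
+summary: Cancellable Profile Has Privilege check
+area: Authorization
+type: enhancement
+issues: []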
@@ -11,6 +11,9 @@
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.tasks.CancellableTask;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.tasks.TaskId;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ObjectParser;
import org.elasticsearch.xcontent.ParseField;
@@ -19,6 +22,7 @@

import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Objects;

import static org.elasticsearch.action.ValidateActions.addValidationError;
@@ -64,6 +68,16 @@ public PrivilegesToCheck privilegesToCheck() {
return privilegesToCheck;
}

@Override
public Task createTask(long id, String type, String action, TaskId parentTaskId, Map<String, String> headers) {
return new CancellableTask(id, type, action, getDescription(), parentTaskId, headers);
}

@Override
public String getDescription() {
return toString();
}

@Override
public ActionRequestValidationException validate() {
ActionRequestValidationException validationException = null;
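Review bot: `getDescription()` returns `toString()`, and a task's description is what the task management API shows for a running task, so whatever `toString()` prints becomes readable by anyone allowed to list tasks. `toString()` is not visible in this hunk; since the request is described as carrying many profile ids, it is worth confirming that the string is bounded in size and holds nothing beyond the profile ids and the privilege names. I would add a comment above the override, e.g. `// shown by the task management API: keep toString() bounded and free of sensitive values`.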
@@ -10,6 +10,7 @@
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.core.Nullable;
@@ -291,6 +292,16 @@ public ActionRequestValidationException validate(ActionRequestValidationExceptio
}
if (index == null) {
validationException = addValidationError("indexPrivileges must not be null", validationException);
} else {
for (int i = 0; i < index.length; i++) {
BytesReference query = index[i].getQuery();
if (query != null) {
validationException = addValidationError(
"may only check index privileges without any DLS query [" + query.utf8ToString() + "]",
validationException
);
}
}
}
if (application == null) {
validationException = addValidationError("applicationPrivileges must not be null", validationException);
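Review bot: The new validation error embeds the whole DLS query via `query.utf8ToString()`, and one error is added per offending entry, so the message size is controlled by the caller and the raw query text ends up wherever validation failures are logged or returned. Naming the entry is enough for the caller to fix the request, e.g. `"may only check index privileges without any DLS query, but entry [" + i + "] has one"`. `index[i]` is also dereferenced without a null check; whether an element can be null depends on parsing code outside this hunk. `validate` starts before and continues after the hunk.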