-
Notifications
You must be signed in to change notification settings - Fork 24.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security remove datemath special handling #91047
Security remove datemath special handling #91047
Conversation
indexAbstraction.getType() == Type.DATA_STREAM
0e54730
to
7fabf60
Compare
Pinging @elastic/es-security (Team:Security) |
Hi @albertzaharovits, I've created a changelog YAML for you. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks for the details they helped. However there were a commits called out that only appear to be only be relevant to the this PR. For example: isDateMathVisible was introduced and removed all in this PR and for some changes I couldn't draw a line between those called out and the final changes here.
Thank you for the review!
Yes, it is true that some references in the explanations do not make sense in the final resultant codebase, as they were relevant only in the interim context that they were introduced in. I'll keep this feedback in mind, I think there was an opportunity to split this one up in two smaller PRs, and alleviate the issue you describe. |
This is a composite PR that removes a number of index expression resolving behaviors related to datemath evaluation.
Most of the removed cases were redundant; there was code elsewhere that handled the same cases.
There are however two esoteric behaviors that were not redundant, but which were actually bugs (see below the discussion for each change):
includeDataStreams==false
andindexAbstraction.getType() == Type.DATA_STREAM
condition is handled in RBACEngineelasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
Line 816 in 87eb40a
elasticsearch/server/src/main/java/org/elasticsearch/cluster/metadata/IndexNameExpressionResolver.java
Line 1289 in a1d8b77
elasticsearch/server/src/main/java/org/elasticsearch/cluster/metadata/IndexNameExpressionResolver.java
Line 1286 in 1f265eb
availableIndexAbstractions.contains(dateMathName) == false
, i.e. index does not exist or is not authorized, we should still add the name to the resolved expression ifindicesOptions.ignoreUnavailable() == false
because:elasticsearch/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
Line 384 in 56074ab
elasticsearch/server/src/main/java/org/elasticsearch/cluster/metadata/IndexNameExpressionResolver.java
Line 1282 in 56074ab