Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More robust and consistent allowAll indicesAccessControl #79415

Merged
merged 2 commits into from
Oct 19, 2021
Merged

More robust and consistent allowAll indicesAccessControl #79415

merged 2 commits into from
Oct 19, 2021

Conversation

ywangd
Copy link
Member

@ywangd ywangd commented Oct 19, 2021
edited
Loading

This PR ensures that AllowAllIndicesAccessControl is able to behave well
for all superclass's methods. Previously it throws NPE when it is asked
about Fls/Dls usage because it has a null index permissions map as a
placeholder. In this PR, we also get rid of the null and mandate
non-null in the constructor of IndicesAccessControl.

In addition, whether a role has DLS/FLS and whether an
AllowAllIndicesAccessControl should be used for short circuit is
determined more consistently. In both places, whether a group has total
access to all indices is used as part of the criteria. Previously it is
possible that a role reports it has DLS/FLS while the
indicesAccessControl does not have it. This could happen when one of
the group has DLS/FLS but another group has total access to all indices.
In this case, the code now correctly reports no DLS/FLS in both places.

Resolves: #79361

@ywangd
More robust and consistnt allowAll indicesAccessControl
18ee249 
This PR ensures that AllowAllIndicesAccessControl is able to behave well
for all superclass's methods. Previously it throws NPE when it is asked
about Fls/Dls usage because it has a null index permissions map as a
placeholder. In this PR, we also get rid of the null and also mandate
non-null in the constructor of IndicesAccessControl.

In additional, whether a role has DLS/FLS and whether an
AllowAllIndicesAccessControl should be used for short circuit is
determined more consistently. In both places, whether a group has total
access to all indices is used as part of the criteria. Previously it is
possible that the role reports it has DLS/FLS while the
cindicesAccessControl does not have it. This could happen when one of
the group has DLS/FLS but another group has total access to all indices.
In this case, the code now correctly reports no DLS/FLS in both places.

Resolves: elastic#79361
@ywangd ywangd added >test Issues or PRs that are addressing/adding tests :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.0.0 v7.16.0 labels Oct 19, 2021
@ywangd ywangd requested a review from tvernum October 19, 2021 03:50
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Oct 19, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@ywangd ywangd changed the title More robust and consistnt allowAll indicesAccessControl More robust and consistent allowAll indicesAccessControl Oct 19, 2021
tvernum
tvernum approved these changes Oct 19, 2021
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ywangd
Copy link
Member Author

ywangd commented Oct 19, 2021

@elasticmachine run elasticsearch-ci/part-1

@ywangd ywangd merged commit 4ea349d into elastic:master Oct 19, 2021
@elasticsearchmachine
Copy link
Collaborator

💔 Backport failed

Status Branch Result
7.x Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 79415

weizijun added a commit to weizijun/elasticsearch that referenced this pull request Oct 19, 2021
@weizijun
Merge branch 'upstream/master' into reuse-date-stream-timestamp
93beacb 
* upstream/master: (34 commits)
  Add extensionName() to security extension (elastic#79329)
  More robust and consistent allowAll indicesAccessControl (elastic#79415)
  Fix circuit breaker leak in MultiTerms aggregation (elastic#79362)
  guard geoline aggregation from parents aggegator that emit empty buckets (elastic#79129)
  Vector tiles: increase the size of the envelope used to clip geometries (elastic#79030)
  Revert "[ML] Add queue_capacity setting to start deployment API (elastic#79369)" (elastic#79374)
  Convert token service license object to LicensedFeature (elastic#79284)
  [TEST] Fix ShardPathTests for MDP (elastic#79393)
  Fix fleet search API with no checkpints (elastic#79400)
  Reduce BWC version for transient settings (elastic#79396)
  EQL: Rename a test class for eclipse (elastic#79254)
  Use search_coordination threadpool in field caps (elastic#79378)
  Use query param instead of a system property for opting in for new cluster health response code (elastic#79351)
  Add new kNN search endpoint (elastic#79013)
  Disable BWC tests
  Convert auditing license object to LicensedFeature (elastic#79280)
  Update BWC versions after backport of elastic#78551
  Enable InstantiatingObjectParser to pass context as a first argument (elastic#79206)
  Move xcontent filtering tests (elastic#79298)
  Update links to Fleet/Agent docs (elastic#79303)
  ...
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Oct 19, 2021
@ywangd
More robust and consistent allowAll indicesAccessControl (elastic#79415)
bca07c7 
This PR ensures that AllowAllIndicesAccessControl is able to behave well
for all superclass's methods. Previously it throws NPE when it is asked
about Fls/Dls usage because it has a null index permissions map as a
placeholder. In this PR, we also get rid of the null and also mandate
non-null in the constructor of IndicesAccessControl.

In additional, whether a role has DLS/FLS and whether an
AllowAllIndicesAccessControl should be used for short circuit is
determined more consistently. In both places, whether a group has total
access to all indices is used as part of the criteria. Previously it is
possible that the role reports it has DLS/FLS while the
cindicesAccessControl does not have it. This could happen when one of
the group has DLS/FLS but another group has total access to all indices.
In this case, the code now correctly reports no DLS/FLS in both places.

Resolves: elastic#79361
@ywangd ywangd mentioned this pull request Oct 19, 2021
Merged
elasticsearchmachine pushed a commit that referenced this pull request Oct 19, 2021
@ywangd
More robust and consistent allowAll indicesAccessControl (#79415) (#7…
ba5032d 
…9427)

* More robust and consistent allowAll indicesAccessControl (#79415)

This PR ensures that AllowAllIndicesAccessControl is able to behave well
for all superclass's methods. Previously it throws NPE when it is asked
about Fls/Dls usage because it has a null index permissions map as a
placeholder. In this PR, we also get rid of the null and also mandate
non-null in the constructor of IndicesAccessControl.

In additional, whether a role has DLS/FLS and whether an
AllowAllIndicesAccessControl should be used for short circuit is
determined more consistently. In both places, whether a group has total
access to all indices is used as part of the criteria. Previously it is
possible that the role reports it has DLS/FLS while the
cindicesAccessControl does not have it. This could happen when one of
the group has DLS/FLS but another group has total access to all indices.
In this case, the code now correctly reports no DLS/FLS in both places.

Resolves: #79361

* fix for 7.x quirks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvernum tvernum tvernum approved these changes

Assignees
No one assigned
Labels
:Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team >test Issues or PRs that are addressing/adding tests v7.16.0 v8.0.0-beta1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NativeRealmIntegTests fail on master and 7.x
5 participants
@ywangd @elasticmachine @elasticsearchmachine @tvernum @jakelandis