Replaced uses of SecurityRoles by Set<String> mappedRoles where the S…

…ecurityRoles functionality is not needed (#4432) Signed-off-by: Nils Bandener <[email protected]>
opensearch-project · Jun 13, 2024 · 681a944 · 681a944
1 parent c1872b6
commit 681a944
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 12 deletions.
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -296,7 +296,7 @@ public PrivilegesEvaluatorResponse evaluate(
                     "No cluster-level perm match for {} [Action [{}]] [RolesChecked {}]. No permissions for {}",
                     user,
                     action0,
-                    securityRoles.getRoleNames(),
+                    mappedRoles,
                     presponse.missingPrivileges
                 );
             } else {
@@ -333,7 +333,7 @@ public PrivilegesEvaluatorResponse evaluate(
         }
 
         // Protected index access
-        if (protectedIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, securityRoles).isComplete()) {
+        if (protectedIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, mappedRoles).isComplete()) {
             return presponse;
         }
 
@@ -374,7 +374,7 @@ public PrivilegesEvaluatorResponse evaluate(
                     user,
                     requestedResolved,
                     action0,
-                    securityRoles.getRoleNames(),
+                    mappedRoles,
                     presponse.missingPrivileges
                 );
                 return presponse;
@@ -471,7 +471,7 @@ public PrivilegesEvaluatorResponse evaluate(
 
         if (isDebugEnabled) {
             log.debug("Requested resolved index types: {}", requestedResolved);
-            log.debug("Security roles: {}", securityRoles.getRoleNames());
+            log.debug("Security roles: {}", mappedRoles);
         }
 
         // TODO exclude Security index
@@ -561,7 +561,7 @@ public PrivilegesEvaluatorResponse evaluate(
                 user,
                 requestedResolved,
                 action0,
-                securityRoles.getRoleNames()
+                mappedRoles
             );
             log.info("No permissions for {}", presponse.missingPrivileges);
         } else {

diff --git a/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java
@@ -13,6 +13,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -23,7 +24,6 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.resolver.IndexResolverReplacer;
-import org.opensearch.security.securityconf.SecurityRoles;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.tasks.Task;
@@ -73,31 +73,29 @@ public PrivilegesEvaluatorResponse evaluate(
         final String action,
         final IndexResolverReplacer.Resolved requestedResolved,
         final PrivilegesEvaluatorResponse presponse,
-        final SecurityRoles securityRoles
+        final Set<String> mappedRoles
     ) {
         if (!protectedIndexEnabled) {
             return presponse;
         }
         if (!requestedResolved.isLocalAll()
             && indexMatcher.matchAny(requestedResolved.getAllIndices())
             && deniedActionMatcher.test(action)
-            && !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) {
+            && !allowedRolesMatcher.matchAny(mappedRoles)) {
             auditLog.logMissingPrivileges(action, request, task);
             log.warn("{} for '{}' index/indices is not allowed for a regular user", action, indexMatcher);
             presponse.allowed = false;
             return presponse.markComplete();
         }
 
-        if (requestedResolved.isLocalAll()
-            && deniedActionMatcher.test(action)
-            && !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) {
+        if (requestedResolved.isLocalAll() && deniedActionMatcher.test(action) && !allowedRolesMatcher.matchAny(mappedRoles)) {
             auditLog.logMissingPrivileges(action, request, task);
             log.warn("{} for '_all' indices is not allowed for a regular user", action);
             presponse.allowed = false;
             return presponse.markComplete();
         }
         if ((requestedResolved.isLocalAll() || indexMatcher.matchAny(requestedResolved.getAllIndices()))
-            && !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) {
+            && !allowedRolesMatcher.matchAny(mappedRoles)) {
 
             final boolean isDebugEnabled = log.isDebugEnabled();
             if (request instanceof SearchRequest) {