From 7bc3e79f7a5d25a32e0a728f9d90df2539d11017 Mon Sep 17 00:00:00 2001
From: Albert Zaharovits
Date: Sun, 23 Aug 2020 18:55:07 +0300
Subject: [PATCH 1/2] Done
---
 .../authz/SecuritySearchOperationListener.java | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
index 0d9e2d55ceb86..b26fbb3016f8f 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
@@ -102,14 +102,12 @@ public void onPreQueryPhase(SearchContext searchContext) {
 void ensureIndicesAccessControlForScrollThreadContext(SearchContext searchContext) {
 if (licenseState.isSecurityEnabled() && searchContext.scrollContext() != null) {
- IndicesAccessControl scrollIndicesAccessControl =
- searchContext.scrollContext().getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
 IndicesAccessControl threadIndicesAccessControl =
 securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
- if (scrollIndicesAccessControl != threadIndicesAccessControl) {
- throw new ElasticsearchSecurityException("[" + searchContext.id() + "] expected scroll indices access control [" +
- scrollIndicesAccessControl.toString() + "] but found [" + threadIndicesAccessControl.toString() + "] in thread " +
- "context");
+ if (null == threadIndicesAccessControl) {
+ throw new ElasticsearchSecurityException("Unexpected null indices access control for search context [" +
+ searchContext.id() + "] for request [" + searchContext.request().getDescription() + "] with source [" +
+ searchContext.source() + "]");
 }
 }
 }
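Review bot: The new guard in `ensureIndicesAccessControlForScrollThreadContext` only proves that some `IndicesAccessControl` is present in the thread context, whereas the removed comparison also tied it to the instance stored with the scroll, so a mismatched instance now passes without an error. If that relaxation is intended, it should be recorded at the check, for example `// only presence is verified; the instance is not compared with the one held by the scroll context`, so that the null test is not mistaken for the full invariant. The new message also concatenates `searchContext.request().getDescription()` and `searchContext.source()`, which puts the complete query body into the exception text and into whatever logs or responses carry it; keeping only `searchContext.id()` in the message and logging the source at debug level would limit that. Whether the thread context is always populated from the scroll context before these phases run cannot be seen from this hunk.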
From 106a79575ceb6e63059374665eba974991b4d0cb Mon Sep 17 00:00:00 2001
From: Albert Zaharovits
Date: Thu, 27 Aug 2020 18:58:44 +0300
Subject: [PATCH 2/2] Merge woes
---
 .../authz/SecuritySearchOperationListener.java | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
index 07679d30edbb9..f4520c9e24724 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
@@ -29,7 +29,7 @@
 /**
 * A {@link SearchOperationListener} that is used to provide authorization for scroll requests.
- *
+ *

* In order to identify the user associated with a scroll request, we replace the {@link ReaderContext}
 * on creation with a custom implementation that holds the {@link Authentication} object. When
 * this context is accessed again in {@link SearchOperationListener#onPreQueryPhase(SearchContext)}
@@ -82,7 +82,7 @@ public void validateSearchContext(ReaderContext readerContext, TransportRequest
 if (null == securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY)) {
 // fill in the DLS and FLS permissions for the scroll search action from the scroll context
 IndicesAccessControl scrollIndicesAccessControl =
- readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+ readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
 assert scrollIndicesAccessControl != null : "scroll does not contain index access control";
 securityContext.getThreadContext().putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY,
 scrollIndicesAccessControl);
@@ -93,16 +93,16 @@ public void validateSearchContext(ReaderContext readerContext, TransportRequest
 @Override
 public void onPreFetchPhase(SearchContext searchContext) {
- ensureIndicesAccessControlForScrollThreadContext(searchContext.readerContext());
+ ensureIndicesAccessControlForScrollThreadContext(searchContext);
 }
 @Override
 public void onPreQueryPhase(SearchContext searchContext) {
- ensureIndicesAccessControlForScrollThreadContext(searchContext.readerContext());
+ ensureIndicesAccessControlForScrollThreadContext(searchContext);
 }
- void ensureIndicesAccessControlForScrollThreadContext(ReaderContext readerContext) {
- if (licenseState.isSecurityEnabled() && readerContext.scrollContext() != null) {
+ void ensureIndicesAccessControlForScrollThreadContext(SearchContext searchContext) {
+ if (licenseState.isSecurityEnabled() && searchContext.readerContext().scrollContext() != null) {
 IndicesAccessControl threadIndicesAccessControl =
 securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
 if (null == threadIndicesAccessControl) {
@@ -129,7 +129,7 @@ static void ensureAuthenticatedUserIsSame(Authentication original, Authenticatio
 if (original.getUser().isRunAs()) {
 if (current.getUser().isRunAs()) {
 sameRealmType = original.getLookedUpBy().getType().equals(current.getLookedUpBy().getType());
- } else {
+ } else {
 sameRealmType = original.getLookedUpBy().getType().equals(current.getAuthenticatedBy().getType());
 }
 } else if (current.getUser().isRunAs()) {
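Review bot: `ensureIndicesAccessControlForScrollThreadContext` still has no Javadoc after its signature changes in the `@@ -93,16 +93,16 @@` hunk, although both `onPreFetchPhase` and `onPreQueryPhase` depend on it for scroll requests. A short header would help, such as `/** Fails the phase when security is enabled, the reader context belongs to a scroll, and no IndicesAccessControl is present in the thread context. */`. The method body continues past the end of this hunk, so that wording rests on the `null == threadIndicesAccessControl` guard visible here and should be checked against the throw that follows.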