org.elasticsearch.client.security.user.privileges.IndicesPrivileges Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of elasticsearch-rest-high-level-client Show documentation
Show all versions of elasticsearch-rest-high-level-client Show documentation
Elasticsearch subproject :client:rest-high-level
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/
package org.elasticsearch.client.security.user.privileges;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ToXContentObject;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentType;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Objects;
import static org.elasticsearch.xcontent.ConstructingObjectParser.constructorArg;
import static org.elasticsearch.xcontent.ConstructingObjectParser.optionalConstructorArg;
/**
* Represents privileges over indices. There is a canonical set of privilege
* names (eg. {@code IndicesPrivileges#READ_PRIVILEGE_NAME}) but there is
* flexibility in the definition of finer grained, more specialized, privileges.
* This also encapsulates field and document level security privileges. These
* allow to control what fields or documents are readable or queryable.
*/
public final class IndicesPrivileges extends AbstractIndicesPrivileges implements ToXContentObject {
@SuppressWarnings("unchecked")
static final ConstructingObjectParser PARSER = new ConstructingObjectParser<>(
"indices_privileges",
false,
constructorObjects -> {
int i = 0;
final Collection indices = (Collection) constructorObjects[i++];
final Collection privileges = (Collection) constructorObjects[i++];
final boolean allowRestrictedIndices = (Boolean) constructorObjects[i++];
final FieldSecurity fields = (FieldSecurity) constructorObjects[i++];
final String query = (String) constructorObjects[i];
return new IndicesPrivileges(indices, privileges, allowRestrictedIndices, fields, query);
}
);
static {
PARSER.declareStringArray(constructorArg(), NAMES);
PARSER.declareStringArray(constructorArg(), PRIVILEGES);
PARSER.declareBoolean(constructorArg(), ALLOW_RESTRICTED_INDICES);
PARSER.declareObject(optionalConstructorArg(), FieldSecurity::parse, FIELD_PERMISSIONS);
PARSER.declareStringOrNull(optionalConstructorArg(), QUERY);
}
private final FieldSecurity fieldSecurity;
// missing query means all documents, i.e. no restrictions
private final @Nullable String query;
private IndicesPrivileges(
Collection indices,
Collection privileges,
boolean allowRestrictedIndices,
@Nullable FieldSecurity fieldSecurity,
@Nullable String query
) {
super(indices, privileges, allowRestrictedIndices);
this.fieldSecurity = fieldSecurity;
this.query = query;
}
/**
* The combination of the {@link FieldSecurity#getGrantedFields() granted} and
* {@link FieldSecurity#getDeniedFields() denied} document fields.
* May be null, in which case no field level security is applicable, and all the document's fields are granted access to.
*/
public FieldSecurity getFieldSecurity() {
return fieldSecurity;
}
/**
* A query limiting the visible documents in the indices. Can be null, in which
* case all documents are visible.
*/
public @Nullable String getQuery() {
return this.query;
}
/**
* If {@code true} some documents might not be visible. Only the documents
* matching {@code query} will be readable.
*/
@Override
public boolean isUsingDocumentLevelSecurity() {
return query != null;
}
/**
* If {@code true} some document fields might not be visible.
*/
@Override
public boolean isUsingFieldLevelSecurity() {
return fieldSecurity != null && fieldSecurity.isUsingFieldLevelSecurity();
}
@Override
public boolean equals(Object o) {
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
IndicesPrivileges that = (IndicesPrivileges) o;
return indices.equals(that.indices)
&& privileges.equals(that.privileges)
&& allowRestrictedIndices == that.allowRestrictedIndices
&& Objects.equals(this.fieldSecurity, that.fieldSecurity)
&& Objects.equals(query, that.query);
}
@Override
public int hashCode() {
return Objects.hash(indices, privileges, allowRestrictedIndices, fieldSecurity, query);
}
@Override
public String toString() {
try {
return XContentHelper.toXContent(this, XContentType.JSON, true).utf8ToString();
} catch (IOException e) {
throw new RuntimeException("Unexpected", e);
}
}
@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
builder.startObject();
builder.field(NAMES.getPreferredName(), indices);
builder.field(PRIVILEGES.getPreferredName(), privileges);
builder.field(ALLOW_RESTRICTED_INDICES.getPreferredName(), allowRestrictedIndices);
if (fieldSecurity != null) {
builder.field(FIELD_PERMISSIONS.getPreferredName(), fieldSecurity, params);
}
if (isUsingDocumentLevelSecurity()) {
builder.field("query", query);
}
return builder.endObject();
}
public static IndicesPrivileges fromXContent(XContentParser parser) {
return PARSER.apply(parser, null);
}
public static Builder builder() {
return new Builder();
}
public static final class Builder {
private @Nullable Collection indices = null;
private @Nullable Collection privileges = null;
private @Nullable Collection grantedFields = null;
private @Nullable Collection deniedFields = null;
private @Nullable String query = null;
boolean allowRestrictedIndices = false;
public Builder() {}
public Builder indices(String... indices) {
return indices(Arrays.asList(Objects.requireNonNull(indices, "indices required")));
}
public Builder indices(Collection indices) {
this.indices = Objects.requireNonNull(indices, "indices required");
return this;
}
public Builder privileges(String... privileges) {
return privileges(Arrays.asList(Objects.requireNonNull(privileges, "privileges required")));
}
public Builder privileges(Collection privileges) {
this.privileges = Objects.requireNonNull(privileges, "privileges required");
return this;
}
public Builder grantedFields(@Nullable String... grantedFields) {
if (grantedFields == null) {
this.grantedFields = null;
return this;
}
return grantedFields(Arrays.asList(grantedFields));
}
public Builder grantedFields(@Nullable Collection grantedFields) {
this.grantedFields = grantedFields;
return this;
}
public Builder deniedFields(@Nullable String... deniedFields) {
if (deniedFields == null) {
this.deniedFields = null;
return this;
}
return deniedFields(Arrays.asList(deniedFields));
}
public Builder deniedFields(@Nullable Collection deniedFields) {
this.deniedFields = deniedFields;
return this;
}
public Builder query(@Nullable String query) {
this.query = query;
return this;
}
public Builder allowRestrictedIndices(boolean allow) {
this.allowRestrictedIndices = allow;
return this;
}
public IndicesPrivileges build() {
final FieldSecurity fieldSecurity;
if (grantedFields == null && deniedFields == null) {
fieldSecurity = null;
} else {
fieldSecurity = new FieldSecurity(grantedFields, deniedFields);
}
return new IndicesPrivileges(indices, privileges, allowRestrictedIndices, fieldSecurity, query);
}
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy