탐색 도움말
로그인
lqb
/
elasticsearch
의 미러 https://gitee.com/mirrors/elasticsearch.git
1
0
포크 0
파일 이슈 0 위키
소스 검색

Refactor building role from single role descriptor (#91107)

This PR refactors functionality for building a role from a single role
descriptor. This used to be handled by a specialized constructor of the
Role.Builder class that accessed internal fields. This PR consolidates
this logic into a static method that uses the builder's canonical
methods instead. The method is used to construct the roles of internal
users, from static role descriptors, as well as in test code.

Relates: #90614 (comment)
Nikolaj Volgushev 3 년 전
부모
0ac81ce52a
커밋
3baaab5072
8개의 변경된 파일168개의 추가작업 그리고 120개의 파일을 삭제
분할 보기 변경상태 보기
  1. 49 59
      x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
  2. 3 3
      x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java
  3. 55 24
      x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
  4. 11 8
      x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java
  5. 21 6
      x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
  6. 8 6
      x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
  7. 5 3
      x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
  8. 16 11
      x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java

+ 49 - 59
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
파일 보기 

@@ -34,6 +34,7 @@ import java.util.Collections;
 
 import java.util.HashMap;
 
 import java.util.List;
 
 import java.util.Map;
 
+import java.util.Objects;
 
 import java.util.Set;
 
 import java.util.function.Predicate;
 
 
@@ -177,10 +178,6 @@ public interface Role {
 
         return new Builder(restrictedIndices, names);
 
     }
 
 
-    static Builder builder(RoleDescriptor rd, FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) {
 
-        return new Builder(rd, fieldPermissionsCache, restrictedIndices);
 
-    }
 
-
 
     class Builder {
 
 
         private final String[] names;
 
@@ -196,26 +193,6 @@ public interface Role {
 
             this.names = names;
 
         }
 
 
-        private Builder(RoleDescriptor rd, @Nullable FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) {
 
-            // TODO handle this when we introduce remote index privileges for built-in users and roles. That's the only production code
 
-            // using this builder
 
-            assert false == rd.hasRemoteIndicesPrivileges();
 
-            this.names = new String[] { rd.getName() };
 
-            cluster(Sets.newHashSet(rd.getClusterPrivileges()), Arrays.asList(rd.getConditionalClusterPrivileges()));
 
-            groups.addAll(convertFromIndicesPrivileges(rd.getIndicesPrivileges(), fieldPermissionsCache));
 
-
 
-            final RoleDescriptor.ApplicationResourcePrivileges[] applicationPrivileges = rd.getApplicationPrivileges();
 
-            for (RoleDescriptor.ApplicationResourcePrivileges applicationPrivilege : applicationPrivileges) {
 
-                applicationPrivs.add(convertApplicationPrivilege(applicationPrivilege));
 
-            }
 
-
 
-            String[] rdRunAs = rd.getRunAs();
 
-            if (rdRunAs != null && rdRunAs.length > 0) {
 
-                this.runAs(new Privilege(Sets.newHashSet(rdRunAs), rdRunAs));
 
-            }
 
-            this.restrictedIndices = restrictedIndices;
 
-        }
 
-
 
         public Builder cluster(Set<String> privilegeNames, Iterable<ConfigurableClusterPrivilege> configurableClusterPrivileges) {
 
             ClusterPermission.Builder builder = ClusterPermission.builder();
 
             if (privilegeNames.isEmpty() == false) {
 
@@ -314,41 +291,6 @@ public interface Role {
 
             return new SimpleRole(names, cluster, indices, applicationPermission, runAs, remoteIndices);
 
         }
 
 
-        static List<IndicesPermissionGroupDefinition> convertFromIndicesPrivileges(
 
-            RoleDescriptor.IndicesPrivileges[] indicesPrivileges,
 
-            @Nullable FieldPermissionsCache fieldPermissionsCache
 
-        ) {
 
-            List<IndicesPermissionGroupDefinition> list = new ArrayList<>(indicesPrivileges.length);
 
-            for (RoleDescriptor.IndicesPrivileges privilege : indicesPrivileges) {
 
-                final FieldPermissions fieldPermissions;
 
-                if (fieldPermissionsCache != null) {
 
-                    fieldPermissions = fieldPermissionsCache.getFieldPermissions(privilege.getGrantedFields(), privilege.getDeniedFields());
 
-                } else {
 
-                    fieldPermissions = new FieldPermissions(
 
-                        new FieldPermissionsDefinition(privilege.getGrantedFields(), privilege.getDeniedFields())
 
-                    );
 
-                }
 
-                final Set<BytesReference> query = privilege.getQuery() == null ? null : Collections.singleton(privilege.getQuery());
 
-                list.add(
 
-                    new IndicesPermissionGroupDefinition(
 
-                        IndexPrivilege.get(Sets.newHashSet(privilege.getPrivileges())),
 
-                        fieldPermissions,
 
-                        query,
 
-                        privilege.allowRestrictedIndices(),
 
-                        privilege.getIndices()
 
-                    )
 
-                );
 
-            }
 
-            return list;
 
-        }
 
-
 
-        static Tuple<ApplicationPrivilege, Set<String>> convertApplicationPrivilege(RoleDescriptor.ApplicationResourcePrivileges arp) {
 
-            return new Tuple<>(
 
-                new ApplicationPrivilege(arp.getApplication(), Sets.newHashSet(arp.getPrivileges()), arp.getPrivileges()),
 
-                Sets.newHashSet(arp.getResources())
 
-            );
 
-        }
 
-
 
         private static class IndicesPermissionGroupDefinition {
 
             private final IndexPrivilege privilege;
 
             private final FieldPermissions fieldPermissions;
 
@@ -371,4 +313,52 @@ public interface Role {
 
             }
 
         }
 
     }
 
+
 
+    static SimpleRole buildFromRoleDescriptor(
 
+        final RoleDescriptor roleDescriptor,
 
+        final FieldPermissionsCache fieldPermissionsCache,
 
+        final RestrictedIndices restrictedIndices
 
+    ) {
 
+        // TODO handle this when we introduce remote index privileges for built-in users and roles. That's the only production code
 
+        // using this builder
 
+        assert false == roleDescriptor.hasRemoteIndicesPrivileges();
 
+        Objects.requireNonNull(fieldPermissionsCache);
 
+
 
+        final Builder builder = builder(restrictedIndices, roleDescriptor.getName());
 
+
 
+        builder.cluster(
 
+            Sets.newHashSet(roleDescriptor.getClusterPrivileges()),
 
+            Arrays.asList(roleDescriptor.getConditionalClusterPrivileges())
 
+        );
 
+
 
+        for (RoleDescriptor.IndicesPrivileges indexPrivilege : roleDescriptor.getIndicesPrivileges()) {
 
+            builder.add(
 
+                fieldPermissionsCache.getFieldPermissions(
 
+                    new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
 
+                ),
 
+                indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
 
+                IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
 
+                indexPrivilege.allowRestrictedIndices(),
 
+                indexPrivilege.getIndices()
 
+            );
 
+        }
 
+
 
+        for (RoleDescriptor.ApplicationResourcePrivileges applicationPrivilege : roleDescriptor.getApplicationPrivileges()) {
 
+            builder.addApplicationPrivilege(
 
+                new ApplicationPrivilege(
 
+                    applicationPrivilege.getApplication(),
 
+                    Sets.newHashSet(applicationPrivilege.getPrivileges()),
 
+                    applicationPrivilege.getPrivileges()
 
+                ),
 
+                Sets.newHashSet(applicationPrivilege.getResources())
 
+            );
 
+        }
 
+
 
+        final String[] rdRunAs = roleDescriptor.getRunAs();
 
+        if (rdRunAs != null && rdRunAs.length > 0) {
 
+            builder.runAs(new Privilege(Sets.newHashSet(rdRunAs), rdRunAs));
 
+        }
 
+
 
+        return builder.build();
 
+    }
 
 }

+ 3 - 3
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java
파일 보기 

@@ -28,11 +28,11 @@ public class SimpleRoleTests extends ESTestCase {
 
     }
 
 
     public void testHasPrivilegesCache() throws ExecutionException {
 
-        final SimpleRole role = Role.builder(
 
+        final SimpleRole role = Role.buildFromRoleDescriptor(
 
             new RoleDescriptor(randomAlphaOfLengthBetween(3, 8), new String[] { "monitor" }, null, null),
 
-            null,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
             RESTRICTED_INDICES
 
-        ).build();
 
+        );
 
 
         // cache is null to begin with
 
         assertThat(role.getHasPrivilegesCache(), nullValue());

+ 55 - 24
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
파일 보기 

@@ -278,7 +278,8 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role snapshotUserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY);
 
+        Role snapshotUserRole = Role.buildFromRoleDescriptor(roleDescriptor, fieldPermissionsCache, RESTRICTED_INDICES);
 
         assertThat(snapshotUserRole.cluster().check(GetRepositoriesAction.NAME, request, authentication), is(true));
 
         assertThat(snapshotUserRole.cluster().check(CreateSnapshotAction.NAME, request, authentication), is(true));
 
         assertThat(snapshotUserRole.cluster().check(SnapshotsStatusAction.NAME, request, authentication), is(true));
 
@@ -352,7 +353,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role ingestAdminRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role ingestAdminRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(ingestAdminRole.cluster().check(PutIndexTemplateAction.NAME, request, authentication), is(true));
 
         assertThat(ingestAdminRole.cluster().check(GetIndexTemplatesAction.NAME, request, authentication), is(true));
 
         assertThat(ingestAdminRole.cluster().check(DeleteIndexTemplateAction.NAME, request, authentication), is(true));
 
@@ -394,7 +395,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role kibanaRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role kibanaRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(kibanaRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 
         assertThat(kibanaRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 
         assertThat(kibanaRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
 
@@ -1141,7 +1142,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
         assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true)));
 
 
-        Role kibanaAdminRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role kibanaAdminRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(kibanaAdminRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 
         assertThat(kibanaAdminRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 
         assertThat(kibanaAdminRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(false));
 
@@ -1185,7 +1186,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
 
 
-        Role kibanaUserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role kibanaUserRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 
         assertThat(kibanaUserRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 
         assertThat(kibanaUserRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(false));
 
@@ -1229,7 +1230,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role monitoringUserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role monitoringUserRole = Role.buildFromRoleDescriptor(
 
+            roleDescriptor,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
+            RESTRICTED_INDICES
 
+        );
 
         assertThat(monitoringUserRole.cluster().check(MainAction.NAME, request, authentication), is(true));
 
         assertThat(monitoringUserRole.cluster().check(XPackInfoAction.NAME, request, authentication), is(true));
 
         assertThat(monitoringUserRole.cluster().check(RemoteInfoAction.NAME, request, authentication), is(true));
 
@@ -1318,7 +1323,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role remoteMonitoringAgentRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role remoteMonitoringAgentRole = Role.buildFromRoleDescriptor(
 
+            roleDescriptor,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
+            RESTRICTED_INDICES
 
+        );
 
         assertThat(remoteMonitoringAgentRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 
         assertThat(remoteMonitoringAgentRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 
         assertThat(remoteMonitoringAgentRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
 
@@ -1493,7 +1502,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role remoteMonitoringCollectorRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role remoteMonitoringCollectorRole = Role.buildFromRoleDescriptor(
 
+            roleDescriptor,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
+            RESTRICTED_INDICES
 
+        );
 
         assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 
         assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 
         assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
 
@@ -1759,7 +1772,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
 
 
-        Role reportingUserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role reportingUserRole = Role.buildFromRoleDescriptor(
 
+            roleDescriptor,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
+            RESTRICTED_INDICES
 
+        );
 
         assertThat(reportingUserRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 
         assertThat(reportingUserRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 
         assertThat(reportingUserRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(false));
 
@@ -1810,7 +1827,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role superuserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role superuserRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(superuserRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 
         assertThat(superuserRole.cluster().check(ClusterUpdateSettingsAction.NAME, request, authentication), is(true));
 
         assertThat(superuserRole.cluster().check(PutUserAction.NAME, request, authentication), is(true));
 
@@ -1937,7 +1954,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role logstashSystemRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role logstashSystemRole = Role.buildFromRoleDescriptor(
 
+            roleDescriptor,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
+            RESTRICTED_INDICES
 
+        );
 
         assertThat(logstashSystemRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 
         assertThat(logstashSystemRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 
         assertThat(logstashSystemRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
 
@@ -1971,7 +1992,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        final Role beatsAdminRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        final Role beatsAdminRole = Role.buildFromRoleDescriptor(
 
+            roleDescriptor,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
+            RESTRICTED_INDICES
 
+        );
 
         assertThat(beatsAdminRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 
         assertThat(beatsAdminRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 
         assertThat(beatsAdminRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(false));
 
@@ -2018,7 +2043,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role beatsSystemRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role beatsSystemRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(beatsSystemRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 
         assertThat(beatsSystemRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 
         assertThat(beatsSystemRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
 
@@ -2060,7 +2085,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role APMSystemRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role APMSystemRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(APMSystemRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 
         assertThat(APMSystemRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 
         assertThat(APMSystemRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
 
@@ -2113,7 +2138,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
 
         assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false));
 
         assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));
 
@@ -2165,7 +2190,8 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY);
 
+        Role role = Role.buildFromRoleDescriptor(roleDescriptor, fieldPermissionsCache, RESTRICTED_INDICES);
 
         assertRoleHasManageMl(role);
 
         assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false));
 
 
@@ -2275,7 +2301,8 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY);
 
+        Role role = Role.buildFromRoleDescriptor(roleDescriptor, fieldPermissionsCache, RESTRICTED_INDICES);
 
         assertThat(role.cluster().check(CloseJobAction.NAME, request, authentication), is(false));
 
         assertThat(role.cluster().check(DeleteCalendarAction.NAME, request, authentication), is(false));
 
         assertThat(role.cluster().check(DeleteCalendarEventAction.NAME, request, authentication), is(false));
 
@@ -2378,7 +2405,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
                 assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true)));
 
             }
 
 
-            Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+            Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
             assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(true));
 
             assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true));
 
             assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true));
 
@@ -2441,7 +2468,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
                 assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true)));
 
             }
 
 
-            Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+            Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
             assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(false));
 
             assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true));
 
             assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true));
 
@@ -2500,7 +2527,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(role.cluster().check(PutWatchAction.NAME, request, authentication), is(true));
 
         assertThat(role.cluster().check(GetWatchAction.NAME, request, authentication), is(true));
 
         assertThat(role.cluster().check(DeleteWatchAction.NAME, request, authentication), is(true));
 
@@ -2531,7 +2558,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         assertThat(role.cluster().check(PutWatchAction.NAME, request, authentication), is(false));
 
         assertThat(role.cluster().check(GetWatchAction.NAME, request, authentication), is(true));
 
         assertThat(role.cluster().check(DeleteWatchAction.NAME, request, authentication), is(false));
 
@@ -2566,7 +2593,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
         // No cluster privileges
 
         assertThat(role.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 
         assertThat(role.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 
@@ -2624,7 +2651,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 
 
         // No cluster privileges
 
         assertThat(role.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 
@@ -2778,7 +2805,11 @@ public class ReservedRolesStoreTests extends ESTestCase {
 
         assertNotNull(roleDescriptor);
 
         assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 
 
-        Role logstashAdminRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
 
+        Role logstashAdminRole = Role.buildFromRoleDescriptor(
 
+            roleDescriptor,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
+            RESTRICTED_INDICES
 
+        );
 
         assertThat(logstashAdminRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 
         assertThat(logstashAdminRole.cluster().check(PutIndexTemplateAction.NAME, request, authentication), is(false));
 
         assertThat(logstashAdminRole.cluster().check(ClusterRerouteAction.NAME, request, authentication), is(false));

+ 11 - 8
x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java
파일 보기 

@@ -55,6 +55,7 @@ import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper;
 
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
 
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 
+import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
 
 import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
 
 import org.elasticsearch.xpack.core.security.support.Automatons;
 
@@ -432,10 +433,11 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
 
             assertTrue("test_role does not exist!", getRolesResponse.hasRoles());
 
             assertTrue(
 
                 "any cluster permission should be authorized",
 
-                Role.builder(getRolesResponse.roles()[0], null, EMPTY_RESTRICTED_INDICES)
 
-                    .build()
 
-                    .cluster()
 
-                    .check("cluster:admin/foo", request, authentication)
 
+                Role.buildFromRoleDescriptor(
 
+                    getRolesResponse.roles()[0],
 
+                    new FieldPermissionsCache(Settings.EMPTY),
 
+                    EMPTY_RESTRICTED_INDICES
 
+                ).cluster().check("cluster:admin/foo", request, authentication)
 
             );
 
 
             preparePutRole("test_role").cluster("none")
 
@@ -453,10 +455,11 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
 
 
             assertFalse(
 
                 "no cluster permission should be authorized",
 
-                Role.builder(getRolesResponse.roles()[0], null, EMPTY_RESTRICTED_INDICES)
 
-                    .build()
 
-                    .cluster()
 
-                    .check("cluster:admin/bar", request, authentication)
 
+                Role.buildFromRoleDescriptor(
 
+                    getRolesResponse.roles()[0],
 
+                    new FieldPermissionsCache(Settings.EMPTY),
 
+                    EMPTY_RESTRICTED_INDICES
 
+                ).cluster().check("cluster:admin/bar", request, authentication)
 
             );
 
         }
 
     }

+ 21 - 6
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
파일 보기 

@@ -153,12 +153,27 @@ public class CompositeRolesStore {
 
         }
 
         this.negativeLookupCache = nlcBuilder.build();
 
         this.restrictedIndices = restrictedIndices;
 
-        this.superuserRole = Role.builder(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices)
 
-            .build();
 
-        xpackSecurityRole = Role.builder(XPackSecurityUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices).build();
 
-        securityProfileRole = Role.builder(SecurityProfileUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices).build();
 
-        xpackUserRole = Role.builder(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices).build();
 
-        asyncSearchUserRole = Role.builder(AsyncSearchUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices).build();
 
+        this.superuserRole = Role.buildFromRoleDescriptor(
 
+            ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR,
 
+            fieldPermissionsCache,
 
+            this.restrictedIndices
 
+        );
 
+        this.xpackSecurityRole = Role.buildFromRoleDescriptor(
 
+            XPackSecurityUser.ROLE_DESCRIPTOR,
 
+            fieldPermissionsCache,
 
+            this.restrictedIndices
 
+        );
 
+        this.securityProfileRole = Role.buildFromRoleDescriptor(
 
+            SecurityProfileUser.ROLE_DESCRIPTOR,
 
+            fieldPermissionsCache,
 
+            this.restrictedIndices
 
+        );
 
+        this.xpackUserRole = Role.buildFromRoleDescriptor(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices);
 
+        this.asyncSearchUserRole = Role.buildFromRoleDescriptor(
 
+            AsyncSearchUser.ROLE_DESCRIPTOR,
 
+            fieldPermissionsCache,
 
+            this.restrictedIndices
 
+        );
 
 
         this.roleReferenceResolver = new RoleDescriptorStore(
 
             roleProviders,

+ 8 - 6
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
파일 보기 

@@ -29,6 +29,7 @@ import org.elasticsearch.action.search.SearchAction;
 
 import org.elasticsearch.action.update.UpdateAction;
 
 import org.elasticsearch.cluster.metadata.IndexAbstraction;
 
 import org.elasticsearch.common.Strings;
 
+import org.elasticsearch.common.settings.Settings;
 
 import org.elasticsearch.test.ESTestCase;
 
 import org.elasticsearch.transport.TransportRequest;
 
 import org.elasticsearch.xpack.core.ilm.action.GetLifecycleAction;
 
@@ -107,6 +108,7 @@ import org.elasticsearch.xpack.core.security.action.user.PutUserAction;
 
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 
 import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper;
 
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 
+import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
 
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
 
 import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
 
@@ -145,11 +147,11 @@ public class ElasticServiceAccountsTests extends ESTestCase {
 
     }
 
 
     public void testElasticFleetServerPrivileges() {
 
-        final Role role = Role.builder(
 
+        final Role role = Role.buildFromRoleDescriptor(
 
             ElasticServiceAccounts.ACCOUNTS.get("elastic/fleet-server").roleDescriptor(),
 
-            null,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
             RESTRICTED_INDICES
 
-        ).build();
 
+        );
 
         final Authentication authentication = AuthenticationTestHelper.builder().serviceAccount().build();
 
         assertThat(
 
             role.cluster()
 
@@ -305,11 +307,11 @@ public class ElasticServiceAccountsTests extends ESTestCase {
 
     }
 
 
     public void testElasticEnterpriseSearchServerAccount() {
 
-        final Role role = Role.builder(
 
+        final Role role = Role.buildFromRoleDescriptor(
 
             ElasticServiceAccounts.ACCOUNTS.get("elastic/enterprise-search-server").roleDescriptor(),
 
-            null,
 
+            new FieldPermissionsCache(Settings.EMPTY),
 
             RESTRICTED_INDICES
 
-        ).build();
 
+        );
 
 
         final Authentication authentication = AuthenticationTestHelper.builder().serviceAccount().build();
 
         final TransportRequest request = mock(TransportRequest.class);

+ 5 - 3
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
파일 보기 

@@ -354,17 +354,19 @@ public class IndicesAndAliasesResolverTests extends ESTestCase {
 
             @SuppressWarnings("unchecked")
 
             ActionListener<Role> listener = (ActionListener<Role>) i.getArguments()[1];
 
             if (XPackUser.is(user)) {
 
-                listener.onResponse(Role.builder(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES).build());
 
+                listener.onResponse(Role.buildFromRoleDescriptor(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES));
 
                 return Void.TYPE;
 
             }
 
             if (XPackSecurityUser.is(user)) {
 
                 listener.onResponse(
 
-                    Role.builder(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES).build()
 
+                    Role.buildFromRoleDescriptor(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES)
 
                 );
 
                 return Void.TYPE;
 
             }
 
             if (AsyncSearchUser.is(user)) {
 
-                listener.onResponse(Role.builder(AsyncSearchUser.ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES).build());
 
+                listener.onResponse(
 
+                    Role.buildFromRoleDescriptor(AsyncSearchUser.ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES)
 
+                );
 
                 return Void.TYPE;
 
             }

+ 16 - 11
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
파일 보기 

@@ -31,6 +31,7 @@ import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper;
 
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
 
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 
 import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
 
+import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 
 import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
 
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
 
 import org.elasticsearch.xpack.core.security.authz.permission.RunAsPermission;
 
@@ -101,7 +102,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         RoleDescriptor descriptor = roles.get("role1");
 
         assertNotNull(descriptor);
 
-        Role role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        Role role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role1" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -129,7 +130,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         descriptor = roles.get("role1.ab");
 
         assertNotNull(descriptor);
 
-        role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role1.ab" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -141,7 +142,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         descriptor = roles.get("role2");
 
         assertNotNull(descriptor);
 
-        role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role2" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -152,7 +153,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         descriptor = roles.get("role3");
 
         assertNotNull(descriptor);
 
-        role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role3" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -182,7 +183,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         descriptor = roles.get("role_run_as");
 
         assertNotNull(descriptor);
 
-        role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role_run_as" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -195,7 +196,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         descriptor = roles.get("role_run_as1");
 
         assertNotNull(descriptor);
 
-        role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role_run_as1" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -208,7 +209,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         descriptor = roles.get("role_fields");
 
         assertNotNull(descriptor);
 
-        role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role_fields" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -230,7 +231,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         descriptor = roles.get("role_query");
 
         assertNotNull(descriptor);
 
-        role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role_query" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -251,7 +252,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
 
         descriptor = roles.get("role_query_fields");
 
         assertNotNull(descriptor);
 
-        role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "role_query_fields" }));
 
         assertThat(role.cluster(), notNullValue());
 
@@ -442,7 +443,11 @@ public class FileRolesStoreTests extends ESTestCase {
 
             descriptors = store.roleDescriptors(Collections.singleton("role5"));
 
             assertThat(descriptors, notNullValue());
 
             assertEquals(1, descriptors.size());
 
-            Role role = Role.builder(descriptors.iterator().next(), null, restrictedIndices).build();
 
+            Role role = Role.buildFromRoleDescriptor(
 
+                descriptors.iterator().next(),
 
+                new FieldPermissionsCache(Settings.EMPTY),
 
+                restrictedIndices
 
+            );
 
             assertThat(role, notNullValue());
 
             assertThat(role.names(), equalTo(new String[] { "role5" }));
 
             assertThat(role.cluster().check("cluster:monitor/foo/bar", request, authentication), is(true));
 
@@ -539,7 +544,7 @@ public class FileRolesStoreTests extends ESTestCase {
 
         assertThat(roles, hasKey("valid_role"));
 
         RoleDescriptor descriptor = roles.get("valid_role");
 
         assertNotNull(descriptor);
 
-        Role role = Role.builder(descriptor, null, restrictedIndices).build();
 
+        Role role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
 
         assertThat(role, notNullValue());
 
         assertThat(role.names(), equalTo(new String[] { "valid_role" }));