Introduce asynchronous RBACEngine

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java

@@ -23,6 +23,7 @@ public class IndicesAccessControl {
     public static final IndicesAccessControl ALLOW_NO_INDICES = new IndicesAccessControl(true,
             Collections.singletonMap(IndicesAndAliasesResolverField.NO_INDEX_PLACEHOLDER,
                     new IndicesAccessControl.IndexAccessControl(true, new FieldPermissions(), null)));
+    public static final IndicesAccessControl DENIED = new IndicesAccessControl(false, Collections.emptyMap());
 
     private final boolean granted;
     private final Map<String, IndexAccessControl> indexPermissions;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -11,7 +11,6 @@
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.cluster.metadata.AliasOrIndex;
 import org.elasticsearch.cluster.metadata.IndexMetaData;
-import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.bytes.BytesReference;
@@ -28,7 +27,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
-import java.util.SortedMap;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Function;
 import java.util.function.Predicate;
@@ -152,19 +150,18 @@ public Automaton allowedActionsMatcher(String index) {
      * Authorizes the provided action against the provided indices, given the current cluster metadata
      */
     public Map<String, IndicesAccessControl.IndexAccessControl> authorize(String action, Set<String> requestedIndicesOrAliases,
-                                                                          MetaData metaData, FieldPermissionsCache fieldPermissionsCache) {
+                                                                          Function<String, AliasOrIndex> allAliasesAndIndices,
+                                                                          FieldPermissionsCache fieldPermissionsCache) {
         // now... every index that is associated with the request, must be granted
         // by at least one indices permission group
-
-        SortedMap<String, AliasOrIndex> allAliasesAndIndices = metaData.getAliasAndIndexLookup();
         Map<String, Set<FieldPermissions>> fieldPermissionsByIndex = new HashMap<>();
         Map<String, DocumentLevelPermissions> roleQueriesByIndex = new HashMap<>();
         Map<String, Boolean> grantedBuilder = new HashMap<>();
 
         for (String indexOrAlias : requestedIndicesOrAliases) {
             boolean granted = false;
             Set<String> concreteIndices = new HashSet<>();
-            AliasOrIndex aliasOrIndex = allAliasesAndIndices.get(indexOrAlias);
+            AliasOrIndex aliasOrIndex = allAliasesAndIndices.apply(indexOrAlias);
             if (aliasOrIndex != null) {
                 for (IndexMetaData indexMetaData : aliasOrIndex.getIndices()) {
                     concreteIndices.add(indexMetaData.getIndex().getName());

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -5,7 +5,7 @@
  */
 package org.elasticsearch.xpack.core.security.authz.permission;
 
-import org.elasticsearch.cluster.metadata.MetaData;
+import org.elasticsearch.cluster.metadata.AliasOrIndex;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.collect.Tuple;
@@ -25,6 +25,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.function.Function;
 
 public final class Role {
 
@@ -77,10 +78,11 @@ public static Builder builder(RoleDescriptor rd, FieldPermissionsCache fieldPerm
      * specified action with the requested indices/aliases. At the same time if field and/or document level security
      * is configured for any group also the allowed fields and role queries are resolved.
      */
-    public IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases, MetaData metaData,
+    public IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases,
+                                          Function<String, AliasOrIndex> aliasAndIndexLookup,
                                           FieldPermissionsCache fieldPermissionsCache) {
         Map<String, IndicesAccessControl.IndexAccessControl> indexPermissions = indices.authorize(
-            action, requestedIndicesOrAliases, metaData, fieldPermissionsCache
+            action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache
         );
 
         // At least one role / indices permission set need to match with all the requested indices/aliases:

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/Exceptions.java

@@ -27,6 +27,10 @@ public static ElasticsearchSecurityException authenticationError(String msg, Obj
     }
 
     public static ElasticsearchSecurityException authorizationError(String msg, Object... args) {
-        return new ElasticsearchSecurityException(msg, RestStatus.FORBIDDEN, args);
+        return new ElasticsearchSecurityException(msg, RestStatus.FORBIDDEN, null, args);
+    }
+
+    public static ElasticsearchSecurityException authorizationError(String msg, Exception cause, Object... args) {
+        return new ElasticsearchSecurityException(msg, RestStatus.FORBIDDEN, cause, args);
     }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java

@@ -31,6 +31,7 @@
 import org.elasticsearch.action.search.SearchAction;
 import org.elasticsearch.action.update.UpdateAction;
 import org.elasticsearch.cluster.metadata.AliasMetaData;
+import org.elasticsearch.cluster.metadata.AliasOrIndex;
 import org.elasticsearch.cluster.metadata.IndexMetaData;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.settings.Settings;
@@ -118,6 +119,7 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Map;
+import java.util.SortedMap;
 
 import static org.hamcrest.Matchers.hasEntry;
 import static org.hamcrest.Matchers.is;
@@ -587,18 +589,20 @@ public void testSuperuserRole() {
                 .build();
 
         FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY);
+        SortedMap<String, AliasOrIndex> lookup = metaData.getAliasAndIndexLookup();
         Map<String, IndexAccessControl> authzMap =
-                superuserRole.indices().authorize(SearchAction.NAME, Sets.newHashSet("a1", "ba"), metaData, fieldPermissionsCache);
+                superuserRole.indices().authorize(SearchAction.NAME, Sets.newHashSet("a1", "ba"), lookup::get, fieldPermissionsCache);
         assertThat(authzMap.get("a1").isGranted(), is(true));
         assertThat(authzMap.get("b").isGranted(), is(true));
-        authzMap = superuserRole.indices().authorize(DeleteIndexAction.NAME, Sets.newHashSet("a1", "ba"), metaData, fieldPermissionsCache);
+        authzMap =
+            superuserRole.indices().authorize(DeleteIndexAction.NAME, Sets.newHashSet("a1", "ba"), lookup::get, fieldPermissionsCache);
         assertThat(authzMap.get("a1").isGranted(), is(true));
         assertThat(authzMap.get("b").isGranted(), is(true));
-        authzMap = superuserRole.indices().authorize(IndexAction.NAME, Sets.newHashSet("a2", "ba"), metaData, fieldPermissionsCache);
+        authzMap = superuserRole.indices().authorize(IndexAction.NAME, Sets.newHashSet("a2", "ba"), lookup::get, fieldPermissionsCache);
         assertThat(authzMap.get("a2").isGranted(), is(true));
         assertThat(authzMap.get("b").isGranted(), is(true));
         authzMap = superuserRole.indices()
-                .authorize(UpdateSettingsAction.NAME, Sets.newHashSet("aaaaaa", "ba"), metaData, fieldPermissionsCache);
+                .authorize(UpdateSettingsAction.NAME, Sets.newHashSet("aaaaaa", "ba"), lookup::get, fieldPermissionsCache);
         assertThat(authzMap.get("aaaaaa").isGranted(), is(true));
         assertThat(authzMap.get("b").isGranted(), is(true));
         assertTrue(superuserRole.indices().check(SearchAction.NAME));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java

@@ -28,14 +28,17 @@
 import org.elasticsearch.xpack.core.XPackField;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authz.permission.Role;
 import org.elasticsearch.xpack.core.security.authz.privilege.HealthAndStatsPrivilege;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.security.action.SecurityActionMapper;
 import org.elasticsearch.xpack.security.action.interceptor.RequestInterceptor;
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
+import org.elasticsearch.xpack.security.authz.AuthorizationEngine.AuthorizationInfo;
 import org.elasticsearch.xpack.security.authz.AuthorizationService;
 import org.elasticsearch.xpack.security.authz.AuthorizationUtils;
+import org.elasticsearch.xpack.security.authz.RBACEngine.RBACAuthorizationInfo;
 
 import java.io.IOException;
 import java.util.Set;
@@ -164,21 +167,24 @@ private <Request extends ActionRequest> void authorizeRequest(Authentication aut
         if (authentication == null) {
             listener.onFailure(new IllegalArgumentException("authentication must be non null for authorization"));
         } else {
-            final AuthorizationUtils.AsyncAuthorizer asyncAuthorizer = new AuthorizationUtils.AsyncAuthorizer(authentication, listener,
-                    (userRoles, runAsRoles) -> {
-                        authzService.authorize(authentication, securityAction, request, userRoles, runAsRoles);
-                        /*
-                         * We use a separate concept for code that needs to be run after authentication and authorization that could
-                         * affect the running of the action. This is done to make it more clear of the state of the request.
-                         */
-                        for (RequestInterceptor interceptor : requestInterceptors) {
-                            if (interceptor.supports(request)) {
-                                interceptor.intercept(request, authentication, runAsRoles != null ? runAsRoles : userRoles, securityAction);
-                            }
-                        }
-                        listener.onResponse(null);
-                    });
-            asyncAuthorizer.authorize(authzService);
+            authzService.authorize(authentication, securityAction, request, ActionListener.wrap(ignore -> {
+                /*
+                 * We use a separate concept for code that needs to be run after authentication and authorization that could
+                 * affect the running of the action. This is done to make it more clear of the state of the request.
+                 */
+                // FIXME this needs to be done in a way that allows us to operate without a role
+                Role role = null;
+                AuthorizationInfo authorizationInfo = threadContext.getTransient("_authz_info");
+                if (authorizationInfo instanceof RBACAuthorizationInfo) {
+                    role = ((RBACAuthorizationInfo) authorizationInfo).getRole();
+                }
+                for (RequestInterceptor interceptor : requestInterceptors) {
+                    if (interceptor.supports(request)) {
+                        interceptor.intercept(request, authentication, role, securityAction);
+                    }
+                }
+                listener.onResponse(null);
+            }, listener::onFailure));
         }
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/interceptor/IndicesAliasesRequestInterceptor.java

@@ -24,6 +24,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import static org.elasticsearch.xpack.security.authz.AuthorizationService.AUTHORIZATION_INFO_KEY;
+
 public final class IndicesAliasesRequestInterceptor implements RequestInterceptor<IndicesAliasesRequest> {
 
     private final ThreadContext threadContext;
@@ -72,7 +74,7 @@ public void intercept(IndicesAliasesRequest request, Authentication authenticati
                             if (Operations.subsetOf(aliasPermissions, indexPermissions) == false) {
                                 // TODO we've already audited a access granted event so this is going to look ugly
                                 auditTrailService.accessDenied(AuditUtil.extractRequestId(threadContext), authentication, action, request,
-                                    userPermissions.names());
+                                    threadContext.getTransient(AUTHORIZATION_INFO_KEY));
                                 throw Exceptions.authorizationError("Adding an alias is not allowed when the alias " +
                                     "has more permissions than any of the indices");
                             }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/interceptor/ResizeRequestInterceptor.java

@@ -22,6 +22,7 @@
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
 
 import static org.elasticsearch.xpack.security.audit.AuditUtil.extractRequestId;
+import static org.elasticsearch.xpack.security.authz.AuthorizationService.AUTHORIZATION_INFO_KEY;
 
 public final class ResizeRequestInterceptor implements RequestInterceptor<ResizeRequest> {
 
@@ -61,7 +62,8 @@ public void intercept(ResizeRequest request, Authentication authentication, Role
                 userPermissions.indices().allowedActionsMatcher(request.getTargetIndexRequest().index());
             if (Operations.subsetOf(targetIndexPermissions, sourceIndexPermissions) == false) {
                 // TODO we've already audited a access granted event so this is going to look ugly
-                auditTrailService.accessDenied(extractRequestId(threadContext), authentication, action, request, userPermissions.names());
+                auditTrailService.accessDenied(extractRequestId(threadContext), authentication, action, request,
+                    threadContext.getTransient(AUTHORIZATION_INFO_KEY));
                 throw Exceptions.authorizationError("Resizing an index is not allowed when the target index " +
                     "has more permissions than the source index");
             }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportGetUserPrivilegesAction.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportService;
@@ -21,6 +22,7 @@
 import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesResponse;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
 import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
@@ -29,7 +31,7 @@
 import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.Privilege;
 import org.elasticsearch.xpack.core.security.user.User;
-import org.elasticsearch.xpack.security.authz.AuthorizationService;
+import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
 
 import java.util.Arrays;
 import java.util.Collections;
@@ -46,14 +48,14 @@
 public class TransportGetUserPrivilegesAction extends HandledTransportAction<GetUserPrivilegesRequest, GetUserPrivilegesResponse> {
 
     private final ThreadPool threadPool;
-    private final AuthorizationService authorizationService;
+    private final CompositeRolesStore rolesStore;
 
     @Inject
     public TransportGetUserPrivilegesAction(ThreadPool threadPool, TransportService transportService,
-                                            ActionFilters actionFilters, AuthorizationService authorizationService) {
+                                            ActionFilters actionFilters, CompositeRolesStore rolesStore) {
         super(GetUserPrivilegesAction.NAME, transportService, actionFilters, GetUserPrivilegesRequest::new);
         this.threadPool = threadPool;
-        this.authorizationService = authorizationService;
+        this.rolesStore = rolesStore;
     }
 
     @Override
@@ -66,7 +68,8 @@ protected void doExecute(Task task, GetUserPrivilegesRequest request, ActionList
             return;
         }
 
-        authorizationService.roles(user, ActionListener.wrap(
+        // FIXME reuse field permissions cache!
+        rolesStore.getRoles(user, new FieldPermissionsCache(Settings.EMPTY), ActionListener.wrap(
             role -> listener.onResponse(buildResponseObject(role)),
             listener::onFailure));
     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportHasPrivilegesAction.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.action.support.HandledTransportAction;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportService;
@@ -21,6 +22,7 @@
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesResponse;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
@@ -30,7 +32,7 @@
 import org.elasticsearch.xpack.core.security.authz.privilege.Privilege;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 import org.elasticsearch.xpack.core.security.user.User;
-import org.elasticsearch.xpack.security.authz.AuthorizationService;
+import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
 import org.elasticsearch.xpack.security.authz.store.NativePrivilegeStore;
 
 import java.util.ArrayList;
@@ -51,16 +53,16 @@
 public class TransportHasPrivilegesAction extends HandledTransportAction<HasPrivilegesRequest, HasPrivilegesResponse> {
 
     private final ThreadPool threadPool;
-    private final AuthorizationService authorizationService;
+    private final CompositeRolesStore rolesStore;
     private final NativePrivilegeStore privilegeStore;
 
     @Inject
     public TransportHasPrivilegesAction(ThreadPool threadPool, TransportService transportService,
-                                        ActionFilters actionFilters, AuthorizationService authorizationService,
+                                        ActionFilters actionFilters, CompositeRolesStore rolesStore,
                                         NativePrivilegeStore privilegeStore) {
         super(HasPrivilegesAction.NAME, transportService, actionFilters, HasPrivilegesRequest::new);
         this.threadPool = threadPool;
-        this.authorizationService = authorizationService;
+        this.rolesStore = rolesStore;
         this.privilegeStore = privilegeStore;
     }
 
@@ -74,7 +76,8 @@ protected void doExecute(Task task, HasPrivilegesRequest request, ActionListener
             return;
         }
 
-        authorizationService.roles(user, ActionListener.wrap(
+        // FIXME
+        rolesStore.getRoles(user, new FieldPermissionsCache(Settings.EMPTY), ActionListener.wrap(
             role -> resolveApplicationPrivileges(request, ActionListener.wrap(
                 applicationPrivilegeLookup -> checkPrivileges(request, role, applicationPrivilegeLookup, listener),
                 listener::onFailure)),