AllowAll for indicesAccessControl (#78498) #79338

Merged: elasticsearchmachine merged 1 commit into elastic:7.x from ywangd:superuser-fast-path-for-index-authorization-7.x on Oct 18, 2021
@ywangd commented Oct 18, 2021

This PR adds a fast path for computing indicesAccessControl if
the role has all access to all indices.

A role is considered to have all access to all indices if any of its
IndicesPermission#Group satisfies the following criteria:

  1. Any of the index patterns is a simple match-all wildcard, i.e. "*"
  2. It allows access to restricted indices
  3. It grants the "all" index privilege
  4. It has no DLS or FLS

An example of such a role is the builtin superuser role.

Note the fast path does not apply to roles that have "effective" but not
direct "all access of all indices". For example, if the "effective"
access is achieved by combining multiple Groups belonging to the role, or
combining multiple index patterns within a single Group. This fast path
is provided so that we have a reference baseline for authorization-related
performance, which is useful for both production use and
troubleshooting.

@ywangd added the backport and auto-merge-without-approval labels Oct 18, 2021
@ywangd removed the auto-merge-without-approval label Oct 18, 2021
@ywangd force-pushed the superuser-fast-path-for-index-authorization-7.x branch from 458b6e7 to 3fcdac1 on October 18, 2021 07:06
@ywangd added the auto-merge-without-approval label Oct 18, 2021
@elasticsearchmachine merged commit 3473ca9 into elastic:7.x Oct 18, 2021
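
The four criteria from the PR description, modelled as an audit over role definitions to show which roles hold direct (not merely effective) all access. This is an added example, not code from the pull request or from Elasticsearch: the function names and sample roles are constructed, each group dict follows the shape of one `indices` entry of a role definition, and treating a `field_security` that grants only `*` as "no FLS" is an assumption.

```python
# Added illustration: a model of the four fast-path criteria, not Elasticsearch code.

def group_is_direct_allow_all(group):
    """True only if this single group meets all four criteria on its own."""
    fls = group.get("field_security") or {}
    # Assumption: granting every field with no exceptions counts as "no FLS".
    has_fls = bool(fls) and not (fls.get("grant") == ["*"] and not fls.get("except"))
    has_dls = group.get("query") is not None
    return (
        "*" in group.get("names", [])                     # 1. a pattern is exactly "*"
        and group.get("allow_restricted_indices", False)  # 2. restricted indices allowed
        and "all" in group.get("privileges", [])          # 3. "all" index privilege
        and not has_dls and not has_fls                   # 4. no DLS or FLS
    )

def role_takes_fast_path(role):
    """One qualifying group is enough; groups are never combined."""
    return any(group_is_direct_allow_all(g) for g in role.get("indices", []))

def fast_path_roles(roles):
    """Names of roles with direct all access to all indices, sorted."""
    return sorted(name for name, role in roles.items() if role_takes_fast_path(role))

# Constructed sample roles (not taken from any real cluster).
SAMPLE_ROLES = {
    "direct_all": {"indices": [
        {"names": ["*"], "privileges": ["all"], "allow_restricted_indices": True}]},
    # "*" listed next to a narrower pattern still satisfies criterion 1.
    "wildcard_among_patterns": {"indices": [
        {"names": ["logs-*", "*"], "privileges": ["all"],
         "allow_restricted_indices": True}]},
    # Effective all access spread over two groups: not a direct match.
    "split_across_groups": {"indices": [
        {"names": ["*"], "privileges": ["all"], "allow_restricted_indices": False},
        {"names": [".*"], "privileges": ["all"], "allow_restricted_indices": True}]},
    # A DLS query disqualifies the group (criterion 4).
    "with_dls": {"indices": [
        {"names": ["*"], "privileges": ["all"], "allow_restricted_indices": True,
         "query": {"term": {"tenant": "a"}}}]},
    # Restricting visible fields is FLS and disqualifies the group.
    "with_fls": {"indices": [
        {"names": ["*"], "privileges": ["all"], "allow_restricted_indices": True,
         "field_security": {"grant": ["title"]}}]},
}

if __name__ == "__main__":
    print(fast_path_roles(SAMPLE_ROLES))
```
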
Labels: auto-merge-without-approval, backport, v7.16.0