Has Privileges API
Has Privileges Request
The HasPrivilegesRequest supports checking for any or all of the following privilege types:
- Cluster Privileges
- Index Privileges
- Application Privileges
Privilege types that you do not wish to check may be passed in as null, but at least one privilege must be specified.
HasPrivilegesRequest request = new HasPrivilegesRequest(
    Sets.newHashSet("monitor", "manage"),
    Sets.newHashSet(
        IndicesPrivileges.builder().indices("logstash-2018-10-05").privileges("read", "write")
            .allowRestrictedIndices(false).build(),
        IndicesPrivileges.builder().indices("logstash-2018-*").privileges("read")
            .allowRestrictedIndices(true).build()
    ),
    null
);
Synchronous execution
When executing a HasPrivilegesRequest in the following manner, the client waits for the HasPrivilegesResponse to be returned before continuing with code execution:
HasPrivilegesResponse response = client.security().hasPrivileges(request, RequestOptions.DEFAULT);
Synchronous calls may throw an IOException if the high-level REST client fails to parse the REST response, if the request times out, or in similar cases where no response comes back from the server.
In cases where the server returns a 4xx or 5xx error code, the high-level client tries to parse the response body error details instead and then throws a generic ElasticsearchException and adds the original ResponseException as a suppressed exception to it.
Asynchronous execution
Executing a HasPrivilegesRequest can also be done in an asynchronous fashion so that the client can return directly. Users need to specify how the response or potential failures will be handled by passing the request and a listener to the asynchronous has-privileges method:
The asynchronous method does not block and returns immediately. Once it is completed, the ActionListener is called back using the onResponse method if the execution completed successfully, or using the onFailure method if it failed. Failure scenarios and expected exceptions are the same as in the synchronous execution case.
A typical listener for has-privileges looks like:
Has Privileges Response
The returned HasPrivilegesResponse contains the following properties:
- username: The username (userid) of the current user (for whom the "has privileges" check was executed).
- hasAllRequested: true if the user has all of the privileges that were specified in the HasPrivilegesRequest. Otherwise false.
- clusterPrivileges: A Map<String,Boolean> where each key is the name of one of the cluster privileges specified in the request, and the value is true if the user has that privilege, and false otherwise. The method hasClusterPrivilege can be used to retrieve this information in a more fluent manner. This method throws an IllegalArgumentException if the privilege was not included in the response (which will be the case if the privilege was not part of the request).
- indexPrivileges: A Map<String, Map<String, Boolean>> where each key is the name of an index (as specified in the HasPrivilegesRequest) and the value is a Map from privilege name to a Boolean. The Boolean value is true if the user has that privilege on that index, and false otherwise. The method hasIndexPrivilege can be used to retrieve this information in a more fluent manner. This method throws an IllegalArgumentException if the privilege was not included in the response (which will be the case if the privilege was not part of the request).
- applicationPrivileges: A Map<String, Map<String, Map<String, Boolean>>> where each key is the name of an application (as specified in the HasPrivilegesRequest). For each application, the value is a Map keyed by resource name, with each value being another Map from privilege name to a Boolean. The Boolean value is true if the user has that privilege on that resource for that application, and false otherwise. The method hasApplicationPrivilege can be used to retrieve this information in a more fluent manner. This method throws an IllegalArgumentException if the privilege was not included in the response (which will be the case if the privilege was not part of the request).
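The following is an added example, not code from the client documentation: an asynchronous has-privileges check that fails closed and reports which requested cluster and index privileges are missing. The class and method names (PrivilegeGate, missing, check) are hypothetical, the getters are assumed to be the standard accessors for the properties listed above, and application privileges are left out to keep it short.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

import org.elasticsearch.action.ActionListener;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.client.security.HasPrivilegesRequest;
import org.elasticsearch.client.security.HasPrivilegesResponse;

// Added example with hypothetical names; not part of the client library.
public final class PrivilegeGate {

    /** Lists every requested cluster or index privilege the current user lacks. */
    static List<String> missing(HasPrivilegesResponse response) {
        List<String> denied = new ArrayList<>();
        response.getClusterPrivileges().forEach((privilege, granted) -> {
            if (!granted) {
                denied.add("cluster:" + privilege);
            }
        });
        response.getIndexPrivileges().forEach((index, privileges) ->
            privileges.forEach((privilege, granted) -> {
                if (!granted) {
                    denied.add("index:" + index + ":" + privilege);
                }
            }));
        return denied;
    }

    /** Runs the check asynchronously; any failure is treated as "not authorized". */
    static void check(RestHighLevelClient client, HasPrivilegesRequest request,
                      Runnable onAllowed, Consumer<String> onDenied) {
        client.security().hasPrivilegesAsync(request, RequestOptions.DEFAULT,
            new ActionListener<HasPrivilegesResponse>() {
                @Override
                public void onResponse(HasPrivilegesResponse response) {
                    if (response.hasAllRequested()) {
                        onAllowed.run();
                    } else {
                        onDenied.accept(response.getUsername() + " lacks " + missing(response));
                    }
                }

                @Override
                public void onFailure(Exception e) {
                    // Fail closed: an error or missing response is not a grant.
                    onDenied.accept("privilege check failed: " + e.getMessage());
                }
            });
    }
}
```

Iterating the returned maps avoids the IllegalArgumentException that the fluent methods throw for a privilege that was not part of the request.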