Has Privileges API

edit

Determines whether the logged in user has a specified list of privileges.

Has Privileges Request

edit

The HasPrivilegesRequest supports checking for any or all of the following privilege types:

  • Cluster Privileges
  • Index Privileges
  • Application Privileges

Privileges types that you do not wish to check my be passed in as null, but as least one privilege must be specified.

HasPrivilegesRequest request = new HasPrivilegesRequest(
    Sets.newHashSet("monitor", "manage"),
    Sets.newHashSet(
        IndicesPrivileges.builder().indices("logstash-2018-10-05").privileges("read", "write")
            .allowRestrictedIndices(false).build(),
        IndicesPrivileges.builder().indices("logstash-2018-*").privileges("read")
            .allowRestrictedIndices(true).build()
    ),
    null
);

Synchronous execution

edit

When executing a HasPrivilegesRequest in the following manner, the client waits for the HasPrivilegesResponse to be returned before continuing with code execution:

HasPrivilegesResponse response = client.security().hasPrivileges(request, RequestOptions.DEFAULT);

Synchronous calls may throw an IOException in case of either failing to parse the REST response in the high-level REST client, the request times out or similar cases where there is no response coming back from the server.

In cases where the server returns a 4xx or 5xx error code, the high-level client tries to parse the response body error details instead and then throws a generic ElasticsearchException and adds the original ResponseException as a suppressed exception to it.

Asynchronous execution

edit

Executing a HasPrivilegesRequest can also be done in an asynchronous fashion so that the client can return directly. Users need to specify how the response or potential failures will be handled by passing the request and a listener to the asynchronous has-privileges method:

client.security().hasPrivilegesAsync(request, RequestOptions.DEFAULT, listener); 

The HasPrivilegesRequest to execute and the ActionListener to use when the execution completes

The asynchronous method does not block and returns immediately. Once it is completed the ActionListener is called back using the onResponse method if the execution successfully completed or using the onFailure method if it failed. Failure scenarios and expected exceptions are the same as in the synchronous execution case.

A typical listener for has-privileges looks like:

ActionListener<HasPrivilegesResponse> listener = new ActionListener<HasPrivilegesResponse>() {
    @Override
    public void onResponse(HasPrivilegesResponse response) {
        
    }

    @Override
    public void onFailure(Exception e) {
        
    }
};

Called when the execution is successfully completed.

Called when the whole HasPrivilegesRequest fails.

Has Privileges Response

edit

The returned HasPrivilegesResponse contains the following properties

username
The username (userid) of the current user (for whom the "has privileges" check was executed)
hasAllRequested
true if the user has all of the privileges that were specified in the HasPrivilegesRequest. Otherwise false.
clusterPrivileges

A Map<String,Boolean> where each key is the name of one of the cluster privileges specified in the request, and the value is true if the user has that privilege, and false otherwise.

The method hasClusterPrivilege can be used to retrieve this information in a more fluent manner. This method throws an IllegalArgumentException if the privilege was not included in the response (which will be the case if the privilege was not part of the request).

indexPrivileges

A Map<String, Map<String, Boolean>> where each key is the name of an index (as specified in the HasPrivilegesRequest) and the value is a Map from privilege name to a Boolean. The Boolean value is true if the user has that privilege on that index, and false otherwise.

The method hasIndexPrivilege can be used to retrieve this information in a more fluent manner. This method throws an IllegalArgumentException if the privilege was not included in the response (which will be the case if the privilege was not part of the request).

applicationPrivileges

A Map<String, Map<String, Map<String, Boolean>>>> where each key is the name of an application (as specified in the HasPrivilegesRequest). For each application, the value is a Map keyed by resource name, with each value being another Map from privilege name to a Boolean. The Boolean value is true if the user has that privilege on that resource for that application, and false otherwise.

The method hasApplicationPrivilege can be used to retrieve this information in a more fluent manner. This method throws an IllegalArgumentException if the privilege was not included in the response (which will be the case if the privilege was not part of the request).

boolean hasMonitor = response.hasClusterPrivilege("monitor"); 
boolean hasWrite = response.hasIndexPrivilege("logstash-2018-10-05", "write"); 
boolean hasRead = response.hasIndexPrivilege("logstash-2018-*", "read"); 

hasMonitor will be true if the user has the "monitor" cluster privilege.

hasWrite will be true if the user has the "write" privilege on the "logstash-2018-10-05" index.

hasRead will be true if the user has the "read" privilege on all possible indices that would match the "logstash-2018-*" pattern.