Mark 'users' as a secured file, and add a secured permission for LDAP role mappings (#108767)
Showing
7 changed files
with
154 additions
and
20 deletions.
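--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PrivilegedFileWatcher.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/PrivilegedFileWatcher.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security;
+
+import org.elasticsearch.watcher.FileWatcher;
+
+import java.io.IOException;
+import java.nio.file.DirectoryStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+import static java.security.AccessController.doPrivileged;
+
+/**
+ * Extension of {@code FileWatcher} that does privileged calls to IO.
+ * <p>
+ * This class exists so that the calls into the IO methods get here first in the security stackwalk,
+ * enabling us to use doPrivileged to ensure we have access. If we don't do this, the code location
+ * that is doing the accessing is not the one that is granted the SecuredFileAccessPermission,
+ * so the check in ESPolicy fails.
+ */
+public class PrivilegedFileWatcher extends FileWatcher {
+
+    public PrivilegedFileWatcher(Path path) {
+        super(path);
+    }
+
+    @Override
+    protected boolean fileExists(Path path) {
+        return doPrivileged((PrivilegedAction<Boolean>) () -> Files.exists(path));
+    }
+
+    @Override
+    protected BasicFileAttributes readAttributes(Path path) throws IOException {
+        try {
+            return doPrivileged(
+                (PrivilegedExceptionAction<BasicFileAttributes>) () -> Files.readAttributes(path, BasicFileAttributes.class)
+            );
+        } catch (PrivilegedActionException e) {
+            throw new IOException(e);
+        }
+    }
+
+    @Override
+    protected DirectoryStream<Path> listFiles(Path path) throws IOException {
+        try {
+            return doPrivileged((PrivilegedExceptionAction<DirectoryStream<Path>>) () -> Files.newDirectoryStream(path));
+        } catch (PrivilegedActionException e) {
+            throw new IOException(e);
+        }
+    }
+}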
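Review bot: The catch blocks in readAttributes and listFiles wrap the PrivilegedActionException in a new IOException, which discards the concrete exception type thrown inside the action (Files.readAttributes and Files.newDirectoryStream can raise NoSuchFileException, AccessDeniedException and the like) and prefixes its message with the PrivilegedActionException text; any code in FileWatcher that distinguishes those subtypes would now see only a generic IOException (FileWatcher's handling is not visible from this hunk). Since both actions declare only IOException, rethrowing the wrapped exception preserves the original contract: add `if (e.getException() instanceof IOException ioe) throw ioe;` ahead of the existing `throw new IOException(e);` in each of the two catch blocks. Separately, each doPrivileged call asserts the plugin's own permissions for whatever path is handed in, so a sentence in the class Javadoc stating that instances must only be created for the configured secured files, never for caller-controlled paths, would document the trust boundary that the SecuredFileAccessPermission check relies on.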
6 changes: 6 additions & 0 deletions
6
x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy