diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
index 3423c96fd9..bd5def09c9 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
@@ -455,8 +455,27 @@ public boolean hasExplicitIndexPermission(
 IndexNameExpressionResolver resolver,
 ClusterService cs
 ) {
- // TODO: Handle this scenario in V6 config
- return false;
+ final Set indicesForRequest = new HashSet<>(resolved.getAllIndicesResolved(cs, resolver));
+ if (indicesForRequest.isEmpty()) {
+ // If no indices could be found on the request there is no way to check for the explicit permissions
+ return false;
+ }
+
+ final Set explicitlyAllowedIndices = roles.stream()
+ .map(role -> role.getAllResolvedPermittedIndices(resolved, user, actions, resolver, cs, true))
+ .flatMap(Collection::stream)
+ .collect(Collectors.toSet());
+
+ if (log.isDebugEnabled()) {
+ log.debug(
+ "ExplicitIndexPermission check indices for request {}, explicitly allowed indices {}",
+ indicesForRequest.toString(),
+ explicitlyAllowedIndices.toString()
+ );
+ }
+
+ indicesForRequest.removeAll(explicitlyAllowedIndices);
+ return indicesForRequest.isEmpty();
 }
 
 // opensearchDashboards special only, terms eval
@@ -469,7 +488,7 @@ public Set getAllPermittedIndicesForDashboards(
 ) {
 Set retVal = new HashSet<>();
 for (SecurityRole sr : roles) {
- retVal.addAll(sr.getAllResolvedPermittedIndices(Resolved._LOCAL_ALL, user, actions, resolver, cs));
+ retVal.addAll(sr.getAllResolvedPermittedIndices(Resolved._LOCAL_ALL, user, actions, resolver, cs, false));
 retVal.addAll(resolved.getRemoteIndices());
 }
 return Collections.unmodifiableSet(retVal);
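Review bot: The new body of hasExplicitIndexPermission carries no Javadoc saying what "explicit" means here, and the semantics are not obvious from the code: every index resolved from the request must appear in the union of indices permitted by some role when the catch-all type pattern is excluded (the `true` passed to getAllResolvedPermittedIndices), and an empty resolution is reported as not explicitly permitted, so the check fails closed in both the no-indices and the unresolved-wildcard cases. A Javadoc stating that contract, with `@return {@code true} only when every resolved request index is covered by a permission that does not rely on the catch-all type pattern`, would let callers rely on the fail-closed behaviour deliberately rather than by accident. The `isDebugEnabled()` guard and the two explicit `.toString()` arguments are redundant with `{}` placeholders, assuming `log` is a parameterized logger; `log.debug("ExplicitIndexPermission check indices for request {}, explicitly allowed indices {}", indicesForRequest, explicitlyAllowedIndices);` is enough. The method's signature starts before this hunk.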
@@ -479,7 +498,7 @@ public Set getAllPermittedIndicesForDashboards(
 public Set reduce(Resolved resolved, User user, String[] actions, IndexNameExpressionResolver resolver, ClusterService cs) {
 Set retVal = new HashSet<>();
 for (SecurityRole sr : roles) {
- retVal.addAll(sr.getAllResolvedPermittedIndices(resolved, user, actions, resolver, cs));
+ retVal.addAll(sr.getAllResolvedPermittedIndices(resolved, user, actions, resolver, cs, false));
 }
 if (log.isDebugEnabled()) {
 log.debug("Reduced requested resolved indices {} to permitted indices {}.", resolved, retVal.toString());
@@ -547,7 +566,8 @@ private Set getAllResolvedPermittedIndices(
 User user,
 String[] actions,
 IndexNameExpressionResolver resolver,
- ClusterService cs
+ ClusterService cs,
+ boolean matchExplicitly
 ) {
 
 final Set retVal = new HashSet<>();
@@ -556,7 +576,9 @@ private Set getAllResolvedPermittedIndices(
 boolean patternMatch = false;
 final Set tperms = p.getTypePerms();
 for (TypePerm tp : tperms) {
- if (tp.typeMatcher.matchAny(resolved.getTypes())) {
+ // if matchExplicitly is true we don't want to match against `*` pattern
+ WildcardMatcher matcher = matchExplicitly && (tp.getTypeMatcher() == WildcardMatcher.ANY) ? WildcardMatcher.NONE : tp.getTypeMatcher();
+ if (matcher.matchAny(resolved.getTypes())) {
 patternMatch = tp.getPerms().matchAll(actions);
 }
 }
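Review bot: The new `boolean matchExplicitly` parameter on getAllResolvedPermittedIndices is undocumented, and every call site in this patch passes a bare `true` or `false` (hasExplicitIndexPermission, getAllPermittedIndicesForDashboards, reduce), so a reader must find this signature to learn what the literal means. A Javadoc line such as `@param matchExplicitly when {@code true}, a catch-all {@code *} type pattern is treated as matching nothing, so only permissions that name their types contribute to the result` would make the contract visible at the declaration. If the flag is to stay, two named entry points or a small enum would read better than a boolean at the call sites. The method body continues in the following hunk and beyond.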
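Review bot: The explicit-match exclusion on the new `WildcardMatcher matcher` line recognises only the `WildcardMatcher.ANY` instance, compared by reference, so any configured type pattern that is not normalised to that exact instance will still count as an explicit grant; whether every `*` spelling reaches this code as that singleton is not visible here and is worth confirming with a test that feeds a literal `*` type pattern through hasExplicitIndexPermission. The exclusion also touches the type matcher only; if the index-pattern matching earlier in getAllResolvedPermittedIndices (outside this hunk) has no equivalent guard, a role whose index pattern is `*` would still satisfy the explicit check, which looks at odds with the method name, so that should be confirmed as intended or documented. Extracting the ternary into a private helper, e.g. `typeMatcherFor(tp, matchExplicitly)`, with the existing "we don't want to match against `*` pattern" comment as its Javadoc would keep the loop body readable. The enclosing loop and method start before this hunk.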