Expand RoleV7 to include Resources

Signed-off-by: Stephen Crawford <[email protected]>
stephen-crawford · Aug 13, 2024 · b317a1a · b317a1a
1 parent 4cb7bc2
commit b317a1a
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -138,6 +138,7 @@ public class PrivilegesEvaluator {
     private final SnapshotRestoreEvaluator snapshotRestoreEvaluator;
     private final SystemIndexAccessEvaluator systemIndexAccessEvaluator;
     private final ProtectedIndexAccessEvaluator protectedIndexAccessEvaluator;
+    private final ResourceAccessEvaluator resourceAccessEvaluator;
     private final TermsAggregationEvaluator termsAggregationEvaluator;
     private final PitPrivilegesEvaluator pitPrivilegesEvaluator;
     private DynamicConfigModel dcm;
@@ -174,6 +175,7 @@ public PrivilegesEvaluator(
         snapshotRestoreEvaluator = new SnapshotRestoreEvaluator(settings, auditLog);
         systemIndexAccessEvaluator = new SystemIndexAccessEvaluator(settings, auditLog, irr);
         protectedIndexAccessEvaluator = new ProtectedIndexAccessEvaluator(settings, auditLog);
+        resourceAccessEvaluator = new ResourceAccessEvaluator();
         termsAggregationEvaluator = new TermsAggregationEvaluator();
         pitPrivilegesEvaluator = new PitPrivilegesEvaluator();
         this.namedXContentRegistry = namedXContentRegistry;
@@ -347,6 +349,10 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context)
             return presponse;
         }
 
+        if (resourceAccessEvaluator.evaluate(request, action0, securityRoles, user, clusterService).isComplete()) {
+            return presponse;
+        }
+
         // check access for point in time requests
         if (pitPrivilegesEvaluator.evaluate(request, clusterService, user, securityRoles, action0, resolver, presponse, irr).isComplete()) {
             return presponse;