List of usage examples for the org.apache.lucene.search.join.ToChildBlockJoinQuery constructor
public ToChildBlockJoinQuery(Query parentQuery, BitSetProducer parentsFilter)
From source file:org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.java
License:Open Source License
/**
 * Wraps a shard's {@link DirectoryReader} so that the role-based document and
 * field restrictions resolved for the current request are applied to it.
 *
 * <p>The reader is returned unchanged (no filtering at all) in two cases: when
 * the license state reports that security, or document- and field-level
 * security, is not available, and when no permissions object exists for the
 * shard's index. Otherwise the role queries, if any, are combined into one
 * disjunctive filter that is handed to {@code DocumentSubsetReader.wrap}, and
 * the result is passed through {@code getFieldPermissions().filter(reader)}.
 *
 * @param reader the reader of the shard being searched
 * @return the original reader, or a reader wrapped with the document and field filters
 * @throws IllegalStateException if no shard id can be extracted from {@code reader}
 */
@Override
protected DirectoryReader wrap(DirectoryReader reader) {
    // Pass-through when the license does not permit document/field level security.
    if (licenseState.isSecurityEnabled() == false
            || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
        return reader;
    }
    try {
        final IndicesAccessControl indicesAccessControl = getIndicesAccessControl();
        ShardId shardId = ShardUtils.extractShardId(reader);
        // Without a shard id the index cannot be identified, so no permissions can be
        // looked up; failing here avoids handing back a reader with unknown restrictions.
        if (shardId == null) {
            throw new IllegalStateException(
                    LoggerMessageFormat.format("couldn't extract shardId from reader [{}]", reader));
        }
        IndicesAccessControl.IndexAccessControl permissions = indicesAccessControl
                .getIndexPermissions(shardId.getIndexName());
        // No permissions have been defined for an index, so don't intercept the index reader for access control
        // NOTE(review): this branch returns the reader unfiltered; presumably index-level
        // authorization has already been decided before this wrapper runs - confirm.
        if (permissions == null) {
            return reader;
        }
        if (permissions.getQueries() != null) {
            // Document level security: every role query becomes a SHOULD clause, so a
            // document is visible when at least one role query grants access to it.
            // NOTE(review): a non-null but empty query collection would leave this builder
            // without clauses - confirm that case cannot occur or that the result is intended.
            BooleanQuery.Builder filter = new BooleanQuery.Builder();
            for (BytesReference bytesReference : permissions.getQueries()) {
                QueryShardContext queryShardContext = queryShardContextProvider.apply(shardId);
                // The stored role query is run through evaluateTemplate before it is parsed.
                // NOTE(review): presumably this substitutes per-user values into the query
                // source; verify how those values are escaped in evaluateTemplate.
                String templateResult = evaluateTemplate(bytesReference.utf8ToString());
                try (XContentParser parser = XContentFactory.xContent(templateResult).createParser(
                        queryShardContext.getXContentRegistry(), LoggingDeprecationHandler.INSTANCE,
                        templateResult)) {
                    QueryBuilder queryBuilder = queryShardContext.parseInnerQueryBuilder(parser);
                    // Both checks run on the parsed builder before it is turned into a Lucene
                    // query; their rules are defined outside this method (presumably they
                    // reject query types that are not allowed in a role query - confirm).
                    verifyRoleQuery(queryBuilder);
                    failIfQueryUsesClient(queryBuilder, queryShardContext);
                    Query roleQuery = queryShardContext.toFilter(queryBuilder).query();
                    // The role query is added as parsed; the reassignment further down only
                    // changes the parent query used for the block join, not this clause.
                    filter.add(roleQuery, SHOULD);
                    if (queryShardContext.getMapperService().hasNested()) {
                        NestedHelper nestedHelper = new NestedHelper(queryShardContext.getMapperService());
                        // Restrict the join's parent query to root (non-nested) documents when
                        // the role query could also match nested ones.
                        if (nestedHelper.mightMatchNestedDocs(roleQuery)) {
                            roleQuery = new BooleanQuery.Builder().add(roleQuery, FILTER)
                                    .add(Queries.newNonNestedFilter(queryShardContext.indexVersionCreated()), FILTER)
                                    .build();
                        }
                        // If access is allowed on root doc then also access is allowed on all nested docs of that root document:
                        BitSetProducer rootDocs = queryShardContext.bitsetFilter(
                                Queries.newNonNestedFilter(queryShardContext.indexVersionCreated()));
                        ToChildBlockJoinQuery includeNestedDocs = new ToChildBlockJoinQuery(roleQuery, rootDocs);
                        filter.add(includeNestedDocs, SHOULD);
                    }
                }
            }
            // at least one of the queries should match
            filter.setMinimumNumberShouldMatch(1);
            // ConstantScoreQuery: the combined filter is used for matching only, not scoring.
            reader = DocumentSubsetReader.wrap(reader, bitsetFilterCache,
                    new ConstantScoreQuery(filter.build()));
        }
        // Field permissions are applied on top of the (possibly document-filtered) reader.
        return permissions.getFieldPermissions().filter(reader);
    } catch (IOException e) {
        // NOTE(review): the log line omits the exception and mentions only field level
        // security although this try block also builds the document filter; the cause
        // itself is not lost because it is passed to convertToElastic and rethrown.
        logger.error("Unable to apply field level security");
        throw ExceptionsHelper.convertToElastic(e);
    }
}