[Backport 2.9] Reverse order of setUserInfoInThreadContext and addSec…
…urityRoles to resolve ConcurrentModificationException on bulk request (opensearch-project#3173)

Backport cd699bb from opensearch-project#3094.

Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
1 parent 07508a0 commit 6170fce
Showing 1 changed file with 3 additions and 4 deletions.
Expand Up @@ -38,7 +38,6 @@
import java.util.regex.Pattern;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.greenrobot.eventbus.Subscribe;
Expand Down Expand Up @@ -202,12 +201,12 @@ public boolean isInitialized() {
return configModel != null && configModel.getSecurityRoles() != null && dcm != null;
}

private void setUserInfoInThreadContext(User user, Set<String> mappedRoles) {
private void setUserInfoInThreadContext(User user) {
if (threadContext.getTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT) == null) {
StringJoiner joiner = new StringJoiner("|");
joiner.add(user.getName());
joiner.add(String.join(",", user.getRoles()));
joiner.add(String.join(",", Sets.union(user.getSecurityRoles(), mappedRoles)));
joiner.add(String.join(",", user.getSecurityRoles()));
String requestedTenant = user.getRequestedTenant();
if (!Strings.isNullOrEmpty(requestedTenant)) {
joiner.add(requestedTenant);
Expand Down Expand Up @@ -260,9 +259,9 @@ public PrivilegesEvaluatorResponse evaluate(
presponse.resolvedSecurityRoles.addAll(mappedRoles);
final SecurityRoles securityRoles = getSecurityRoles(mappedRoles);

setUserInfoInThreadContext(user, mappedRoles);
// Add the security roles for this user so that they can be used for DLS parameter substitution.
user.addSecurityRoles(mappedRoles);
setUserInfoInThreadContext(user);

final boolean isDebugEnabled = log.isDebugEnabled();
if (isDebugEnabled) {
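Review bot: In the `evaluate` hunk, `setUserInfoInThreadContext(user)` is only correct if `user.addSecurityRoles(mappedRoles)` has already run, because the helper no longer merges `mappedRoles` itself, yet the comment above that call mentions only DLS parameter substitution. I would add a second comment line there, `// Must precede setUserInfoInThreadContext(user), which reads user.getSecurityRoles() and no longer unions in mappedRoles.`, so a later reorder does not silently drop mapped roles from the user info placed in the thread context. The helper still iterates `user.getSecurityRoles()` directly inside `String.join`, and the type of that set is not visible here; if it is a plain non-concurrent set shared by the threads of one bulk request, it is worth confirming that a concurrent `addSecurityRoles` cannot overlap that iteration. The commit touches one file and adds no regression test for the bulk path. Both `evaluate` and `setUserInfoInThreadContext` continue outside the visible hunks.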
