Refactor the cluster permission filter of service accounts

Signed-off-by: Ryan Liang <jiallian@amazon.com>
RyanL1997 · Oct 26, 2023 · 04c96d5 · 04c96d5
1 parent 12c60fe
commit 04c96d5
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -353,13 +353,14 @@ public PrivilegesEvaluatorResponse evaluate(
             namedXContentRegistry
         );
 
-        if (isClusterPerm(action0) && isServiceAccount(user)) {
-            presponse.allowed = false;
-            log.info("{} is a service account which as no access to cluster level permission of {}.", user, action0);
-            return presponse;
-        }
-
         if (isClusterPerm(action0)) {
+            if (isServiceAccount(user)) {
+                presponse.missingPrivileges.add(action0);
+                presponse.allowed = false;
+                log.info("{} is a service account which as no access to cluster level permission of {}.", user, action0);
+                return presponse;
+            }
+
             if (!securityRoles.impliesClusterPermissionPermission(action0)) {
                 presponse.missingPrivileges.add(action0);
                 presponse.allowed = false;