[2.x Backport] Optimized Privilege Evaluation #4898

Open
wants to merge 19 commits into
base: 2.x

@nibix nibix commented Nov 13, 2024

Description

This implements the optimized privilege evaluation as described in #3870 and backports the changes from #4380 to the 2.x branch.

Important: Before this can be released, the OpenSearch version in the LEGACY_HEADERS_UNNECESSARY_AS_OF property must be checked to be in sync with the actual release version. See review comment at #4898 (review)

This introduces de-normalized data structures that are optimized for the checks that need to be done during privilege evaluation. Additionally, certain objects (like DLS queries) are prepared ahead of time, as early as possible in order to minimize the overhead during actual privilege evaluation.

This is a big change set - in order to facilitate the review, I have split it into three major commits:

  • Optimized action privilege evaluation
  • Optimized DLS/FLS/FM privilege evaluation
  • Removal of unused code

The code is extensively commented - I hope that will help during review.

  • Category: Enhancement
  • Why these changes are required?

Performance tests indicate that the OpenSearch security layer adds a noticeable overhead to the indexing throughput of an OpenSearch cluster. The overhead may vary depending on the number of indices, the use of aliases, the number of roles and the size of the user object. The goal of these changes is to improve privilege evaluation performance and to make it less dependent on the number of indices, etc.

  • What is the old behavior before changes and new behavior after changes?

No significant behavioral changes in the "happy case", when privileges are present.

The undocumented config option config.dynamic.multi_rolespan_enabled is no longer evaluated. The code now behaves like it is always set to true - that is the former default. See #4495 for details.

Some slight changes are present in error cases:

  • More detailed error messages for missing privileges, showing an index/action matrix of missing privileges
  • Errors in the role configuration might be reported (as error log messages) earlier, directly after the configuration was applied
  • The DLS/FLS implementation now defaults to a "deny by default" implementation. This is not relevant for normal cases. This will be only relevant if index requests pass through privileges evaluator even though there are no roles which grant privileges to the requested indices. Note: This would only happen in case of a bug in the code. In the previous versions, the DLS/FLS implementation would grant full access to the indices. Now, the DLS/FLS implementation acts as a second barrier, denying access to the indices.

Issues Resolved

This is a backport from #4380

Testing

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
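
The denormalization described in this PR description, sketched as an added example (not the plugin's code; the class, record and method names are hypothetical, only `*` is handled as a wildcard, and Java 17 is assumed). Role rules are expanded once into an action -> index -> roles map, so a check is a hash lookup, and the cells without a grant form the index/action matrix mentioned for error messages.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration; class and method names are hypothetical, not the plugin's API.
public class DenormalizedPrivilegesSketch {
    // action -> concrete index -> roles that grant it; built once per configuration change
    private final Map<String, Map<String, Set<String>>> grants = new HashMap<>();

    record Rule(String role, String indexPattern, Set<String> actions) {}

    DenormalizedPrivilegesSketch(List<Rule> rules, Set<String> knownIndices) {
        for (Rule rule : rules) {
            // Only "*" is treated as a wildcard in this sketch.
            Pattern p = Pattern.compile(Pattern.quote(rule.indexPattern()).replace("*", "\\E.*\\Q"));
            for (String index : knownIndices) {
                if (!p.matcher(index).matches()) continue;
                for (String action : rule.actions()) {
                    grants.computeIfAbsent(action, a -> new HashMap<>())
                          .computeIfAbsent(index, i -> new HashSet<>())
                          .add(rule.role());
                }
            }
        }
    }

    /** Returns the "index/action" cells for which none of the user's roles holds a grant. */
    List<String> missing(Set<String> userRoles, Set<String> actions, Set<String> indices) {
        List<String> result = new ArrayList<>();
        for (String index : new TreeSet<>(indices)) {
            for (String action : new TreeSet<>(actions)) {
                Set<String> granting = grants.getOrDefault(action, Map.of()).getOrDefault(index, Set.of());
                if (Collections.disjoint(granting, userRoles)) result.add(index + "/" + action);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and request
        var sketch = new DenormalizedPrivilegesSketch(
            List.of(new Rule("logs_reader", "logs-*", Set.of("indices:data/read/search")),
                    new Rule("logs_writer", "logs-2024", Set.of("indices:data/write/index"))),
            Set.of("logs-2024", "logs-2025", "hr"));
        System.out.println(sketch.missing(Set.of("logs_reader"),
            Set.of("indices:data/read/search", "indices:data/write/index"),
            Set.of("logs-2024", "hr")));
    }
}
```

An empty list from `missing` means the request is allowed; any entry names the exact index and action to report.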

Signed-off-by: Nils Bandener <[email protected]>
…d_privileges.include_indices

See discussion in opensearch-project#4380 (comment)

Signed-off-by: Nils Bandener <[email protected]>
@nibix nibix mentioned this pull request Nov 13, 2024
@nibix nibix changed the title Optimized Privilege Evaluation [2.x Backport] Optimized Privilege Evaluation Nov 13, 2024
* Defines the first OpenSearch version which does not need the legacy headers
* TODO this needs to be adapted
*/
static final Version LEGACY_HEADERS_UNNECESSARY_AS_OF = Version.V_2_19_0;
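
Review bot: the Javadoc on LEGACY_HEADERS_UNNECESSARY_AS_OF still carries "TODO this needs to be adapted" while the constant is already set to Version.V_2_19_0, so the code does not say whether that value has been confirmed. Once the release version is settled, drop the TODO and state in the Javadoc that the value must equal the first release that ships this change, so the requirement does not live only in a review comment.
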
Collaborator Author

@nibix nibix Nov 13, 2024

Important: Before this PR is released, it must be made sure that the attribute LEGACY_HEADERS_UNNECESSARY_AS_OF refers to the OpenSearch version this functionality is released in. Otherwise, DLS/FLS won't properly work in mixed clusters with older versions.

This also needs to be forward-ported to main then.
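
The "deny by default" change for DLS/FLS from the PR description, as an added sketch that is not the plugin's code (Java 17 assumed). Names are hypothetical, index patterns are reduced to exact index names, a document is modelled as the set of DLS queries it satisfies, and roles that grant an index without a DLS query are left out of the model.

```java
import java.util.*;

// Added illustration; names are hypothetical and the matching rules are simplified.
public class DlsSecondBarrierSketch {
    enum Mode { LEGACY_ALLOW, DENY_BY_DEFAULT }

    /** Effective document filter: no filter at all, nothing visible, or an OR over role queries. */
    record Restriction(boolean unrestricted, List<String> anyOf) {
        static Restriction none() { return new Restriction(true, List.of()); }
        static Restriction denyAll() { return new Restriction(false, List.of()); }
        boolean canSee(Set<String> queriesMatchedByDoc) {
            return unrestricted || anyOf.stream().anyMatch(queriesMatchedByDoc::contains);
        }
    }

    // role -> index -> DLS query (constructed sample configuration)
    static final Map<String, Map<String, String>> ROLE_DLS = Map.of(
        "hr_emea", Map.of("employees", "region:emea"),
        "hr_apac", Map.of("employees", "region:apac"));

    static Restriction evaluate(Set<String> userRoles, String index, Mode mode) {
        List<String> queries = new ArrayList<>();
        for (String role : new TreeSet<>(userRoles)) {
            String q = ROLE_DLS.getOrDefault(role, Map.of()).get(index);
            if (q != null) queries.add(q);
        }
        if (!queries.isEmpty()) return new Restriction(false, queries);
        // No role covers the index. Action privilege evaluation should already have
        // rejected the request, so reaching this branch means a bug upstream.
        return mode == Mode.LEGACY_ALLOW ? Restriction.none() : Restriction.denyAll();
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("hr_emea");
        Set<String> doc = Set.of("region:apac"); // queries this constructed document satisfies
        // Role covers the index: the role's query decides visibility.
        System.out.println(evaluate(roles, "employees", Mode.DENY_BY_DEFAULT).canSee(doc));
        // No role covers "payroll": old fallthrough versus the new second barrier.
        System.out.println(evaluate(roles, "payroll", Mode.LEGACY_ALLOW).canSee(doc));
        System.out.println(evaluate(roles, "payroll", Mode.DENY_BY_DEFAULT).canSee(doc));
    }
}
```

Only the fallthrough branch differs between the two modes, which is why the change is invisible as long as action privilege evaluation works correctly.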

codecov bot commented Nov 13, 2024

Codecov Report

Attention: Patch coverage is 73.42760% with 545 lines in your changes missing coverage. Please review.

Project coverage is 66.71%. Comparing base (7efe29b) to head (3c88111).
Report is 3 commits behind head on 2.x.

Files with missing lines Patch % Lines
...ecurity/privileges/dlsfls/DlsFlsLegacyHeaders.java 1.42% 68 Missing and 1 partial ⚠️
...search/security/configuration/DlsFlsValveImpl.java 61.04% 42 Missing and 25 partials ⚠️
...privileges/dlsfls/AbstractRuleBasedPrivileges.java 82.77% 33 Missing and 18 partials ⚠️
...ensearch/security/privileges/ActionPrivileges.java 87.72% 30 Missing and 18 partials ⚠️
...security/configuration/DlsFlsFilterLeafReader.java 43.90% 42 Missing and 4 partials ⚠️
...earch/security/privileges/dlsfls/FieldMasking.java 72.56% 40 Missing and 5 partials ⚠️
...g/opensearch/security/privileges/IndexPattern.java 54.34% 38 Missing and 4 partials ⚠️
...earch/security/privileges/PrivilegesEvaluator.java 69.89% 17 Missing and 11 partials ⚠️
...ch/security/privileges/dlsfls/FieldPrivileges.java 81.34% 16 Missing and 9 partials ⚠️
...urity/privileges/dlsfls/FlsStoredFieldVisitor.java 37.83% 20 Missing and 3 partials ⚠️
... and 24 more
Additional details and impacted files

@@            Coverage Diff             @@
##              2.x    #4898      +/-   ##
==========================================
+ Coverage   63.87%   66.71%   +2.84%     
==========================================
  Files         330      342      +12     
  Lines       23136    23157      +21     
  Branches     3747     3659      -88     
==========================================
+ Hits        14777    15450     +673     
+ Misses       6527     5863     -664     
- Partials     1832     1844      +12     
Files with missing lines Coverage Δ
...ty/configuration/ConfigurationLoaderSecurity7.java 67.64% <100.00%> (+0.23%) ⬆️
...ecurity/configuration/ConfigurationRepository.java 74.42% <100.00%> (ø)
...urity/configuration/PrivilegesInterceptorImpl.java 59.77% <100.00%> (+2.45%) ⬆️
...va/org/opensearch/security/configuration/Salt.java 100.00% <ø> (ø)
...rity/configuration/SystemIndexSearcherWrapper.java 91.52% <100.00%> (+0.14%) ⬆️
...nsearch/security/dlic/rest/api/RolesApiAction.java 89.58% <100.00%> (-2.58%) ⬇️
...org/opensearch/security/filter/SecurityFilter.java 65.87% <100.00%> (-0.48%) ⬇️
...ch/security/privileges/PitPrivilegesEvaluator.java 96.15% <100.00%> (-0.15%) ⬇️
...urity/privileges/RestLayerPrivilegesEvaluator.java 93.75% <100.00%> (-0.37%) ⬇️
.../security/privileges/dlsfls/DlsFlsBaseContext.java 100.00% <100.00%> (ø)
... and 40 more

... and 4 files with indirect coverage changes
