mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-08 05:58:44 +00:00
18a2cf23d4
This PR changes how we use roles and how we look at the roles of a user. Previously we looked up each role individually, parsed each into their own `Role` object, and had a wrapper that essentially served as an iterator over the roles. The same pattern was also followed for the permissions that composed a role (ClusterPermission, IndicesPermission, and RunAsPermission). This resulted in a lot of code that was hard to follow and could be inefficient.

Now, we look up the roles for a user in bulk and only get the RoleDescriptor for each role. Once all role descriptors have been retrieved, we build a single Role that represents the user's permissions and we also cache this combination for better performance as authorization can happen many times for a single top level request as we authorize the top level request and any sub requests, which could be a large number in the case of shard requests.

This change also enabled a large cleanup of our permission and privilege classes, which should reduce the footprint of what needs to be followed. Some of the notable changes are:

* Consolidation of GeneralPrivilege and AbstractAutomatonPrivilege into the Privilege class
* The DefaultRole class has been removed and the permissions it provided were moved into the AuthorizationService
* The GlobalPermission class was removed as there is a single role that represents a user's permissions
* The Global inner classes for the various permissions were removed
* The Core inner class was removed and ClusterPermission, IndexPermission, RunAsPermission became final classes instead of interfaces
* The Permission interface has been removed. The isEmpty() method defined by this interface is not needed as we can simply evaluate the permission to get the same effect
* The ClusterPermission#check method only takes the action name again
* The AutomatonPredicate class was removed and replaced by Automatons#predicate
* IndicesAccessControl objects no longer need to be merged when evaluating permissions
* MergedFieldPermissions has been removed
* The Name class that was used to hold an array of strings has been removed and replaced with the use of a Set
* Privilege resolution is more efficient by only combining automata once

Other items:

* NativeRolesStore no longer does caching, so the RoleAndVersion class could be removed
* FileRolesStore doesn't need to be an AbstractLifecycleComponent

Relates elastic/elasticsearch#4327

Original commit: elastic/x-pack-elasticsearch@c1901bc82e
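
The pattern the commit message describes (resolve all of a user's roles together, build one combined role, cache it per role set) is sketched below as an added example; it is not code from this commit or from the project. Every type and method name is hypothetical, `java.util.regex` stands in for the automata the message mentions, and the `invalidate` hook is an assumption the message does not describe.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;
import java.util.regex.Pattern;

// Added illustration: every type and method name here is hypothetical.
public class CombinedRoleExample {
    // Stand-in for a role descriptor: a name plus cluster action patterns ('*' is a wildcard).
    record Descriptor(String name, Set<String> clusterPatterns) {}
    // The single role for a user: one predicate built once from all descriptors.
    record CombinedRole(Set<String> names, Predicate<String> cluster) {
        boolean checkCluster(String action) { return cluster.test(action); }
    }

    private final Map<String, Descriptor> store; // stand-in for the roles stores
    private final Map<Set<String>, CombinedRole> cache = new ConcurrentHashMap<>();
    CombinedRoleExample(Map<String, Descriptor> store) { this.store = store; }

    CombinedRole roleFor(Set<String> roleNames) {
        // Set.copyOf is immutable and order-independent, so equal role sets share one entry.
        return cache.computeIfAbsent(Set.copyOf(roleNames), this::build);
    }

    private CombinedRole build(Set<String> names) {
        StringJoiner alternation = new StringJoiner("|");
        for (String name : names) {
            Descriptor d = store.get(name);
            if (d == null) continue; // an unknown role grants nothing
            for (String p : d.clusterPatterns())
                alternation.add(Pattern.quote(p).replace("*", "\\E.*\\Q"));
        }
        if (alternation.length() == 0) return new CombinedRole(names, action -> false);
        Pattern combined = Pattern.compile(alternation.toString()); // compiled once per role set
        return new CombinedRole(names, action -> combined.matcher(action).matches());
    }
    // Assumption (not described on the page): drop cached combinations when a role changes.
    void invalidate(String roleName) { cache.keySet().removeIf(k -> k.contains(roleName)); }

    public static void main(String[] args) {
        // Constructed sample roles.
        CombinedRoleExample svc = new CombinedRoleExample(Map.of(
            "monitor", new Descriptor("monitor", Set.of("cluster:monitor/*")),
            "snap", new Descriptor("snap", Set.of("cluster:admin/snapshot/*"))));
        CombinedRole role = svc.roleFor(Set.of("monitor", "snap", "missing"));
        System.out.println(role.checkCluster("cluster:monitor/health"));
        System.out.println(role.checkCluster("cluster:admin/settings/update"));
        System.out.println(role == svc.roleFor(Set.of("snap", "missing", "monitor")));
    }
}
```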