Lazy compute and cache grantsAll per privilege (elastic#136684) (elastic#136696)

slobodanadamovic · web-flow · commit 1d3c26914cf6 · 2025-10-16T17:01:07.000+02:00
This change avoids calling expensive `Operations.isTotal` every 
time an application privilege is checked. This is done by caching 
the result per privilege. It avoids re-building privilege's automaton 
each time upstream `ApplicationPermission#grants` gets called.
diff --git a/docs/changelog/136684.yaml b/docs/changelog/136684.yaml
@@ -0,0 +1,5 @@
+pr: 136684
+summary: Lazy compute and cache `grantsAll` per privilege
+area: Authorization
+type: enhancement
+issues: []
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/ApplicationPermission.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/ApplicationPermission.java
@@ -197,7 +197,7 @@ private boolean matchesPrivilege(ApplicationPrivilege other) {
             if (this.application.test(other.getApplication()) == false) {
                 return false;
             }
-            if (Operations.isTotal(privilege.getAutomaton())) {
+            if (privilege.grantsAll()) {
                 return true;
             }
             return Operations.isEmpty(privilege.getAutomaton()) == false
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/Privilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/Privilege.java
@@ -7,6 +7,8 @@
 package org.elasticsearch.xpack.core.security.authz.privilege;
 
 import org.apache.lucene.util.automaton.Automaton;
+import org.apache.lucene.util.automaton.Operations;
+import org.elasticsearch.common.util.CachedSupplier;
 import org.elasticsearch.common.util.Maps;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 
@@ -18,6 +20,7 @@
 import java.util.SortedMap;
 import java.util.TreeMap;
 import java.util.function.Predicate;
+import java.util.function.Supplier;
 
 import static org.elasticsearch.xpack.core.security.support.Automatons.patterns;
 
@@ -29,6 +32,7 @@ public class Privilege {
     protected final Set<String> name;
     protected final Automaton automaton;
     protected final Predicate<String> predicate;
+    protected final Supplier<Boolean> grantsAll;
 
     public Privilege(String name, String... patterns) {
         this(Collections.singleton(name), patterns);
@@ -42,6 +46,7 @@ public Privilege(Set<String> name, Automaton automaton) {
         this.name = name;
         this.automaton = automaton;
         this.predicate = Automatons.predicate(automaton);
+        this.grantsAll = CachedSupplier.wrap(() -> Operations.isTotal(automaton));
     }
 
     public Set<String> name() {
@@ -80,6 +85,13 @@ public Automaton getAutomaton() {
         return automaton;
     }
 
+    /**
+     * Returns true if this privilege grants all names.
+     */
+    public boolean grantsAll() {
+        return grantsAll.get();
+    }
+
     /**
      * Sorts the map of privileges from least-privilege to most-privilege
      */

Original file line number	Diff line number	Diff line change
`@@ -197,7 +197,7 @@ private boolean matchesPrivilege(ApplicationPrivilege other) {`
`197`	`197`	`if (this.application.test(other.getApplication()) == false) {`
`198`	`198`	`return false;`
`199`	`199`	`}`
`200`		`- if (Operations.isTotal(privilege.getAutomaton())) {`
	`200`	`+ if (privilege.grantsAll()) {`
`201`	`201`	`return true;`
`202`	`202`	`}`
`203`	`203`	`return Operations.isEmpty(privilege.getAutomaton()) == false`