Lazily resolve project in authorization

We have optimizations to avoid doing unnecessary authorization work on
child actions, and resolving the project can be unnecssary work.

This moves project resolution to be lazy and cached so we only do it
once but only when actually necessary.

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java

@@ -75,7 +75,7 @@
  *         can actually impersonate the user running the request.</li>
  *     <li>{@link #authorizeClusterAction(RequestInfo, AuthorizationInfo, ActionListener)} if the
  *         request is a cluster level operation.</li>
- *     <li>{@link #authorizeIndexAction(RequestInfo, AuthorizationInfo, AsyncSupplier, ProjectMetadata, ActionListener)} if
+ *     <li>{@link #authorizeIndexAction(RequestInfo, AuthorizationInfo, AsyncSupplier, Supplier, ActionListener)} if
  *         the request is a an index action. This method may be called multiple times for a single
  *         request as the request may be made up of sub-requests that also need to be authorized. The async supplier
  *         for resolved indices will invoke the
@@ -85,7 +85,7 @@
  * <br><p>
  * <em>NOTE:</em> the {@link #loadAuthorizedIndices(RequestInfo, AuthorizationInfo, Map, ActionListener)}
  * method may be called prior to
- * {@link #authorizeIndexAction(RequestInfo, AuthorizationInfo, AsyncSupplier, ProjectMetadata, ActionListener)}
+ * {@link #authorizeIndexAction(RequestInfo, AuthorizationInfo, AsyncSupplier, Supplier, ActionListener)}
  * in cases where wildcards need to be expanded.
  * </p><br>
  * Authorization engines can be called from various threads including network threads that should
@@ -167,7 +167,7 @@ void authorizeIndexAction(
         RequestInfo requestInfo,
         AuthorizationInfo authorizationInfo,
         AsyncSupplier<ResolvedIndices> indicesAsyncSupplier,
-        ProjectMetadata metadata,
+        Supplier<ProjectMetadata> metadata,
         ActionListener<IndexAuthorizationResult> listener
     );
 

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/profile/ProfileCancellationIntegTests.java

@@ -58,6 +58,7 @@
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.Supplier;
 
 import static org.elasticsearch.test.SecuritySettingsSource.TEST_USER_NAME;
 import static org.elasticsearch.test.SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING;
@@ -410,7 +411,7 @@ public void authorizeIndexAction(
                     RequestInfo requestInfo,
                     AuthorizationInfo authorizationInfo,
                     AsyncSupplier<ResolvedIndices> indicesAsyncSupplier,
-                    ProjectMetadata metadata,
+                    Supplier<ProjectMetadata> metadata,
                     ActionListener<IndexAuthorizationResult> listener
                 ) {
                     listener.onResponse(IndexAuthorizationResult.ALLOW_NO_INDICES);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java

@@ -38,6 +38,7 @@
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.CachedSupplier;
 import org.elasticsearch.common.util.concurrent.ListenableFuture;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.core.Nullable;
@@ -480,8 +481,14 @@ private void authorizeAction(
                 l.onResponse(result);
             }));
         } else if (isIndexAction(action)) {
-            final ProjectMetadata projectMetadata = projectResolver.getProjectMetadata(clusterService.state());
-            assert projectMetadata != null;
+            // We use a supplier here to avoid resolving the project in cases where it's not going to be used
+            // The most common case is when a child action is authorized based on its parent, in that case we never need
+            // to lookup indices, so we never need the project metadata.
+            // But we do want to optimize by only looking up the project once for each action, so we use a cached supplier.
+            final Supplier<ProjectMetadata> projectMetadataSupplier = CachedSupplier.wrap(
+                () -> projectResolver.getProjectMetadata(clusterService.state())
+            );
+            assert projectMetadataSupplier != null;
             final AsyncSupplier<ResolvedIndices> resolvedIndicesAsyncSupplier = new CachingAsyncSupplier<>(resolvedIndicesListener -> {
                 if (request instanceof SearchRequest searchRequest && searchRequest.pointInTimeBuilder() != null) {
                     var resolvedIndices = indicesAndAliasesResolver.resolvePITIndices(searchRequest);
@@ -492,6 +499,7 @@ private void authorizeAction(
                 if (resolvedIndices != null) {
                     resolvedIndicesListener.onResponse(resolvedIndices);
                 } else {
+                    final ProjectMetadata projectMetadata = projectMetadataSupplier.get();
                     authzEngine.loadAuthorizedIndices(
                         requestInfo,
                         authzInfo,
@@ -516,7 +524,7 @@ private void authorizeAction(
                 requestInfo,
                 authzInfo,
                 resolvedIndicesAsyncSupplier,
-                projectMetadata,
+                projectMetadataSupplier,
                 wrapPreservingContext(
                     new AuthorizationResultListener<>(
                         result -> handleIndexActionAuthorizationResult(
@@ -526,7 +534,7 @@ private void authorizeAction(
                             authzInfo,
                             authzEngine,
                             resolvedIndicesAsyncSupplier,
-                            projectMetadata,
+                            projectMetadataSupplier,
                             listener
                         ),
                         listener::onFailure,
@@ -551,7 +559,7 @@ private void handleIndexActionAuthorizationResult(
         final AuthorizationInfo authzInfo,
         final AuthorizationEngine authzEngine,
         final AsyncSupplier<ResolvedIndices> resolvedIndicesAsyncSupplier,
-        final ProjectMetadata projectMetadata,
+        final Supplier<ProjectMetadata> projectMetadata,
         final ActionListener<Void> listener
     ) {
         final IndicesAccessControl indicesAccessControl = indicesAccessControlWrapper.wrap(result.getIndicesAccessControl());
@@ -763,7 +771,7 @@ private void authorizeBulkItems(
         AuthorizationContext bulkAuthzContext,
         AuthorizationEngine authzEngine,
         AsyncSupplier<ResolvedIndices> resolvedIndicesAsyncSupplier,
-        ProjectMetadata projectMetadata,
+        Supplier<ProjectMetadata> projectMetadata,
         String requestId,
         ActionListener<Void> listener
     ) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java

@@ -318,7 +318,7 @@ public void authorizeIndexAction(
         RequestInfo requestInfo,
         AuthorizationInfo authorizationInfo,
         AsyncSupplier<ResolvedIndices> indicesAsyncSupplier,
-        ProjectMetadata metadata,
+        Supplier<ProjectMetadata> projectMetadataSupplier,
         ActionListener<IndexAuthorizationResult> listener
     ) {
         final String action = requestInfo.getAction();
@@ -423,7 +423,12 @@ public void authorizeIndexAction(
                                 .allMatch(IndicesAliasesRequest.AliasActions::expandAliasesWildcards))
                         : "expanded wildcards for local indices OR the request should not expand wildcards at all";
 
-                    IndexAuthorizationResult result = buildIndicesAccessControl(action, role, resolvedIndices, metadata);
+                    IndexAuthorizationResult result = buildIndicesAccessControl(
+                        action,
+                        role,
+                        resolvedIndices,
+                        projectMetadataSupplier.get()
+                    );
                     if (requestInfo.getAuthentication().isCrossClusterAccess()
                         && request instanceof IndicesRequest.RemoteClusterShardRequest shardsRequest
                         && shardsRequest.shards() != null) {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java

@@ -3456,7 +3456,7 @@ public void authorizeIndexAction(
                 RequestInfo requestInfo,
                 AuthorizationInfo authorizationInfo,
                 AsyncSupplier<ResolvedIndices> indicesAsyncSupplier,
-                ProjectMetadata metadata,
+                Supplier<ProjectMetadata> metadata,
                 ActionListener<IndexAuthorizationResult> listener
             ) {
                 throw new UnsupportedOperationException("not implemented");

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java

@@ -1981,7 +1981,7 @@ private void authorizeIndicesAction(
                 )
             );
 
-        engine.authorizeIndexAction(requestInfo, authzInfo, indicesAsyncSupplier, metadata.build().getProject(), listener);
+        engine.authorizeIndexAction(requestInfo, authzInfo, indicesAsyncSupplier, metadata.build()::getProject, listener);
     }
 
     private static RequestInfo createRequestInfo(TransportRequest request, String action, ParentActionAuthorization parentAuthorization) {