[Performance] Call AdminDns.isAdmin once per request (#5752)

cwperks · web-flow · commit 4f3906c962cd · 2025-10-30T10:03:44.000-04:00
Signed-off-by: Craig Perkins &lt;cwperx@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Use RestRequestFilter.getFilteredRequest to declare sensitive API params ([#5710](https://github.com/opensearch-project/security/pull/5710))
 - Fix deprecated SSL transport settings in demo certificates ([#5723](https://github.com/opensearch-project/security/pull/5723))
 - Updates DlsFlsValveImpl condition to return true if request is internal and not a protected resource request ([#5721](https://github.com/opensearch-project/security/pull/5721))
+- [Performance] Call AdminDns.isAdmin once per request ([#5752](https://github.com/opensearch-project/security/pull/5752))
 
 ### Refactoring
 - [Resource Sharing] Make migrate api require default access level to be supplied and updates documentations + tests ([#5717](https://github.com/opensearch-project/security/pull/5717))
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -165,6 +165,7 @@
 import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.identity.SecurePluginSubject;
 import org.opensearch.security.identity.SecurityTokenManager;
+import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluationException;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.privileges.PrivilegesInterceptor;
@@ -2329,9 +2330,13 @@ public Function<String, Predicate<String>> getFieldFilter() {
                 return field -> true;
             }
 
+            PrivilegesEvaluationContext ctx = this.dlsFlsBaseContext != null
+                ? this.dlsFlsBaseContext.getPrivilegesEvaluationContext()
+                : null;
+
             return field -> {
                 try {
-                    return dlsFlsValve.isFieldAllowed(index, field);
+                    return dlsFlsValve.isFieldAllowed(index, field, ctx);
                 } catch (PrivilegesEvaluationException e) {
                     log.error("Error while evaluating FLS for {}.{}", index, field, e);
                     return false;
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsRequestValve.java b/src/main/java/org/opensearch/security/configuration/DlsFlsRequestValve.java
@@ -49,7 +49,7 @@ public interface DlsFlsRequestValve {
 
     boolean hasFieldMasking(String index) throws PrivilegesEvaluationException;
 
-    boolean isFieldAllowed(String index, String field) throws PrivilegesEvaluationException;
+    boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException;
 
     public static class NoopDlsFlsRequestValve implements DlsFlsRequestValve {
 
@@ -84,7 +84,7 @@ public boolean hasFieldMasking(String index) {
         }
 
         @Override
-        public boolean isFieldAllowed(String index, String field) {
+        public boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) {
             return true;
         }
     }
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
@@ -529,14 +529,13 @@ public boolean hasFieldMasking(String index) throws PrivilegesEvaluationExceptio
     }
 
     @Override
-    public boolean isFieldAllowed(String index, String field) throws PrivilegesEvaluationException {
-        PrivilegesEvaluationContext privilegesEvaluationContext = this.dlsFlsBaseContext.getPrivilegesEvaluationContext();
-        if (privilegesEvaluationContext == null) {
+    public boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException {
+        if (ctx == null) {
             return true;
         }
 
         DlsFlsProcessedConfig config = this.dlsFlsProcessedConfig.get();
-        return config.getFieldPrivileges().getRestriction(privilegesEvaluationContext, index).isAllowedRecursive(field);
+        return config.getFieldPrivileges().getRestriction(ctx, index).isAllowedRecursive(field);
     }
 
     private static InternalAggregation aggregateBuckets(InternalAggregation aggregation) {
diff --git a/src/main/java/org/opensearch/security/privileges/dlsfls/DlsFlsBaseContext.java b/src/main/java/org/opensearch/security/privileges/dlsfls/DlsFlsBaseContext.java
@@ -37,13 +37,18 @@ public DlsFlsBaseContext(PrivilegesEvaluator privilegesEvaluator, ThreadContext
      * associated with a user. This indicates a system action. In these cases, no privilege evaluation should be performed.
      */
     public PrivilegesEvaluationContext getPrivilegesEvaluationContext() {
+        if (threadContext.getTransient("tmp_dls_fls_ctx") != null) {
+            return threadContext.getTransient("tmp_dls_fls_ctx");
+        }
         User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
 
         if (HeaderHelper.isInternalOrPluginRequest(threadContext) || adminDNs.isAdmin(user)) {
             return null;
         }
 
-        return this.privilegesEvaluator.createContext(user, null);
+        PrivilegesEvaluationContext ctx = this.privilegesEvaluator.createContext(user, null);
+        threadContext.putTransient("tmp_dls_fls_ctx", ctx);
+        return ctx;
     }
 
     public boolean isDlsDoneOnFilterLevel() {

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ public interface DlsFlsRequestValve {`
`49`	`49`
`50`	`50`	`boolean hasFieldMasking(String index) throws PrivilegesEvaluationException;`
`51`	`51`
`52`		`- boolean isFieldAllowed(String index, String field) throws PrivilegesEvaluationException;`
	`52`	`+ boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException;`
`53`	`53`
`54`	`54`	`public static class NoopDlsFlsRequestValve implements DlsFlsRequestValve {`
`55`	`55`
`@@ -84,7 +84,7 @@ public boolean hasFieldMasking(String index) {`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`@Override`
`87`		`- public boolean isFieldAllowed(String index, String field) {`
	`87`	`+ public boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) {`
`88`	`88`	`return true;`
`89`	`89`	`}`
`90`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -529,14 +529,13 @@ public boolean hasFieldMasking(String index) throws PrivilegesEvaluationExceptio`
`529`	`529`	`}`
`530`	`530`
`531`	`531`	`@Override`
`532`		`- public boolean isFieldAllowed(String index, String field) throws PrivilegesEvaluationException {`
`533`		`- PrivilegesEvaluationContext privilegesEvaluationContext = this.dlsFlsBaseContext.getPrivilegesEvaluationContext();`
`534`		`- if (privilegesEvaluationContext == null) {`
	`532`	`+ public boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException {`
	`533`	`+ if (ctx == null) {`
`535`	`534`	`return true;`
`536`	`535`	`}`
`537`	`536`
`538`	`537`	`DlsFlsProcessedConfig config = this.dlsFlsProcessedConfig.get();`
`539`		`- return config.getFieldPrivileges().getRestriction(privilegesEvaluationContext, index).isAllowedRecursive(field);`
	`538`	`+ return config.getFieldPrivileges().getRestriction(ctx, index).isAllowedRecursive(field);`
`540`	`539`	`}`
`541`	`540`
`542`	`541`	`private static InternalAggregation aggregateBuckets(InternalAggregation aggregation) {`