Skip to content

Commit 5384cf3

Browse files
nibixnibix
authored
Optimized runtime behavior of index matching during StatefulIndexPrivileges construction (#5471)
Signed-off-by: Nils Bandener <[email protected]>
1 parent 3121d88 commit 5384cf3

File tree

2 files changed

+11
-8
lines changed

2 files changed

+11
-8
lines changed

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
1818
* Replaced the standard distribution of BouncyCastle with BC-FIPS ([#5439](https://github.com/opensearch-project/security/pull/5439))
1919
* Introduced setting `plugins.security.privileges_evaluation.precomputed_privileges.enabled` ([#5465](https://github.com/opensearch-project/security/pull/5465))
2020
* Optimized wildcard matching runtime performance ([#5470](https://github.com/opensearch-project/security/pull/5470))
21+
* Optimized performance for construction of internal action privileges data structure ([#5470](https://github.com/opensearch-project/security/pull/5470))
2122

2223
### Bug Fixes
2324

src/main/java/org/opensearch/security/privileges/actionlevel/RoleBasedActionPrivileges.java

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -696,28 +696,30 @@ static class StatefulIndexPrivileges extends RuntimeOptimizedActionPrivileges.St
696696
continue;
697697
}
698698

699+
List<IndexAbstraction> matchingIndices = indexMatcher.matching(indices.values(), IndexAbstraction::getName);
700+
if (matchingIndices.isEmpty()) {
701+
continue;
702+
}
703+
699704
for (String permission : permissions) {
700705
WildcardMatcher actionMatcher = WildcardMatcher.from(permission);
701706
Collection<String> matchedActions = actionMatcher.getMatchAny(
702707
WellKnownActions.INDEX_ACTIONS,
703708
Collectors.toList()
704709
);
705710

706-
for (Map.Entry<String, IndexAbstraction> indicesEntry : indexMatcher.iterateMatching(
707-
indices.entrySet(),
708-
Map.Entry::getKey
709-
)) {
711+
for (IndexAbstraction index : matchingIndices) {
710712
for (String action : matchedActions) {
711713
CompactMapGroupBuilder.MapBuilder<
712714
String,
713715
DeduplicatingCompactSubSetBuilder.SubSetBuilder<String>> indexToRoles = actionToIndexToRoles
714716
.computeIfAbsent(action, k -> indexMapBuilder.createMapBuilder());
715717

716-
indexToRoles.get(indicesEntry.getKey()).add(roleName);
718+
indexToRoles.get(index.getName()).add(roleName);
717719

718-
if (indicesEntry.getValue() instanceof IndexAbstraction.Alias) {
720+
if (index instanceof IndexAbstraction.Alias) {
719721
// For aliases we additionally add the sub-indices to the privilege map
720-
for (IndexMetadata subIndex : indicesEntry.getValue().getIndices()) {
722+
for (IndexMetadata subIndex : index.getIndices()) {
721723
String subIndexName = subIndex.getIndex().getName();
722724
// We need to check whether the subIndex is part of the global indices
723725
// metadata map because that map has been filtered by relevantOnly().
@@ -732,7 +734,7 @@ static class StatefulIndexPrivileges extends RuntimeOptimizedActionPrivileges.St
732734
log.debug(
733735
"Ignoring member index {} of alias {}. This is usually the case because the index is closed or a data stream backing index.",
734736
subIndexName,
735-
indicesEntry.getKey()
737+
index.getName()
736738
);
737739
}
738740
}

0 commit comments

Comments
 (0)