Optimize getFieldFilter to only return a predicate when index has FLS restrictions for user

CHANGELOG.md

@@ -22,6 +22,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Resource Sharing] Keep track of resource_type on resource sharing document ([#5772](https://github.com/opensearch-project/security/pull/5772))
 - Add support for X509 v3 extensions (SAN) for authentication  ([#5701](https://github.com/opensearch-project/security/pull/5701))
 - [Resource Sharing] Requires default_owner for resource/migrate API ([#5789](https://github.com/opensearch-project/security/pull/5789))
+- Optimize getFieldFilter to only return a predicate when index has FLS restrictions for user ([#5777](https://github.com/opensearch-project/security/pull/5777))
+
 
 ### Bug Fixes
 - Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -2341,13 +2341,24 @@ public Collection<Class<? extends LifecycleComponent>> getGuiceServiceClasses()
     public Function<String, Predicate<String>> getFieldFilter() {
         return index -> {
             if (threadPool == null || dlsFlsValve == null) {
-                return field -> true;
+                return NOOP_FIELD_PREDICATE;
             }
 
             PrivilegesEvaluationContext ctx = this.dlsFlsBaseContext != null
                 ? this.dlsFlsBaseContext.getPrivilegesEvaluationContext()
                 : null;
 
+            boolean indexHasRestrictions = false;
+            try {
+                indexHasRestrictions = dlsFlsValve.indexHasFlsRestrictions(index, ctx);
+            } catch (PrivilegesEvaluationException e) {
+                log.error("Error while evaluating FLS restrictions for {}", index, e);
+            }
+
+            if (!indexHasRestrictions) {
+                return NOOP_FIELD_PREDICATE;
+            }
+
             return field -> {
                 try {
                     return dlsFlsValve.isFieldAllowed(index, field, ctx);

src/main/java/org/opensearch/security/configuration/DlsFlsRequestValve.java

@@ -51,6 +51,8 @@ public interface DlsFlsRequestValve {
 
     boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException;
 
+    boolean indexHasFlsRestrictions(String index, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException;
+
     public static class NoopDlsFlsRequestValve implements DlsFlsRequestValve {
 
         @Override
@@ -87,6 +89,11 @@ public boolean hasFieldMasking(String index) {
         public boolean isFieldAllowed(String index, String field, PrivilegesEvaluationContext ctx) {
             return true;
         }
+
+        @Override
+        public boolean indexHasFlsRestrictions(String index, PrivilegesEvaluationContext ctx) {
+            return false;
+        }
     }
 
 }

src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java

@@ -550,6 +550,15 @@ public boolean isFieldAllowed(String index, String field, PrivilegesEvaluationCo
         return config.getFieldPrivileges().getRestriction(ctx, index).isAllowedRecursive(field);
     }
 
+    @Override
+    public boolean indexHasFlsRestrictions(String index, PrivilegesEvaluationContext ctx) throws PrivilegesEvaluationException {
+        if (ctx == null) {
+            return false;
+        }
+        DlsFlsProcessedConfig config = this.dlsFlsProcessedConfig.get();
+        return !config.getFieldPrivileges().getRestriction(ctx, index).isUnrestricted();
+    }
+
     private static InternalAggregation aggregateBuckets(InternalAggregation aggregation) {
         if (aggregation instanceof StringTerms) {
             StringTerms stringTerms = (StringTerms) aggregation;