Collaborator

@nibix nibix commented Dec 2, 2025

Description

This introduces all the necessary changes for the improved index resolution and revised index authorization described in #5814.

This has several advantages:

  • The old index authorization and index resolution system had many inconsistencies and oddities. These are fixed by the new approach.
  • The responsibility for index resolution is moved from the security plugin to the individual transport actions. This makes the whole authorization process much more robust and the code less messy and fragile.
  • As each transport action knows the indices it is operating on very well, it can do the resolution in a more efficient manner (often actually no resolution takes place at all, as all indices are already determined as constant values). This reduces the performance overhead induced by the security plugin.
  • The security plugin no longer needs to resolve data streams to their individual backing indices to check privileges; this brings further performance improvements.
  • Category: Enhancement
  • Why these changes are required?
    • Fundamental improvements for index authorization were due
  • What is the old behavior before changes and new behavior after changes?

Issues Resolved

#5814

Testing

  • extensive integration tests

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@nibix nibix force-pushed the improved-index-resolution-2 branch from 30aceb2 to be840d0 Compare December 2, 2025 07:37
codecov bot commented Dec 2, 2025

Codecov Report

❌ Patch coverage is 77.60512% with 245 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.69%. Comparing base (46e5937) to head (b47b6bc).
⚠️ Report is 11 commits behind head on main.

Files with missing lines Patch % Lines
...s/actionlevel/nextgen/PrivilegesEvaluatorImpl.java 69.77% 49 Missing and 32 partials ⚠️
...tgen/DashboardsMultitenancySystemIndexHandler.java 62.89% 38 Missing and 21 partials ⚠️
...eges/actionlevel/SubjectBasedActionPrivileges.java 64.70% 14 Missing and 4 partials ⚠️
.../actionlevel/RuntimeOptimizedActionPrivileges.java 87.50% 8 Missing and 7 partials ⚠️
...curity/privileges/PrivilegesEvaluatorResponse.java 64.10% 12 Missing and 2 partials ⚠️
...nsearch/security/privileges/DocumentAllowList.java 26.66% 10 Missing and 1 partial ⚠️
...vileges/actionlevel/RoleBasedActionPrivileges.java 85.93% 4 Missing and 5 partials ⚠️
...leges/actionlevel/nextgen/ActionConfiguration.java 86.20% 5 Missing and 3 partials ⚠️
...search/security/configuration/DlsFlsValveImpl.java 75.86% 4 Missing and 3 partials ⚠️
...earch/security/privileges/PrivilegesEvaluator.java 71.42% 4 Missing and 2 partials ⚠️
... and 10 more
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5827      +/-   ##
==========================================
+ Coverage   73.66%   73.69%   +0.03%     
==========================================
  Files         438      443       +5     
  Lines       26660    27504     +844     
  Branches     3939     4140     +201     
==========================================
+ Hits        19638    20270     +632     
- Misses       5148     5279     +131     
- Partials     1874     1955      +81     
Files with missing lines Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java 85.36% <100.00%> (-0.02%) ⬇️
...rity/configuration/SystemIndexSearcherWrapper.java 94.82% <100.00%> (ø)
...leges/ClusterStateMetadataDependentPrivileges.java 93.33% <100.00%> (ø)
...g/opensearch/security/privileges/IndexPattern.java 97.08% <100.00%> (+0.42%) ⬆️
...ch/security/privileges/IndicesRequestResolver.java 100.00% <100.00%> (ø)
...curity/privileges/PrivilegesEvaluationContext.java 97.29% <100.00%> (+4.98%) ⬆️
...ges/actionlevel/legacy/PitPrivilegesEvaluator.java 96.29% <100.00%> (ø)
...es/actionlevel/legacy/PrivilegesEvaluatorImpl.java 84.69% <100.00%> (ø)
...ionlevel/legacy/ProtectedIndexAccessEvaluator.java 75.55% <ø> (ø)
...s/actionlevel/legacy/SnapshotRestoreEvaluator.java 96.55% <ø> (ø)
... and 26 more

... and 7 files with indirect coverage changes

@nibix nibix force-pushed the improved-index-resolution-2 branch from be840d0 to c2d7b55 Compare December 2, 2025 09:24
@nibix nibix force-pushed the improved-index-resolution-2 branch from c2d7b55 to b47b6bc Compare December 2, 2025 09:39