Fixed READ_ACTIONS required by TermsAggregationEvaluator

[nibix]

The READ_ACTIONS array is passed by TermsAggregationEvaluator to securityRoles.getAllPermittedIndicesForDashboards() which checks whether privileges are available for all actions specified in READ_ACTIONS. READ_ACTIONS also contained the string "indices:data/read/field_caps*", which is actually wrong, because it is not an action but looks like pattern. However, the code behind securityRoles.getAllPermittedIndicesForDashboards() will never treat these strings as patterns. The "*" is only considered a normal, bare character. Patterns (via WildcardMatcher class) will be only applied to these strings.

This had the effect that a bare privilege "indices:data/read/field_caps" was not sufficient to fulfill the requirement. It was necessary to have either "indices:data/read/field_caps*" in ones roles.yml or something broader like "indices:data/read/*". The latter is the most likely case, which is the reason why in most cases this gets unnoticed.

Observed while working on #3870 and decoupled from #4380.

Description

[Describe what this change achieves]

• Category: Bug fix
• Why these changes are required? - The code created an impression that patterns were supported at the particular place, while they were actually not supported. For the changes introduced in Optimized Privilege Evaluation #4380, this also caused a performance penalty, as the specified string was not an actual action and needed to be specially treated.
• What is the old behavior before changes and new behavior after changes? - No significant changes. It will be sufficient to specify the privilege "indices:data/read/field_caps" instead of ""indices:data/read/field_caps*" to have field caps on indices properly working, but in practice this seems to be a rare case.

Issues Resolved

Contributes to #3870

Testing

Integration testing via existing tests

Check List

• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[DarshitChanpura]

Thanks @nibix for addressing this! is there a way this can be tested to ensure that * is a bare character here and would not expand?

[nibix]

@DarshitChanpura

Thanks @nibix for addressing this! is there a way this can be tested to ensure that * is a bare character here and would not expand?

This is quite easy to verify by a simple manual static code analysis. This is the call path:

security/src/main/java/org/opensearch/security/privileges/TermsAggregationEvaluator.java

Lines 89 to 95 in 26a4c0b

	final Set<String> allPermittedIndices = securityRoles.getAllPermittedIndicesForDashboards(
	resolved,
	user,
	READ_ACTIONS,
	resolver,
	clusterService
	);

security/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java

Line 391 in 26a4c0b

retVal.addAll(sr.getAllResolvedPermittedIndices(Resolved._LOCAL_ALL, user, actions, resolver, cs, Function.identity()));

security/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java

Line 564 in 26a4c0b

final boolean patternMatch = matcherModification.apply(p.getPerms()).matchAll(actions);

This shows that the actions parameter is never passed to a WildcardMatcher.create() method. However, it is only this method which gives you the possibility to interpret strings with patterns.

[cwperks]

@nibix wdyt about removing all hardcoding and pulling the static action name from core if possible (it may not be possible in all cases)?

Related issue: #4515

[nibix]

wdyt about removing all hardcoding and pulling the static action name from core if possible (it may not be possible in all cases)?

sure

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 65.25%. Comparing base (26a4c0b) to head (57bd4f3).
Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4582      +/-   ##
==========================================
- Coverage   65.28%   65.25%   -0.04%     
==========================================
  Files         317      317              
  Lines       22272    22272              
  Branches     3582     3582              
==========================================
- Hits        14541    14534       -7     
- Misses       5939     5946       +7     
  Partials     1792     1792              

Files	Coverage Δ
...security/privileges/TermsAggregationEvaluator.java	57.14% <ø> (ø)

... and 1 file with indirect coverage changes

[nibix]

@cwperks @DarshitChanpura is there anything still missing that blocks this?

[cwperks]

@cwperks @DarshitChanpura is there anything still missing that blocks this?

It needs one more approval. @DarshitChanpura @peternied @scrawfor99 @willyborankin @reta @RyanL1997 Can one of you take a look?