Superuser fastpath for indexAccessControl

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java

@@ -29,7 +29,6 @@
  */
 public class IndicesAccessControl {
 
-    public static final IndicesAccessControl ALLOW_ALL = new IndicesAccessControl(true, Collections.emptyMap());
     public static final IndicesAccessControl ALLOW_NO_INDICES = new IndicesAccessControl(true,
             Collections.singletonMap(IndicesAndAliasesResolverField.NO_INDEX_PLACEHOLDER,
                     new IndicesAccessControl.IndexAccessControl(true, new FieldPermissions(), DocumentPermissions.allowAll())));
@@ -179,6 +178,12 @@ public int hashCode() {
      * @return {@link IndicesAccessControl}
      */
     public IndicesAccessControl limitIndicesAccessControl(IndicesAccessControl limitedByIndicesAccessControl) {
+        if (this instanceof AllowAllIndicesAccessControl) {
+            return limitedByIndicesAccessControl;
+        } else if (limitedByIndicesAccessControl instanceof AllowAllIndicesAccessControl) {
+            return this;
+        }
+
         final boolean granted;
         if (this.granted == limitedByIndicesAccessControl.granted) {
             granted = this.granted;
@@ -205,4 +210,38 @@ public String toString() {
                 ", indexPermissions=" + indexPermissions +
                 '}';
     }
+
+    public boolean isAllowAll() {
+        return this == AllowAllIndicesAccessControl.ALLOW_ALL_INDICES_ACCESS_CONTROL;
+    }
+
+    public static IndicesAccessControl allowAll() {
+        return AllowAllIndicesAccessControl.ALLOW_ALL_INDICES_ACCESS_CONTROL;
+    }
+
+    private static class AllowAllIndicesAccessControl extends IndicesAccessControl {
+
+        private static final IndicesAccessControl ALLOW_ALL_INDICES_ACCESS_CONTROL = new AllowAllIndicesAccessControl();
+        private static final IndexAccessControl ALLOW_ALL_INDEX_ACCESS_CONTROL = new IndexAccessControl(true, null, null);
+
+        private AllowAllIndicesAccessControl() {
+            super(true, null);
+        }
+
+        @Override
+        public IndexAccessControl getIndexPermissions(String index) {
+            return ALLOW_ALL_INDEX_ACCESS_CONTROL;
+        }
+
+        @Override
+        public boolean isGranted() {
+            return true;
+        }
+
+        @Override
+        public Collection<?> getDeniedIndices() {
+            return Set.of();
+        }
+    }
+
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -118,6 +118,10 @@ public Group[] groups() {
         return groups;
     }
 
+    public boolean isTotal() {
+        return Arrays.stream(groups).anyMatch(Group::isTotal);
+    }
+
     /**
      * @return A predicate that will match all the indices that this permission
      * has the privilege for executing the given action on.
@@ -340,7 +344,6 @@ public Map<String, IndicesAccessControl.IndexAccessControl> authorize(
         Map<String, IndexAbstraction> lookup,
         FieldPermissionsCache fieldPermissionsCache
     ) {
-
         final List<IndexResource> resources = new ArrayList<>(requestedIndicesOrAliases.size());
         int totalResourceCount = 0;
 
@@ -499,7 +502,7 @@ public static class Group {
         private final IndexPrivilege privilege;
         private final Predicate<String> actionMatcher;
         private final String[] indices;
-        private final Predicate<String> indexNameMatcher;
+        private final StringMatcher indexNameMatcher;
         private final Supplier<Automaton> indexNameAutomaton;
         private final FieldPermissions fieldPermissions;
         private final Set<BytesReference> query;
@@ -567,6 +570,14 @@ public boolean allowRestrictedIndices() {
         public Automaton getIndexMatcherAutomaton() {
             return indexNameAutomaton.get();
         }
+
+        public boolean isTotal() {
+            return allowRestrictedIndices
+                && indexNameMatcher.isTotal()
+                && privilege == IndexPrivilege.ALL
+                && query == null
+                && false == fieldPermissions.hasFieldLevelSecurity();
+        }
     }
 
     private static class DocumentLevelPermissions {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java

@@ -84,10 +84,14 @@ public IndicesAccessControl authorize(String action, Set<String> requestedIndice
             super.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache);
         IndicesAccessControl limitedByIndicesAccessControl = limitedBy.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup,
                 fieldPermissionsCache);
-
         return indicesAccessControl.limitIndicesAccessControl(limitedByIndicesAccessControl);
     }
 
+    @Override
+    public boolean allowAllIndices() {
+        return super.allowAllIndices() && limitedBy.allowAllIndices();
+    }
+
     /**
      * @return A predicate that will match all the indices that this role and the limited by role has the privilege for executing the given
      * action on.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -179,7 +179,7 @@ public ResourcePrivilegesMap checkApplicationResourcePrivileges(final String app
     public IndicesAccessControl authorize(String action, Set<String> requestedIndicesOrAliases,
                                           Map<String, IndexAbstraction> aliasAndIndexLookup,
                                           FieldPermissionsCache fieldPermissionsCache) {
-        Map<String, IndicesAccessControl.IndexAccessControl> indexPermissions = indices.authorize(
+        final Map<String, IndicesAccessControl.IndexAccessControl> indexPermissions = indices.authorize(
             action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache
         );
 
@@ -194,6 +194,10 @@ public IndicesAccessControl authorize(String action, Set<String> requestedIndice
         return new IndicesAccessControl(granted, indexPermissions);
     }
 
+    public boolean allowAllIndices() {
+        return indices.isTotal();
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java

@@ -69,6 +69,10 @@ public boolean test(String s) {
         return predicate.test(s);
     }
 
+    public boolean isTotal() {
+        return predicate == ALWAYS_TRUE_PREDICATE;
+    }
+
     // For testing
     Predicate<String> getPredicate() {
         return predicate;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java

@@ -336,7 +336,7 @@ private void authorizeAction(final RequestInfo requestInfo, final String request
         if (ClusterPrivilegeResolver.isClusterAction(action)) {
             final ActionListener<AuthorizationResult> clusterAuthzListener =
                 wrapPreservingContext(new AuthorizationResultListener<>(result -> {
-                        threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL);
+                        threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.allowAll());
                         listener.onResponse(null);
                     }, listener::onFailure, requestInfo, requestId, authzInfo), threadContext);
             authzEngine.authorizeClusterAction(requestInfo, authzInfo, ActionListener.wrap(result -> {
@@ -508,7 +508,7 @@ private void authorizeSystemUser(final Authentication authentication, final Stri
                                      final TransportRequest request, final ActionListener<Void> listener) {
         final AuditTrail auditTrail = auditTrailService.get();
         if (SystemUser.isAuthorized(action)) {
-            threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL);
+            threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.allowAll());
             threadContext.putTransient(AUTHORIZATION_INFO_KEY, SYSTEM_AUTHZ_INFO);
             auditTrail.accessGranted(requestId, authentication, action, request, SYSTEM_AUTHZ_INFO);
             listener.onResponse(null);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java

@@ -630,8 +630,13 @@ private IndexAuthorizationResult buildIndicesAccessControl(String action,
                                                                Set<String> indices,
                                                                Map<String, IndexAbstraction> aliasAndIndexLookup) {
         final Role role = ensureRBAC(authorizationInfo).getRole();
-        final IndicesAccessControl accessControl = role.authorize(action, indices, aliasAndIndexLookup, fieldPermissionsCache);
-        return new IndexAuthorizationResult(true, accessControl);
+        // Fast path if the role can access all indices, e.g. superuser
+        if (role.allowAllIndices()) {
+            return new IndexAuthorizationResult(true, IndicesAccessControl.allowAll());
+        } else {
+            final IndicesAccessControl accessControl = role.authorize(action, indices, aliasAndIndexLookup, fieldPermissionsCache);
+            return new IndexAuthorizationResult(true, accessControl);
+        }
     }
 
     private static RBACAuthorizationInfo ensureRBAC(AuthorizationInfo authorizationInfo) {