Introduce dfm_empty_overrides_all setting to enable role without dls/fls to override roles with dls/fls

[cliu123]

Signed-off-by: cliu123 lc12251109@gmail.com

Description

The default behavior of security plugin DLS and FLS follows the least privilege principle. When a user has more than 1 role, the role with the most restrictive permissions is honored.

With the new setting dfm_empty_overrides_all setting explicitly being set to true, security plugin enables role without dls/fls to override roles with dls/fls.

The setting dfm_empty_overrides_all is false by default.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) New feature

Issues Resolved

#1572

Testing

ITs

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #1735 (c4b65c1) into main (54a920b) will increase coverage by 0.06%.
The diff coverage is 79.41%.

@@             Coverage Diff              @@
##               main    #1735      +/-   ##
============================================
+ Coverage     60.42%   60.48%   +0.06%     
- Complexity     3197     3201       +4     
============================================
  Files           253      253              
  Lines         18093    18116      +23     
  Branches       3245     3251       +6     
============================================
+ Hits          10933    10958      +25     
  Misses         5579     5579              
+ Partials       1581     1579       -2     

Impacted Files	Coverage Δ
...pensearch/security/securityconf/ConfigModelV6.java	0.00% <ø> (ø)
...g/opensearch/security/support/ConfigConstants.java	94.44% <ø> (ø)
...pensearch/security/securityconf/ConfigModelV7.java	62.47% <77.41%> (+0.16%)	⬆️
.../opensearch/security/OpenSearchSecurityPlugin.java	79.66% <100.00%> (+0.04%)	⬆️
...earch/security/privileges/PrivilegesEvaluator.java	71.93% <100.00%> (+0.09%)	⬆️
...a/org/opensearch/security/tools/SecurityAdmin.java	37.74% <0.00%> (+0.24%)	⬆️
...security/configuration/DlsFlsFilterLeafReader.java	60.28% <0.00%> (+1.65%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 54a920b...c4b65c1. Read the comment docs.

[rursprung]

as usual: this is not meant as a thorough review, for that i'm not familiar enough with this code base (and security things should never be reviewed by people who aren't familiar with them, i.e. me 😄)

[rursprung]

why not move such descriptive comments up into a javadoc on the test method? then it's better visible that this is the description of the test method.
(same for the other tests below)

[cliu123]

Done. Java doc is actually barely used in this repo, especially in the tests. But this is a great idea!

[rursprung]

it seems that the newly pushed commit only changes the author (thanks!) but didn't address any of the other findings?

[peternied]

Thank you for removing the import changes and comments around the tests, much more readable!

Very close now, a few callouts remain.

[peternied]

@opensearch-project/security Could we get a second reviewer to take a look?