Cluster state role mapper file settings service (elastic#107886)

This PR simplifies the ReservedRoleMappingAction implementation,
which is part of the FileSettingsService infrastructure, such that it stores
the role mappings it parses from the settings.json file into the
cluster state custom metadata that's used by the new ClusterStateRoleMapper.
The native role mappings (stored in the .security index) are left untouched
by the ReservedRoleMappingAction.

docs/changelog/107886.yaml

@@ -0,0 +1,5 @@
+pr: 107886
+summary: Cluster state role mapper file settings service
+area: Authorization
+type: enhancement
+issues: []

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/rolemapping/PutRoleMappingRequest.java

@@ -166,16 +166,4 @@ public void writeTo(StreamOutput out) throws IOException {
     public ExpressionRoleMapping getMapping() {
         return new ExpressionRoleMapping(name, rules, roles, roleTemplates, metadata, enabled);
     }
-
-    public static PutRoleMappingRequest fromMapping(ExpressionRoleMapping mapping) {
-        var request = new PutRoleMappingRequest();
-        request.setName(mapping.getName());
-        request.setEnabled(mapping.isEnabled());
-        request.setRoles(mapping.getRoles());
-        request.setRoleTemplates(mapping.getRoleTemplates());
-        request.setRules(mapping.getExpression());
-        request.setMetadata(mapping.getMetadata());
-
-        return request;
-    }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/rolemapping/PutRoleMappingRequestBuilder.java

@@ -9,8 +9,7 @@
 import org.elasticsearch.action.ActionRequestBuilder;
 import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.internal.ElasticsearchClient;
-import org.elasticsearch.common.bytes.BytesReference;
-import org.elasticsearch.xcontent.XContentType;
+import org.elasticsearch.xcontent.XContentParser;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.TemplateRoleName;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.RoleMapperExpression;
@@ -35,8 +34,8 @@ public PutRoleMappingRequestBuilder(ElasticsearchClient client) {
     /**
      * Populate the put role request from the source and the role's name
      */
-    public PutRoleMappingRequestBuilder source(String name, BytesReference source, XContentType xContentType) throws IOException {
-        ExpressionRoleMapping mapping = ExpressionRoleMapping.parse(name, source, xContentType);
+    public PutRoleMappingRequestBuilder source(String name, XContentParser parser) throws IOException {
+        ExpressionRoleMapping mapping = ExpressionRoleMapping.parse(name, parser);
         request.setName(name);
         request.setEnabled(mapping.isEnabled());
         request.setRoles(mapping.getRoles());

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -1103,8 +1103,7 @@ Collection<Object> createComponents(
             new SecurityUsageServices(realms, allRolesStore, nativeRoleMappingStore, ipFilter.get(), profileService, apiKeyService)
         );
 
-        reservedRoleMappingAction.set(new ReservedRoleMappingAction(nativeRoleMappingStore));
-        systemIndices.getMainIndexManager().onStateRecovered(state -> reservedRoleMappingAction.get().securityIndexRecovered());
+        reservedRoleMappingAction.set(new ReservedRoleMappingAction());
 
         cacheInvalidatorRegistry.validate();
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/rolemapping/ReservedRoleMappingAction.java

@@ -7,24 +7,18 @@
 
 package org.elasticsearch.xpack.security.action.rolemapping;
 
-import org.elasticsearch.action.ActionListener;
-import org.elasticsearch.action.support.GroupedActionListener;
-import org.elasticsearch.common.util.concurrent.ListenableFuture;
-import org.elasticsearch.reservedstate.NonStateTransformResult;
+import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.reservedstate.ReservedClusterStateHandler;
 import org.elasticsearch.reservedstate.TransformState;
 import org.elasticsearch.xcontent.XContentParser;
 import org.elasticsearch.xcontent.XContentParserConfiguration;
-import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingRequest;
 import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequest;
+import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequestBuilder;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
-import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
+import org.elasticsearch.xpack.core.security.authz.RoleMappingMetadata;
 
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -38,123 +32,59 @@
  * It is used by the ReservedClusterStateService to add/update or remove role mappings. Typical usage
  * for this action is in the context of file based settings.
  */
-public class ReservedRoleMappingAction implements ReservedClusterStateHandler<List<ExpressionRoleMapping>> {
+public class ReservedRoleMappingAction implements ReservedClusterStateHandler<List<PutRoleMappingRequest>> {
     public static final String NAME = "role_mappings";
 
-    private final NativeRoleMappingStore roleMappingStore;
-    private final ListenableFuture<Void> securityIndexRecoveryListener = new ListenableFuture<>();
-
-    /**
-     * Creates a ReservedRoleMappingAction
-     *
-     * @param roleMappingStore requires {@link NativeRoleMappingStore} for storing/deleting the mappings
-     */
-    public ReservedRoleMappingAction(NativeRoleMappingStore roleMappingStore) {
-        this.roleMappingStore = roleMappingStore;
-    }
-
     @Override
     public String name() {
         return NAME;
     }
 
-    private static Collection<PutRoleMappingRequest> prepare(List<ExpressionRoleMapping> roleMappings) {
-        List<PutRoleMappingRequest> requests = roleMappings.stream().map(rm -> PutRoleMappingRequest.fromMapping(rm)).toList();
-
-        var exceptions = new ArrayList<Exception>();
-        for (var request : requests) {
-            // File based defined role mappings are allowed to use MetadataUtils.RESERVED_PREFIX
-            var exception = request.validate(false);
-            if (exception != null) {
-                exceptions.add(exception);
-            }
-        }
-
-        if (exceptions.isEmpty() == false) {
-            var illegalArgumentException = new IllegalArgumentException("error on validating put role mapping requests");
-            exceptions.forEach(illegalArgumentException::addSuppressed);
-            throw illegalArgumentException;
-        }
-
-        return requests;
-    }
-
     @Override
     public TransformState transform(Object source, TransformState prevState) throws Exception {
-        // We execute the prepare() call to catch any errors in the transform phase.
-        // Since we store the role mappings outside the cluster state, we do the actual save with a
-        // non cluster state transform call.
         @SuppressWarnings("unchecked")
-        var requests = prepare((List<ExpressionRoleMapping>) source);
-        return new TransformState(
-            prevState.state(),
-            prevState.keys(),
-            l -> securityIndexRecoveryListener.addListener(
-                ActionListener.wrap(ignored -> nonStateTransform(requests, prevState, l), l::onFailure)
-            )
-        );
-    }
-
-    // Exposed for testing purposes
-    protected void nonStateTransform(
-        Collection<PutRoleMappingRequest> requests,
-        TransformState prevState,
-        ActionListener<NonStateTransformResult> listener
-    ) {
-        Set<String> entities = requests.stream().map(r -> r.getName()).collect(Collectors.toSet());
-        Set<String> toDelete = new HashSet<>(prevState.keys());
-        toDelete.removeAll(entities);
-
-        final int tasksCount = requests.size() + toDelete.size();
-
-        // Nothing to do, don't start a group listener with 0 actions
-        if (tasksCount == 0) {
-            listener.onResponse(new NonStateTransformResult(ReservedRoleMappingAction.NAME, Set.of()));
-            return;
-        }
-
-        GroupedActionListener<Boolean> taskListener = new GroupedActionListener<>(tasksCount, new ActionListener<>() {
-            @Override
-            public void onResponse(Collection<Boolean> booleans) {
-                listener.onResponse(new NonStateTransformResult(ReservedRoleMappingAction.NAME, Collections.unmodifiableSet(entities)));
-            }
-
-            @Override
-            public void onFailure(Exception e) {
-                listener.onFailure(e);
-            }
-        });
-
-        for (var request : requests) {
-            roleMappingStore.putRoleMapping(request, taskListener);
-        }
-
-        for (var mappingToDelete : toDelete) {
-            var deleteRequest = new DeleteRoleMappingRequest();
-            deleteRequest.setName(mappingToDelete);
-            roleMappingStore.deleteRoleMapping(deleteRequest, taskListener);
+        Set<ExpressionRoleMapping> roleMappings = validate((List<PutRoleMappingRequest>) source);
+        RoleMappingMetadata newRoleMappingMetadata = new RoleMappingMetadata(roleMappings);
+        if (newRoleMappingMetadata.equals(RoleMappingMetadata.getFromClusterState(prevState.state()))) {
+            return prevState;
+        } else {
+            ClusterState newState = newRoleMappingMetadata.updateClusterState(prevState.state());
+            Set<String> entities = newRoleMappingMetadata.getRoleMappings()
+                .stream()
+                .map(ExpressionRoleMapping::getName)
+                .collect(Collectors.toSet());
+            return new TransformState(newState, entities);
         }
     }
 
     @Override
-    public List<ExpressionRoleMapping> fromXContent(XContentParser parser) throws IOException {
-        List<ExpressionRoleMapping> result = new ArrayList<>();
-
+    public List<PutRoleMappingRequest> fromXContent(XContentParser parser) throws IOException {
+        List<PutRoleMappingRequest> result = new ArrayList<>();
         Map<String, ?> source = parser.map();
-
         for (String name : source.keySet()) {
             @SuppressWarnings("unchecked")
             Map<String, ?> content = (Map<String, ?>) source.get(name);
             try (XContentParser mappingParser = mapToXContentParser(XContentParserConfiguration.EMPTY, content)) {
-                ExpressionRoleMapping mapping = ExpressionRoleMapping.parse(name, mappingParser);
-                result.add(mapping);
+                result.add(new PutRoleMappingRequestBuilder(null).source(name, mappingParser).request());
             }
         }
-
         return result;
     }
 
-    public void securityIndexRecovered() {
-        securityIndexRecoveryListener.onResponse(null);
+    private Set<ExpressionRoleMapping> validate(List<PutRoleMappingRequest> roleMappings) {
+        var exceptions = new ArrayList<Exception>();
+        for (var roleMapping : roleMappings) {
+            // File based defined role mappings are allowed to use MetadataUtils.RESERVED_PREFIX
+            var exception = roleMapping.validate(false);
+            if (exception != null) {
+                exceptions.add(exception);
+            }
+        }
+        if (exceptions.isEmpty() == false) {
+            var illegalArgumentException = new IllegalArgumentException("error on validating put role mapping requests");
+            exceptions.forEach(illegalArgumentException::addSuppressed);
+            throw illegalArgumentException;
+        }
+        return roleMappings.stream().map(PutRoleMappingRequest::getMapping).collect(Collectors.toUnmodifiableSet());
     }
 }