Cluster state role mapper file settings service

docs/changelog/107886.yaml

@@ -0,0 +1,5 @@
+pr: 107886
+summary: Cluster state role mapper file settings service
+area: Authorization
+type: enhancement
+issues: []

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/rolemapping/PutRoleMappingRequest.java

@@ -166,16 +166,4 @@ public void writeTo(StreamOutput out) throws IOException {
     public ExpressionRoleMapping getMapping() {
         return new ExpressionRoleMapping(name, rules, roles, roleTemplates, metadata, enabled);
     }
-
-    public static PutRoleMappingRequest fromMapping(ExpressionRoleMapping mapping) {
-        var request = new PutRoleMappingRequest();
-        request.setName(mapping.getName());
-        request.setEnabled(mapping.isEnabled());
-        request.setRoles(mapping.getRoles());
-        request.setRoleTemplates(mapping.getRoleTemplates());
-        request.setRules(mapping.getExpression());
-        request.setMetadata(mapping.getMetadata());
-
-        return request;
-    }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/rolemapping/PutRoleMappingRequestBuilder.java

@@ -9,8 +9,7 @@
 import org.elasticsearch.action.ActionRequestBuilder;
 import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.internal.ElasticsearchClient;
-import org.elasticsearch.common.bytes.BytesReference;
-import org.elasticsearch.xcontent.XContentType;
+import org.elasticsearch.xcontent.XContentParser;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.TemplateRoleName;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.RoleMapperExpression;
@@ -35,8 +34,8 @@ public PutRoleMappingRequestBuilder(ElasticsearchClient client) {
     /**
      * Populate the put role request from the source and the role's name
      */
-    public PutRoleMappingRequestBuilder source(String name, BytesReference source, XContentType xContentType) throws IOException {
-        ExpressionRoleMapping mapping = ExpressionRoleMapping.parse(name, source, xContentType);
+    public PutRoleMappingRequestBuilder source(String name, XContentParser parser) throws IOException {
+        ExpressionRoleMapping mapping = ExpressionRoleMapping.parse(name, parser);
         request.setName(name);
         request.setEnabled(mapping.isEnabled());
         request.setRoles(mapping.getRoles());

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -1103,8 +1103,7 @@ Collection<Object> createComponents(
             new SecurityUsageServices(realms, allRolesStore, nativeRoleMappingStore, ipFilter.get(), profileService, apiKeyService)
         );
 
-        reservedRoleMappingAction.set(new ReservedRoleMappingAction(nativeRoleMappingStore));
-        systemIndices.getMainIndexManager().onStateRecovered(state -> reservedRoleMappingAction.get().securityIndexRecovered());
+        reservedRoleMappingAction.set(new ReservedRoleMappingAction());
 
         cacheInvalidatorRegistry.validate();
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/rolemapping/ReservedRoleMappingAction.java

@@ -7,24 +7,18 @@
 
 package org.elasticsearch.xpack.security.action.rolemapping;
 
-import org.elasticsearch.action.ActionListener;
-import org.elasticsearch.action.support.GroupedActionListener;
-import org.elasticsearch.common.util.concurrent.ListenableFuture;
-import org.elasticsearch.reservedstate.NonStateTransformResult;
+import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.reservedstate.ReservedClusterStateHandler;
 import org.elasticsearch.reservedstate.TransformState;
 import org.elasticsearch.xcontent.XContentParser;
 import org.elasticsearch.xcontent.XContentParserConfiguration;
-import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingRequest;
 import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequest;
+import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequestBuilder;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
-import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
+import org.elasticsearch.xpack.core.security.authz.RoleMappingMetadata;
 
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -38,123 +32,59 @@
  * It is used by the ReservedClusterStateService to add/update or remove role mappings. Typical usage
  * for this action is in the context of file based settings.
  */
-public class ReservedRoleMappingAction implements ReservedClusterStateHandler<List<ExpressionRoleMapping>> {
+public class ReservedRoleMappingAction implements ReservedClusterStateHandler<List<PutRoleMappingRequest>> {
     public static final String NAME = "role_mappings";
 
-    private final NativeRoleMappingStore roleMappingStore;
-    private final ListenableFuture<Void> securityIndexRecoveryListener = new ListenableFuture<>();
-
-    /**
-     * Creates a ReservedRoleMappingAction
-     *
-     * @param roleMappingStore requires {@link NativeRoleMappingStore} for storing/deleting the mappings
-     */
-    public ReservedRoleMappingAction(NativeRoleMappingStore roleMappingStore) {
-        this.roleMappingStore = roleMappingStore;
-    }
-
     @Override
     public String name() {
         return NAME;
     }
 
-    private static Collection<PutRoleMappingRequest> prepare(List<ExpressionRoleMapping> roleMappings) {
-        List<PutRoleMappingRequest> requests = roleMappings.stream().map(rm -> PutRoleMappingRequest.fromMapping(rm)).toList();
-
-        var exceptions = new ArrayList<Exception>();
-        for (var request : requests) {
-            // File based defined role mappings are allowed to use MetadataUtils.RESERVED_PREFIX
-            var exception = request.validate(false);
-            if (exception != null) {
-                exceptions.add(exception);
-            }
-        }
-
-        if (exceptions.isEmpty() == false) {
-            var illegalArgumentException = new IllegalArgumentException("error on validating put role mapping requests");
-            exceptions.forEach(illegalArgumentException::addSuppressed);
-            throw illegalArgumentException;
-        }
-
-        return requests;
-    }
-
     @Override
     public TransformState transform(Object source, TransformState prevState) throws Exception {
-        // We execute the prepare() call to catch any errors in the transform phase.
-        // Since we store the role mappings outside the cluster state, we do the actual save with a
-        // non cluster state transform call.
         @SuppressWarnings("unchecked")
-        var requests = prepare((List<ExpressionRoleMapping>) source);
-        return new TransformState(
-            prevState.state(),
-            prevState.keys(),
-            l -> securityIndexRecoveryListener.addListener(
-                ActionListener.wrap(ignored -> nonStateTransform(requests, prevState, l), l::onFailure)
-            )
-        );
-    }
-
-    // Exposed for testing purposes
-    protected void nonStateTransform(
-        Collection<PutRoleMappingRequest> requests,
-        TransformState prevState,
-        ActionListener<NonStateTransformResult> listener
-    ) {
-        Set<String> entities = requests.stream().map(r -> r.getName()).collect(Collectors.toSet());
-        Set<String> toDelete = new HashSet<>(prevState.keys());
-        toDelete.removeAll(entities);
-
-        final int tasksCount = requests.size() + toDelete.size();
-
-        // Nothing to do, don't start a group listener with 0 actions
-        if (tasksCount == 0) {
-            listener.onResponse(new NonStateTransformResult(ReservedRoleMappingAction.NAME, Set.of()));
-            return;
-        }
-
-        GroupedActionListener<Boolean> taskListener = new GroupedActionListener<>(tasksCount, new ActionListener<>() {
-            @Override
-            public void onResponse(Collection<Boolean> booleans) {
-                listener.onResponse(new NonStateTransformResult(ReservedRoleMappingAction.NAME, Collections.unmodifiableSet(entities)));
-            }
-
-            @Override
-            public void onFailure(Exception e) {
-                listener.onFailure(e);
-            }
-        });
-
-        for (var request : requests) {
-            roleMappingStore.putRoleMapping(request, taskListener);
-        }
-
-        for (var mappingToDelete : toDelete) {
-            var deleteRequest = new DeleteRoleMappingRequest();
-            deleteRequest.setName(mappingToDelete);
-            roleMappingStore.deleteRoleMapping(deleteRequest, taskListener);
+        Set<ExpressionRoleMapping> roleMappings = validate((List<PutRoleMappingRequest>) source);
+        RoleMappingMetadata newRoleMappingMetadata = new RoleMappingMetadata(roleMappings);
+        if (newRoleMappingMetadata.equals(RoleMappingMetadata.getFromClusterState(prevState.state()))) {
+            return prevState;
+        } else {
+            ClusterState newState = newRoleMappingMetadata.updateClusterState(prevState.state());
+            Set<String> entities = newRoleMappingMetadata.getRoleMappings()
+                .stream()
+                .map(ExpressionRoleMapping::getName)
+                .collect(Collectors.toSet());
+            return new TransformState(newState, entities);
         }
     }
 
     @Override
-    public List<ExpressionRoleMapping> fromXContent(XContentParser parser) throws IOException {
-        List<ExpressionRoleMapping> result = new ArrayList<>();
-
+    public List<PutRoleMappingRequest> fromXContent(XContentParser parser) throws IOException {
+        List<PutRoleMappingRequest> result = new ArrayList<>();
         Map<String, ?> source = parser.map();
-
         for (String name : source.keySet()) {
             @SuppressWarnings("unchecked")
             Map<String, ?> content = (Map<String, ?>) source.get(name);
             try (XContentParser mappingParser = mapToXContentParser(XContentParserConfiguration.EMPTY, content)) {
-                ExpressionRoleMapping mapping = ExpressionRoleMapping.parse(name, mappingParser);
-                result.add(mapping);
+                result.add(new PutRoleMappingRequestBuilder(null).source(name, mappingParser).request());
             }
         }
-
         return result;
     }
 
-    public void securityIndexRecovered() {
-        securityIndexRecoveryListener.onResponse(null);
+    private Set<ExpressionRoleMapping> validate(List<PutRoleMappingRequest> roleMappings) {
+        var exceptions = new ArrayList<Exception>();
+        for (var roleMapping : roleMappings) {
+            // File based defined role mappings are allowed to use MetadataUtils.RESERVED_PREFIX
+            var exception = roleMapping.validate(false);
+            if (exception != null) {
+                exceptions.add(exception);
+            }
+        }
+        if (exceptions.isEmpty() == false) {
+            var illegalArgumentException = new IllegalArgumentException("error on validating put role mapping requests");
+            exceptions.forEach(illegalArgumentException::addSuppressed);
+            throw illegalArgumentException;
+        }
+        return roleMappings.stream().map(PutRoleMappingRequest::getMapping).collect(Collectors.toUnmodifiableSet());
     }
 }