Optimize Index Permission Automatons for Has Privileges #136625
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
slobodanadamovic
added a commit
to slobodanadamovic/elasticsearch
that referenced
this pull request
Oct 15, 2025
Contributor
Author
|
The reported CI failure in serverless is valid I think: Working on reproducing locally now. |
Collaborator
|
Hi @jfreden, I've created a changelog YAML for you. |
Collaborator
|
Pinging @elastic/es-security (Team:Security) |
jfreden
commented
Oct 16, 2025
docs/changelog/136625.yaml
Outdated
| @@ -0,0 +1,5 @@ | |||
| pr: 136625 | |||
| summary: Optimize index permissions | |||
Contributor
Author
There was a problem hiding this comment.
Will update this as soon as CI finishes
slobodanadamovic
approved these changes
Oct 16, 2025
Contributor
slobodanadamovic
left a comment
There was a problem hiding this comment.
LGTM 🚀
Thanks for fixing it!
This was referenced Oct 16, 2025
Collaborator
💔 Backport failed
You can use sqren/backport to manually backport by running |
jfreden
added a commit
to jfreden/elasticsearch
that referenced
this pull request
Oct 16, 2025
This PR optimizes how index permission automatons are created. In elastic#110633 a feature was added to allow for doing regular expression "has privilege" style checks against index permission groups. The reason this was added was to support regular expressions for the `manage_roles` privilege (so unrelated to the has privileges API). The implementation was known to have performance issues and the change was therefore made optional (and disabled in the has privileges API). Unfortunately, a change to simplify the logic by doing `Automatons.unionAndMinimize` on all index permissions in a group was left outside the conditional and therefore caused a performance regression. See [this](https://github.com/elastic/elasticsearch/blob/2a9c07eb6fe4e8bbb7fc9fbab6fa59ccc006e10b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java#L840-L860) comment for details on the original change.
jfreden
added a commit
to jfreden/elasticsearch
that referenced
this pull request
Oct 16, 2025
This PR optimizes how index permission automatons are created. In elastic#110633 a feature was added to allow for doing regular expression "has privilege" style checks against index permission groups. The reason this was added was to support regular expressions for the `manage_roles` privilege (so unrelated to the has privileges API). The implementation was known to have performance issues and the change was therefore made optional (and disabled in the has privileges API). Unfortunately, a change to simplify the logic by doing `Automatons.unionAndMinimize` on all index permissions in a group was left outside the conditional and therefore caused a performance regression. See [this](https://github.com/elastic/elasticsearch/blob/2a9c07eb6fe4e8bbb7fc9fbab6fa59ccc006e10b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java#L840-L860) comment for details on the original change.
Contributor
Author
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
jfreden
added a commit
to jfreden/elasticsearch
that referenced
this pull request
Oct 16, 2025
This PR optimizes how index permission automatons are created. In elastic#110633 a feature was added to allow for doing regular expression "has privilege" style checks against index permission groups. The reason this was added was to support regular expressions for the `manage_roles` privilege (so unrelated to the has privileges API). The implementation was known to have performance issues and the change was therefore made optional (and disabled in the has privileges API). Unfortunately, a change to simplify the logic by doing `Automatons.unionAndMinimize` on all index permissions in a group was left outside the conditional and therefore caused a performance regression. See [this](https://github.com/elastic/elasticsearch/blob/2a9c07eb6fe4e8bbb7fc9fbab6fa59ccc006e10b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java#L840-L860) comment for details on the original change. (cherry picked from commit 3df0abb) # Conflicts: # x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 16, 2025
…36674) This PR optimizes how index permission automatons are created. In #110633 a feature was added to allow for doing regular expression "has privilege" style checks against index permission groups. The reason this was added was to support regular expressions for the `manage_roles` privilege (so unrelated to the has privileges API). The implementation was known to have performance issues and the change was therefore made optional (and disabled in the has privileges API). Unfortunately, a change to simplify the logic by doing `Automatons.unionAndMinimize` on all index permissions in a group was left outside the conditional and therefore caused a performance regression. See [this](https://github.com/elastic/elasticsearch/blob/2a9c07eb6fe4e8bbb7fc9fbab6fa59ccc006e10b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java#L840-L860) comment for details on the original change.
jfreden
added a commit
that referenced
this pull request
Oct 16, 2025
…36678) This PR optimizes how index permission automatons are created. In #110633 a feature was added to allow for doing regular expression "has privilege" style checks against index permission groups. The reason this was added was to support regular expressions for the `manage_roles` privilege (so unrelated to the has privileges API). The implementation was known to have performance issues and the change was therefore made optional (and disabled in the has privileges API). Unfortunately, a change to simplify the logic by doing `Automatons.unionAndMinimize` on all index permissions in a group was left outside the conditional and therefore caused a performance regression. See [this](https://github.com/elastic/elasticsearch/blob/2a9c07eb6fe4e8bbb7fc9fbab6fa59ccc006e10b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java#L840-L860) comment for details on the original change. (cherry picked from commit 3df0abb) # Conflicts: # x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java
elasticsearchmachine
pushed a commit
that referenced
this pull request
Oct 16, 2025
…36673) This PR optimizes how index permission automatons are created. In #110633 a feature was added to allow for doing regular expression "has privilege" style checks against index permission groups. The reason this was added was to support regular expressions for the `manage_roles` privilege (so unrelated to the has privileges API). The implementation was known to have performance issues and the change was therefore made optional (and disabled in the has privileges API). Unfortunately, a change to simplify the logic by doing `Automatons.unionAndMinimize` on all index permissions in a group was left outside the conditional and therefore caused a performance regression. See [this](https://github.com/elastic/elasticsearch/blob/2a9c07eb6fe4e8bbb7fc9fbab6fa59ccc006e10b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java#L840-L860) comment for details on the original change.
Kubik42
pushed a commit
to Kubik42/elasticsearch
that referenced
this pull request
Oct 16, 2025
This PR optimizes how index permission automatons are created. In elastic#110633 a feature was added to allow for doing regular expression "has privilege" style checks against index permission groups. The reason this was added was to support regular expressions for the `manage_roles` privilege (so unrelated to the has privileges API). The implementation was known to have performance issues and the change was therefore made optional (and disabled in the has privileges API). Unfortunately, a change to simplify the logic by doing `Automatons.unionAndMinimize` on all index permissions in a group was left outside the conditional and therefore caused a performance regression. See [this](https://github.com/elastic/elasticsearch/blob/2a9c07eb6fe4e8bbb7fc9fbab6fa59ccc006e10b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java#L840-L860) comment for details on the original change.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR optimizes how index permission automatons are created.
In #110633 a feature was added to allow for doing regular expression "has privilege" style checks against index permission groups. The reason this was added was to support regular expressions for the
manage_rolesprivilege (so unrelated to the has privileges API). The implementation was known to have performance issues and the change was therefore made optional (and disabled in the has privileges API). Unfortunately, a change to simplify the logic by doingAutomatons.unionAndMinimizeon all index permissions in a group was left outside the conditional and therefore caused a performance regression.See this comment for details on the original change.