DLS/FLS fixes

Signed-off-by: Nils Bandener <[email protected]>

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -1110,7 +1110,7 @@ public Collection<Object> createComponents(
             namedXContentRegistry.get()
         );
 
-        dlsFlsBaseContext = new DlsFlsBaseContext(evaluator, threadPool.getThreadContext());
+        dlsFlsBaseContext = new DlsFlsBaseContext(evaluator, threadPool.getThreadContext(), adminDns);
 
         if (SSLConfig.isSslOnlyMode()) {
             dlsFlsValve = new DlsFlsRequestValve.NoopDlsFlsRequestValve();

src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java

@@ -75,6 +75,7 @@
 import org.opensearch.search.internal.SearchContext;
 import org.opensearch.search.query.QuerySearchResult;
 import org.opensearch.security.OpenSearchSecurityPlugin;
+import org.opensearch.security.privileges.DocumentAllowList;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluationException;
 import org.opensearch.security.privileges.dlsfls.DlsFlsBaseContext;
@@ -398,6 +399,19 @@ public void handleSearchContext(SearchContext searchContext, ThreadPool threadPo
                 log.trace("handleSearchContext(); index: {}; dlsRestriction: {}", index, dlsRestriction);
             }
 
+            DocumentAllowList documentAllowList = DocumentAllowList.get(threadContext);
+
+            if (documentAllowList.isEntryForIndexPresent(index)) {
+                // The documentAllowList is needed for two cases:
+                // - DLS rules which use "term lookup queries" and thus need to access indices for which no privileges are present
+                // - Dashboards multi tenancy which can redirect index accesses to indices for which no normal index privileges are present
+
+                if (!dlsRestriction.isUnrestricted() && documentAllowList.isAllowed(index, "*")) {
+                    dlsRestriction = DlsRestriction.NONE;
+                    log.debug("Lifting DLS for {} due to present document allowlist", index);
+                }
+            }
+
             if (!dlsRestriction.isUnrestricted()) {
                 if (mode == Mode.ADAPTIVE && dlsRestriction.containsTermLookupQuery()) {
                     // Special case for scroll operations:

src/main/java/org/opensearch/security/privileges/dlsfls/DlsFlsBaseContext.java

@@ -11,6 +11,7 @@
 package org.opensearch.security.privileges.dlsfls;
 
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.support.ConfigConstants;
@@ -22,10 +23,12 @@
 public class DlsFlsBaseContext {
     private final PrivilegesEvaluator privilegesEvaluator;
     private final ThreadContext threadContext;
+    private final AdminDNs adminDNs;
 
-    public DlsFlsBaseContext(PrivilegesEvaluator privilegesEvaluator, ThreadContext threadContext) {
+    public DlsFlsBaseContext(PrivilegesEvaluator privilegesEvaluator, ThreadContext threadContext, AdminDNs adminDNs) {
         this.privilegesEvaluator = privilegesEvaluator;
         this.threadContext = threadContext;
+        this.adminDNs = adminDNs;
     }
 
     /**
@@ -35,7 +38,7 @@ public DlsFlsBaseContext(PrivilegesEvaluator privilegesEvaluator, ThreadContext
     public PrivilegesEvaluationContext getPrivilegesEvaluationContext() {
         User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
 
-        if (user == null) {
+        if (user == null || adminDNs.isAdmin(user)) {
             return null;
         }