ConfigModel retirement was not completely done. Now fully deleted.

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -1170,7 +1170,6 @@ public Collection<Object> createComponents(
         backendRegistry = new BackendRegistry(settings, adminDns, xffResolver, auditLog, threadPool, cih);
         backendRegistry.registerClusterSettingsChangeListener(clusterService.getClusterSettings());
         cr.subscribeOnChange(configMap -> { backendRegistry.invalidateCache(); });
-        tokenManager = new SecurityTokenManager(cs, threadPool, userService);
 
         final CompatConfig compatConfig = new CompatConfig(environment, transportPassiveAuthSetting);
 
@@ -1181,6 +1180,7 @@ public Collection<Object> createComponents(
             threadPool.getThreadContext()
         );
         this.roleMapper = roleMapper;
+        tokenManager = new SecurityTokenManager(cs, threadPool, userService, roleMapper);
 
         PrivilegesConfiguration privilegesConfiguration = new PrivilegesConfiguration(
             cr,

src/main/java/org/opensearch/security/identity/SecurityTokenManager.java

@@ -32,7 +32,7 @@
 import org.opensearch.security.authtoken.jwt.ExpiringBearerAuthToken;
 import org.opensearch.security.authtoken.jwt.JwtVendor;
 import org.opensearch.security.authtoken.jwt.claims.OBOJwtClaimsBuilder;
-import org.opensearch.security.securityconf.ConfigModel;
+import org.opensearch.security.privileges.RoleMapper;
 import org.opensearch.security.securityconf.DynamicConfigModel;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.user.User;
@@ -53,21 +53,22 @@ public class SecurityTokenManager implements TokenManager {
     private final ClusterService cs;
     private final ThreadPool threadPool;
     private final UserService userService;
+    private final RoleMapper roleMapper;
 
     private Settings oboSettings = null;
-    private ConfigModel configModel = null;
     private final LongSupplier timeProvider = System::currentTimeMillis;
     private static final Integer OBO_MAX_EXPIRY_SECONDS = 600;
 
-    public SecurityTokenManager(final ClusterService cs, final ThreadPool threadPool, final UserService userService) {
+    public SecurityTokenManager(
+        final ClusterService cs,
+        final ThreadPool threadPool,
+        final UserService userService,
+        RoleMapper roleMapper
+    ) {
         this.cs = cs;
         this.threadPool = threadPool;
         this.userService = userService;
-    }
-
-    @Subscribe
-    public void onConfigModelChanged(final ConfigModel configModel) {
-        this.configModel = configModel;
+        this.roleMapper = roleMapper;
     }
 
     @Subscribe
@@ -90,7 +91,7 @@ JwtVendor createJwtVendor(final Settings settings) {
     }
 
     public boolean issueOnBehalfOfTokenAllowed() {
-        return oboSettings != null && configModel != null;
+        return oboSettings != null;
     }
 
     @Override
@@ -117,7 +118,7 @@ public ExpiringBearerAuthToken issueOnBehalfOfToken(final Subject subject, final
         }
 
         final TransportAddress callerAddress = null; /* OBO tokens must not roles based on location from network address */
-        final Set<String> mappedRoles = configModel.mapSecurityRoles(user, callerAddress);
+        final Set<String> mappedRoles = this.roleMapper.map(user, callerAddress);
 
         final long currentTimeMs = timeProvider.getAsLong();
         final Date now = new Date(currentTimeMs);

src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorImpl.java

@@ -38,6 +38,7 @@
 import java.util.function.Supplier;
 
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -145,7 +146,7 @@ public class PrivilegesEvaluatorImpl implements PrivilegesEvaluator {
     private final PitPrivilegesEvaluator pitPrivilegesEvaluator;
     private final Settings settings;
     private final AtomicReference<RoleBasedActionPrivileges> actionPrivileges = new AtomicReference<>();
-    private final Map<String, SubjectBasedActionPrivileges> pluginIdToActionPrivileges = new HashMap<>();
+    private final ImmutableMap<String, ActionPrivileges> pluginIdToActionPrivileges;
     private final RoleMapper roleMapper;
 
     private volatile boolean dnfofEnabled = false;
@@ -197,7 +198,7 @@ public PrivilegesEvaluatorImpl(
         termsAggregationEvaluator = new TermsAggregationEvaluator();
         pitPrivilegesEvaluator = new PitPrivilegesEvaluator();
 
-        this.pluginIdToActionPrivileges.putAll(createActionPrivileges(pluginIdToRolePrivileges, staticActionGroups));
+        this.pluginIdToActionPrivileges = createActionPrivileges(pluginIdToRolePrivileges, staticActionGroups);
         this.updateConfiguration(actionGroups, rolesConfiguration, generalConfiguration);
     }
 
@@ -267,10 +268,7 @@ public PrivilegesEvaluationContext createContext(
 
         if (user.isPluginUser()) {
             mappedRoles = ImmutableSet.of();
-            actionPrivileges = this.pluginIdToActionPrivileges.get(user.getName());
-            if (actionPrivileges == null) {
-                actionPrivileges = ActionPrivileges.EMPTY;
-            }
+            actionPrivileges = this.pluginIdToActionPrivileges.getOrDefault(user.getName(), ActionPrivileges.EMPTY);
         } else {
             mappedRoles = this.roleMapper.map(user, caller);
             actionPrivileges = this.actionPrivileges.get();
@@ -731,7 +729,7 @@ private List<String> toString(List<AliasMetadata> aliases) {
         return Collections.unmodifiableList(ret);
     }
 
-    private static Map<String, SubjectBasedActionPrivileges> createActionPrivileges(
+    private static ImmutableMap<String, ActionPrivileges> createActionPrivileges(
         Map<String, RoleV7> pluginIdToRolePrivileges,
         FlattenedActionGroups staticActionGroups
     ) {
@@ -741,7 +739,7 @@ private static Map<String, SubjectBasedActionPrivileges> createActionPrivileges(
             result.put(entry.getKey(), new SubjectBasedActionPrivileges(entry.getValue(), staticActionGroups));
         }
 
-        return result;
+        return ImmutableMap.copyOf(result);
     }
 
     private static boolean isDnfofEnabled(ConfigV7 generalConfiguration) {

src/main/java/org/opensearch/security/securityconf/ConfigModel.java

@@ -236,7 +236,6 @@ public void onChange(ConfigurationMap typeToConfig) {
 
         final DynamicConfigModel dcm;
         final InternalUsersModel ium;
-        final ConfigModel cm;
         final NodesDnModel nm = new NodesDnModelImpl(nodesDn);
         final AllowlistingSettings allowlist = cr.getConfiguration(CType.ALLOWLIST).getCEntry("config");
         final AuditConfig audit = cr.getConfiguration(CType.AUDIT).getCEntry("config");
@@ -278,10 +277,8 @@ public void onChange(ConfigurationMap typeToConfig) {
         // rebuild v7 Models
         dcm = new DynamicConfigModelV7(getConfigV7(config), opensearchSettings, configPath, iab, this.cih);
         ium = new InternalUsersModelV7(internalusers, roles, rolesmapping);
-        cm = new ConfigModelV7(roles, rolesmapping, dcm, opensearchSettings);
 
         // notify subscribers
-        eventBus.post(cm);
         eventBus.post(dcm);
         eventBus.post(ium);
         eventBus.post(nm);

src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java

@@ -999,6 +999,11 @@ public boolean detailedErrorsEnabled() {
             return false;
         }
 
+        @Override
+        public boolean detailedErrorStackTraceEnabled() {
+            return false;
+        }
+
         @Override
         public void sendResponse(RestResponse response) {
             this.response = response;