Investigate improvements to all pattern matching #36062
Assignees
Labels
>enhancement
:Security/Authorization
Roles, Privileges, DLS/FLS, RBAC/ABAC
Team:Security
Meta label for security team
Comments
jaymode
added
>enhancement
:Security/Authorization
|
Pinging @elastic/es-security |
|
This investigation should also consider an observation from @tvernum
This means that something like Additionally, one item to consider is the fact that certain patterns may overlap; |
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this issue
Nov 24, 2020
This commit moves the implementation of wildcard pattern matching into
a standalone utility class ("StringMatcher").
In general, we rely on lucene Automaton objects to implement pattern
matching (wildcards and regexp) within Elasticsearch security - for
example in Index name patterns within a role.
The IndicesPermission class also has a special optimisation for exact
string matches (that is raw index names that contain no wildcards) as
using String.equals / Set.contains is more efficient for this common
case.
All of the above functionality has now been extracted into the
StringMatcher class, and it is now used in several places where it may
be more efficient that the previous use of raw Automaton objects.
A future change will expand this StringMatcher class with additional
optimisations for common use cases that are poorly handled within our
existing automaton compilation process.
Relates: elastic#36062
tvernum
added a commit
that referenced
this issue
Dec 21, 2020
This commit moves the implementation of wildcard pattern matching into
a standalone utility class ("StringMatcher").
In general, we rely on lucene Automaton objects to implement pattern
matching (wildcards and regexp) within Elasticsearch security - for
example in Index name patterns within a role.
The IndicesPermission class also has a special optimisation for exact
string matches (that is raw index names that contain no wildcards) as
using String.equals / Set.contains is more efficient for this common
case.
All of the above functionality has now been extracted into the
StringMatcher class, and it is now used in several places where it may
be more efficient that the previous use of raw Automaton objects.
A future change will expand this StringMatcher class with additional
optimisations for common use cases that are poorly handled within our
existing automaton compilation process.
Relates: #36062
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In #36017, a targeted improvement is made to the pattern matching for indices permissions to improve the exact match performance and building of permissions. @tvernum suggested that we can extract this logic into a
Patternsclass and update other places where pattern matching is done. Also, we can investigate the performance of other methods such asString#startsWithandString#endsWithin certain cases in place of aAutomaton.The text was updated successfully, but these errors were encountered: