[Backport 1.x] Reverse order of setUserInfoInThreadContext and addSec…

…urityRoles to resolve ConcurrentModificationException on bulk request (opensearch-project#3094) (opensearch-project#3194) Backport opensearch-project#3094 to 1.x
willyborankin · Aug 16, 2023 · 64fd6b7 · 64fd6b7
1 parent 411c37f
commit 64fd6b7
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -99,8 +99,6 @@
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.User;
 
-import com.google.common.collect.Sets;
-
 import static org.opensearch.security.OpenSearchSecurityPlugin.traceAction;
 import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT;
 
@@ -184,12 +182,12 @@ public boolean isInitialized() {
         return configModel !=null && configModel.getSecurityRoles() != null && dcm != null;
     }
 
-    private void setUserInfoInThreadContext(User user, Set<String> mappedRoles) {
+    private void setUserInfoInThreadContext(User user) {
         if (threadContext.getTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT) == null) {
             StringJoiner joiner = new StringJoiner("|");
             joiner.add(user.getName());
             joiner.add(String.join(",", user.getRoles()));
-            joiner.add(String.join(",", Sets.union(user.getSecurityRoles(), mappedRoles)));
+            joiner.add(String.join(",", user.getSecurityRoles()));
             String requestedTenant = user.getRequestedTenant();
             if (!Strings.isNullOrEmpty(requestedTenant)) {
                 joiner.add(requestedTenant);
@@ -235,7 +233,9 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
         presponse.resolvedSecurityRoles.addAll(mappedRoles);
         final SecurityRoles securityRoles = getSecurityRoles(mappedRoles);
 
-        setUserInfoInThreadContext(user, mappedRoles);
+        // Add the security roles for this user so that they can be used for DLS parameter substitution.
+        user.addSecurityRoles(mappedRoles);
+        setUserInfoInThreadContext(user);
 
         final boolean isDebugEnabled = log.isDebugEnabled();
         if (isDebugEnabled) {