Optimized tenant privilege evaluation

[nibix]

Description

This change applies the principles used for the optimized privilege evaluation feature (#4380) also for tenant privileges. This should fix the performance issues observed in #5342 and #5129.

• Category: Enhancement
• Why these changes are required? The old implementation had severe performance issues on clusters with many tenants
• What is the old behavior before changes and new behavior after changes? No behavioral changes.

Issues Resolved

Fixes #5342
Fixes #5129

Testing

• New unit tests
• Existing integration tests

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Attention: Patch coverage is 94.32624% with 8 lines in your changes missing coverage. Please review.

Project coverage is 72.06%. Comparing base (344673a) to head (e165558).

Files with missing lines	Patch %	Lines
...earch/security/privileges/PrivilegesEvaluator.java	76.47%	4 Missing ⚠️
...urity/configuration/PrivilegesInterceptorImpl.java	80.00%	0 Missing and 2 partials ⚠️
...ensearch/security/privileges/TenantPrivileges.java	99.03%	0 Missing and 1 partial ⚠️
...ecurityconf/impl/SecurityDynamicConfiguration.java	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5350      +/-   ##
==========================================
+ Coverage   71.96%   72.06%   +0.10%     
==========================================
  Files         378      379       +1     
  Lines       23562    23569       +7     
  Branches     3630     3635       +5     
==========================================
+ Hits        16956    16986      +30     
+ Misses       4794     4786       -8     
+ Partials     1812     1797      -15     

Files with missing lines	Coverage Δ
...earch/security/dlic/rest/api/AccountApiAction.java	98.64% <100.00%> (ø)
...rch/security/privileges/PrivilegesInterceptor.java	88.23% <ø> (ø)
...opensearch/security/privileges/UserAttributes.java	80.00% <ø> (+8.57%)	⬆️
...g/opensearch/security/rest/SecurityInfoAction.java	72.41% <100.00%> (ø)
...org/opensearch/security/rest/TenantInfoAction.java	77.77% <100.00%> (-9.73%)	⬇️
.../opensearch/security/securityconf/ConfigModel.java	100.00% <ø> (ø)
...pensearch/security/securityconf/ConfigModelV7.java	72.50% <ø> (-0.80%)	⬇️
...ch/security/securityconf/DynamicConfigFactory.java	62.32% <100.00%> (ø)
...ensearch/security/privileges/TenantPrivileges.java	99.03% <99.03%> (ø)
...ecurityconf/impl/SecurityDynamicConfiguration.java	83.09% <50.00%> (-0.48%)	⬇️
... and 2 more

... and 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[DarshitChanpura]

qq, is remoteAddress not being used when getting mappedRoles?

[nibix]

The second parameter of createContext() is the action name, not the remoteAddress. createContext() will retrieve the remoteAddress by itself out of the thread context (i.e., do that what is also being done in line 123 as seen above).

We can pass null for the action name, as we are not actually authorizing any action here.