Fix logic for determining if a role has no DLS/FLS/FieldMasking restrictions

[cwperks]

Description

This PR fixes the logic for determining whether a role is unrestricted with regards to FLS/DLS/FieldMasking restrictions. A role is considered unrestricted if the respective fls:, dls:, or masked_fields: portions are either an empty list or left out of the role definition altogether.

The gist of the problem is that we bypass the FlsDlsValveImpl if a role has no restrictions, but we are not computing whether a role has no restrictions correctly because we are resolving to concrete indices for cluster actions and then applying the default of {"match_none": {}} to any resolvable indices such as .opendistro_security.

There was a bug seen in CCR tests w/ security: opensearch-project/cross-cluster-replication#1518

The issue can be reproduced by checking out the CCR repo and running:

./gradlew integTest -Dbuild.snapshot=true -Psecurity=true --tests "org.opensearch.replication.integ.rest.SecurityCustomRolesIT.test for FOLLOWER that AutoFollow works for user with valid permissions" -i

Ensure that any local snapshots for core, security and common-utils are up to date.

For core and common-utils run ./gradlew publishToMavenLocal

For security run ./gradlew publishZipToMavenLocal

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Bug fix

Issues Resolved

Resolves opensearch-project/cross-cluster-replication#1518

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[cwperks]

FYI @nibix

[derek-ho]

LGTM - should we add a test case for this?

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.69%. Comparing base (00ea10a) to head (0692e9a).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5184      +/-   ##
==========================================
- Coverage   71.71%   71.69%   -0.02%     
==========================================
  Files         337      337              
  Lines       22783    22786       +3     
  Branches     3604     3606       +2     
==========================================
- Hits        16338    16336       -2     
- Misses       4642     4644       +2     
- Partials     1803     1806       +3     

Files with missing lines	Coverage Δ
...search/security/configuration/DlsFlsValveImpl.java	62.71% <100.00%> (-1.58%)	⬇️
...security/privileges/dlsfls/DocumentPrivileges.java	100.00% <100.00%> (ø)

... and 10 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cwperks]

@shikharj05 @nibix This PR is needed to unblock opensearch-3.0.0-alpha1 release. Do either of you have concerns with merging in the current state?

[shikharj05]

@shikharj05 @nibix This PR is needed to unblock opensearch-3.0.0-alpha1 release. Do either of you have concerns with merging in the current state?

Sure, let's create a separate issue to continue the conversation.