Skip isSimpleMatchPattern check for expressions in indirect requests such as ShardLevelRequest #119629
Labels
>enhancement
:Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC)
Team:Security (Meta label for security team)
Follow up from #78321 and this issue is proposed in #78321 (comment).
In elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java (Line 148 in beb37e5), ShardSearchRequest already have their wildcard and selectors expanded and do not need the following checks that are executed for every expression:
Regex.isSimpleMatchPattern(selector)
Regex.isSimpleMatchPattern(localExpression)
We can gain some performance here for a large list of indices if we have an allowlist to skip this check.
Proposal
TransportClient can potentially send a shard level request directly with wildcard not expanded. But I don't think we need to worry about it since the actual search will not rely on the indices (it uses ShardSearchRequest#shardId). Also the comment below clearly states that it is acceptable to allow wildcards in shard level requests. They just won't get expanded.
It would be great if we have a formal way to categorise non-replaceable requests into PutIndexRequest) and ShardSearchRequest). Because a major part of this method is necessary for (1) but not (2). For now, an allowlist is a viable alternative.
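A sketch of the allowlist idea proposed above, added here as an illustration and not taken from the Elasticsearch code base. The request types, resolve(), simpleMatch() and the ALREADY_EXPANDED set are hypothetical, and isSimpleMatchPattern is a stand-in assumed to test for a '*' in the expression.

```java
import java.util.*;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class ShardLevelAllowlistSketch {
    // Hypothetical stand-ins for the request types; not Elasticsearch classes.
    interface IndicesRequest { List<String> indices(); }
    record TopLevelRequest(List<String> indices) implements IndicesRequest {}
    record ShardLevelRequest(List<String> indices) implements IndicesRequest {}

    // Allowlist: request types whose expressions were already expanded upstream.
    static final Set<Class<?>> ALREADY_EXPANDED = Set.of(ShardLevelRequest.class);
    static int patternChecks = 0; // counts per-expression wildcard checks

    // Assumed stand-in for Regex.isSimpleMatchPattern: true if the expression contains '*'.
    static boolean isSimpleMatchPattern(String expr) {
        patternChecks++;
        return expr.indexOf('*') != -1;
    }

    // Minimal '*' glob match used to expand wildcards over the authorized indices.
    static boolean simpleMatch(String pattern, String name) {
        String regex = Arrays.stream(pattern.split("\\*", -1))
            .map(Pattern::quote).collect(Collectors.joining(".*"));
        return name.matches(regex);
    }

    static List<String> resolve(IndicesRequest request, List<String> authorized) {
        boolean skipChecks = ALREADY_EXPANDED.contains(request.getClass());
        List<String> resolved = new ArrayList<>();
        for (String expr : request.indices()) {
            if (!skipChecks && isSimpleMatchPattern(expr)) {
                authorized.stream().filter(i -> simpleMatch(expr, i)).forEach(resolved::add);
            } else {
                resolved.add(expr); // kept as a literal name, never expanded
            }
        }
        return resolved;
    }

    public static void main(String[] args) {
        List<String> authorized = List.of("logs-1", "logs-2", "metrics-1"); // constructed sample
        System.out.println(resolve(new TopLevelRequest(List.of("logs-*")), authorized));
        System.out.println(resolve(new ShardLevelRequest(List.of("logs-1", "logs-2")), authorized));
        // A wildcard in an allowlisted request stays literal: it is not expanded to other indices.
        System.out.println(resolve(new ShardLevelRequest(List.of("logs-*")), authorized));
        System.out.println("pattern checks performed: " + patternChecks);
    }
}
```

Only the top-level request pays for the per-expression check; the allowlisted shard-level requests pass their expressions through unchanged, so the allowlist must contain only request types for which an unexpanded wildcard is acceptable.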