Versions (relevant - OpenSearch): 3.0.0
Describe the issue:
We develop an Opensearch plugin, and we notice since OS version 3.0.0, the OPENDISTRO_SECURITY_DLS_QUERY_HEADER and OPENDISTRO_SECURITY_FLS_FIELDS_HEADER are no longer included in the thread context. Our plugin previously relied on these headers as discriminators for our internal cache. With their removal, we can only use the user as a cache discriminator, which reduces cache hit rates and may negatively impact performance, as the caching layer is critical for us.
Is there any way for a plugin to access similar information? We do not need to decode the DLS/FLS content itself, but we require that two users with the same DLS/FLS context generate the same cache key. Ideally, an API or mechanism to obtain a stable identifier or hash representing the effective DLS/FLS context for a request would allow us to maintain optimal cache efficiency while respecting the new security model.
Any guidance or suggestions would be appreciated.
PR that introduce the change: https://github.com/opensearch-project/security/pull/4380