Add ability to change default DLS parameter substitution behavior

[rofleksey]

Currently, if DLS contains a parameter that is not quoted and is not defined anywhere, i get this error:
Unrecognized token '$': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')

This is happening, because replaceProperties method replaces only defined parameters, but does nothing to at least replace undefined ones with ''. This doesn't result in error if all the parameters are quoted, because even though they are not being replaced, the JSON structure still stays syntactically correct. But if there is at least one unquoted parameter, I get this error.

For example, if I have this role configuration:

{
  "index_permissions": [
    {
      ...
      "dls": "{\"terms\":{\"arr\":[${attr.jwt.array}]}}",
      ...
    }
  ],
  ...
}

And JWT payload looks like:

{
  "array": "\"1\", \"2\", \"3\"",
}

Then everything works correctly. But if for some reason I don't define this array field in JWT payload, I get the error described above.

I think there should be an option to tweak this behavior:

1. do nothing to undefined parameters (default)
2. replace undefined parameters with ''
3. throw an exception if undefined parameters are detected

[andy840314]

I think offering options to tweak this is confusing for the users. However, this error message
Unrecognized token '$': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
is not really reflecting the root cause. Throwing an exception should be a better solution.

[stephen-crawford]

[Triage] This request remains relevant. Error/exception message should be swapped to be more relevant. Tagging as "help wanted" and "good first issue."

[ThyTran1402]

Hi @rofleksey @andy840314

I can take a look into this issue. I believe the code on ConfigModelV7.java file was refactored to UserAttributes.java now. The root cause is UserAttributes.replaceProperties never replaces undefined ${...} placeholders, that behavior is unchanged. There's no option to replace undefined attributes with a default like "" to keep the query valid.

I can fix it by throwing the exception as Andy suggested. The fix is to make the message precise by surfacing exactly which attributes were unresolved and what attributes are available on the user.

[cwperks]

Closing as completed in #5975

This will be released in 3.6.0.