Multiple roles and DLS/FLS: role with no DLS/FLS should "win" #1572
Status: Closed
Labels: enhancement (New feature or request)
Description
Is your feature request related to a problem? Please describe.
Situation:
- There are two roles: role A with DLS and role B without DLS, both giving access to an index X.
- Role A is granted to all users (intent: grant it to all "real" users so that they see only the data they need).
- Role B is granted to a technical user to give him additional rights (e.g. a data import user which needs to be able to see all documents).
- Because role A is granted to all users, it is also given to the technical user.
Due to the user having role B, he should be able to see all documents in index X, even though he also has role A.
Describe the solution you'd like
There should be an option to change the behaviour so that the role with no DLS wins.
Search Guard has this feature using a config option (system-wide setting: dfm_empty_overrides_all):
Describe alternatives you've considered
- Granting the role(s) with DLS only to users with specific roles: e.g. in our setup there's only one user in the whole system which shouldn't have this role. There's no way (e.g. a backend role in the JWT) which could be used to identify the other users.
- Granting the role(s) with DLS to all users except users of a specific group: it's not possible to define a role mapping as "everything except".
Also, both options would be cumbersome to manage the more roles exist, and there's a risk that a user might then not be granted a restricting role and can see everything by accident.
Additional context
n/a
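To make the two behaviours discussed in this issue concrete, here is an added model (not code from the security plugin or from Search Guard) of how per-role DLS queries are merged for one index. It assumes, as marked in the comments, that the DLS queries of all matching roles are OR-combined into a bool/should query, that a role without DLS contributes nothing under the current behaviour, and that the requested option (named after Search Guard's `dfm_empty_overrides_all`) makes any matching role without DLS lift the restriction entirely. The roles, index name and documents are constructed to mirror the situation above.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    index_pattern: str            # e.g. "data-*"
    dls: Optional[dict] = None    # None = role carries no DLS query


def _matches(role: Role, index: str) -> bool:
    # Assumption: index patterns use simple glob matching.
    return fnmatch(index, role.index_pattern)


def effective_dls(roles, index, dfm_empty_overrides_all=False):
    """Return the DLS query to inject for `index`, or None for unrestricted."""
    matching = [r for r in roles if _matches(r, index)]
    if not matching:
        raise PermissionError(f"no role grants access to {index}")
    # Requested behaviour: a role without DLS "wins" for this index.
    if dfm_empty_overrides_all and any(r.dls is None for r in matching):
        return None
    # Current behaviour (assumed): roles without DLS contribute nothing;
    # the remaining DLS queries are OR-combined.
    queries = [r.dls for r in matching if r.dls is not None]
    if not queries:
        return None
    if len(queries) == 1:
        return queries[0]
    return {"bool": {"should": queries, "minimum_should_match": 1}}


def doc_matches(doc, query):
    """Toy evaluator for the two query shapes used here: term and bool/should."""
    if "term" in query:
        ((field, value),) = query["term"].items()
        return doc.get(field) == value
    if "bool" in query:
        return any(doc_matches(doc, q) for q in query["bool"]["should"])
    raise ValueError(f"unsupported query: {query}")


def visible_docs(roles, index, docs, dfm_empty_overrides_all=False):
    """Documents a user holding `roles` would see in `index`."""
    query = effective_dls(roles, index, dfm_empty_overrides_all)
    if query is None:
        return list(docs)
    return [d for d in docs if doc_matches(d, query)]


# Constructed sample data mirroring the issue: role A restricts, role B does not.
ROLE_A = Role("role_A", "data-*", {"term": {"department": "sales"}})
ROLE_B = Role("role_B", "data-*")
ROLE_C = Role("role_C", "data-*", {"term": {"department": "hr"}})
DOCS = [
    {"id": 1, "department": "sales"},
    {"id": 2, "department": "finance"},
    {"id": 3, "department": "hr"},
]

if __name__ == "__main__":
    for flag in (False, True):
        seen = [d["id"] for d in visible_docs([ROLE_A, ROLE_B], "data-2024", DOCS, flag)]
        print(f"dfm_empty_overrides_all={flag}: technical user sees {seen}")
```

With the option off, the technical user holding both roles is still limited to role A's documents; with it on, role B lifts the restriction, while a user holding only role A keeps the same restricted view in both modes. The `ROLE_A` plus `ROLE_C` case shows the OR-combination of two restricting roles.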