Whenever we get into a detailed analysis of Security's authz of index requests the following implementation quirk comes up.
Most recently it did during the review of https://github.com/elastic/elasticsearch/pull/92625.
Authorization happens in (at least) 2 steps:
1) rewrite the request to:
   - replace wildcards with only authorized names
   - if the ignore_unavailable request option is true, remove unauthorized resource names (non-wildcards)
2) authorize the request, by going over the resource names in the rewritten request, and letting it go through to the action handler iff all the resources are authorized.
Step 2) is wholly redundant if ignore_unavailable is true, as all the resource names in the rewritten request to be authorized are guaranteed to be authorized. Even if ignore_unavailable is false, in step 2) only the non-wildcard names from the original request need to be checked, because the ones expanded from wildcards are guaranteed to be authorized.
Corollary
It should be possible to incorporate step 2) into step 1). In this case, if ignore_unavailable is false, unauthorized non-wildcard names from the original request should cause the request to be rejected with the unauthorized error during the rewrite step (which also replaces wildcards and silently drops unauthorized non-wildcard names if ignore_unavailable is true).
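To make the redundancy concrete, here is a small model of the two steps and of the merged single step from the corollary. This is an added illustration, not Elasticsearch's code: `rewrite_request`, `authorize_request`, `two_step`, `one_step` and the sample cluster/authorized sets are all hypothetical, authorization is modeled as a plain set of index names, and wildcard expansion uses glob matching over the constructed index list.

```python
import fnmatch


class AuthorizationError(Exception):
    """Raised when a request names a resource the caller is not authorized for."""


def rewrite_request(requested, authorized, cluster_indices, ignore_unavailable):
    """Step 1 (hypothetical model): expand each wildcard to the authorized names only;
    if ignore_unavailable is true, also silently drop unauthorized literal names.

    Returns (rewritten, needs_check): the rewritten name list, and the subset of it
    that step 2 actually has to look at (unauthorized literals kept because
    ignore_unavailable is false). Every other name is authorized by construction.
    """
    rewritten, needs_check = [], []
    for name in requested:
        if "*" in name:
            # wildcard: only authorized matches survive, so none need a later check
            rewritten.extend(idx for idx in sorted(cluster_indices)
                             if fnmatch.fnmatchcase(idx, name) and idx in authorized)
        elif name in authorized:
            rewritten.append(name)
        elif not ignore_unavailable:
            # unauthorized literal kept for step 2 to reject
            rewritten.append(name)
            needs_check.append(name)
        # else: unauthorized literal dropped silently (ignore_unavailable=true)
    return rewritten, needs_check


def authorize_request(rewritten, authorized):
    """Step 2: let the request through iff every rewritten name is authorized."""
    denied = [n for n in rewritten if n not in authorized]
    if denied:
        raise AuthorizationError(f"unauthorized for indices {denied}")
    return rewritten


def two_step(requested, authorized, cluster_indices, ignore_unavailable):
    """Current shape: rewrite, then re-check every name in the rewritten request."""
    rewritten, _ = rewrite_request(requested, authorized, cluster_indices, ignore_unavailable)
    return authorize_request(rewritten, authorized)


def one_step(requested, authorized, cluster_indices, ignore_unavailable):
    """Corollary: reject unauthorized literals during the rewrite itself, so no
    second pass over the rewritten names is needed."""
    rewritten = []
    for name in requested:
        if "*" in name:
            rewritten.extend(idx for idx in sorted(cluster_indices)
                             if fnmatch.fnmatchcase(idx, name) and idx in authorized)
        elif name in authorized:
            rewritten.append(name)
        elif not ignore_unavailable:
            raise AuthorizationError(f"unauthorized for indices ['{name}']")
    return rewritten


def check_counts(requested, authorized, cluster_indices, ignore_unavailable):
    """(names step 2 checks, names that actually need checking) for one request."""
    rewritten, needs_check = rewrite_request(requested, authorized, cluster_indices, ignore_unavailable)
    return len(rewritten), len(needs_check)


def rejected(fn, *args):
    """True if the given authz function rejects the request."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


# constructed sample data: four indices exist, the caller may read three of them
CLUSTER = {"logs-1", "logs-2", "metrics-1", "secret"}
AUTHORIZED = {"logs-1", "logs-2", "metrics-1"}

if __name__ == "__main__":
    for req, iu in [(["logs-*"], False), (["logs-*", "secret"], True), (["logs-*", "secret"], False)]:
        checked, needed = check_counts(req, AUTHORIZED, CLUSTER, iu)
        print(f"{req} ignore_unavailable={iu}: step 2 checks {checked} names, {needed} needed; "
              f"two_step rejects={rejected(two_step, req, AUTHORIZED, CLUSTER, iu)}, "
              f"one_step rejects={rejected(one_step, req, AUTHORIZED, CLUSTER, iu)}")
```

With ignore_unavailable true, `check_counts` reports that step 2 has zero names that need checking for any request; with it false, only the unauthorized literals do, and `one_step` rejects exactly the same requests `two_step` does while producing the same rewritten names for the rest.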