Add 'DLS and multiple roles' section to DLS topic

[john-eliatra]

Description

A request came in from a user searching for documentation on the dfm_empty_overrides_all setting that was introduced in OpenSearch previously.

Background

The exact setting is plugins.security.dfm_empty_overrides_all, and it caters for when a user with multiple roles has their search results restricted by DLS from one of those roles.

Proposed change to documentation

Added a new section to the Document-level security topic called 'DLS and multiple roles', which describes the situation and how to change it by adding the setting.

Issues Resolved

This PR resolves #6049

Checklist

• By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and subject to the Developers Certificate of Origin.
  For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[hdhalter]

Thanks, @john-eliatra !
@scrawfor99 - Can you please review this for technical accuracy? Thanks!

[hdhalter]

Hi @rursprung , can you please take a look at this PR to see if it addresses your issue? Thanks!

[rursprung]

thanks for documenting this. i think it should more explicitly mention that this also applies to roles which do not grant read access to the documents (e.g. a role granting access to search templates), see opensearch-project/security#3963 for more details.
it might also not hurt if it would give an example.

[stephen-crawford]

Signing off on technical accuracy.

[leanneeliatra]

@rursprung , I have updated the documentation to give an example of the case you mentioned, could you review it please. if you're happy with the changes we should be good to merge.
Thank you.

[Naarcha-AWS]

@leanneeliatra: Added some formatting and wording changes.

[leanneeliatra]

@leanneeliatra: Added some formatting and wording changes.

Yes thank you for those improvements, they have been integrated.

[rursprung]

thanks for the example!

tbh, i kind-of think that two examples would be helpful:

• the case for why you would want to have this setting enabled: namely you have two roles granting read access, one with DLS and one without, where the former is e.g. granted to a whole group of users while the latter is granted only to specific users (e.g. an admin user) where you somehow can't filter out the admin user from the group receiving the first (restricted) role, thus requiring the latter to be able to override the former
• the case you've now documented which is generally an unintentional consequence of having enabled the setting (which you enabled because you had the first case)

then you can clearly explain:

• why/when you'd want to enable it
• what you need to be extra careful about when you do need to enable it

[leanneeliatra]

I added another example @rursprung and hopefully made the docs clearer.

Could you review and let me know your thoughts please?

[natebower]

@john-eliatra @Naarcha-AWS Please see my comments and changes and let me know if you have any questions. Thanks!

[natebower]

is "grant read documents" correct? (It may be, but it reads a bit oddly to me).

[Naarcha-AWS]

"...grant read document permissions?"

[natebower]

Would the first sentence be better as "When a user is assigned both Role A and Role B and the plugins.security.dfm_empty_overrides_all setting is enabled, Role B's permissions..."?