Fix caching

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRoleMappingsIntegTests.java

@@ -70,7 +70,7 @@ protected Collection<Class<? extends Plugin>> getMockPlugins() {
     }
 
     @Before
-    private void clearRoleMappings() throws InterruptedException {
+    public void clearRoleMappings() throws InterruptedException {
         publishRoleMappings(Set.of());
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java

@@ -34,6 +34,7 @@
 import org.elasticsearch.xpack.core.security.ScrollHelper;
 import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingRequest;
 import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequest;
+import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.TemplateRoleName;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;
@@ -340,6 +341,7 @@ private void innerGetRoleMappings(Set<String> names, ActionListener<List<Express
         } else if (names == null || names.isEmpty()) {
             getMappings(listener);
         } else {
+            // TODO make sure order in which we are filtering is as expected...
             getMappings(listener.safeMap(mappings -> mappings.stream().filter(m -> names.contains(m.getName())).toList()));
         }
     }
@@ -419,6 +421,12 @@ public void onSecurityIndexStateChange(SecurityIndexManager.State previousState,
         }
     }
 
+    @Override
+    public void clearRealmCacheOnChange(CachingRealm realm) {
+        super.clearRealmCacheOnChange(realm);
+        reservedRoleMappings.clearRealmCacheOnChange(realm);
+    }
+
     @Override
     public void resolveRoles(UserData user, ActionListener<Set<String>> listener) {
         getRoleMappings(null, ActionListener.wrap(mappings -> {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/ReservedRoleMappings.java

@@ -7,6 +7,9 @@
 
 package org.elasticsearch.xpack.security.authc.support.mapper;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
 
 import java.util.LinkedHashMap;
@@ -15,6 +18,8 @@
 import java.util.Set;
 
 public class ReservedRoleMappings {
+
+    private static final Logger logger = LogManager.getLogger(ReservedRoleMappings.class);
     private final ClusterStateRoleMapper clusterStateRoleMapper;
 
     public ReservedRoleMappings(ClusterStateRoleMapper clusterStateRoleMapper) {
@@ -24,10 +29,12 @@ public ReservedRoleMappings(ClusterStateRoleMapper clusterStateRoleMapper) {
     public List<ExpressionRoleMapping> mergeWithReserved(List<ExpressionRoleMapping> roleMappings) {
         final Set<ExpressionRoleMapping> reservedRoleMappings = clusterStateRoleMapper.getMappings();
         if (reservedRoleMappings.isEmpty()) {
+            logger.debug("Reserved role mappings empty.");
             return roleMappings;
         }
 
         if (roleMappings.isEmpty()) {
+            logger.debug("Role mappings empty.");
             return List.copyOf(reservedRoleMappings);
         }
 
@@ -44,4 +51,9 @@ public List<ExpressionRoleMapping> mergeWithReserved(List<ExpressionRoleMapping>
     public boolean isReserved(String roleMappingName) {
         return clusterStateRoleMapper.getMappings().stream().anyMatch(roleMapping -> roleMapping.getName().equals(roleMappingName));
     }
+
+    // TODO find a cleaner way
+    public void clearRealmCacheOnChange(CachingRealm realm) {
+        clusterStateRoleMapper.clearRealmCacheOnChange(realm);
+    }
 }