Integrate rules into elasticsearch result

[HesamoddinMonfared]

I worked on applying rules to search results.
The current implementation is for elasticsearch only.

The implementation has been tested with different rules, policies and roles and the results show the correctness.

[github-actions]

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

[harshach]

IMO it would be better if we codify for each expression/rule to return the search condition for it.
Example if the condition says isOwner() only allow, then we should return the condition.getSearchCondition(SecurityContext) -> return 'owner.name=%s'.format(SecurityContext.getUsername() or owner.name=(getTeams(SecurityContext.getUsername())

[harshach]

The complexity involved enforcing these on the search side is

1. Hierarchy of Rule processing
2. We process Deny rules first before the allow rules
3. Enforcing the Resource side attribute conditions example Allow Edit only if the table contains certain tags

[harshach]

@HesamoddinMonfared Thanks for taking this up. Lets visit the goals of this integration

1. Users who doesn't have view access to certain data assets shouldn't be able to see it as part of the search results
2. We are not going to worry about the Edit Access conditions as they will be taken care by the APIs itself
3. Complexity of View conditions Processing
   4. A team can set a condition that only their team members should be able to view all of it assets
   5. A team can set a condition that only their team members should be able to view all of it assets except if it contains certain tags
   6. Admin can set a condition at Org level, any data in a domain should only viewable by users with-in that domain except for assets that are part of Data Products

who will build the conditions, the delegation should be part of the rule itself . i.e each rule should have method to equivalent to returning true or false . Example isOwner() takes the security context and returns true or false if the user who logged in is a owner of the asset or part of the team that is owner of the asset.
Similarly it should return a condition that can be applied to search query instead of this logic outside. This way any new conditions added can be implemented methodically rather adding this logic in another place which can easily introduce gaps

Condition evaluation

1. Go through hierarchy of the conditions similar to what we are doing in authorizer.
2. Process the Deny rule first
3. All of these rules should have an operator with AND, if there are multiple rules at the same state we should look at the condition specified for that rule