[BUG] Duplicate name for roles and actiongroups leading to stackoverflow error during bootup

[palashhedau]

Describe the bug
The same name used for role and actiongroups create a recursive loop while loading them into the memory. It eventually leads to Stackoverflow error as it recursively tries to evaluate roles and actiongroup indefinitely.

To Reproduce

Action Group

"VzReadOnlyKibanaRole":{"reserved":false,"hidden":false,"allowed_actions":["kibana_all_read","read","VzReadOnlyKibanaRole","ultrawarm_index_read","cluster:monitor/nodes/hot_threads","indices:data/read/explain","indices:data/read/field_caps","indices:data/read/field_caps*","indices:data/read/get","indices:data/read/mget","indices:data/read/mget*","indices:data/read/msearch","indices:data/read/msearch/template","indices:data/read/mtv","indices:data/read/mtv*","indices:data/read/scroll","indices:data/read/scroll/clear","indices:data/read/search","indices:data/read/search*","indices:data/read/search/template","indices:data/read/tv","indices:data/write/index"],"static":false}

Roles

"VZReadOnlyKibanaRole":{"reserved":false,"hidden":false,"cluster_permissions":["VzReadOnlyKibanaRole"],"index_permissions":[{"index_patterns":["*"],"dls":"","fls":[],"masked_fields":[],"allowed_actions":["VzReadOnlyKibanaRole"]}],"tenant_permissions":[{"tenant_patterns":["global_tenant"],"allowed_actions":["kibana_all_write"]}],"static":false}

Expected behavior
The config should be loaded into memory without any issue.

Plugins
Security

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

Additional context
Error Details

[2021-08-03T22:19:47,285][INFO ][c.a.c.e.logger ] [f18f5b0460d773e958c85f374f5d4445] GET /_nodes filter_path=nodes..version%2Cnodes..http.publish_address%2Cnodes.*.ip 503 SERVICE_UNAVAILABLE 255 1
[2021-08-03T22:19:49,147][ERROR][c.a.o.s.s.ConfigModelV7 ] [f18f5b0460d773e958c85f374f5d4445] Error while updating roles: java.lang.StackOverflowError
java.lang.StackOverflowError: null
at java.util.HashMap.hash(HashMap.java:339) ~[?:?]
at java.util.HashMap.put(HashMap.java:607) ~[?:?]
at java.util.HashSet.add(HashSet.java:220) ~[?:?]
at com.amazon.opendistroforelasticsearch.security.securityconf.ConfigModelV7$1.resolve(ConfigModelV7.java:164) ~[?:?]
at com.amazon.opendistroforelasticsearch.security.securityconf.ConfigModelV7$1.resolve(ConfigModelV7.java:162) ~[?:?]
at com.amazon.opendistroforelasticsearch.security.securityconf.ConfigModelV7$1.resolve(ConfigModelV7.java:162) ~[?:?]
at com.amazon.opendistroforelasticsearch.security.securityconf.ConfigModelV7$1.resolve(ConfigModelV7.java:162) ~[?:?]

[dhiAmzn]

This seems like two bugs to me:

1. An action group and role name having the same name, we're not able to distinguish between them (the bug mentioned in this issue seems to be a special case where action group name and role name both are same)
2. An action groups allowed_action forms a recursive dependency graph - which is why the above case is failing

Regarding 2, it can happen if:
a. Action group references to itself in its allowed action thus forming an infinite recursion.
b. Action group references in its allowed actions an action group B, which then references in its allowed actions the action group A. And so on with bigger dependency loops.

[peternied]

This issue is impacting clusters on startup, not currently running clusters.

[cliu123]

Closing the issue with merging #1868.
Note: If a cluster is set up with recursive action groups initially, the cluster boostrap would fail. But this fix prevents recursive action groups from getting introduced into a running cluster.

[peternied]

Note; we do not plan to fix issues with the recursive definition from in a configuration file as the node was never operational comparted to a functioning cluster going down, if there is interest we would be happy to review a pull request that addresses the configuration loading issue, thanks!