Onboards to centralized resource access control for detectors and forecasters (#1533)

* Onboards to the auto authz for Resource requests

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Fixes compilation issues

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Adds missing streamoutput write for configIndex fiedl

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Update SuggestConfigParamRequestTests to bring coverage to 0.60

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Undo config indexing request to not be a docRequest

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Disabling run with feature flag as it requires decent number of changes in the rest tests

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Bump jacoco to 0.8.13

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

---------

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

Author: DarshitChanpura

.github/workflows/test_security.yml

@@ -24,7 +24,7 @@ jobs:
     strategy:
       matrix:
         # empty string = disabled, flag = enabled
-        resource_sharing_flag: ["", "-Dresource_sharing.enabled=true"]
+        resource_sharing_flag: [""]
 
     steps:
       - name: Run start commands

CHANGELOG.md

@@ -7,6 +7,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 ### Features
 ### Enhancements
 - Support >1 hr intervals ([#1513](https://github.com/opensearch-project/anomaly-detection/pull/1513))
+- Onboards to centralized resource access control for detectors and forecasters ([#1533](https://github.com/opensearch-project/anomaly-detection/pull/1533))
 
 
 ### Bug Fixes

build-tools/coverage.gradle

@@ -6,7 +6,7 @@
 apply plugin: 'jacoco'
 
 jacoco {
-    toolVersion = "0.8.12"
+    toolVersion = "0.8.13"
 }
 
 /**

build.gradle

@@ -163,8 +163,8 @@ dependencies {
     implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.18.0'
 
 
-    implementation "org.jacoco:org.jacoco.agent:0.8.12"
-    implementation ("org.jacoco:org.jacoco.ant:0.8.12") {
+    implementation "org.jacoco:org.jacoco.agent:0.8.13"
+    implementation ("org.jacoco:org.jacoco.ant:0.8.13") {
         exclude group: 'org.ow2.asm', module: 'asm-commons'
         exclude group: 'org.ow2.asm', module: 'asm'
         exclude group: 'org.ow2.asm', module: 'asm-tree'
@@ -213,7 +213,7 @@ allprojects {
     version = "${opensearch_build}"
 
     plugins.withId('jacoco') {
-        jacoco.toolVersion = '0.8.12'
+        jacoco.toolVersion = '0.8.13'
     }
 }
 
@@ -375,6 +375,7 @@ integTest {
     systemProperty "https", System.getProperty("https")
     systemProperty "user", System.getProperty("user")
     systemProperty "password", System.getProperty("password")
+    systemProperty "resource_sharing.enabled", System.getProperty("resource_sharing.enabled")
 
     // Only rest case can run with remote cluster
     if (System.getProperty("tests.rest.cluster") != null) {

src/main/java/org/opensearch/ad/rest/RestAnomalyDetectorJobAction.java

@@ -21,6 +21,7 @@
 import java.util.Locale;
 
 import org.opensearch.ad.constant.ADCommonMessages;
+import org.opensearch.ad.indices.ADIndex;
 import org.opensearch.ad.settings.ADEnabledSetting;
 import org.opensearch.ad.transport.AnomalyDetectorJobAction;
 import org.opensearch.cluster.service.ClusterService;
@@ -65,7 +66,13 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
         String rawPath = request.rawPath();
         DateRange detectionDateRange = parseInputDateRange(request);
 
-        JobRequest anomalyDetectorJobRequest = new JobRequest(detectorId, detectionDateRange, historical, rawPath);
+        JobRequest anomalyDetectorJobRequest = new JobRequest(
+            detectorId,
+            ADIndex.CONFIG.getIndexName(),
+            detectionDateRange,
+            historical,
+            rawPath
+        );
 
         return channel -> client
             .execute(AnomalyDetectorJobAction.INSTANCE, anomalyDetectorJobRequest, new RestToXContentListener<>(channel));

src/main/java/org/opensearch/ad/rest/RestDeleteAnomalyDetectorAction.java

@@ -18,6 +18,7 @@
 import java.util.Locale;
 
 import org.opensearch.ad.constant.ADCommonMessages;
+import org.opensearch.ad.indices.ADIndex;
 import org.opensearch.ad.settings.ADEnabledSetting;
 import org.opensearch.ad.transport.DeleteAnomalyDetectorAction;
 import org.opensearch.rest.BaseRestHandler;
@@ -50,7 +51,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
         }
 
         String detectorId = request.param(DETECTOR_ID);
-        DeleteConfigRequest deleteAnomalyDetectorRequest = new DeleteConfigRequest(detectorId);
+        DeleteConfigRequest deleteAnomalyDetectorRequest = new DeleteConfigRequest(detectorId, ADIndex.CONFIG.getIndexName());
         return channel -> client
             .execute(DeleteAnomalyDetectorAction.INSTANCE, deleteAnomalyDetectorRequest, new RestToXContentListener<>(channel));
     }

src/main/java/org/opensearch/ad/rest/RestGetAnomalyDetectorAction.java

@@ -22,6 +22,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.ad.constant.ADCommonMessages;
+import org.opensearch.ad.indices.ADIndex;
 import org.opensearch.ad.settings.ADEnabledSetting;
 import org.opensearch.ad.transport.GetAnomalyDetectorAction;
 import org.opensearch.rest.BaseRestHandler;
@@ -64,6 +65,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
         boolean all = request.paramAsBoolean("_all", false);
         GetConfigRequest getConfigRequest = new GetConfigRequest(
             detectorId,
+            ADIndex.CONFIG.getIndexName(),
             RestActions.parseVersion(request),
             returnJob,
             returnTask,

src/main/java/org/opensearch/ad/rest/handler/IndexAnomalyDetectorActionHandler.java

@@ -37,27 +37,27 @@ public class IndexAnomalyDetectorActionHandler extends AbstractAnomalyDetectorAc
     /**
      * Constructor function.
      *
-     * @param clusterService          ClusterService
-     * @param client                  ES node client that executes actions on the local node
-     * @param clientUtil              AD client util
-     * @param transportService        ES transport service
-     * @param anomalyDetectionIndices anomaly detector index manager
-     * @param detectorId              detector identifier
-     * @param seqNo                   sequence number of last modification
-     * @param primaryTerm             primary term of last modification
-     * @param refreshPolicy           refresh policy
-     * @param anomalyDetector         anomaly detector instance
-     * @param requestTimeout          request time out configuration
+     * @param clusterService           ClusterService
+     * @param client                   ES node client that executes actions on the local node
+     * @param clientUtil               AD client util
+     * @param transportService         ES transport service
+     * @param anomalyDetectionIndices  anomaly detector index manager
+     * @param detectorId               detector identifier
+     * @param seqNo                    sequence number of last modification
+     * @param primaryTerm              primary term of last modification
+     * @param refreshPolicy            refresh policy
+     * @param anomalyDetector          anomaly detector instance
+     * @param requestTimeout           request time out configuration
      * @param maxSingleStreamDetectors max single-stream anomaly detectors allowed
-     * @param maxHCDetectors          max HC detectors allowed
-     * @param maxFeatures             max features allowed per detector
-     * @param maxCategoricalFields    max number of categorical fields
-     * @param method                  Rest Method type
-     * @param xContentRegistry        Registry which is used for XContentParser
-     * @param user                    User context
-     * @param adTaskManager           AD Task manager
-     * @param searchFeatureDao        Search feature dao
-     * @param settings                Node settings
+     * @param maxHCDetectors           max HC detectors allowed
+     * @param maxFeatures              max features allowed per detector
+     * @param maxCategoricalFields     max number of categorical fields
+     * @param method                   Rest Method type
+     * @param xContentRegistry         Registry which is used for XContentParser
+     * @param user                     User context
+     * @param adTaskManager            AD Task manager
+     * @param searchFeatureDao         Search feature dao
+     * @param settings                 Node settings
      */
     public IndexAnomalyDetectorActionHandler(
         ClusterService clusterService,

src/main/java/org/opensearch/ad/transport/AnomalyDetectorJobTransportAction.java

@@ -63,7 +63,6 @@ public AnomalyDetectorJobTransportAction(
             FAIL_TO_STOP_DETECTOR,
             AnomalyDetector.class,
             adIndexJobActionHandler,
-            ADIndex.CONFIG.getIndexName(),
             Clock.systemUTC() // inject cannot find clock due to OS limitation
         );
     }

src/main/java/org/opensearch/ad/transport/AnomalyResultRequest.java

@@ -22,6 +22,7 @@
 import org.opensearch.action.ActionRequestValidationException;
 import org.opensearch.ad.constant.ADCommonMessages;
 import org.opensearch.ad.constant.ADCommonName;
+import org.opensearch.ad.indices.ADIndex;
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.common.io.stream.InputStreamStreamInput;
 import org.opensearch.core.common.io.stream.OutputStreamStreamOutput;
@@ -37,7 +38,7 @@ public AnomalyResultRequest(StreamInput in) throws IOException {
     }
 
     public AnomalyResultRequest(String adID, long start, long end) {
-        super(adID, start, end);
+        super(adID, ADIndex.CONFIG.getIndexName(), start, end);
     }
 
     @Override