Security plugin support (#399)

* feat(plugins): add security client plugin

Signed-off-by: florian <florian@harfanglab.fr>

* test(plugins): skip security plugin tests when disabled

Signed-off-by: florian <florian@harfanglab.fr>

* fix(security): remove non-ASCII character

Signed-off-by: florian <florian@harfanglab.fr>

* chore(CHANGELOG): added entry for security api support in changelog

Signed-off-by: florian <florian@harfanglab.fr>

* test(plugins): add asynchronous tests version

Signed-off-by: florian <florian@harfanglab.fr>

* test: remove some warnings

Signed-off-by: florian <florian@harfanglab.fr>

* chore(USER_GUIDE): add a security plugin part

Signed-off-by: florian <florian@harfanglab.fr>

* test(security): Split out security plugin tests in its own file

Signed-off-by: florian <florian@harfanglab.fr>

* chore: apply reviews

Signed-off-by: florian <florian@harfanglab.fr>

---------

Signed-off-by: florian <florian@harfanglab.fr>

.ci/run-opensearch.sh

@@ -81,7 +81,7 @@ END
     docker run \
       --name "$node_name" \
       --network "$network_name" \
-      --env "ES_JAVA_OPTS=-Xms1g -Xmx1g" \
+      --env "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" \
       "${environment[@]}" \
       "${volumes[@]}" \
       "${security[@]}" \

CHANGELOG.md

@@ -8,6 +8,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - Added index lifecycle guide ([#362](https://github.com/opensearch-project/opensearch-py/pull/362))
 - Added 'point in time' APIs to the pyi files in sync and async client ([#378](https://github.com/opensearch-project/opensearch-py/pull/378))
 - Added MacOS and Windows CI workflows ([#390](https://github.com/opensearch-project/opensearch-py/pull/390))
+- Added support for the security plugin ([#399](https://github.com/opensearch-project/opensearch-py/pull/399))
 - Compatibility with OpenSearch 2.1.0 - 2.6.0 ([#381](https://github.com/opensearch-project/opensearch-py/pull/381))
 - Added 'allow_redirects' parameter in perform_request function for RequestsHttpConnection ([#401](https://github.com/opensearch-project/opensearch-py/pull/401))
 - Enhanced YAML test runner to use OpenSearch rest-api-spec YAML tests ([#414](https://github.com/opensearch-project/opensearch-py/pull/414)

USER_GUIDE.md

@@ -21,6 +21,11 @@
       - [**Creating a destination**](#creating-a-destination)
       - [**Getting alerts**](#getting-alerts)
       - [**Acknowledge alerts**](#acknowledge-alerts)
+    - [Security plugin](#security-plugin)
+      - [Creating a role](#creating-a-role)
+      - [Getting a role](#getting-a-role)
+      - [Creating a user](#creating-a-user)
+      - [Getting a user](#getting-a-user)
   - [Using different authentication methods](#using-different-authentication-methods)
     - [Using IAM credentials](#using-iam-credentials)
       - [Pre-requisites to use `AWSV4SignerAuth`](#pre-requisites-to-use-awsv4signerauth)
@@ -420,6 +425,66 @@ query = {
 response = client.plugins.alerting.acknowledge_alert(query)
 print(response)
 ```
+
+### Security plugin
+
+#### Creating a role
+[API definition](https://opensearch.org/docs/latest/security/access-control/api/#create-role)
+```python
+print('\Creating a role:')
+
+role_name = "test-role"
+role_content = {
+  "cluster_permissions": ["cluster_monitor"],
+  "index_permissions": [
+      {
+          "index_patterns": ["index", "test-*"],
+          "allowed_actions": [
+              "data_access",
+              "indices_monitor",
+          ],
+      }
+  ],
+}
+
+response = client.security.put_role(role_name, body=role_content)
+print(response)
+```
+
+#### Getting a role
+[API definition](https://opensearch.org/docs/latest/security/access-control/api/#get-role)
+```python
+print('\Getting a role:')
+
+role_name = "test-role"
+
+response = client.security.get_role(role_name)
+print(response)
+```
+
+#### Creating a user
+[API definition](https://opensearch.org/docs/latest/security/access-control/api/#create-user)
+```python
+print('\Creating a user:')
+
+user_name = "test-user"
+user_content = {"password": "test_password", "opendistro_security_roles": []}
+
+response = client.security.put_role(user_name, body=user_content)
+print(response)
+```
+
+#### Getting a user
+[API definition](https://opensearch.org/docs/latest/security/access-control/api/#get-user)
+```python
+print('\Getting a user:')
+
+user_name = "test-user"
+
+response = client.security.get_user(user_name)
+print(response)
+```
+
 ## Using different authentication methods
 
 It is possible to use different methods for the authentication to OpenSearch. The parameters of `connection_class` and `http_auth` can be used for this. The following examples show how to authenticate using IAM credentials and using Kerberos.

docs/source/api-ref/plugins.md

@@ -8,4 +8,5 @@ maxdepth: 1
 ---
 
 plugins/alerting_plugin
+plugins/security_plugin
 ```

docs/source/api-ref/plugins/security_plugin.md

@@ -0,0 +1,5 @@
+# Security Plugin
+
+```{eval-rst}
+.. autoclass:: opensearchpy.plugins.security.SecurityClient
+```

opensearchpy/_async/client/plugins.py

@@ -10,6 +10,7 @@
 import warnings
 
 from ..plugins.alerting import AlertingClient
+from ..plugins.security import SecurityClient
 from .utils import NamespacedClient
 
 
@@ -23,7 +24,7 @@ def __init__(self, client):
         # self.anomaly_detection = AnomalyDetectionClient(client)
         # self.trace_analytics = TraceAnalyticsClient(client)
         # self.index_management = IndexManagementClient(client)
-        # self.security = SecurityClient(client)
+        self.security = SecurityClient(client)
 
         self._dynamic_lookup(client)
 
@@ -38,7 +39,7 @@ def _dynamic_lookup(self, client):
             # "anomaly_detection",
             # "trace_analytics",
             # "index_management",
-            # "security"
+            "security",
         ]
         for plugin in plugins:
             if not hasattr(client, plugin):

opensearchpy/_async/client/plugins.pyi

@@ -14,4 +14,5 @@ from .utils import NamespacedClient as NamespacedClient
 
 class PluginsClient(NamespacedClient):
     alerting: Any
+    security: Any
     def __init__(self, client: AsyncOpenSearch) -> None: ...