Is your feature request related to a problem?
We need the actions in the security_analytics plugin to be protected by roles. In addition, any interaction with the alerting plugin from within security_analytics will use the admin role, provided the user has the underlying privileges to invoke the corresponding detector action.
What solution would you like?
Add the corresponding entries for the security_analytics actions to the config file used by the security plugin ( https://github.com/opensearch-project/security/blob/main/config/roles.yml ). That would enable the initial authentication that happens before the transport layer:
```yaml
# Allows users to see security analytics detectors and others
security_analytics_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/securityanalytics/alerts/get'
    - 'cluster:admin/opensearch/securityanalytics/detector/get'
    - 'cluster:admin/opensearch/securityanalytics/detector/search'
    - 'cluster:admin/opensearch/securityanalytics/findings/get'
    - 'cluster:admin/opensearch/securityanalytics/mapping/get'
    - 'cluster:admin/opensearch/securityanalytics/mapping/view/get'
    - 'cluster:admin/opensearch/securityanalytics/rule/get'
    - 'cluster:admin/opensearch/securityanalytics/rule/search'

# Allows users to use all security analytics functionality
security_analytics_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/securityanalytics/alerts/*'
    - 'cluster:admin/opensearch/securityanalytics/detector/*'
    - 'cluster:admin/opensearch/securityanalytics/findings/*'
    - 'cluster:admin/opensearch/securityanalytics/mapping/*'
    - 'cluster:admin/opensearch/securityanalytics/rule/*'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices:admin/mapping/put'
        - 'indices:admin/mappings/get'

# Allows users to view and acknowledge alerts
security_analytics_ack_alerts:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/securityanalytics/alerts/*'
```
For fine-grained access, we need to enforce backend roles programmatically at the transport layer in the security_analytics plugin.
We will implement the following at the transport layer:
filterBy is a dynamic, node-scoped setting defined as:

```java
Setting.boolSetting(
    "plugins.security_analytics.filter_by_backend_roles",
    false,
    Setting.Property.NodeScope, Setting.Property.Dynamic
)
```
- If filterBy is enabled:
  a) Do not allow creating detectors (throw an error) if the logged-on user has no backend roles configured.
- If filterBy is enabled and detectors were created while filterBy was disabled:
  a) If backend_roles are saved with the detector config, results are filtered and the data is shown.
  b) If backend_roles are not saved with the detector config, results are filtered and no detectors are displayed.
  c) Users can edit and save the detectors to associate their backend_roles.
If user1 has the backend roles "IT, HR, Accounting" and user2 has the backend role "IT", user2 would be able to see detectors created by user1 and vice versa, since they share the IT backend role.
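As an added illustration (not code from the security-analytics plugin), the rules above expressed as a stand-alone Java class; the class name, method names and the sample users are invented for this example:

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper: decides create/visibility outcomes under filterBy.
public final class BackendRoleFilter {

    /** Rule 1a: with filterBy on, a user without backend roles may not create a detector. */
    public static void validateCreate(boolean filterBy, List<String> userBackendRoles) {
        if (filterBy && (userBackendRoles == null || userBackendRoles.isEmpty())) {
            throw new IllegalArgumentException("user has no backend roles configured");
        }
    }

    /** Rules 2a/2b: is a stored detector visible to the calling user? */
    public static boolean isVisible(boolean filterBy, List<String> userBackendRoles,
                                    List<String> detectorBackendRoles) {
        if (!filterBy) {
            return true; // filtering disabled: every detector is visible
        }
        if (detectorBackendRoles == null || detectorBackendRoles.isEmpty()) {
            return false; // 2b: saved while filterBy was off, no roles stored
        }
        Set<String> shared = new HashSet<>(
            userBackendRoles == null ? Collections.<String>emptyList() : userBackendRoles);
        shared.retainAll(detectorBackendRoles);
        return !shared.isEmpty(); // 2a: any shared backend role grants visibility
    }

    public static void main(String[] args) {
        List<String> user1 = List.of("IT", "HR", "Accounting"); // constructed sample users
        List<String> user2 = List.of("IT");
        List<String> legacy = Collections.emptyList(); // detector saved with filterBy off

        validateCreate(true, user1); // passes: user1 has backend roles
        System.out.println("user2 sees user1's detector: " + isVisible(true, user2, user1));
        System.out.println("user1 sees user2's detector: " + isVisible(true, user1, user2));
        System.out.println("user1 sees legacy detector:  " + isVisible(true, user1, legacy));
        System.out.println("legacy visible, filterBy off: " + isVisible(false, user1, legacy));
        try {
            validateCreate(true, Collections.emptyList());
        } catch (IllegalArgumentException e) {
            System.out.println("create rejected: " + e.getMessage());
        }
    }
}
```

Re-saving the legacy detector with the editing user's backend roles (rule 2c) turns the third check from hidden to visible.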
For integration testing
We can define a GitHub workflow that enables the security plugin for the security analytics plugin and add secure integration tests that exercise these checks.