[Resource Sharing] Adds a Resource Access Evaluator for standalone Resource access authorization (#5408)

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

Author: DarshitChanpura

.github/workflows/ci.yml

@@ -297,9 +297,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [ 21 ]
-        platform: [ ubuntu-latest ]
-    runs-on: ubuntu-latest
+        jdk: [21,24]
+        platform: [ubuntu-latest]
+    runs-on: ${{ matrix.platform }}
     container:
       # using the same image which is used by opensearch-build team to build the OpenSearch Distribution
       # this image tag is subject to change as more dependencies and updates will arrive over time

CHANGELOG.md

@@ -18,6 +18,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 * Create a mechanism for plugins to explicitly declare actions they need to perform with their assigned PluginSubject ([#5341](https://github.com/opensearch-project/security/pull/5341))
 * Moves OpenSAML jars to a Shadow Jar configuration to facilitate its use in FIPS enabled environments ([#5400](https://github.com/opensearch-project/security/pull/5404))
+* [Resource Sharing] Adds a Resource Access Evaluator for standalone Resource access authorization ([#5408](https://github.com/opensearch-project/security/pull/5408))
 * Replaced the standard distribution of BouncyCastle with BC-FIPS ([#5439](https://github.com/opensearch-project/security/pull/5439))
 * Introduced setting `plugins.security.privileges_evaluation.precomputed_privileges.enabled` ([#5465](https://github.com/opensearch-project/security/pull/5465))
 * Optimized wildcard matching runtime performance ([#5470](https://github.com/opensearch-project/security/pull/5470))
@@ -36,12 +37,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Refactoring
 
-* Refactor JWT Vender to take a claims builder and rename oboEnabled to enabled ([#5436](https://github.com/opensearch-project/security/pull/5436))
+* Refactor JWT Vendor to take a claims builder and rename oboEnabled to be enabled ([#5436](https://github.com/opensearch-project/security/pull/5436))
 * Remove ASN1 reflection methods ([#5454](https://github.com/opensearch-project/security/pull/5454))
 * Remove provider reflection code ([#5457](https://github.com/opensearch-project/security/pull/5457))
 * Add tenancy access info to serialized user in threadcontext ([#5519](https://github.com/opensearch-project/security/pull/5519))
 
 ### Maintenance
+
 - Bump `org.eclipse.platform:org.eclipse.core.runtime` from 3.33.0 to 3.33.100 ([#5400](https://github.com/opensearch-project/security/pull/5400))
 - Bump `org.eclipse.platform:org.eclipse.equinox.common` from 3.20.0 to 3.20.100 ([#5402](https://github.com/opensearch-project/security/pull/5402))
 - Bump `spring_version` from 6.2.7 to 6.2.9 ([#5403](https://github.com/opensearch-project/security/pull/5403), [#5493](https://github.com/opensearch-project/security/pull/5493))

sample-resource-plugin/README.md

@@ -58,12 +58,13 @@ plugins.security.system_indices.enabled: true
 
 4. **Interaction Rules**
     - If a **user is not the resource owner**, they must:
-        - Be assigned **a role with `sample_read_access`** permissions.
-        - **Have the resource shared with them** via the resource-sharing API.
+        - **Have the resource shared with them** via the resource-sharing API with appropriate action group.
     - A user **without** the necessary `sample-resource-plugin` cluster permissions:
         - **Cannot access the resource**, even if it is shared with them.
     - A user **with `sample-resource-plugin` permissions** but **without a shared resource**:
         - **Cannot access the resource**, since resource-level access control applies.
+    - A user **with full-access to the resource** will be able to **update and delete that resource**.
+        - Owners and super-admin get full-access by default.
 
 
 ## API Endpoints
@@ -140,20 +141,22 @@ The plugin exposes the following six API endpoints:
 
 ### 5. Share Resource
 - **Endpoint:** `POST /_plugins/sample_resource_sharing/share/{resource_id}`
-- **Description:** Shares a resource with the intended entities. At present, only admin and resource owners can share the resource.
+- **Description:** Shares a resource with the intended entities.
 - **Request Body:**
   ```json
   {
     "share_with": {
-      "users": [ "sample_user" ]
+      "read_only": {
+        "users": [ "sample_user" ]
+      }
     }
   }
   ```
 - **Response:**
   ```json
     {
       "share_with": {
-        "default": {
+        "read_only": {
           "users": [ "sample_user" ]
         }
       }
@@ -162,19 +165,25 @@ The plugin exposes the following six API endpoints:
 
 ### 6. Revoke Resource Access
 - **Endpoint:** `POST /_plugins/sample_resource_sharing/revoke/{resource_id}`
-- **Description:** Shares a resource with the intended entities. At present, only admin and resource owners can share the resource.
+- **Description:** Shares a resource with the intended entities.
 - **Request Body:**
   ```json
     {
       "entities_to_revoke": {
-        "users": [ "sample_user" ]
+        "read_only": {
+          "users": [ "sample_user" ]
+        }
       }
     }
   ```
 - **Response:**
   ```json
     {
-      "share_with" : { }
+      "share_with" : {
+        "read_only": {
+          "users" : [ ]
+        }
+      }
     }
   ```
 

sample-resource-plugin/build.gradle

@@ -74,6 +74,8 @@ dependencies {
     implementation "org.opensearch.client:opensearch-rest-client:${opensearch_version}"
     implementation "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}"
 
+    integrationTestImplementation 'org.ldaptive:ldaptive:1.2.3' // for running multinode tests
+
     // Integration test dependencies
     integrationTestImplementation rootProject.sourceSets.integrationTest.output
     integrationTestImplementation rootProject.sourceSets.main.output