roles yml changes for security-analytics plugin

[raj-chak]

Signed-off-by: Raj Chakravarthi raj@icedome.ca

Description

Added entries in roles.yml for cluster permissions to security-analytics plugin end points
Added default roles configuration required for security-analytics plugin

Issues Resolved

opensearch-project/security-analytics#50

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[peternied]

Thanks for creating this pull request, can you please fill in the pull request description for this change?

Biggest unknown for me is where the design usage of these permissions, would love to get more details on this. Please link associated issues/documents about this plugin.

[getsaurabh02]

Lets also add security_analytics_ack_alerts for the security operators to be able to acknowledge alerts with cluster permission as:

cluster_permissions:
    - 'cluster:admin/opendistro/securityanalytics/alerts/*'

[raj-chak]

done as opensearch not opendistro to be consistent with the rest

[getsaurabh02]

How about indices:admin/mappings/get ? Also are there more permissions such as for aliases that might be needed?

[raj-chak]

done and tested.

[peternied]

❌ CI / backward-compatibility (pull_request) Failing after 5m

This looks unrelated to this change, need to see if there is a new failure from main

[codecov-commenter]

Codecov Report

Merging #2192 (399269e) into main (9f9fddc) will decrease coverage by 0.11%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##               main    #2192      +/-   ##
============================================
- Coverage     61.14%   61.02%   -0.12%     
- Complexity     3266     3267       +1     
============================================
  Files           259      259              
  Lines         18335    18335              
  Branches       3248     3248              
============================================
- Hits          11211    11189      -22     
- Misses         5535     5561      +26     
+ Partials       1589     1585       -4     

Impacted Files	Coverage Δ
...curity/util/ratetracking/HeapBasedRateTracker.java	48.62% <0.00%> (-22.94%)	⬇️
...org/opensearch/security/support/SecurityUtils.java	72.30% <0.00%> (ø)
...search/security/transport/SecurityInterceptor.java	76.15% <0.00%> (+0.76%)	⬆️
.../dlic/auth/ldap2/LDAPConnectionFactoryFactory.java	58.95% <0.00%> (+1.49%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[peternied]

Thanks for making these updates, merging!

[peternied]

Note; the BWC issue is on main, merging this despite BWC failures since they were not impacted

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2192-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 89a11c5a165d9fc1a5412a3c2369d3b27869b305
# Push it to GitHub
git push --set-upstream origin backport/backport-2192-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2192-to-2.x.

[opensearch-trigger-bot]

The backport to 2.4 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.4 2.4
# Navigate to the new working tree
cd .worktrees/backport-2.4
# Create a new branch
git switch --create backport/backport-2192-to-2.4
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 89a11c5a165d9fc1a5412a3c2369d3b27869b305
# Push it to GitHub
git push --set-upstream origin backport/backport-2192-to-2.4
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.4

Then, create a pull request where the base branch is 2.4 and the compare/head branch is backport/backport-2192-to-2.4.