[Resource Permissions] Introduces Centralized Resource Access Control Framework

[DarshitChanpura]

Description

Introduces Centralized Resource Access Control framework by declaring a new SPI for plugins to extend ResourceSharingExtension and use ResourceSharingClient to utilize the resource access control APIs. Design outlined in the proposal below.

Issues Resolved

• Related to [Proposal] Resource Permissions and Sharing #4500

Testing

• unit and integration tests, manual testing

Check List

• New functionality includes testing
• New functionality has been documented
  - [ ] New Roles/Permissions have a corresponding security dashboards plugin PR
  - [ ] API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

❌ Patch coverage is 65.70486% with 416 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.69%. Comparing base (cac58bc) to head (540d3c6).
⚠️ Report is 167 commits behind head on main.

Files with missing lines	Patch %	Lines
...ecurity/resources/ResourceSharingIndexHandler.java	57.98%	112 Missing and 9 partials ⚠️
...ecurity/spi/resources/sharing/ResourceSharing.java	50.60%	36 Missing and 5 partials ⚠️
...arch/security/resources/ResourceAccessHandler.java	66.66%	25 Missing and 11 partials ⚠️
...arch/security/resources/ResourceIndexListener.java	16.12%	26 Missing ⚠️
...y/spi/resources/sharing/SharedWithActionGroup.java	64.81%	17 Missing and 2 partials ⚠️
...arch/security/spi/resources/sharing/CreatedBy.java	46.15%	12 Missing and 2 partials ⚠️
...ain/java/org/opensearch/sample/SampleResource.java	64.70%	12 Missing ⚠️
...tions/transport/DeleteResourceTransportAction.java	69.44%	9 Missing and 2 partials ⚠️
.../opensearch/security/OpenSearchSecurityPlugin.java	74.41%	9 Missing and 2 partials ⚠️
...arch/security/spi/resources/sharing/ShareWith.java	64.00%	7 Missing and 2 partials ⚠️
... and 27 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5281      +/-   ##
==========================================
- Coverage   72.04%   71.69%   -0.36%     
==========================================
  Files         336      384      +48     
  Lines       22648    23858    +1210     
  Branches     3560     3632      +72     
==========================================
+ Hits        16317    17104     +787     
- Misses       4556     4929     +373     
- Partials     1775     1825      +50     

Files with missing lines	Coverage Δ
...va/org/opensearch/sample/SampleResourcePlugin.java	100.00% <100.00%> (ø)
...urce/actions/rest/create/CreateResourceAction.java	100.00% <100.00%> (ø)
...urce/actions/rest/create/UpdateResourceAction.java	100.00% <100.00%> (ø)
...urce/actions/rest/delete/DeleteResourceAction.java	100.00% <100.00%> (ø)
...e/resource/actions/rest/get/GetResourceAction.java	100.00% <100.00%> (ø)
...source/actions/rest/get/GetResourceRestAction.java	100.00% <100.00%> (ø)
...ctions/rest/revoke/RevokeResourceAccessAction.java	100.00% <100.00%> (ø)
...source/actions/rest/share/ShareResourceAction.java	100.00% <100.00%> (ø)
...transport/RevokeResourceAccessTransportAction.java	100.00% <100.00%> (ø)
...resource/client/ResourceSharingClientAccessor.java	100.00% <100.00%> (ø)
... and 44 more

... and 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cwperks]

Thank you for the persistence @DarshitChanpura. Approving this PR with some of the comments remaining above, particularly around setting up extendedPlugins within the integrationTest framework.

I think this change is sufficiently isolated behind the experimental feature flag where the new classes initialized in OpenSearchSecurityPlugin are not used/instantiated unless the feature flag is enabled.

I really wanted to laud the introduction of this new extensibility model which I can see extended further in the future for other use-cases for plugins integrating with security and really paves the path forward for getting rid of the awkward existing plugin use-cases reading the user from the threadcontext and storing a copy in their own system indices either for this sharing use-case or for the job scheduler use case where they inject the roles back in at job runtime.

I also wanted to leave this quote: opensearch-project/OpenSearch#4459 (comment)

Reviewing use of painless

[cwperks]

Marking as approved again with additional comments.

[derek-ho]

Thank you, Darshit Chanpura

[derek-ho]

Thanks