Introduces IdentityPlugin with initial interface for extensions use-cases #56

Open
wants to merge 2 commits into
base: main

cwperks
Owner

@cwperks cwperks commented Apr 24, 2023

Description

Introduces IdentityPlugin with initial interface for extensions use-cases. Details about plans for Security for Extensions can be found here: https://gist.github.com/cwperks/e756e1cead72cd511d819241a11337e8

For an example of usage in the Security Plugin please see: cwperks/security#3

For a quick summary, the extensions project is a major effort in the OpenSearch community to promote contributions to OpenSearch by having extensions discoverable through a catalog. Extensions may or may not run in the same JVM as the ES process, but in either case interfaces are being built to ensure that extensions run in a secure fashion and are restricted in how actions originating from an extension can interact with an OpenSearch cluster. In the current plugin architecture of OpenSearch, plugins are granted a lot of trust, especially with the ability to stash the thread context to assume super user access to a cluster. With extensions, there is a more explicit trust boundary between OpenSearch core and an extension, and this PR introduces a new IdentityPlugin interface which will provide the bridge between OpenSearch core and an extension.

In an OpenSearch node with the Security plugin installed, the Security plugin wraps a REST request to authenticate the request and enrich the thread context with user info (in the _opendistro_security_user threadcontext transient header). If this header is present in the threadcontext, then it means that the current subject exists and is authenticated (not necessarily authorized! That is a check that is performed later with the getActionFilters() extension point as the very first filter that is applied - See SecurityFilter for authz details).

For extensions, the threadcontext is not shared with an extension and in its place the extension will be issued an access token on behalf of the authenticated user. This access token permits the extension to make REST requests back to the OpenSearch cluster utilizing this token. To understand how a request utilizing the on-behalf-of token would be authorized, please see On-behalf-of Tokens Authorization.

This PR introduces an experimental new extension point IdentityPlugin that contains interfaces to enable security for extensions use-cases. This extension point is only meant to be implemented once - similar to the tailor-made ActionPlugin.getRestHandlerWrapper which allows the Security plugin to intercept REST requests to the cluster to authenticate a request.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@github-actions

Gradle Check (Jenkins) Run Completed with:

  • RESULT: null ❌
  • URL:
  • CommitID: ea13c66
    Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
    Is the failure a flaky test unrelated to your change?
