[DRAFT] [Feature]Introduces ability to control access to and share resources

[DarshitChanpura]

Work in Progress.

companion PR: opensearch-project/security#4746

Description

This PR introduces a new capability to enable access-control and sharing of resources. This PR introduces:

1. Interfaces to be extended by security plugin for concrete implementation, and to be used by plugins when authorizing the requested resources.
2. Adds a No-op implementation when security plugin is not enabled.

At present, plugins have implemented in-house authorization mechanisms to control access to their resources. This framework enables capability to have a centralized resource-authorization framework.

Please review feature proposal here that discusses the problem-statement and design approach. opensearch-project/security#4500

Plugins will leverage the APIs introduced here to check user access to resources.

To-do items:

• Add integration tests
• Add end-to-end tests

Documentation website will follow.

Related Issues

• Related to [Proposal] Resource Permissions and Sharing security#4500

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[github-actions]

❌ Gradle check result for 7e7cd0a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[DarshitChanpura]

@reta @jainankitk Would love to get some initial feedback on this PR. This is still work-in-progress.

[cwperks]

In NoOp implementation, wouldn't a plugin expect to be able to list all? Why the return type Map<String, List<String>>? Can this be made more generic and let the plugin that defines the Resource to be able to serialize and deserialize what is stored in a resource index?

[cwperks]

I think any instance of systemIndex should be renamed to resourceIndex. A resourceIndex is a system index, but it would specifically be for plugins that want to have this resource-sharing ability.

[cwperks]

I'm hesitant to introduce notions of roles, backend roles or user into the core. I'm wondering if Security can provide a class similar to this to plugins (similar to SPI model from JS), but not have plugins formally extending the security plugin. If a plugin extends another plugin then it means that the other plugin must be installed in a cluster before the plugin that depends on another can be installed.

With resource sharing, if the security plugin is not installed then all users will have full access to all plugin resources.

With the security plugin installed it can enforce authz on plugin resources using this new mechanism.

[cwperks]

The License below can be removed

[cwperks]

Can a plugin define multiple types of resources that can be shared?

i.e. In a hypothetical Searchable Photos plugin, would it be able to do resource sharing on both the Album level and Photo level?

[nibix]

Is it really necessary to support all three criteria (user name, roles, backend roles)? Especially back end roles can vary between auth backend (e.g. users authenticated via LDAP might have different backend roles than users authenticated via OIDC).

Such disparities can lead to confusion.

Who is supposed to specify these criteria when?

[cwperks]

Unfortunately, backend roles is already in place amongst plugins that implement custom resource authz.

Its already in place in:

1. ML Commons
2. Flow Framework
3. Anomaly Detection
4. Alerting

I think there may be others as well (possibly Reporting?).

Backend roles would need to be supported in order for those plugins to adopt the mechanism provided by security.

[nibix]

Ah, so this has the goal of a seamless transition from the older methods used in these different plugins?

Still, from a UX point of view, having too many options for a single thing is not optimal. It requires users to make a choice which is the optimal option. Proper information on how to make the right choice might be hard to find or might even not exist.

This is actually demonstrated by the broad range of artifacts which require backend roles in their configuration.

Thus, maybe the backend role option should be marked as deprecated? Or, maybe the docs should be clearer on how to use the roles?

[github-actions]

❌ Gradle check result for fba48ab: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?