[Feature/Identity] Select AuthenticationManager via configuration

[cwperks]

Description

Uses the ExtensiblePlugin extension point to dynamically set the Authentication Manager based on settings. The default authentication manager is the InternalAuthenticationManager in the Identity module that uses the internal identity implementations of the APIs for AuthenticationManager and Subject. Other plugins can extend the extensible-identity plugin and define implementations of AuthenticationManager to allow for other implementations of the Identity APIs. See opensearch-project/security@main...cwperks:security:initial-feature-identity for an example of the security plugin implementing the getSubject() method.

PluginsService was modified to allow plugins defined in tests to be able to extend plugins and test loadExtensions.

A file called IDENTITY_TESTING.md was added to outline the steps of running a cluster with identity enabled and the security plugin installed.

The extensible-identity module is responsible for setting the Auth Manager on Identity which can then be used to get the Subject and perform calls on the current Subject.

Issues Resolved

#5884

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff
• Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/9655/
• CommitID: 7de61c0
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/9657/
• CommitID: 49270b1
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/9658/
• CommitID: 8688cb9
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: SUCCESS ✅
• URL: https://build.ci.opensearch.org/job/gradle-check/9669/
• CommitID: 748d257

[codecov-commenter]

Codecov Report

Merging #5953 (748d257) into feature/identity (f9fe796) will increase coverage by 0.14%.
The diff coverage is 66.66%.

@@                  Coverage Diff                   @@
##             feature/identity    #5953      +/-   ##
======================================================
+ Coverage               70.73%   70.87%   +0.14%     
- Complexity              58964    59067     +103     
======================================================
  Files                    4824     4821       -3     
  Lines                  281960   281956       -4     
  Branches                40638    40645       +7     
======================================================
+ Hits                   199438   199843     +405     
+ Misses                  66184    65821     -363     
+ Partials                16338    16292      -46     

Impacted Files	Coverage Δ
...pensearch/extensible/identity/ConfigConstants.java	0.00% <0.00%> (ø)
...anager/internal/InternalAuthenticationManager.java	66.66% <0.00%> (+6.66%)	⬆️
...ntity/authmanager/noop/NoopAccessTokenManager.java	0.00% <ø> (ø)
...ty/authmanager/noop/NoopAuthenticationManager.java	66.66% <ø> (ø)
...nsearch/identity/authmanager/noop/NoopSubject.java	66.66% <ø> (ø)
.../extensible/identity/ExtensibleIdentityPlugin.java	61.90% <61.90%> (ø)
...n/src/main/java/org/opensearch/authn/Identity.java	100.00% <100.00%> (ø)
...n/java/org/opensearch/identity/IdentityPlugin.java	76.92% <100.00%> (+10.25%)	⬆️
...in/java/org/opensearch/plugins/PluginsService.java	85.86% <100.00%> (+0.31%)	⬆️
...opensearch/persistent/PersistentTasksExecutor.java	22.22% <0.00%> (-44.45%)	⬇️
... and 503 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[DarshitChanpura]

This looks good to me. I have left only one comment.

Thank you for this PR @cwperks ! Will the ExtensibleIdentityPlugin be limited to modifying Auth manager or is there additional scope?

[DarshitChanpura]

Are we sure that we don't need it as runtime also. If not, we should leave it as implementation

[cwperks]

In this PR, the identity module extends the extensible-identity module which has this as an implementation dependency. It will get the dependency at runtime because of this this relationship.

[cwperks]

Thank you @DarshitChanpura. @peternied Presented another solution for Identity plugins in this PR: #5925 against main. I think the new plugin extension point IdentityPlugin.getSubject is cleaner than this PR of creating an ExtensiblePlugin that loads extensions of AuthenticationManager.

[stephen-crawford]

Looks really good. I just left a couple of optional comments that are more questions than anything else.

[stephen-crawford]

I really like that you added steps for people to be able to test Identity out!

[stephen-crawford]

When this gets merged will it have any impacts outside of our use or is it a relatively minor difference? I know it sets the number of processors and I think that setting it to false will make it not restrict the netty thread pool size. Is this intended?

[stephen-crawford]

I know this is old but this is overriding thread leak behavior to do no checks. I assume that if NONE is required it is detecting either a SUITE level leak (the whole suite may not have leaks but the individual tests can) or a TEST level leak (no test may have a leak).

I do not know if we need to be concerned about this. I am not sure where we would be swapping threads in this test case but imagine it is probably when it starts the second node or when it goes to check the cluster health.

[peternied]

@cwperks ExtensiblePlugin doesn't seem like the right direction for identity, an 'extra' extensibility layer outside of OpenSearch core seems like more work whereas we can directly added extensibility via plugin interfaces. What do you think about the future of this changes, are their other pieces you'd like to keep?

[cwperks]

@peternied I plan to close this PR. I also thinks it's best to add a new extension point in org.opensearch.plugins. I did not anticipate the IdentityPlugin extension point change introduced in the first PR against main since it wasn't in the feature/identity branch and this change was geared to work in how feature/identity was organized at the time. If the new extension point is the way to go, then let's rework feature/identity to utilize that as well.