[Backport 2.x] Rest admin permissions (#2411)

[DarshitChanpura]

Permissions for REST admin user

Added granular permissions for all REST API actions in OpenSearch to be individually assigned.

Permissions are:
- 'restapi:admin/actiongroups' - allow full access to actiongroups
- 'restapi:admin/allowlist' - allow full access to allowlist
- 'restapi:admin/internalusers'- allow full access to internalusers
- 'restapi:admin/nodesdn'- allow full access to nodesdn
- 'restapi:admin/roles' - allow full access to roles
- 'restapi:admin/rolesmapping' - allow full access to roles mappings
- 'restapi:admin/ssl/certs/info' - allow full access to certs info
- 'restapi:admin/ssl/certs/reload' - allow full access to certs reload
- 'restapi:admin/tenants' - allow full access to tenants

Adds tests for these permissions.

Signed-off-by: Andrey Pleskach [email protected]
(cherry picked from commit d676716)

Description

[Describe what this change achieves]

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
• Why these changes are required?
• What is the old behavior before changes and new behavior after changes?

Issues Resolved

[List any issues this PR will resolve]

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[DarshitChanpura]

@willyborankin Would you please review the changes?

[cwperks]

@DarshitChanpura wdyt about opening up the same PR against 2.8 to expedite the backport process to that branch?

[DarshitChanpura]

@DarshitChanpura wdyt about opening up the same PR against 2.8 to expedite the backport process to that branch?

Done. 😃 #2807

[codecov]

Codecov Report

Merging #2806 (1da6f70) into 2.x (279c4d9) will increase coverage by 0.10%.
The diff coverage is 75.72%.

@@             Coverage Diff              @@
##                2.x    #2806      +/-   ##
============================================
+ Coverage     61.26%   61.37%   +0.10%     
- Complexity     3316     3368      +52     
============================================
  Files           264      264              
  Lines         18507    18631     +124     
  Branches       3265     3283      +18     
============================================
+ Hits          11338    11434      +96     
- Misses         5593     5611      +18     
- Partials       1576     1586      +10     

Impacted Files	Coverage Δ
...earch/security/dlic/rest/api/AccountApiAction.java	81.15% <0.00%> (-1.20%)	⬇️
...curity/dlic/rest/api/AuthTokenProcessorAction.java	53.33% <0.00%> (-3.81%)	⬇️
...ch/security/dlic/rest/api/FlushCacheApiAction.java	61.29% <0.00%> (-2.05%)	⬇️
...earch/security/dlic/rest/api/MigrateApiAction.java	4.12% <0.00%> (-0.05%)	⬇️
...earch/security/dlic/rest/api/TenantsApiAction.java	36.36% <0.00%> (-3.64%)	⬇️
...arch/security/dlic/rest/api/ValidateApiAction.java	10.25% <0.00%> (-0.27%)	⬇️
...pensearch/security/securityconf/ConfigModelV6.java	0.00% <0.00%> (ø)
...security/dlic/rest/api/SecuritySSLCertsAction.java	71.71% <71.71%> (ø)
.../security/dlic/rest/api/RolesMappingApiAction.java	82.85% <76.92%> (-3.51%)	⬇️
...dlic/rest/api/RestApiAdminPrivilegesEvaluator.java	78.33% <78.33%> (ø)
... and 16 more

... and 5 files with indirect coverage changes

[DarshitChanpura]

this change should already be part of 2.x via https://github.com/opensearch-project/security/pull/2803/files
but isn't