Add ignore_hosts config option for auth failure listener

[cwperks]

Description

This PR adds a new configuration for IP-based auth failure listener to allow a cluster admin to specify a list of hosts where rate limiting should not apply. If requests originate from a host matching one of the ignore_hosts then the auth failure listener would not apply to the request.

Companion Documentation PR: opensearch-project/documentation-website#7859

• Category

Enhancement

Issues Resolved

Partially resolves #4262

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[DarshitChanpura]

Thank you for adding this enhancement @cwperks. What would happen in a scenario where a user is blocked but the IP address is allowed and that user requests through this IP address?

[shikharj05]

Thanks for the changes!

However, this would not fully resolve #4262 as this would completely disable rate-limiting for a particular IP. For example, as a user of dashboards, I would like that 'X-Forwarded-For' is used to rate-limit the clients and not disable my dashboards IP.

[cwperks]

@shikharj05 Understood, this PR only partially resolves the associated issue by implementing one of the new configuration options described in the issue.

[cwperks]

What would happen in a scenario where a user is blocked but the IP address is allowed and that user requests through this IP address?

It would be blocked by the username and I can add a test to prove it.

IP Address blocking is performed before authentication here: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L202

Username block is performed after authentication here:https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L279

[cwperks]

This PR makes this config value only applicable to IP-based auth failure listener. It could be extended to all types of auth failure listener, but I chose to apply it only to IP-based ones

[codecov]

Codecov Report

Attention: Patch coverage is 42.30769% with 15 lines in your changes missing coverage. Please review.

Project coverage is 65.26%. Comparing base (613aff1) to head (882042d).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4538      +/-   ##
==========================================
- Coverage   65.28%   65.26%   -0.03%     
==========================================
  Files         317      317              
  Lines       22272    22296      +24     
  Branches     3582     3588       +6     
==========================================
+ Hits        14541    14551      +10     
- Misses       5939     5951      +12     
- Partials     1792     1794       +2     

Files	Coverage Δ
...search/security/securityconf/impl/v7/ConfigV7.java	78.21% <ø> (ø)
...ch/security/auth/limiting/AbstractRateLimiter.java	63.63% <12.50%> (-29.23%)	⬇️
.../org/opensearch/security/auth/BackendRegistry.java	61.00% <55.55%> (-0.26%)	⬇️

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-4538-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bc92a8900ea147f92eed0c69eb9e787f4a5d3a65
# Push it to GitHub
git push --set-upstream origin backport/backport-4538-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-4538-to-2.x.

[DarshitChanpura]

@cwperks Would you create a manual backport?