From da19ee6252adb8c49211b657730cac47b9e11ddf Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Tue, 2 May 2023 17:30:32 -0400
Subject: [PATCH] [Extensions] Introduce Identity Plugin to Core (#7246)

* Identity and access control for OpenSearch

Adding a new service and plugin interface that provides identity and access control inside of OpenSearch. This is the founding building block, see more high level thoughts here on our recent blog. https://opensearch.org/blog/Introducing-Identity/

The new extension point, IdentityPlugin, is added with IdentityService handling that plugin interface. IdentityService authenticates users and enables access control systems. Adding HTTP basic authentication in the RestController the default NoopIdentityPlugin changes no behavior.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Co-authored-by: Andriy Redko <drreta@gmail.com>
---
 .idea/inspectionProfiles/Project_Default.xml  |   3 +
 CHANGELOG.md                                  |   2 +
 gradle/missing-javadoc.gradle                 |   2 +
 plugins/identity-shiro/build.gradle           |  67 ++++++
 .../licenses/bcprov-jdk15on-1.70.jar.sha1     |   1 +
 .../licenses/bcprov-jdk15on-LICENSE.txt       |  22 ++
 .../licenses/bcprov-jdk15on-NOTICE.txt        |   0
 .../licenses/commons-beanutils-1.9.4.jar.sha1 |   1 +
 .../licenses/commons-beanutils-LICENSE.txt    | 202 ++++++++++++++++++
 .../licenses/commons-beanutils-NOTICE.txt     |   5 +
 .../licenses/commons-lang-2.6.jar.sha1        |   1 +
 .../licenses/commons-lang-LICENSE.txt         | 202 ++++++++++++++++++
 .../licenses/commons-lang-NOTICE.txt          |   5 +
 .../licenses/commons-logging-1.2.jar.sha1     |   1 +
 .../licenses/commons-logging-LICENSE.txt      | 202 ++++++++++++++++++
 .../licenses/commons-logging-NOTICE.txt       |   5 +
 .../licenses/shiro-core-1.9.1.jar.sha1        |   1 +
 .../licenses/shiro-core-LICENSE.txt           | 201 +++++++++++++++++
 .../licenses/shiro-core-NOTICE.txt            |  15 ++
 .../licenses/slf4j-api-1.7.36.jar.sha1        |   1 +
 .../licenses/slf4j-api-LICENSE.txt            |  21 ++
 .../licenses/slf4j-api-NOTICE.txt             |   0
 .../identity/shiro/AuthTokenHandler.java      |  37 ++++
 .../identity/shiro/ShiroIdentityPlugin.java   |  53 +++++
 .../identity/shiro/ShiroSecurityManager.java  |  38 ++++
 .../identity/shiro/ShiroSubject.java          |  91 ++++++++
 .../shiro/UnsupportedAuthenticationToken.java |  12 ++
 .../identity/shiro/package-info.java          |  12 ++
 .../shiro/realm/BCryptPasswordMatcher.java    |  36 ++++
 .../identity/shiro/realm/OpenSearchRealm.java | 144 +++++++++++++
 .../opensearch/identity/shiro/realm/User.java |  54 +++++
 .../identity/shiro/realm/package-info.java    |  10 +
 .../plugin-metadata/plugin-security.policy    |  11 +
 .../identity/shiro/AuthTokenHandlerTests.java |  62 ++++++
 .../identity/shiro/ShiroSubjectTests.java     |  74 +++++++
 .../realm/BCryptPasswordMatcherTests.java     |  45 ++++
 .../shiro/realm/OpenSearchRealmTests.java     |  39 ++++
 qa/smoke-test-http/build.gradle               |   3 +-
 .../http/IdentityAuthenticationIT.java        |  91 ++++++++
 .../replication/SegmentReplicationIT.java     |   6 +-
 .../org/opensearch/action/ActionModule.java   |   6 +-
 .../common/settings/FeatureFlagSettings.java  |   1 +
 .../opensearch/common/util/FeatureFlags.java  |   6 +
 .../opensearch/identity/IdentityService.java  |  51 +++++
 .../opensearch/identity/NamedPrincipal.java   |  55 +++++
 .../java/org/opensearch/identity/Subject.java |  32 +++
 .../identity/noop/NoopIdentityPlugin.java     |  32 +++
 .../opensearch/identity/noop/NoopSubject.java |  57 +++++
 .../identity/noop/package-info.java           |  10 +
 .../org/opensearch/identity/package-info.java |   7 +
 .../opensearch/identity/tokens/AuthToken.java |  18 ++
 .../identity/tokens/BasicAuthToken.java       |  44 ++++
 .../identity/tokens/RestTokenExtractor.java   |  56 +++++
 .../identity/tokens/package-info.java         |  10 +
 .../main/java/org/opensearch/node/Node.java   |  15 +-
 .../opensearch/plugins/IdentityPlugin.java    |  26 +++
 .../org/opensearch/rest/RestController.java   |  50 ++++-
 .../opensearch/action/ActionModuleTests.java  |   7 +-
 .../bootstrap/IdentityPluginTests.java        |  36 ++++
 .../extensions/ExtensionsManagerTests.java    |   4 +-
 .../opensearch/rest/RestControllerTests.java  |  25 ++-
 .../rest/RestHttpResponseHeadersTests.java    |  11 +-
 .../indices/RestValidateQueryActionTests.java |  12 +-
 .../test/rest/RestActionTestCase.java         |  12 +-
 64 files changed, 2341 insertions(+), 20 deletions(-)
 create mode 100644 plugins/identity-shiro/build.gradle
 create mode 100644 plugins/identity-shiro/licenses/bcprov-jdk15on-1.70.jar.sha1
 create mode 100644 plugins/identity-shiro/licenses/bcprov-jdk15on-LICENSE.txt
 create mode 100644 plugins/identity-shiro/licenses/bcprov-jdk15on-NOTICE.txt
 create mode 100644 plugins/identity-shiro/licenses/commons-beanutils-1.9.4.jar.sha1
 create mode 100644 plugins/identity-shiro/licenses/commons-beanutils-LICENSE.txt
 create mode 100644 plugins/identity-shiro/licenses/commons-beanutils-NOTICE.txt
 create mode 100644 plugins/identity-shiro/licenses/commons-lang-2.6.jar.sha1
 create mode 100644 plugins/identity-shiro/licenses/commons-lang-LICENSE.txt
 create mode 100644 plugins/identity-shiro/licenses/commons-lang-NOTICE.txt
 create mode 100644 plugins/identity-shiro/licenses/commons-logging-1.2.jar.sha1
 create mode 100644 plugins/identity-shiro/licenses/commons-logging-LICENSE.txt
 create mode 100644 plugins/identity-shiro/licenses/commons-logging-NOTICE.txt
 create mode 100644 plugins/identity-shiro/licenses/shiro-core-1.9.1.jar.sha1
 create mode 100644 plugins/identity-shiro/licenses/shiro-core-LICENSE.txt
 create mode 100644 plugins/identity-shiro/licenses/shiro-core-NOTICE.txt
 create mode 100644 plugins/identity-shiro/licenses/slf4j-api-1.7.36.jar.sha1
 create mode 100644 plugins/identity-shiro/licenses/slf4j-api-LICENSE.txt
 create mode 100644 plugins/identity-shiro/licenses/slf4j-api-NOTICE.txt
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/AuthTokenHandler.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSecurityManager.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSubject.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/UnsupportedAuthenticationToken.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/package-info.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/OpenSearchRealm.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/User.java
 create mode 100644 plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/package-info.java
 create mode 100644 plugins/identity-shiro/src/main/plugin-metadata/plugin-security.policy
 create mode 100644 plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/AuthTokenHandlerTests.java
 create mode 100644 plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/ShiroSubjectTests.java
 create mode 100644 plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
 create mode 100644 plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/OpenSearchRealmTests.java
 create mode 100644 qa/smoke-test-http/src/test/java/org/opensearch/http/IdentityAuthenticationIT.java
 create mode 100644 server/src/main/java/org/opensearch/identity/IdentityService.java
 create mode 100644 server/src/main/java/org/opensearch/identity/NamedPrincipal.java
 create mode 100644 server/src/main/java/org/opensearch/identity/Subject.java
 create mode 100644 server/src/main/java/org/opensearch/identity/noop/NoopIdentityPlugin.java
 create mode 100644 server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
 create mode 100644 server/src/main/java/org/opensearch/identity/noop/package-info.java
 create mode 100644 server/src/main/java/org/opensearch/identity/package-info.java
 create mode 100644 server/src/main/java/org/opensearch/identity/tokens/AuthToken.java
 create mode 100644 server/src/main/java/org/opensearch/identity/tokens/BasicAuthToken.java
 create mode 100644 server/src/main/java/org/opensearch/identity/tokens/RestTokenExtractor.java
 create mode 100644 server/src/main/java/org/opensearch/identity/tokens/package-info.java
 create mode 100644 server/src/main/java/org/opensearch/plugins/IdentityPlugin.java
 create mode 100644 server/src/test/java/org/opensearch/bootstrap/IdentityPluginTests.java

diff --git a/.idea/inspectionProfiles/Project_Default.xml b/.idea/inspectionProfiles/Project_Default.xml
index 5cf789707c58c..ece87b3eed38a 100644
--- a/.idea/inspectionProfiles/Project_Default.xml
+++ b/.idea/inspectionProfiles/Project_Default.xml
@@ -2,6 +2,9 @@
   <profile version="1.0">
     <option name="myName" value="Project Default" />
     <inspection_tool class="GroovyPointlessBoolean" enabled="false" level="WARNING" enabled_by_default="false" />
+    <inspection_tool class="JavadocDeclaration" enabled="true" level="WARNING" enabled_by_default="true">
+      <option name="ADDITIONAL_TAGS" value="opensearch.experimental" />
+    </inspection_tool>
     <inspection_tool class="PointlessBooleanExpression" enabled="false" level="WARNING" enabled_by_default="false">
       <option name="m_ignoreExpressionsContainingConstants" value="true" />
     </inspection_tool>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e002a70724c8c..fdf074079085d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 - [Extensions] Moving Extensions APIs to protobuf serialization. ([#6960](https://github.com/opensearch-project/OpenSearch/pull/6960))
 - Add connectToNodeAsExtension in TransportService ([#6866](https://github.com/opensearch-project/OpenSearch/pull/6866))
+- [Extensions] Add IdentityPlugin into core to support Extension identities ([#7246](https://github.com/opensearch-project/OpenSearch/pull/7246))
 
 ### Dependencies
 - Bump `com.netflix.nebula:gradle-info-plugin` from 12.0.0 to 12.1.0
@@ -30,3 +31,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Security
 
+
diff --git a/gradle/missing-javadoc.gradle b/gradle/missing-javadoc.gradle
index 3e9016e38700b..e006b4309deea 100644
--- a/gradle/missing-javadoc.gradle
+++ b/gradle/missing-javadoc.gradle
@@ -6,6 +6,7 @@
  * compatible open source license.
  */
 
+
 import javax.annotation.Nullable
 import org.gradle.api.tasks.PathSensitive;
 import org.gradle.api.tasks.PathSensitivity;
@@ -147,6 +148,7 @@ configure([
   project(":plugins:discovery-ec2:qa:amazon-ec2"),
   project(":plugins:discovery-gce"),
   project(":plugins:discovery-gce:qa:gce"),
+  project(":plugins:identity-shiro"),
   project(":plugins:ingest-attachment"),
   project(":plugins:mapper-annotated-text"),
   project(":plugins:mapper-murmur3"),
diff --git a/plugins/identity-shiro/build.gradle b/plugins/identity-shiro/build.gradle
new file mode 100644
index 0000000000000..95a80a2e37a7a
--- /dev/null
+++ b/plugins/identity-shiro/build.gradle
@@ -0,0 +1,67 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+apply plugin: 'opensearch.internal-cluster-test'
+
+opensearchplugin {
+  description 'Plugin for identity features in OpenSearch.'
+  classname 'org.opensearch.identity.shiro.ShiroIdentityPlugin'
+  name project.name
+  licenseFile rootProject.file('licenses/APACHE-LICENSE-2.0.txt')
+  noticeFile rootProject.file('NOTICE.txt')
+}
+
+dependencies {
+  implementation 'org.apache.shiro:shiro-core:1.9.1'
+  // Needed for shiro
+  implementation "org.slf4j:slf4j-api:${versions.slf4j}"
+
+  implementation 'commons-beanutils:commons-beanutils:1.9.4'
+  implementation 'commons-logging:commons-logging:1.2'
+  implementation 'commons-lang:commons-lang:2.6'
+
+  implementation "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
+
+  testImplementation project(path: ':modules:transport-netty4') // for http
+  testImplementation project(path: ':plugins:transport-nio') // for http
+  testImplementation "org.mockito:mockito-core:${versions.mockito}"
+    testImplementation project(path: ':client:rest-high-level')
+}
+
+/*
+ * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each
+ * other if we allow them to set the number of available processors as it's set-once in Netty.
+ */
+test {
+  systemProperty 'opensearch.set.netty.runtime.available.processors', 'false'
+}
+
+internalClusterTest {
+  systemProperty 'opensearch.set.netty.runtime.available.processors', 'false'
+}
+
+thirdPartyAudit.ignoreMissingClasses(
+  'javax.servlet.ServletContextEvent',
+  'javax.servlet.ServletContextListener',
+  'org.apache.avalon.framework.logger.Logger',
+  'org.apache.commons.collections.Closure',
+  'org.apache.commons.collections.FastHashMap',
+  'org.apache.commons.collections.Predicate',
+  'org.apache.commons.collections.Transformer',
+  'org.apache.commons.collections.comparators.ComparableComparator',
+  'org.apache.commons.collections.keyvalue.AbstractMapEntry',
+  'org.apache.commons.configuration2.interpol.ConfigurationInterpolator',
+  'org.apache.log.Hierarchy',
+  'org.apache.log.Logger',
+  'org.apache.log4j.Level',
+  'org.apache.log4j.Logger',
+  'org.apache.log4j.Priority',
+  'org.slf4j.impl.StaticLoggerBinder',
+  'org.slf4j.impl.StaticMDCBinder',
+  'org.slf4j.impl.StaticMarkerBinder'
+)
diff --git a/plugins/identity-shiro/licenses/bcprov-jdk15on-1.70.jar.sha1 b/plugins/identity-shiro/licenses/bcprov-jdk15on-1.70.jar.sha1
new file mode 100644
index 0000000000000..f5e89c0f5ed45
--- /dev/null
+++ b/plugins/identity-shiro/licenses/bcprov-jdk15on-1.70.jar.sha1
@@ -0,0 +1 @@
+4636a0d01f74acaf28082fb62b317f1080118371
\ No newline at end of file
diff --git a/plugins/identity-shiro/licenses/bcprov-jdk15on-LICENSE.txt b/plugins/identity-shiro/licenses/bcprov-jdk15on-LICENSE.txt
new file mode 100644
index 0000000000000..9f27bafe96885
--- /dev/null
+++ b/plugins/identity-shiro/licenses/bcprov-jdk15on-LICENSE.txt
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2000 - 2013 The Legion of the Bouncy Castle Inc.
+                          (http://www.bouncycastle.org)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/plugins/identity-shiro/licenses/bcprov-jdk15on-NOTICE.txt b/plugins/identity-shiro/licenses/bcprov-jdk15on-NOTICE.txt
new file mode 100644
index 0000000000000..e69de29bb2d1d
diff --git a/plugins/identity-shiro/licenses/commons-beanutils-1.9.4.jar.sha1 b/plugins/identity-shiro/licenses/commons-beanutils-1.9.4.jar.sha1
new file mode 100644
index 0000000000000..b91aa1e1d1f4f
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-beanutils-1.9.4.jar.sha1
@@ -0,0 +1 @@
+d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
\ No newline at end of file
diff --git a/plugins/identity-shiro/licenses/commons-beanutils-LICENSE.txt b/plugins/identity-shiro/licenses/commons-beanutils-LICENSE.txt
new file mode 100644
index 0000000000000..d645695673349
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-beanutils-LICENSE.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/plugins/identity-shiro/licenses/commons-beanutils-NOTICE.txt b/plugins/identity-shiro/licenses/commons-beanutils-NOTICE.txt
new file mode 100644
index 0000000000000..e1529d40c6bb6
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-beanutils-NOTICE.txt
@@ -0,0 +1,5 @@
+Apache Commons BeanUtils
+Copyright 2000-2019 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
diff --git a/plugins/identity-shiro/licenses/commons-lang-2.6.jar.sha1 b/plugins/identity-shiro/licenses/commons-lang-2.6.jar.sha1
new file mode 100644
index 0000000000000..4ee9249d2b76f
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-lang-2.6.jar.sha1
@@ -0,0 +1 @@
+0ce1edb914c94ebc388f086c6827e8bdeec71ac2
\ No newline at end of file
diff --git a/plugins/identity-shiro/licenses/commons-lang-LICENSE.txt b/plugins/identity-shiro/licenses/commons-lang-LICENSE.txt
new file mode 100644
index 0000000000000..d645695673349
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-lang-LICENSE.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/plugins/identity-shiro/licenses/commons-lang-NOTICE.txt b/plugins/identity-shiro/licenses/commons-lang-NOTICE.txt
new file mode 100644
index 0000000000000..780ac0edb3c94
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-lang-NOTICE.txt
@@ -0,0 +1,5 @@
+Apache Commons Lang
+Copyright 2001-2022 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (https://www.apache.org/).
diff --git a/plugins/identity-shiro/licenses/commons-logging-1.2.jar.sha1 b/plugins/identity-shiro/licenses/commons-logging-1.2.jar.sha1
new file mode 100644
index 0000000000000..f40f0242448e8
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-logging-1.2.jar.sha1
@@ -0,0 +1 @@
+4bfc12adfe4842bf07b657f0369c4cb522955686
\ No newline at end of file
diff --git a/plugins/identity-shiro/licenses/commons-logging-LICENSE.txt b/plugins/identity-shiro/licenses/commons-logging-LICENSE.txt
new file mode 100644
index 0000000000000..d645695673349
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-logging-LICENSE.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/plugins/identity-shiro/licenses/commons-logging-NOTICE.txt b/plugins/identity-shiro/licenses/commons-logging-NOTICE.txt
new file mode 100644
index 0000000000000..1a45218353e87
--- /dev/null
+++ b/plugins/identity-shiro/licenses/commons-logging-NOTICE.txt
@@ -0,0 +1,5 @@
+Apache Commons Logging
+Copyright 2003-2016 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
diff --git a/plugins/identity-shiro/licenses/shiro-core-1.9.1.jar.sha1 b/plugins/identity-shiro/licenses/shiro-core-1.9.1.jar.sha1
new file mode 100644
index 0000000000000..8cd594d254f9b
--- /dev/null
+++ b/plugins/identity-shiro/licenses/shiro-core-1.9.1.jar.sha1
@@ -0,0 +1 @@
+90263d749749198f0a6dbdca57b52fa6d903d3db
\ No newline at end of file
diff --git a/plugins/identity-shiro/licenses/shiro-core-LICENSE.txt b/plugins/identity-shiro/licenses/shiro-core-LICENSE.txt
new file mode 100644
index 0000000000000..261eeb9e9f8b2
--- /dev/null
+++ b/plugins/identity-shiro/licenses/shiro-core-LICENSE.txt
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/plugins/identity-shiro/licenses/shiro-core-NOTICE.txt b/plugins/identity-shiro/licenses/shiro-core-NOTICE.txt
new file mode 100644
index 0000000000000..1a356397fa88c
--- /dev/null
+++ b/plugins/identity-shiro/licenses/shiro-core-NOTICE.txt
@@ -0,0 +1,15 @@
+Apache Shiro
+Copyright 2008-2022 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).
+
+The implementation for org.apache.shiro.util.SoftHashMap is based
+on initial ideas from Dr. Heinz Kabutz's publicly posted version
+available at http://www.javaspecialists.eu/archive/Issue015.html,
+with continued modifications.
+
+Certain parts (StringUtils, IpAddressMatcher, AntPathMatcherTests, etc.) of the
+source code for this product was copied for simplicity and to reduce
+dependencies from the source code developed by the Spring Framework Project
+(http://www.springframework.org).
diff --git a/plugins/identity-shiro/licenses/slf4j-api-1.7.36.jar.sha1 b/plugins/identity-shiro/licenses/slf4j-api-1.7.36.jar.sha1
new file mode 100644
index 0000000000000..77b9917528382
--- /dev/null
+++ b/plugins/identity-shiro/licenses/slf4j-api-1.7.36.jar.sha1
@@ -0,0 +1 @@
+6c62681a2f655b49963a5983b8b0950a6120ae14
\ No newline at end of file
diff --git a/plugins/identity-shiro/licenses/slf4j-api-LICENSE.txt b/plugins/identity-shiro/licenses/slf4j-api-LICENSE.txt
new file mode 100644
index 0000000000000..8fda22f4d72f6
--- /dev/null
+++ b/plugins/identity-shiro/licenses/slf4j-api-LICENSE.txt
@@ -0,0 +1,21 @@
+Copyright (c) 2004-2014 QOS.ch
+All rights reserved.
+
+Permission is hereby granted, free  of charge, to any person obtaining
+a  copy  of this  software  and  associated  documentation files  (the
+"Software"), to  deal in  the Software without  restriction, including
+without limitation  the rights to  use, copy, modify,  merge, publish,
+distribute,  sublicense, and/or sell  copies of  the Software,  and to
+permit persons to whom the Software  is furnished to do so, subject to
+the following conditions:
+
+The  above  copyright  notice  and  this permission  notice  shall  be
+included in all copies or substantial portions of the Software.
+
+THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
+EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
+MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/plugins/identity-shiro/licenses/slf4j-api-NOTICE.txt b/plugins/identity-shiro/licenses/slf4j-api-NOTICE.txt
new file mode 100644
index 0000000000000..e69de29bb2d1d
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/AuthTokenHandler.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/AuthTokenHandler.java
new file mode 100644
index 0000000000000..14801b665f14f
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/AuthTokenHandler.java
@@ -0,0 +1,37 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import java.util.Optional;
+
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.opensearch.identity.tokens.BasicAuthToken;
+
+/**
+ * Extracts Shiro's {@link AuthenticationToken} from different types of auth headers
+ *
+ * @opensearch.experimental
+ */
+class AuthTokenHandler {
+
+    /**
+     * Translates into shiro auth token from the given header token
+     * @param authenticationToken the token from which to translate
+     * @return An optional of the shiro auth token for login
+     */
+    public Optional<AuthenticationToken> translateAuthToken(org.opensearch.identity.tokens.AuthToken authenticationToken) {
+        if (authenticationToken instanceof BasicAuthToken) {
+            final BasicAuthToken basicAuthToken = (BasicAuthToken) authenticationToken;
+            return Optional.of(new UsernamePasswordToken(basicAuthToken.getUser(), basicAuthToken.getPassword()));
+        }
+
+        return Optional.empty();
+    }
+}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java
new file mode 100644
index 0000000000000..eee5dd8ce0bd4
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java
@@ -0,0 +1,53 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import org.opensearch.identity.Subject;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.plugins.IdentityPlugin;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.plugins.Plugin;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.mgt.SecurityManager;
+
+/**
+ * Identity implementation with Shiro
+ *
+ * @opensearch.experimental
+ */
+public final class ShiroIdentityPlugin extends Plugin implements IdentityPlugin {
+    private Logger log = LogManager.getLogger(this.getClass());
+
+    private final Settings settings;
+    private final AuthTokenHandler authTokenHandler;
+
+    /**
+     * Create a new instance of the Shiro Identity Plugin
+     *
+     * @param settings settings being used in the configuration
+     */
+    public ShiroIdentityPlugin(final Settings settings) {
+        this.settings = settings;
+        authTokenHandler = new AuthTokenHandler();
+
+        SecurityManager securityManager = new ShiroSecurityManager();
+        SecurityUtils.setSecurityManager(securityManager);
+    }
+
+    /**
+     * Return a Shiro Subject based on the provided authTokenHandler and current subject
+     *
+     * @return The current subject
+     */
+    @Override
+    public Subject getSubject() {
+        return new ShiroSubject(authTokenHandler, SecurityUtils.getSubject());
+    }
+}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSecurityManager.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSecurityManager.java
new file mode 100644
index 0000000000000..96cf05ac53a1a
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSecurityManager.java
@@ -0,0 +1,38 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import org.apache.shiro.mgt.DefaultSecurityManager;
+import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
+import org.apache.shiro.mgt.DefaultSubjectDAO;
+import org.opensearch.identity.shiro.realm.OpenSearchRealm;
+
+/**
+ * OpenSearch specific security manager implementation
+ *
+ * @opensearch.experimental
+ */
+public class ShiroSecurityManager extends DefaultSecurityManager {
+
+    /**
+     * Creates the security manager using a default realm and no session storage
+     */
+    public ShiroSecurityManager() {
+        super(OpenSearchRealm.INSTANCE);
+
+        // By default shiro stores session information into a cache, there were performance
+        // issues with this sessions cache and so are defaulting to a stateless configuration
+        final DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
+        evaluator.setSessionStorageEnabled(false);
+
+        final DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
+        subjectDAO.setSessionStorageEvaluator(evaluator);
+        setSubjectDAO(subjectDAO);
+    }
+}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSubject.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSubject.java
new file mode 100644
index 0000000000000..3208d2bb5d8ca
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSubject.java
@@ -0,0 +1,91 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import java.security.Principal;
+import java.util.Objects;
+
+import org.opensearch.identity.Subject;
+import org.opensearch.identity.tokens.AuthToken;
+
+/**
+ * Subject backed by Shiro
+ *
+ * @opensearch.experimental
+ */
+public class ShiroSubject implements Subject {
+    private final AuthTokenHandler authTokenHandler;
+    private final org.apache.shiro.subject.Subject shiroSubject;
+
+    /**
+     * Creates a new shiro subject for use with the IdentityPlugin
+     * Cannot return null
+     * @param authTokenHandler Used to extract auth header info
+     * @param subject The specific subject being authc/z'd
+     */
+    public ShiroSubject(final AuthTokenHandler authTokenHandler, final org.apache.shiro.subject.Subject subject) {
+        this.authTokenHandler = Objects.requireNonNull(authTokenHandler);
+        this.shiroSubject = Objects.requireNonNull(subject);
+    }
+
+    /**
+     * Return the current principal
+     *
+     * @return The current principal
+     */
+    @Override
+    public Principal getPrincipal() {
+        final Object o = shiroSubject.getPrincipal();
+        if (o == null) return null;
+        if (o instanceof Principal) return (Principal) o;
+        return () -> o.toString();
+    }
+
+    /**
+     * Check if another object is equal to this object
+     *
+     * @param obj The object to be compared against this
+     * @return Whether the two objects are equal
+     */
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) return true;
+        if (obj == null || getClass() != obj.getClass()) return false;
+        final Subject that = (Subject) obj;
+        return Objects.equals(getPrincipal(), that.getPrincipal());
+    }
+
+    /**
+     * Return this Subject's principal as a hash
+     * @return An int hash code
+     */
+    @Override
+    public int hashCode() {
+        return Objects.hash(getPrincipal());
+    }
+
+    /**
+     * Convert this ShiroSubject's principal to a string
+     * @return A string of the subject's principal
+     */
+    @Override
+    public String toString() {
+        return "ShiroSubject(principal=" + getPrincipal() + ")";
+    }
+
+    /**
+     * Logs the user in via authenticating the user against current Shiro realm
+     * @param authenticationToken The authToken to be used for login
+     */
+    public void authenticate(AuthToken authenticationToken) {
+        final org.apache.shiro.authc.AuthenticationToken authToken = authTokenHandler.translateAuthToken(authenticationToken)
+            .orElseThrow(() -> new UnsupportedAuthenticationToken());
+        shiroSubject.login(authToken);
+    }
+}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/UnsupportedAuthenticationToken.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/UnsupportedAuthenticationToken.java
new file mode 100644
index 0000000000000..f216bbfefe940
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/UnsupportedAuthenticationToken.java
@@ -0,0 +1,12 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+/** Thrown if the authentication token was invalid */
+public class UnsupportedAuthenticationToken extends RuntimeException {}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/package-info.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/package-info.java
new file mode 100644
index 0000000000000..49e276f11f660
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/package-info.java
@@ -0,0 +1,12 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/**
+ * Identity implementation using Shiro
+ */
+package org.opensearch.identity.shiro;
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
new file mode 100644
index 0000000000000..a2cb78425929e
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
@@ -0,0 +1,36 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro.realm;
+
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authc.credential.CredentialsMatcher;
+import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
+
+/**
+ * Password matcher for BCrypt
+ *
+ * @opensearch.experimental
+ */
+public class BCryptPasswordMatcher implements CredentialsMatcher {
+
+    /**
+     * Check if the provided authentication token and authentication info match one another
+     * @param token   the {@code AuthenticationToken} submitted during the authentication attempt
+     * @param info the {@code AuthenticationInfo} stored in the system.
+     * @return A boolean showing whether the token credentials match the info or not.
+     */
+    @Override
+    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
+        final UsernamePasswordToken userToken = (UsernamePasswordToken) token;
+        return OpenBSDBCrypt.checkPassword((String) info.getCredentials(), userToken.getPassword());
+    }
+
+}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/OpenSearchRealm.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/OpenSearchRealm.java
new file mode 100644
index 0000000000000..e005d7c3360cf
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/OpenSearchRealm.java
@@ -0,0 +1,144 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro.realm;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.IncorrectCredentialsException;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authc.pam.UnsupportedTokenException;
+import org.apache.shiro.realm.AuthenticatingRealm;
+import org.apache.shiro.authc.UsernamePasswordToken;
+
+import org.opensearch.identity.NamedPrincipal;
+
+import java.util.Objects;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * Internal Realm is a custom realm using the internal OpenSearch IdP
+ *
+ * @opensearch.experimental
+ */
+public class OpenSearchRealm extends AuthenticatingRealm {
+    private static final String DEFAULT_REALM_NAME = "internal";
+
+    /**
+     * The instance of the realm to be constructed through the builder method
+     */
+    public static final OpenSearchRealm INSTANCE = new OpenSearchRealm.Builder(DEFAULT_REALM_NAME).build();
+
+    private final String realmName;
+
+    private Map<String, User> internalUsers;
+
+    /**
+     * Instantiate a new OpenSearchRealm
+     *
+     * @param realmName The name of the realm
+     * @param internalUsers A map of internal users
+     */
+    private OpenSearchRealm(final String realmName, final Map<String, User> internalUsers) {
+        super(new BCryptPasswordMatcher());
+        this.realmName = realmName;
+        this.internalUsers = internalUsers;
+        setAuthenticationTokenClass(UsernamePasswordToken.class);
+    }
+
+    /**
+     * An internal class representing a realm builder
+     *
+     */
+    public static final class Builder {
+        private final String name;
+
+        /**
+         *  Instantiate a realm builder
+         * @param name The name of the realm builder
+         */
+        public Builder(final String name) {
+            this.name = Objects.requireNonNull(name);
+        }
+
+        /**
+         * Create a new OpenSearchRealm
+         *
+         * @return A new realm
+         */
+        public OpenSearchRealm build() {
+            // TODO: Replace hardcoded admin user / user map with an external provider
+            final User adminUser = new User();
+            adminUser.setUsername(new NamedPrincipal("admin"));
+            adminUser.setBcryptHash("$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"); // Password 'admin'
+            final Map<String, User> internalUsers = Map.of("admin", adminUser);
+            return new OpenSearchRealm(name, internalUsers);
+        }
+    }
+
+    /**
+     * Return an internal user given a principalIdentifier
+     *
+     * @param principalIdentifier The string of the identifier
+     * @return The associated user
+     * @throws UnknownAccountException when the principal identifier has no user match
+     */
+    public User getInternalUser(final String principalIdentifier) throws UnknownAccountException {
+        final User userRecord = internalUsers.get(principalIdentifier);
+        if (userRecord == null) {
+            throw new UnknownAccountException();
+        }
+        return userRecord;
+    }
+
+    /**
+     * Gets the authentication info associated with a specific authentication token
+     *
+     * @param token the authentication token containing the user's principal and credentials.
+     * @return Authentication info associated with the auth token
+     * @throws AuthenticationException When the auth token has no valid info
+     */
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token) throws AuthenticationException {
+        if (token instanceof UsernamePasswordToken) {
+            final String username = ((UsernamePasswordToken) token).getUsername();
+            // Look up the user by the provide username
+            final User userRecord = getInternalUser(username);
+            // TODO: Check for other things, like a locked account, expired password, etc.
+
+            // Verify the user
+            final SimpleAuthenticationInfo sai = new SimpleAuthenticationInfo(
+                userRecord.getUsername(),
+                userRecord.getBcryptHash(),
+                realmName
+            );
+
+            final boolean successfulAuthentication = getCredentialsMatcher().doCredentialsMatch(token, sai);
+
+            if (successfulAuthentication) {
+                // TODO: Check for anything else that might prevent login (expired password, locked account, etc.)
+                // if (other problems) {
+                // throw new CredentialsException(); // Or something more specific
+                // }
+                // Success!
+                return sai;
+            } else {
+                // Bad password
+                throw new IncorrectCredentialsException();
+            }
+        }
+
+        // If the token was not handled, it was unsupported
+        final String tokenClassName = Optional.ofNullable(token).map(Object::getClass).map(Class::getName).orElse("null");
+        throw new UnsupportedTokenException("Unable to support authentication token " + tokenClassName);
+    }
+}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/User.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/User.java
new file mode 100644
index 0000000000000..35b3348a955d7
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/User.java
@@ -0,0 +1,54 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro.realm;
+
+import org.opensearch.identity.NamedPrincipal;
+
+/**
+ * A non-volatile and immutable object in the storage.
+ *
+ * @opensearch.experimental
+ */
+public class User {
+
+    private NamedPrincipal username;
+    private String bcryptHash;
+
+    /**
+     * Get the User's username as a NamedPrincipal
+     * @return the named principal representing the username
+     */
+    public NamedPrincipal getUsername() {
+        return username;
+    }
+
+    /**
+     * Set the User's username
+     * @param username NamedPrincipal representing the username to be set
+     */
+    public void setUsername(NamedPrincipal username) {
+        this.username = username;
+    }
+
+    /**
+     * Get the User's hash
+     * @return The User's hash as a string
+     */
+    public String getBcryptHash() {
+        return bcryptHash;
+    }
+
+    /**
+     * Set the User's hash
+     * @param bcryptHash A string to be set as the User's hash
+     */
+    public void setBcryptHash(String bcryptHash) {
+        this.bcryptHash = bcryptHash;
+    }
+}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/package-info.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/package-info.java
new file mode 100644
index 0000000000000..888f54c6e37ea
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/package-info.java
@@ -0,0 +1,10 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/** Classes for the internal OpenSearch realm */
+package org.opensearch.identity.shiro.realm;
diff --git a/plugins/identity-shiro/src/main/plugin-metadata/plugin-security.policy b/plugins/identity-shiro/src/main/plugin-metadata/plugin-security.policy
new file mode 100644
index 0000000000000..120d1d8fbdb3a
--- /dev/null
+++ b/plugins/identity-shiro/src/main/plugin-metadata/plugin-security.policy
@@ -0,0 +1,11 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+grant {
+
+};
diff --git a/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/AuthTokenHandlerTests.java b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/AuthTokenHandlerTests.java
new file mode 100644
index 0000000000000..942d777df2086
--- /dev/null
+++ b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/AuthTokenHandlerTests.java
@@ -0,0 +1,62 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.opensearch.identity.tokens.BasicAuthToken;
+import org.opensearch.test.OpenSearchTestCase;
+import org.junit.Before;
+
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.notNullValue;
+
+import java.util.Optional;
+
+public class AuthTokenHandlerTests extends OpenSearchTestCase {
+
+    private AuthTokenHandler authTokenHandler;
+
+    @Before
+    public void testSetup() {
+        authTokenHandler = new AuthTokenHandler();
+    }
+
+    public void testShouldExtractBasicAuthTokenSuccessfully() {
+        final BasicAuthToken authToken = new BasicAuthToken("Basic YWRtaW46YWRtaW4="); // admin:admin
+
+        final AuthenticationToken translatedToken = authTokenHandler.translateAuthToken(authToken).get();
+        assertThat(translatedToken, is(instanceOf(UsernamePasswordToken.class)));
+
+        final UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) translatedToken;
+        assertThat(usernamePasswordToken, notNullValue());
+        assertThat(usernamePasswordToken.getUsername(), equalTo("admin"));
+        assertThat(new String(usernamePasswordToken.getPassword()), equalTo("admin"));
+    }
+
+    public void testShouldExtractBasicAuthTokenSuccessfully_twoSemiColonPassword() {
+        final BasicAuthToken authToken = new BasicAuthToken("Basic dGVzdDp0ZTpzdA=="); // test:te:st
+
+        final AuthenticationToken translatedToken = authTokenHandler.translateAuthToken(authToken).get();
+        assertThat(translatedToken, is(instanceOf(UsernamePasswordToken.class)));
+
+        final UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) translatedToken;
+        assertThat(usernamePasswordToken, notNullValue());
+        assertThat(usernamePasswordToken.getUsername(), equalTo("test"));
+        assertThat(new String(usernamePasswordToken.getPassword()), equalTo("te:st"));
+    }
+
+    public void testShouldReturnNullWhenExtractingNullToken() {
+        final Optional<AuthenticationToken> translatedToken = authTokenHandler.translateAuthToken(null);
+
+        assertThat(translatedToken.isEmpty(), is(true));
+    }
+}
diff --git a/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/ShiroSubjectTests.java b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/ShiroSubjectTests.java
new file mode 100644
index 0000000000000..baf6090f79ff3
--- /dev/null
+++ b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/ShiroSubjectTests.java
@@ -0,0 +1,74 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import org.opensearch.test.OpenSearchTestCase;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.verify;
+import org.junit.Before;
+import org.junit.After;
+
+import java.security.Principal;
+
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.hamcrest.Matchers.nullValue;
+import static org.hamcrest.Matchers.equalTo;
+
+public class ShiroSubjectTests extends OpenSearchTestCase {
+
+    private org.apache.shiro.subject.Subject shiroSubject;
+    private AuthTokenHandler authTokenHandler;
+    private ShiroSubject subject;
+
+    @Before
+    public void setup() {
+        shiroSubject = mock(org.apache.shiro.subject.Subject.class);
+        authTokenHandler = mock(AuthTokenHandler.class);
+        subject = new ShiroSubject(authTokenHandler, shiroSubject);
+    }
+
+    @After
+    public void cleanup() {
+        verifyNoMoreInteractions(shiroSubject);
+    }
+
+    public void testGetPrincipal_null() {
+        when(shiroSubject.getPrincipal()).thenReturn(null);
+
+        final Principal result = subject.getPrincipal();
+
+        assertThat(result, nullValue());
+        verify(shiroSubject).getPrincipal();
+    }
+
+    public void testGetPrincipal_principal() {
+        final Principal mockPrincipal = mock(Principal.class);
+        when(shiroSubject.getPrincipal()).thenReturn(mockPrincipal);
+
+        final Principal result = subject.getPrincipal();
+
+        assertThat(result, equalTo(mockPrincipal));
+        verify(shiroSubject).getPrincipal();
+    }
+
+    public void testGetPrincipal_otherType() {
+        final Object objPrincipal = mock(Object.class);
+        when(shiroSubject.getPrincipal()).thenReturn(objPrincipal);
+        when(objPrincipal.toString()).thenReturn("objectPrincipalString");
+
+        final Principal result = subject.getPrincipal();
+
+        // assertThat(result, equalTo("objectPrincipalString"));
+        verify(shiroSubject).getPrincipal();
+        verifyNoMoreInteractions(objPrincipal);
+    }
+
+}
diff --git a/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
new file mode 100644
index 0000000000000..37c8c4c220b58
--- /dev/null
+++ b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
@@ -0,0 +1,45 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro.realm;
+
+import org.opensearch.test.OpenSearchTestCase;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.hamcrest.Matchers.equalTo;
+
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authc.AuthenticationInfo;
+
+public class BCryptPasswordMatcherTests extends OpenSearchTestCase {
+
+    public void testCredentialMatch() {
+        final UsernamePasswordToken token = mock(UsernamePasswordToken.class);
+        when(token.getPassword()).thenReturn("admin".toCharArray());
+        final AuthenticationInfo info = mock(AuthenticationInfo.class);
+        when(info.getCredentials()).thenReturn("$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG");
+
+        final BCryptPasswordMatcher matcher = new BCryptPasswordMatcher();
+        final boolean result = matcher.doCredentialsMatch(token, info);
+
+        assertThat(result, equalTo(true));
+    }
+
+    public void testCredentialDoNotMatch() {
+        final UsernamePasswordToken token = mock(UsernamePasswordToken.class);
+        when(token.getPassword()).thenReturn("HashedPassword".toCharArray());
+        final AuthenticationInfo info = mock(AuthenticationInfo.class);
+        when(info.getCredentials()).thenReturn("$2a$12$VcCDgh2NDk07JGN0rQGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG");
+
+        final BCryptPasswordMatcher matcher = new BCryptPasswordMatcher();
+        final boolean result = matcher.doCredentialsMatch(token, info);
+
+        assertThat(result, equalTo(false));
+    }
+}
diff --git a/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/OpenSearchRealmTests.java b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/OpenSearchRealmTests.java
new file mode 100644
index 0000000000000..d6129c238408a
--- /dev/null
+++ b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/OpenSearchRealmTests.java
@@ -0,0 +1,39 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro.realm;
+
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.IncorrectCredentialsException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.junit.Before;
+import org.opensearch.test.OpenSearchTestCase;
+
+public class OpenSearchRealmTests extends OpenSearchTestCase {
+
+    private OpenSearchRealm realm;
+
+    @Before
+    public void setup() {
+        realm = new OpenSearchRealm.Builder("test").build();
+    }
+
+    public void testGetAuthenticationInfoUserExists() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("admin", "admin");
+        final User admin = realm.getInternalUser("admin");
+        final AuthenticationInfo adminInfo = realm.getAuthenticationInfo(token);
+        assertNotNull(adminInfo);
+    }
+
+    public void testGetAuthenticationInfoUserExistsWrongPassword() {
+        final UsernamePasswordToken token = new UsernamePasswordToken("admin", "wrong_password");
+        final User admin = realm.getInternalUser("admin");
+
+        assertThrows(IncorrectCredentialsException.class, () -> realm.getAuthenticationInfo(token));
+    }
+}
diff --git a/qa/smoke-test-http/build.gradle b/qa/smoke-test-http/build.gradle
index 2402c9b807283..f48ddc26d929b 100644
--- a/qa/smoke-test-http/build.gradle
+++ b/qa/smoke-test-http/build.gradle
@@ -35,7 +35,8 @@ apply plugin: 'opensearch.test-with-dependencies'
 
 dependencies {
   testImplementation project(path: ':modules:transport-netty4') // for http
-  testImplementation project(path: ':plugins:transport-nio') // for http
+  testImplementation project(path: ':plugins:transport-nio')
+  testImplementation project(path: ':plugins:identity-shiro') // for http
 }
 
 integTest {
diff --git a/qa/smoke-test-http/src/test/java/org/opensearch/http/IdentityAuthenticationIT.java b/qa/smoke-test-http/src/test/java/org/opensearch/http/IdentityAuthenticationIT.java
new file mode 100644
index 0000000000000..45202f6dcbfce
--- /dev/null
+++ b/qa/smoke-test-http/src/test/java/org/opensearch/http/IdentityAuthenticationIT.java
@@ -0,0 +1,91 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.http;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Collection;
+import org.junit.Assert;
+import org.opensearch.client.Request;
+import org.opensearch.client.RequestOptions;
+import org.opensearch.client.Response;
+import org.opensearch.client.ResponseException;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.FeatureFlags;
+import org.opensearch.identity.shiro.ShiroIdentityPlugin;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.rest.RestStatus;
+
+import org.opensearch.test.OpenSearchIntegTestCase;
+import org.opensearch.test.OpenSearchTestCase;
+import org.opensearch.transport.Netty4ModulePlugin;
+import org.opensearch.transport.nio.NioTransportPlugin;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.core.StringContains.containsString;
+
+@OpenSearchIntegTestCase.ClusterScope(scope = OpenSearchIntegTestCase.Scope.SUITE, supportsDedicatedMasters = false, numDataNodes = 1)
+public class IdentityAuthenticationIT extends HttpSmokeTestCase {
+
+    @Override
+    protected Settings nodeSettings(int nodeOrdinal) {
+        return Settings.builder()
+            .put(super.nodeSettings(nodeOrdinal))
+            .put(FeatureFlags.IDENTITY, "true")
+            .build();
+    }
+
+    @Override
+    protected Collection<Class<? extends Plugin>> nodePlugins() {
+        return Arrays.asList(OpenSearchTestCase.getTestTransportPlugin(), Netty4ModulePlugin.class, NioTransportPlugin.class, ShiroIdentityPlugin.class);
+    }
+
+
+    public void testBasicAuthSuccess() throws Exception {
+        final Response response = createHealthRequest("Basic YWRtaW46YWRtaW4="); // admin:admin
+        final String content = new String(response.getEntity().getContent().readAllBytes(), StandardCharsets.UTF_8);
+
+        Assert.assertThat(content, response.getStatusLine().getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+        Assert.assertThat(content, containsString("green"));
+    }
+
+    public void testBasicAuthUnauthorized_invalidHeader() throws Exception {
+        final Response response = createHealthRequest("Basic aaaa"); // invalid username password
+        final String content = new String(response.getEntity().getContent().readAllBytes(), StandardCharsets.UTF_8);
+
+        Assert.assertThat(content, response.getStatusLine().getStatusCode(), equalTo(RestStatus.UNAUTHORIZED.getStatus()));
+        Assert.assertThat(content, containsString("Illegally formed basic authorization header"));
+    }
+
+    public void testBasicAuthUnauthorized_wrongPassword() throws Exception {
+        final Response response = createHealthRequest("Basic YWRtaW46aW52YWxpZFBhc3N3b3Jk"); // admin:invalidPassword
+        final String content = new String(response.getEntity().getContent().readAllBytes(), StandardCharsets.UTF_8);
+
+        Assert.assertThat(content, response.getStatusLine().getStatusCode(), equalTo(RestStatus.UNAUTHORIZED.getStatus()));
+    }
+
+    public void testBasicAuthUnauthorized_unknownUser() throws Exception {
+        final Response response = createHealthRequest("Basic dXNlcjpkb2VzTm90RXhpc3Q="); // user:doesNotExist
+        final String content = new String(response.getEntity().getContent().readAllBytes(), StandardCharsets.UTF_8);
+
+        Assert.assertThat(content, response.getStatusLine().getStatusCode(), equalTo(RestStatus.UNAUTHORIZED.getStatus()));
+    }
+
+    private Response createHealthRequest(final String authorizationHeaderValue) throws Exception {
+        final Request request = new Request("GET", "/_cluster/health");
+        final RequestOptions options = RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", authorizationHeaderValue).build();
+        request.setOptions(options);
+
+        try {
+            final Response response = OpenSearchIntegTestCase.getRestClient().performRequest(request);
+            return response;
+        } catch (final ResponseException re) {
+            return re.getResponse();
+        }
+    }
+}
diff --git a/server/src/internalClusterTest/java/org/opensearch/indices/replication/SegmentReplicationIT.java b/server/src/internalClusterTest/java/org/opensearch/indices/replication/SegmentReplicationIT.java
index 59713cf0642f6..14717f3cca1cc 100644
--- a/server/src/internalClusterTest/java/org/opensearch/indices/replication/SegmentReplicationIT.java
+++ b/server/src/internalClusterTest/java/org/opensearch/indices/replication/SegmentReplicationIT.java
@@ -359,7 +359,7 @@ public void testClosedIndices() {
 
     /**
      * This test validates the primary node drop does not result in shard failure on replica.
-     * @throws Exception
+     * @throws Exception when issue is encountered
      */
     public void testNodeDropWithOngoingReplication() throws Exception {
         internalCluster().startClusterManagerOnlyNode();
@@ -870,7 +870,7 @@ public void testPressureServiceStats() throws Exception {
 
     /**
      * Tests a scroll query on the replica
-     * @throws Exception
+     * @throws Exception when issue is encountered
      */
     public void testScrollCreatedOnReplica() throws Exception {
         // create the cluster with one primary node containing primary shard and replica node containing replica shard
@@ -959,7 +959,7 @@ public void testScrollCreatedOnReplica() throws Exception {
      * Tests that when scroll query is cleared, it does not delete the temporary replication files, which are part of
      * ongoing round of segment replication
      *
-     * @throws Exception
+     * @throws Exception when issue is encountered
      */
     public void testScrollWithOngoingSegmentReplication() throws Exception {
         // create the cluster with one primary node containing primary shard and replica node containing replica shard
diff --git a/server/src/main/java/org/opensearch/action/ActionModule.java b/server/src/main/java/org/opensearch/action/ActionModule.java
index 24f688155c369..5141e9e1ebd38 100644
--- a/server/src/main/java/org/opensearch/action/ActionModule.java
+++ b/server/src/main/java/org/opensearch/action/ActionModule.java
@@ -295,6 +295,7 @@
 import org.opensearch.extensions.action.ExtensionProxyAction;
 import org.opensearch.extensions.action.ExtensionProxyTransportAction;
 import org.opensearch.index.seqno.RetentionLeaseActions;
+import org.opensearch.identity.IdentityService;
 import org.opensearch.indices.SystemIndices;
 import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.persistent.CompletionPersistentTaskAction;
@@ -512,7 +513,8 @@ public ActionModule(
         NodeClient nodeClient,
         CircuitBreakerService circuitBreakerService,
         UsageService usageService,
-        SystemIndices systemIndices
+        SystemIndices systemIndices,
+        IdentityService identityService
     ) {
         this.settings = settings;
         this.indexNameExpressionResolver = indexNameExpressionResolver;
@@ -548,7 +550,7 @@ public ActionModule(
             actionPlugins.stream().flatMap(p -> p.indicesAliasesRequestValidators().stream()).collect(Collectors.toList())
         );
 
-        restController = new RestController(headers, restWrapper, nodeClient, circuitBreakerService, usageService);
+        restController = new RestController(headers, restWrapper, nodeClient, circuitBreakerService, usageService, identityService);
     }
 
     public Map<String, ActionHandler<?, ?>> getActions() {
diff --git a/server/src/main/java/org/opensearch/common/settings/FeatureFlagSettings.java b/server/src/main/java/org/opensearch/common/settings/FeatureFlagSettings.java
index 0f819ad02bf0e..b869ef9d16d44 100644
--- a/server/src/main/java/org/opensearch/common/settings/FeatureFlagSettings.java
+++ b/server/src/main/java/org/opensearch/common/settings/FeatureFlagSettings.java
@@ -37,6 +37,7 @@ protected FeatureFlagSettings(
                 FeatureFlags.SEGMENT_REPLICATION_EXPERIMENTAL_SETTING,
                 FeatureFlags.REMOTE_STORE_SETTING,
                 FeatureFlags.EXTENSIONS_SETTING,
+                FeatureFlags.IDENTITY_SETTING,
                 FeatureFlags.SEARCH_PIPELINE_SETTING
             )
         )
diff --git a/server/src/main/java/org/opensearch/common/util/FeatureFlags.java b/server/src/main/java/org/opensearch/common/util/FeatureFlags.java
index 34d0feeaeb525..d8e6f3784debd 100644
--- a/server/src/main/java/org/opensearch/common/util/FeatureFlags.java
+++ b/server/src/main/java/org/opensearch/common/util/FeatureFlags.java
@@ -52,6 +52,11 @@ public class FeatureFlags {
      */
     public static final String SEARCH_PIPELINE = "opensearch.experimental.feature.search_pipeline.enabled";
 
+    /**
+     * Gates the functionality of identity.
+     */
+    public static final String IDENTITY = "opensearch.experimental.feature.identity.enabled";
+
     /**
      * Should store the settings from opensearch.yml.
      */
@@ -91,4 +96,5 @@ public static boolean isEnabled(String featureFlagName) {
     public static final Setting<Boolean> EXTENSIONS_SETTING = Setting.boolSetting(EXTENSIONS, false, Property.NodeScope);
 
     public static final Setting<Boolean> SEARCH_PIPELINE_SETTING = Setting.boolSetting(SEARCH_PIPELINE, false, Property.NodeScope);
+    public static final Setting<Boolean> IDENTITY_SETTING = Setting.boolSetting(IDENTITY, false, Property.NodeScope);
 }
diff --git a/server/src/main/java/org/opensearch/identity/IdentityService.java b/server/src/main/java/org/opensearch/identity/IdentityService.java
new file mode 100644
index 0000000000000..e7e785ba75231
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/IdentityService.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.identity;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchException;
+import org.opensearch.identity.noop.NoopIdentityPlugin;
+import java.util.List;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.plugins.IdentityPlugin;
+import java.util.stream.Collectors;
+
+/**
+ * Identity and access control for OpenSearch.
+ *
+ * @opensearch.experimental
+ * */
+public class IdentityService {
+    private static final Logger log = LogManager.getLogger(IdentityService.class);
+
+    private final Settings settings;
+    private final IdentityPlugin identityPlugin;
+
+    public IdentityService(final Settings settings, final List<IdentityPlugin> identityPlugins) {
+        this.settings = settings;
+
+        if (identityPlugins.size() == 0) {
+            log.debug("Identity plugins size is 0");
+            identityPlugin = new NoopIdentityPlugin();
+        } else if (identityPlugins.size() == 1) {
+            log.debug("Identity plugins size is 1");
+            identityPlugin = identityPlugins.get(0);
+        } else {
+            throw new OpenSearchException(
+                "Multiple identity plugins are not supported, found: "
+                    + identityPlugins.stream().map(Object::getClass).map(Class::getName).collect(Collectors.joining(","))
+            );
+        }
+    }
+
+    /**
+     * Gets the current subject
+     */
+    public Subject getSubject() {
+        return identityPlugin.getSubject();
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/NamedPrincipal.java b/server/src/main/java/org/opensearch/identity/NamedPrincipal.java
new file mode 100644
index 0000000000000..f30d307bdf592
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/NamedPrincipal.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.identity;
+
+import java.security.Principal;
+import java.util.Objects;
+
+/**
+ * Create a principal from a string
+ *
+ * @opensearch.experimental
+ */
+public class NamedPrincipal implements Principal {
+
+    /**
+     * Represents a principal which has not been authenticated
+     */
+    public static final NamedPrincipal UNAUTHENTICATED = new NamedPrincipal("Unauthenticated");
+
+    private final String name;
+
+    /**
+     * Creates a principal for an identity specified as a string
+     * @param name A persistent string that represent an identity
+     */
+    public NamedPrincipal(final String name) {
+        this.name = name;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+        if (this == obj) return true;
+        if (obj == null || getClass() != obj.getClass()) return false;
+        final Principal that = (Principal) obj;
+        return Objects.equals(name, that.getName());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(name);
+    }
+
+    @Override
+    public String toString() {
+        return "NamedPrincipal(" + "name=" + name + ")";
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/Subject.java b/server/src/main/java/org/opensearch/identity/Subject.java
new file mode 100644
index 0000000000000..cbfdadb5cf6a7
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/Subject.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.identity;
+
+import org.opensearch.identity.tokens.AuthToken;
+
+import java.security.Principal;
+
+/**
+ * An individual, process, or device that causes information to flow among objects or change to the system state.
+ *
+ * @opensearch.experimental
+ */
+public interface Subject {
+
+    /**
+     * Get the application-wide uniquely identifying principal
+     * */
+    Principal getPrincipal();
+
+    /**
+     * Authenticate via an auth token
+     * throws UnsupportedAuthenticationMethod
+     * throws InvalidAuthenticationToken
+     * throws SubjectNotFound
+     * throws SubjectDisabled
+     */
+    void authenticate(final AuthToken token);
+}
diff --git a/server/src/main/java/org/opensearch/identity/noop/NoopIdentityPlugin.java b/server/src/main/java/org/opensearch/identity/noop/NoopIdentityPlugin.java
new file mode 100644
index 0000000000000..437c059684565
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/noop/NoopIdentityPlugin.java
@@ -0,0 +1,32 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.noop;
+
+import org.opensearch.plugins.IdentityPlugin;
+import org.opensearch.identity.Subject;
+
+/**
+ * Implementation of identity plugin that does not enforce authentication or authorization
+ *
+ * This class and related classes in this package will not return nulls or fail access checks
+ *
+ * @opensearch.internal
+ */
+public class NoopIdentityPlugin implements IdentityPlugin {
+
+    /**
+     * Get the current subject
+     * @return Must never return null
+     */
+    @Override
+    public Subject getSubject() {
+        return new NoopSubject();
+    }
+
+}
diff --git a/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java b/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
new file mode 100644
index 0000000000000..801225fb16ad3
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
@@ -0,0 +1,57 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.noop;
+
+import java.security.Principal;
+import java.util.Objects;
+
+import org.opensearch.identity.NamedPrincipal;
+import org.opensearch.identity.tokens.AuthToken;
+import org.opensearch.identity.Subject;
+
+/**
+ * Implementation of subject that is always authenticated
+ *
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * @opensearch.internal
+ */
+public class NoopSubject implements Subject {
+
+    @Override
+    public Principal getPrincipal() {
+        return NamedPrincipal.UNAUTHENTICATED;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) return true;
+        if (obj == null || getClass() != obj.getClass()) return false;
+        Subject that = (Subject) obj;
+        return Objects.equals(getPrincipal(), that.getPrincipal());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(getPrincipal());
+    }
+
+    @Override
+    public String toString() {
+        return "NoopSubject(principal=" + getPrincipal() + ")";
+    }
+
+    /**
+     * Logs the user in
+     */
+    @Override
+    public void authenticate(AuthToken AuthToken) {
+        // Do nothing as noop subject is always logged in
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/noop/package-info.java b/server/src/main/java/org/opensearch/identity/noop/package-info.java
new file mode 100644
index 0000000000000..fcdd70db7f020
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/noop/package-info.java
@@ -0,0 +1,10 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/** Classes for the noop authentication in OpenSearch */
+package org.opensearch.identity.noop;
diff --git a/server/src/main/java/org/opensearch/identity/package-info.java b/server/src/main/java/org/opensearch/identity/package-info.java
new file mode 100644
index 0000000000000..4693206af62a5
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/package-info.java
@@ -0,0 +1,7 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/** Core identity and access controls for OpenSearch */
+package org.opensearch.identity;
diff --git a/server/src/main/java/org/opensearch/identity/tokens/AuthToken.java b/server/src/main/java/org/opensearch/identity/tokens/AuthToken.java
new file mode 100644
index 0000000000000..6e113f6eaa96a
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/tokens/AuthToken.java
@@ -0,0 +1,18 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.tokens;
+
+/**
+ * Interface for all token formats to support to authenticate user such as UserName/Password tokens, Access tokens, and more.
+ *
+ * @opensearch.experimental
+ */
+public interface AuthToken {
+
+}
diff --git a/server/src/main/java/org/opensearch/identity/tokens/BasicAuthToken.java b/server/src/main/java/org/opensearch/identity/tokens/BasicAuthToken.java
new file mode 100644
index 0000000000000..e5000cb3d6965
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/tokens/BasicAuthToken.java
@@ -0,0 +1,44 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.tokens;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+/**
+ * Basic (Base64 encoded) Authentication Token in a http request header
+ */
+public final class BasicAuthToken implements AuthToken {
+
+    public final static String TOKEN_IDENIFIER = "Basic";
+
+    private String user;
+    private String password;
+
+    public BasicAuthToken(final String headerValue) {
+        final String base64Encoded = headerValue.substring(TOKEN_IDENIFIER.length()).trim();
+        final byte[] rawDecoded = Base64.getDecoder().decode(base64Encoded);
+        final String usernamepassword = new String(rawDecoded, StandardCharsets.UTF_8);
+
+        final String[] tokenParts = usernamepassword.split(":", 2);
+        if (tokenParts.length != 2) {
+            throw new IllegalStateException("Illegally formed basic authorization header " + tokenParts[0]);
+        }
+        user = tokenParts[0];
+        password = tokenParts[1];
+    }
+
+    public String getUser() {
+        return user;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/tokens/RestTokenExtractor.java b/server/src/main/java/org/opensearch/identity/tokens/RestTokenExtractor.java
new file mode 100644
index 0000000000000..eaeacdb240fd9
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/tokens/RestTokenExtractor.java
@@ -0,0 +1,56 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+package org.opensearch.identity.tokens;
+
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
+import org.opensearch.common.Strings;
+import org.opensearch.rest.RestRequest;
+
+import java.util.Collections;
+import java.util.Optional;
+
+/**
+ * Extracts tokens from RestRequests used for authentication
+ */
+public class RestTokenExtractor {
+
+    private static final Logger logger = LogManager.getLogger(RestTokenExtractor.class);
+
+    public final static String AUTH_HEADER_NAME = "Authorization";
+
+    /**
+     * Given a rest request it will extract authentication token
+     *
+     * If no token was found, returns null.
+     */
+    public static AuthToken extractToken(final RestRequest request) {
+
+        // Extract authentication information from headers
+        final Optional<String> authHeaderValue = request.getHeaders()
+            .getOrDefault(AUTH_HEADER_NAME, Collections.emptyList())
+            .stream()
+            .findFirst();
+
+        if (authHeaderValue.isPresent()) {
+            final String authHeaderValueStr = authHeaderValue.get();
+
+            if (authHeaderValueStr.startsWith(BasicAuthToken.TOKEN_IDENIFIER)) {
+                return new BasicAuthToken(authHeaderValueStr);
+            } else {
+                if (logger.isDebugEnabled()) {
+                    String tokenTypeTruncated = Strings.substring(authHeaderValueStr, 0, 5);
+                    logger.debug("An authentication header was detected but the token type was not supported " + tokenTypeTruncated);
+                }
+            }
+        }
+
+        logger.trace("No auth token could be extracted");
+        return null;
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/tokens/package-info.java b/server/src/main/java/org/opensearch/identity/tokens/package-info.java
new file mode 100644
index 0000000000000..b63ea40c61659
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/tokens/package-info.java
@@ -0,0 +1,10 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/** Classes for the authentication tokens in OpenSearch */
+package org.opensearch.identity.tokens;
diff --git a/server/src/main/java/org/opensearch/node/Node.java b/server/src/main/java/org/opensearch/node/Node.java
index 78e4f95724580..8ce3d5f801151 100644
--- a/server/src/main/java/org/opensearch/node/Node.java
+++ b/server/src/main/java/org/opensearch/node/Node.java
@@ -147,6 +147,7 @@
 import org.opensearch.gateway.MetaStateService;
 import org.opensearch.gateway.PersistedClusterStateService;
 import org.opensearch.http.HttpServerTransport;
+import org.opensearch.identity.IdentityService;
 import org.opensearch.index.IndexSettings;
 import org.opensearch.index.analysis.AnalysisRegistry;
 import org.opensearch.index.engine.EngineFactory;
@@ -179,6 +180,7 @@
 import org.opensearch.plugins.ClusterPlugin;
 import org.opensearch.plugins.DiscoveryPlugin;
 import org.opensearch.plugins.EnginePlugin;
+import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.IndexStorePlugin;
 import org.opensearch.plugins.IngestPlugin;
 import org.opensearch.plugins.MapperPlugin;
@@ -456,6 +458,15 @@ protected Node(
             // Ensure to initialize Feature Flags via the settings from opensearch.yml
             FeatureFlags.initializeFeatureFlags(settings);
 
+            final List<IdentityPlugin> identityPlugins = new ArrayList<>();
+            if (FeatureFlags.isEnabled(FeatureFlags.IDENTITY)) {
+                // If identity is enabled load plugins implementing the extension point
+                logger.info("Identity on so found plugins implementing: " + pluginsService.filterPlugins(IdentityPlugin.class).toString());
+                identityPlugins.addAll(pluginsService.filterPlugins(IdentityPlugin.class));
+            }
+
+            final IdentityService identityService = new IdentityService(settings, identityPlugins);
+
             if (FeatureFlags.isEnabled(FeatureFlags.EXTENSIONS)) {
                 this.extensionsManager = new ExtensionsManager(tmpSettings, initialEnvironment.extensionDir());
             } else {
@@ -814,7 +825,8 @@ protected Node(
                 client,
                 circuitBreakerService,
                 usageService,
-                systemIndices
+                systemIndices,
+                identityService
             );
             modules.add(actionModule);
 
@@ -1126,6 +1138,7 @@ protected Node(
                 b.bind(ShardLimitValidator.class).toInstance(shardLimitValidator);
                 b.bind(FsHealthService.class).toInstance(fsHealthService);
                 b.bind(SystemIndices.class).toInstance(systemIndices);
+                b.bind(IdentityService.class).toInstance(identityService);
             });
             injector = modules.createInjector();
 
diff --git a/server/src/main/java/org/opensearch/plugins/IdentityPlugin.java b/server/src/main/java/org/opensearch/plugins/IdentityPlugin.java
new file mode 100644
index 0000000000000..4cb15f4ab3cbe
--- /dev/null
+++ b/server/src/main/java/org/opensearch/plugins/IdentityPlugin.java
@@ -0,0 +1,26 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.plugins;
+
+import org.opensearch.identity.Subject;
+
+/**
+ * Plugin that provides identity and access control for OpenSearch
+ *
+ * @opensearch.experimental
+ */
+public interface IdentityPlugin {
+
+    /**
+     * Get the current subject
+     *
+     * Should never return null
+     * */
+    public Subject getSubject();
+}
diff --git a/server/src/main/java/org/opensearch/rest/RestController.java b/server/src/main/java/org/opensearch/rest/RestController.java
index fc23613c9913b..69cfa98a06fb9 100644
--- a/server/src/main/java/org/opensearch/rest/RestController.java
+++ b/server/src/main/java/org/opensearch/rest/RestController.java
@@ -47,9 +47,14 @@
 import org.opensearch.common.path.PathTrie;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.common.util.FeatureFlags;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.internal.io.Streams;
 import org.opensearch.http.HttpServerTransport;
+import org.opensearch.identity.IdentityService;
+import org.opensearch.identity.Subject;
+import org.opensearch.identity.tokens.AuthToken;
+import org.opensearch.identity.tokens.RestTokenExtractor;
 import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.usage.UsageService;
 
@@ -110,13 +115,15 @@ public class RestController implements HttpServerTransport.Dispatcher {
     /** Rest headers that are copied to internal requests made during a rest request. */
     private final Set<RestHeaderDefinition> headersToCopy;
     private final UsageService usageService;
+    private final IdentityService identityService;
 
     public RestController(
         Set<RestHeaderDefinition> headersToCopy,
         UnaryOperator<RestHandler> handlerWrapper,
         NodeClient client,
         CircuitBreakerService circuitBreakerService,
-        UsageService usageService
+        UsageService usageService,
+        IdentityService identityService
     ) {
         this.headersToCopy = headersToCopy;
         this.usageService = usageService;
@@ -126,6 +133,7 @@ public RestController(
         this.handlerWrapper = handlerWrapper;
         this.client = client;
         this.circuitBreakerService = circuitBreakerService;
+        this.identityService = identityService;
         registerHandlerNoWrap(
             RestRequest.Method.GET,
             "/favicon.ico",
@@ -395,6 +403,11 @@ private void tryAllHandlers(final RestRequest request, final RestChannel channel
                         return;
                     }
                 } else {
+                    if (FeatureFlags.isEnabled(FeatureFlags.IDENTITY)) {
+                        if (!handleAuthenticateUser(request, channel)) {
+                            return;
+                        }
+                    }
                     dispatchRequest(request, channel, handler);
                     return;
                 }
@@ -505,6 +518,41 @@ private void handleBadRequest(String uri, RestRequest.Method method, RestChannel
         }
     }
 
+    /**
+     * Attempts to extract auth token and login.
+     *
+     * @returns false if there was an error and the request should not continue being dispatched
+     * */
+    private boolean handleAuthenticateUser(final RestRequest request, final RestChannel channel) {
+        try {
+            final AuthToken token = RestTokenExtractor.extractToken(request);
+            // If no token was found, continue executing the request
+            if (token == null) {
+                // Authentication did not fail so return true. Authorization is handled at the action level.
+                return true;
+            }
+            final Subject currentSubject = identityService.getSubject();
+            currentSubject.authenticate(token);
+            logger.debug("Logged in as user " + currentSubject);
+        } catch (final Exception e) {
+            try {
+                final BytesRestResponse bytesRestResponse = BytesRestResponse.createSimpleErrorResponse(
+                    channel,
+                    RestStatus.UNAUTHORIZED,
+                    e.getMessage()
+                );
+                channel.sendResponse(bytesRestResponse);
+            } catch (final Exception ex) {
+                final BytesRestResponse bytesRestResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, ex.getMessage());
+                channel.sendResponse(bytesRestResponse);
+            }
+            return false;
+        }
+
+        // Authentication did not fail so return true. Authorization is handled at the action level.
+        return true;
+    }
+
     /**
      * Get the valid set of HTTP methods for a REST request.
      */
diff --git a/server/src/test/java/org/opensearch/action/ActionModuleTests.java b/server/src/test/java/org/opensearch/action/ActionModuleTests.java
index 94ebf0fcf8816..41375dc005ef3 100644
--- a/server/src/test/java/org/opensearch/action/ActionModuleTests.java
+++ b/server/src/test/java/org/opensearch/action/ActionModuleTests.java
@@ -32,6 +32,7 @@
 
 package org.opensearch.action;
 
+import java.util.ArrayList;
 import org.opensearch.action.ActionModule.DynamicActionRegistry;
 import org.opensearch.action.main.MainAction;
 import org.opensearch.action.main.TransportMainAction;
@@ -50,6 +51,7 @@
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.extensions.action.ExtensionAction;
 import org.opensearch.extensions.action.ExtensionTransportAction;
+import org.opensearch.identity.IdentityService;
 import org.opensearch.plugins.ActionPlugin;
 import org.opensearch.plugins.ActionPlugin.ActionHandler;
 
@@ -143,7 +145,8 @@ public void testSetupRestHandlerContainsKnownBuiltin() {
             null,
             null,
             usageService,
-            null
+            null,
+            new IdentityService(Settings.EMPTY, new ArrayList<>())
         );
         actionModule.initRestHandlers(null);
         // At this point the easiest way to confirm that a handler is loaded is to try to register another one on top of it and to fail
@@ -199,6 +202,7 @@ public String getName() {
                 null,
                 null,
                 usageService,
+                null,
                 null
             );
             Exception e = expectThrows(IllegalArgumentException.class, () -> actionModule.initRestHandlers(null));
@@ -248,6 +252,7 @@ public List<RestHandler> getRestHandlers(
                 null,
                 null,
                 usageService,
+                null,
                 null
             );
             actionModule.initRestHandlers(null);
diff --git a/server/src/test/java/org/opensearch/bootstrap/IdentityPluginTests.java b/server/src/test/java/org/opensearch/bootstrap/IdentityPluginTests.java
new file mode 100644
index 0000000000000..5595fdd564d01
--- /dev/null
+++ b/server/src/test/java/org/opensearch/bootstrap/IdentityPluginTests.java
@@ -0,0 +1,36 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.bootstrap;
+
+import java.util.List;
+import org.opensearch.OpenSearchException;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.identity.IdentityService;
+import org.opensearch.identity.noop.NoopIdentityPlugin;
+import org.opensearch.plugins.IdentityPlugin;
+import org.opensearch.test.OpenSearchTestCase;
+
+public class IdentityPluginTests extends OpenSearchTestCase {
+
+    public void testSingleIdentityPluginSucceeds() {
+        IdentityPlugin identityPlugin1 = new NoopIdentityPlugin();
+        List<IdentityPlugin> pluginList = List.of(identityPlugin1);
+        IdentityService identityService = new IdentityService(Settings.EMPTY, pluginList);
+        assertTrue(identityService.getSubject().getPrincipal().getName().equalsIgnoreCase("Unauthenticated"));
+    }
+
+    public void testMultipleIdentityPluginsFail() {
+        IdentityPlugin identityPlugin1 = new NoopIdentityPlugin();
+        IdentityPlugin identityPlugin2 = new NoopIdentityPlugin();
+        IdentityPlugin identityPlugin3 = new NoopIdentityPlugin();
+        List<IdentityPlugin> pluginList = List.of(identityPlugin1, identityPlugin2, identityPlugin3);
+        Exception ex = assertThrows(OpenSearchException.class, () -> new IdentityService(Settings.EMPTY, pluginList));
+        assert (ex.getMessage().contains("Multiple identity plugins are not supported,"));
+    }
+}
diff --git a/server/src/test/java/org/opensearch/extensions/ExtensionsManagerTests.java b/server/src/test/java/org/opensearch/extensions/ExtensionsManagerTests.java
index dbbd25fd9e4e4..437c2d5690df7 100644
--- a/server/src/test/java/org/opensearch/extensions/ExtensionsManagerTests.java
+++ b/server/src/test/java/org/opensearch/extensions/ExtensionsManagerTests.java
@@ -70,6 +70,7 @@
 import org.opensearch.extensions.proto.ExtensionRequestProto;
 import org.opensearch.extensions.rest.RegisterRestActionsRequest;
 import org.opensearch.extensions.settings.RegisterCustomSettingsRequest;
+import org.opensearch.identity.IdentityService;
 import org.opensearch.index.IndexModule;
 import org.opensearch.index.IndexSettings;
 import org.opensearch.index.analysis.AnalysisRegistry;
@@ -166,7 +167,8 @@ public void setup() throws Exception {
             null,
             new NodeClient(Settings.EMPTY, threadPool),
             new NoneCircuitBreakerService(),
-            new UsageService()
+            new UsageService(),
+            new IdentityService(Settings.EMPTY, List.of())
         );
         when(actionModule.getRestController()).thenReturn(restController);
         settingsModule = new SettingsModule(Settings.EMPTY, emptyList(), emptyList(), emptySet());
diff --git a/server/src/test/java/org/opensearch/rest/RestControllerTests.java b/server/src/test/java/org/opensearch/rest/RestControllerTests.java
index bffda441b5dcf..73b3bf21392f3 100644
--- a/server/src/test/java/org/opensearch/rest/RestControllerTests.java
+++ b/server/src/test/java/org/opensearch/rest/RestControllerTests.java
@@ -52,6 +52,7 @@
 import org.opensearch.http.HttpResponse;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpStats;
+import org.opensearch.identity.IdentityService;
 import org.opensearch.indices.breaker.HierarchyCircuitBreakerService;
 import org.opensearch.test.OpenSearchTestCase;
 import org.opensearch.test.client.NoOpNodeClient;
@@ -91,6 +92,7 @@ public class RestControllerTests extends OpenSearchTestCase {
     private RestController restController;
     private HierarchyCircuitBreakerService circuitBreakerService;
     private UsageService usageService;
+    private IdentityService identityService;
     private NodeClient client;
 
     @Before
@@ -108,9 +110,11 @@ public void setup() {
         // we can do this here only because we know that we don't adjust breaker settings dynamically in the test
         inFlightRequestsBreaker = circuitBreakerService.getBreaker(CircuitBreaker.IN_FLIGHT_REQUESTS);
 
+        identityService = new IdentityService(Settings.EMPTY, List.of());
+
         HttpServerTransport httpServerTransport = new TestHttpServerTransport();
         client = new NoOpNodeClient(this.getTestName());
-        restController = new RestController(Collections.emptySet(), null, client, circuitBreakerService, usageService);
+        restController = new RestController(Collections.emptySet(), null, client, circuitBreakerService, usageService, identityService);
         restController.registerHandler(
             RestRequest.Method.GET,
             "/",
@@ -135,7 +139,7 @@ public void testApplyRelevantHeaders() throws Exception {
         Set<RestHeaderDefinition> headers = new HashSet<>(
             Arrays.asList(new RestHeaderDefinition("header.1", true), new RestHeaderDefinition("header.2", true))
         );
-        final RestController restController = new RestController(headers, null, null, circuitBreakerService, usageService);
+        final RestController restController = new RestController(headers, null, null, circuitBreakerService, usageService, identityService);
         Map<String, List<String>> restHeaders = new HashMap<>();
         restHeaders.put("header.1", Collections.singletonList("true"));
         restHeaders.put("header.2", Collections.singletonList("true"));
@@ -171,7 +175,7 @@ public void testRequestWithDisallowedMultiValuedHeader() {
         Set<RestHeaderDefinition> headers = new HashSet<>(
             Arrays.asList(new RestHeaderDefinition("header.1", true), new RestHeaderDefinition("header.2", false))
         );
-        final RestController restController = new RestController(headers, null, null, circuitBreakerService, usageService);
+        final RestController restController = new RestController(headers, null, null, circuitBreakerService, usageService, identityService);
         Map<String, List<String>> restHeaders = new HashMap<>();
         restHeaders.put("header.1", Collections.singletonList("boo"));
         restHeaders.put("header.2", Arrays.asList("foo", "bar"));
@@ -186,7 +190,14 @@ public void testRequestWithDisallowedMultiValuedHeaderButSameValues() {
         Set<RestHeaderDefinition> headers = new HashSet<>(
             Arrays.asList(new RestHeaderDefinition("header.1", true), new RestHeaderDefinition("header.2", false))
         );
-        final RestController restController = new RestController(headers, null, client, circuitBreakerService, usageService);
+        final RestController restController = new RestController(
+            headers,
+            null,
+            client,
+            circuitBreakerService,
+            usageService,
+            identityService
+        );
         Map<String, List<String>> restHeaders = new HashMap<>();
         restHeaders.put("header.1", Collections.singletonList("boo"));
         restHeaders.put("header.2", Arrays.asList("foo", "foo"));
@@ -247,7 +258,7 @@ public void testRegisterWithDeprecatedHandler() {
     }
 
     public void testRegisterSecondMethodWithDifferentNamedWildcard() {
-        final RestController restController = new RestController(null, null, null, circuitBreakerService, usageService);
+        final RestController restController = new RestController(null, null, null, circuitBreakerService, usageService, identityService);
 
         RestRequest.Method firstMethod = randomFrom(RestRequest.Method.values());
         RestRequest.Method secondMethod = randomFrom(
@@ -275,7 +286,7 @@ public void testRestHandlerWrapper() throws Exception {
         final RestController restController = new RestController(Collections.emptySet(), h -> {
             assertSame(handler, h);
             return (RestRequest request, RestChannel channel, NodeClient client) -> wrapperCalled.set(true);
-        }, client, circuitBreakerService, usageService);
+        }, client, circuitBreakerService, usageService, identityService);
         restController.registerHandler(RestRequest.Method.GET, "/wrapped", handler);
         RestRequest request = testRestRequest("/wrapped", "{}", XContentType.JSON);
         AssertingChannel channel = new AssertingChannel(request, true, RestStatus.BAD_REQUEST);
@@ -338,7 +349,7 @@ public void testDispatchRequiresContentTypeForRequestsWithContent() {
         String content = randomAlphaOfLength((int) Math.round(BREAKER_LIMIT.getBytes() / inFlightRequestsBreaker.getOverhead()));
         RestRequest request = testRestRequest("/", content, null);
         AssertingChannel channel = new AssertingChannel(request, true, RestStatus.NOT_ACCEPTABLE);
-        restController = new RestController(Collections.emptySet(), null, null, circuitBreakerService, usageService);
+        restController = new RestController(Collections.emptySet(), null, null, circuitBreakerService, usageService, identityService);
         restController.registerHandler(
             RestRequest.Method.GET,
             "/",
diff --git a/server/src/test/java/org/opensearch/rest/RestHttpResponseHeadersTests.java b/server/src/test/java/org/opensearch/rest/RestHttpResponseHeadersTests.java
index 2ac2b3bb5a964..c1f5cd6ddf8bd 100644
--- a/server/src/test/java/org/opensearch/rest/RestHttpResponseHeadersTests.java
+++ b/server/src/test/java/org/opensearch/rest/RestHttpResponseHeadersTests.java
@@ -37,6 +37,7 @@
 import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.identity.IdentityService;
 import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.indices.breaker.HierarchyCircuitBreakerService;
 import org.opensearch.test.OpenSearchTestCase;
@@ -104,7 +105,15 @@ public void testUnsupportedMethodResponseHttpHeader() throws Exception {
 
         final Settings settings = Settings.EMPTY;
         UsageService usageService = new UsageService();
-        RestController restController = new RestController(Collections.emptySet(), null, null, circuitBreakerService, usageService);
+        final IdentityService identityService = new IdentityService(settings, List.of());
+        RestController restController = new RestController(
+            Collections.emptySet(),
+            null,
+            null,
+            circuitBreakerService,
+            usageService,
+            identityService
+        );
 
         // A basic RestHandler handles requests to the endpoint
         RestHandler restHandler = new RestHandler() {
diff --git a/server/src/test/java/org/opensearch/rest/action/admin/indices/RestValidateQueryActionTests.java b/server/src/test/java/org/opensearch/rest/action/admin/indices/RestValidateQueryActionTests.java
index 6971aa866ccb1..e14b003e7ccad 100644
--- a/server/src/test/java/org/opensearch/rest/action/admin/indices/RestValidateQueryActionTests.java
+++ b/server/src/test/java/org/opensearch/rest/action/admin/indices/RestValidateQueryActionTests.java
@@ -31,6 +31,7 @@
 
 package org.opensearch.rest.action.admin.indices;
 
+import java.util.List;
 import org.opensearch.action.ActionListener;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionType;
@@ -43,6 +44,7 @@
 import org.opensearch.common.io.stream.NamedWriteableRegistry;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.identity.IdentityService;
 import org.opensearch.indices.breaker.NoneCircuitBreakerService;
 import org.opensearch.rest.RestController;
 import org.opensearch.rest.RestRequest;
@@ -73,7 +75,15 @@ public class RestValidateQueryActionTests extends AbstractSearchTestCase {
     private static NodeClient client = new NodeClient(Settings.EMPTY, threadPool);
 
     private static UsageService usageService = new UsageService();
-    private static RestController controller = new RestController(emptySet(), null, client, new NoneCircuitBreakerService(), usageService);
+    private static IdentityService identityService = new IdentityService(Settings.EMPTY, List.of());
+    private static RestController controller = new RestController(
+        emptySet(),
+        null,
+        client,
+        new NoneCircuitBreakerService(),
+        usageService,
+        identityService
+    );
     private static RestValidateQueryAction action = new RestValidateQueryAction();
 
     /**
diff --git a/test/framework/src/main/java/org/opensearch/test/rest/RestActionTestCase.java b/test/framework/src/main/java/org/opensearch/test/rest/RestActionTestCase.java
index eb3cb98fc113a..df2d3790d42bb 100644
--- a/test/framework/src/main/java/org/opensearch/test/rest/RestActionTestCase.java
+++ b/test/framework/src/main/java/org/opensearch/test/rest/RestActionTestCase.java
@@ -38,6 +38,7 @@
 import org.opensearch.action.ActionType;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.identity.IdentityService;
 import org.opensearch.indices.breaker.NoneCircuitBreakerService;
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.rest.RestController;
@@ -51,6 +52,7 @@
 import org.junit.Before;
 
 import java.util.Collections;
+import java.util.List;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.BiFunction;
 
@@ -65,7 +67,15 @@ public abstract class RestActionTestCase extends OpenSearchTestCase {
     @Before
     public void setUpController() {
         verifyingClient = new VerifyingClient(this.getTestName());
-        controller = new RestController(Collections.emptySet(), null, verifyingClient, new NoneCircuitBreakerService(), new UsageService());
+        final IdentityService identityService = new IdentityService(Settings.EMPTY, List.of());
+        controller = new RestController(
+            Collections.emptySet(),
+            null,
+            verifyingClient,
+            new NoneCircuitBreakerService(),
+            new UsageService(),
+            identityService
+        );
     }
 
     @After