[DRAFT] [Feature] Introduces resource sharing and access-control

.gitignore

@@ -43,7 +43,3 @@ out/
 build/
 gradle-build/
 .gradle/
-
-# nodejs
-node_modules/
-package-lock.json

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -43,6 +43,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -68,6 +69,10 @@
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.SpecialPermission;
 import org.opensearch.Version;
+import org.opensearch.accesscontrol.resources.EntityType;
+import org.opensearch.accesscontrol.resources.ResourceService;
+import org.opensearch.accesscontrol.resources.ResourceSharing;
+import org.opensearch.accesscontrol.resources.ShareWith;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.search.PitService;
 import org.opensearch.action.search.SearchScrollAction;
@@ -120,6 +125,8 @@
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.MapperPlugin;
 import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.ResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourcePlugin;
 import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
 import org.opensearch.plugins.SecureSettingsFactory;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
@@ -173,6 +180,10 @@
 import org.opensearch.security.privileges.RestLayerPrivilegesEvaluator;
 import org.opensearch.security.privileges.dlsfls.DlsFlsBaseContext;
 import org.opensearch.security.resolver.IndexResolverReplacer;
+import org.opensearch.security.resources.ResourceAccessHandler;
+import org.opensearch.security.resources.ResourceSharingIndexHandler;
+import org.opensearch.security.resources.ResourceSharingIndexListener;
+import org.opensearch.security.resources.ResourceSharingIndexManagementRepository;
 import org.opensearch.security.rest.DashboardsInfoAction;
 import org.opensearch.security.rest.SecurityConfigUpdateAction;
 import org.opensearch.security.rest.SecurityHealthAction;
@@ -230,9 +241,10 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     implements
         ClusterPlugin,
         MapperPlugin,
+        IdentityPlugin,
+        ResourceAccessControlPlugin,
         // CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
-        ExtensionAwarePlugin,
-        IdentityPlugin
+        ExtensionAwarePlugin
 // CS-ENFORCE-SINGLE
 
 {
@@ -268,6 +280,9 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private volatile OpensearchDynamicSetting<Boolean> transportPassiveAuthSetting;
     private volatile PasswordHasher passwordHasher;
     private volatile DlsFlsBaseContext dlsFlsBaseContext;
+    private ResourceSharingIndexManagementRepository rmr;
+    private ResourceAccessHandler resourceAccessHandler;
+    private final Set<String> indicesToListen = new HashSet<>();
 
     public static boolean isActionTraceEnabled() {
 
@@ -708,6 +723,14 @@ public void onIndexModule(IndexModule indexModule) {
                     dlsFlsBaseContext
                 )
             );
+
+            if (this.indicesToListen.contains(indexModule.getIndex().getName())) {
+                ResourceSharingIndexListener resourceSharingIndexListener = ResourceSharingIndexListener.getInstance();
+                resourceSharingIndexListener.initialize(threadPool, localClient);
+                indexModule.addIndexOperationListener(resourceSharingIndexListener);
+                log.warn("Security plugin started listening to operations on index {}", indexModule.getIndex().getName());
+            }
+
             indexModule.forceQueryCacheProvider((indexSettings, nodeCache) -> new QueryCache() {
 
                 @Override
@@ -1183,14 +1206,20 @@ public Collection<Object> createComponents(
 
         // NOTE: We need to create DefaultInterClusterRequestEvaluator before creating ConfigurationRepository since the latter requires
         // security index to be accessible which means
-        // communciation with other nodes is already up. However for the communication to be up, there needs to be trusted nodes_dn. Hence
+        // communication with other nodes is already up. However for the communication to be up, there needs to be trusted nodes_dn. Hence
         // the base values from opensearch.yml
         // is used to first establish trust between same cluster nodes and there after dynamic config is loaded if enabled.
         if (DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS.equals(className)) {
             DefaultInterClusterRequestEvaluator e = (DefaultInterClusterRequestEvaluator) interClusterRequestEvaluator;
             e.subscribeForChanges(dcf);
         }
 
+        final var resourceSharingIndex = ConfigConstants.OPENSEARCH_RESOURCE_SHARING_INDEX;
+        ResourceSharingIndexHandler rsIndexHandler = new ResourceSharingIndexHandler(resourceSharingIndex, localClient, threadPool);
+        resourceAccessHandler = new ResourceAccessHandler(threadPool, rsIndexHandler, adminDns);
+
+        rmr = ResourceSharingIndexManagementRepository.create(rsIndexHandler);
+
         components.add(adminDns);
         components.add(cr);
         components.add(xffResolver);
@@ -1367,7 +1396,7 @@ public List<Setting<?>> getSettings() {
 
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, Property.NodeScope, Property.Filtered));
             settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN + ".", Property.NodeScope)); // not filtered
-                                                                                                                            // here
+            // here
 
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_CERT_OID, Property.NodeScope, Property.Filtered));
 
@@ -1383,8 +1412,8 @@ public List<Setting<?>> getSettings() {
             );// not filtered here
 
             settings.add(Setting.boolSetting(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false, Property.NodeScope));// not
-                                                                                                                                   // filtered
-                                                                                                                                   // here
+            // filtered
+            // here
 
             settings.add(
                 Setting.boolSetting(
@@ -1428,8 +1457,8 @@ public List<Setting<?>> getSettings() {
                 Setting.boolSetting(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false, Property.NodeScope, Property.Filtered)
             );
             settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS + ".", Property.NodeScope)); // not
-                                                                                                                                    // filtered
-                                                                                                                                    // here
+            // filtered
+            // here
 
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, Property.NodeScope, Property.Filtered));
             settings.add(
@@ -2065,6 +2094,17 @@ public void onNodeStarted(DiscoveryNode localNode) {
         if (!SSLConfig.isSslOnlyMode() && !client && !disabled && !useClusterStateToInitSecurityConfig(settings)) {
             cr.initOnNodeStart();
         }
+
+        // create resource sharing index if absent
+        rmr.createResourceSharingIndexIfAbsent();
+
+        for (ResourcePlugin resourcePlugin : OpenSearchSecurityPlugin.GuiceHolder.getResourceService().listResourcePlugins()) {
+            String resourceIndex = resourcePlugin.getResourceIndex();
+
+            this.indicesToListen.add(resourceIndex);
+            log.info("Preparing to listen to index: {} of plugin: {}", resourceIndex, resourcePlugin);
+        }
+
         final Set<ModuleInfo> securityModules = ReflectionHelper.getModulesLoaded();
         log.info("{} OpenSearch Security modules loaded so far: {}", securityModules.size(), securityModules);
     }
@@ -2082,6 +2122,7 @@ public Collection<Class<? extends LifecycleComponent>> getGuiceServiceClasses()
 
         final List<Class<? extends LifecycleComponent>> services = new ArrayList<>(1);
         services.add(GuiceHolder.class);
+        log.info("Guice service classes loaded");
         return services;
     }
 
@@ -2166,12 +2207,48 @@ private void tryAddSecurityProvider() {
         });
     }
 
+    @Override
+    public <T> Set<T> getAccessibleResourcesForCurrentUser(String systemIndexName, Class<T> clazz) {
+        return this.resourceAccessHandler.getAccessibleResourcesForCurrentUser(systemIndexName, clazz);
+    }
+
+    @Override
+    public boolean hasPermission(String resourceId, String systemIndexName, String scope) {
+        return this.resourceAccessHandler.hasPermission(resourceId, systemIndexName, scope);
+    }
+
+    @Override
+    public ResourceSharing shareWith(String resourceId, String systemIndexName, ShareWith shareWith) {
+        return this.resourceAccessHandler.shareWith(resourceId, systemIndexName, shareWith);
+    }
+
+    @Override
+    public ResourceSharing revokeAccess(
+        String resourceId,
+        String systemIndexName,
+        Map<EntityType, Set<String>> entities,
+        Set<String> scopes
+    ) {
+        return this.resourceAccessHandler.revokeAccess(resourceId, systemIndexName, entities, scopes);
+    }
+
+    @Override
+    public boolean deleteResourceSharingRecord(String resourceId, String systemIndexName) {
+        return this.resourceAccessHandler.deleteResourceSharingRecord(resourceId, systemIndexName);
+    }
+
+    @Override
+    public boolean deleteAllResourceSharingRecordsForCurrentUser() {
+        return this.resourceAccessHandler.deleteAllResourceSharingRecordsForCurrentUser();
+    }
+
     public static class GuiceHolder implements LifecycleComponent {
 
         private static RepositoriesService repositoriesService;
         private static RemoteClusterService remoteClusterService;
         private static IndicesService indicesService;
         private static PitService pitService;
+        private static ResourceService resourceService;
 
         // CS-SUPPRESS-SINGLE: RegexpSingleline Extensions manager used to allow/disallow TLS connections to extensions
         private static ExtensionsManager extensionsManager;
@@ -2182,13 +2259,15 @@ public GuiceHolder(
             final TransportService remoteClusterService,
             IndicesService indicesService,
             PitService pitService,
-            ExtensionsManager extensionsManager
+            ExtensionsManager extensionsManager,
+            ResourceService resourceService
         ) {
             GuiceHolder.repositoriesService = repositoriesService;
             GuiceHolder.remoteClusterService = remoteClusterService.getRemoteClusterService();
             GuiceHolder.indicesService = indicesService;
             GuiceHolder.pitService = pitService;
             GuiceHolder.extensionsManager = extensionsManager;
+            GuiceHolder.resourceService = resourceService;
         }
         // CS-ENFORCE-SINGLE
 
@@ -2214,6 +2293,10 @@ public static ExtensionsManager getExtensionsManager() {
         }
         // CS-ENFORCE-SINGLE
 
+        public static ResourceService getResourceService() {
+            return resourceService;
+        }
+
         @Override
         public void close() {}
 

src/main/java/org/opensearch/security/auth/BackendRegistry.java

@@ -224,6 +224,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
         if (adminDns.isAdminDN(sslPrincipal)) {
             // PKI authenticated REST call
             threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, new User(sslPrincipal));
+            threadContext.putPersistent(ConfigConstants.OPENDISTRO_SECURITY_USER, new User(sslPrincipal));
             auditLog.logSucceededLogin(sslPrincipal, true, null, request);
             return true;
         }
@@ -389,6 +390,8 @@ public boolean authenticate(final SecurityRequestChannel request) {
             final User impersonatedUser = impersonate(request, authenticatedUser);
             threadPool.getThreadContext()
                 .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, impersonatedUser == null ? authenticatedUser : impersonatedUser);
+            threadPool.getThreadContext()
+                .putPersistent(ConfigConstants.OPENDISTRO_SECURITY_USER, impersonatedUser == null ? authenticatedUser : impersonatedUser);
             auditLog.logSucceededLogin(
                 (impersonatedUser == null ? authenticatedUser : impersonatedUser).getName(),
                 false,
@@ -422,6 +425,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 anonymousUser.setRequestedTenant(tenant);
 
                 threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
+                threadPool.getThreadContext().putPersistent(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
                 auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
                 if (isDebugEnabled) {
                     log.debug("Anonymous User is authenticated");

src/main/java/org/opensearch/security/filter/SecurityFilter.java

@@ -345,6 +345,7 @@ private <Request extends ActionRequest, Response extends ActionResponse> void ap
                         log.info("Transport auth in passive mode and no user found. Injecting default user");
                         user = User.DEFAULT_TRANSPORT_USER;
                         threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
+                        threadContext.putPersistent(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
                     } else {
                         log.error(
                             "No user found for "