[Resource Sharing] Adds a Resource Access Evaluator for standalone Resource access authorization

[DarshitChanpura]

Description

This PR adds a new privilege evaluator for evaluating access to a resource. #5281 introduced a way for plugin offload sharing and access evaluation to security plugin but that was done by requiring plugins to call verifyAccess method on their end. This leaves room for error. This new evaluator will filter all resource access requests through SecurityFilter class without requiring plugins to explicitly call verifyAccess method. It also adds support for access-levels instead of just the default one declared in the previous PR.

Notes:

1. Removes verifyAccess from the client as plugin no longer have to explicitly call the method to check user access.
2. Sharing model will be in full-effect. i.e. if a user has full access to a resource they can update, manage access or delete it.
3. Doesn't consider hierarchical access. It will be added in future PRs.

Issues Resolved

#5442

Testing

• Automated Tests

Check List

• New functionality includes testing
• New functionality has been documented
  - [ ] New Roles/Permissions have a corresponding security dashboards plugin PR
  - [ ] API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

❌ Patch coverage is 75.13661% with 91 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.80%. Comparing base (5dc83be) to head (f7ddaac).

Files with missing lines	Patch %	Lines
...org/opensearch/security/filter/SecurityFilter.java	63.52%	27 Missing and 4 partials ⚠️
...h/security/privileges/ResourceAccessEvaluator.java	70.14%	15 Missing and 5 partials ⚠️
...ecurity/resources/ResourceSharingIndexHandler.java	71.01%	18 Missing and 2 partials ⚠️
...arch/security/resources/ResourceAccessHandler.java	53.33%	7 Missing ⚠️
...ecurity/spi/resources/sharing/ResourceSharing.java	86.36%	2 Missing and 1 partial ⚠️
...tions/rest/revoke/RevokeResourceAccessRequest.java	71.42%	2 Missing ⚠️
...ource/actions/rest/share/ShareResourceRequest.java	71.42%	2 Missing ⚠️
...va/org/opensearch/security/auth/RolesInjector.java	75.00%	0 Missing and 2 partials ⚠️
...rce/actions/rest/create/CreateResourceRequest.java	50.00%	1 Missing ⚠️
...ns/rest/revoke/RevokeResourceAccessRestAction.java	92.85%	0 Missing and 1 partial ⚠️
... and 2 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5408      +/-   ##
==========================================
+ Coverage   72.78%   72.80%   +0.02%     
==========================================
  Files         398      398              
  Lines       24641    24693      +52     
  Branches     3747     3759      +12     
==========================================
+ Hits        17934    17977      +43     
- Misses       4878     4887       +9     
  Partials     1829     1829              

Files with missing lines	Coverage Δ
...org/opensearch/sample/SampleResourceExtension.java	100.00% <100.00%> (ø)
...va/org/opensearch/sample/SampleResourcePlugin.java	96.55% <ø> (-0.23%)	⬇️
...rce/actions/rest/create/UpdateResourceRequest.java	56.25% <100.00%> (+6.25%)	⬆️
...rce/actions/rest/delete/DeleteResourceRequest.java	58.33% <100.00%> (+8.33%)	⬆️
.../resource/actions/rest/get/GetResourceRequest.java	58.33% <100.00%> (+8.33%)	⬆️
...ce/actions/rest/share/ShareResourceRestAction.java	87.50% <100.00%> (+4.16%)	⬆️
...tions/transport/DeleteResourceTransportAction.java	66.66% <100.00%> (-2.78%)	⬇️
.../actions/transport/GetResourceTransportAction.java	88.88% <100.00%> (-4.96%)	⬇️
...transport/RevokeResourceAccessTransportAction.java	100.00% <100.00%> (ø)
...tions/transport/UpdateResourceTransportAction.java	77.77% <100.00%> (-2.72%)	⬇️
... and 23 more

... and 4 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[DarshitChanpura]

@nibix @cwperks All outstanding concerns have been addressed. mind re-reviewing the PR?

[cwperks]

I'd like to see if we can move this down into PrivilegesEvaluator along with the rest of the authorizers like system index and snapshot restore.

I know that one of the problems is PrivilegesEvaluatorResponse pres = eval.evaluate(context); expects a return value of PrivilegesEvaluatorResponse and not designed to be async.

I'm wondering if it makes sense to change this to either return an Optional or just handle the case where it can return null and then simply return. i.e. if the return value indicates that privilege evaluation is not done, then it means its being done async so stop here and the decision to proceed will be handled in the async call where it either proceeds through the chain or returns early with forbidden error if the user does not have access.

[DarshitChanpura]

There is a markPending() method in PrivilegeEvalResponse class. I tried using it but was not successful. I can give it another try. With rest of PrivilegeEval being synchronous there are only 2 paths forward, as i see:

1. Create a delegating handler that handles rest of the evaluation when feature is disabled or request is not of Resource type
2. Utilize markPending() to indicate that access is currently being evaluated and will be processed by the evaluator. However, due to the nature of PrivilegeEval being synchronous i'm not entirely sure if that will be helpful.

[cwperks]

markPending() looks perfectly suited for this use-case :). I see its not utilized atm as well.