Storing user object in all APIs and enabling filter of response based on user

[thalurur]

Signed-off-by: Ravi Thaluru [email protected]

Issue #, if available:
#75

Description of changes:

• Storing user information populated by security plugin in the APIs
  • For transforms, rollups, policies there is a high level attribute called user which stores the user information
  • For managed indices, the attached policies of the managed index will have the user information
  • None of the indexed job metadata has the user information
• Using the stored user information to run the background jobs - rollups, transforms, ism jobs
  • The user information is loaded into thread context to do this and this is only done for specific transport actions called as part of the background job - e.g. when writing data to ism config index the threadcontext will not have user information but when reading data from the source index in rollup job will have the user information in threadcontext. This will ensure an less privileged user will not be able to read/write data from other indices they don't have permissions for by creating rollup/transform jobs. Similarly when executing the policy actions the user information is added to thread context
  • Any data that was written prior to this change will not have user information in them and they are regarded as jobs with full permissions
• Enabling new setting to filter stored information based on the appropriate use permissions
  • There is a new setting which enables filtering of data returned by the IndexManagement plugin APIs, if this setting is enabled it is required that all users updating/creating jobs using IM plugin have backend roles. Other wise the request will fail
  • If the setting is enabled a user will only see data that matches their backend roles. All the existing data that is written without backend roles will not be visible to anyone (This is a limitation)

Call outs:

• One can no longer create a managed index job with a non existent policy, add policy API will verify that the policy exists and is stored with the managed index at the time of creation
• Permission check for managed indices is implemented based on a custom permission implemented as part of new Transport action called ManagedIndexAction, i.e if user has this permission on an index they will be able to manage the index - this check is implemented in AddPolicy, removePolicy, ChangePolicy, RetryFailedIndex API and the cluster event sweeper to determine the policy that should be applied to an index
• Explain API will always fail to return if user attempts to fetch indices they don't have permissions for - i.e on every index in the response the user needs to have the permission
• User information stored in the jobs is not being returned as part of the REST API responses

CheckList:
[ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #115 (e2b58a9) into main (5f6dd66) will decrease coverage by 1.75%.
The diff coverage is 57.25%.

@@             Coverage Diff              @@
##               main     #115      +/-   ##
============================================
- Coverage     77.26%   75.51%   -1.76%     
+ Complexity     1900     1893       -7     
============================================
  Files           258      259       +1     
  Lines         10523    10905     +382     
  Branches       1676     1730      +54     
============================================
+ Hits           8131     8235     +104     
- Misses         1474     1721     +247     
- Partials        918      949      +31     

Impacted Files	Coverage Δ
...agement/indexstatemanagement/model/ChangePolicy.kt	80.39% <0.00%> (ø)
...temanagement/opensearchapi/OpenSearchExtensions.kt	79.26% <ø> (-2.06%)	⬇️
...ement/step/notification/AttemptNotificationStep.kt	0.00% <0.00%> (ø)
...ent/transport/action/explain/ExplainAllResponse.kt	92.00% <0.00%> (ø)
...ent/indexstatemanagement/util/NotificationUtils.kt	0.00% <0.00%> (ø)
...ment/indexstatemanagement/util/RestHandlerUtils.kt	100.00% <ø> (+6.25%)	⬆️
...arch/indexmanagement/rollup/RollupSearchService.kt	57.40% <0.00%> (-3.38%)	⬇️
...arch/indexmanagement/transform/TransformIndexer.kt	71.73% <0.00%> (-6.84%)	⬇️
...ch/indexmanagement/transform/TransformValidator.kt	58.00% <0.00%> (-2.00%)	⬇️
...g/opensearch/indexmanagement/util/SecurityUtils.kt	20.00% <9.67%> (-24.45%)	⬇️
... and 62 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5f6dd66...e2b58a9. Read the comment docs.

[dbbaughe]

nit: Are we adding a whole dependency just for the "use" helper function? Is it not possible to just copy that helper function over? Seems a bit overkill.

[thalurur]

Yes, its added only for use method. Can copy the method instead - do we follow any rule of thumb on when to copy vs add dependency?

[dbbaughe]

I don't think there's a rule of thumb we follow.. I'd just look at dependency size (+ maintenance overhead, maintainer activity, etc.) vs what we're using from it. If it's just a simple method that we can import ourselves then might be able to not add a whole dependency, but if you find you're having to pull in a lot of things it's fine to add.

[dbbaughe]

Do we have unit tests for all the below new methods?

[thalurur]

no, don't have the tests, will add

[dbbaughe]

Few top level comments:

• Lots of changes in APIs, just confirm we are not introducing any breaking changes by removing or renaming fields or changing models etc.
• Lots of new behavior added for security, but I know we have issues running security tests locally w/ the local integ Cluster that runs. Can we still add integration tests that get filtered out if remote cluster is not used? i.e. we can still write integration tests, but they only run if isRemoteCluster && isSecurityEnabled or something.

[dbbaughe]

Curious, does this throw an exception if user is trying to access an index they can't access?

[thalurur]

No, this is a miss. Updating the check for ChangePolicy and RemovePolicy

[bowenlan-amzn]

If an existing ISM job doesn't have user info saved, what are the ways for user to adopt the new security model?
By calling change policy API?

And same question for Rollup and Transform jobs without user.

[dbbaughe]

Do we need to create new IndexManagementSecurityContext each time (here and below in while loop etc) or can we just reuse a single one?

[thalurur]

If an existing ISM job doesn't have user info saved, what are the ways for user to adopt the new security model?
By calling change policy API?

And same question for Rollup and Transform jobs without user.

Yes, updating would be the option for user to fix