Description
What is the bug?
SecurityLayer should not drop information from ThreadContext, which is an OpenSearch construct.
In the current setup, SecurityRestFilter drops the request headers populated in ThreadContext for a request. The OpenSearch process controls the valid list of headers that can be propagated from the HTTP layer to ThreadContext by defining them inside the ActionModule. But SecurityFilter does not consider all the whitelisted headers and abruptly drops all headers except X_OPAQUE_ID.
Problematic code line: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java#L139C13-L142C19
How can one reproduce the bug?
Steps to reproduce the behavior:
- Make a request with a custom HTTP header which is defined in ActionModule:
  curl -X GET https://localhost:9200/_search -u 'admin:passwd123456789@' --insecure -H 'queryGroupId: 9oguoImmRMy1qYe2M6W3dA'
- Try to consume this header from ThreadContext anywhere starting from your RestHandler(RestSearchAction)
What is the expected behavior?
Security plugin should retain all whitelisted headers.
What is your host/environment?
- OS: [e.g. iOS]
- Version [e.g. 22]
- Plugins
Do you have any screenshots?
If applicable, add screenshots to help explain your problem.
Do you have any additional context?
Add any other context about the problem.