Conversation

@DarshitChanpura (Member) commented Oct 1, 2025

Description

Adds an OpenSearch setting that allows cluster-admins to specify which resources must be marked as protected.

plugins.security.experimental.resource_sharing.protected_types: []
  • Category: Enhancement
  • Why are these changes required?
    To allow individual control over which resources should be access-protected.
  • What is the old behavior before changes and new behavior after changes?
    Without this change, by default, all resources onboarded to this feature will receive protection, meaning cluster-admins cannot opt out of resource-protection for specific types. With this change, such specification will be allowed.

Issues Resolved

TBD

Testing

Automated + manual

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@DarshitChanpura DarshitChanpura added the resource-permissions Label to track all items related to resource permissions label Oct 1, 2025
Signed-off-by: Darshit Chanpura <[email protected]>
@RyanL1997 (Collaborator) left a comment

Hi @DarshitChanpura , thanks for the change, and I just left a comment.

RyanL1997 previously approved these changes Oct 1, 2025
@cwperks (Member) commented Oct 1, 2025

@DarshitChanpura How will this work with the various plugins.*.filter_by_backend_role settings? Will the existing plugins with plugins.*.filter_by_backend_role setting be aware of this setting as well?

Are we doing anything to enforce that these settings are incompatible?

plugins.anomaly_detection.filter_by_backend_roles: true

vs.

plugins.security.resource_sharing_enabled: true
plugins.security.experimental.resource_sharing.protected_types: ['anomaly-detector']

@DarshitChanpura (Member, Author) commented
@cwperks These two settings act independently. We do not necessarily negate filter_by_backend_role in security plugin, however, the plugins implementing this feature will have precedence over filter_by setting.

@DarshitChanpura (Member, Author) commented
The tricky part, however, is that an extension will be assigned a resource-sharing client even if no associated types were marked as protected. This means that plugins using conditions like
ResourceSharingClientAccessor.getInstance().getResourceSharingClient() to decide the code path may end up using it incorrectly if the resource is marked as not protected. I'm thinking of a way to mitigate this.
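The failure mode described in the two comments above (a client is present, but the type is not in protected_types, and filter_by_backend_roles may also be on) can be gated in the plugin rather than inferred from the client's presence. The following is an added example and is not code from the opensearch-project/security PR or from any plugin; the class and method names (ProtectedTypesGate, AccessPath, decidePath, fromSettings) are hypothetical, and the OpenSearch Settings object is replaced by a plain Map so the example is self-contained. Only the two setting keys quoted in the thread are assumed to exist.

```java
// Added example, not part of the PR. Models how a plugin could decide its
// access-control code path from the protected_types setting instead of from
// "is a resource-sharing client present?". All names here are hypothetical.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class ProtectedTypesGate {

    /** Which code path a plugin should take for a given resource type. */
    public enum AccessPath { RESOURCE_SHARING, LEGACY_FILTER_BY_BACKEND_ROLE, NONE }

    private final boolean resourceSharingEnabled;
    private final Set<String> protectedTypes;

    ProtectedTypesGate(boolean resourceSharingEnabled, Set<String> protectedTypes) {
        this.resourceSharingEnabled = resourceSharingEnabled;
        this.protectedTypes = Collections.unmodifiableSet(new HashSet<>(protectedTypes));
    }

    /** Parse the two settings from a flat key/value map (stand-in for OpenSearch Settings). */
    static ProtectedTypesGate fromSettings(Map<String, String> settings) {
        boolean enabled = Boolean.parseBoolean(
            settings.getOrDefault("plugins.security.resource_sharing_enabled", "false"));
        // Accepts the list form quoted in the thread, e.g. "['anomaly-detector']" or "[]".
        String raw = settings.getOrDefault(
            "plugins.security.experimental.resource_sharing.protected_types", "[]").trim();
        raw = raw.replaceAll("^\\[|\\]$", "");
        Set<String> types = Arrays.stream(raw.split(","))
            .map(s -> s.trim().replaceAll("^['\"]|['\"]$", ""))
            .filter(s -> !s.isEmpty())
            .collect(Collectors.toSet());
        return new ProtectedTypesGate(enabled, types);
    }

    /** A type is protected only when the feature is on AND the type is listed explicitly. */
    boolean isProtected(String resourceType) {
        return resourceSharingEnabled && protectedTypes.contains(resourceType);
    }

    /**
     * A non-null client is NOT evidence that the resource type is protected, so
     * the decision consults the setting. For a protected type the resource-sharing
     * path takes precedence over the legacy filter_by_backend_roles path, matching
     * the precedence stated in the thread; a protected type without a client is a
     * misconfiguration and fails closed.
     */
    AccessPath decidePath(String resourceType, boolean clientPresent, boolean legacyFilterEnabled) {
        if (isProtected(resourceType)) {
            if (!clientPresent) {
                throw new IllegalStateException("resource type '" + resourceType
                    + "' is protected but no resource-sharing client was assigned");
            }
            return AccessPath.RESOURCE_SHARING;
        }
        return legacyFilterEnabled ? AccessPath.LEGACY_FILTER_BY_BACKEND_ROLE : AccessPath.NONE;
    }

    public static void main(String[] args) {
        // Constructed sample settings mirroring the values quoted in the thread.
        Map<String, String> settings = Map.of(
            "plugins.security.resource_sharing_enabled", "true",
            "plugins.security.experimental.resource_sharing.protected_types", "['anomaly-detector']");
        ProtectedTypesGate gate = ProtectedTypesGate.fromSettings(settings);

        // Both hypothetical plugins were handed a client (clientPresent = true), but
        // only anomaly-detector is listed, so only it takes the resource-sharing path.
        System.out.println("anomaly-detector -> " + gate.decidePath("anomaly-detector", true, true));
        System.out.println("flow-framework   -> " + gate.decidePath("flow-framework", true, true));
        System.out.println("flow-framework (filter_by off) -> " + gate.decidePath("flow-framework", true, false));
    }
}
```

With the constructed settings, anomaly-detector resolves to RESOURCE_SHARING while the unlisted type falls back to the legacy filter path (or to no filtering when that is off too), which is the split the thread says a presence-of-client check cannot make.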

codecov bot commented Oct 1, 2025

Codecov Report

❌ Patch coverage is 68.08511% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.91%. Comparing base (4abe750) to head (bacfeab).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
...nsearch/security/resources/ResourcePluginInfo.java 56.25% 5 Missing and 2 partials ⚠️
...ecurity/resources/ResourceAccessControlClient.java 42.85% 4 Missing ⚠️
...rch/security/resources/api/share/ShareRequest.java 71.42% 2 Missing ⚠️
...rce/actions/rest/create/CreateResourceRequest.java 0.00% 1 Missing ⚠️
...h/security/privileges/ResourceAccessEvaluator.java 50.00% 1 Missing ⚠️
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5671      +/-   ##
==========================================
- Coverage   72.94%   72.91%   -0.04%     
==========================================
  Files         414      414              
  Lines       25902    25929      +27     
  Branches     3934     3936       +2     
==========================================
+ Hits        18894    18905      +11     
- Misses       5094     5110      +16     
  Partials     1914     1914              
Files with missing lines Coverage Δ
...rce/actions/rest/create/UpdateResourceRequest.java 58.82% <100.00%> (+2.57%) ⬆️
...rce/actions/rest/delete/DeleteResourceRequest.java 61.53% <100.00%> (+3.20%) ⬆️
.../resource/actions/rest/get/GetResourceRequest.java 61.53% <100.00%> (+3.20%) ⬆️
...tions/rest/revoke/RevokeResourceAccessRequest.java 58.82% <100.00%> (+2.57%) ⬆️
...ource/actions/rest/share/ShareResourceRequest.java 58.82% <100.00%> (+2.57%) ⬆️
.../opensearch/security/OpenSearchSecurityPlugin.java 85.50% <100.00%> (+0.08%) ⬆️
.../security/resources/api/share/ShareRestAction.java 93.33% <100.00%> (+0.22%) ⬆️
...g/opensearch/security/support/ConfigConstants.java 95.45% <100.00%> (+0.21%) ⬆️
...rce/actions/rest/create/CreateResourceRequest.java 47.05% <0.00%> (-2.95%) ⬇️
...h/security/privileges/ResourceAccessEvaluator.java 66.66% <50.00%> (+1.14%) ⬆️
... and 3 more

... and 6 files with indirect coverage changes

cwperks previously approved these changes Oct 1, 2025
@cwperks cwperks dismissed their stale review October 1, 2025 16:00

Test failures

RyanL1997 previously approved these changes Oct 1, 2025
@DarshitChanpura DarshitChanpura merged commit c9a8c0f into opensearch-project:main Oct 1, 2025
119 of 120 checks passed
@DarshitChanpura DarshitChanpura added the v3.3.0 Issues targeting release v3.3.0 label Oct 1, 2025