[Resource Sharing] Makes resource settings dynamic

CHANGELOG.md

@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Features
 
 ### Enhancements
+- Makes resource settings dynamic ([#5677](https://github.com/opensearch-project/security/pull/5677))
 
 ### Bug Fixes
 - Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))

RESOURCE_SHARING_AND_ACCESS_CONTROL.md

@@ -499,7 +499,7 @@ Since no entities are listed, the resource is accessible **only by its creator a
 
 ### **Additional Notes**
 - **Feature Flag:** These APIs are available only when `plugins.security.experimental.resource_sharing.enabled` is set to `true` in the configuration.
-
+- **Protected Types:** These APIs will only come into effect if concerned resources are marked as protected: `plugins.security.experimental.resource_sharing.protected_types: [<type-1>, <type-2>]`.
 
 ---
 
@@ -529,6 +529,58 @@ The list of protected types are controlled through following opensearch setting
   ```
 NOTE: These types will be available on documentation website.
 
+### **Dynamic Updates**
+
+The settings described above can be dynamically updated at runtime using the OpenSearch `_cluster/settings` API.
+This allows administrators to enable or disable the **Resource Sharing** feature and modify the list of **protected types** without restarting the cluster.
+
+#### **Example 1: Enable Resource Sharing Feature**
+
+```bash
+PUT _cluster/settings
+{
+  "transient": {
+    "plugins.security.experimental.resource_sharing.enabled": true
+  }
+}
+```
+
+#### **Example 2: Update Protected Types**
+
+```bash
+PUT _cluster/settings
+{
+  "transient": {
+    "plugins.security.experimental.resource_sharing.protected_types": ["sample-resource", "ml-model"]
+  }
+}
+```
+
+#### **Example 3: Clear Protected Types**
+
+```bash
+PUT _cluster/settings
+{
+  "transient": {
+    "plugins.security.experimental.resource_sharing.protected_types": []
+  }
+}
+```
+
+#### **Notes**
+
+* Both settings support **dynamic updates**, meaning the changes take effect immediately without requiring a node restart.
+* You can use either **transient** (temporary until restart) or **persistent** (survive restarts) settings.
+* To verify the current values, use:
+
+  ```bash
+  GET _cluster/settings?include_defaults=true
+  ```
+* Feature toggles and protected type lists can also be modified through configuration files before cluster startup if preferred.
+
+
+
+
 ## **2. User Setup**
 
 To enable users to interact with the **Resource Sharing and Access Control** feature, they must be assigned the appropriate cluster permissions along with resource-specific access.

sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/SecurityDisabledTests.java

@@ -10,6 +10,7 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
 import org.apache.http.HttpStatus;
@@ -22,6 +23,8 @@
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
+import org.opensearch.security.spi.resources.sharing.Recipient;
+import org.opensearch.security.spi.resources.sharing.Recipients;
 import org.opensearch.test.framework.cluster.ClusterManager;
 import org.opensearch.test.framework.cluster.LocalCluster;
 import org.opensearch.test.framework.cluster.TestRestClient;
@@ -33,12 +36,11 @@
 import static org.opensearch.sample.resource.TestUtils.SAMPLE_RESOURCE_CREATE_ENDPOINT;
 import static org.opensearch.sample.resource.TestUtils.SAMPLE_RESOURCE_DELETE_ENDPOINT;
 import static org.opensearch.sample.resource.TestUtils.SAMPLE_RESOURCE_GET_ENDPOINT;
-import static org.opensearch.sample.resource.TestUtils.SAMPLE_RESOURCE_REVOKE_ENDPOINT;
-import static org.opensearch.sample.resource.TestUtils.SAMPLE_RESOURCE_SHARE_ENDPOINT;
 import static org.opensearch.sample.resource.TestUtils.SAMPLE_RESOURCE_UPDATE_ENDPOINT;
-import static org.opensearch.sample.resource.TestUtils.revokeAccessPayload;
-import static org.opensearch.sample.resource.TestUtils.shareWithPayload;
+import static org.opensearch.sample.resource.TestUtils.SECURITY_SHARE_ENDPOINT;
+import static org.opensearch.sample.resource.TestUtils.putSharingInfoPayload;
 import static org.opensearch.sample.utils.Constants.RESOURCE_INDEX_NAME;
+import static org.opensearch.sample.utils.Constants.RESOURCE_TYPE;
 import static org.opensearch.test.framework.TestSecurityConfig.User.USER_ADMIN;
 
 /**
@@ -109,25 +111,26 @@ public void testSamplePluginAPIs() {
             response = client.postJson(SAMPLE_RESOURCE_UPDATE_ENDPOINT + "/" + resourceId, sampleResourceUpdated);
             response.assertStatusCode(HttpStatus.SC_OK);
 
-            response = client.postJson(
-                SAMPLE_RESOURCE_SHARE_ENDPOINT + "/" + resourceId,
-                shareWithPayload(USER_ADMIN.getName(), SAMPLE_READ_ONLY_RESOURCE_AG)
+            response = client.putJson(
+                SECURITY_SHARE_ENDPOINT,
+                putSharingInfoPayload(resourceId, RESOURCE_TYPE, SAMPLE_READ_ONLY_RESOURCE_AG, Recipient.USERS, USER_ADMIN.getName())
             );
-            assertNotImplementedResponse(response, "Cannot share resource");
+            assertBadRequest(response, "no handler found for uri [/_plugins/_security/api/resource/share] and method [PUT]");
 
-            response = client.postJson(
-                SAMPLE_RESOURCE_REVOKE_ENDPOINT + "/" + resourceId,
-                revokeAccessPayload(USER_ADMIN.getName(), SAMPLE_READ_ONLY_RESOURCE_AG)
-            );
-            assertNotImplementedResponse(response, "Cannot revoke access to resource");
+            TestUtils.PatchSharingInfoPayloadBuilder patchBuilder = new TestUtils.PatchSharingInfoPayloadBuilder();
+            patchBuilder.resourceType(RESOURCE_TYPE);
+            patchBuilder.resourceId(resourceId);
+            patchBuilder.revoke(new Recipients(Map.of(Recipient.USERS, Set.of(USER_ADMIN.getName()))), SAMPLE_READ_ONLY_RESOURCE_AG);
+            response = client.patch(SECURITY_SHARE_ENDPOINT, patchBuilder.build());
+            assertBadRequest(response, "no handler found for uri [/_plugins/_security/api/resource/share] and method [PATCH]");
 
             response = client.delete(SAMPLE_RESOURCE_DELETE_ENDPOINT + "/" + resourceId);
             response.assertStatusCode(HttpStatus.SC_OK);
 
         }
     }
 
-    private void assertNotImplementedResponse(TestRestClient.HttpResponse response, String msg) {
-        assertThat(response, RestMatchers.isMethodNotImplemented("/error/reason", msg));
+    private void assertBadRequest(TestRestClient.HttpResponse response, String msg) {
+        assertThat(response, RestMatchers.isBadRequest("/error", msg));
     }
 }

sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/TestUtils.java

@@ -14,6 +14,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.hc.core5.http.Header;
 import org.apache.http.HttpStatus;
@@ -26,6 +27,7 @@
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
+import org.opensearch.security.spi.resources.sharing.Recipient;
 import org.opensearch.security.spi.resources.sharing.Recipients;
 import org.opensearch.test.framework.TestSecurityConfig;
 import org.opensearch.test.framework.certificate.CertificateData;
@@ -66,8 +68,8 @@ public final class TestUtils {
             "cluster:admin/sample-resource-plugin/get",
             "cluster:admin/sample-resource-plugin/search",
             "cluster:admin/sample-resource-plugin/create",
-            "cluster:admin/sample-resource-plugin/share",
-            "cluster:admin/sample-resource-plugin/revoke"
+            "cluster:admin/security/resource/share",
+            "cluster:admin/security/resource/share"
         ).indexPermissions("indices:data/read*").on(RESOURCE_INDEX_NAME)
     );
 
@@ -83,8 +85,6 @@ public final class TestUtils {
     public static final String SAMPLE_RESOURCE_UPDATE_ENDPOINT = SAMPLE_RESOURCE_PLUGIN_PREFIX + "/update";
     public static final String SAMPLE_RESOURCE_DELETE_ENDPOINT = SAMPLE_RESOURCE_PLUGIN_PREFIX + "/delete";
     public static final String SAMPLE_RESOURCE_SEARCH_ENDPOINT = SAMPLE_RESOURCE_PLUGIN_PREFIX + "/search";
-    public static final String SAMPLE_RESOURCE_SHARE_ENDPOINT = SAMPLE_RESOURCE_PLUGIN_PREFIX + "/share";
-    public static final String SAMPLE_RESOURCE_REVOKE_ENDPOINT = SAMPLE_RESOURCE_PLUGIN_PREFIX + "/revoke";
 
     public static final String RESOURCE_SHARING_MIGRATION_ENDPOINT = "_plugins/_security/api/resources/migrate";
     public static final String SECURITY_SHARE_ENDPOINT = "_plugins/_security/api/resource/share";
@@ -126,18 +126,6 @@ public static LocalCluster newCluster(boolean featureEnabled, boolean systemInde
             .build();
     }
 
-    public static String shareWithPayload(String user, String accessLevel) {
-        return """
-            {
-              "share_with": {
-                "%s" : {
-                    "users": ["%s"]
-                }
-              }
-            }
-            """.formatted(accessLevel, user);
-    }
-
     public static String directSharePayload(String resourceId, String creator, String target, String accessLevel) {
         return """
             {
@@ -154,31 +142,6 @@ public static String directSharePayload(String resourceId, String creator, Strin
             """.formatted(resourceId, creator, accessLevel, target);
     }
 
-    public static String revokeAccessPayload(String user, String accessLevel) {
-        return """
-            {
-              "entities_to_revoke": {
-                "%s" : {
-                    "users": ["%s"]
-                }
-              }
-            }
-            """.formatted(accessLevel, user);
-
-    }
-
-    public static String shareWithRolePayload(String role, String accessLevel) {
-        return """
-            {
-              "share_with": {
-                "%s" : {
-                    "roles": ["%s"]
-                }
-              }
-            }
-            """.formatted(accessLevel, role);
-    }
-
     public static String migrationPayload_valid() {
         return """
             {
@@ -227,18 +190,24 @@ public static String migrationPayload_missingBackendRoles() {
             """.formatted(RESOURCE_INDEX_NAME, "user/name");
     }
 
-    public static String putSharingInfoPayload(String resourceId, String resourceType, String accessLevel, String user) {
+    public static String putSharingInfoPayload(
+        String resourceId,
+        String resourceType,
+        String accessLevel,
+        Recipient recipient,
+        String entity
+    ) {
         return """
             {
               "resource_id": "%s",
               "resource_type": "%s",
               "share_with": {
                 "%s" : {
-                    "users": ["%s"]
+                    "%s": ["%s"]
                 }
               }
             }
-            """.formatted(resourceId, resourceType, accessLevel, user);
+            """.formatted(resourceId, resourceType, accessLevel, recipient.getName(), entity);
     }
 
     public static class PatchSharingInfoPayloadBuilder {
@@ -335,7 +304,6 @@ public void wipeOutResourceEntries() {
                 String jsonBody = "{ \"query\": { \"match_all\": {} } }";
                 TestRestClient.HttpResponse resp = client.postJson(endpoint, jsonBody);
                 resp.assertStatusCode(HttpStatus.SC_OK);
-
             }
         }
 
@@ -522,7 +490,7 @@ private void assertUpdate(String endpoint, String newName, TestSecurityConfig.Us
             }
         }
 
-        public void assertDirectShare(
+        public void assertDirectUpdateSharingInfo(
             String resourceId,
             TestSecurityConfig.User user,
             TestSecurityConfig.User target,
@@ -544,43 +512,16 @@ public void assertApiShare(
             TestSecurityConfig.User target,
             String accessLevel,
             int status
-        ) {
-            assertShare(SAMPLE_RESOURCE_SHARE_ENDPOINT + "/" + resourceId, user, target, accessLevel, status);
-        }
-
-        private void assertShare(
-            String endpoint,
-            TestSecurityConfig.User user,
-            TestSecurityConfig.User target,
-            String accessLevel,
-            int status
         ) {
             try (TestRestClient client = cluster.getRestClient(user)) {
-                TestRestClient.HttpResponse response = client.postJson(endpoint, shareWithPayload(target.getName(), accessLevel));
+                TestRestClient.HttpResponse response = client.putJson(
+                    SECURITY_SHARE_ENDPOINT,
+                    putSharingInfoPayload(resourceId, RESOURCE_TYPE, accessLevel, Recipient.USERS, target.getName())
+                );
                 response.assertStatusCode(status);
             }
         }
 
-        public void assertDirectRevoke(
-            String resourceId,
-            TestSecurityConfig.User user,
-            TestSecurityConfig.User target,
-            String accessLevel,
-            int status
-        ) {
-            assertRevoke(RESOURCE_SHARING_INDEX + "/_doc/" + resourceId, user, target, accessLevel, status);
-        }
-
-        public void assertApiRevoke(
-            String resourceId,
-            TestSecurityConfig.User user,
-            TestSecurityConfig.User target,
-            String accessLevel,
-            int status
-        ) {
-            assertRevoke(SAMPLE_RESOURCE_REVOKE_ENDPOINT + "/" + resourceId, user, target, accessLevel, status);
-        }
-
         public void assertApiShareByRole(
             String resourceId,
             TestSecurityConfig.User user,
@@ -589,23 +530,27 @@ public void assertApiShareByRole(
             int status
         ) {
             try (TestRestClient client = cluster.getRestClient(user)) {
-                TestRestClient.HttpResponse response = client.postJson(
-                    SAMPLE_RESOURCE_SHARE_ENDPOINT + "/" + resourceId,
-                    shareWithRolePayload(targetRole, accessLevel)
+                TestRestClient.HttpResponse response = client.putJson(
+                    SECURITY_SHARE_ENDPOINT,
+                    putSharingInfoPayload(resourceId, RESOURCE_TYPE, accessLevel, Recipient.ROLES, targetRole)
                 );
                 response.assertStatusCode(status);
             }
         }
 
-        private void assertRevoke(
-            String endpoint,
+        public void assertApiRevoke(
+            String resourceId,
             TestSecurityConfig.User user,
             TestSecurityConfig.User target,
             String accessLevel,
             int status
         ) {
+            PatchSharingInfoPayloadBuilder patchBuilder = new PatchSharingInfoPayloadBuilder();
+            patchBuilder.resourceType(RESOURCE_TYPE);
+            patchBuilder.resourceId(resourceId);
+            patchBuilder.revoke(new Recipients(Map.of(Recipient.USERS, Set.of(target.getName()))), accessLevel);
             try (TestRestClient client = cluster.getRestClient(user)) {
-                TestRestClient.HttpResponse response = client.postJson(endpoint, revokeAccessPayload(target.getName(), accessLevel));
+                TestRestClient.HttpResponse response = client.patch(TestUtils.SECURITY_SHARE_ENDPOINT, patchBuilder.build());
                 response.assertStatusCode(status);
             }
         }