opensearch-project · DarshitChanpura · Aug 27, 2024 · Aug 27, 2024 · Aug 30, 2024 · Aug 30, 2024
@@ -18,6 +18,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [S3 Repository] Change default retry mechanism of s3 clients to Standard Mode ([#15978](https://github.com/opensearch-project/OpenSearch/pull/15978))
 - Add changes to block calls in cat shards, indices and segments based on dynamic limit settings ([#15986](https://github.com/opensearch-project/OpenSearch/pull/15986))
 - New `phone` & `phone-search` analyzer + tokenizer ([#15915](https://github.com/opensearch-project/OpenSearch/pull/15915))
+- Add resource-level access control and sharing ([#16030](https://github.com/opensearch-project/OpenSearch/pull/16030))
 
 ### Dependencies
 - Bump `com.azure:azure-identity` from 1.13.0 to 1.13.2 ([#15578](https://github.com/opensearch-project/OpenSearch/pull/15578))

@@ -0,0 +1,58 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.opensearch.core.xcontent.ToXContentFragment;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import java.io.IOException;
+
+/**
+ * This class contains information on the creator of a resource.
+ * Creator can either be a user or a backend_role.
+ *
+ * @opensearch.experimental
+ */
+public class CreatedBy implements ToXContentFragment {
+
+    private String user;
+
+    private String backendRole;
+
+    public CreatedBy(String user, String backendRole) {
+        this.user = user;
+        this.backendRole = backendRole;
+    }
+
+    public String getBackendRole() {
+        return backendRole;
+    }
+
+    public void setBackendRole(String backendRole) {
+        this.backendRole = backendRole;
+    }
+
+    public String getUser() {
+        return user;
+    }
+
+    public void setUser(String user) {
+        this.user = user;
+    }
+
+    @Override
+    public String toString() {
+        return "CreatedBy {" + "user='" + user + '\'' + ", backendRole='" + backendRole + '\'' + '}';
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder.startObject().field("user", user).field("backend_role", backendRole).endObject();
+    }
+}
@@ -0,0 +1,23 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+/**
+ * This enum contains the type of entities a resource can be shared with.
+ *
+ * @opensearch.experimental
+ */
+public enum EntityType {
+
+    USERS,
+
+    ROLES,
+
+    BACKEND_ROLES,
+}
@@ -0,0 +1,21 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+/**
+ * This interface defines the two basic access scopes for resource-access.
+ * Each plugin must implement their own scopes and manage them
+ * These access scopes will then be used to verify the type of access being requested.
+ *
+ * @opensearch.experimental
+ */
+public interface ResourceAccessScope {
+    String READ_ONLY = "read_only";
+    String READ_WRITE = "read_write";
+}
@@ -0,0 +1,62 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchException;
+import org.opensearch.plugins.NoOpResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourcePlugin;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * Resource access control for OpenSearch
+ *
+ * @opensearch.experimental
+ * */
+public class ResourceService {
+    private static final Logger log = LogManager.getLogger(ResourceService.class);
+
+    private final ResourceAccessControlPlugin resourceACPlugin;
+    private final List<ResourcePlugin> resourcePlugins;
+
+    public ResourceService(final List<ResourceAccessControlPlugin> resourceACPlugins, List<ResourcePlugin> resourcePlugins) {
+        this.resourcePlugins = resourcePlugins;
+
+        if (resourceACPlugins.isEmpty()) {
+            log.info("Security plugin disabled: Using NoOpResourceAccessControlPlugin");
+            resourceACPlugin = new NoOpResourceAccessControlPlugin();
+        } else if (resourceACPlugins.size() == 1) {
+            log.info("Security plugin enabled: Using OpenSearchSecurityPlugin");
+            resourceACPlugin = resourceACPlugins.get(0);
+        } else {
+            throw new OpenSearchException(
+                "Multiple resource access control plugins are not supported, found: "
+                    + resourceACPlugins.stream().map(Object::getClass).map(Class::getName).collect(Collectors.joining(","))
+            );
+        }
+    }
+
+    /**
+     * Gets the current ResourcePlugin to perform authorization
+     */
+    public ResourceAccessControlPlugin getResourceAccessControlPlugin() {
+        return resourceACPlugin;
+    }
+
+    /**
+     * List active plugins that define resources
+     */
+    List<ResourcePlugin> listResourcePlugins() {
+        return resourcePlugins;
+    }
+}
@@ -0,0 +1,115 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.opensearch.core.xcontent.ToXContentFragment;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Objects;
+
+/**
+ * A document in .resource_sharing index.
+ * Holds information about the resource (obtained from defining plugin's meta-data),
+ * the index which defines the resources, the creator of the resource,
+ * and the information on whom this resource is shared with.
+ *
+ * @opensearch.experimental
+ */
+public class ResourceSharing implements ToXContentFragment {
+
+    private String sourceIdx;
+
+    private String resourceId;
+
+    private CreatedBy createdBy;
+
+    private ShareWith shareWith;
+
+    public ResourceSharing(String sourceIdx, String resourceId, CreatedBy createdBy, ShareWith shareWith) {
+        this.sourceIdx = sourceIdx;
+        this.resourceId = resourceId;
+        this.createdBy = createdBy;
+        this.shareWith = shareWith;
+    }
+
+    public String getSourceIdx() {
+        return sourceIdx;
+    }
+
+    public void setSourceIdx(String sourceIdx) {
+        this.sourceIdx = sourceIdx;
+    }
+
+    public String getResourceId() {
+        return resourceId;
+    }
+
+    public void setResourceId(String resourceId) {
+        this.resourceId = resourceId;
+    }
+
+    public CreatedBy getCreatedBy() {
+        return createdBy;
+    }
+
+    public void setCreatedBy(CreatedBy createdBy) {
+        this.createdBy = createdBy;
+    }
+
+    public ShareWith getShareWith() {
+        return shareWith;
+    }
+
+    public void setShareWith(ShareWith shareWith) {
+        this.shareWith = shareWith;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        ResourceSharing resourceSharing = (ResourceSharing) o;
+        return Objects.equals(getSourceIdx(), resourceSharing.getSourceIdx())
+            && Objects.equals(getResourceId(), resourceSharing.getResourceId())
+            && Objects.equals(getCreatedBy(), resourceSharing.getCreatedBy())
+            && Objects.equals(getShareWith(), resourceSharing.getShareWith());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(getSourceIdx(), getResourceId(), getCreatedBy(), getShareWith());
+    }
+
+    @Override
+    public String toString() {
+        return "Resource {"
+            + "sourceIdx='"
+            + sourceIdx
+            + '\''
+            + ", resourceId='"
+            + resourceId
+            + '\''
+            + ", createdBy="
+            + createdBy
+            + ", sharedWith="
+            + shareWith
+            + '}';
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder.startObject()
+            .field("source_idx", sourceIdx)
+            .field("resource_id", resourceId)
+            .field("created_by", createdBy)
+            .field("share_with", shareWith)
+            .endObject();
+    }
+}
@@ -0,0 +1,63 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.opensearch.core.common.io.stream.NamedWriteable;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContentFragment;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * This class contains information about whom a resource is shared with and at what scope.
+ * Here is a sample of what this would look like:
+ * "share_with": {
+ *       "read_only": {
+ *          "users": [],
+ *          "roles": [],
+ *          "backend_roles": []
+ *       },
+ *       "read_write": {
+ *          "users": [],
+ *          "roles": [],
+ *          "backend_roles": []
+ *       }
+ *    }
+ *
+ * @opensearch.experimental
+ */
+public class ShareWith implements ToXContentFragment, NamedWriteable {
+
+    private final List<SharedWithScope> sharedWithScopes;
+
+    public ShareWith(List<SharedWithScope> sharedWithScopes) {
+        this.sharedWithScopes = sharedWithScopes;
+    }
+
+    public List<SharedWithScope> getSharedWithScopes() {
+        return sharedWithScopes;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder.startObject("share_with").value(sharedWithScopes).endObject();
+    }
+
+    @Override
+    public String getWriteableName() {
+        return "share_with";
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeList(sharedWithScopes);
+    }
+}