opensearch-project · DarshitChanpura · Aug 27, 2024 · Aug 27, 2024 · Aug 30, 2024 · Aug 30, 2024
@@ -23,6 +23,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add stats for remote publication failure and move download failure stats to remote methods([#16682](https://github.com/opensearch-project/OpenSearch/pull/16682/))
 - Added a precaution to handle extreme date values during sorting to prevent `arithmetic_exception: long overflow` ([#16812](https://github.com/opensearch-project/OpenSearch/pull/16812)).
 - Add search replica stats to segment replication stats API ([#16678](https://github.com/opensearch-project/OpenSearch/pull/16678))
+- Add resource-level access control and sharing ([#16030](https://github.com/opensearch-project/OpenSearch/pull/16030))
 
 ### Dependencies
 - Bump `com.google.cloud:google-cloud-core-http` from 2.23.0 to 2.47.0 ([#16504](https://github.com/opensearch-project/OpenSearch/pull/16504))

@@ -0,0 +1,88 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.opensearch.core.common.io.stream.NamedWriteable;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContentFragment;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.core.xcontent.XContentParser;
+
+import java.io.IOException;
+
+/**
+ * This class contains information on the creator of a resource.
+ * Creator can either be a user or a backend_role.
+ *
+ * @opensearch.experimental
+ */
+public class CreatedBy implements ToXContentFragment, NamedWriteable {
+
+    private String user;
+
+    public CreatedBy(String user) {
+        this.user = user;
+    }
+
+    public CreatedBy(StreamInput in) throws IOException {
+        this(in.readString());
+    }
+
+    public String getUser() {
+        return user;
+    }
+
+    public void setUser(String user) {
+        this.user = user;
+    }
+
+    @Override
+    public String toString() {
+        return "CreatedBy {" + "user='" + user + '\'' + '}';
+    }
+
+    @Override
+    public String getWriteableName() {
+        return "created_by";
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(user);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder.startObject().field("user", user).endObject();
+    }
+
+    public static CreatedBy fromXContent(XContentParser parser) throws IOException {
+        String user = null;
+        String currentFieldName = null;
+        XContentParser.Token token;
+
+        while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT) {
+            if (token == XContentParser.Token.FIELD_NAME) {
+                currentFieldName = parser.currentName();
+            } else if (token == XContentParser.Token.VALUE_STRING) {
+                if ("user".equals(currentFieldName)) {
+                    user = parser.text();
+                }
+            }
+        }
+
+        if (user == null) {
+            throw new IllegalArgumentException("user field is required");
+        }
+
+        return new CreatedBy(user);
+    }
+
+}
@@ -0,0 +1,48 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import java.util.Arrays;
+import java.util.Map;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+/**
+ * This enum contains the type of entities a resource can be shared with.
+ *
+ * @opensearch.experimental
+ */
+public enum EntityType {
+
+    USERS("users"),
+    ROLES("roles"),
+    BACKEND_ROLES("backend_roles");
+
+    private static final Map<String, EntityType> VALUE_MAP = Arrays.stream(values())
+        .collect(Collectors.toMap(EntityType::toString, Function.identity()));
+
+    private final String value;
+
+    EntityType(String value) {
+        this.value = value;
+    }
+
+    @Override
+    public String toString() {
+        return value;
+    }
+
+    public static EntityType fromValue(String value) {
+        EntityType type = VALUE_MAP.get(value);
+        if (type == null) {
+            throw new IllegalArgumentException("No enum constant with value: " + value);
+        }
+        return type;
+    }
+}
@@ -0,0 +1,21 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+/**
+ * This interface defines the two basic access scopes for resource-access.
+ * Each plugin must implement their own scopes and manage them
+ * These access scopes will then be used to verify the type of access being requested.
+ *
+ * @opensearch.experimental
+ */
+public interface ResourceAccessScope {
+    String READ_ONLY = "READ_ONLY";
+    String READ_WRITE = "READ_WRITE";
+}
@@ -0,0 +1,71 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchException;
+import org.opensearch.accesscontrol.resources.fallback.DefaultResourceAccessControlPlugin;
+import org.opensearch.client.Client;
+import org.opensearch.common.inject.Inject;
+import org.opensearch.plugins.ResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourcePlugin;
+import org.opensearch.threadpool.ThreadPool;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * Resource access control for OpenSearch
+ *
+ * @opensearch.experimental
+ * */
+public class ResourceService {
+    private static final Logger log = LogManager.getLogger(ResourceService.class);
+
+    private final ResourceAccessControlPlugin resourceACPlugin;
+    private final List<ResourcePlugin> resourcePlugins;
+
+    @Inject
+    public ResourceService(
+        final List<ResourceAccessControlPlugin> resourceACPlugins,
+        List<ResourcePlugin> resourcePlugins,
+        Client client,
+        ThreadPool threadPool
+    ) {
+        this.resourcePlugins = resourcePlugins;
+
+        if (resourceACPlugins.isEmpty()) {
+            log.info("Security plugin disabled: Using DefaultResourceAccessControlPlugin");
+            resourceACPlugin = new DefaultResourceAccessControlPlugin(client, threadPool);
+        } else if (resourceACPlugins.size() == 1) {
+            log.info("Security plugin enabled: Using OpenSearchSecurityPlugin");
+            resourceACPlugin = resourceACPlugins.get(0);
+        } else {
+            throw new OpenSearchException(
+                "Multiple resource access control plugins are not supported, found: "
+                    + resourceACPlugins.stream().map(Object::getClass).map(Class::getName).collect(Collectors.joining(","))
+            );
+        }
+    }
+
+    /**
+     * Gets the current ResourcePlugin to perform authorization
+     */
+    public ResourceAccessControlPlugin getResourceAccessControlPlugin() {
+        return resourceACPlugin;
+    }
+
+    /**
+     * List active plugins that define resources
+     */
+    public List<ResourcePlugin> listResourcePlugins() {
+        return resourcePlugins;
+    }
+}