Adds featureFlag for resource sharing

Signed-off-by: Darshit Chanpura <[email protected]>

src/integrationTest/java/org/opensearch/security/SearchOperationTest.java

@@ -143,6 +143,7 @@
 import static org.opensearch.security.Song.TITLE_POISON;
 import static org.opensearch.security.Song.TITLE_SONG_1_PLUS_1;
 import static org.opensearch.security.auditlog.impl.AuditCategory.INDEX_EVENT;
+import static org.opensearch.security.support.ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
 import static org.opensearch.test.framework.audit.AuditMessagePredicate.auditPredicate;
@@ -383,6 +384,7 @@ public class SearchOperationTest {
             new AuditConfiguration(true).compliance(new AuditCompliance().enabled(true))
                 .filters(new AuditFilters().enabledRest(true).enabledTransport(true))
         )
+        .nodeSettings(Map.of(OPENSEARCH_RESOURCE_SHARING_ENABLED, false))
         .build();
 
     @Rule

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -696,14 +696,19 @@ public List<RestHandler> getRestHandlers(
                 );
 
                 // Adds rest handlers for resource-access-control actions
-                handlers.addAll(
-                    List.of(
-                        new RestShareResourceAction(),
-                        new RestRevokeResourceAccessAction(),
-                        new RestListAccessibleResourcesAction(),
-                        new RestVerifyResourceAccessAction()
-                    )
-                );
+                if (settings.getAsBoolean(
+                    ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED,
+                    ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT
+                )) {
+                    handlers.addAll(
+                        List.of(
+                            new RestShareResourceAction(),
+                            new RestRevokeResourceAccessAction(),
+                            new RestListAccessibleResourcesAction(),
+                            new RestVerifyResourceAccessAction()
+                        )
+                    );
+                }
                 log.debug("Added {} rest handler(s)", handlers.size());
             }
         }
@@ -733,14 +738,19 @@ public UnaryOperator<RestHandler> getRestHandlerWrapper(final ThreadContext thre
             actions.add(new ActionHandler<>(WhoAmIAction.INSTANCE, TransportWhoAmIAction.class));
 
             // Resource-access-control related actions
-            actions.addAll(
-                List.of(
-                    new ActionHandler<>(ShareResourceAction.INSTANCE, TransportShareResourceAction.class),
-                    new ActionHandler<>(RevokeResourceAccessAction.INSTANCE, TransportRevokeResourceAccessAction.class),
-                    new ActionHandler<>(ListAccessibleResourcesAction.INSTANCE, TransportListAccessibleResourcesAction.class),
-                    new ActionHandler<>(VerifyResourceAccessAction.INSTANCE, TransportVerifyResourceAccessAction.class)
-                )
-            );
+            if (settings.getAsBoolean(
+                ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED,
+                ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT
+            )) {
+                actions.addAll(
+                    List.of(
+                        new ActionHandler<>(ShareResourceAction.INSTANCE, TransportShareResourceAction.class),
+                        new ActionHandler<>(RevokeResourceAccessAction.INSTANCE, TransportRevokeResourceAccessAction.class),
+                        new ActionHandler<>(ListAccessibleResourcesAction.INSTANCE, TransportListAccessibleResourcesAction.class),
+                        new ActionHandler<>(VerifyResourceAccessAction.INSTANCE, TransportVerifyResourceAccessAction.class)
+                    )
+                );
+            }
         }
         return actions;
     }
@@ -1271,8 +1281,12 @@ public Collection<Object> createComponents(
         );
         resourceAccessHandler = new ResourceAccessHandler(threadPool, rsIndexHandler, adminDns);
         resourceAccessHandler.initializeRecipientTypes();
-
-        rmr = ResourceSharingIndexManagementRepository.create(rsIndexHandler);
+        // Resource Sharing index is enabled by default
+        boolean isResourceSharingEnabled = settings.getAsBoolean(
+            ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED,
+            ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT
+        );
+        rmr = ResourceSharingIndexManagementRepository.create(rsIndexHandler, isResourceSharingEnabled);
 
         components.add(adminDns);
         components.add(cr);
@@ -2139,6 +2153,16 @@ public List<Setting<?>> getSettings() {
 
             // Privileges evaluation
             settings.add(ActionPrivileges.PRECOMPUTED_PRIVILEGES_MAX_HEAP_SIZE);
+
+            // Resource Sharing
+            settings.add(
+                Setting.boolSetting(
+                    ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED,
+                    ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT,
+                    Property.NodeScope,
+                    Property.Filtered
+                )
+            );
         }
 
         return settings;

src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java

@@ -101,6 +101,7 @@ public class DlsFlsValveImpl implements DlsFlsRequestValve {
     private final FieldMasking.Config fieldMaskingConfig;
     private final Settings settings;
     private final ResourceAccessHandler resourceAccessHandler;
+    private final boolean isResourceSharingEnabled;
 
     public DlsFlsValveImpl(
         Settings settings,
@@ -123,6 +124,10 @@ public DlsFlsValveImpl(
         this.dlsFlsBaseContext = dlsFlsBaseContext;
         this.settings = settings;
         this.resourceAccessHandler = resourceAccessHandler;
+        this.isResourceSharingEnabled = settings.getAsBoolean(
+            ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED,
+            ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT
+        );
 
         clusterService.addListener(event -> {
             DlsFlsProcessedConfig config = dlsFlsProcessedConfig.get();
@@ -390,11 +395,8 @@ public void handleSearchContext(SearchContext searchContext, ThreadPool threadPo
             DlsRestriction dlsRestriction;
 
             Set<String> resourceIds;
-            if (OpenSearchSecurityPlugin.getResourceIndices().contains(index)) {
+            if (this.isResourceSharingEnabled && OpenSearchSecurityPlugin.getResourceIndices().contains(index)) {
                 resourceIds = this.resourceAccessHandler.getAccessibleResourceIdsForCurrentUser(index);
-                if (resourceIds.isEmpty()) {
-                    return;
-                }
                 // Create a DLS restriction to filter search results with accessible resources only
                 dlsRestriction = this.resourceAccessHandler.createResourceDLSRestriction(resourceIds, namedXContentRegistry);
 

src/main/java/org/opensearch/security/configuration/SecurityFlsDlsIndexSearcherWrapper.java

@@ -65,6 +65,7 @@ public class SecurityFlsDlsIndexSearcherWrapper extends SystemIndexSearcherWrapp
     private final Supplier<DlsFlsProcessedConfig> dlsFlsProcessedConfigSupplier;
     private final DlsFlsBaseContext dlsFlsBaseContext;
     private final ResourceAccessHandler resourceAccessHandler;
+    private final boolean isResourceSharingEnabled;
 
     public SecurityFlsDlsIndexSearcherWrapper(
         final IndexService indexService,
@@ -109,6 +110,10 @@ public SecurityFlsDlsIndexSearcherWrapper(
         this.dlsFlsProcessedConfigSupplier = dlsFlsProcessedConfigSupplier;
         this.dlsFlsBaseContext = dlsFlsBaseContext;
         this.resourceAccessHandler = resourceAccessHandler;
+        this.isResourceSharingEnabled = settings.getAsBoolean(
+            ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED,
+            ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT
+        );
     }
 
     @SuppressWarnings("unchecked")
@@ -123,9 +128,14 @@ protected DirectoryReader dlsFlsWrap(final DirectoryReader reader, boolean isAdm
         }
 
         String indexName = shardId != null ? shardId.getIndexName() : null;
-        Set<String> resourceIds = null;
-        if (!Strings.isNullOrEmpty(indexName) && OpenSearchSecurityPlugin.getResourceIndices().contains(indexName)) {
+        Set<String> resourceIds;
+        if (this.isResourceSharingEnabled
+            && !Strings.isNullOrEmpty(indexName)
+            && OpenSearchSecurityPlugin.getResourceIndices().contains(indexName)) {
             resourceIds = this.resourceAccessHandler.getAccessibleResourceIdsForCurrentUser(indexName);
+            // resourceIds.isEmpty() indicates that the index is a resource index but the user does not have access to any resource under
+            // the
+            // index
             if (resourceIds.isEmpty()) {
                 return new EmptyFilterLeafReader.EmptyDirectoryReader(reader);
             }
@@ -148,10 +158,7 @@ protected DirectoryReader dlsFlsWrap(final DirectoryReader reader, boolean isAdm
             );
         }
 
-        // resourceIds == null indicates that the index is not a resource index
-        // resourceIds.isEmpty() indicates that the index is a resource index but the user does not have access to any resource under the
-        // index
-        if (isAdmin || privilegesEvaluationContext == null || resourceIds == null) {
+        if (isAdmin || privilegesEvaluationContext == null) {
             return new DlsFlsFilterLeafReader.DlsFlsDirectoryReader(
                 reader,
                 FieldPrivileges.FlsRule.ALLOW_ALL,
@@ -167,7 +174,6 @@ protected DirectoryReader dlsFlsWrap(final DirectoryReader reader, boolean isAdm
         }
 
         try {
-
             DlsFlsProcessedConfig config = this.dlsFlsProcessedConfigSupplier.get();
             DlsRestriction dlsRestriction;
 

src/main/java/org/opensearch/security/resources/ResourceAccessHandler.java

@@ -397,6 +397,13 @@ public Query createResourceDLSQuery(Set<String> resourceIds, QueryShardContext q
      */
     public DlsRestriction createResourceDLSRestriction(Set<String> resourceIds, NamedXContentRegistry xContentRegistry)
         throws JsonProcessingException, PrivilegesConfigurationValidationException {
+
+        // resourceIds.isEmpty() is true when user doesn't have access to any resources
+        if (resourceIds.isEmpty()) {
+            LOGGER.debug("No resources found for user");
+            return DlsRestriction.FULL;
+        }
+
         String jsonQuery = String.format(
             "{ \"bool\": { \"filter\": [ { \"terms\": { \"_id\": %s } } ] } }",
             DefaultObjectMapper.writeValueAsString(resourceIds, true)

src/main/java/org/opensearch/security/resources/ResourceSharingIndexHandler.java

@@ -123,12 +123,16 @@ public void createResourceSharingIndexIfAbsent(Callable<Boolean> callable) {
             CreateIndexRequest cir = new CreateIndexRequest(resourceSharingIndex).settings(INDEX_SETTINGS).waitForActiveShards(1);
             ActionListener<CreateIndexResponse> cirListener = ActionListener.wrap(response -> {
                 LOGGER.info("Resource sharing index {} created.", resourceSharingIndex);
-                callable.call();
+                if (callable != null) {
+                    callable.call();
+                }
             }, (failResponse) -> {
                 /* Index already exists, ignore and continue */
                 LOGGER.info("Index {} already exists.", resourceSharingIndex);
                 try {
-                    callable.call();
+                    if (callable != null) {
+                        callable.call();
+                    }
                 } catch (Exception e) {
                     throw new RuntimeException(e);
                 }

src/main/java/org/opensearch/security/resources/ResourceSharingIndexManagementRepository.java

@@ -11,17 +11,29 @@
 
 package org.opensearch.security.resources;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
 public class ResourceSharingIndexManagementRepository {
 
+    private static final Logger log = LogManager.getLogger(ResourceSharingIndexManagementRepository.class);
+
     private final ResourceSharingIndexHandler resourceSharingIndexHandler;
+    private final boolean resourceSharingEnabled;
 
-    protected ResourceSharingIndexManagementRepository(final ResourceSharingIndexHandler resourceSharingIndexHandler) {
+    protected ResourceSharingIndexManagementRepository(
+        final ResourceSharingIndexHandler resourceSharingIndexHandler,
+        boolean isResourceSharingEnabled
+    ) {
         this.resourceSharingIndexHandler = resourceSharingIndexHandler;
+        this.resourceSharingEnabled = isResourceSharingEnabled;
     }
 
-    public static ResourceSharingIndexManagementRepository create(ResourceSharingIndexHandler resourceSharingIndexHandler) {
-
-        return new ResourceSharingIndexManagementRepository(resourceSharingIndexHandler);
+    public static ResourceSharingIndexManagementRepository create(
+        ResourceSharingIndexHandler resourceSharingIndexHandler,
+        boolean isResourceSharingEnabled
+    ) {
+        return new ResourceSharingIndexManagementRepository(resourceSharingIndexHandler, isResourceSharingEnabled);
     }
 
     /**
@@ -32,7 +44,10 @@ public static ResourceSharingIndexManagementRepository create(ResourceSharingInd
      */
     public void createResourceSharingIndexIfAbsent() {
         // TODO check if this should be wrapped in an atomic completable future
+        if (resourceSharingEnabled) {
+            log.info("Attempting to create Resource Sharing index");
+            this.resourceSharingIndexHandler.createResourceSharingIndexIfAbsent(() -> null);
+        }
 
-        this.resourceSharingIndexHandler.createResourceSharingIndexIfAbsent(() -> null);
     }
 }