Updates search handler to consume resource authz and updates resource authz related tests

[DarshitChanpura]

Description

[Describe what this change achieves]

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

• New functionality includes testing.
• New functionality has been documented.
• API changes companion pull request created.
• Commits are signed per the DCO using --signoff.
• Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

❌ Patch coverage is 41.48936% with 55 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.42%. Comparing base (17e56f0) to head (2a4fadf).

Files with missing lines	Patch %	Lines
...ava/org/opensearch/timeseries/util/ParseUtils.java	14.81%	20 Missing and 3 partials ⚠️
...transport/DeleteAnomalyResultsTransportAction.java	5.55%	17 Missing ⚠️
...arch/ad/transport/IndexAnomalyDetectorRequest.java	0.00%	2 Missing ⚠️
...rch/forecast/transport/IndexForecasterRequest.java	0.00%	2 Missing ⚠️
...ch/timeseries/transport/handler/SearchHandler.java	50.00%	1 Missing and 1 partial ⚠️
...transport/IndexAnomalyDetectorTransportAction.java	50.00%	1 Missing ⚠️
...ansport/PreviewAnomalyDetectorTransportAction.java	50.00%	1 Missing ⚠️
...cast/transport/ForecastRunOnceTransportAction.java	50.00%	1 Missing ⚠️
...cast/transport/IndexForecasterTransportAction.java	88.88%	1 Missing ⚠️
.../transport/SearchForecastTasksTransportAction.java	0.00%	1 Missing ⚠️
... and 4 more

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #1546      +/-   ##
============================================
- Coverage     81.59%   81.42%   -0.18%     
- Complexity     6039     6041       +2     
============================================
  Files           536      536              
  Lines         24427    24474      +47     
  Branches       2494     2500       +6     
============================================
- Hits          19932    19928       -4     
- Misses         3260     3309      +49     
- Partials       1235     1237       +2     

Flag	Coverage Δ
plugin	81.42% <41.48%> (-0.18%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
.../java/org/opensearch/ad/model/AnomalyDetector.java	89.93% <100.00%> (+0.06%)	⬆️
...rch/ad/transport/SearchADTasksTransportAction.java	100.00% <100.00%> (ø)
...ransport/SearchAnomalyDetectorTransportAction.java	100.00% <100.00%> (ø)
.../transport/SearchAnomalyResultTransportAction.java	86.66% <100.00%> (ø)
...ansport/SearchTopAnomalyResultTransportAction.java	92.16% <100.00%> (ø)
...java/org/opensearch/forecast/model/Forecaster.java	80.22% <100.00%> (-0.92%)	⬇️
...nsport/SearchTopForecastResultTransportAction.java	66.12% <100.00%> (ø)
...n/java/org/opensearch/timeseries/model/Config.java	86.92% <100.00%> (+0.04%)	⬆️
...ies/transport/BaseDeleteConfigTransportAction.java	83.63% <100.00%> (+0.75%)	⬆️
...h/timeseries/transport/BaseJobTransportAction.java	90.00% <100.00%> (+2.50%)	⬆️
... and 14 more

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[DarshitChanpura]

needed for access control on Validate method.

[kaituo]

Would there be a privilege escalation when one user writes someone else's id in the request body?

[DarshitChanpura]

No they cannot, all resource related requests are first checked for permission here, before proceeding to execute it:
https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/privileges/ResourceAccessEvaluator.java#L67

[DarshitChanpura]

this handles the Update scenario.

[DarshitChanpura]

most of these changes around verifyResourceAccessAndProcessRequest are code cleanup.

[DarshitChanpura]

please review this. This change currently modifies all searchHandler.search calls to pass the index name and id field of the config. However, the search calls that are made from tasks and results indices are not covered by resource-authz. Only AD and forecast config index are, since those two are registered as protected indices.

[DarshitChanpura]

makes as call to get accessible Id and then adds a filter to current search query to only search from those ids.

[DarshitChanpura]

user won't have access by default.

[DarshitChanpura]

adds test specifically for resource sharing feature

[DarshitChanpura]

to test that resource is no longer visible.

[DarshitChanpura]

to test that resource is visible.

[DarshitChanpura]

covers resource sharing feature enabled scenario.

[kaituo]

read until src/main/java/org/opensearch/ad/transport/IndexAnomalyDetectorRequest.java

[kaituo]

Can you update comment as you add a new condition?

[DarshitChanpura]

done.

[kaituo]

soo -> so

[kaituo]

Would there be a privilege escalation when one user writes someone else's id in the request body?

[kaituo]

What if both shouldUseResourceAuthz and filterEnabled are true? In your current code, would that increase a user's privilege as you only check shouldUseResourceAuthz? This can happen in an old cluster when backend role filtering is enabled.

[DarshitChanpura]

we don't intend for mixed cluster usage. If both are enabled, resource-authz takes precedence. At that point, cluster-admin is expected to have migrated resources from old sharing model to the new one.

[kaituo]

Is using a terms filter (ideally via terms lookup) directly inside Delete-By-Query is better than a separate “fetch IDs → inject into DBQ” step? Terms filter keeps authorization and deletion in a single request, eliminating the read-then-delete” race where ACLs/ownership can change between calls. DBQ will return version conflict error during race condition (see https://discuss.elastic.co/t/concurrent-delete-by-query-and-indexing/68868/2
). Also, writing a single DBQ evaluates the latest ACLs at request time and enforces least-privilege by intersecting resource-based authz with any backend-role filter in the same bool query—so enabling both cannot widen access. It also removes a network round trip, reduces latency and error surface, and keeps the request small—no 1,000-ID terms array bloating the query body—while avoiding large in-memory ID lists in the transport layer. The control flow becomes linear (assemble filters → run one DBQ), easier to read, test, and maintain, and if no resources are accessible the filter simply matches none (fail-closed).

[DarshitChanpura]

before I answer this is ADResult Index going to be a protected index? if so we should mark is as such in TimeSeriesResourceSharingExtension.

[DarshitChanpura]

CI is expected to fail until opensearch-project/security#5597 is merged.

SearchWrapper for resource-sharing requests is now being handled DLS style and will be available once this PR merges: opensearch-project/security#5600

[DarshitChanpura]

No they cannot, all resource related requests are first checked for permission here, before proceeding to execute it:
https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/privileges/ResourceAccessEvaluator.java#L67

[DarshitChanpura]

done.

[DarshitChanpura]

we don't intend for mixed cluster usage. If both are enabled, resource-authz takes precedence. At that point, cluster-admin is expected to have migrated resources from old sharing model to the new one.

[DarshitChanpura]

before I answer this is ADResult Index going to be a protected index? if so we should mark is as such in TimeSeriesResourceSharingExtension.

[DarshitChanpura]

PluginClient acts as a wrapper for search and security plugin will apply DLS automatically through it for resource-sharing requests

[DarshitChanpura]

please review this, as these are the action-groups that will be displayed on dashboard page for resource-access-management.