Add User.isAdminDn to User class

[cwperks]

Description

Adds a static helper method on the User class to determine if the user is in the security plugin's plugins.security.authcz.admin_dn list.

Issues Resolved

opensearch-project/security#3413

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[cwperks]

@dhrubo-os @ylwu-amzn Let me know if this helps. There should be some testing performed with the security plugin installed, but this should let you determine if the current user is in the admin_dn list (i.e. user is a super user)

Edit: This is where the super user gets authenticated in the security plugin: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L215-L220

[codecov]

Codecov Report

Merging #547 (dc0047c) into main (2ef47f9) will increase coverage by 0.58%.
Report is 2 commits behind head on main.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##               main     #547      +/-   ##
============================================
+ Coverage     74.55%   75.14%   +0.58%     
- Complexity      872      874       +2     
============================================
  Files           130      130              
  Lines          5680     5685       +5     
  Branches        698      698              
============================================
+ Hits           4235     4272      +37     
+ Misses         1139     1104      -35     
- Partials        306      309       +3     

Files	Coverage Δ
...n/java/org/opensearch/commons/ConfigConstants.java	87.50% <ø> (ø)
...ain/java/org/opensearch/commons/authuser/User.java	88.23% <100.00%> (+0.40%)	⬆️

... and 1 file with indirect coverage changes

[dhrubo-os]

I think we might need some backward compatibility? What happens if user is null? then it will throw exception in line 259. And I'm not a security person, so I don't know how to handle this situation. Just wanted to call out here.

[cwperks]

Added null check

[lezzago]

Usually when the user is super admin, the user object is null. Reference

[dhrubo-os]

Yeah same for ml-commons

[cwperks]

Please see details here.

There are 2 cases of superadmin:

1. Plugin stashed the threadcontext (user == null)
2. User connects to cluster using admin certificate <- scope of this PR

[cwperks]

Capturing discussion on this PR:

1. User is null means 1 of 2 things - 1) Security is not enabled or 2) plugin is operating in a stashContext block
2. User is non-null then - 1) User is a regular user (including anonymous) or 2) User is a superuser (meaning request comes from admin cert)

This PR pertains to 2) above and also relies on:

1. When security is enabled a user will always be present in the threadcontext
2. The plugin dev will ensure they are not making any calls to read the currently authenticated user from within a stashContext block

[dhrubo-os]

Do we need to mark this PR as draft? Are we planning to merge this?

[cwperks]

Do we need to mark this PR as draft? Are we planning to merge this?

Marked as ready for review. @dhrubo-os if there's a companion ml-commons PR please share to show how this change will be utilized.

[dhrubo-os]

Do we need to mark this PR as draft? Are we planning to merge this?

Marked as ready for review. @dhrubo-os if there's a companion ml-commons PR please share to show how this change will be utilized.

I'll share within next week.

[dhrubo-os]

Do we need to mark this PR as draft? Are we planning to merge this?

Marked as ready for review. @dhrubo-os if there's a companion ml-commons PR please share to show how this change will be utilized.

I'll share within next week.

Just Raised a draft PR to show the example

We are going to use this function similar like this way

Currently for the easy development we added this method in our ml-commons plugin end. But eventually we want to use this method

Please let me know if you have any question or concern. Thanks.

[cwperks]

Hey @dhrubo-os, thank you for providing the linked PRs for example usage. If I'm reading the PR correctly it means that if a regular user creates a model its not hidden, but if a superuser creates a model then its hidden?

Have you considered separate transport actions so that those actions are authorized separately? i.e.:

1. TransportRegisterModelAction
2. TransportRegisterHiddenModelAction

If you have a separate transport action then you can permission users to perform the register hidden model action through a separate "admin-level" role.

Roles for ml-commons plugin: https://github.com/opensearch-project/security/blob/main/config/roles.yml#L273-L295

While there are already instances in plugins of plugins having to implement their own authz models based on user's backend roles, this will be yet another instance of something that should be the responsibility of the security plugin that is implemented in a plugin.