Modify ActionRequest in core to allow for resource_names to be passed in the request

[DarshitChanpura]

META issue: opensearch-project/security#4560

Description

This base class is extended by every plugin’s implementation of transport request calls. Hence, the idea is to add a standard class property List resources. In addition, add resource: as a valid transport action prefix here.

This will then be implemented by plugins to populate this property when handling an actionRequest after which SecurityFilter.java will intercept this call to perform privilege evaluation.

Implementation

Coming from comment: opensearch-project/security#4500 (comment), we will proceed with approach a, which introduces a new getter for resources, there-by allowing request handlers in plugin to populate the resource names before sending the request to Transport layer. Here is the pseudo-code (thank you @nibix):

public abstract class ActionRequest extends TransportRequest {

    public ActionRequest() {
        super();
    }

    public ActionRequest(StreamInput in) throws IOException {
        super(in);
    }
 
    /**
      * NEW NEW NEW .. to be overridden by whoever wants to
      */
    public List<String> getResources() {
       return Collections.emptyList();
    }

    public abstract ActionRequestValidationException validate();

    public boolean getShouldStoreResult() {
        return false;
    }

    @Override
    public void writeTo(StreamOutput out) throws IOException {
        super.writeTo(out);
    }
}

[cwperks]

[Triage] Thank you for filing this issue @DarshitChanpura going to transfer this issue to the OpenSearch core repository.

[nibix]

I mentioned it just briefly in opensearch-project/security#4500 (comment), but thought it might be worth pointing out more explicitly:

Instead of directly extending ActionRequest, one could also think about introducing a new interface which actions need to implement when they want to provide resource information.

That would be consistent to the style so far. Examples for this are:

• https:/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/action/IndicesRequest.java
• https:/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/action/CompositeIndicesRequest.java
• https:/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/action/AliasesRequest.java
• https:/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/action/RealtimeRequest.java

This helps to keep the ActionRequest class terse.

It could look similar to this:

interface PluginResourceRequest {
   List<String> getResources();
}

[peternied]

[Triage - attendees 1 2 3]
@DarshitChanpura Thanks for creating this issue; however, it isn't being accepted due to not having a clear problem that is trying to be solved.

If we had a model for defining addresses of resources, those could be useful for identifying and permission items, but it isn't clear if this issue would follow those needs. A list of untyped strings seems like it would create future issue without other infrastructure built up around it.

Please feel free to open a new issue after addressing the reason.