Implement on behalf of token passing for extensions

[stephen-crawford]

Description

This PR introduces basic token passing within the RestSendToExtensionAction. These tokens provide authc/z capabilities when supported by a complete Identity Plugin.

Completes: opensearch-project/security#2764

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff
• Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/20116/
• CommitID: abd83c4
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/20117/
• CommitID: 0b4d85d
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/20119/
• CommitID: afc6b34
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[opensearch-trigger-bot]

Compatibility status:

> Task :checkCompatibility
Incompatible components: [https:/opensearch-project/geospatial.git, https:/opensearch-project/notifications.git, https:/opensearch-project/neural-search.git, https:/opensearch-project/index-management.git, https:/opensearch-project/security-analytics.git, https:/opensearch-project/job-scheduler.git, https:/opensearch-project/sql.git, https:/opensearch-project/k-nn.git, https:/opensearch-project/observability.git, https:/opensearch-project/alerting.git, https:/opensearch-project/cross-cluster-replication.git, https:/opensearch-project/anomaly-detection.git, https:/opensearch-project/asynchronous-search.git, https:/opensearch-project/performance-analyzer.git, https:/opensearch-project/common-utils.git, https:/opensearch-project/reporting.git]
Compatible components: [https:/opensearch-project/security.git, https:/opensearch-project/opensearch-oci-object-storage.git, https:/opensearch-project/ml-commons.git, https:/opensearch-project/performance-analyzer-rca.git]

BUILD SUCCESSFUL in 23m 58s

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/22522/
• CommitID: d2b7519
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[opensearch-trigger-bot]

Compatibility status:

> Task :checkCompatibility
Incompatible components: [https:/opensearch-project/alerting.git, https:/opensearch-project/anomaly-detection.git, https:/opensearch-project/asynchronous-search.git, https:/opensearch-project/index-management.git, https:/opensearch-project/sql.git, https:/opensearch-project/job-scheduler.git, https:/opensearch-project/common-utils.git, https:/opensearch-project/observability.git, https:/opensearch-project/k-nn.git, https:/opensearch-project/reporting.git, https:/opensearch-project/geospatial.git, https:/opensearch-project/cross-cluster-replication.git, https:/opensearch-project/notifications.git, https:/opensearch-project/neural-search.git, https:/opensearch-project/performance-analyzer.git, https:/opensearch-project/security-analytics.git]
Compatible components: [https:/opensearch-project/security.git, https:/opensearch-project/ml-commons.git, https:/opensearch-project/performance-analyzer-rca.git, https:/opensearch-project/opensearch-oci-object-storage.git]

BUILD SUCCESSFUL in 29m 10s

[opensearch-trigger-bot]

Compatibility status:

> Task :checkCompatibility
Incompatible components: [https:/opensearch-project/alerting.git, https:/opensearch-project/anomaly-detection.git, https:/opensearch-project/asynchronous-search.git, https:/opensearch-project/index-management.git, https:/opensearch-project/job-scheduler.git, https:/opensearch-project/sql.git, https:/opensearch-project/common-utils.git, https:/opensearch-project/observability.git, https:/opensearch-project/reporting.git, https:/opensearch-project/k-nn.git, https:/opensearch-project/geospatial.git, https:/opensearch-project/cross-cluster-replication.git, https:/opensearch-project/notifications.git, https:/opensearch-project/neural-search.git, https:/opensearch-project/security-analytics.git, https:/opensearch-project/performance-analyzer.git]
Compatible components: [https:/opensearch-project/security.git, https:/opensearch-project/ml-commons.git, https:/opensearch-project/performance-analyzer-rca.git, https:/opensearch-project/opensearch-oci-object-storage.git]

BUILD SUCCESSFUL in 31m 50s

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/22524/
• CommitID: 40afb9e
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/22525/
• CommitID: 5d17b26
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: UNSTABLE ❕
• TEST FAILURES:

      1 org.opensearch.client.PitIT.testDeleteAllAndListAllPits

• URL: https://build.ci.opensearch.org/job/gradle-check/22526/
• CommitID: 2a8b4ae
  Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

[peternied]

Thanks for driving this @scrawfor99

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-8679-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 487e3e34460cb16abab7597fe4ed7d00a11c595d
# Push it to GitHub
git push --set-upstream origin backport/backport-8679-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-8679-to-2.x.

[reta]

@scrawfor99 please send manual backport to 2.x when you have time, thank you

[peternied]

• OnBehalfOf tokens internal security review process + App Sec signoff security#3162

After the security review has been completed lets revisit backporting, how does that sound @reta @scrawfor99 ?