opensearch-project · DarshitChanpura · Aug 27, 2024 · Aug 27, 2024 · Aug 30, 2024 · Aug 30, 2024
@@ -21,6 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Support prefix list for remote repository attributes([#16271](https://github.com/opensearch-project/OpenSearch/pull/16271))
 - Add new configuration setting `synonym_analyzer`, to the `synonym` and `synonym_graph` filters, enabling the specification of a custom analyzer for reading the synonym file ([#16488](https://github.com/opensearch-project/OpenSearch/pull/16488)).
 - Add stats for remote publication failure and move download failure stats to remote methods([#16682](https://github.com/opensearch-project/OpenSearch/pull/16682/))
+- Add resource-level access control and sharing ([#16030](https://github.com/opensearch-project/OpenSearch/pull/16030))
 
 ### Dependencies
 - Bump `com.google.cloud:google-cloud-core-http` from 2.23.0 to 2.47.0 ([#16504](https://github.com/opensearch-project/OpenSearch/pull/16504))

@@ -0,0 +1,88 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.opensearch.core.common.io.stream.NamedWriteable;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContentFragment;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.core.xcontent.XContentParser;
+
+import java.io.IOException;
+
+/**
+ * This class contains information on the creator of a resource.
+ * Creator can either be a user or a backend_role.
+ *
+ * @opensearch.experimental
+ */
+public class CreatedBy implements ToXContentFragment, NamedWriteable {
+
+    private String user;
+
+    public CreatedBy(String user) {
+        this.user = user;
+    }
+
+    public CreatedBy(StreamInput in) throws IOException {
+        this(in.readString());
+    }
+
+    public String getUser() {
+        return user;
+    }
+
+    public void setUser(String user) {
+        this.user = user;
+    }
+
+    @Override
+    public String toString() {
+        return "CreatedBy {" + "user='" + user + '\'' + '}';
+    }
+
+    @Override
+    public String getWriteableName() {
+        return "created_by";
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(user);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder.startObject().field("user", user).endObject();
+    }
+
+    public static CreatedBy fromXContent(XContentParser parser) throws IOException {
+        String user = null;
+        String currentFieldName = null;
+        XContentParser.Token token;
+
+        while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT) {
+            if (token == XContentParser.Token.FIELD_NAME) {
+                currentFieldName = parser.currentName();
+            } else if (token == XContentParser.Token.VALUE_STRING) {
+                if ("user".equals(currentFieldName)) {
+                    user = parser.text();
+                }
+            }
+        }
+
+        if (user == null) {
+            throw new IllegalArgumentException("user field is required");
+        }
+
+        return new CreatedBy(user);
+    }
+
+}
@@ -0,0 +1,32 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+/**
+ * This enum contains the type of entities a resource can be shared with.
+ *
+ * @opensearch.experimental
+ */
+public enum EntityType {
+
+    USERS("users"),
+    ROLES("roles"),
+    BACKEND_ROLES("backend_roles");
+
+    private final String value;
+
+    EntityType(String value) {
+        this.value = value;
+    }
+
+    @Override
+    public String toString() {
+        return value;
+    }
+}
@@ -0,0 +1,21 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+/**
+ * This interface defines the two basic access scopes for resource-access.
+ * Each plugin must implement their own scopes and manage them
+ * These access scopes will then be used to verify the type of access being requested.
+ *
+ * @opensearch.experimental
+ */
+public interface ResourceAccessScope {
+    String READ_ONLY = "read_only";
+    String READ_WRITE = "read_write";
+}
@@ -0,0 +1,62 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchException;
+import org.opensearch.plugins.NoOpResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourcePlugin;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * Resource access control for OpenSearch
+ *
+ * @opensearch.experimental
+ * */
+public class ResourceService {
+    private static final Logger log = LogManager.getLogger(ResourceService.class);
+
+    private final ResourceAccessControlPlugin resourceACPlugin;
+    private final List<ResourcePlugin> resourcePlugins;
+
+    public ResourceService(final List<ResourceAccessControlPlugin> resourceACPlugins, List<ResourcePlugin> resourcePlugins) {
+        this.resourcePlugins = resourcePlugins;
+
+        if (resourceACPlugins.isEmpty()) {
+            log.info("Security plugin disabled: Using NoOpResourceAccessControlPlugin");
+            resourceACPlugin = new NoOpResourceAccessControlPlugin();
+        } else if (resourceACPlugins.size() == 1) {
+            log.info("Security plugin enabled: Using OpenSearchSecurityPlugin");
+            resourceACPlugin = resourceACPlugins.get(0);
+        } else {
+            throw new OpenSearchException(
+                "Multiple resource access control plugins are not supported, found: "
+                    + resourceACPlugins.stream().map(Object::getClass).map(Class::getName).collect(Collectors.joining(","))
+            );
+        }
+    }
+
+    /**
+     * Gets the current ResourcePlugin to perform authorization
+     */
+    public ResourceAccessControlPlugin getResourceAccessControlPlugin() {
+        return resourceACPlugin;
+    }
+
+    /**
+     * List active plugins that define resources
+     */
+    public List<ResourcePlugin> listResourcePlugins() {
+        return resourcePlugins;
+    }
+}