Introduce Application Scopes for Extension Management

CHANGELOG.md

@@ -78,6 +78,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 - Add server version as REST response header [#6583](https://github.com/opensearch-project/OpenSearch/issues/6583)
 - Start replication checkpointTimers on primary before segments upload to remote store. ([#8221]()https://github.com/opensearch-project/OpenSearch/pull/8221)
+- Introduce Application Scopes ([#7850]((https://github.com/opensearch-project/OpenSearch/issues/6583)))
 
 ### Dependencies
 - Bump `org.apache.logging.log4j:log4j-core` from 2.17.1 to 2.20.0 ([#8307](https://github.com/opensearch-project/OpenSearch/pull/8307))

distribution/tools/plugin-cli/src/test/java/org/opensearch/plugins/ListPluginsCommandTests.java

@@ -39,8 +39,8 @@
 import java.util.Arrays;
 import java.util.Map;
 import java.util.stream.Collectors;
-
 import org.apache.lucene.tests.util.LuceneTestCase;
+import org.junit.Before;
 import org.opensearch.LegacyESVersion;
 import org.opensearch.Version;
 import org.opensearch.cli.ExitCodes;
@@ -50,7 +50,6 @@
 import org.opensearch.env.Environment;
 import org.opensearch.env.TestEnvironment;
 import org.opensearch.test.OpenSearchTestCase;
-import org.junit.Before;
 
 @LuceneTestCase.SuppressFileSystems("*")
 public class ListPluginsCommandTests extends OpenSearchTestCase {

plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroSubject.java

@@ -10,28 +10,28 @@
 
 import java.security.Principal;
 import java.util.Objects;
-
+import java.util.Optional;
 import org.opensearch.identity.Subject;
 import org.opensearch.identity.tokens.AuthToken;
 
 /**
- * Subject backed by Shiro
+ * A Subject backed by the Identity Shiro Plugin and wrapping a shiro.subject implementing Subject
  *
  * @opensearch.experimental
  */
 public class ShiroSubject implements Subject {
     private final ShiroTokenManager authTokenHandler;
-    private final org.apache.shiro.subject.Subject shiroSubject;
+    private final org.apache.shiro.subject.Subject delegate;
 
     /**
      * Creates a new shiro subject for use with the IdentityPlugin
      * Cannot return null
      * @param authTokenHandler Used to extract auth header info
-     * @param subject The specific subject being authc/z'd
+     * @param shiroBackedSubject The specific subject being authc/z'd
      */
-    public ShiroSubject(final ShiroTokenManager authTokenHandler, final org.apache.shiro.subject.Subject subject) {
+    public ShiroSubject(final ShiroTokenManager authTokenHandler, final org.apache.shiro.subject.Subject shiroBackedSubject) {
         this.authTokenHandler = Objects.requireNonNull(authTokenHandler);
-        this.shiroSubject = Objects.requireNonNull(subject);
+        this.delegate = Objects.requireNonNull(shiroBackedSubject);
     }
 
     /**
@@ -41,7 +41,7 @@ public ShiroSubject(final ShiroTokenManager authTokenHandler, final org.apache.s
      */
     @Override
     public Principal getPrincipal() {
-        final Object o = shiroSubject.getPrincipal();
+        final Object o = delegate.getPrincipal();
         if (o == null) return null;
         if (o instanceof Principal) return (Principal) o;
         return () -> o.toString();
@@ -85,7 +85,13 @@ public String toString() {
      */
     public void authenticate(AuthToken authenticationToken) {
         final org.apache.shiro.authc.AuthenticationToken authToken = authTokenHandler.translateAuthToken(authenticationToken)
-            .orElseThrow(() -> new UnsupportedAuthenticationToken());
-        shiroSubject.login(authToken);
+            .orElseThrow(UnsupportedAuthenticationToken::new);
+        delegate.login(authToken);
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public Optional<Principal> getApplication() {
+        return Optional.empty();
     }
 }

plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/AuthTokenHandlerTests.java

@@ -12,7 +12,6 @@
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.UsernamePasswordToken;
 import org.junit.Before;
-import org.opensearch.identity.noop.NoopTokenManager;
 import org.opensearch.identity.tokens.AuthToken;
 import org.opensearch.identity.tokens.BasicAuthToken;
 import org.opensearch.identity.tokens.BearerAuthToken;
@@ -31,12 +30,10 @@
 public class AuthTokenHandlerTests extends OpenSearchTestCase {
 
     private ShiroTokenManager shiroAuthTokenHandler;
-    private NoopTokenManager noopTokenManager;
 
     @Before
     public void testSetup() {
         shiroAuthTokenHandler = new ShiroTokenManager();
-        noopTokenManager = new NoopTokenManager();
     }
 
     public void testShouldExtractBasicAuthTokenSuccessfully() {

plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/ShiroIdentityPluginTests.java

@@ -8,23 +8,26 @@
 
 package org.opensearch.identity.shiro;
 
+import java.io.IOException;
 import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
 import org.opensearch.OpenSearchException;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.identity.ApplicationManager;
 import org.opensearch.identity.IdentityService;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.test.OpenSearchTestCase;
-import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.assertThrows;
 
 public class ShiroIdentityPluginTests extends OpenSearchTestCase {
 
-    public void testSingleIdentityPluginSucceeds() {
+    public void testSingleIdentityPluginSucceeds() throws IOException {
         IdentityPlugin identityPlugin1 = new ShiroIdentityPlugin(Settings.EMPTY);
         List<IdentityPlugin> pluginList1 = List.of(identityPlugin1);
-        IdentityService identityService1 = new IdentityService(Settings.EMPTY, pluginList1);
+        IdentityService identityService1 = new IdentityService(Settings.EMPTY, pluginList1, new ApplicationManager());
         assertThat(identityService1.getTokenManager(), is(instanceOf(ShiroTokenManager.class)));
     }
 
@@ -33,8 +36,25 @@ public void testMultipleIdentityPluginsFail() {
         IdentityPlugin identityPlugin2 = new ShiroIdentityPlugin(Settings.EMPTY);
         IdentityPlugin identityPlugin3 = new ShiroIdentityPlugin(Settings.EMPTY);
         List<IdentityPlugin> pluginList = List.of(identityPlugin1, identityPlugin2, identityPlugin3);
-        Exception ex = assertThrows(OpenSearchException.class, () -> new IdentityService(Settings.EMPTY, pluginList));
+        Exception ex = assertThrows(
+            OpenSearchException.class,
+            () -> new IdentityService(Settings.EMPTY, pluginList, new ApplicationManager())
+        );
         assert (ex.getMessage().contains("Multiple identity plugins are not supported,"));
     }
 
+    public void testShiroIdentityMethods() throws IOException {
+        IdentityPlugin identityPlugin1 = new ShiroIdentityPlugin(Settings.EMPTY);
+        List<IdentityPlugin> pluginList1 = List.of(identityPlugin1);
+        IdentityService identityService1 = new IdentityService(Settings.EMPTY, pluginList1, new ApplicationManager());
+        assertThat(identityService1.getTokenManager(), is(instanceOf(ShiroTokenManager.class)));
+        assertTrue(identityPlugin1.getSubject() instanceof ShiroSubject);
+        assertEquals(identityPlugin1.getSubject().hashCode(), Objects.hash(identityPlugin1.getSubject().getPrincipal()));
+        assertEquals(identityPlugin1.getSubject().getApplication(), Optional.empty());
+        assertEquals(
+            identityPlugin1.getSubject().toString(),
+            "ShiroSubject(principal=" + identityPlugin1.getSubject().getPrincipal() + ")"
+        );
+    }
+
 }

server/build.gradle

@@ -105,9 +105,10 @@ dependencies {
   api project(':libs:opensearch-x-content')
   api project(":libs:opensearch-geo")
   api project(":libs:opensearch-telemetry")
+    testImplementation project(path: ':modules:reindex')
 
 
-  compileOnly project(':libs:opensearch-plugin-classloader')
+    compileOnly project(':libs:opensearch-plugin-classloader')
   testRuntimeOnly project(':libs:opensearch-plugin-classloader')
 
   // lucene

server/src/internalClusterTest/java/org/opensearch/identity/IdentityServiceIT.java

@@ -0,0 +1,81 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity;
+
+import org.apache.lucene.index.LeafReaderContext;
+import org.apache.lucene.search.CollectionTerminatedException;
+import org.apache.lucene.search.ScoreMode;
+
+import org.opensearch.ExceptionsHelper;
+import org.opensearch.action.ActionListener;
+import org.opensearch.action.admin.cluster.node.stats.NodeStats;
+import org.opensearch.action.admin.cluster.node.stats.NodesStatsRequest;
+import org.opensearch.action.admin.cluster.node.stats.NodesStatsResponse;
+import org.opensearch.action.index.IndexRequest;
+import org.opensearch.action.index.IndexResponse;
+import org.opensearch.action.support.IndicesOptions;
+import org.opensearch.action.support.WriteRequest;
+import org.opensearch.client.Client;
+import org.opensearch.cluster.metadata.IndexMetadata;
+import org.opensearch.common.breaker.CircuitBreaker;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.unit.TimeValue;
+import org.opensearch.common.util.concurrent.AtomicArray;
+import org.opensearch.core.common.Strings;
+import org.opensearch.core.xcontent.ObjectParser;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.index.IndexSettings;
+import org.opensearch.index.query.QueryShardContext;
+import org.opensearch.index.query.RangeQueryBuilder;
+import org.opensearch.index.shard.IndexShard;
+import org.opensearch.indices.IndicesService;
+import org.opensearch.indices.replication.common.ReplicationType;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.plugins.SearchPlugin;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.search.DocValueFormat;
+import org.opensearch.search.SearchHit;
+import org.opensearch.search.aggregations.AbstractAggregationBuilder;
+import org.opensearch.search.aggregations.AggregationBuilder;
+import org.opensearch.search.aggregations.Aggregations;
+import org.opensearch.search.aggregations.Aggregator;
+import org.opensearch.search.aggregations.AggregatorBase;
+import org.opensearch.search.aggregations.AggregatorFactories;
+import org.opensearch.search.aggregations.AggregatorFactory;
+import org.opensearch.search.aggregations.CardinalityUpperBound;
+import org.opensearch.search.aggregations.InternalAggregation;
+import org.opensearch.search.aggregations.LeafBucketCollector;
+import org.opensearch.search.aggregations.bucket.terms.LongTerms;
+import org.opensearch.search.aggregations.bucket.terms.TermsAggregationBuilder;
+import org.opensearch.search.aggregations.metrics.InternalMax;
+import org.opensearch.search.aggregations.support.ValueType;
+import org.opensearch.search.builder.SearchSourceBuilder;
+import org.opensearch.search.fetch.FetchSubPhase;
+import org.opensearch.search.fetch.FetchSubPhaseProcessor;
+import org.opensearch.search.internal.SearchContext;
+import org.opensearch.test.OpenSearchIntegTestCase;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.CountDownLatch;
+
+import static org.opensearch.test.hamcrest.OpenSearchAssertions.assertAcked;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+
+public class IdentityServiceIT extends OpenSearchIntegTestCase {
+
+    // TODO: Verify that application aware subject is persisted on the same request
+
+}