[Manual Backport 2.x] Manually backports auth tokens, service account…

…s, and multi tenancy changes (#2737)

* [Extensions] Generate auth tokens for service accounts (#2716)

* Generate auth tokens for service accounts

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>

* Security User Refactor (#2594)

---------

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>

* Backport service account changes

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

* Update test

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

* Optimize imports

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

* Spotless

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

* fix plugin

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

* fix whitespace

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

* Fix multitency config update (#2758)

Moved multi-tenancy to REST API implementation

Signed-off-by: Andrey Pleskach <ples@aiven.io>

* Remove SSLCertsAction

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

* Fix dependency

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

* fix tenancy tests

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

---------

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Andrey Pleskach <ples@aiven.io>
Co-authored-by: Andrey Pleskach <ples@aiven.io>

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -116,11 +116,6 @@
 import org.opensearch.search.query.QuerySearchResult;
 import org.opensearch.security.action.configupdate.ConfigUpdateAction;
 import org.opensearch.security.action.configupdate.TransportConfigUpdateAction;
-import org.opensearch.security.action.tenancy.TenancyConfigRestHandler;
-import org.opensearch.security.action.tenancy.TenancyConfigRetrieveActions;
-import org.opensearch.security.action.tenancy.TenancyConfigRetrieveTransportAction;
-import org.opensearch.security.action.tenancy.TenancyConfigUpdateAction;
-import org.opensearch.security.action.tenancy.TenancyConfigUpdateTransportAction;
 import org.opensearch.security.action.whoami.TransportWhoAmIAction;
 import org.opensearch.security.action.whoami.WhoAmIAction;
 import org.opensearch.security.auditlog.AuditLog;
@@ -179,6 +174,7 @@
 import org.opensearch.security.transport.InterClusterRequestEvaluator;
 import org.opensearch.security.transport.SecurityInterceptor;
 import org.opensearch.security.user.User;
+import org.opensearch.security.user.UserService;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.RemoteClusterService;
@@ -207,6 +203,7 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private volatile SecurityRestFilter securityRestHandler;
     private volatile SecurityInterceptor si;
     private volatile PrivilegesEvaluator evaluator;
+    private volatile UserService userService;
     private volatile ThreadPool threadPool;
     private volatile ConfigurationRepository cr;
     private volatile AdminDNs adminDns;
@@ -364,7 +361,9 @@ public List<Path> run() {
             final List<String> files = AccessController.doPrivileged(new PrivilegedAction<List<String>>() {
                 @Override
                 public List<String> run() {
+
                     final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath();
+
                     if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) {
                         try (Stream<Path> s = Files.walk(confPath)) {
                             return s.distinct().map(p -> sha256(p)).collect(Collectors.toList());
@@ -477,15 +476,26 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
                 handlers.add(new DashboardsInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool)));
                 handlers.add(new TenantInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool),
                         Objects.requireNonNull(cs), Objects.requireNonNull(adminDns), Objects.requireNonNull(cr)));
-                handlers.add(new TenancyConfigRestHandler());
                 handlers.add(new SecurityConfigUpdateAction(settings, restController,Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
                 handlers.add(new SecurityWhoAmIAction(settings ,restController,Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
                 if (sslCertReloadEnabled) {
                     handlers.add(new SecuritySSLReloadCertsAction(settings, restController, sks, Objects.requireNonNull(threadPool), Objects.requireNonNull(adminDns)));
                 }
-                final Collection<RestHandler> apiHandlers = SecurityRestApiActions.getHandler(settings, configPath, restController, localClient, adminDns, cr, cs, principalExtractor, evaluator, threadPool, Objects.requireNonNull(auditLog));
-                handlers.addAll(apiHandlers);
-                log.debug("Added {} management rest handler(s)", apiHandlers.size());
+
+                handlers.addAll(
+                        SecurityRestApiActions.getHandler(
+                                settings,
+                                configPath,
+                                restController,
+                                localClient,
+                                adminDns,
+                                cr, cs, principalExtractor,
+                                evaluator,
+                                threadPool,
+                                Objects.requireNonNull(auditLog),
+                                Objects.requireNonNull(userService))
+                );
+                log.debug("Added {} rest handler(s)", handlers.size());
             }
         }
 
@@ -508,8 +518,6 @@ public UnaryOperator<RestHandler> getRestHandlerWrapper(final ThreadContext thre
         if(!disabled && !SSLConfig.isSslOnlyMode()) {
             actions.add(new ActionHandler<>(ConfigUpdateAction.INSTANCE, TransportConfigUpdateAction.class));
             actions.add(new ActionHandler<>(WhoAmIAction.INSTANCE, TransportWhoAmIAction.class));
-            actions.add(new ActionHandler<>(TenancyConfigRetrieveActions.INSTANCE, TenancyConfigRetrieveTransportAction.class));
-            actions.add(new ActionHandler<>(TenancyConfigUpdateAction.INSTANCE, TenancyConfigUpdateTransportAction.class));
         }
         return actions;
     }
@@ -810,6 +818,8 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
 
         cr = ConfigurationRepository.create(settings, this.configPath, threadPool, localClient, clusterService, auditLog);
 
+        userService = new UserService(cs, cr, settings, localClient);
+
         final XFFResolver xffResolver = new XFFResolver(threadPool);
         backendRegistry = new BackendRegistry(settings, adminDns, xffResolver, auditLog, threadPool);
 
@@ -866,6 +876,7 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
         components.add(evaluator);
         components.add(si);
         components.add(dcf);
+        components.add(userService);
 
 
         return components;
@@ -1172,7 +1183,6 @@ public static class GuiceHolder implements LifecycleComponent {
         private static RepositoriesService repositoriesService;
         private static RemoteClusterService remoteClusterService;
         private static IndicesService indicesService;
-
         private static PitService pitService;
 
         private static ExtensionsManager extensionsManager;