Implement IdentityPlugin in Security plugin

[stephen-crawford]

Description

This change implements the IdentityPlugin interface inside the Security Plugin codebase.
This change adds the methods getSubject and getTokenManager. It also adds a new class SecurityTokenManager which handles the issuance of Service Account tokens and OBO tokens. This is done by having the token manager wrap the appropriate methods inside the UserService (for service accounts) and JwtVendor (for OBO tokens).

Issues Resolved

This issue addresses the final check box for: #3176

Testing

This change adds tests for issuing the tokens using the SecurityTokenManager. The other functionality has already been tested by the supporting classes.

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[stephen-crawford]

Blocked by: opensearch-project/OpenSearch#10614

[codecov]

Codecov Report

Merging #3538 (67d14b4) into main (d10475c) will increase coverage by 5.60%.
The diff coverage is 1.63%.

❗ Current head 67d14b4 differs from pull request most recent head 5cdaa04. Consider uploading reports for the commit 5cdaa04 to get more accurate results

@@            Coverage Diff            @@
##             main   #3538      +/-   ##
=========================================
+ Coverage        0   5.60%   +5.60%     
- Complexity      0     238     +238     
=========================================
  Files           0     283     +283     
  Lines           0   20661   +20661     
  Branches        0    3395    +3395     
=========================================
+ Hits            0    1159    +1159     
- Misses          0   19312   +19312     
- Partials        0     190     +190     

Files	Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java	10.97% <16.66%> (ø)
.../opensearch/security/identity/SecuritySubject.java	10.00% <10.00%> (ø)
...y/action/onbehalf/CreateOnBehalfOfTokenAction.java	0.00% <0.00%> (ø)
...search/security/identity/SecurityTokenManager.java	0.00% <0.00%> (ø)

... and 279 files with indirect coverage changes

[stephen-crawford]

Need to make this change: opensearch-project/OpenSearch#10664

We don't want people to have to provide absolute times in JSON form. Right now we are running into an issue like this where the calculated time expects a Second value to be provided in the case of a JSON is used to request the token settings. But then it auto-propagates the fields with a millisecond absolute time value.

We want our times to be in similar magnitude not way out of scale like this:

Max expiry time is: 1697562174
Provided expiry time is: 300

Or running into issues with conversion like this:

Max expiry time is: 1697562174
Provided expiry time is: 1697561874

[peternied]

Design/refactoring is done so I'm marking this change ready for review as there were changes from the original version of this change.

In the meanwhile, I'll be adding & cleaning up the tests.

[peternied]

Thanks @cwperks & @DarshitChanpura I've responded to all feedback and resolved all threads - let me know what you think.

[cwperks]

I have one more question around backend_roles, but otherwise this PR looks good to me.

[stephen-crawford]

Looks good just a few comments but otherwise seems all set!

[peternied]

@cwperks @DarshitChanpura Anything holding up approval of this PR?

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3538-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 467645241d42c8ae02166c4d41d3e7aa5edafdc7
# Push it to GitHub
git push --set-upstream origin backport/backport-3538-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3538-to-2.x.