Map extension routes to permission-able action names

[cwperks]

Actions in OpenSearch are given names (indices:data/read/search for SearchAction for example) that directly translate into permissions in roles of the security plugin. Like native actions, plugins extend OpenSearch behavior and can register new actions to be executed on OpenSearch nodes. These actions are also given names (cluster:admin/opendistro/ad/detectors/get for GetAnomalyDetectorAction for example) and can also be granted to users via roles. In the current model of the security plugin, most actions for plugins will be granted in the cluster_permissions section of the roles of the security plugin which simply means that the action does not require any resource names like index patterns to permit the action - to differentiate cluster_permissions from index_permissions which do require a list of index patterns.

For extensions, I think ideally we will want a new section of the roles explicitly for extension_permissions to remove these actions from the cluster_permissions and index_permissions sections of the role.

A good reference for this issue is the HelloWorld example extension. See the OpenAPI spec file for the HelloWorld extension. Every route in this specification should be permissible via a short-name that can be added to a role definition in the Security plugin.

In the plugin world, the name of the permission is derived directly from the action. Take Get Detector from Anomaly Detection (AD):

GetAnomalyDetectorAction -> cluster:admin/opendistro/ad/detectors/get

When AD is converted to an extension there needs to be an equivalent:

# This is for example purposes and does not reflect current endpoints

GET /_extensions/ad/detectors/get/{id} -> extensions:ad/detector/get

Broadly speaking there are 2 types of actions in OpenSearch:

1. Rest actions - actions that can be entirely performed on the receiving node
2. Transport actions - actions that require coordination amongst nodes in the cluster

The security plugin currently performs auth in the Transport-layer requiring plugin developers to implement both types of actions to invoke authz checks on the request.

For extensions, authz will be performed at the REST layer and cannot rely on the action name for TransportActions. (Actions are registered in setupActions of ActionModule of core)

REST Actions also have names, a straightforward option for permissions for REST actions would be to use the REST action name.

[cwperks]

A series of draft PRs across Security, Core and SDK repos shows how this could be implemented: #2601

[DarshitChanpura]

Addressed via :

• Authorize rest requests #2753
• Support transport action names when registering NamedRoutes OpenSearch#7957
• Register new routes via SDK as named routes opensearch-sdk-java#827
• Makes route prefix setting routeNamePrefix optional opensearch-sdk-java#868