Refactor IdentityAwarePlugin interface to be assigned a client for ex…

…ecuting actions

Signed-off-by: Craig Perkins <[email protected]>

plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java

@@ -13,6 +13,7 @@
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.mgt.SecurityManager;
 import org.opensearch.client.Client;
+import org.opensearch.client.FilterClient;
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.service.ClusterService;
@@ -23,8 +24,8 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.env.Environment;
 import org.opensearch.env.NodeEnvironment;
-import org.opensearch.identity.PluginSubject;
 import org.opensearch.identity.Subject;
+import org.opensearch.identity.noop.RunAsSystemClient;
 import org.opensearch.identity.tokens.AuthToken;
 import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.plugins.ActionPlugin;
@@ -54,6 +55,7 @@ public final class ShiroIdentityPlugin extends Plugin implements IdentityPlugin,
     private final ShiroTokenManager authTokenHandler;
 
     private ThreadPool threadPool;
+    private Client client;
 
     /**
      * Create a new instance of the Shiro Identity Plugin
@@ -83,6 +85,7 @@ public Collection<Object> createComponents(
         Supplier<RepositoriesService> repositoriesServiceSupplier
     ) {
         this.threadPool = threadPool;
+        this.client = client;
         return Collections.emptyList();
     }
 
@@ -138,7 +141,7 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
         }
     }
 
-    public PluginSubject getPluginSubject(Plugin plugin) {
-        return new ShiroPluginSubject(threadPool);
+    public FilterClient getRunAsClient(Plugin plugin) {
+        return new RunAsSystemClient(client);
     }
 }

server/src/main/java/org/opensearch/identity/IdentityService.java

@@ -8,14 +8,14 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchException;
+import org.opensearch.client.Client;
 import org.opensearch.common.annotation.InternalApi;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.identity.noop.NoopIdentityPlugin;
 import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.plugins.IdentityAwarePlugin;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.Plugin;
-import org.opensearch.threadpool.ThreadPool;
 
 import java.util.List;
 import java.util.stream.Collectors;
@@ -30,14 +30,16 @@ public class IdentityService {
     private static final Logger log = LogManager.getLogger(IdentityService.class);
 
     private final Settings settings;
+    private final Client client;
     private final IdentityPlugin identityPlugin;
 
-    public IdentityService(final Settings settings, final ThreadPool threadPool, final List<IdentityPlugin> identityPlugins) {
+    public IdentityService(final Settings settings, final Client client, final List<IdentityPlugin> identityPlugins) {
         this.settings = settings;
+        this.client = client;
 
         if (identityPlugins.size() == 0) {
             log.debug("Identity plugins size is 0");
-            identityPlugin = new NoopIdentityPlugin(threadPool);
+            identityPlugin = new NoopIdentityPlugin(client);
         } else if (identityPlugins.size() == 1) {
             log.debug("Identity plugins size is 1");
             identityPlugin = identityPlugins.get(0);
@@ -66,8 +68,8 @@ public TokenManager getTokenManager() {
     public void initializeIdentityAwarePlugins(final List<IdentityAwarePlugin> identityAwarePlugins) {
         if (identityAwarePlugins != null) {
             for (IdentityAwarePlugin plugin : identityAwarePlugins) {
-                PluginSubject pluginSubject = identityPlugin.getPluginSubject((Plugin) plugin);
-                plugin.assignSubject(pluginSubject);
+                Client client = identityPlugin.getRunAsClient((Plugin) plugin);
+                plugin.assignRunAsClient(client);
             }
         }
     }

server/src/main/java/org/opensearch/identity/Subject.java

@@ -8,7 +8,6 @@
 import org.opensearch.common.annotation.ExperimentalApi;
 
 import java.security.Principal;
-import java.util.concurrent.Callable;
 
 /**
  * An individual, process, or device that causes information to flow among objects or change to the system state.
@@ -22,11 +21,4 @@ public interface Subject {
      * Get the application-wide uniquely identifying principal
      * */
     Principal getPrincipal();
-
-    /**
-     * runAs allows the caller to run a callable function as this subject
-     */
-    default <T> T runAs(Callable<T> callable) throws Exception {
-        return callable.call();
-    };
 }

server/src/main/java/org/opensearch/identity/noop/NoopIdentityPlugin.java

@@ -8,12 +8,12 @@
 
 package org.opensearch.identity.noop;
 
-import org.opensearch.identity.PluginSubject;
+import org.opensearch.client.Client;
+import org.opensearch.client.FilterClient;
 import org.opensearch.identity.Subject;
 import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.Plugin;
-import org.opensearch.threadpool.ThreadPool;
 
 /**
  * Implementation of identity plugin that does not enforce authentication or authorization
@@ -24,10 +24,10 @@
  */
 public class NoopIdentityPlugin implements IdentityPlugin {
 
-    private final ThreadPool threadPool;
+    private final Client client;
 
-    public NoopIdentityPlugin(ThreadPool threadPool) {
-        this.threadPool = threadPool;
+    public NoopIdentityPlugin(Client client) {
+        this.client = client;
     }
 
     /**
@@ -49,7 +49,7 @@ public TokenManager getTokenManager() {
     }
 
     @Override
-    public PluginSubject getPluginSubject(Plugin plugin) {
-        return new NoopPluginSubject(threadPool);
+    public FilterClient getRunAsClient(Plugin plugin) {
+        return new RunAsSystemClient(client);
     }
 }

server/src/main/java/org/opensearch/identity/noop/RunAsSystemClient.java

@@ -0,0 +1,56 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.noop;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionType;
+import org.opensearch.client.Client;
+import org.opensearch.client.FilterClient;
+import org.opensearch.common.annotation.InternalApi;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.action.ActionResponse;
+
+/**
+ * Implementation of client that will run transport actions in a stashed context
+ * <p>
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * This class is used by the NoopIdentityPlugin to initialize IdentityAwarePlugins
+ *
+ * @opensearch.internal
+ */
+@InternalApi
+public class RunAsSystemClient extends FilterClient {
+    public RunAsSystemClient(Client delegate) {
+        super(delegate);
+    }
+
+    @Override
+    protected <Request extends ActionRequest, Response extends ActionResponse> void doExecute(
+        ActionType<Response> action,
+        Request request,
+        ActionListener<Response> actionListener
+    ) {
+        ThreadContext threadContext = threadPool().getThreadContext();
+
+        try (ThreadContext.StoredContext ctx = threadContext.stashContext()) {
+
+            ActionListener<Response> wrappedListener = ActionListener.wrap(r -> {
+                ctx.restore();
+                actionListener.onResponse(r);
+            }, e -> {
+                ctx.restore();
+                actionListener.onFailure(e);
+            });
+
+            super.doExecute(action, request, wrappedListener);
+        }
+    }
+}

server/src/main/java/org/opensearch/node/Node.java

@@ -588,19 +588,6 @@ protected Node(
             runnableTaskListener = new AtomicReference<>();
             final ThreadPool threadPool = new ThreadPool(settings, runnableTaskListener, executorBuilders.toArray(new ExecutorBuilder[0]));
 
-            final IdentityService identityService = new IdentityService(settings, threadPool, identityPlugins);
-
-            if (FeatureFlags.isEnabled(FeatureFlags.EXTENSIONS)) {
-                final List<ExtensionAwarePlugin> extensionAwarePlugins = pluginsService.filterPlugins(ExtensionAwarePlugin.class);
-                Set<Setting<?>> additionalSettings = new HashSet<>();
-                for (ExtensionAwarePlugin extAwarePlugin : extensionAwarePlugins) {
-                    additionalSettings.addAll(extAwarePlugin.getExtensionSettings());
-                }
-                this.extensionsManager = new ExtensionsManager(additionalSettings, identityService);
-            } else {
-                this.extensionsManager = new NoopExtensionsManager(identityService);
-            }
-
             final SetOnce<RepositoriesService> repositoriesServiceReference = new SetOnce<>();
             final RemoteStoreNodeService remoteStoreNodeService = new RemoteStoreNodeService(repositoriesServiceReference::get, threadPool);
             localNodeFactory = new LocalNodeFactory(settings, nodeEnvironment.nodeId(), remoteStoreNodeService);
@@ -624,6 +611,19 @@ protected Node(
             }
             client = new NodeClient(settings, threadPool);
 
+            final IdentityService identityService = new IdentityService(settings, client, identityPlugins);
+
+            if (FeatureFlags.isEnabled(FeatureFlags.EXTENSIONS)) {
+                final List<ExtensionAwarePlugin> extensionAwarePlugins = pluginsService.filterPlugins(ExtensionAwarePlugin.class);
+                Set<Setting<?>> extAdditionalSettings = new HashSet<>();
+                for (ExtensionAwarePlugin extAwarePlugin : extensionAwarePlugins) {
+                    extAdditionalSettings.addAll(extAwarePlugin.getExtensionSettings());
+                }
+                this.extensionsManager = new ExtensionsManager(extAdditionalSettings, identityService);
+            } else {
+                this.extensionsManager = new NoopExtensionsManager(identityService);
+            }
+
             final ScriptModule scriptModule = new ScriptModule(settings, pluginsService.filterPlugins(ScriptPlugin.class));
             final ScriptService scriptService = newScriptService(settings, scriptModule.engines, scriptModule.contexts);
             AnalysisModule analysisModule = new AnalysisModule(this.environment, pluginsService.filterPlugins(AnalysisPlugin.class));

server/src/main/java/org/opensearch/plugins/IdentityAwarePlugin.java

@@ -8,8 +8,8 @@
 
 package org.opensearch.plugins;
 
+import org.opensearch.client.Client;
 import org.opensearch.common.annotation.ExperimentalApi;
-import org.opensearch.identity.PluginSubject;
 import org.opensearch.identity.Subject;
 
 /**
@@ -27,8 +27,8 @@ public interface IdentityAwarePlugin {
     /**
      * Passes necessary classes for this plugin to operate as an IdentityAwarePlugin
      *
-     * @param pluginSubject A subject for running transport actions in the plugin context for system index
+     * @param pluginClient A subject for running transport actions in the plugin context for system index
      *                      interaction
      */
-    default void assignSubject(PluginSubject pluginSubject) {}
+    default void assignRunAsClient(Client pluginClient) {}
 }