Fix multitency config update

[willyborankin]

Description

The aim of this PR is to fix 2 issues with muti-tenancy:

1. Fixed for the multi-tenancy configuratiuon update. The current implementation uses "yet another" approach, it updates the configuration on each node and since the security index has a dedicated listener which sends new configuration on each node such action updates configuration on each node multiple times, which leads to timeouts.
2. Fixed who can change multi-tanency configuratuion. The current implementation gives access to update configuration for all users full cluster persmissions, while it is possible to do via REST API only if user is a "super-admin or it was assigned to the security_rest_api_access role.

Issues Resolved

Closes #2769.

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #2758 (b7ed864) into main (7c4e06d) will increase coverage by 0.03%.
The diff coverage is 89.33%.

@@             Coverage Diff              @@
##               main    #2758      +/-   ##
============================================
+ Coverage     61.31%   61.34%   +0.03%     
+ Complexity     3408     3386      -22     
============================================
  Files           272      265       -7     
  Lines         18846    18789      -57     
  Branches       3295     3296       +1     
============================================
- Hits          11555    11527      -28     
+ Misses         5690     5664      -26     
+ Partials       1601     1598       -3     

Impacted Files	Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java	80.03% <ø> (-0.12%)	⬇️
...g/opensearch/security/support/ConfigConstants.java	94.44% <ø> (ø)
...ity/dlic/rest/api/MultiTenancyConfigApiAction.java	88.23% <88.23%> (ø)
...security/dlic/rest/api/SecurityRestApiActions.java	95.23% <100.00%> (+0.23%)	⬆️
...c/rest/validation/MultiTenancyConfigValidator.java	100.00% <100.00%> (ø)

... and 4 files with indirect coverage changes

[RyanL1997]

Hi @willyborankin , thank you for putting this together. This PR looks good, and especially for the testing coverage! I left some minor questions/reviews just for my understanding.

[RyanL1997]

Are the L63 and L64 are the 2 case sensitive name for global tenants? Like 'global' vs 'Global'?

[willyborankin]

AFAIU they are not not, will change and add equalsIgnoreCase

[RyanL1997]

Just for my information, is there any reason for renaming this? Cuz I saw the asUser still remains the same.

[willyborankin]

Yes since configuration can be changed only by user which has access to REST API (I just want to highlight it)

[RyanL1997]

Nit: probably user_rest_api_access?

[willyborankin]

sure :-)

[RyanL1997]

Is this means that it is the admin user but without the all_access or only the rest_api_access?

[willyborankin]

Yes by default admin has full access to the cluster and indices but not to the REST API.

[cwperks]

Thank you for the contribution @willyborankin! This approach brings this API in line with other security APIs and reduces the amount of code for this feature.

[cwperks]

This greatly simplifies this down to a single class that extends AbstractApiAction. Great work!

[cwperks]

Thank you for adding this test. I agree that this should behave like all of the other security admin APIs.

[cwperks]

For anyone wondering what's special about this role and how it gets restapi access, its one of the roles specified in the demo configuration for restapi access here: https://github.com/opensearch-project/security/blob/main/tools/install_demo_configuration.sh#L384

[willyborankin]

A small addition from my side.
There are 3 types of admins in the plugin:

• super admin - has access to everything e.g. can change configuration like SSL reload, update config on each node, CRUD operations for nodes ds etc. This is leftovers from the past idea to have a dedicated node admin
• admin - has full access to cluster and indices
• REST admin API - "admin" which has access to change some plugin configuration like roles, roles mapping, internal users etc.

compare to other security frameworks the plugin idea is very very confusing and it is hard to support such config.

[DarshitChanpura]

Nicely done @willyborankin! This is a great improvement, readability and maintenance wise!

[DarshitChanpura]

nicely done!

[DarshitChanpura]

Should this test case also be added here:

final HttpResponse updateSettingResponse = nonSslRestHelper().executePutRequest("/_plugins/_security/api/tenancy/config", "{\"private_tenant_enabled\":false}", AS_USER);
        assertThat(updateSettingResponse.getStatusCode(), equalTo(HttpStatus.SC_BAD_REQUEST));
        assertThat(updateSettingResponse.findValueInJson("error.reason"), containsString("Private tenant can not be disabled if it is the default tenant."));

[willyborankin]

It is end to end test and it tests what index dashboard should use for the auth use.

[willyborankin]

all tests now passed :-)

[stephen-crawford]

Thank you for taking the time to complete this. Looks good!

[opensearch-trigger-bot]

The backport to 2.7 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.7 2.7
# Navigate to the new working tree
cd .worktrees/backport-2.7
# Create a new branch
git switch --create backport/backport-2758-to-2.7
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 94db5dbb0e2351b6d2b31b2a0969863acbad9ebe
# Push it to GitHub
git push --set-upstream origin backport/backport-2758-to-2.7
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.7

Then, create a pull request where the base branch is 2.7 and the compare/head branch is backport/backport-2758-to-2.7.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2758-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 94db5dbb0e2351b6d2b31b2a0969863acbad9ebe
# Push it to GitHub
git push --set-upstream origin backport/backport-2758-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2758-to-2.x.

[RyanL1997]

Since the auto bacporting failed, I will manually backport this.

[stephen-crawford]

@RyanL1997, did you get a chance to manually backport this to 2.x yet? If not I can take care of it.