Add runAs(Subject subject) to Client interface

CHANGELOG.md

@@ -70,6 +70,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Allow extended plugins to be optional ([#16909](https://github.com/opensearch-project/OpenSearch/pull/16909))
 - Use the correct type to widen the sort fields when merging top docs ([#16881](https://github.com/opensearch-project/OpenSearch/pull/16881))
 - Limit reader writer separation to remote store enabled clusters [#16760](https://github.com/opensearch-project/OpenSearch/pull/16760)
+- Refactor IdentityAwarePlugin interface to be assigned a client for executing actions ([#16976](https://github.com/opensearch-project/OpenSearch/pull/16976))
 
 ### Deprecated
 - Performing update operation with default pipeline or final pipeline is deprecated ([#16712](https://github.com/opensearch-project/OpenSearch/pull/16712))

plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java

@@ -23,7 +23,7 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.env.Environment;
 import org.opensearch.env.NodeEnvironment;
-import org.opensearch.identity.PluginSubject;
+import org.opensearch.identity.RunAsSystemClient;
 import org.opensearch.identity.Subject;
 import org.opensearch.identity.tokens.AuthToken;
 import org.opensearch.identity.tokens.TokenManager;
@@ -54,6 +54,7 @@
     private final ShiroTokenManager authTokenHandler;
 
     private ThreadPool threadPool;
+    private Client client;
 
     /**
      * Create a new instance of the Shiro Identity Plugin
@@ -83,6 +84,7 @@
         Supplier<RepositoriesService> repositoriesServiceSupplier
     ) {
         this.threadPool = threadPool;
+        this.client = client;
         return Collections.emptyList();
     }
 
@@ -138,7 +140,7 @@
         }
     }
 
-    public PluginSubject getPluginSubject(Plugin plugin) {
-        return new ShiroPluginSubject(threadPool);
+    public Client getRunAsClient(Plugin plugin) {
+        return new RunAsSystemClient(client);
     }
 }

plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/ShiroIdentityPluginTests.java

@@ -9,11 +9,11 @@
 package org.opensearch.identity.shiro;
 
 import org.opensearch.OpenSearchException;
+import org.opensearch.client.Client;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.identity.IdentityService;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.test.OpenSearchTestCase;
-import org.opensearch.threadpool.ThreadPool;
 
 import java.util.List;
 
@@ -28,7 +28,7 @@ public class ShiroIdentityPluginTests extends OpenSearchTestCase {
     public void testSingleIdentityPluginSucceeds() {
         IdentityPlugin identityPlugin1 = new ShiroIdentityPlugin(Settings.EMPTY);
         List<IdentityPlugin> pluginList1 = List.of(identityPlugin1);
-        IdentityService identityService1 = new IdentityService(Settings.EMPTY, mock(ThreadPool.class), pluginList1);
+        IdentityService identityService1 = new IdentityService(Settings.EMPTY, mock(Client.class), pluginList1);
         assertThat(identityService1.getTokenManager(), is(instanceOf(ShiroTokenManager.class)));
     }
 
@@ -37,10 +37,7 @@ public void testMultipleIdentityPluginsFail() {
         IdentityPlugin identityPlugin2 = new ShiroIdentityPlugin(Settings.EMPTY);
         IdentityPlugin identityPlugin3 = new ShiroIdentityPlugin(Settings.EMPTY);
         List<IdentityPlugin> pluginList = List.of(identityPlugin1, identityPlugin2, identityPlugin3);
-        Exception ex = assertThrows(
-            OpenSearchException.class,
-            () -> new IdentityService(Settings.EMPTY, mock(ThreadPool.class), pluginList)
-        );
+        Exception ex = assertThrows(OpenSearchException.class, () -> new IdentityService(Settings.EMPTY, mock(Client.class), pluginList));
         assert (ex.getMessage().contains("Multiple identity plugins are not supported,"));
     }
 

server/src/main/java/org/opensearch/identity/IdentityService.java

@@ -8,14 +8,14 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchException;
+import org.opensearch.client.Client;
 import org.opensearch.common.annotation.InternalApi;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.identity.noop.NoopIdentityPlugin;
 import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.plugins.IdentityAwarePlugin;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.Plugin;
-import org.opensearch.threadpool.ThreadPool;
 
 import java.util.List;
 import java.util.stream.Collectors;
@@ -30,14 +30,16 @@
     private static final Logger log = LogManager.getLogger(IdentityService.class);
 
     private final Settings settings;
+    private final Client client;
     private final IdentityPlugin identityPlugin;
 
-    public IdentityService(final Settings settings, final ThreadPool threadPool, final List<IdentityPlugin> identityPlugins) {
+    public IdentityService(final Settings settings, final Client client, final List<IdentityPlugin> identityPlugins) {
         this.settings = settings;
+        this.client = client;
 
         if (identityPlugins.size() == 0) {
             log.debug("Identity plugins size is 0");
-            identityPlugin = new NoopIdentityPlugin(threadPool);
+            identityPlugin = new NoopIdentityPlugin(client);
         } else if (identityPlugins.size() == 1) {
             log.debug("Identity plugins size is 1");
             identityPlugin = identityPlugins.get(0);
@@ -66,8 +68,8 @@
     public void initializeIdentityAwarePlugins(final List<IdentityAwarePlugin> identityAwarePlugins) {
         if (identityAwarePlugins != null) {
             for (IdentityAwarePlugin plugin : identityAwarePlugins) {
-                PluginSubject pluginSubject = identityPlugin.getPluginSubject((Plugin) plugin);
-                plugin.assignSubject(pluginSubject);
+                Client client = identityPlugin.getRunAsClient((Plugin) plugin);
+                plugin.assignRunAsClient(client);
             }
         }
     }

server/src/main/java/org/opensearch/identity/RunAsSystemClient.java

@@ -0,0 +1,46 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionType;
+import org.opensearch.client.Client;
+import org.opensearch.client.FilterClient;
+import org.opensearch.common.annotation.InternalApi;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.action.ActionResponse;
+
+/**
+ * Implementation of client that will run transport actions in a stashed context
+ * <p>
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * This class is used by the NoopIdentityPlugin to initialize IdentityAwarePlugins
+ *
+ * @opensearch.internal
+ */
+@InternalApi
+public class RunAsSystemClient extends FilterClient {
+    public RunAsSystemClient(Client delegate) {
+        super(delegate);
+    }
+
+    @Override
+    protected <Request extends ActionRequest, Response extends ActionResponse> void doExecute(
+        ActionType<Response> action,
+        Request request,
+        ActionListener<Response> listener
+    ) {
+        ThreadContext threadContext = threadPool().getThreadContext();
+        try (ThreadContext.StoredContext ctx = threadContext.stashContext()) {
+            super.doExecute(action, request, ActionListener.runBefore(listener, ctx::restore));
+        }
+    }
+}

server/src/main/java/org/opensearch/identity/Subject.java

@@ -8,7 +8,6 @@
 import org.opensearch.common.annotation.ExperimentalApi;
 
 import java.security.Principal;
-import java.util.concurrent.Callable;
 
 /**
  * An individual, process, or device that causes information to flow among objects or change to the system state.
@@ -22,11 +21,4 @@ public interface Subject {
      * Get the application-wide uniquely identifying principal
      * */
     Principal getPrincipal();
-
-    /**
-     * runAs allows the caller to run a callable function as this subject
-     */
-    default <T> T runAs(Callable<T> callable) throws Exception {
-        return callable.call();
-    };
 }

server/src/main/java/org/opensearch/identity/noop/NoopIdentityPlugin.java

@@ -8,12 +8,12 @@
 
 package org.opensearch.identity.noop;
 
-import org.opensearch.identity.PluginSubject;
+import org.opensearch.client.Client;
+import org.opensearch.identity.RunAsSystemClient;
 import org.opensearch.identity.Subject;
 import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.Plugin;
-import org.opensearch.threadpool.ThreadPool;
 
 /**
  * Implementation of identity plugin that does not enforce authentication or authorization
@@ -24,10 +24,10 @@
  */
 public class NoopIdentityPlugin implements IdentityPlugin {
 
-    private final ThreadPool threadPool;
+    private final Client client;
 
-    public NoopIdentityPlugin(ThreadPool threadPool) {
-        this.threadPool = threadPool;
+    public NoopIdentityPlugin(Client client) {
+        this.client = client;
     }
 
     /**
@@ -49,7 +49,7 @@
     }
 
     @Override
-    public PluginSubject getPluginSubject(Plugin plugin) {
-        return new NoopPluginSubject(threadPool);
+    public Client getRunAsClient(Plugin plugin) {
+        return new RunAsSystemClient(client);
     }
 }

server/src/main/java/org/opensearch/node/Node.java

@@ -588,7 +588,9 @@ protected Node(
             runnableTaskListener = new AtomicReference<>();
             final ThreadPool threadPool = new ThreadPool(settings, runnableTaskListener, executorBuilders.toArray(new ExecutorBuilder[0]));
 
-            final IdentityService identityService = new IdentityService(settings, threadPool, identityPlugins);
+            client = new NodeClient(settings, threadPool);
+
+            final IdentityService identityService = new IdentityService(settings, client, identityPlugins);
 
             if (FeatureFlags.isEnabled(FeatureFlags.EXTENSIONS)) {
                 final List<ExtensionAwarePlugin> extensionAwarePlugins = pluginsService.filterPlugins(ExtensionAwarePlugin.class);
@@ -622,7 +624,6 @@ protected Node(
             for (final ExecutorBuilder<?> builder : threadPool.builders()) {
                 additionalSettings.addAll(builder.getRegisteredSettings());
             }
-            client = new NodeClient(settings, threadPool);
 
             final ScriptModule scriptModule = new ScriptModule(settings, pluginsService.filterPlugins(ScriptPlugin.class));
             final ScriptService scriptService = newScriptService(settings, scriptModule.engines, scriptModule.contexts);

server/src/main/java/org/opensearch/plugins/IdentityAwarePlugin.java

@@ -8,8 +8,8 @@
 
 package org.opensearch.plugins;
 
+import org.opensearch.client.Client;
 import org.opensearch.common.annotation.ExperimentalApi;
-import org.opensearch.identity.PluginSubject;
 import org.opensearch.identity.Subject;
 
 /**
@@ -27,8 +27,8 @@
     /**
      * Passes necessary classes for this plugin to operate as an IdentityAwarePlugin
      *
-     * @param pluginSubject A subject for running transport actions in the plugin context for system index
+     * @param pluginClient A subject for running transport actions in the plugin context for system index
      *                      interaction
      */
-    default void assignSubject(PluginSubject pluginSubject) {}
+    default void assignRunAsClient(Client pluginClient) {}
 }