Merge branch 'main' into multiple-resource-tests

Author: cwperks

CHANGELOG.md

@@ -6,26 +6,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [Unreleased 3.x]
 ### Added
 
+### Changed
+- Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing ([#5396](https://github.com/opensearch-project/security/pull/5396))
 ### Features
 
 ### Enhancements
+- Moved configuration reloading to dedicated thread to improve node stability  ([#5479](https://github.com/opensearch-project/security/pull/5479))
 - Makes resource settings dynamic ([#5677](https://github.com/opensearch-project/security/pull/5677))
 - [Resource Sharing] Allow multiple sharable resource types in single resource index ([#5713](https://github.com/opensearch-project/security/pull/5713))
+- Adding Alerting V2 roles to roles.yml ([#5747](https://github.com/opensearch-project/security/pull/5747))
+- add suggest api to ad read access role ([#5754](https://github.com/opensearch-project/security/pull/5754))
+- Get list of headersToCopy from core and use getHeader(String headerName) instead of getHeaders() ([#5769](https://github.com/opensearch-project/security/pull/5769))
 
 ### Bug Fixes
 - Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))
 - Improve array validator to also check for blank string in addition to null ([#5714](https://github.com/opensearch-project/security/pull/5714))
 - Use RestRequestFilter.getFilteredRequest to declare sensitive API params ([#5710](https://github.com/opensearch-project/security/pull/5710))
 - Fix deprecated SSL transport settings in demo certificates ([#5723](https://github.com/opensearch-project/security/pull/5723))
 - Updates DlsFlsValveImpl condition to return true if request is internal and not a protected resource request ([#5721](https://github.com/opensearch-project/security/pull/5721))
+- [Performance] Call AdminDns.isAdmin once per request ([#5752](https://github.com/opensearch-project/security/pull/5752))
 
 ### Refactoring
 - [Resource Sharing] Make migrate api require default access level to be supplied and updates documentations + tests ([#5717](https://github.com/opensearch-project/security/pull/5717))
 - [Resource Sharing] Removes share and revoke java APIs ([#5718](https://github.com/opensearch-project/security/pull/5718))
 - Fix build failure in SecurityFilterTests ([#5736](https://github.com/opensearch-project/security/pull/5736))
+- [Resource Sharing]Refactor ResourceProvider to an interface and other ResourceSharing refactors ([#5755](https://github.com/opensearch-project/security/pull/5755))
+- Replace AccessController and remove restriction on word Extension ([#5750](https://github.com/opensearch-project/security/pull/5750))
+- Add security provider earlier in bootstrap process ([#5749](https://github.com/opensearch-project/security/pull/5749))
+- [GRPC] Fix compilation errors from core protobuf version bump to 0.23.0 ([#5763](https://github.com/opensearch-project/security/pull/5763))
 
 ### Maintenance
-- Bump `org.junit.jupiter:junit-jupiter` from 5.13.4 to 5.14.0 ([#5678](https://github.com/opensearch-project/security/pull/5678))
+- Bump `org.junit.jupiter:junit-jupiter` from 5.13.4 to 5.14.1 ([#5678](https://github.com/opensearch-project/security/pull/5678), [#5764](https://github.com/opensearch-project/security/pull/5764))
 - Bump `ch.qos.logback:logback-classic` from 1.5.18 to 1.5.20 ([#5680](https://github.com/opensearch-project/security/pull/5680), [#5724](https://github.com/opensearch-project/security/pull/5724))
 - Bump `org.scala-lang:scala-library` from 2.13.16 to 2.13.17 ([#5682](https://github.com/opensearch-project/security/pull/5682))
 - Bump `org.gradle.test-retry` from 1.6.2 to 1.6.4 ([#5706](https://github.com/opensearch-project/security/pull/5706))
@@ -38,9 +49,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `com.github.spotbugs` from 6.4.2 to 6.4.4 ([#5727](https://github.com/opensearch-project/security/pull/5727))
 - Bump `com.autonomousapps.build-health` from 3.0.4 to 3.3.0 ([#5726](https://github.com/opensearch-project/security/pull/5726), [#5744](https://github.com/opensearch-project/security/pull/5744))
 - Bump `spring_version` from 6.2.11 to 6.2.12 ([#5725](https://github.com/opensearch-project/security/pull/5725))
+- Bump `org.springframework.kafka:spring-kafka-test` from 4.0.0-M5 to 4.0.0-RC1 ([#5742](https://github.com/opensearch-project/security/pull/5742))
+- Bump `com.google.errorprone:error_prone_annotations` from 2.42.0 to 2.43.0 ([#5743](https://github.com/opensearch-project/security/pull/5743))
 - Bump `actions/upload-artifact` from 4 to 5 ([#5740](https://github.com/opensearch-project/security/pull/5740))
 - Bump `actions/download-artifact` from 5 to 6 ([#5739](https://github.com/opensearch-project/security/pull/5739))
-- Bump `com.google.googlejavaformat:google-java-format` from 1.28.0 to 1.30.0 ([#5741](https://github.com/opensearch-project/security/pull/5741))
+- Bump `com.google.googlejavaformat:google-java-format` from 1.28.0 to 1.31.0 ([#5741](https://github.com/opensearch-project/security/pull/5741), [#5765](https://github.com/opensearch-project/security/pull/5765))
+- Bump `com.jayway.jsonpath:json-path` from 2.9.0 to 2.10.0 ([#5767](https://github.com/opensearch-project/security/pull/5767))
 
 ### Documentation
 

build.gradle

@@ -482,7 +482,7 @@ configurations {
             // For integrationTest
             force "org.apache.httpcomponents:httpclient:4.5.14"
             force "org.apache.httpcomponents:httpcore:4.4.16"
-            force "com.google.errorprone:error_prone_annotations:2.42.0"
+            force "com.google.errorprone:error_prone_annotations:2.43.0"
             force "org.checkerframework:checker-qual:3.51.1"
             force "ch.qos.logback:logback-classic:1.5.20"
             force "commons-io:commons-io:2.20.0"
@@ -574,7 +574,7 @@ allprojects {
         integrationTestImplementation 'org.slf4j:slf4j-api:2.0.12'
         integrationTestImplementation 'com.selectivem.collections:special-collections-complete:1.4.0'
 
-        integrationTestImplementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        integrationTestImplementation ('com.jayway.jsonpath:json-path:2.10.0') {
             exclude(group: 'net.minidev', module: 'json-smart')
         }
     }
@@ -695,7 +695,7 @@ dependencies {
     runtimeOnly 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
     runtimeOnly 'commons-codec:commons-codec:1.19.0'
     runtimeOnly 'org.cryptacular:cryptacular:1.2.7'
-    compileOnly 'com.google.errorprone:error_prone_annotations:2.42.0'
+    compileOnly 'com.google.errorprone:error_prone_annotations:2.43.0'
     runtimeOnly 'com.sun.istack:istack-commons-runtime:4.2.0'
     runtimeOnly 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.4'
     runtimeOnly 'org.ow2.asm:asm:9.9'
@@ -762,10 +762,10 @@ dependencies {
     testImplementation "org.apache.kafka:kafka-test-common-runtime:${kafka_version}"
     testImplementation "org.apache.kafka:kafka-test-common-internal-api:${kafka_version}"
     testImplementation 'commons-validator:commons-validator:1.10.0'
-    testImplementation "org.springframework.kafka:spring-kafka-test:4.0.0-M5"
+    testImplementation "org.springframework.kafka:spring-kafka-test:4.0.0-RC1"
     testImplementation "org.springframework:spring-beans:${spring_version}"
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.14.0'
-    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.14.0'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.14.1'
+    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.14.1'
     testImplementation('org.awaitility:awaitility:4.3.0') {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }
@@ -795,7 +795,7 @@ dependencies {
     compileOnly "org.opensearch:opensearch:${opensearch_version}"
 
     //spotless
-    implementation('com.google.googlejavaformat:google-java-format:1.30.0') {
+    implementation('com.google.googlejavaformat:google-java-format:1.31.0') {
         exclude group: 'com.google.guava'
     }
 }

bwc-test/build.gradle

@@ -138,7 +138,7 @@ def String extractVersion(versionStr) {
                 node.setting("plugins.security.ssl.transport.pemcert_filepath", "esnode.pem")
                 node.setting("plugins.security.ssl.transport.pemkey_filepath", "esnode-key.pem")
                 node.setting("plugins.security.ssl.transport.pemtrustedcas_filepath", "root-ca.pem")
-                node.setting("plugins.security.ssl.transport.enforce_hostname_verification", "false")
+                node.setting("transport.ssl.enforce_hostname_verification", "false")
                 node.setting("plugins.security.ssl.http.enabled", "true")
                 node.setting("plugins.security.ssl.http.pemcert_filepath", "esnode.pem")
                 node.setting("plugins.security.ssl.http.pemkey_filepath", "esnode-key.pem")

checkstyle/checkstyle.xml

@@ -228,20 +228,13 @@
     <property name="severity" value="error"/>
   </module>
 
-  <module name="RegexpSingleline">
-    <property name="format" value="extension"/>
-    <property name="ignoreCase" value="true"/>
-    <property name="message" value="Extension should only be used sparingly to keep implementations as generic as possible" />
-    <property name="severity" value="error"/>
-  </module>
-
   <module name="SuppressWithPlainTextCommentFilter">
-    <property name="offCommentFormat" value="CS-SUPPRESS-ALL: .+"/> <!-- Require an explaination after surpressing -->
+    <property name="offCommentFormat" value="CS-SUPPRESS-ALL: .+"/> <!-- Require an explanation after suppressing -->
     <property name="onCommentFormat" value="CS-ENFORCE-ALL"/>
   </module>
 
   <module name="SuppressWithPlainTextCommentFilter">
-    <property name="offCommentFormat" value="CS-SUPPRESS-SINGLE\: ([\w\|]+) .+"/> <!-- Require an explaination after surpressing -->
+    <property name="offCommentFormat" value="CS-SUPPRESS-SINGLE\: ([\w\|]+) .+"/> <!-- Require an explanation after suppressing -->
     <property name="onCommentFormat" value="CS-ENFORCE-SINGLE()"/>
     <property name="checkFormat" value="$1"/>
   </module>

config/roles.yml

@@ -35,6 +35,9 @@ alerting_read_access:
     - 'cluster:admin/opensearch/alerting/comments/search'
     - 'cluster:admin/opensearch/alerting/findings/get'
     - 'cluster:admin/opensearch/alerting/remote/indexes/get'
+    - 'cluster:admin/opensearch/alerting/v2/alerts/get'
+    - 'cluster:admin/opensearch/alerting/v2/monitor/get'
+    - 'cluster:admin/opensearch/alerting/v2/monitor/search'
     - 'cluster:admin/opensearch/alerting/workflow/get'
     - 'cluster:admin/opensearch/alerting/workflow_alerts/get'
 
@@ -69,6 +72,7 @@ anomaly_read_access:
   cluster_permissions:
     - 'cluster:admin/opendistro/ad/detector/info'
     - 'cluster:admin/opendistro/ad/detector/search'
+    - 'cluster:admin/opendistro/ad/detector/suggest'
     - 'cluster:admin/opendistro/ad/detector/validate'
     - 'cluster:admin/opendistro/ad/detectors/get'
     - 'cluster:admin/opendistro/ad/result/search'

release-notes/opensearch-security.release-notes-3.3.2.0.md

@@ -0,0 +1,8 @@
+## Version 3.3.2 Release Notes
+
+Compatible with OpenSearch 3.3.2 and OpenSearch Dashboards 3.3.0
+
+### Bug Fixes
+* Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))
+* Add security provider earlier in bootstrap process ([#5749](https://github.com/opensearch-project/security/pull/5749))
+

sample-resource-plugin/build.gradle

@@ -58,7 +58,7 @@ configurations.all {
 
         // Duplicate dependencies with conflicting versions from org.opensearch.plugin:transport-grpc
         // Force versions present in security plugin
-        force "com.google.errorprone:error_prone_annotations:2.42.0"
+        force "com.google.errorprone:error_prone_annotations:2.43.0"
         force "com.google.protobuf:protobuf-java:${versions.protobuf}"
         force "com.google.guava:guava:${guava_version}"
         force "com.google.guava:failureaccess:1.0.3"