Merge branch 'main' into multiple-resource-tests

Author: cwperks

.github/CODEOWNERS

@@ -1 +1 @@
-* @cwperks @DarshitChanpura @derek-ho @nibix @peternied @RyanL1997 @reta @shikharj05 @willyborankin
+* @cwperks @DarshitChanpura @derek-ho @nibix @RyanL1997 @reta @shikharj05 @willyborankin

.github/workflows/ci.yml

@@ -45,7 +45,7 @@ jobs:
       matrix:
         gradle_task: ${{ fromJson(needs.generate-test-list.outputs.separateTestsNames) }}
         platform: [windows-latest]
-        jdk: [21, 24]
+        jdk: [21, 25]
     runs-on: ${{ matrix.platform }}
 
     steps:
@@ -80,7 +80,7 @@ jobs:
       matrix:
         gradle_task: ${{ fromJson(needs.generate-test-list.outputs.separateTestsNames) }}
         platform: [ubuntu-latest]
-        jdk: [21, 24]
+        jdk: [21, 25]
     runs-on: ubuntu-latest
     container:
       # using the same image which is used by opensearch-build to build the OpenSearch Distribution
@@ -144,7 +144,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [21, 24]
+        jdk: [21, 25]
         platform: [windows-latest]
     runs-on: ${{ matrix.platform }}
 
@@ -178,7 +178,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [21, 24]
+        jdk: [21, 25]
         platform: [ubuntu-latest]
     runs-on: ubuntu-latest
     container:
@@ -221,7 +221,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [21,24]
+        jdk: [21, 25]
         platform: [ubuntu-latest]
     runs-on: ${{ matrix.platform }}
     container:
@@ -262,7 +262,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [21, 24]
+        jdk: [21, 25]
         platform: [windows-latest]
     runs-on: ${{ matrix.platform }}
 
@@ -295,7 +295,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [21, 24]
+        jdk: [21, 25]
         platform: [ubuntu-latest]
     runs-on: ${{ matrix.platform }}
 
@@ -338,7 +338,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [11, 17]
+        jdk: [21]
         platform: [ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.platform }}
 

.github/workflows/integration-tests.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        jdk: [21, 24]
+        jdk: [21, 25]
         test-run: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
 
     steps:

.github/workflows/plugin_install.yml

@@ -12,7 +12,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest]
-        jdk: [21, 24]
+        jdk: [21, 25]
     runs-on: ${{ matrix.os }}
 
     steps:

.whitesource

@@ -11,5 +11,11 @@
   },
   "issueSettings": {
     "minSeverityLevel": "LOW"
+  },
+  "remediateSettings": {
+    "addLabels": ["skip-changelog"],
+    "workflowRules": {
+      "enabled": true
+    }
   }
 }

CHANGELOG.md

@@ -17,6 +17,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Adding Alerting V2 roles to roles.yml ([#5747](https://github.com/opensearch-project/security/pull/5747))
 - add suggest api to ad read access role ([#5754](https://github.com/opensearch-project/security/pull/5754))
 - Get list of headersToCopy from core and use getHeader(String headerName) instead of getHeaders() ([#5769](https://github.com/opensearch-project/security/pull/5769))
+- [Resource Sharing] Keep track of resource_type on resource sharing document ([#5772](https://github.com/opensearch-project/security/pull/5772))
+- Add support for X509 v3 extensions (SAN) for authentication  ([#5701](https://github.com/opensearch-project/security/pull/5701))
 
 ### Bug Fixes
 - Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))
@@ -34,11 +36,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Replace AccessController and remove restriction on word Extension ([#5750](https://github.com/opensearch-project/security/pull/5750))
 - Add security provider earlier in bootstrap process ([#5749](https://github.com/opensearch-project/security/pull/5749))
 - [GRPC] Fix compilation errors from core protobuf version bump to 0.23.0 ([#5763](https://github.com/opensearch-project/security/pull/5763))
+- Modularized PrivilegesEvaluator ([#5791](https://github.com/opensearch-project/security/pull/5791))
 
 ### Maintenance
 - Bump `org.junit.jupiter:junit-jupiter` from 5.13.4 to 5.14.1 ([#5678](https://github.com/opensearch-project/security/pull/5678), [#5764](https://github.com/opensearch-project/security/pull/5764))
 - Bump `ch.qos.logback:logback-classic` from 1.5.18 to 1.5.20 ([#5680](https://github.com/opensearch-project/security/pull/5680), [#5724](https://github.com/opensearch-project/security/pull/5724))
 - Bump `org.scala-lang:scala-library` from 2.13.16 to 2.13.17 ([#5682](https://github.com/opensearch-project/security/pull/5682))
+- Bump `kafka_version` from 4.0.0 to 4.1.0 ([#5613](https://github.com/opensearch-project/security/pull/5613))
 - Bump `org.gradle.test-retry` from 1.6.2 to 1.6.4 ([#5706](https://github.com/opensearch-project/security/pull/5706))
 - Bump `org.checkerframework:checker-qual` from 3.51.0 to 3.51.1 ([#5705](https://github.com/opensearch-project/security/pull/5705))
 - Bump `org.ow2.asm:asm` from 9.8 to 9.9 ([#5707](https://github.com/opensearch-project/security/pull/5707))
@@ -50,11 +54,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `com.autonomousapps.build-health` from 3.0.4 to 3.3.0 ([#5726](https://github.com/opensearch-project/security/pull/5726), [#5744](https://github.com/opensearch-project/security/pull/5744))
 - Bump `spring_version` from 6.2.11 to 6.2.12 ([#5725](https://github.com/opensearch-project/security/pull/5725))
 - Bump `org.springframework.kafka:spring-kafka-test` from 4.0.0-M5 to 4.0.0-RC1 ([#5742](https://github.com/opensearch-project/security/pull/5742))
-- Bump `com.google.errorprone:error_prone_annotations` from 2.42.0 to 2.43.0 ([#5743](https://github.com/opensearch-project/security/pull/5743))
+- Bump `com.google.errorprone:error_prone_annotations` from 2.42.0 to 2.44.0 ([#5743](https://github.com/opensearch-project/security/pull/5743), [#5779](https://github.com/opensearch-project/security/pull/5779))
 - Bump `actions/upload-artifact` from 4 to 5 ([#5740](https://github.com/opensearch-project/security/pull/5740))
 - Bump `actions/download-artifact` from 5 to 6 ([#5739](https://github.com/opensearch-project/security/pull/5739))
 - Bump `com.google.googlejavaformat:google-java-format` from 1.28.0 to 1.31.0 ([#5741](https://github.com/opensearch-project/security/pull/5741), [#5765](https://github.com/opensearch-project/security/pull/5765))
 - Bump `com.jayway.jsonpath:json-path` from 2.9.0 to 2.10.0 ([#5767](https://github.com/opensearch-project/security/pull/5767))
+- Bump `org.apache.ws.xmlschema:xmlschema-core` from 2.3.1 to 2.3.2 ([#5781](https://github.com/opensearch-project/security/pull/5781))
+- Bump `commons-io:commons-io` from 2.20.0 to 2.21.0 ([#5780](https://github.com/opensearch-project/security/pull/5780))
+- Bump `com.nimbusds:nimbus-jose-jwt` from 10.5 to 10.6 ([#5782](https://github.com/opensearch-project/security/pull/5782))
+- Upgrade to gradle 9.2 and run CI with JDK 25 ([#5786](https://github.com/opensearch-project/security/pull/5786))
 
 ### Documentation
 

MAINTAINERS.md

@@ -15,7 +15,6 @@ This document contains a list of maintainers in this repo. See [opensearch-proje
 | Maintainer       | GitHub ID                                             | Affiliation |
 |------------------|-------------------------------------------------------|-------------|
 | Darshit Chanpura | [DarshitChanpura](https://github.com/DarshitChanpura) | Amazon      |
-| Peter Nied       | [peternied](https://github.com/peternied)             | Amazon      |
 | Craig Perkins    | [cwperks](https://github.com/cwperks)                 | Amazon      |
 | Derek Ho         | [derek-ho](https://github.com/derek-ho)               | Amazon      |
 | Ryan Liang       | [RyanL1997](https://github.com/RyanL1997)             | Amazon      |
@@ -28,6 +27,7 @@ This document contains a list of maintainers in this repo. See [opensearch-proje
 
 | Maintainer       | GitHub ID                                               | Affiliation |
 |------------------|---------------------------------------------------------|-------------|
+| Peter Nied       | [peternied](https://github.com/peternied)               | Airbnb      |
 | Dave Lago        | [davidlago](https://github.com/davidlago)               | Contributor |
 | Chang Liu        | [cliu123](https://github.com/cliu123)                   | Amazon      |
 | Stephen Crawford | [stephen-crawford](https://github.com/stephen-crawford) | Contributor |

README.md

@@ -1,5 +1,5 @@
 [![CI](https://github.com/opensearch-project/security/workflows/CI/badge.svg?branch=main)](https://github.com/opensearch-project/security/actions) [![](https://img.shields.io/github/issues/opensearch-project/security/untriaged?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"untriaged") [![](https://img.shields.io/github/issues/opensearch-project/security/security%20vulnerability?labelColor=red)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"security%20vulnerability") [![](https://img.shields.io/github/issues/opensearch-project/security)](https://github.com/opensearch-project/security/issues) [![](https://img.shields.io/github/issues-pr/opensearch-project/security)](https://github.com/opensearch-project/security/pulls)
-[![](https://img.shields.io/codecov/c/gh/opensearch-project/security)](https://app.codecov.io/gh/opensearch-project/security) [![](https://img.shields.io/github/issues/opensearch-project/security/v2.19.3)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"v2.19.3") [![](https://img.shields.io/github/issues/opensearch-project/security/v3.1.0)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"v3.1.0")
+[![](https://img.shields.io/codecov/c/gh/opensearch-project/security)](https://app.codecov.io/gh/opensearch-project/security) [![](https://img.shields.io/github/issues/opensearch-project/security/v2.19.5)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"v2.19.5") [![](https://img.shields.io/github/issues/opensearch-project/security/v3.4.0)](https://github.com/opensearch-project/security/issues?q=is%3Aissue+is%3Aopen+label%3A"v3.4.0")
 [![Slack](https://img.shields.io/badge/Slack-4A154B?&logo=slack&logoColor=white)](https://opensearch.slack.com/archives/C051Y637FKK)
 
 

RESOURCE_SHARING_AND_ACCESS_CONTROL.md

@@ -610,7 +610,6 @@ Read documents from a plugin’s index and migrate ownership and backend role-ba
 | `source_index`         | string | yes      | Name of the plugin index containing the existing resource documents                                                                                  |
 | `username_path`        | string | yes      | JSON Pointer to the username field inside each document                                                                                              |
 | `backend_roles_path`   | string | yes      | JSON Pointer to the backend_roles field (must point to a JSON array)                                                                                 |
-| `type_path`            | string | no       | JSON Pointer to the resource type field inside each document (required if multiple resource types in same resource index)                            |
 | `default_access_level` | object | yes      | Default access level to assign migrated backend_roles. Must be one from the available action-groups for this type. See `resource-action-groups.yml`. |
 
 **Example Request**
@@ -621,7 +620,6 @@ Read documents from a plugin’s index and migrate ownership and backend role-ba
   "source_index": ".sample_resource",
   "username_path": "/owner",
   "backend_roles_path": "/backend_roles",
-  "type_path": "/type",
   "default_access_level": {
     "sample-resource": "read_only",
     "sample-resource-group": "read-only-group"