opensearch-project
diff --git a/‎CHANGELOG.md
-6 b/‎CHANGELOG.md
-6
diff --git a/‎build.gradle
+2-2 b/‎build.gradle
+2-2
diff --git a/‎release-notes/opensearch-anomaly-detection.release-notes-3.0.0.0-alpha1.md
+6 b/‎release-notes/opensearch-anomaly-detection.release-notes-3.0.0.0-alpha1.md
+6
diff --git a/‎src/main/java/org/opensearch/ad/constant/ADResourceScope.java
+11 b/‎src/main/java/org/opensearch/ad/constant/ADResourceScope.java
+11
diff --git a/‎src/main/java/org/opensearch/ad/constant/ConfigConstants.java
+11 b/‎src/main/java/org/opensearch/ad/constant/ConfigConstants.java
+11
diff --git a/‎src/main/java/org/opensearch/ad/model/AnomalyDetector.java
+18-1 b/‎src/main/java/org/opensearch/ad/model/AnomalyDetector.java
+18-1
diff --git a/‎src/main/java/org/opensearch/ad/transport/AnomalyDetectorJobTransportAction.java
+5-2 b/‎src/main/java/org/opensearch/ad/transport/AnomalyDetectorJobTransportAction.java
+5-2
diff --git a/‎src/main/java/org/opensearch/ad/transport/DeleteAnomalyDetectorTransportAction.java
+5-2 b/‎src/main/java/org/opensearch/ad/transport/DeleteAnomalyDetectorTransportAction.java
+5-2
diff --git a/‎src/main/java/org/opensearch/ad/transport/GetAnomalyDetectorTransportAction.java
+5-2 b/‎src/main/java/org/opensearch/ad/transport/GetAnomalyDetectorTransportAction.java
+5-2
diff --git a/‎src/main/java/org/opensearch/ad/transport/IndexAnomalyDetectorTransportAction.java
+63-28 b/‎src/main/java/org/opensearch/ad/transport/IndexAnomalyDetectorTransportAction.java
+63-28
@@ -8,22 +8,16 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 ### Enhancements
 ### Bug Fixes
 ### Infrastructure
-
 ### Documentation
-
 ### Maintenance
-- Fix breaking changes for 3.0.0 release ([#1424](https://github.com/opensearch-project/anomaly-detection/pull/1424))
-
 ### Refactoring
 
 ## [Unreleased 2.x](https://github.com/opensearch-project/anomaly-detection/compare/2.19...2.x)
 ### Features
 
-
 ### Enhancements
 - Github workflow for changelog verification ([#1413](https://github.com/opensearch-project/anomaly-detection/pull/1413))
 ### Bug Fixes
-
 ### Infrastructure
 ### Documentation
 ### Maintenance
 
@@ -65,7 +65,7 @@ buildscript {
 }
 
 plugins {
-    id 'com.netflix.nebula.ospackage' version "11.10.0"
+    id 'com.netflix.nebula.ospackage' version "11.11.1"
     id "com.diffplug.spotless" version "6.25.0"
     id 'java-library'
     id 'org.gradle.test-retry' version '1.6.0'
@@ -115,7 +115,7 @@ dependencies {
     implementation "org.opensearch:opensearch:${opensearch_version}"
     compileOnly "org.opensearch.plugin:opensearch-scripting-painless-spi:${opensearch_version}"
     compileOnly "org.opensearch:opensearch-job-scheduler-spi:${job_scheduler_version}"
-    compileOnly "org.opensearch:opensearch-resource-sharing-spi:${opensearch_build}"
+    compileOnly "org.opensearch:opensearch-security-client:${opensearch_build}"
     implementation "org.opensearch:common-utils:${common_utils_version}"
     implementation "org.opensearch.client:opensearch-rest-client:${opensearch_version}"
     compileOnly group: 'com.google.guava', name: 'guava', version:'32.1.3-jre'
 
@@ -0,0 +1,6 @@
+## Version 3.0.0.0-alpha1 Release Notes
+
+Compatible with OpenSearch 3.0.0.0-alpha1
+
+### Maintenance
+- Fix breaking changes for 3.0.0 release ([#1424](https://github.com/opensearch-project/anomaly-detection/pull/1424))
@@ -1,3 +1,14 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
 package org.opensearch.ad.constant;
 
 import org.opensearch.security.spi.resources.ResourceAccessScope;
 
@@ -1,3 +1,14 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
 package org.opensearch.ad.constant;
 
 public class ConfigConstants {
 
@@ -42,6 +42,7 @@
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.index.query.QueryBuilder;
 import org.opensearch.index.query.QueryBuilders;
+import org.opensearch.security.spi.resources.Resource;
 import org.opensearch.timeseries.annotation.Generated;
 import org.opensearch.timeseries.common.exception.ValidationException;
 import org.opensearch.timeseries.constant.CommonMessages;
@@ -66,7 +67,8 @@
  * TODO: Will replace detector config mapping in AD task with detector config setting directly \
  *      in code rather than config it in anomaly-detection-state.json file.
  */
-public class AnomalyDetector extends Config {
+public class AnomalyDetector extends Config implements Resource {
+
     static class ADShingleGetter implements ShingleGetter {
         private Integer seasonIntervals;
 
@@ -240,6 +242,21 @@ public AnomalyDetector(
         this.rules = rules == null || rules.isEmpty() ? getDefaultRule() : rules;
     }
 
+    @Override
+    public String getResourceName() {
+        return "detector";
+    }
+
+    @Override
+    public String getWriteableName() {
+        return "anomaly_detector";
+    }
+
+    @Override
+    public boolean isFragment() {
+        return super.isFragment();
+    }
+
     /*
      * For backward compatiblity reason, we cannot use super class
      * Config's constructor as we have detectionDateRange and
 
@@ -34,6 +34,7 @@
 import org.opensearch.timeseries.transport.BaseJobTransportAction;
 import org.opensearch.transport.TransportService;
 import org.opensearch.transport.client.Client;
+import org.opensearch.transport.client.node.NodeClient;
 
 public class AnomalyDetectorJobTransportAction extends
     BaseJobTransportAction<ADIndex, ADIndexManagement, ADTaskCacheManager, ADTaskType, ADTask, ADTaskManager, AnomalyResult, ADProfileAction, ExecuteADResultResponseRecorder, ADIndexJobActionHandler> {
@@ -45,7 +46,8 @@ public AnomalyDetectorJobTransportAction(
         ClusterService clusterService,
         Settings settings,
         NamedXContentRegistry xContentRegistry,
-        ADIndexJobActionHandler adIndexJobActionHandler
+        ADIndexJobActionHandler adIndexJobActionHandler,
+        NodeClient nodeClient
     ) {
         super(
             transportService,
@@ -60,7 +62,8 @@ public AnomalyDetectorJobTransportAction(
             FAIL_TO_START_DETECTOR,
             FAIL_TO_STOP_DETECTOR,
             AnomalyDetector.class,
-            adIndexJobActionHandler
+            adIndexJobActionHandler,
+            nodeClient
         );
     }
 }
@@ -30,6 +30,7 @@
 import org.opensearch.timeseries.transport.BaseDeleteConfigTransportAction;
 import org.opensearch.transport.TransportService;
 import org.opensearch.transport.client.Client;
+import org.opensearch.transport.client.node.NodeClient;
 
 public class DeleteAnomalyDetectorTransportAction extends
     BaseDeleteConfigTransportAction<ADTaskCacheManager, ADTaskType, ADTask, ADIndex, ADIndexManagement, ADTaskManager, AnomalyDetector> {
@@ -43,7 +44,8 @@ public DeleteAnomalyDetectorTransportAction(
         Settings settings,
         NamedXContentRegistry xContentRegistry,
         NodeStateManager nodeStateManager,
-        ADTaskManager adTaskManager
+        ADTaskManager adTaskManager,
+        NodeClient nodeClient
     ) {
         super(
             transportService,
@@ -59,7 +61,8 @@ public DeleteAnomalyDetectorTransportAction(
             AnalysisType.AD,
             ADCommonName.DETECTION_STATE_INDEX,
             AnomalyDetector.class,
-            ADTaskType.HISTORICAL_DETECTOR_TASK_TYPES
+            ADTaskType.HISTORICAL_DETECTOR_TASK_TYPES,
+            nodeClient
         );
     }
 }
@@ -43,6 +43,7 @@
 import org.opensearch.timeseries.util.SecurityClientUtil;
 import org.opensearch.transport.TransportService;
 import org.opensearch.transport.client.Client;
+import org.opensearch.transport.client.node.NodeClient;
 
 public class GetAnomalyDetectorTransportAction extends
     BaseGetConfigTransportAction<GetAnomalyDetectorResponse, ADTaskCacheManager, ADTaskType, ADTask, ADIndex, ADIndexManagement, ADTaskManager, AnomalyDetector, ADEntityProfileAction, ADEntityProfileRunner, ADTaskProfile, DetectorProfile, ADProfileAction, ADTaskProfileRunner, AnomalyDetectorProfileRunner> {
@@ -60,7 +61,8 @@ public GetAnomalyDetectorTransportAction(
         Settings settings,
         NamedXContentRegistry xContentRegistry,
         ADTaskManager adTaskManager,
-        ADTaskProfileRunner adTaskProfileRunner
+        ADTaskProfileRunner adTaskProfileRunner,
+        NodeClient nodeClient
     ) {
         super(
             transportService,
@@ -81,7 +83,8 @@ public GetAnomalyDetectorTransportAction(
             ADTaskType.HISTORICAL_HC_DETECTOR.name(),
             ADTaskType.HISTORICAL_SINGLE_ENTITY.name(),
             AnomalyDetectorSettings.AD_FILTER_BY_BACKEND_ROLES,
-            adTaskProfileRunner
+            adTaskProfileRunner,
+            nodeClient
         );
     }
 
 
@@ -16,6 +16,7 @@
 import static org.opensearch.ad.settings.AnomalyDetectorSettings.AD_FILTER_BY_BACKEND_ROLES;
 import static org.opensearch.timeseries.util.ParseUtils.checkFilterByBackendRoles;
 import static org.opensearch.timeseries.util.ParseUtils.getConfig;
+import static org.opensearch.timeseries.util.ParseUtils.verifyResourceAccessAndProcessRequest;
 import static org.opensearch.timeseries.util.RestHandlerUtils.wrapRestActionListener;
 
 import java.util.List;
@@ -27,6 +28,7 @@
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.WriteRequest;
+import org.opensearch.ad.constant.ADResourceScope;
 import org.opensearch.ad.constant.ConfigConstants;
 import org.opensearch.ad.indices.ADIndexManagement;
 import org.opensearch.ad.model.AnomalyDetector;
@@ -52,6 +54,7 @@
 import org.opensearch.timeseries.util.SecurityClientUtil;
 import org.opensearch.transport.TransportService;
 import org.opensearch.transport.client.Client;
+import org.opensearch.transport.client.node.NodeClient;
 
 public class IndexAnomalyDetectorTransportAction extends HandledTransportAction<IndexAnomalyDetectorRequest, IndexAnomalyDetectorResponse> {
     private static final Logger LOG = LogManager.getLogger(IndexAnomalyDetectorTransportAction.class);
@@ -66,6 +69,7 @@ public class IndexAnomalyDetectorTransportAction extends HandledTransportAction<
     private final SearchFeatureDao searchFeatureDao;
     private final Settings settings;
     private final boolean resourceSharingEnabled;
+    private final NodeClient nodeClient;
 
     @Inject
     public IndexAnomalyDetectorTransportAction(
@@ -78,7 +82,8 @@ public IndexAnomalyDetectorTransportAction(
         ADIndexManagement anomalyDetectionIndices,
         NamedXContentRegistry xContentRegistry,
         ADTaskManager adTaskManager,
-        SearchFeatureDao searchFeatureDao
+        SearchFeatureDao searchFeatureDao,
+        NodeClient nodeClient
     ) {
         super(IndexAnomalyDetectorAction.NAME, transportService, actionFilters, IndexAnomalyDetectorRequest::new);
         this.client = client;
@@ -94,6 +99,7 @@ public IndexAnomalyDetectorTransportAction(
         this.settings = settings;
         this.resourceSharingEnabled = settings
             .getAsBoolean(ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED, ConfigConstants.OPENSEARCH_RESOURCE_SHARING_ENABLED_DEFAULT);
+        this.nodeClient = nodeClient;
     }
 
     @Override
@@ -103,7 +109,29 @@ protected void doExecute(Task task, IndexAnomalyDetectorRequest request, ActionL
         RestRequest.Method method = request.getMethod();
         String errorMessage = method == RestRequest.Method.PUT ? FAIL_TO_UPDATE_DETECTOR : FAIL_TO_CREATE_DETECTOR;
         ActionListener<IndexAnomalyDetectorResponse> listener = wrapRestActionListener(actionListener, errorMessage);
+
         try (ThreadContext.StoredContext context = client.threadPool().getThreadContext().stashContext()) {
+            if (resourceSharingEnabled) {
+                // Call verifyResourceAccessAndProcessRequest before proceeding
+                verifyResourceAccessAndProcessRequest(
+                    user,
+                    detectorId,
+                    ADResourceScope.AD_FULL_ACCESS.value(),
+                    nodeClient,
+                    settings,
+                    listener,
+                    args -> indexDetector(
+                        user,
+                        detectorId,
+                        method,
+                        listener,
+                        detector -> adExecute(request, user, detector, context, listener)
+                    ) // Execute only if access is granted
+                );
+                return;
+            }
+
+            // Proceed with normal execution if resource sharing is not enabled
             resolveUserAndExecute(user, detectorId, method, listener, (detector) -> adExecute(request, user, detector, context, listener));
         } catch (Exception e) {
             LOG.error(e);
@@ -119,44 +147,51 @@ private void resolveUserAndExecute(
         Consumer<AnomalyDetector> function
     ) {
         try {
-            // If resource sharing flag is enabled then access evaluation will be performed at DLS level
-            if (!resourceSharingEnabled && filterByEnabled) {
-                // Check if user has backend roles
-                // When filter by is enabled, block users creating/updating detectors who do not have backend roles.
+            if (filterByEnabled) {
                 String error = checkFilterByBackendRoles(requestedUser);
                 if (error != null) {
                     listener.onFailure(new TimeSeriesException(error));
                     return;
                 }
             }
-            if (method == RestRequest.Method.PUT) {
-                // requestedUser == null means security is disabled or user is superadmin. In this case we don't need to
-                // check if request user have access to the detector or not. But we still need to get current detector for
-                // this case, so we can keep current detector's user data.
-                boolean filterByBackendRole = requestedUser == null ? false : filterByEnabled;
-                // Update detector request, check if user has permissions to update the detector
-                // Get detector and verify backend roles
-                getConfig(
-                    requestedUser,
-                    detectorId,
-                    listener,
-                    function,
-                    client,
-                    clusterService,
-                    xContentRegistry,
-                    filterByBackendRole,
-                    AnomalyDetector.class,
-                    resourceSharingEnabled
-                );
-            } else {
-                // Create Detector. No need to get current detector.
-                function.accept(null);
-            }
+
+            indexDetector(requestedUser, detectorId, method, listener, function);
         } catch (Exception e) {
             listener.onFailure(e);
         }
     }
 
+    private void indexDetector(
+        User requestedUser,
+        String detectorId,
+        RestRequest.Method method,
+        ActionListener<IndexAnomalyDetectorResponse> listener,
+        Consumer<AnomalyDetector> function
+    ) {
+        if (method == RestRequest.Method.PUT) {
+            // requestedUser == null means security is disabled or user is superadmin. In this case we don't need to
+            // check if request user have access to the detector or not. But we still need to get current detector for
+            // this case, so we can keep current detector's user data.
+            boolean filterByBackendRole = requestedUser == null ? false : filterByEnabled;
+            // Update detector request, check if user has permissions to update the detector
+            // Get detector and verify backend roles
+            getConfig(
+                requestedUser,
+                detectorId,
+                listener,
+                function,
+                client,
+                clusterService,
+                xContentRegistry,
+                filterByBackendRole,
+                AnomalyDetector.class
+            );
+        } else {
+            // Create Detector. No need to get current detector.
+            function.accept(null);
+        }
+    }
+
     protected void adExecute(
         IndexAnomalyDetectorRequest request,
         User user,