Adds share API to allow resource sharing

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

Author: DarshitChanpura

src/main/java/org/opensearch/ad/transport/IndexAnomalyDetectorTransportAction.java

@@ -178,6 +178,11 @@ protected void adExecute(
             );
             indexAnomalyDetectorActionHandler.start(listener);
         }, listener);
+
+        // This call was added to ensure that existing functionality of sharing the resource via backend_role exists
+        // TODO 3.0 and later the following must be removed and a new REST API where user must explicitly share the detector should be
+        // exposed
+        shareResourceWithBackendRoles(detectorId, user, listener);
     }
 
     private void checkIndicesAndExecute(

src/main/java/org/opensearch/timeseries/TimeSeriesAnalyticsPlugin.java

@@ -293,6 +293,7 @@
 import org.opensearch.timeseries.function.ThrowingSupplierWrapper;
 import org.opensearch.timeseries.model.Job;
 import org.opensearch.timeseries.ratelimit.CheckPointMaintainRequestAdapter;
+import org.opensearch.timeseries.rest.RestShareConfigAction;
 import org.opensearch.timeseries.settings.TimeSeriesEnabledSetting;
 import org.opensearch.timeseries.settings.TimeSeriesSettings;
 import org.opensearch.timeseries.stats.StatNames;
@@ -302,6 +303,8 @@
 import org.opensearch.timeseries.stats.suppliers.SettableSupplier;
 import org.opensearch.timeseries.task.TaskCacheManager;
 import org.opensearch.timeseries.transport.CronTransportAction;
+import org.opensearch.timeseries.transport.ShareConfigAction;
+import org.opensearch.timeseries.transport.ShareConfigTransportAction;
 import org.opensearch.timeseries.transport.handler.ResultBulkIndexingHandler;
 import org.opensearch.timeseries.util.ClientUtil;
 import org.opensearch.timeseries.util.DiscoveryNodeFilterer;
@@ -439,6 +442,9 @@ public List<RestHandler> getRestHandlers(
         RestValidateForecasterAction validateForecasterAction = new RestValidateForecasterAction(settings, clusterService);
         RestForecasterSuggestAction suggestForecasterParamAction = new RestForecasterSuggestAction(settings, clusterService);
 
+        // Config sharing and access control
+        RestShareConfigAction restShareConfigAction = new RestShareConfigAction();
+
         ForecastJobProcessor forecastJobRunner = ForecastJobProcessor.getInstance();
         forecastJobRunner.setClient(client);
         forecastJobRunner.setThreadPool(threadPool);
@@ -478,7 +484,9 @@ public List<RestHandler> getRestHandlers(
                 statsForecasterAction,
                 runOnceForecasterAction,
                 validateForecasterAction,
-                suggestForecasterParamAction
+                suggestForecasterParamAction,
+                // Config sharing and access control
+                restShareConfigAction
             );
     }
 
@@ -1711,7 +1719,8 @@ public List<NamedXContentRegistry.Entry> getNamedXContent() {
                 new ActionHandler<>(ForecastRunOnceAction.INSTANCE, ForecastRunOnceTransportAction.class),
                 new ActionHandler<>(ForecastRunOnceProfileAction.INSTANCE, ForecastRunOnceProfileTransportAction.class),
                 new ActionHandler<>(ValidateForecasterAction.INSTANCE, ValidateForecasterTransportAction.class),
-                new ActionHandler<>(SuggestForecasterParamAction.INSTANCE, SuggestForecasterParamTransportAction.class)
+                new ActionHandler<>(SuggestForecasterParamAction.INSTANCE, SuggestForecasterParamTransportAction.class),
+                new ActionHandler<>(ShareConfigAction.INSTANCE, ShareConfigTransportAction.class)
             );
     }
 

src/main/java/org/opensearch/timeseries/constant/CommonValue.java

@@ -9,4 +9,7 @@ public class CommonValue {
     // unknown or no schema version
     public static Integer NO_SCHEMA_VERSION = 0;
 
+    // config access control
+    public static String CONFIG_ACCESS_CONTROL_BASE_ACTION = "cluster:admin/timeseries/config/access";
+    public static String CONFIG_ACCESS_CONTROL_BASE_URI = "/_plugins/_timeseries/config/access";
 }

src/main/java/org/opensearch/timeseries/rest/RestShareConfigAction.java

@@ -0,0 +1,70 @@
+package org.opensearch.timeseries.rest;
+
+import static java.util.Collections.singletonList;
+import static org.opensearch.rest.RestRequest.Method.POST;
+import static org.opensearch.timeseries.constant.CommonValue.CONFIG_ACCESS_CONTROL_BASE_URI;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+import org.opensearch.accesscontrol.resources.ShareWith;
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.common.xcontent.LoggingDeprecationHandler;
+import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.common.xcontent.XContentType;
+import org.opensearch.core.xcontent.NamedXContentRegistry;
+import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.rest.BaseRestHandler;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.action.RestToXContentListener;
+import org.opensearch.timeseries.transport.ShareConfigAction;
+import org.opensearch.timeseries.transport.ShareConfigRequest;
+
+public class RestShareConfigAction extends BaseRestHandler {
+    public RestShareConfigAction() {}
+
+    @Override
+    public List<Route> routes() {
+        return singletonList(new Route(POST, CONFIG_ACCESS_CONTROL_BASE_URI + "/share"));
+    }
+
+    @Override
+    public String getName() {
+        return "share_timeseries_config";
+    }
+
+    @Override
+    protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
+        Map<String, Object> source;
+        try (XContentParser parser = request.contentParser()) {
+            source = parser.map();
+        }
+
+        String resourceId = (String) source.get("config_id");
+
+        ShareWith shareWith = parseShareWith(source);
+        final ShareConfigRequest shareResourceRequest = new ShareConfigRequest(resourceId, shareWith);
+        return channel -> client.executeLocally(ShareConfigAction.INSTANCE, shareResourceRequest, new RestToXContentListener<>(channel));
+    }
+
+    private ShareWith parseShareWith(Map<String, Object> source) throws IOException {
+        @SuppressWarnings("unchecked")
+        Map<String, Object> shareWithMap = (Map<String, Object>) source.get("share_with");
+        if (shareWithMap == null || shareWithMap.isEmpty()) {
+            throw new IllegalArgumentException("share_with is required and cannot be empty");
+        }
+
+        String jsonString = XContentFactory.jsonBuilder().map(shareWithMap).toString();
+
+        try (
+            XContentParser parser = XContentType.JSON
+                .xContent()
+                .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, jsonString)
+        ) {
+            return ShareWith.fromXContent(parser);
+        } catch (IllegalArgumentException e) {
+            throw new IllegalArgumentException("Invalid share_with structure: " + e.getMessage(), e);
+        }
+    }
+}

src/main/java/org/opensearch/timeseries/transport/ShareConfigAction.java

@@ -0,0 +1,21 @@
+package org.opensearch.timeseries.transport;
+
+import static org.opensearch.timeseries.constant.CommonValue.CONFIG_ACCESS_CONTROL_BASE_ACTION;
+
+import org.opensearch.action.ActionType;
+
+public class ShareConfigAction extends ActionType<ShareConfigResponse> {
+
+    /**
+     * Share config action instance.
+     */
+    public static final ShareConfigAction INSTANCE = new ShareConfigAction();
+    /**
+     * Share config action name
+     */
+    public static final String NAME = CONFIG_ACCESS_CONTROL_BASE_ACTION + "/share";
+
+    private ShareConfigAction() {
+        super(NAME, ShareConfigResponse::new);
+    }
+}

src/main/java/org/opensearch/timeseries/transport/ShareConfigRequest.java

@@ -0,0 +1,48 @@
+package org.opensearch.timeseries.transport;
+
+import java.io.IOException;
+import java.util.stream.Collectors;
+
+import org.opensearch.accesscontrol.resources.ShareWith;
+import org.opensearch.accesscontrol.resources.SharedWithScope;
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.timeseries.util.ValidationUtil;
+
+public class ShareConfigRequest extends ActionRequest {
+    private final String configId;
+    private final ShareWith shareWith;
+
+    public ShareConfigRequest(String configId, ShareWith shareWith) {
+        this.configId = configId;
+        this.shareWith = shareWith;
+    }
+
+    public ShareConfigRequest(StreamInput in) throws IOException {
+        this.configId = in.readString();
+        this.shareWith = in.readNamedWriteable(ShareWith.class);
+    }
+
+    @Override
+    public void writeTo(final StreamOutput out) throws IOException {
+        out.writeString(configId);
+        out.writeNamedWriteable(shareWith);
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+
+        return ValidationUtil
+            .validateScopes(shareWith.getSharedWithScopes().stream().map(SharedWithScope::getScope).collect(Collectors.toSet()));
+    }
+
+    public String getConfigId() {
+        return configId;
+    }
+
+    public ShareWith getShareWith() {
+        return shareWith;
+    }
+}

src/main/java/org/opensearch/timeseries/transport/ShareConfigResponse.java

@@ -0,0 +1,35 @@
+package org.opensearch.timeseries.transport;
+
+import java.io.IOException;
+
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+public class ShareConfigResponse extends ActionResponse implements ToXContentObject {
+    private final String message;
+
+    public ShareConfigResponse(String message) {
+        this.message = message;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(message);
+    }
+
+    public ShareConfigResponse(final StreamInput in) throws IOException {
+        message = in.readString();
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
+        builder.startObject();
+        builder.field("message", message);
+        builder.endObject();
+        return builder;
+    }
+}

src/main/java/org/opensearch/timeseries/transport/ShareConfigTransportAction.java

@@ -0,0 +1,42 @@
+package org.opensearch.timeseries.transport;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.accesscontrol.resources.ResourceService;
+import org.opensearch.accesscontrol.resources.ResourceSharing;
+import org.opensearch.action.support.ActionFilters;
+import org.opensearch.action.support.HandledTransportAction;
+import org.opensearch.common.inject.Inject;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.tasks.Task;
+import org.opensearch.timeseries.TimeSeriesAnalyticsPlugin;
+import org.opensearch.timeseries.constant.CommonName;
+import org.opensearch.transport.TransportService;
+
+public class ShareConfigTransportAction extends HandledTransportAction<ShareConfigRequest, ShareConfigResponse> {
+
+    private static final Logger log = LogManager.getLogger(ShareConfigTransportAction.class);
+
+    @Inject
+    public ShareConfigTransportAction(TransportService transportService, ActionFilters actionFilters) {
+        super(ShareConfigAction.NAME, transportService, actionFilters, ShareConfigRequest::new);
+    }
+
+    @Override
+    protected void doExecute(Task task, ShareConfigRequest request, ActionListener<ShareConfigResponse> listener) {
+        ResourceSharing sharing;
+        try {
+            sharing = shareConfig(request);
+            log.info("Shared config : {} with {}", request.getConfigId(), sharing.toString());
+            listener.onResponse(new ShareConfigResponse("Resource " + request.getConfigId() + " shared successfully with " + sharing));
+        } catch (Exception e) {
+            log.error("Something went wrong trying to share config {} with {}", request.getConfigId(), request.getShareWith().toString());
+            listener.onFailure(e);
+        }
+    }
+
+    private ResourceSharing shareConfig(ShareConfigRequest request) {
+        ResourceService rs = TimeSeriesAnalyticsPlugin.GuiceHolder.getResourceService();
+        return rs.getResourceAccessControlPlugin().shareWith(request.getConfigId(), CommonName.CONFIG_INDEX, request.getShareWith());
+    }
+}

src/main/java/org/opensearch/timeseries/util/ParseUtils.java

@@ -36,10 +36,14 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.join.ScoreMode;
 import org.opensearch.OpenSearchStatusException;
+import org.opensearch.accesscontrol.resources.RecipientType;
+import org.opensearch.accesscontrol.resources.ShareWith;
+import org.opensearch.accesscontrol.resources.SharedWithScope;
 import org.opensearch.action.get.GetRequest;
 import org.opensearch.action.get.GetResponse;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.ad.constant.ADResourceScope;
+import org.opensearch.ad.transport.IndexAnomalyDetectorResponse;
 import org.opensearch.client.Client;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.xcontent.LoggingDeprecationHandler;
@@ -841,4 +845,24 @@ public static void validatePermissions(String detectorId, ActionListener<? exten
         }
     }
 
+    public static void shareResourceWithBackendRoles(String detectorId, User user, ActionListener<IndexAnomalyDetectorResponse> listener) {
+        SharedWithScope.ScopeRecipients recipients = new SharedWithScope.ScopeRecipients(
+            Map.of(new RecipientType("backend_roles"), Set.copyOf(user.getBackendRoles()))
+        );
+        ShareWith shareWith = new ShareWith(Set.of(new SharedWithScope(ADResourceScope.AD_FULL_ACCESS.getScopeName(), recipients)));
+
+        TimeSeriesAnalyticsPlugin.GuiceHolder
+            .getResourceService()
+            .getResourceAccessControlPlugin()
+            .shareWith(detectorId, CommonName.CONFIG_INDEX, shareWith);
+
+        logger
+            .info(
+                "Detector {} shared with backend roles of user {} for scope {}",
+                detectorId,
+                user.getName(),
+                ADResourceScope.AD_FULL_ACCESS.getScopeName()
+            );
+    }
+
 }

src/main/java/org/opensearch/timeseries/util/ValidationUtil.java

@@ -0,0 +1,36 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.timeseries.util;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.opensearch.accesscontrol.resources.ResourceAccessScope;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.ad.constant.ADResourceScope;
+
+public class ValidationUtil {
+    public static ActionRequestValidationException validateScopes(Set<String> scopes) {
+        Set<String> validScopes = new HashSet<>();
+        for (ADResourceScope scope : ADResourceScope.values()) {
+            validScopes.add(scope.name());
+        }
+        validScopes.add(ResourceAccessScope.READ_ONLY);
+        validScopes.add(ResourceAccessScope.READ_WRITE);
+
+        for (String s : scopes) {
+            if (!validScopes.contains(s)) {
+                ActionRequestValidationException exception = new ActionRequestValidationException();
+                exception.addValidationError("Invalid scope: " + s + ". Scope must be one of: " + validScopes);
+                return exception;
+            }
+        }
+        return null;
+    }
+}