Replace usages of ThreadContext.stashContext with pluginSubject.runAs #715

Merged
heemin32 merged 19 commits into opensearch-project:main from cwperks:remove-stash-context
Jul 24, 2025

@cwperks
Member

@cwperks cwperks commented Jan 28, 2025

Description

This PR replaces usages of ThreadContext.stashContext with a replacement that enforces stricter ownership over system indices. Plugins can use this replacement for system index access and the advantage of this replacement is that it provides context into which plugin is performing privileged actions like system index access.

Related Issues

Resolves opensearch-project/opensearch-plugins#238

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@yizheliu-amazon
Contributor

Hi @cwperks, should this change be included in the 2.19 release? The code freeze for 2.19 starts on Jan 28th as per: https://opensearch.org/releases.html

@cwperks
Member Author

cwperks commented Jan 31, 2025

> Hi @cwperks , should this change be included in 2.19 release? The code freeze for 2.19 starts at Jan 28th as per: https://opensearch.org/releases.html

No, this does not need to be included. This is part of a larger effort across plugins. I initially looked at geospatial since it was one of the plugins that creates an instance of JobScheduler's LockService and I wanted to demonstrate how to use the instance of LockService provided by job scheduler instead of creating a separate instance. Eventually, I want to remove the public constructor for LockService to enforce that plugins use the instance provided by job scheduler.

The reason for this is a new model for access to system indices instead of the current model of wrapping with ThreadContext.stashContext.

In the current model there are no authz checks that are run in that block, so a plugin can perform any action w/o restriction.

In the new model (utilizing pluginSubject.runAs) it provides information at runtime about which plugin is running the action and security uses that information to allow it to access its own system indices, but can forbid other actions.
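
A simplified model of the two access patterns contrasted in the comment above, added here as an illustration. It is not code from this PR or from OpenSearch; the class, the `withIdentity` helper, the principal strings and the index names are hypothetical stand-ins.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;

// Simplified model, not OpenSearch code: every class, method and name below
// is a hypothetical stand-in for the behaviour described in the thread.
public class SystemIndexAccessModel {
    // Identity attached to the current thread (what a ThreadContext carries).
    static final ThreadLocal<String> IDENTITY = new ThreadLocal<>();

    // Constructed sample data: the system indices each plugin registered.
    static final Map<String, Set<String>> OWNED = Map.of(
        "plugin:geospatial", Set.of(".sample-geospatial-index"),
        "plugin:job-scheduler", Set.of(".sample-job-scheduler-lock"));

    // Authorization decision for an action on a system index.
    static boolean authorize(String index) {
        String who = IDENTITY.get();
        if (who == null) {
            return true; // stashed context: no identity, so no check is run
        }
        // Known plugin: only its own system indices are allowed.
        return OWNED.getOrDefault(who, Set.of()).contains(index);
    }

    // identity == null models a stashContext block; a plugin principal
    // models pluginSubject.runAs for that plugin.
    static <T> T withIdentity(String identity, Callable<T> action) throws Exception {
        String previous = IDENTITY.get();
        IDENTITY.set(identity);
        try {
            return action.call();
        } finally {
            IDENTITY.set(previous); // always restore the caller's identity
        }
    }

    public static void main(String[] args) throws Exception {
        String own = ".sample-geospatial-index";
        String other = ".sample-job-scheduler-lock";
        System.out.println("stash, other plugin's index: " + withIdentity(null, () -> authorize(other)));
        System.out.println("runAs, own index:            " + withIdentity("plugin:geospatial", () -> authorize(own)));
        System.out.println("runAs, other plugin's index: " + withIdentity("plugin:geospatial", () -> authorize(other)));
    }
}
```

In this model the stashed call to another plugin's index is allowed, while under the plugin identity only the plugin's own index is allowed and the other plugin's index is refused.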

@yizheliu-amazon
Contributor

I see. Thank you for the information.

cwperks added 7 commits June 23, 2025 09:21
Signed-off-by: Craig Perkins <cwperx@amazon.com>
…troller

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Member Author

cwperks commented Jul 24, 2025

Unrelated to the changes in this PR, but I'll see about fixing these:

> Task :compileTestJava
D:\a\geospatial\geospatial\src\test\java\org\opensearch\geospatial\index\mapper\xypoint\XYPointFieldMapperTests.java:61: error: ignoreMalformed() has protected access in AbstractGeometryFieldMapper
                assertTrue("param [ ignore_malformed ] is not updated", xyPointFieldMapper.ignoreMalformed().value());
                                                                                          ^
D:\a\geospatial\geospatial\src\test\java\org\opensearch\geospatial\index\mapper\xypoint\XYPointFieldMapperTests.java:122: error: ignoreMalformed() has protected access in AbstractGeometryFieldMapper
        assertEquals("param [ ignore_malformed ] default value should be false", xyPointFieldMapper.ignoreMalformed().value(), false);
                                                                                                   ^
D:\a\geospatial\geospatial\src\test\java\org\opensearch\geospatial\index\mapper\xyshape\XYShapeFieldMapperTests.java:66: error: ignoreMalformed() has protected access in AbstractGeometryFieldMapper
                assertTrue("param [ ignore_malformed ] is not updated", XYShapeFieldMapper.ignoreMalformed().value());
                                                                                          ^
D:\a\geospatial\geospatial\src\test\java\org\opensearch\geospatial\index\mapper\xyshape\XYShapeFieldMapperTests.java:137: error: ignoreMalformed() has protected access in AbstractGeometryFieldMapper
        assertEquals("param [ ignore_malformed ] default value should be false", XYShapeFieldMapper.ignoreMalformed().value(), false);

@cwperks
Member Author

cwperks commented Jul 24, 2025

Checks are failing due to this change in core: opensearch-project/OpenSearch#18706

access modifier for ignoreMalformed() changed from public to protected.

cwperks added 2 commits July 24, 2025 11:12
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Member Author

cwperks commented Jul 24, 2025

Fixed the errors due to the breaking change from core.

I added a public shouldIgnoreMalformed to XYShapeFieldMapper and XYPointFieldMapper that can be called in the tests.

@heemin32 heemin32 merged commit e7ecd51 into opensearch-project:main Jul 24, 2025
13 checks passed

Development

Successfully merging this pull request may close these issues.

[META] Remove usages of ThreadContext.stashContext and adopt new mechanism for System Index access
