Add security changes for point in time API

[bharath-techie]

Signed-off-by: Bharathwaj G bharath78910@gmail.com

Description

The existing model requires indices read access to 'pit delete' and 'list all pits' to all users.
So changing the action names to 'cluster:admin/<action_name>".

Now , we can't add these cluster permissions to 'cluster_composite_ops' or 'ops_ro' since user has access to 'my_index' role which has access to 'cluster_composite_ops' which will make all users to access list and delete pit.

So changing the approach to new one below.
Add point in time permissions to 'manage_point_in_time' which is part of default static action groups.

Point in time apis - and associated action names :

1. Create PIT - - "indices:data/read/point_in_time/create" ( indices:data/read is chosen because this will make sure users have read permission to the passed indices )
2. Delete PIT - "cluster:admin/point_in_time/delete" ( cluster:admin/* is used because the apis are not dependent on indices like create pit and should just work based on this standalone permission )
3. List all PITs - "cluster:admin/point_in_time/read*"
4. PIT segments API - "indices:monitor/point_in_time/segments"

All the above actions are added to new action group 'manage_point_in_time'

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
  New feature - Point in time feature
• Why these changes are required?
  These changes are required for access of various point in time APIs
• What is the old behavior before changes and new behavior after changes?
  This is a new feature

Design document:
opensearch-project/OpenSearch#3960

Api changes:
opensearch-project/OpenSearch#4064 - create pit and delete pit api
opensearch-project/OpenSearch#4016 - list all

Issues Resolved

opensearch-project/OpenSearch#3959

Is this a backport? If so, please add backport PR # and/or commits #

Testing

Tested locally by running opensearch server alongside security plugin.
Only when index permissions and 'manage_point_in_time' action group permission is present , create api succeeds
For rest of the APIs, 'manage_point_in_time' action group permission controls whether the api can be accessible or not, which has been tested as well.

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.07%. Comparing base (f4b3a3a) to head (abfabe1).
⚠️ Report is 1422 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main    #2033   +/-   ##
=========================================
  Coverage     61.06%   61.07%           
- Complexity     3229     3230    +1     
=========================================
  Files           256      256           
  Lines         18070    18070           
  Branches       3220     3220           
=========================================
+ Hits          11035    11036    +1     
+ Misses         5463     5461    -2     
- Partials       1572     1573    +1     

see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bharath-techie]

@cliu123 @peternied please review

[peternied]

@bharath-techie Have these changes been tested, could you describe how this was done and what was covered? There was a previous permissions pull request that didn't cover the full scenarios.

[bharath-techie]

@bharath-techie Have these changes been tested, could you describe how this was done and what was covered? There was a previous permissions pull request that didn't cover the full scenarios.

Added testing section of PR. Tested the changes locally to verify the changes.

[Bukhtawar]

LGTM

[peternied]

Thanks for those updates