[Resource Sharing] Keep track of list ofall_shared_principals for which sharable resource is visible for searching (#5596)

cwperks · web-flow · commit 58f51fcc00f5 · 2025-09-05T13:32:27.000-04:00
Signed-off-by: Craig Perkins &lt;cwperx@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Enhancements
 
+- [Resource Sharing] Keep track of list of principals for which sharable resource is visible for searching ([#5596](https://github.com/opensearch-project/security/pull/5596))
 - [Resource Sharing] Keep track of tenant for sharable resources by persisting user requested tenant with sharing info ([#5588](https://github.com/opensearch-project/security/pull/5588))
 
 ### Bug Fixes
diff --git a/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/MigrateApiTests.java b/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/MigrateApiTests.java
@@ -26,7 +26,6 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.Version;
-import org.opensearch.painless.PainlessModulePlugin;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
@@ -64,7 +63,6 @@ public class MigrateApiTests {
 
     @ClassRule
     public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.DEFAULT)
-        .plugin(PainlessModulePlugin.class)
         .plugin(
             new PluginInfo(
                 SampleResourcePlugin.class.getName(),
diff --git a/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/SecurityDisabledTests.java b/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/SecurityDisabledTests.java
@@ -19,7 +19,6 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.Version;
-import org.opensearch.painless.PainlessModulePlugin;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
@@ -65,7 +64,6 @@ public class SecurityDisabledTests {
                 false
             )
         )
-        .plugin(PainlessModulePlugin.class)
         .loadConfigurationIntoIndex(false)
         .nodeSettings(Map.of("plugins.security.disabled", true, "plugins.security.ssl.http.enabled", false))
         .build();
diff --git a/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/TestUtils.java b/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/TestUtils.java
@@ -23,7 +23,6 @@
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.painless.PainlessModulePlugin;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
@@ -113,7 +112,6 @@ public static LocalCluster newCluster(boolean featureEnabled, boolean systemInde
                     false
                 )
             )
-            .plugin(PainlessModulePlugin.class)
             .anonymousAuth(true)
             .authc(AUTHC_HTTPBASIC_INTERNAL)
             .users(USER_ADMIN, FULL_ACCESS_USER, LIMITED_ACCESS_USER, NO_ACCESS_USER)
diff --git a/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/secure/SecurePluginTests.java b/sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/secure/SecurePluginTests.java
@@ -19,7 +19,6 @@
 
 import org.opensearch.Version;
 import org.opensearch.core.rest.RestStatus;
-import org.opensearch.painless.PainlessModulePlugin;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
@@ -47,7 +46,6 @@ public class SecurePluginTests {
         .anonymousAuth(false)
         .authc(AUTHC_DOMAIN)
         .users(USER_ADMIN)
-        .plugin(PainlessModulePlugin.class)
         .plugin(
             new PluginInfo(
                 SampleResourcePlugin.class.getName(),
diff --git a/spi/src/main/java/org/opensearch/security/spi/resources/sharing/ResourceSharing.java b/spi/src/main/java/org/opensearch/security/spi/resources/sharing/ResourceSharing.java
@@ -9,8 +9,10 @@
 package org.opensearch.security.spi.resources.sharing;
 
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
@@ -267,4 +269,47 @@ public Set<String> fetchAccessLevels(Recipient recipientType, Set<String> entiti
         }
         return matchingGroups;
     }
+
+    /**
+     * Returns all principals (users, roles, backend_roles) that have access to this resource,
+     * including the creator and all shared recipients, formatted with appropriate prefixes.
+     *
+     * @return List of principals in format ["user:username", "role:rolename", "backend:backend_role"]
+     */
+    public List<String> getAllPrincipals() {
+        List<String> principals = new ArrayList<>();
+
+        // Add creator
+        if (createdBy != null) {
+            principals.add("user:" + createdBy.getUsername());
+        }
+
+        // Add shared recipients
+        if (shareWith != null) {
+            // shared with at any access level
+            for (Recipients recipients : shareWith.getSharingInfo().values()) {
+                Map<Recipient, Set<String>> recipientMap = recipients.getRecipients();
+
+                // Add users
+                Set<String> users = recipientMap.getOrDefault(Recipient.USERS, Collections.emptySet());
+                for (String user : users) {
+                    principals.add("user:" + user);
+                }
+
+                // Add roles
+                Set<String> roles = recipientMap.getOrDefault(Recipient.ROLES, Collections.emptySet());
+                for (String role : roles) {
+                    principals.add("role:" + role);
+                }
+
+                // Add backend roles
+                Set<String> backendRoles = recipientMap.getOrDefault(Recipient.BACKEND_ROLES, Collections.emptySet());
+                for (String backendRole : backendRoles) {
+                    principals.add("backend:" + backendRole);
+                }
+            }
+        }
+
+        return principals;
+    }
 }
diff --git a/src/main/java/org/opensearch/security/resources/ResourceIndexListener.java b/src/main/java/org/opensearch/security/resources/ResourceIndexListener.java
@@ -54,7 +54,7 @@ public void postIndex(ShardId shardId, Engine.Index index, Engine.IndexResult re
         String resourceId = index.id();
 
         // Only proceed if this was a create operation and for primary shard
-        if (!result.isCreated() && index.origin().equals(Engine.Operation.Origin.PRIMARY)) {
+        if (!result.isCreated() || !index.origin().equals(Engine.Operation.Origin.PRIMARY)) {
             log.debug("Skipping resource sharing entry creation as this was an update operation for resource {}", resourceId);
             return;
         }
diff --git a/src/main/java/org/opensearch/security/resources/ResourceSharingIndexHandler.java b/src/main/java/org/opensearch/security/resources/ResourceSharingIndexHandler.java

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,6 @@`
`19`	`19`	`import org.junit.runner.RunWith;`
`20`	`20`
`21`	`21`	`import org.opensearch.Version;`
`22`		`-import org.opensearch.painless.PainlessModulePlugin;`
`23`	`22`	`import org.opensearch.plugins.PluginInfo;`
`24`	`23`	`import org.opensearch.sample.SampleResourcePlugin;`
`25`	`24`	`import org.opensearch.security.OpenSearchSecurityPlugin;`
`@@ -65,7 +64,6 @@ public class SecurityDisabledTests {`
`65`	`64`	`false`
`66`	`65`	`)`
`67`	`66`	`)`
`68`		`- .plugin(PainlessModulePlugin.class)`
`69`	`67`	`.loadConfigurationIntoIndex(false)`
`70`	`68`	`.nodeSettings(Map.of("plugins.security.disabled", true, "plugins.security.ssl.http.enabled", false))`
`71`	`69`	`.build();`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ public void postIndex(ShardId shardId, Engine.Index index, Engine.IndexResult re`
`54`	`54`	`String resourceId = index.id();`
`55`	`55`
`56`	`56`	`// Only proceed if this was a create operation and for primary shard`
`57`		`- if (!result.isCreated() && index.origin().equals(Engine.Operation.Origin.PRIMARY)) {`
	`57`	`+ if (!result.isCreated() \|\| !index.origin().equals(Engine.Operation.Origin.PRIMARY)) {`
`58`	`58`	`log.debug("Skipping resource sharing entry creation as this was an update operation for resource {}", resourceId);`
`59`	`59`	`return;`
`60`	`60`	`}`