Api token authc/z implementation with Cache

[derek-ho]

Description

This PR implements authc/z for api tokens. For authc it is based on token validity for as well as presence in a cache, which listens to index and delete operations on the api token index. For Authz, it onboards onto action privileges class, where instead of returning not authorized for cluster and index privileges, requests go through a final api token check, where if the user is an api token, it will evaluate whether the permissions in the cache are sufficient to execute the request.

Issues Resolved

[List any issues this PR will resolve]

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Attention: Patch coverage is 62.50000% with 84 lines in your changes missing coverage. Please review.

Project coverage is 71.38%. Comparing base (0edba23) to head (6418226).
Report is 10 commits behind head on feature/api-tokens.

Files with missing lines	Patch %	Lines
...pensearch/security/http/ApiTokenAuthenticator.java	64.63%	20 Missing and 9 partials ⚠️
...y/action/apitokens/ApiTokenIndexListenerCache.java	25.00%	21 Missing ⚠️
...ensearch/security/privileges/ActionPrivileges.java	80.76%	5 Missing and 10 partials ⚠️
...earch/security/auditlog/impl/AbstractAuditLog.java	40.00%	3 Missing and 3 partials ⚠️
.../opensearch/security/OpenSearchSecurityPlugin.java	0.00%	4 Missing and 1 partial ⚠️
...nsearch/security/action/apitokens/Permissions.java	60.00%	4 Missing ⚠️
...ch/security/securityconf/DynamicConfigModelV7.java	20.00%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@                  Coverage Diff                   @@
##           feature/api-tokens    #4992      +/-   ##
======================================================
- Coverage               71.46%   71.38%   -0.09%     
======================================================
  Files                     334      343       +9     
  Lines                   22552    23131     +579     
  Branches                 3590     3669      +79     
======================================================
+ Hits                    16117    16511     +394     
- Misses                   4642     4795     +153     
- Partials                 1793     1825      +32     

Files with missing lines	Coverage Δ
.../security/action/apitokens/ApiTokenRepository.java	100.00% <100.00%> (ø)
...g/opensearch/security/authtoken/jwt/JwtVendor.java	88.00% <ø> (-1.10%)	⬇️
...search/security/identity/SecurityTokenManager.java	82.75% <100.00%> (-6.61%)	⬇️
...curity/privileges/PrivilegesEvaluationContext.java	97.43% <100.00%> (+0.13%)	⬆️
...g/opensearch/security/ssl/util/ExceptionUtils.java	45.83% <100.00%> (+2.35%)	⬆️
...a/org/opensearch/security/util/AuthTokenUtils.java	66.66% <100.00%> (+4.16%)	⬆️
...nsearch/security/action/apitokens/Permissions.java	60.00% <60.00%> (ø)
...ch/security/securityconf/DynamicConfigModelV7.java	73.22% <20.00%> (-1.07%)	⬇️
.../opensearch/security/OpenSearchSecurityPlugin.java	83.01% <0.00%> (-0.55%)	⬇️
...earch/security/auditlog/impl/AbstractAuditLog.java	76.88% <40.00%> (+0.15%)	⬆️
... and 3 more

... and 6 files with indirect coverage changes

[derek-ho]

Changes in this file are to correct a mis-merge that happened in prior PRs to this feature branch.

[cwperks]

Curious, why use this approach w/ IndexOperationListener opposed to the same approach as the security index vs in-memory data-structures that back the security index?

i.e. With the security index, if I call the API to create a new user. The node that receives the request will fulfill the request and add the new user to the security index. After updating the security index, it will use an internal transport action (TransportConfigUpdateAction) to instruct all nodes of the cluster to re-read from the security index. On node bootstrap, each node of the cluster reads from the security index and populates their in-memory cache of the security index.

[cwperks]

Why add this to PrivilegesEvaluatorContext?

I think this should be handled similarly to the security configCache from ConfigurationRepository: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java

[cwperks]

Note that security uses a publish-subscribe model to notify consumers about changes to the security config. See BackendRegistry.onDynamicConfigModelChanged for an example of a subscriber.

[cwperks]

Use Jwts.builder() to construct jwts for testing: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L175-L193