Test related to authentication with x.509 certificates.

[lukasz-soszynski-eliatra]

Description

[Describe what this change achieves]

• Category (Integration tests)
• Why these changes are required?
• What is the old behavior before changes and new behavior after changes?

Issues Resolved

[List any issues this PR will resolve]

Integration tests related to user authentication with X.509 certificates.

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #2227 (88eca16) into main (25ea092) will decrease coverage by 0.01%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##               main    #2227      +/-   ##
============================================
- Coverage     61.04%   61.02%   -0.02%     
+ Complexity     3268     3267       -1     
============================================
  Files           259      259              
  Lines         18337    18336       -1     
  Branches       3248     3248              
============================================
- Hits          11193    11190       -3     
- Misses         5559     5561       +2     
  Partials       1585     1585              

Impacted Files	Coverage Δ
...ch/security/auditlog/routing/AsyncStoragePool.java	50.00% <0.00%> (-5.56%)	⬇️
...ecurity/ssl/rest/SecuritySSLReloadCertsAction.java	84.78% <0.00%> (-0.33%)	⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[DarshitChanpura]

LGTM!

[DarshitChanpura]

Bwc tests are broken on main. Tracking issue here: #2221

[cwperks]

Thank you @lukasz-soszynski-eliatra, this looks good to me. There may be an opportunity to test a scenario with multiple backend roles, but I think this adds some nice coverage!

[cwperks]

nit: Spock

[cwperks]

Interesting, I didn't know roles_attribute was possible with client cert authentication. I don't see documentation for this on the documentation website: https://opensearch.org/docs/latest/security-plugin/configuration/client-auth/

@cwillum, putting this on your radar to visit when client cert authentication is re-visited on the documentation website.

My understanding of Organizational Unit in LDAP is that it is conventionally used to model hierarchical structures of organizations. i.e. As a contributor the OpenSearch project concentrated on security, I may model a Distinguished name as:

L=NYC,CN=Craig,OU=OpenSearch,OU=Security,DC=opensearch,DC=org

Here it looks like we are using this as the list of backend roles and using that it is repeated as a convenience.