Add exclude_roles configuration parameter to LDAP authorization backend

[cwperks]

Description

Based on related PR: #3809

Adds a new config value for LDAP Authorization Backend called exclude_roles. This config value lets a cluster administrator configure a list of roles (globs are accepted too) to exclude from an external LDAP system to limit the backend roles fetched for a user to the most pertinent roles for OpenSearch.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Issues Resolved

• [BUG] unable to Hide unmapped backend roles #2189

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Attention: 11 lines in your changes are missing coverage. Please review.

Comparison is base (321604c) 65.60% compared to head (8141cd5) 65.84%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4025      +/-   ##
==========================================
+ Coverage   65.60%   65.84%   +0.23%     
==========================================
  Files         298      298              
  Lines       21247    21258      +11     
  Branches     3457     3464       +7     
==========================================
+ Hits        13940    13997      +57     
+ Misses       5585     5527      -58     
- Partials     1722     1734      +12     

Files	Coverage Δ
...ava/com/amazon/dlic/auth/ldap/util/LdapHelper.java	67.50% <ø> (ø)
...g/opensearch/security/support/WildcardMatcher.java	66.87% <83.33%> (+2.13%)	⬆️
...ic/auth/ldap/backend/LDAPAuthorizationBackend.java	62.71% <55.55%> (+0.21%)	⬆️
...zon/dlic/auth/ldap2/LDAPAuthorizationBackend2.java	47.98% <50.00%> (+16.75%)	⬆️

... and 2 files with indirect coverage changes

[DarshitChanpura]

The changes look good to me. Could you please look at the codecov-patch percentage drop ?

[cwperks]

Blocked by: #4026

[derek-ho]

LGTM

[DarshitChanpura]

LGTM! Thanks @cwperks !

[cwperks]

@DarshitChanpura Code cov drop is because the tests aren't currently looking for the debug log statements as Peter mentioned here. I will follow-up with tests that hit those lines.

[DarshitChanpura]

okay. @cwperks Are you planning to add those in follow-up PR or this one?

[cwperks]

@DarshitChanpura I will follow-up with the additional tests in another PR. The LogsRule is the best way to write tests that expect logging statements, but its not available outside the integrationTest package and the tests in this PR are not in the integrationTest package.