@DarshitChanpura DarshitChanpura commented Aug 28, 2025

Description

Adds support for dashboard page to manage resource access. Enables plugins to supply static per-resource action-groups through yml config.

  • Category : Enhancement

Issues Resolved

Testing

Automated + manual

  • APIs added:

1. GET /_plugins/_security/api/resource/types

Description:
Retrieves the current sharing configuration for a given resource.

Example Request:

GET /_plugins/_security/api/resource/types

Response:

{
  "types": [
    {
      "type": "org.opensearch.sample.SampleResource",
      "index": ".sample_resource",
      "action_groups": ["sample_read_only", "sample_read_write", "sample_full_access"]
    }
  ]
}

NOTE: action_groups are fetched from resource-action-groups.yml supplied by resource plugin.

2. GET /_plugins/_security/api/resource/list?resource_type=<resource-index-name>

Description:
Retrieves sharing information for all records accessible to the requesting user for the given resource_index.

Example Request:
as user darshit

GET /_plugins/_security/api/resource/list?resource_type=.sample_resource

Response:

{
  "resources": [
    {
      "resource_id": "1",
      "created_by":  {
        "user": "darshit",
        "tenant": "some-tenant"
      },
      "share_with": {
        "sample_read_only": {
          "users": ["craig"]
        }
      },
      "can_share": true
    }
  ]
}

NOTE:

  • share_with may not be present if the resource has not been shared yet.
  • If the same request is made as user craig, the can_share value for resource_id 1 will be false since craig does not have share permission.

Check List

  • New functionality includes testing
  • New functionality has been documented
    - [ ] New Roles/Permissions have a corresponding security dashboards plugin PR
    - [ ] API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
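
Added example (not part of the PR or the plugin's code): one way a dashboard client could combine the two responses above into table rows, tolerating a missing share_with and gating the share control on can_share. The helper name buildAccessRows and the second sample resource are assumptions made for illustration.

```javascript
// Added example; payloads are constructed from the responses in the PR description.
const typesResponse = { types: [{
  type: "org.opensearch.sample.SampleResource",
  index: ".sample_resource",
  action_groups: ["sample_read_only", "sample_read_write", "sample_full_access"],
}] };

const listResponse = { resources: [
  { resource_id: "1",
    created_by: { user: "darshit", tenant: "some-tenant" },
    share_with: { sample_read_only: { users: ["craig"] } },
    can_share: true },
  // Constructed: a resource that has not been shared yet, so share_with is absent.
  { resource_id: "2", created_by: { user: "darshit", tenant: "some-tenant" }, can_share: false },
] };

// buildAccessRows is a hypothetical helper, not part of the security plugin.
function buildAccessRows(typesResp, listResp, resourceIndex) {
  const typeInfo = (typesResp.types || []).find((t) => t.index === resourceIndex);
  if (!typeInfo) throw new Error(`unknown resource index: ${resourceIndex}`);
  const declared = new Set(typeInfo.action_groups || []);

  return (listResp.resources || []).map((r) => {
    const grants = [];
    const unknownGroups = [];
    for (const [group, recipients] of Object.entries(r.share_with || {})) {
      if (!declared.has(group)) {
        unknownGroups.push(group); // not declared for this type: report, do not render
        continue;
      }
      // Recipient kinds are taken as they come; the page only shows "users".
      for (const [kind, names] of Object.entries(recipients || {})) {
        for (const name of names || []) grants.push({ group, kind, name });
      }
    }
    return {
      id: r.resource_id,
      owner: r.created_by ? r.created_by.user : null,
      grants,
      unknownGroups,
      showShareButton: r.can_share === true, // a missing or non-boolean flag hides the button
    };
  });
}

const rows = buildAccessRows(typesResponse, listResponse, ".sample_resource");
console.log(JSON.stringify(rows, null, 2));
```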

…e-sharing feature is enabled or disabled

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
…index

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
… also updates tests

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
… of sharing button on front-end

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura force-pushed the frontend-support-resource-sharing branch from abee804 to b0a98e8 Compare September 4, 2025 03:06

codecov bot commented Sep 4, 2025

Codecov Report

❌ Patch coverage is 74.14966% with 114 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.91%. Comparing base (dfa83f1) to head (ee8d6b3).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
...ecurity/resources/ResourceSharingIndexHandler.java 71.01% 29 Missing and 11 partials ⚠️
...security/resources/ResourceActionGroupsHelper.java 56.09% 11 Missing and 7 partials ⚠️
...tions/transport/CreateResourceTransportAction.java 71.11% 10 Missing and 3 partials ⚠️
...arch/security/resources/ResourceAccessHandler.java 72.22% 7 Missing and 3 partials ⚠️
...nsearch/security/resources/ResourcePluginInfo.java 79.06% 4 Missing and 5 partials ⚠️
...ources/api/list/AccessibleResourcesRestAction.java 75.75% 8 Missing ⚠️
...ty/resources/api/list/ResourceTypesRestAction.java 69.23% 8 Missing ⚠️
...arch/security/spi/resources/sharing/ShareWith.java 81.48% 0 Missing and 5 partials ⚠️
...ain/java/org/opensearch/sample/SampleResource.java 70.00% 3 Missing ⚠️
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5597      +/-   ##
==========================================
- Coverage   73.05%   72.91%   -0.15%     
==========================================
  Files         408      413       +5     
  Lines       25396    25750     +354     
  Branches     3865     3917      +52     
==========================================
+ Hits        18553    18775     +222     
- Misses       4961     5061     +100     
- Partials     1882     1914      +32     
Files with missing lines Coverage Δ
...org/opensearch/sample/SampleResourceExtension.java 100.00% <100.00%> (ø)
...in/java/org/opensearch/sample/utils/Constants.java 0.00% <ø> (ø)
.../opensearch/security/OpenSearchSecurityPlugin.java 85.23% <100.00%> (+0.09%) ⬆️
...search/security/configuration/DlsFlsValveImpl.java 64.55% <100.00%> (-0.78%) ⬇️
...org/opensearch/security/filter/SecurityFilter.java 66.93% <100.00%> (ø)
...ecurity/resources/ResourceAccessControlClient.java 63.63% <ø> (-18.19%) ⬇️
...arch/security/resources/ResourceIndexListener.java 93.93% <100.00%> (ø)
...ch/security/resources/ResourceSharingDlsUtils.java 73.91% <100.00%> (ø)
...g/opensearch/security/resources/SharingRecord.java 100.00% <100.00%> (ø)
...rch/security/resources/api/share/ShareRequest.java 68.00% <100.00%> (+2.66%) ⬆️
... and 11 more

... and 8 files with indirect coverage changes


@DarshitChanpura DarshitChanpura added the resource-permissions Label to track all items related to resource permissions label Sep 4, 2025
@DarshitChanpura DarshitChanpura force-pushed the frontend-support-resource-sharing branch from 7676773 to 0a53e3d Compare September 5, 2025 16:51

cwperks commented Sep 5, 2025

@DarshitChanpura can you add new API Request and Response examples to the PR description?

@cwperks cwperks added the v3.3.0 Issues targeting release v3.3.0 label Sep 22, 2025
…on-groups yml and cleans up canUserShare logic

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

cwperks commented Sep 24, 2025

Suite: Test class org.opensearch.security.resources.ResourceAccessHandlerTest
  2> 2025-09-24T17:10:39.515916752Z Test worker INFO Starting configuration org.apache.logging.log4j.core.config.properties.PropertiesConfiguration@68b3979d...
  2> 2025-09-24T17:10:39.522712918Z Test worker INFO Configuration org.apache.logging.log4j.core.config.properties.PropertiesConfiguration@68b3979d started.
  2> 2025-09-24T17:10:39.525789256Z Test worker INFO Stopping configuration org.apache.logging.log4j.core.config.DefaultConfiguration@d180961...
  2> 2025-09-24T17:10:39.526423537Z Test worker INFO Configuration org.apache.logging.log4j.core.config.DefaultConfiguration@d180961 stopped.
  2> java.lang.ArrayIndexOutOfBoundsException: Index 3 out of bounds for length 3
        at org.mockito.internal.invocation.InterceptedInvocation.getArgument(InterceptedInvocation.java:124)
        at org.opensearch.security.resources.ResourceAccessHandlerTest.lambda$testGetOwnAndSharedResources_asNormalUser$5(ResourceAccessHandlerTest.java:248)
        at org.mockito.internal.stubbing.StubbedInvocationMatcher.answer(StubbedInvocationMatcher.java:42)
        at org.mockito.internal.handler.MockHandlerImpl.handle(MockHandlerImpl.java:103)
        at org.mockito.internal.handler.NullResultGuardian.handle(NullResultGuardian.java:29)
        at org.mockito.internal.handler.InvocationNotifierHandler.handle(InvocationNotifierHandler.java:34)
        at org.mockito.internal.creation.bytebuddy.access.MockMethodInterceptor.doIntercept(MockMethodInterceptor.java:84)
        at org.mockito.internal.creation.bytebuddy.access.MockMethodInterceptor.doIntercept(MockMethodInterceptor.java:58)
        at org.mockito.internal.creation.bytebuddy.access.MockMethodInterceptor$DispatcherDefaultingToRealMethod.interceptSuperCallable(MockMethodInterceptor.java:147)
        at org.opensearch.security.resources.ResourceSharingIndexHandler$MockitoMock$ij6xPk31.fetchAccessibleResourceIds(Unknown Source)
        at org.opensearch.security.resources.ResourceAccessHandler.getOwnAndSharedResourceIdsForCurrentUser(ResourceAccessHandler.java:99)
        at org.opensearch.security.resources.ResourceAccessHandlerTest.testGetOwnAndSharedResources_asNormalUser(ResourceAccessHandlerTest.java:253)

…dex and updates documentations

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
cwperks previously approved these changes Sep 24, 2025

@cwperks cwperks left a comment

All my comments have been addressed. Thank you @DarshitChanpura!

…handle mapping update

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura force-pushed the frontend-support-resource-sharing branch from 25ea921 to 2f67462 Compare September 24, 2025 20:57
…ation

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
RyanL1997 previously approved these changes Sep 24, 2025
@cwperks cwperks merged commit f944fb4 into opensearch-project:main Sep 25, 2025
71 of 72 checks passed
Development

Successfully merging this pull request may close these issues.

[FEATURE] Consume action-groups registered by resource plugins [FEATURE] Add APIs to support resource access management dashboard
