Open krishna-ggk opened 2 months ago
[Triage] Removing the untriaged label. I like the idea in general and I'd like to see some more concrete examples of what the configuration could look like using Cedar, Opa or Opal. Thank you for filing this issue @krishna-ggk!
Great idea, also looks like a natural extension of the security plugin to suit newer and dynamic authorization mechanisms along with the existing ones. How does this fit with the existing work on Resource Based permissions - https://github.com/opensearch-project/security/issues/4500?
(This is early ideation to invite some early thinking/feedback - will evolve this into detailed RFC).
Problem Statement
Today, security plugin authorization is primarily modeled around transport actions. In addition to transport actions, plugins can directly access shards and cluster state via listeners and other ways, which can be misleading. To achieve a zero-trust security posture, all access to data and metadata needs to be encapsulated with authorization enforced.
Further, the authorization rules today are very specific to OpenSearch. There is an opportunity to adopt more open standard models such as OPA or Cedar, which offer richer constructs, and some of which ensure correctness through formal verification; these are potentially good foundations to evolve support on.
Proposal
In the current architecture, the authorization abstraction is implemented in PrivilegesEvaluator, invoked through SecurityFilter. The thought is: can we extract this into a pluggable interface (EvaluationBackend) accepting resource, identity principals, and context? The implementations can invoke the respective libraries to evaluate permissions as per the configured policy.
Enforcement is an open and complex item, though, and will require enumerating all access possibilities.
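The following is an added sketch of what the proposed pluggable interface could look like; it is illustrative code written for this discussion, not code from the OpenSearch security plugin or from the issue author. The type names (`EvaluationBackend`, `AuthzRequest`, `Principals`, `Resource`, `StaticRuleBackend`, `Enforcer`), the rule format and the sample action strings are assumptions. The toy backend stands in for a Cedar or OPA adapter and fails closed (deny) whenever no rule matches; the `Enforcer` plays the role of a single choke point, in the spirit of SecurityFilter, that direct shard or cluster-state reads would also have to go through.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch of the proposed EvaluationBackend; not OpenSearch code.
public final class EvaluationBackendSketch {

    /** Who is asking: principals derived from the authenticated identity. */
    public record Principals(String user, Set<String> backendRoles) {}

    /** What is being touched: a resource kind (index, cluster, ...) and its name. */
    public record Resource(String kind, String name) {}

    /** Input to the backend: principals, the action, the resource, and free-form context. */
    public record AuthzRequest(Principals principals, String action, Resource resource, Map<String, Object> context) {}

    public enum Decision { ALLOW, DENY }

    /** Pluggable interface: implementations delegate to Cedar, OPA, or a built-in evaluator. */
    public interface EvaluationBackend {
        Decision evaluate(AuthzRequest request);
    }

    /** Toy backend: in-memory rules of (role, action prefix, resource kind, resource pattern). */
    public static final class StaticRuleBackend implements EvaluationBackend {
        public record Rule(String role, String actionPrefix, String resourceKind, String resourcePattern) {}

        private final List<Rule> rules;

        public StaticRuleBackend(List<Rule> rules) { this.rules = List.copyOf(rules); }

        @Override
        public Decision evaluate(AuthzRequest r) {
            for (Rule rule : rules) {
                if (!r.principals().backendRoles().contains(rule.role())) continue;
                if (!r.action().startsWith(rule.actionPrefix())) continue;
                if (!r.resource().kind().equals(rule.resourceKind())) continue;
                if (!matches(rule.resourcePattern(), r.resource().name())) continue;
                return Decision.ALLOW;
            }
            return Decision.DENY; // nothing matched: fail closed
        }

        // Only a trailing '*' wildcard is supported in this sketch.
        private static boolean matches(String pattern, String name) {
            if (pattern.endsWith("*")) {
                return name.startsWith(pattern.substring(0, pattern.length() - 1));
            }
            return pattern.equals(name);
        }
    }

    /** Single enforcement point: every data and metadata access must pass through here. */
    public static final class Enforcer {
        private final EvaluationBackend backend;

        public Enforcer(EvaluationBackend backend) { this.backend = backend; }

        public void check(AuthzRequest request) {
            if (backend.evaluate(request) != Decision.ALLOW) {
                throw new SecurityException("denied: " + request.principals().user()
                        + " -> " + request.action() + " on " + request.resource());
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample policy: role logs-reader may run read actions on indices named logs-*.
        EvaluationBackend backend = new StaticRuleBackend(List.of(
                new StaticRuleBackend.Rule("logs-reader", "indices:data/read/", "index", "logs-*")));
        Enforcer enforcer = new Enforcer(backend);
        Principals alice = new Principals("alice", Set.of("logs-reader"));

        enforcer.check(new AuthzRequest(alice, "indices:data/read/search", new Resource("index", "logs-2024"), Map.of()));
        System.out.println("search on logs-2024: allowed");

        try { // a write on the same index has no matching rule
            enforcer.check(new AuthzRequest(alice, "indices:data/write/index", new Resource("index", "logs-2024"), Map.of()));
        } catch (SecurityException e) { System.out.println(e.getMessage()); }

        try { // a cluster-state read that previously might have bypassed SecurityFilter is now evaluated too
            enforcer.check(new AuthzRequest(alice, "cluster:monitor/state", new Resource("cluster", "_state"), Map.of()));
        } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The point of the shape is that the interface carries no OpenSearch-specific rule syntax: a Cedar or OPA adapter only has to map `AuthzRequest` onto that engine's principal/action/resource/context model and translate its answer into a `Decision`, while the deny-by-default in the backend and the single `Enforcer` choke point are what make the zero-trust claim hold regardless of which engine is plugged in.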