opensearch-project
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎RESOURCE_SHARING_AND_ACCESS_CONTROL.md‎
Lines changed: 10 additions & 7 deletions b/‎RESOURCE_SHARING_AND_ACCESS_CONTROL.md‎
Lines changed: 10 additions & 7 deletions
diff --git a/‎config/roles.yml‎
Lines changed: 1 addition & 0 deletions b/‎config/roles.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/TestUtils.java‎
Lines changed: 26 additions & 7 deletions b/‎sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/TestUtils.java‎
Lines changed: 26 additions & 7 deletions
diff --git a/‎sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/FeatureFlagSettingTests.java‎
Lines changed: 4 additions & 1 deletion b/‎sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/FeatureFlagSettingTests.java‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/ProtectedTypesSettingTests.java‎
Lines changed: 4 additions & 1 deletion b/‎sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/ProtectedTypesSettingTests.java‎
Lines changed: 4 additions & 1 deletion
@@ -19,6 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Get list of headersToCopy from core and use getHeader(String headerName) instead of getHeaders() ([#5769](https://github.com/opensearch-project/security/pull/5769))
 - [Resource Sharing] Keep track of resource_type on resource sharing document ([#5772](https://github.com/opensearch-project/security/pull/5772))
 - Add support for X509 v3 extensions (SAN) for authentication  ([#5701](https://github.com/opensearch-project/security/pull/5701))
+- [Resource Sharing] Requires default_owner for resource/migrate API ([#5789](https://github.com/opensearch-project/security/pull/5789))
 
 ### Bug Fixes
 - Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))
 
@@ -605,11 +605,12 @@ Read documents from a plugin’s index and migrate ownership and backend role-ba
 
 **Request Body**
 
-| Parameter              | Type   | Required | Description                                                                                                                                          |
-|------------------------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `source_index`         | string | yes      | Name of the plugin index containing the existing resource documents                                                                                  |
-| `username_path`        | string | yes      | JSON Pointer to the username field inside each document                                                                                              |
-| `backend_roles_path`   | string | yes      | JSON Pointer to the backend_roles field (must point to a JSON array)                                                                                 |
+| Parameter              | Type   | Required | Description                                                                                                                                         |
+|------------------------|--------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| `source_index`         | string | yes      | Name of the plugin index containing the existing resource documents                                                                                 |
+| `username_path`        | string | yes      | JSON Pointer to the username field inside each document                                                                                             |
+| `backend_roles_path`   | string | yes      | JSON Pointer to the backend_roles field (must point to a JSON array)                                                                                |
+| `default_owner`        | string | yes      | Name of the user to be used as owner for resource without owner information                                                                         |
 | `default_access_level` | object | yes      | Default access level to assign migrated backend_roles. Must be one from the available action-groups for this type. See `resource-action-groups.yml`. |
 
 **Example Request**
@@ -620,6 +621,7 @@ Read documents from a plugin’s index and migrate ownership and backend role-ba
   "source_index": ".sample_resource",
   "username_path": "/owner",
   "backend_roles_path": "/backend_roles",
+  "default_owner": "some_user",
   "default_access_level": {
     "sample-resource": "read_only",
     "sample-resource-group": "read-only-group"
@@ -631,8 +633,9 @@ Read documents from a plugin’s index and migrate ownership and backend role-ba
 
 ```json
 {
-  "summary": "Migration complete. migrated 10; skippedNoUser 2; failed 1",
-  "skippedResources": ["doc-17", "doc-22"]
+  "summary": "Migration complete. migrated 10; skippedNoType 1; skippedExisting 0; failed 1",
+  "resourcesWithDefaultOwner": ["doc-17"],
+  "skippedResources": ["doc-22"]
 }
 ```
 
 
@@ -18,6 +18,7 @@ security_rest_api_full_access:
     - 'restapi:admin/config/update'
     - 'restapi:admin/internalusers'
     - 'restapi:admin/nodesdn'
+    - 'restapi:admin/resource_sharing/migrate'
     - 'restapi:admin/roles'
     - 'restapi:admin/rolesmapping'
     - 'restapi:admin/ssl/certs/info'
 
@@ -158,11 +158,12 @@ public static String migrationPayload_valid() {
               "source_index": "%s",
               "username_path": "%s",
               "backend_roles_path": "%s",
+              "default_owner": "%s",
               "default_access_level": {
                 "sample-resource": "%s"
               }
             }
-            """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "sample_read_only");
+            """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "some_user", "sample_read_only");
     }
 
     public static String migrationPayload_valid_withSpecifiedAccessLevel(String accessLevel) {
@@ -171,57 +172,75 @@ public static String migrationPayload_valid_withSpecifiedAccessLevel(String acce
              "source_index": "%s",
              "username_path": "%s",
              "backend_roles_path": "%s",
+             "default_owner": "%s",
              "default_access_level": {
                  "sample-resource": "%s"
               }
             }
-             """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", accessLevel);
+             """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "some_user", accessLevel);
     }
 
     public static String migrationPayload_missingSourceIndex() {
         return """
             {
             "username_path": "%s",
             "backend_roles_path": "%s",
+            "default_owner": "%s",
             "default_access_level": {
               "sample-resource": "%s"
              }
             }
-            """.formatted("user/name", "user/backend_roles", "sample_read_only");
+            """.formatted("user/name", "user/backend_roles", "some_user", "sample_read_only");
     }
 
     public static String migrationPayload_missingUserName() {
         return """
             {
             "source_index": "%s",
             "backend_roles_path": "%s",
+            "default_owner": "%s",
             "default_access_level": {
               "sample-resource": "%s"
              }
             }
-            """.formatted(RESOURCE_INDEX_NAME, "user/backend_roles", "sample_read_only");
+            """.formatted(RESOURCE_INDEX_NAME, "user/backend_roles", "some_user", "sample_read_only");
     }
 
     public static String migrationPayload_missingBackendRoles() {
         return """
             {
             "source_index": "%s",
             "username_path": "%s",
+            "default_owner": "%s",
             "default_access_level": {
               "sample-resource": "%s"
              }
             }
-            """.formatted(RESOURCE_INDEX_NAME, "user/name", "sample_read_only");
+            """.formatted(RESOURCE_INDEX_NAME, "user/name", "some_user", "sample_read_only");
     }
 
     public static String migrationPayload_missingDefaultAccessLevel() {
         return """
             {
             "source_index": "%s",
             "username_path": "%s",
-            "backend_roles_path": "%s"
+            "backend_roles_path": "%s",
+            "default_owner": "%s"
+            }
+            """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "some_user");
+    }
+
+    public static String migrationPayload_missingDefaultOwner() {
+        return """
+            {
+              "source_index": "%s",
+              "username_path": "%s",
+              "backend_roles_path": "%s",
+              "default_access_level": {
+                "sample-resource": "%s"
+              }
             }
-            """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles");
+            """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "sample_read_only");
     }
 
     public static String putSharingInfoPayload(
 
@@ -256,7 +256,10 @@ public void testBehaviorAfterEnabling() throws Exception {
         try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
             TestRestClient.HttpResponse migrateResponse = client.postJson(RESOURCE_SHARING_MIGRATION_ENDPOINT, migrationPayload_valid());
             migrateResponse.assertStatusCode(HttpStatus.SC_OK);
-            assertThat(migrateResponse.bodyAsMap().get("summary"), equalTo("Migration complete. migrated 1; skippedNoUser 0; failed 0"));
+            assertThat(
+                migrateResponse.bodyAsMap().get("summary"),
+                equalTo("Migration complete. migrated 1; skippedNoType 0; skippedExisting 0; failed 0")
+            );
         }
 
         // “Enabled” expectations:
 
@@ -258,7 +258,10 @@ public void testResourceProtected() throws Exception {
         try (TestRestClient client = cluster.getRestClient(cluster.getAdminCertificate())) {
             TestRestClient.HttpResponse migrateResponse = client.postJson(RESOURCE_SHARING_MIGRATION_ENDPOINT, migrationPayload_valid());
             migrateResponse.assertStatusCode(HttpStatus.SC_OK);
-            assertThat(migrateResponse.bodyAsMap().get("summary"), equalTo("Migration complete. migrated 1; skippedNoUser 0; failed 0"));
+            assertThat(
+                migrateResponse.bodyAsMap().get("summary"),
+                equalTo("Migration complete. migrated 1; skippedNoType 0; skippedExisting 0; failed 0")
+            );
         }
 
         // Marked as protected type; expectations:
Original file line number	Diff line number	Diff line change
`@@ -158,11 +158,12 @@ public static String migrationPayload_valid() {`
`158`	`158`	`"source_index": "%s",`
`159`	`159`	`"username_path": "%s",`
`160`	`160`	`"backend_roles_path": "%s",`
	`161`	`+ "default_owner": "%s",`
`161`	`162`	`"default_access_level": {`
`162`	`163`	`"sample-resource": "%s"`
`163`	`164`	`}`
`164`	`165`	`}`
`165`		`- """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "sample_read_only");`
	`166`	`+ """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "some_user", "sample_read_only");`
`166`	`167`	`}`
`167`	`168`
`168`	`169`	`public static String migrationPayload_valid_withSpecifiedAccessLevel(String accessLevel) {`
`@@ -171,57 +172,75 @@ public static String migrationPayload_valid_withSpecifiedAccessLevel(String acce`
`171`	`172`	`"source_index": "%s",`
`172`	`173`	`"username_path": "%s",`
`173`	`174`	`"backend_roles_path": "%s",`
	`175`	`+ "default_owner": "%s",`
`174`	`176`	`"default_access_level": {`
`175`	`177`	`"sample-resource": "%s"`
`176`	`178`	`}`
`177`	`179`	`}`
`178`		`- """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", accessLevel);`
	`180`	`+ """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "some_user", accessLevel);`
`179`	`181`	`}`
`180`	`182`
`181`	`183`	`public static String migrationPayload_missingSourceIndex() {`
`182`	`184`	`return """`
`183`	`185`	`{`
`184`	`186`	`"username_path": "%s",`
`185`	`187`	`"backend_roles_path": "%s",`
	`188`	`+ "default_owner": "%s",`
`186`	`189`	`"default_access_level": {`
`187`	`190`	`"sample-resource": "%s"`
`188`	`191`	`}`
`189`	`192`	`}`
`190`		`- """.formatted("user/name", "user/backend_roles", "sample_read_only");`
	`193`	`+ """.formatted("user/name", "user/backend_roles", "some_user", "sample_read_only");`
`191`	`194`	`}`
`192`	`195`
`193`	`196`	`public static String migrationPayload_missingUserName() {`
`194`	`197`	`return """`
`195`	`198`	`{`
`196`	`199`	`"source_index": "%s",`
`197`	`200`	`"backend_roles_path": "%s",`
	`201`	`+ "default_owner": "%s",`
`198`	`202`	`"default_access_level": {`
`199`	`203`	`"sample-resource": "%s"`
`200`	`204`	`}`
`201`	`205`	`}`
`202`		`- """.formatted(RESOURCE_INDEX_NAME, "user/backend_roles", "sample_read_only");`
	`206`	`+ """.formatted(RESOURCE_INDEX_NAME, "user/backend_roles", "some_user", "sample_read_only");`
`203`	`207`	`}`
`204`	`208`
`205`	`209`	`public static String migrationPayload_missingBackendRoles() {`
`206`	`210`	`return """`
`207`	`211`	`{`
`208`	`212`	`"source_index": "%s",`
`209`	`213`	`"username_path": "%s",`
	`214`	`+ "default_owner": "%s",`
`210`	`215`	`"default_access_level": {`
`211`	`216`	`"sample-resource": "%s"`
`212`	`217`	`}`
`213`	`218`	`}`
`214`		`- """.formatted(RESOURCE_INDEX_NAME, "user/name", "sample_read_only");`
	`219`	`+ """.formatted(RESOURCE_INDEX_NAME, "user/name", "some_user", "sample_read_only");`
`215`	`220`	`}`
`216`	`221`
`217`	`222`	`public static String migrationPayload_missingDefaultAccessLevel() {`
`218`	`223`	`return """`
`219`	`224`	`{`
`220`	`225`	`"source_index": "%s",`
`221`	`226`	`"username_path": "%s",`
`222`		`- "backend_roles_path": "%s"`
	`227`	`+ "backend_roles_path": "%s",`
	`228`	`+ "default_owner": "%s"`
	`229`	`+ }`
	`230`	`+ """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "some_user");`
	`231`	`+ }`
	`232`	`+`
	`233`	`+ public static String migrationPayload_missingDefaultOwner() {`
	`234`	`+ return """`
	`235`	`+ {`
	`236`	`+ "source_index": "%s",`
	`237`	`+ "username_path": "%s",`
	`238`	`+ "backend_roles_path": "%s",`
	`239`	`+ "default_access_level": {`
	`240`	`+ "sample-resource": "%s"`
	`241`	`+ }`
`223`	`242`	`}`
`224`		`- """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles");`
	`243`	`+ """.formatted(RESOURCE_INDEX_NAME, "user/name", "user/backend_roles", "sample_read_only");`
`225`	`244`	`}`
`226`	`245`
`227`	`246`	`public static String putSharingInfoPayload(`