[Resource Sharing] Keep track of tenant for sharable resources by persisting user requested tenant with sharing info (#5588)

Signed-off-by: Craig Perkins <[email protected]>

Author: cwperks

CHANGELOG.md

@@ -9,6 +9,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Enhancements
 
+- [Resource Sharing] Keep track of tenant for sharable resources by persisting user requested tenant with sharing info ([#5588](https://github.com/opensearch-project/security/pull/5588))
+
 ### Bug Fixes
 
 * Added new option skip_users to client cert authenticator  (clientcert_auth_domain.http_authenticator.config.skip_users in config.yml)([#4378](https://github.com/opensearch-project/security/pull/5525))

sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/TestUtils.java

@@ -15,6 +15,7 @@
 import java.util.List;
 import java.util.Map;
 
+import org.apache.hc.core5.http.Header;
 import org.apache.http.HttpStatus;
 import org.awaitility.Awaitility;
 
@@ -325,10 +326,10 @@ public void wipeOutResourceEntries() {
         }
 
         // Helper to create a sample resource and return its ID
-        public String createSampleResourceAs(TestSecurityConfig.User user) {
+        public String createSampleResourceAs(TestSecurityConfig.User user, Header... headers) {
             try (TestRestClient client = cluster.getRestClient(user)) {
                 String sample = "{\"name\":\"sample\"}";
-                TestRestClient.HttpResponse resp = client.putJson(SAMPLE_RESOURCE_CREATE_ENDPOINT, sample);
+                TestRestClient.HttpResponse resp = client.putJson(SAMPLE_RESOURCE_CREATE_ENDPOINT, sample, headers);
                 resp.assertStatusCode(HttpStatus.SC_OK);
                 return resp.getTextFromJsonBody("/message").split(":")[1].trim();
             }

sample-resource-plugin/src/integrationTest/java/org/opensearch/sample/resource/feature/enabled/ResourceSharingMultiTenancyTests.java

@@ -0,0 +1,64 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.sample.resource.feature.enabled;
+
+import com.carrotsearch.randomizedtesting.RandomizedRunner;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.hc.core5.http.message.BasicHeader;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.sample.resource.TestUtils;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsString;
+import static org.opensearch.sample.resource.TestUtils.newCluster;
+import static org.opensearch.sample.utils.Constants.RESOURCE_INDEX_NAME;
+import static org.opensearch.test.framework.TestSecurityConfig.User.USER_ADMIN;
+
+/**
+ * Test resource access when shared with full-access (sampleAllAG action-group).
+ * All tests are against USER_ADMIN's resource created during setup.
+ */
+@RunWith(RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class ResourceSharingMultiTenancyTests {
+
+    @ClassRule
+    public static LocalCluster cluster = newCluster(true, true);
+
+    private final TestUtils.ApiHelper api = new TestUtils.ApiHelper(cluster);
+    private String resourceId;
+
+    @Before
+    public void setup() {
+        resourceId = api.createSampleResourceAs(USER_ADMIN, new BasicHeader("securitytenant", "customtenant"));
+        api.awaitSharingEntry(); // wait until sharing entry is created
+    }
+
+    @After
+    public void cleanup() {
+        api.wipeOutResourceEntries();
+    }
+
+    @Test
+    public void testCreateResourceWithMultiTenancyEnabled() {
+        try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
+            TestRestClient.HttpResponse sharingInfoResponse = client.get(
+                "_plugins/_security/api/resource/share?resource_id=" + resourceId + "&resource_type=" + RESOURCE_INDEX_NAME
+            );
+            assertThat(sharingInfoResponse.getBody(), containsString("\"created_by\":{\"user\":\"admin\",\"tenant\":\"customtenant\"}"));
+        }
+    }
+}

spi/src/main/java/org/opensearch/security/spi/resources/sharing/CreatedBy.java

@@ -17,6 +17,9 @@
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
 
+import static org.opensearch.core.xcontent.XContentParser.Token.VALUE_NULL;
+import static org.opensearch.core.xcontent.XContentParser.Token.VALUE_STRING;
+
 /**
  * This class is used to store information about the creator of a resource.
  *
@@ -25,22 +28,41 @@
 public class CreatedBy implements ToXContentFragment, NamedWriteable {
 
     private final String username;
+    private final String tenant; // capture tenant if multi-tenancy is enabled
 
     public CreatedBy(String username) {
         this.username = username;
+        this.tenant = null;
+    }
+
+    public CreatedBy(String username, String tenant) {
+        this.username = username;
+        this.tenant = tenant;
     }
 
     public CreatedBy(StreamInput in) throws IOException {
         this.username = in.readString();
+        this.tenant = in.readOptionalString();
     }
 
     public String getUsername() {
         return username;
     }
 
+    public String getTenant() {
+        return tenant;
+    }
+
     @Override
     public String toString() {
-        return "CreatedBy {user='" + this.username + '\'' + '}';
+        if (tenant != null) {
+            return """
+                CreatedBy {user='%s', tenant='%s'}
+                """.formatted(username, tenant).trim();
+        }
+        return """
+            CreatedBy {user='%s'}
+            """.formatted(username).trim();
     }
 
     @Override
@@ -51,31 +73,49 @@ public String getWriteableName() {
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(username);
+        out.writeOptionalString(tenant);
     }
 
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        if (tenant != null) {
+            return builder.startObject().field("user", username).field("tenant", tenant).endObject();
+        }
         return builder.startObject().field("user", username).endObject();
     }
 
     public static CreatedBy fromXContent(XContentParser parser) throws IOException {
         String username = null;
-        XContentParser.Token token;
-
-        while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT) {
-            if (token == XContentParser.Token.FIELD_NAME) {
-                if (!"user".equals(parser.currentName())) {
-                    throw new IllegalArgumentException("created_by must only contain a single field with user");
+        String tenant = null;
+
+        while (parser.nextToken() != XContentParser.Token.END_OBJECT) {
+            if (parser.currentToken() == XContentParser.Token.FIELD_NAME) {
+                String fieldName = parser.currentName();
+                parser.nextToken();
+
+                switch (fieldName) {
+                    case "user":
+                        if (VALUE_STRING == parser.currentToken()) {
+                            username = parser.text();
+                        } else {
+                            throw new IllegalArgumentException("created_by cannot be empty");
+                        }
+                        break;
+
+                    case "tenant":
+                        tenant = (parser.currentToken() == VALUE_NULL) ? null : parser.text();
+                        break;
+
+                    default:
+                        throw new IllegalArgumentException("created_by contains unknown field: " + fieldName);
                 }
-            } else if (token == XContentParser.Token.VALUE_STRING) {
-                username = parser.text();
             }
         }
 
         if (username == null) {
             throw new IllegalArgumentException("created_by cannot be empty");
         }
 
-        return new CreatedBy(username);
+        return new CreatedBy(username, tenant);
     }
 }

spi/src/test/java/org/opensearch/security/spi/resources/CreatedByTests.java

@@ -46,17 +46,27 @@ public void testCreatedByConstructorWithValidUser() {
     }
 
     @Test
-    public void testCreatedByFromStreamInput() throws IOException {
+    public void testCreatedByConstructorWithValidUserAndTenant() {
         String expectedUser = "testUser";
+        String expectedTenant = "customTenant";
+        CreatedBy createdBy = new CreatedBy(expectedUser, expectedTenant);
+
+        MatcherAssert.assertThat(expectedUser, is(equalTo(createdBy.getUsername())));
+        MatcherAssert.assertThat(expectedTenant, is(equalTo(createdBy.getTenant())));
+    }
+
+    @Test
+    public void testCreatedByFromStreamInput() throws IOException {
+        CreatedBy expectedUser = new CreatedBy("testUser");
 
         try (BytesStreamOutput out = new BytesStreamOutput()) {
-            out.writeString(expectedUser);
+            expectedUser.writeTo(out);
 
             StreamInput in = out.bytes().streamInput();
 
             CreatedBy createdBy = new CreatedBy(in);
 
-            MatcherAssert.assertThat(expectedUser, is(equalTo(createdBy.getUsername())));
+            MatcherAssert.assertThat(expectedUser.getUsername(), is(equalTo(createdBy.getUsername())));
         }
     }
 

src/main/java/org/opensearch/security/resources/ResourceIndexListener.java

@@ -73,7 +73,14 @@ public void postIndex(ShardId shardId, Engine.Index index, Engine.IndexResult re
                     resourceIndex
                 );
             }, e -> { log.debug(e.getMessage()); });
-            this.resourceSharingIndexHandler.indexResourceSharing(resourceId, resourceIndex, new CreatedBy(user.getName()), null, listener);
+            // User.getRequestedTenant() is null if multi-tenancy is disabled
+            this.resourceSharingIndexHandler.indexResourceSharing(
+                resourceId,
+                resourceIndex,
+                new CreatedBy(user.getName(), user.getRequestedTenant()),
+                null,
+                listener
+            );
 
         } catch (IOException e) {
             log.debug("Failed to create a resource sharing entry for resource: {}", resourceId, e);