Introduce new dynamic setting (plugins.security.dls.write_blocked) to block all writes when restrictions apply

[cwperks]

Description

This PR adds a new dynamic cluster setting (plugins.security.dls.write_blocked) to block all write operations against indices where restrictions apply for the calling user. When set to true all write operations (IndexRequest, UpdateRequest, DeleteRequest) are blocked. When set to false (the default value) only UpdateRequest is block whereas other write operations are permitted.

Currently, the documentation website has a blurb on dls and write permissions that instructs cluster administrators about this behavior, but this behavior has caused confusion. This PR aims to introduce a cluster setting to prevent cluster admins from shooting themselves in the foot.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.68%. Comparing base (cc1d27f) to head (6ffa252).

Files with missing lines	Patch %	Lines
...search/security/configuration/DlsFlsValveImpl.java	60.00%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5828      +/-   ##
==========================================
+ Coverage   73.66%   73.68%   +0.02%     
==========================================
  Files         438      438              
  Lines       26642    26653      +11     
  Branches     3937     3939       +2     
==========================================
+ Hits        19626    19640      +14     
+ Misses       5146     5138       -8     
- Partials     1870     1875       +5     

Files with missing lines	Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java	85.39% <100.00%> (+0.01%)	⬆️
...g/opensearch/security/support/ConfigConstants.java	77.27% <ø> (ø)
.../opensearch/security/support/SecuritySettings.java	83.33% <100.00%> (+3.33%)	⬆️
...search/security/configuration/DlsFlsValveImpl.java	66.36% <60.00%> (+1.58%)	⬆️

... and 9 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[DarshitChanpura]

changes mostly look good to me. Left couple of comments.

I see commits around CHANGELOG entry but don't see the CHANGELOG file modified. We should add an entry for this feature.

[DarshitChanpura]

this message should change to "...when write block is active". thoughts?

[cwperks]

I agree that the message is bad, but I think it can be reworded differently. Maybe, <WriteRequest> is not support when index has FLS, DLS or FieldMasking Restrictions?

[DarshitChanpura]

why change it to adminClient?

[cwperks]

Bc the test user has restrictions on the index. Its better to use admin client here which has no restrictions.

This block is for seeding test data for bwc tests and if we made the default for this new setting true then the calls here would fail since the test user has restrictions.

[cwperks]

I see commits around CHANGELOG entry but don't see the CHANGELOG file modified. We should add an entry for this feature.

I was planning to push it after the CHANGELOG is cleared for 3.5 since I think this will miss the 3.4 release train.