Add filter by backend roles setting

alerting/src/main/kotlin/org/opensearch/alerting/AlertingPlugin.kt

@@ -432,7 +432,8 @@ internal class AlertingPlugin : PainlessExtension, ActionPlugin, ScriptPlugin, R
             AlertingSettings.COMMENTS_MAX_CONTENT_SIZE,
             AlertingSettings.MAX_COMMENTS_PER_ALERT,
             AlertingSettings.MAX_COMMENTS_PER_NOTIFICATION,
-            AlertingSettings.NOTIFICATION_CONTEXT_RESULTS_ALLOWED_ROLES
+            AlertingSettings.NOTIFICATION_CONTEXT_RESULTS_ALLOWED_ROLES,
+            AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY
         )
     }
 

alerting/src/main/kotlin/org/opensearch/alerting/settings/AlertingSettings.kt

@@ -302,5 +302,13 @@ class AlertingSettings {
             Setting.Property.NodeScope,
             Setting.Property.Dynamic
         )
+
+        val FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY = Setting.simpleString(
+            "plugins.alerting.filter_by_backend_roles_access_strategy",
+            FilterByBackendRolesAccessStrategy.INTERSECT.strategy,
+            FilterByBackendRolesAccessStrategyValidator(),
+            Setting.Property.NodeScope,
+            Setting.Property.Dynamic
+        )
     }
 }

alerting/src/main/kotlin/org/opensearch/alerting/settings/FilterByBackendRolesAccessStrategy.kt

@@ -0,0 +1,26 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.alerting.settings
+
+/**
+ * Defines the FilterByBackendRolesAccessStrategy
+ */
+enum class FilterByBackendRolesAccessStrategy(val strategy: String) {
+    /**
+     * User backend roles must contain all resource backend roles to have access
+     */
+    ALL("all"),
+
+    /**
+     * Backend roles must be exactly equal to have access
+     */
+    EXACT("exact"),
+
+    /**
+     * Backend roles must intersect to have access
+     */
+    INTERSECT("intersect"),
+}

alerting/src/main/kotlin/org/opensearch/alerting/settings/FilterByBackendRolesAccessStrategyValidator.kt

@@ -0,0 +1,23 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.alerting.settings
+
+import org.opensearch.common.settings.Setting
+
+class FilterByBackendRolesAccessStrategyValidator : Setting.Validator<String> {
+    override fun validate(strategy: String) {
+        val allStrategies: List<String> = FilterByBackendRolesAccessStrategy.entries.map { it.strategy }
+
+        when (strategy) {
+            FilterByBackendRolesAccessStrategy.ALL.strategy,
+            FilterByBackendRolesAccessStrategy.EXACT.strategy,
+            FilterByBackendRolesAccessStrategy.INTERSECT.strategy -> {}
+            else -> throw IllegalArgumentException(
+                "Setting value must be one of [$allStrategies]"
+            )
+        }
+    }
+}

alerting/src/main/kotlin/org/opensearch/alerting/transport/SecureTransportAction.kt

@@ -8,6 +8,7 @@ package org.opensearch.alerting.transport
 import org.apache.logging.log4j.LogManager
 import org.opensearch.OpenSearchStatusException
 import org.opensearch.alerting.settings.AlertingSettings
+import org.opensearch.alerting.settings.FilterByBackendRolesAccessStrategy
 import org.opensearch.cluster.service.ClusterService
 import org.opensearch.commons.ConfigConstants
 import org.opensearch.commons.alerting.util.AlertingException
@@ -38,9 +39,13 @@ private val log = LogManager.getLogger(SecureTransportAction::class.java)
 interface SecureTransportAction {
 
     var filterByEnabled: Boolean
+    var filterByAccessStrategy: String
 
     fun listenFilterBySettingChange(clusterService: ClusterService) {
         clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.FILTER_BY_BACKEND_ROLES) { filterByEnabled = it }
+        clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY) {
+            filterByAccessStrategy = it
+        }
     }
 
     fun readUserFromThreadContext(client: Client): User? {
@@ -100,6 +105,21 @@ interface SecureTransportAction {
         return true
     }
 
+    fun doUserBackendRolesMatchResource(userBackendRoles: List<String>, resourceBackendRoles: List<String>): Boolean {
+        if (filterByAccessStrategy == FilterByBackendRolesAccessStrategy.ALL.strategy) {
+            return userBackendRoles.containsAll(resourceBackendRoles)
+        } else if (filterByAccessStrategy == FilterByBackendRolesAccessStrategy.INTERSECT.strategy) {
+            return resourceBackendRoles.any { it in userBackendRoles }
+        } else if (filterByAccessStrategy == FilterByBackendRolesAccessStrategy.EXACT.strategy) {
+            return resourceBackendRoles.sorted().equals(userBackendRoles.sorted())
+        }
+        // Not sure if this is necessary, since there is a validator
+        // on the setting itself
+        throw IllegalArgumentException(
+            "Invalid filter by access strategy: $filterByAccessStrategy"
+        )
+    }
+
     /**
      * If FilterBy is enabled, this function verifies that the requester user has FilterBy permissions to access
      * the resource. If FilterBy is disabled, we will assume the user has permissions and return true.
@@ -122,7 +142,7 @@ interface SecureTransportAction {
         if (
             resourceBackendRoles == null ||
             requesterBackendRoles == null ||
-            resourceBackendRoles.intersect(requesterBackendRoles).isEmpty()
+            !doUserBackendRolesMatchResource(requesterBackendRoles, resourceBackendRoles)
         ) {
             actionListener.onFailure(
                 AlertingException.wrap(

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportDeleteAlertingCommentAction.kt

@@ -60,6 +60,7 @@ class TransportDeleteAlertingCommentAction @Inject constructor(
 
     @Volatile private var alertingCommentsEnabled = AlertingSettings.ALERTING_COMMENTS_ENABLED.get(settings)
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.ALERTING_COMMENTS_ENABLED) {

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportDeleteMonitorAction.kt

@@ -56,6 +56,7 @@ class TransportDeleteMonitorAction @Inject constructor(
     SecureTransportAction {
 
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         listenFilterBySettingChange(clusterService)

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportDeleteWorkflowAction.kt

@@ -83,6 +83,7 @@ class TransportDeleteWorkflowAction @Inject constructor(
     private val log = LogManager.getLogger(javaClass)
 
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         listenFilterBySettingChange(clusterService)

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportDocLevelMonitorFanOutAction.kt

@@ -196,6 +196,7 @@ class TransportDocLevelMonitorFanOutAction
 
     @Volatile
     override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     override fun doExecute(
         task: Task,

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetAlertsAction.kt

@@ -73,6 +73,7 @@ class TransportGetAlertsAction @Inject constructor(
 
     @Volatile
     override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         listenFilterBySettingChange(clusterService)

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetDestinationsAction.kt

@@ -57,6 +57,7 @@ class TransportGetDestinationsAction @Inject constructor(
     SecureTransportAction {
 
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         listenFilterBySettingChange(clusterService)

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt

@@ -71,6 +71,7 @@ class TransportGetFindingsSearchAction @Inject constructor(
     SecureTransportAction {
 
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         listenFilterBySettingChange(clusterService)

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetMonitorAction.kt

@@ -69,6 +69,7 @@ class TransportGetMonitorAction @Inject constructor(
 
     @Volatile
     override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         listenFilterBySettingChange(clusterService)

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetRemoteIndexesAction.kt

@@ -61,6 +61,7 @@ class TransportGetRemoteIndexesAction @Inject constructor(
     SecureTransportAction {
 
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     @Volatile private var remoteMonitoringEnabled = CROSS_CLUSTER_MONITORING_ENABLED.get(settings)
 

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetWorkflowAction.kt

@@ -48,6 +48,7 @@ class TransportGetWorkflowAction @Inject constructor(
     private val log = LogManager.getLogger(javaClass)
 
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         listenFilterBySettingChange(clusterService)

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetWorkflowAlertsAction.kt

@@ -69,6 +69,9 @@ class TransportGetWorkflowAlertsAction @Inject constructor(
     @Volatile
     override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
 
+    @Volatile
+    override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
+
     @Volatile
     private var isAlertHistoryEnabled = AlertingSettings.ALERT_HISTORY_ENABLED.get(settings)
 

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexAlertingCommentAction.kt

@@ -86,6 +86,7 @@ constructor(
     @Volatile private var indexTimeout = INDEX_TIMEOUT.get(settings)
 
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         clusterService.clusterSettings.addSettingsUpdateConsumer(ALERTING_COMMENTS_ENABLED) { alertingCommentsEnabled = it }

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexMonitorAction.kt

@@ -111,6 +111,7 @@ class TransportIndexMonitorAction @Inject constructor(
     @Volatile private var maxActionThrottle = MAX_ACTION_THROTTLE_VALUE.get(settings)
     @Volatile private var allowList = ALLOW_LIST.get(settings)
     @Volatile override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
 
     init {
         clusterService.clusterSettings.addSettingsUpdateConsumer(ALERTING_MAX_MONITORS) { maxMonitors = it }

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexWorkflowAction.kt

@@ -119,6 +119,9 @@ class TransportIndexWorkflowAction @Inject constructor(
     @Volatile
     override var filterByEnabled = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
 
+    @Volatile
+    override var filterByAccessStrategy = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
+
     init {
         clusterService.clusterSettings.addSettingsUpdateConsumer(ALERTING_MAX_MONITORS) { maxMonitors = it }
         clusterService.clusterSettings.addSettingsUpdateConsumer(REQUEST_TIMEOUT) { requestTimeout = it }

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportSearchAlertingCommentAction.kt

@@ -63,6 +63,8 @@ class TransportSearchAlertingCommentAction @Inject constructor(
 
     @Volatile private var alertingCommentsEnabled = AlertingSettings.ALERTING_COMMENTS_ENABLED.get(settings)
     @Volatile override var filterByEnabled: Boolean = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile override var filterByAccessStrategy: String = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
+
     init {
         clusterService.clusterSettings.addSettingsUpdateConsumer(AlertingSettings.ALERTING_COMMENTS_ENABLED) {
             alertingCommentsEnabled = it

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportSearchMonitorAction.kt

@@ -62,6 +62,9 @@ class TransportSearchMonitorAction @Inject constructor(
     SecureTransportAction {
     @Volatile
     override var filterByEnabled: Boolean = AlertingSettings.FILTER_BY_BACKEND_ROLES.get(settings)
+    @Volatile
+    override var filterByAccessStrategy: String = AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.get(settings)
+
     init {
         listenFilterBySettingChange(clusterService)
     }

alerting/src/test/kotlin/org/opensearch/alerting/AlertingRestTestCase.kt

@@ -1482,6 +1482,20 @@ abstract class AlertingRestTestCase : ODFERestTestCase() {
         assertEquals(updateResponse.statusLine.toString(), 200, updateResponse.statusLine.statusCode)
     }
 
+    fun setFilterByBackendRolesStrategy(strategy: String) {
+        val updateResponse = client().makeRequest(
+            "PUT", "_cluster/settings",
+            emptyMap(),
+            StringEntity(
+                XContentFactory.jsonBuilder().startObject().field("persistent")
+                    .startObject().field(AlertingSettings.FILTER_BY_BACKEND_ROLES_ACCESS_STRATEGY.key, strategy).endObject()
+                    .endObject().string(),
+                ContentType.APPLICATION_JSON
+            )
+        )
+        assertEquals(updateResponse.statusLine.toString(), 200, updateResponse.statusLine.statusCode)
+    }
+
     fun disableFilterBy() {
         val updateResponse = client().makeRequest(
             "PUT", "_cluster/settings",