Inject user custom attributes

[markdboyd]

Description

These changes are a follow-up to #5491. They are part of ongoing work to address opensearch-project/alerting#1829. These changes specifically inject user custom attributes to the security plugin context so that DLS/FLS replacement on queries will work properly.

These changes work in concert with these changes in other plugins:

opensearch-project/common-utils#827
opensearch-project/alerting#1917

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
  • Enhancement/bug fix
• Why these changes are required?
  • To ensure that user custom attributes are available in the security plugin so that DLS/FLS queries will work properly. See [BUG] Alerting does not work when the last person to create/update has a role with parameter substitution in the DLS alerting#1829
• What is the old behavior before changes and new behavior after changes?
  • User custom attributes are now available on the user object in the security plugin

Issues Resolved

Addresses #5491

Testing

I have been doing manual testing in Docker by compiling the jar files and mounting the jar files into the containers.

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

❌ Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 73.09%. Comparing base (9ed37b5) to head (95e3a92).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...earch/security/privileges/PrivilegesEvaluator.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5560      +/-   ##
==========================================
+ Coverage   73.07%   73.09%   +0.01%     
==========================================
  Files         408      408              
  Lines       25259    25262       +3     
  Branches     3842     3843       +1     
==========================================
+ Hits        18459    18466       +7     
+ Misses       4933     4926       -7     
- Partials     1867     1870       +3     

Files with missing lines	Coverage Δ
...va/org/opensearch/security/auth/RolesInjector.java	96.66% <100.00%> (+7.38%)	⬆️
...g/opensearch/security/privileges/IndexPattern.java	96.66% <100.00%> (-0.04%)	⬇️
...ensearch/security/privileges/TenantPrivileges.java	99.02% <100.00%> (-0.01%)	⬇️
...opensearch/security/privileges/UserAttributes.java	80.76% <100.00%> (+0.76%)	⬆️
...security/privileges/dlsfls/DocumentPrivileges.java	96.07% <100.00%> (-3.93%)	⬇️
...g/opensearch/security/support/ConfigConstants.java	95.23% <ø> (ø)
...earch/security/privileges/PrivilegesEvaluator.java	75.13% <0.00%> (ø)

... and 11 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cwperks]

Thank you for this PR @markdboyd! The changes LGTM. Left one suggestion on strengthening the logic to identify if attribute substitution for a query string is incomplete, but otherwise the changes look good. Thank you for all the contributions to solve this difficult bug in the alerting plugin!

[cwperks]

Thank you @markdboyd! The changes LGTM. left a few minor comments, but nothing major.

[DarshitChanpura]

thanks @markdboyd ! The PR looks good to me. left one clarifying question