[workspace]feat: Add ACL auditor

[SuZhou-Joe]

Description

This PR is mainly to add an auditor per request, if somehow a call to the saved objects client bypass the ACL, the auditor is supposed to audit a bypass error.

Issues Resolved

Screenshot

Testing the changes

• Enabled permission control: savedObjects.permission.enabled: true
• Enabled workspace: workspace.enabled: true
• Claim a user as dashboard admin so that others will be regarded as normal user: opensearchDashboards.dashboardAdmin.users: ["admin"]
• Clicking around, there should not be a message with pattern: [ACLCounterCheckoutFailed] counter state: xxx

Changelog

• feat: Add ACL auditor

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[codecov]

Codecov Report

Attention: Patch coverage is 83.33333% with 21 lines in your changes missing coverage. Please review.

Project coverage is 60.96%. Comparing base (98df4dd) to head (2c29dce).
Report is 87 commits behind head on main.

Files with missing lines	Patch %	Lines
..._objects/workspace_saved_objects_client_wrapper.ts	80.00%	7 Missing and 4 partials ⚠️
src/core/server/utils/acl_auditor.ts	81.48%	2 Missing and 3 partials ⚠️
...rkspace/server/saved_objects/repository_wrapper.ts	75.00%	0 Missing and 3 partials ⚠️
src/core/server/utils/client_call_auditor.ts	87.50%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8557      +/-   ##
==========================================
+ Coverage   60.93%   60.96%   +0.03%     
==========================================
  Files        3769     3780      +11     
  Lines       89506    89973     +467     
  Branches    14012    14099      +87     
==========================================
+ Hits        54539    54853     +314     
- Misses      31557    31676     +119     
- Partials     3410     3444      +34     

Flag	Coverage Δ
Linux_1	29.24% <81.74%> (+0.24%)	⬆️
Linux_2	56.32% <84.09%> (+0.07%)	⬆️
Linux_3	37.80% <27.27%> (+0.04%)	⬆️
Linux_4	29.95% <27.27%> (+0.03%)	⬆️
Windows_1	29.26% <81.74%> (+0.24%)	⬆️
Windows_2	56.27% <84.09%> (+0.07%)	⬆️
Windows_3	37.80% <27.27%> (+0.04%)	⬆️
Windows_4	29.95% <27.27%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[wanglam]

How about add a decrement method?

[SuZhou-Joe]

I would like to keep the interface simple, increment with a negative value can give the same functionality here actually.

[wanglam]

Since we will throw error if not permitted, the sum of VALIDATE_FAILURE + VALIDATE_SUCCESS will always less than DATABASE_OPERATION? For example, we have 10 objects and increment 10 data source operation. We don't have permission to the last saved objects. We will only increment 1 VALIDATE_FAILURE and throw error if not permitted. Other permitted saved objects won't be recorded.

[SuZhou-Joe]

Actually if there is an error, the decorator will reset the auditor and won't checkout the record for this client call.

https://github.com/opensearch-project/OpenSearch-Dashboards/pull/8557/files#diff-6f4daf9988f5262d2403821efd458faf7157c7e7473ec65a16ae2724a92d6556R693

[Hailong-am]

do we want to provide a flag to turn off aduit behavior?, could enabled by default.

[SuZhou-Joe]

I was thinking that but there are too many feature flags now and I'd prefer to use the permission control feature flag. The auditor behavior won't add any impact to the UI or the server.

[wanglam]

Do we need to return Promise.reject here? Or the promise will be resolved after return.

[SuZhou-Joe]

No, we already return the result, the result will give the rejected error if the promise fails.