[Resource Sharing] Keep track of list ofall_shared_principals for which sharable resource is visible for searching

[cwperks]

Description

This change updates the fetchAccessibleResourceIds method in ResourceSharingIndexHandler to search the resource index directly instead of the *-sharing index.

• Category: Enhancement

• Why these changes are required?
  Previously, we only searched the resource sharing index (*-sharing) and derived principals from share_with. This required scripts and runtime fields to flatten recipients, adding overhead. This PR also keeps track of principals in each resource document, we can query this field directly to determine visibility. Principals are of the form: user:{username}, role:{rolename}, backend:{backend_role_name}. user:* will be used as the convention for making a resource publicly visible.

  Keeping track of principals in the resource document improves:

  • Visibility: resource docs reflect who can access them without needing to cross-reference the sharing index.
  • Searchability: access checks can run efficiently using termsQuery("principals", entities).
  • Performance: avoids costly runtime scripts and reduces indirection across indices.

• Old behavior: Queries ran against the *-sharing index, required derived runtime fields, and fetched resource_id from _source.

• New behavior: Queries run directly on the resource index, filtering by the principals field, and collect _ids as resource identifiers.

Note: There will be a follow-up change to this PR to change fetchAccessibleResourceIds to a behind-the-scenes DLS clause which would not require the resource plugin to make 2 queries to get the list of visible IDs followed by the request they intend to make. The security plugin would inject a clause behind-the-scenes to limit the result set to a resource plugin based on the authenticated user.

Issues Resolved

Related to: #4500

Testing

• Added/updated unit tests for fetchAccessibleResourceIds to validate queries against principals.
• Verified integration tests where resources are created, shared, and revoked—ensuring principals updates are honored in queries.
• Manual testing with multiple users, roles, and backend roles to confirm correct visibility enforcement.

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request [created](https://github.com/opensearch-project/opensearch-api-specification/blob/main/DEVELOPER_GUIDE.md)
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/security/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

[codecov]

Codecov Report

❌ Patch coverage is 80.00000% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.96%. Comparing base (16993b4) to head (9ff8918).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
...ecurity/resources/ResourceSharingIndexHandler.java	85.13%	10 Missing and 1 partial ⚠️
...ecurity/spi/resources/sharing/ResourceSharing.java	60.00%	4 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5596      +/-   ##
==========================================
- Coverage   73.02%   72.96%   -0.06%     
==========================================
  Files         408      408              
  Lines       25293    25387      +94     
  Branches     3854     3862       +8     
==========================================
+ Hits        18469    18523      +54     
- Misses       4952     4983      +31     
- Partials     1872     1881       +9     

Files with missing lines	Coverage Δ
...arch/security/resources/ResourceIndexListener.java	93.93% <100.00%> (+0.18%)	⬆️
...ecurity/spi/resources/sharing/ResourceSharing.java	65.13% <60.00%> (-1.16%)	⬇️
...ecurity/resources/ResourceSharingIndexHandler.java	80.81% <85.13%> (-1.52%)	⬇️

... and 9 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.