opensearch-project · cwperks · Sep 5, 2025 · Aug 26, 2025 · Aug 27, 2025 · Aug 27, 2025
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Enhancements
 
+- [Resource Sharing] Keep track of list of principals for which sharable resource is visible for searching ([#5596](https://github.com/opensearch-project/security/pull/5596))
 - [Resource Sharing] Keep track of tenant for sharable resources by persisting user requested tenant with sharing info ([#5588](https://github.com/opensearch-project/security/pull/5588))
 
 ### Bug Fixes

@@ -26,7 +26,6 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.Version;
-import org.opensearch.painless.PainlessModulePlugin;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
@@ -64,7 +63,6 @@ public class MigrateApiTests {
 
     @ClassRule
     public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.DEFAULT)
-        .plugin(PainlessModulePlugin.class)
         .plugin(
             new PluginInfo(
                 SampleResourcePlugin.class.getName(),

@@ -19,7 +19,6 @@
 import org.junit.runner.RunWith;
 
 import org.opensearch.Version;
-import org.opensearch.painless.PainlessModulePlugin;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
@@ -65,7 +64,6 @@ public class SecurityDisabledTests {
                 false
             )
         )
-        .plugin(PainlessModulePlugin.class)
         .loadConfigurationIntoIndex(false)
         .nodeSettings(Map.of("plugins.security.disabled", true, "plugins.security.ssl.http.enabled", false))
         .build();

@@ -23,7 +23,6 @@
 import org.opensearch.common.xcontent.XContentFactory;
 import org.opensearch.core.xcontent.ToXContent;
 import org.opensearch.core.xcontent.XContentBuilder;
-import org.opensearch.painless.PainlessModulePlugin;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
@@ -113,7 +112,6 @@ public static LocalCluster newCluster(boolean featureEnabled, boolean systemInde
                     false
                 )
             )
-            .plugin(PainlessModulePlugin.class)
             .anonymousAuth(true)
             .authc(AUTHC_HTTPBASIC_INTERNAL)
             .users(USER_ADMIN, FULL_ACCESS_USER, LIMITED_ACCESS_USER, NO_ACCESS_USER)

@@ -19,7 +19,6 @@
 
 import org.opensearch.Version;
 import org.opensearch.core.rest.RestStatus;
-import org.opensearch.painless.PainlessModulePlugin;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.sample.SampleResourcePlugin;
 import org.opensearch.security.OpenSearchSecurityPlugin;
@@ -47,7 +46,6 @@ public class SecurePluginTests {
         .anonymousAuth(false)
         .authc(AUTHC_DOMAIN)
         .users(USER_ADMIN)
-        .plugin(PainlessModulePlugin.class)
         .plugin(
             new PluginInfo(
                 SampleResourcePlugin.class.getName(),

@@ -9,8 +9,10 @@
 package org.opensearch.security.spi.resources.sharing;
 
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
@@ -267,4 +269,47 @@ public Set<String> fetchAccessLevels(Recipient recipientType, Set<String> entiti
         }
         return matchingGroups;
     }
+
+    /**
+     * Returns all principals (users, roles, backend_roles) that have access to this resource,
+     * including the creator and all shared recipients, formatted with appropriate prefixes.
+     *
+     * @return List of principals in format ["user:username", "role:rolename", "backend:backend_role"]
+     */
+    public List<String> getAllPrincipals() {
+        List<String> principals = new ArrayList<>();
+
+        // Add creator
+        if (createdBy != null) {
+            principals.add("user:" + createdBy.getUsername());
+        }
+
+        // Add shared recipients
+        if (shareWith != null) {
+            // shared with at any access level
+            for (Recipients recipients : shareWith.getSharingInfo().values()) {
+                Map<Recipient, Set<String>> recipientMap = recipients.getRecipients();
+
+                // Add users
+                Set<String> users = recipientMap.getOrDefault(Recipient.USERS, Collections.emptySet());
+                for (String user : users) {
+                    principals.add("user:" + user);
+                }
+
+                // Add roles
+                Set<String> roles = recipientMap.getOrDefault(Recipient.ROLES, Collections.emptySet());
+                for (String role : roles) {
+                    principals.add("role:" + role);
+                }
+
+                // Add backend roles
+                Set<String> backendRoles = recipientMap.getOrDefault(Recipient.BACKEND_ROLES, Collections.emptySet());
+                for (String backendRole : backendRoles) {
+                    principals.add("backend:" + backendRole);
+                }
+            }
+        }
+
+        return principals;
+    }
 }
@@ -54,7 +54,7 @@ public void postIndex(ShardId shardId, Engine.Index index, Engine.IndexResult re
         String resourceId = index.id();
 
         // Only proceed if this was a create operation and for primary shard
-        if (!result.isCreated() && index.origin().equals(Engine.Operation.Origin.PRIMARY)) {
+        if (!result.isCreated() || !index.origin().equals(Engine.Operation.Origin.PRIMARY)) {
             log.debug("Skipping resource sharing entry creation as this was an update operation for resource {}", resourceId);
             return;
         }