Add --timeout (-to) as an option to securityadmin.sh

.github/workflows/auto-release.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Get tag
         id: tag
         uses: dawidd6/action-get-tag@v1
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Download release notes
         run: |
           curl -s -o release-notes.md https://raw.githubusercontent.com/opensearch-project/security/main/release-notes/opensearch-security.release-notes-${{ steps.tag.outputs.tag }}.md

.github/workflows/automatic-merges.yml

@@ -12,7 +12,7 @@ jobs:
   automatic-merge-version-bumps:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - id: find-triggering-pr
         uses: peternied/find-triggering-pr@v1

.github/workflows/changelog_verifier.yml

@@ -9,7 +9,7 @@ jobs:
     if: github.repository == 'opensearch-project/security'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           ref: ${{ github.event.pull_request.head.sha }}

.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
           java-version: 21
 
       - name: Checkout security
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Generate list of tasks
         id: set-matrix
@@ -56,7 +56,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout security
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Build and Test
         uses: gradle/gradle-build-action@v3
@@ -99,7 +99,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout security
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Build and Test
         uses: gradle/gradle-build-action@v3
@@ -119,7 +119,7 @@ jobs:
     needs: ["test-windows", "test-linux", "integration-tests-windows", "integration-tests-linux", "sample-plugin-integration-tests-linux", "sample-plugin-integration-tests-windows"]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/download-artifact@v6
         with:
           path: downloaded-artifacts
@@ -156,7 +156,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout security
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run Integration Tests
         uses: gradle/gradle-build-action@v3
@@ -199,7 +199,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout security
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Build and Test
         uses: gradle/gradle-build-action@v3
@@ -242,7 +242,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout security
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run SampleResourcePlugin Integration Tests
         uses: gradle/gradle-build-action@v3
@@ -274,7 +274,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout security
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run SampleResourcePlugin Integration Tests
         uses: gradle/gradle-build-action@v3
@@ -307,7 +307,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout security
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run Resource Tests
         uses: gradle/gradle-build-action@v3
@@ -325,7 +325,7 @@ jobs:
           java-version: 21
 
       - name: Checkout Security Repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Build BWC tests
         uses: gradle/gradle-build-action@v3
@@ -349,7 +349,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout Security Repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - id: build-previous
         uses: ./.github/actions/run-bwc-suite
@@ -363,7 +363,7 @@ jobs:
   code-ql:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-java@v5
         with:
           distribution: temurin # Temurin is a distribution of adoptium
@@ -377,7 +377,7 @@ jobs:
   build-health:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-java@v5
         with:
           distribution: temurin # Temurin is a distribution of adoptium
@@ -395,7 +395,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup Environment
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Configure Java
         uses: actions/setup-java@v5

.github/workflows/code-hygiene.yml

@@ -8,7 +8,7 @@ jobs:
     name: Check if all files end in newline
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Linelint
         uses: fernandrone/linelint@0.0.6
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Spotless scan
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-java@v5
         with:
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Checkstyle scan
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-java@v5
         with:
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Spotbugs scan
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-java@v5
         with:
@@ -65,7 +65,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Check permissions orders
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - run: npm install yaml
 
     - name: Check permissions order

.github/workflows/dependabot_pr.yml

@@ -18,7 +18,7 @@ jobs:
           installation_id: 22958780
 
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           token: ${{ steps.github_app_token.outputs.token }}
           ref: ${{ github.head_ref }}

.github/workflows/integration-tests.yml

@@ -20,7 +20,7 @@ jobs:
         distribution: temurin # Temurin is a distribution of adoptium
         java-version: ${{ matrix.jdk }}
 
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
 
     - run: ./gradlew test
 

.github/workflows/link-checker.yml

@@ -9,7 +9,7 @@ jobs:
   linkchecker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: lychee Link Checker
         id: lychee
         uses: lycheeverse/lychee-action@master

.github/workflows/maven-publish.yml

@@ -21,7 +21,7 @@ jobs:
         with:
           distribution: temurin # Temurin is a distribution of adoptium
           java-version: 21
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Load secret
         uses: 1password/load-secrets-action@v3
         with:

.github/workflows/plugin_install.yml

@@ -27,7 +27,7 @@ jobs:
           java-version: ${{ matrix.jdk }}
 
       - name: Checkout Branch
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Assemble target plugin
         uses: gradle/gradle-build-action@v3

CHANGELOG.md

@@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Changed
 - Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing ([#5396](https://github.com/opensearch-project/security/pull/5396))
+- Allow overlap of static and custom security configs, but prefer static ([#5805](https://github.com/opensearch-project/security/pull/5805))
+
 ### Features
 
 ### Enhancements
@@ -20,6 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Resource Sharing] Keep track of resource_type on resource sharing document ([#5772](https://github.com/opensearch-project/security/pull/5772))
 - Add support for X509 v3 extensions (SAN) for authentication  ([#5701](https://github.com/opensearch-project/security/pull/5701))
 - [Resource Sharing] Requires default_owner for resource/migrate API ([#5789](https://github.com/opensearch-project/security/pull/5789))
+- Add --timeout (-to) as an option to securityadmin.sh ([#5787](https://github.com/opensearch-project/security/pull/5787))
 
 ### Bug Fixes
 - Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string ([#5694](https://github.com/opensearch-project/security/pull/5694))
@@ -40,12 +43,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [GRPC] Fix compilation errors from core protobuf version bump to 0.23.0 ([#5763](https://github.com/opensearch-project/security/pull/5763))
 - Modularized PrivilegesEvaluator ([#5791](https://github.com/opensearch-project/security/pull/5791))
 - [Resource Sharing] Adds post support for update sharing info API ([#5799](https://github.com/opensearch-project/security/pull/5799))
+- Cleaned up use of PrivilegesEvaluatorResponse ([#5804](https://github.com/opensearch-project/security/pull/5804))
 
 ### Maintenance
 - Bump `org.junit.jupiter:junit-jupiter` from 5.13.4 to 5.14.1 ([#5678](https://github.com/opensearch-project/security/pull/5678), [#5764](https://github.com/opensearch-project/security/pull/5764))
 - Bump `ch.qos.logback:logback-classic` from 1.5.18 to 1.5.20 ([#5680](https://github.com/opensearch-project/security/pull/5680), [#5724](https://github.com/opensearch-project/security/pull/5724))
-- Bump `org.scala-lang:scala-library` from 2.13.16 to 2.13.17 ([#5682](https://github.com/opensearch-project/security/pull/5682))
-- Bump `kafka_version` from 4.0.0 to 4.1.0 ([#5613](https://github.com/opensearch-project/security/pull/5613))
+- Bump `org.scala-lang:scala-library` from 2.13.16 to 2.13.18 ([#5682](https://github.com/opensearch-project/security/pull/5682), [#5809](https://github.com/opensearch-project/security/pull/5809))
+- Bump `kafka_version` from 4.0.0 to 4.1.1 ([#5613](https://github.com/opensearch-project/security/pull/5613), [#5806](https://github.com/opensearch-project/security/pull/5806))
 - Bump `org.gradle.test-retry` from 1.6.2 to 1.6.4 ([#5706](https://github.com/opensearch-project/security/pull/5706))
 - Bump `org.checkerframework:checker-qual` from 3.51.0 to 3.51.1 ([#5705](https://github.com/opensearch-project/security/pull/5705))
 - Bump `org.ow2.asm:asm` from 9.8 to 9.9 ([#5707](https://github.com/opensearch-project/security/pull/5707))
@@ -55,17 +59,19 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `github/codeql-action` from 3 to 4 ([#5702](https://github.com/opensearch-project/security/pull/5702))
 - Bump `com.github.spotbugs` from 6.4.2 to 6.4.4 ([#5727](https://github.com/opensearch-project/security/pull/5727))
 - Bump `com.autonomousapps.build-health` from 3.0.4 to 3.3.0 ([#5726](https://github.com/opensearch-project/security/pull/5726), [#5744](https://github.com/opensearch-project/security/pull/5744))
-- Bump `spring_version` from 6.2.11 to 6.2.12 ([#5725](https://github.com/opensearch-project/security/pull/5725))
+- Bump `spring_version` from 6.2.11 to 6.2.14 ([#5725](https://github.com/opensearch-project/security/pull/5725), [#5808](https://github.com/opensearch-project/security/pull/5808))
 - Bump `org.springframework.kafka:spring-kafka-test` from 4.0.0-M5 to 4.0.0-RC1 ([#5742](https://github.com/opensearch-project/security/pull/5742))
 - Bump `com.google.errorprone:error_prone_annotations` from 2.42.0 to 2.44.0 ([#5743](https://github.com/opensearch-project/security/pull/5743), [#5779](https://github.com/opensearch-project/security/pull/5779))
 - Bump `actions/upload-artifact` from 4 to 5 ([#5740](https://github.com/opensearch-project/security/pull/5740))
 - Bump `actions/download-artifact` from 5 to 6 ([#5739](https://github.com/opensearch-project/security/pull/5739))
-- Bump `com.google.googlejavaformat:google-java-format` from 1.28.0 to 1.31.0 ([#5741](https://github.com/opensearch-project/security/pull/5741), [#5765](https://github.com/opensearch-project/security/pull/5765))
+- Bump `com.google.googlejavaformat:google-java-format` from 1.28.0 to 1.32.0 ([#5741](https://github.com/opensearch-project/security/pull/5741), [#5765](https://github.com/opensearch-project/security/pull/5765), [#5811](https://github.com/opensearch-project/security/pull/5811))
 - Bump `com.jayway.jsonpath:json-path` from 2.9.0 to 2.10.0 ([#5767](https://github.com/opensearch-project/security/pull/5767))
 - Bump `org.apache.ws.xmlschema:xmlschema-core` from 2.3.1 to 2.3.2 ([#5781](https://github.com/opensearch-project/security/pull/5781))
 - Bump `commons-io:commons-io` from 2.20.0 to 2.21.0 ([#5780](https://github.com/opensearch-project/security/pull/5780))
 - Bump `com.nimbusds:nimbus-jose-jwt` from 10.5 to 10.6 ([#5782](https://github.com/opensearch-project/security/pull/5782))
 - Upgrade to gradle 9.2 and run CI with JDK 25 ([#5786](https://github.com/opensearch-project/security/pull/5786))
+- Bump `commons-validator:commons-validator` from 1.10.0 to 1.10.1 ([#5807](https://github.com/opensearch-project/security/pull/5807))
+- Bump `actions/checkout` from 5 to 6 ([#5810](https://github.com/opensearch-project/security/pull/5810))
 
 ### Documentation
 

build.gradle

@@ -26,14 +26,14 @@ buildscript {
 
         common_utils_version = System.getProperty("common_utils.version", '3.2.0.0-SNAPSHOT')
 
-        kafka_version  = '4.1.0'
+        kafka_version  = '4.1.1'
         open_saml_version = '5.1.6'
         open_saml_shib_version = "9.1.4"
         one_login_java_saml = '2.9.0'
         jjwt_version = '0.13.0'
         guava_version = '33.5.0-jre'
         jaxb_version = '2.3.9'
-        spring_version = '6.2.12'
+        spring_version = '6.2.14'
 
         if (buildVersionQualifier) {
             opensearch_build += "-${buildVersionQualifier}"
@@ -480,7 +480,7 @@ configurations {
         resolutionStrategy {
             force 'commons-codec:commons-codec:1.19.0'
             force 'org.slf4j:slf4j-api:1.7.36'
-            force 'org.scala-lang:scala-library:2.13.17'
+            force 'org.scala-lang:scala-library:2.13.18'
             force "com.fasterxml.jackson:jackson-bom:${versions.jackson}"
             force "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
             force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}"
@@ -778,7 +778,7 @@ dependencies {
     testImplementation "org.apache.kafka:kafka-test-common-runtime:${kafka_version}"
     testImplementation "org.apache.kafka:kafka-test-common-internal-api:${kafka_version}"
     testImplementation "org.apache.kafka:kafka-transaction-coordinator:${kafka_version}"
-    testImplementation 'commons-validator:commons-validator:1.10.0'
+    testImplementation 'commons-validator:commons-validator:1.10.1'
     testImplementation "org.springframework.kafka:spring-kafka-test:4.0.0-RC1"
     testImplementation "org.springframework:spring-beans:${spring_version}"
     testImplementation 'org.junit.jupiter:junit-jupiter:5.14.1'
@@ -796,7 +796,7 @@ dependencies {
     testRuntimeOnly ("org.springframework:spring-core:${spring_version}") {
         exclude(group:'org.springframework', module: 'spring-jcl' )
     }
-    testRuntimeOnly 'org.scala-lang:scala-library:2.13.17'
+    testRuntimeOnly 'org.scala-lang:scala-library:2.13.18'
     testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.6'
     testRuntimeOnly('org.apache.zookeeper:zookeeper:3.9.3') {
         exclude(group:'ch.qos.logback', module: 'logback-classic' )
@@ -812,7 +812,7 @@ dependencies {
     compileOnly "org.opensearch:opensearch:${opensearch_version}"
 
     //spotless
-    implementation('com.google.googlejavaformat:google-java-format:1.31.0') {
+    implementation('com.google.googlejavaformat:google-java-format:1.32.0') {
         exclude group: 'com.google.guava'
     }
 }

src/main/java/org/opensearch/security/filter/SecurityFilter.java

@@ -402,18 +402,14 @@ private <Request extends ActionRequest, Response extends ActionResponse> void ap
             User finalUser = user;
             Consumer<PrivilegesEvaluatorResponse> handleUnauthorized = response -> {
                 auditLog.logMissingPrivileges(action, request, task);
-                String err;
-                if (!response.getMissingSecurityRoles().isEmpty()) {
-                    err = String.format("No mapping for %s on roles %s", finalUser, response.getMissingSecurityRoles());
-                } else {
-                    err = (injectedRoles != null)
-                        ? String.format(
-                            "no permissions for %s and associated roles %s",
-                            response.getMissingPrivileges(),
-                            context.getMappedRoles()
-                        )
-                        : String.format("no permissions for %s and %s", response.getMissingPrivileges(), finalUser);
-                }
+                String err = (injectedRoles != null)
+                    ? String.format(
+                        "no permissions for %s and associated roles %s",
+                        response.getMissingPrivileges(),
+                        context.getMappedRoles()
+                    )
+                    : String.format("no permissions for %s and %s", response.getMissingPrivileges(), finalUser);
+
                 log.debug(err);
                 listener.onFailure(new OpenSearchSecurityException(err, RestStatus.FORBIDDEN));
             };