
Allow plugins to bring a default-roles.yml file with static list of roles to use plugin #85

Open
cwperks wants to merge 1 commit into main from static-list

Conversation


@cwperks cwperks commented Mar 26, 2026

Description

This PR introduces a mechanism for OpenSearch plugins to contribute their own default roles via a default-roles.yml file bundled in their classpath resources. Currently, the security plugin's config/roles.yml centralizes default roles from many different plugins (alerting, anomaly detection, kNN, ML, etc.), which is problematic because plugins can be installed or removed independently by cluster admins.

This follows the same pattern established by resource-access-levels.yml for plugin-provided action groups.

  • Category: New feature

  • Why these changes are required?

The security plugin should not be the central repository for roles that belong to other plugins. Each plugin knows best what roles it needs, and those roles should travel with the plugin — installed when the plugin is installed, gone when it's removed. This also lays the groundwork for future hot-reloadability of static configs.

  • What is the old behavior before changes and new behavior after changes?

Old behavior: All default roles for every plugin are defined in the security plugin's config/roles.yml and static_roles.yml. Plugins have no way to contribute their own role definitions.

New behavior: Plugins can include a default-roles.yml file in their classpath resources and implement the SecurityConfigExtension SPI interface. The security plugin discovers these at startup via ExtensionLoader, loads the YAML files, and merges them into the static roles pool. Plugin-provided roles are held in-memory only (never persisted to the security index), marked as static and reserved, and take precedence over entries in static_roles.yml and the security index when a name collision exists.

Key changes:

  • New SecurityConfigExtension SPI marker interface in the spi module — any plugin can implement this to contribute static security config
  • ResourceSharingExtension now extends SecurityConfigExtension, so resource-sharing plugins get this capability for free
  • New PluginDefaultRolesHelper class that discovers and loads default-roles.yml from plugin classloaders (with URL-based deduplication for plugins that register multiple extensions sharing a classloader)
  • DynamicConfigFactory updated to merge plugin default roles in both the onChange() path and the addStatics() path, with plugin roles taking highest precedence
  • Sample resource plugin includes a default-roles.yml demonstrating the pattern

Precedence chain: plugin default-roles.yml > security static_roles.yml > security index entries

Issues Resolved

To be filed

Is this a backport? No

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? No

Testing

  • Integration test DefaultRolesTests added to the sample resource plugin covering:
    • Plugin-provided roles are visible via the GET roles API
    • Plugin-provided roles are marked as static and reserved
    • Plugin-provided roles cannot be deleted by non-admin users (403 Forbidden)
    • Plugin-provided roles contain the correct permissions from default-roles.yml

Check List

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following the Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/security/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).
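The precedence chain and the URL-based deduplication described in the PR body, as an added model (example code, not the security plugin's own implementation): role bodies are plain dicts standing in for parsed YAML, and the PluginExtension class, role names, permission strings and jar URLs are all constructed.

```python
from dataclasses import dataclass

@dataclass
class PluginExtension:
    """Constructed stand-in for one SecurityConfigExtension: its roles and default-roles.yml URL."""
    name: str
    roles: dict
    resource_url: str

def load_plugin_roles(extensions):
    """Read each default-roles.yml URL once (extensions in one jar share a
    classloader, hence a URL) and mark every plugin role static and reserved."""
    seen_urls, merged = set(), {}
    for ext in extensions:
        if ext.resource_url in seen_urls:
            continue  # same file already loaded via another extension
        seen_urls.add(ext.resource_url)
        for name, body in ext.roles.items():
            merged[name] = {**body, "static": True, "reserved": True}
    return merged, sorted(seen_urls)

def merge_roles(plugin_roles, static_roles, index_roles):
    """Apply plugin default-roles.yml > static_roles.yml > security index.
    Lowest layer first, so a later layer overwrites the name; each collision is
    recorded so an operator can see which definition has been shadowed."""
    layers = [("index", index_roles), ("static_roles.yml", static_roles), ("plugin", plugin_roles)]
    effective, shadowed = {}, []
    for source, roles in layers:
        for name, body in roles.items():
            if name in effective:
                shadowed.append((name, effective[name]["_source"], source))
            effective[name] = {**body, "_source": source}
    return effective, shadowed

# Constructed sample: two extensions registered from the same plugin jar.
SHARED_URL = "jar:file:/plugins/example-plugin.jar!/default-roles.yml"
EXAMPLE_ROLE = {"cluster_permissions": ["cluster:admin/example_plugin/*"]}
EXTENSIONS = [
    PluginExtension("example-main", {"example_plugin_access": EXAMPLE_ROLE}, SHARED_URL),
    PluginExtension("example-sharing", {"example_plugin_access": EXAMPLE_ROLE}, SHARED_URL),
    PluginExtension("other", {"other_plugin_access": {"cluster_permissions": ["cluster:monitor/other/*"]}},
                    "jar:file:/plugins/other-plugin.jar!/default-roles.yml"),
]
# A stale centralized copy and an index entry that would widen the plugin roles.
STATIC_ROLES = {"example_plugin_access": {"cluster_permissions": ["cluster:*"]}}
INDEX_ROLES = {"other_plugin_access": {"cluster_permissions": ["*"]}}

def effective_config():
    plugin_roles, _ = load_plugin_roles(EXTENSIONS)
    return merge_roles(plugin_roles, STATIC_ROLES, INDEX_ROLES)
```

Both widened copies lose the name collision and appear in the shadowed list, which is the report an operator would want when a plugin role silently takes precedence over an entry in the security index.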

…oles to use plugin

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks requested a review from willyborankin as a code owner March 26, 2026 14:29