Description

Add application_id field to the role schema and introduce a new REST endpoint (GET _plugins/_security/applicationpermissions) that returns the list of application IDs the current user has access to. This enables OpenSearch Dashboards to selectively show/hide menu items based on which plugin applications a user is authorized to access.

• Category: New feature
• Why these changes are required?

Currently, Dashboards menu visibility is limited to three coarse-grained levels: regular users (see everything except Security), read-only users (basically just Discover), and security admins (see everything). There is no way for a cluster admin to selectively hide menu items like Index Management or Alerting. This leads to poor UX where users navigate to pages they don't have permissions for and get Access Denied errors.

• What is the old behavior before changes and new behavior after changes?

Old behavior: No association between roles and Dashboards applications. Menu visibility is controlled only by readonly_mode.roles and restapi.roles_enabled settings.

New behavior: Plugins can declare an application_id on their default roles (in default-roles.yml), creating a strong association between the role and a specific Dashboards application. The new GET _plugins/_security/applicationpermissions endpoint resolves the current user's mapped roles and returns the distinct set of application_ids they have access to. Users mapped to all_access receive ["*"]. Users with no application-linked roles receive [].

Example response:

{
  "user_name": "analyst_user",
  "application_ids": ["security-analytics", "index-management"]
}

Issues Resolved

Resolves opensearch-project#5635

This is not a backport.

These changes introduce a new REST endpoint (_plugins/_security/applicationpermissions) but no new permissions to be displayed in the static dropdown. A companion security-dashboards-plugin PR will be needed to consume this endpoint for menu management.

Testing

• Unit tests: Added tests to RoleV7Test verifying application_id deserialization from YAML and null when absent
• Integration tests: Added ApplicationPermissionsInfoTest with 5 test cases:
  • all_access user receives ["*"]
  • User with a single application role receives that application ID
  • User with multiple application roles receives all application IDs
  • User with no application-linked roles receives empty list
  • Response includes correct user_name
• Unit tests verified passing via ./gradlew test --tests "org.opensearch.security.securityconf.impl.v7.RoleV7Test" (6/6 pass, 0 failures)

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request [created](https://github.com/opensearch-project/opensearch-api-specification/blob/main/DEVELOPER_GUIDE.md)
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/security/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Your working title looks good. Want me to write this into PR_DESCRIPTION.md or are you copying it straight into GitHub?