
Allow plugins to bring a default-roles.yml file with static list of roles to use plugin #6038

Merged: cwperks merged 1 commit into opensearch-project:main from cwperks:static-list, Mar 26, 2026


@cwperks cwperks commented Mar 26, 2026

Description

This PR introduces a mechanism for OpenSearch plugins to contribute their own default roles via a default-roles.yml file bundled in their classpath resources. Currently, the security plugin's config/roles.yml centralizes default roles from many different plugins (alerting, anomaly detection, kNN, ML, etc.), which is problematic because plugins can be installed or removed independently by cluster admins.

This follows the same pattern established by resource-access-levels.yml for plugin-provided action groups.

  • Category: New feature

  • Why these changes are required?

The security plugin should not be the central repository for roles that belong to other plugins. Each plugin knows best what roles it needs, and those roles should travel with the plugin — installed when the plugin is installed, gone when it's removed. This also lays the groundwork for future hot-reloadability of static configs.

  • What is the old behavior before changes and new behavior after changes?

Old behavior: All default roles for every plugin are defined in the security plugin's config/roles.yml and static_roles.yml. Plugins have no way to contribute their own role definitions.

New behavior: Plugins can include a default-roles.yml file in their classpath resources and implement the SecurityConfigExtension SPI interface. The security plugin discovers these at startup via ExtensionLoader, loads the YAML files, and merges them into the static roles pool. Plugin-provided roles are held in-memory only (never persisted to the security index), marked as static and reserved, and take precedence over entries in static_roles.yml and the security index when a name collision exists.

Key changes:

  • New SecurityConfigExtension SPI marker interface in the spi module — any plugin can implement this to contribute static security config
  • ResourceSharingExtension now extends SecurityConfigExtension, so resource-sharing plugins get this capability for free
  • New PluginDefaultRolesHelper class that discovers and loads default-roles.yml from plugin classloaders (with URL-based deduplication for plugins that register multiple extensions sharing a classloader)
  • DynamicConfigFactory updated to merge plugin default roles in both the onChange() path and the addStatics() path, with plugin roles taking highest precedence
  • Sample resource plugin includes a default-roles.yml demonstrating the pattern

Precedence chain: plugin default-roles.yml > security static_roles.yml > security index entries

Issues Resolved

To be filed

Is this a backport? No

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? No

Testing

  • Integration test DefaultRolesTests added to the sample resource plugin covering:
    • Plugin-provided roles are visible via the GET roles API
    • Plugin-provided roles are marked as static and reserved
    • Plugin-provided roles cannot be deleted by non-admin users (403 Forbidden)
    • Plugin-provided roles contain the correct permissions from default-roles.yml

Check List

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/security/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).
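As an added illustration (Python written for this page, not the security plugin's own Java code), the following models the pipeline the description lays out: URL-based deduplication of discovered default-roles.yml resources, tagging plugin roles static and reserved, the precedence chain plugin default-roles.yml > static_roles.yml > security index, and the non-admin delete check that DefaultRolesTests exercises. Role names, permission strings and URLs are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Role:
    name: str
    cluster_permissions: List[str] = field(default_factory=list)
    static: bool = False
    reserved: bool = False
    source: str = "index"  # "plugin", "static_roles.yml" or "index"

def dedupe_resources(discovered: List[Tuple[str, str]]) -> List[str]:
    """Extensions sharing a classloader resolve the same default-roles.yml URL; load each URL once."""
    seen, urls = set(), []
    for _extension, url in discovered:
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls

def load_plugin_roles(parsed_yaml: dict) -> Dict[str, Role]:
    """In-memory roles from a parsed default-roles.yml; every plugin role is static and reserved."""
    return {name: Role(name, list(body.get("cluster_permissions", [])),
                       static=True, reserved=True, source="plugin")
            for name, body in parsed_yaml.items() if name != "_meta"}

def merge_roles(index_roles, static_roles, plugin_roles):
    """Apply layers lowest precedence first so the later layer wins a name collision."""
    merged: Dict[str, Role] = {}
    collisions = []  # (name, losing source, winning source)
    for layer in (index_roles, static_roles, plugin_roles):
        for name, role in layer.items():
            if name in merged:
                collisions.append((name, merged[name].source, role.source))
            merged[name] = role
    return merged, collisions

def can_delete(role: Role, is_admin: bool) -> bool:
    """Static/reserved roles are rejected with 403 unless the caller is an admin."""
    return is_admin or not (role.static or role.reserved)

# Constructed sample data with hypothetical names: what a plugin's default-roles.yml
# parses to, a stale copy of one of its roles in the security index, and a static role.
PLUGIN_YAML = {
    "_meta": {"type": "roles", "config_version": 2},
    "sample_plugin_reader": {"cluster_permissions": ["cluster:admin/sample/get"]},
    "sample_plugin_admin": {"cluster_permissions": ["cluster:admin/sample/*"]},
}
INDEX_ROLES = {"sample_plugin_reader": Role("sample_plugin_reader", ["cluster:monitor/*"]),
               "custom_role": Role("custom_role", ["cluster:monitor/health"])}
STATIC_ROLES = {"static_reader": Role("static_reader", ["cluster:monitor/main"],
                                      static=True, source="static_roles.yml")}
```

Calling merge_roles(INDEX_ROLES, STATIC_ROLES, load_plugin_roles(PLUGIN_YAML)) reports the sample_plugin_reader collision with the plugin copy winning, and can_delete on that role returns False for a non-admin caller.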

…oles to use plugin

Signed-off-by: Craig Perkins <cwperx@amazon.com>
codecov bot commented Mar 26, 2026

Codecov Report

❌ Patch coverage is 73.46939% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.81%. Comparing base (adf4a40) to head (d1ee5bd).
⚠️ Report is 8 commits behind head on main.

Files with missing lines | Patch % | Lines
...h/security/resources/PluginDefaultRolesHelper.java | 72.72% | 7 Missing and 2 partials ⚠️
...ch/security/securityconf/DynamicConfigFactory.java | 70.00% | 2 Missing and 1 partial ⚠️
.../opensearch/security/OpenSearchSecurityPlugin.java | 83.33% | 1 Missing ⚠️

@@            Coverage Diff             @@
##             main    #6038      +/-   ##
==========================================
+ Coverage   73.79%   73.81%   +0.01%     
==========================================
  Files         440      441       +1     
  Lines       27259    27379     +120     
  Branches     4052     4081      +29     
==========================================
+ Hits        20117    20211      +94     
- Misses       5227     5243      +16     
- Partials     1915     1925      +10     
Files with missing lines | Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java | 84.89% <83.33%> (-0.02%) ⬇️
...ch/security/securityconf/DynamicConfigFactory.java | 66.87% <70.00%> (+0.42%) ⬆️
...h/security/resources/PluginDefaultRolesHelper.java | 72.72% <72.72%> (ø)

... and 7 files with indirect coverage changes


@DarshitChanpura DarshitChanpura left a comment


Nice addition!! Let's update documentation as well.


cwperks commented Mar 26, 2026

^ I'll follow up this PR with a doc update and adding a CHANGELOG. I'm currently waiting until the CHANGELOG is cleared to avoid conflict.

@cwperks cwperks merged commit b03ccfd into opensearch-project:main Mar 26, 2026
64 of 74 checks passed
