Added user level access control based on backend roles

[owaiskazi19]

Description

Added user level access control based on backend roles.

1. Created common util methods to get a workflow and then compare if requested user has backend role required to access the resource
2. Blocked creation of workflows if user doesn’t have a backend role
3. Changed following APIs with a check to see if user has permission to the resource using common method in task 1: update workflow, get workflow, provision workflow, get workflow status, reprovision workflow, deprovision workflow and delete workflow
4. Created a common util method to add backend role for search requests (search workflows and search workflow state)
5. Updated following API with additional backend role query in search request: search workflows and search workflow states
   [For this task, I had to change the search queries to boolean to add a nested filter query] @dbwiddis any thoughts?
6. Added Security Integaration tests for all APIs with backend roles considered (except reprovision)
7. Documentation PR - Added documentation for FGAC for Flow Framework documentation-website#8076

Learning after working on this feature

1. How access role filtering is done on OpenSearch?
2. Played a lot with ThreadContext
3. How user level permissions are defined?
4. Writing Security integration tests

Refer #668 (comment) for step by step workflow and src/test/java/org/opensearch/flowframework/rest/FlowFrameworkSecureRestApiIT.java file for complete functionality.

Related Issues

Resolves ##668

Check List

• New functionality includes testing.
• New functionality has been documented.
• API changes companion pull request created.
• Commits are signed per the DCO using --signoff.
• Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Attention: Patch coverage is 71.95767% with 106 lines in your changes missing coverage. Please review.

Project coverage is 77.44%. Comparing base (3a88199) to head (9d578d9).
Report is 1 commits behind head on main.

Files	Patch %	Lines
.../org/opensearch/flowframework/util/ParseUtils.java	58.66%	26 Missing and 5 partials ⚠️
...rk/transport/ProvisionWorkflowTransportAction.java	66.66%	20 Missing and 3 partials ⚠️
.../transport/ReprovisionWorkflowTransportAction.java	79.68%	12 Missing and 1 partial ⚠️
...ework/transport/CreateWorkflowTransportAction.java	70.00%	8 Missing and 1 partial ⚠️
...ork/transport/GetWorkflowStateTransportAction.java	78.57%	5 Missing and 1 partial ⚠️
...ework/transport/DeleteWorkflowTransportAction.java	75.00%	5 Missing ⚠️
...ramework/transport/GetWorkflowTransportAction.java	80.76%	4 Missing and 1 partial ⚠️
.../transport/DeprovisionWorkflowTransportAction.java	83.33%	4 Missing ⚠️
...flowframework/transport/handler/SearchHandler.java	84.61%	3 Missing and 1 partial ⚠️
.../transport/SearchWorkflowStateTransportAction.java	40.00%	3 Missing ⚠️
... and 1 more

Additional details and impacted files

@@             Coverage Diff              @@
##               main     #838      +/-   ##
============================================
- Coverage     77.47%   77.44%   -0.03%     
- Complexity      928      963      +35     
============================================
  Files            96       97       +1     
  Lines          4359     4536     +177     
  Branches        413      423      +10     
============================================
+ Hits           3377     3513     +136     
- Misses          810      841      +31     
- Partials        172      182      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dbwiddis]

Some suggestions.

[For this task, I had to change the search queries to boolean to add a nested filter query] @dbwiddis any thoughts?

See comment below. You can wrap any query inside a BoolQuery with a must() and then add a filter. I linked to an example I just wrote last week.

[dbwiddis]

LGTM with some style nits.

[joshpalis]

Overall looks good to me, just some non-blocking comments. Thanks @owaiskazi19 for add this in

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/flow-framework/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/flow-framework/backport-2.x
# Create a new branch
git switch --create backport/backport-838-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 60458a6275a2fe358a236583bce29db821d09ddc
# Push it to GitHub
git push --set-upstream origin backport/backport-838-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/flow-framework/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-838-to-2.x.