Configure masking algorithm default #4336

terryquigleysas
Contributor

Description

  • New feature
  • The field masking algorithm defaults to Blake2b. We'd like to be able to change this via a configuration option.

Issues Resolved

Resolves #4213

Testing

New tests added.
Tested locally against a running cluster.

Documentation

I will be raising an issue to add documentation to https://opensearch.org/docs/latest/security/access-control/field-masking

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Terry Quigley <terry.quigley@sas.com>
codecov bot commented May 13, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.00%. Comparing base (ab4b323) to head (62960d7).
Report is 2 commits behind head on main.

❗ Current head 62960d7 differs from pull request most recent head a676af8. Consider uploading reports for the commit a676af8 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4336      +/-   ##
==========================================
- Coverage   66.02%   66.00%   -0.02%     
==========================================
  Files         302      302              
  Lines       21758    21762       +4     
  Branches     3522     3523       +1     
==========================================
- Hits        14366    14365       -1     
- Misses       5625     5630       +5     
  Partials     1767     1767              
Files Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java 84.50% <100.00%> (+0.17%) ⬆️
...security/configuration/DlsFlsFilterLeafReader.java 61.84% <100.00%> (+0.09%) ⬆️
...opensearch/security/configuration/MaskedField.java 51.61% <100.00%> (-2.85%) ⬇️
...nsearch/security/dlic/rest/api/RolesApiAction.java 97.95% <100.00%> (+2.30%) ⬆️
...g/opensearch/security/support/ConfigConstants.java 95.00% <ø> (ø)

... and 5 files with indirect coverage changes

Member

@peternied peternied left a comment

Thanks for this update @terryquigleysas. Let's shift the logic around so the MaskedField uses an algorithm provider. As masked field should not need to know which implementation is being used, but just that it is using the algorithm selected for use by the plugin.

This will pave the way for different kinds of providers to be swapped, such as a specific FIPS compliant set vs others.

@terryquigleysas
Contributor Author

@peternied Thank you for your comments.
Would you be able to provide more details of the changes you propose?

Member

@cwperks cwperks left a comment

@terryquigleysas What do you think about passing the default in as a constructor arg to MaskedField in this call to avoid passing it into the mask function on every call?

@terryquigleysas
Contributor Author

> @terryquigleysas What do you think about passing the default in as a constructor arg to MaskedField in this call to avoid passing it into the mask function on every call?

@cwperks Thank you for the review. I have changed the code to this effect.

Member

@peternied peternied left a comment

Thanks for the updates @terryquigleysas, looks much cleaner. The refactor to a provider/factory doesn't seem as relevant with these changes.

Member

@DarshitChanpura DarshitChanpura left a comment

Thanks for filing this PR @terryquigleysas. I left some clarifying comments from my end.

@cwperks
Member

cwperks commented May 14, 2024

@terryquigleysas last request, can you sign all of the commits on this PR? The DCO check is failing: https://github.com/opensearch-project/security/pull/4336/checks?check_run_id=24958472355

@terryquigleysas
Contributor Author

terryquigleysas commented May 14, 2024

> @terryquigleysas last request, can you sign all of the commits on this PR? The DCO check is failing: https://github.com/opensearch-project/security/pull/4336/checks?check_run_id=24958472355

@cwperks I have followed the process at https://github.com/opensearch-project/security/pull/4336/checks?check_run_id=24958472355 but things do not appear to have changed here. Is there another way to do this? I'm new to this specific process.

UPDATE: That appears to have worked now for my commits. Hopefully none of the other commits pulled in are affected.

@terryquigleysas terryquigleysas force-pushed the configure_masking_algorithm_default branch from 7a38cfc to 16edc79 Compare May 14, 2024 18:10
terryquigleysas and others added 7 commits May 14, 2024 19:14
@terryquigleysas terryquigleysas force-pushed the configure_masking_algorithm_default branch from 16edc79 to 62960d7 Compare May 14, 2024 18:14
Member

@DarshitChanpura DarshitChanpura left a comment

LGTM! Thank you @terryquigleysas !

@cwperks
Member

cwperks commented May 15, 2024

@willyborankin any concerns with this PR using the older test mechanism?

This PR looks good to me. I think it can be followed-up with a change to the integrationTest package.

@willyborankin
Collaborator

> @willyborankin any concerns with this PR using the older test mechanism?
>
> This PR looks good to me. I think it can be followed-up with a change to the integrationTest package.

@cwperks I'm fine with it.

@cwperks cwperks added the backport 2.x backport to 2.x branch label May 15, 2024
@cwperks
Member

cwperks commented May 15, 2024

@terryquigleysas Did you create a documentation PR to accompany this change? Can you update the PR description to include a link to the companion PR for the documentation-website?

@terryquigleysas
Contributor Author

> @terryquigleysas Did you create a documentation PR to accompany this change? Can you update the PR description to include a link to the companion PR for the documentation-website?

Yes, it can be found at opensearch-project/documentation-website#7162

@DarshitChanpura DarshitChanpura merged commit d19a8ba into opensearch-project:main May 15, 2024
79 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request May 15, 2024
Signed-off-by: Terry Quigley <terry.quigley@sas.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit d19a8ba)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@terryquigleysas terryquigleysas deleted the configure_masking_algorithm_default branch May 15, 2024 16:11
Labels
backport 2.x backport to 2.x branch
Development

Successfully merging this pull request may close these issues.

[FEATURE] Configuration Option to Set Default Algorithm for Field Masking
5 participants