Issue and ferry a Service Account Token to an Extension on bootstrap #3176

Closed
opensearch-project/OpenSearch
#9618
@cwperks

Description

As part of [META] System Indices access for Extensions, the plan is for an extension that reserves indices to receive a token on bootstrap that the extension can utilize to interact with its reserved indices. This token will be referred to as a Service Account Token because it represents the identity of the extension and can be used by the extension to act as itself when making requests on the extension's reserved indices.

I'm filing an issue to track the work to create an interface within the IdentityPlugin extension point of core that can be used to trigger the security plugin's implementation of issuing a service account token. After issuance, the token also needs to be ferried to an extension.

I see 2 possible options for ferrying this token to an extension:

  1. As part of the InitializeExtensionRequest which is initiated from core and used to initialize an extension. The handler on the SDK side can be found here.

  2. As a separate Transport action that is sent after successful initialization. I recommend this option.

You can see a sample implementation of a separate transport action for ferrying service account tokens in here. (There's an open PR on the SDK repo to address token handling on the SDK side that provided implementations of ferrying a service account token and obo token: opensearch-project/opensearch-sdk-java#892)

Sending this as a separate Transport Request potentially allows the transport action to be re-used for token rotation, whereas an initialization request is only meant to be performed once.

Acceptance Criteria:

  • Define an interface in core on the IdentityPlugin that can be called to issue a service account token given an extension's unique ID.
  • Create a new TransportAction that runs after a successful InitializeExtensionRequest to issue and ferry the service account token to an extension.
  • Implement the interface in the Security plugin

Future followup:
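An added sketch of option 2 (the separate transport action), not code from the issue or from the OpenSearch project: a hypothetical issuer hook that the security plugin would provide through IdentityPlugin, and a TransportRequest that carries the issued token keyed by the extension's unique ID. It assumes OpenSearch core on the classpath; the `org.opensearch.core` stream package paths are those of OpenSearch 2.x and the class and interface names are invented for illustration.

```java
// Added example, not the project's code. Hypothetical package name.
package org.opensearch.extensions.token;

import java.io.IOException;
import java.util.Objects;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.transport.TransportRequest;

/** Hypothetical hook the security plugin implements behind IdentityPlugin. */
interface ServiceAccountTokenIssuer {
    /** Returns an opaque token representing the extension's own identity. */
    String issueServiceAccountToken(String extensionUniqueId);
}

/** Request core sends after a successful InitializeExtensionRequest; reusable for rotation. */
public class ServiceAccountTokenRequest extends TransportRequest {
    private final String extensionUniqueId;
    private final String token;

    public ServiceAccountTokenRequest(String extensionUniqueId, String token) {
        this.extensionUniqueId = Objects.requireNonNull(extensionUniqueId);
        this.token = Objects.requireNonNull(token);
    }

    /** Deserialize in exactly the field order used by writeTo. */
    public ServiceAccountTokenRequest(StreamInput in) throws IOException {
        super(in);
        this.extensionUniqueId = in.readString();
        this.token = in.readString();
    }

    @Override
    public void writeTo(StreamOutput out) throws IOException {
        super.writeTo(out);
        out.writeString(extensionUniqueId);
        out.writeString(token);
    }

    public String getExtensionUniqueId() { return extensionUniqueId; }

    public String getToken() { return token; }

    /** Issues a fresh token for the extension and wraps it; calling this again performs a rotation. */
    public static ServiceAccountTokenRequest forExtension(ServiceAccountTokenIssuer issuer,
                                                          String extensionUniqueId) {
        return new ServiceAccountTokenRequest(extensionUniqueId,
                issuer.issueServiceAccountToken(extensionUniqueId));
    }
}
```

The extension-side handler would receive this request, check that the unique ID matches its own, and keep the token in memory for subsequent requests against its reserved indices.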

Labels: bug (Something isn't working), triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable)