[FEATURE] Read-only access to security plugin resources (e.g. roles, mappings)
Is your feature request related to a problem? We run Terraform in our CI environment and would like to use the OpenSearch provider. On PRs we run with an identity that has only read-only credentials, and need to be able to grant read-only access to read resources such as roles, role mappings, etc. to that identity.
What solution would you like? Create permissions to allow read-only access to security plugin resources available in the Terraform provider.
What alternatives have you considered? N/A
Do you have any additional context? N/A
I believe this is possible using the `plugins.security.restapi.endpoints_disabled.{role}.{endpoint}: [HTTP Verbs...]` setting.
See the example below from opensearch.yml.example:
```yaml
# Disable particular endpoints and their HTTP methods for roles.
# By default all endpoints/methods are allowed.
#plugins.security.restapi.endpoints_disabled.<role>.<endpoint>: <array of http methods>
# Example:
#plugins.security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"]
#plugins.security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"]
```
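Because every endpoint and method stays allowed unless it is listed, a read-only role is only as tight as its `endpoints_disabled` lines. The check below is an added example, not part of the thread or of the OpenSearch project; it reports which write methods a role can still call. The role name `ci_readonly`, the endpoint names `ROLES` and `ROLESMAPPING`, the write-method set and the sample settings are assumptions of this example.

```python
import json
import re

# Methods treated as "write" by this example; GET is what a read-only identity keeps.
WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}
PREFIX = "plugins.security.restapi.endpoints_disabled."
LINE_RE = re.compile(
    r"^" + re.escape(PREFIX)
    + r"(?P<role>[^.\s]+)\.(?P<endpoint>[^.\s:]+)\s*:\s*(?P<methods>\[.*\])\s*$"
)

# Constructed sample settings, not taken from a real cluster.
SAMPLE = """
plugins.security.restapi.endpoints_disabled.ci_readonly.ROLES: ["PUT","POST","DELETE","PATCH"]
plugins.security.restapi.endpoints_disabled.ci_readonly.ROLESMAPPING: ["PUT","DELETE"]
#plugins.security.restapi.endpoints_disabled.ci_readonly.ACTIONGROUPS: ["PUT","POST","DELETE","PATCH"]
"""


def disabled_methods(config_text):
    """Map (role, ENDPOINT) -> set of disabled HTTP methods from flat opensearch.yml lines."""
    disabled = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out settings have no effect
            continue
        m = LINE_RE.match(line)
        if m:
            methods = {v.upper() for v in json.loads(m.group("methods"))}
            key = (m.group("role"), m.group("endpoint").upper())
            disabled.setdefault(key, set()).update(methods)
    return disabled


def writable_endpoints(config_text, role, endpoints):
    """Return {endpoint: write methods still allowed} for role; empty dict means read-only."""
    disabled = disabled_methods(config_text)
    gaps = {}
    for ep in endpoints:
        # Anything not explicitly disabled is allowed by default.
        remaining = WRITE_METHODS - disabled.get((role, ep.upper()), set())
        if remaining:
            gaps[ep] = sorted(remaining)
    return gaps


if __name__ == "__main__":
    print(writable_endpoints(SAMPLE, "ci_readonly", ["ROLES", "ROLESMAPPING", "ACTIONGROUPS"]))
```

An empty result means every listed endpoint has all write methods disabled for the role; a commented-out line or a forgotten method shows up as a gap.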
@riconnon Is the ask to define a role in the configuration or use an existing role to grant read_only access? If the latter is true, then @cwperks's comment above should work as a solution.