Use ClusterInfoHolder to pass clusterName

Signed-off-by: Ryan Liang <jiallian@amazon.com>

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -959,7 +959,7 @@ public Collection<Object> createComponents(
         // Register opensearch dynamic settings
         transportPassiveAuthSetting.registerClusterSettingsChangeListener(clusterService.getClusterSettings());
 
-        final ClusterInfoHolder cih = new ClusterInfoHolder();
+        final ClusterInfoHolder cih = new ClusterInfoHolder(this.cs.getNodeName());
         this.cs.addListener(cih);
         this.salt = Salt.from(settings);
 
@@ -1049,7 +1049,7 @@ public Collection<Object> createComponents(
             configPath,
             compatConfig
         );
-        dcf = new DynamicConfigFactory(cr, settings, configPath, localClient, threadPool, cih, this.cs.getClusterName().value());
+        dcf = new DynamicConfigFactory(cr, settings, configPath, localClient, threadPool, cih);
         dcf.registerDCFListener(backendRegistry);
         dcf.registerDCFListener(compatConfig);
         dcf.registerDCFListener(irr);

src/main/java/org/opensearch/security/configuration/ClusterInfoHolder.java

@@ -40,6 +40,11 @@ public class ClusterInfoHolder implements ClusterStateListener {
     private volatile DiscoveryNodes nodes = null;
     private volatile Boolean isLocalNodeElectedClusterManager = null;
     private volatile boolean initialized;
+    private final String clusterName;
+
+    public ClusterInfoHolder(String clusterName) {
+        this.clusterName = clusterName;
+    }
 
     @Override
     public void clusterChanged(ClusterChangedEvent event) {
@@ -72,4 +77,8 @@ public Boolean hasNode(DiscoveryNode node) {
 
         return nodes.nodeExists(node) ? Boolean.TRUE : Boolean.FALSE;
     }
+
+    public String getClusterName() {
+        return this.clusterName;
+    }
 }

src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java

@@ -174,7 +174,7 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
             }
 
             final String issuer = claims.getIssuer();
-            if (!issuer.equals(clusterName)) {
+            if (!clusterName.equals(issuer)) {
                 log.error("The issuer of this OBO does not match the current cluster identifier");
                 return null;
             }

src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java

@@ -81,7 +81,6 @@ public class DynamicConfigFactory implements Initializable, ConfigurationChangeL
     private static SecurityDynamicConfiguration<TenantV7> staticTenants = SecurityDynamicConfiguration.empty();
     private static final WhitelistingSettings defaultWhitelistingSettings = new WhitelistingSettings();
     private static final AllowlistingSettings defaultAllowlistingSettings = new AllowlistingSettings();
-    private final String clusterName;
 
     static void resetStatics() {
         staticRoles = SecurityDynamicConfiguration.empty();
@@ -129,6 +128,7 @@ public final static SecurityDynamicConfiguration<?> addStatics(SecurityDynamicCo
     private final Settings opensearchSettings;
     private final Path configPath;
     private final InternalAuthenticationBackend iab = new InternalAuthenticationBackend();
+    private final ClusterInfoHolder cih;
 
     SecurityDynamicConfiguration<?> config;
 
@@ -138,14 +138,13 @@ public DynamicConfigFactory(
         final Path configPath,
         Client client,
         ThreadPool threadPool,
-        ClusterInfoHolder cih,
-        String clusterName
+        ClusterInfoHolder cih
     ) {
         super();
         this.cr = cr;
         this.opensearchSettings = opensearchSettings;
         this.configPath = configPath;
-        this.clusterName = clusterName;
+        this.cih = cih;
 
         if (opensearchSettings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true)) {
             try {
@@ -274,7 +273,7 @@ public void onChange(Map<CType, SecurityDynamicConfiguration<?>> typeToConfig) {
             );
 
             // rebuild v7 Models
-            dcm = new DynamicConfigModelV7(getConfigV7(config), opensearchSettings, configPath, iab, this.clusterName);
+            dcm = new DynamicConfigModelV7(getConfigV7(config), opensearchSettings, configPath, iab, this.cih);
             ium = new InternalUsersModelV7(
                 (SecurityDynamicConfiguration<InternalUserV7>) internalusers,
                 (SecurityDynamicConfiguration<RoleV7>) roles,

src/main/java/org/opensearch/security/securityconf/DynamicConfigModelV7.java

@@ -58,6 +58,7 @@
 import org.opensearch.security.auth.blocking.ClientBlockRegistry;
 import org.opensearch.security.auth.internal.InternalAuthenticationBackend;
 import org.opensearch.security.auth.internal.NoOpAuthenticationBackend;
+import org.opensearch.security.configuration.ClusterInfoHolder;
 import org.opensearch.security.http.OnBehalfOfAuthenticator;
 import org.opensearch.security.securityconf.impl.v7.ConfigV7;
 import org.opensearch.security.securityconf.impl.v7.ConfigV7.Authc;
@@ -82,21 +83,21 @@ public class DynamicConfigModelV7 extends DynamicConfigModel {
     private Multimap<String, AuthFailureListener> authBackendFailureListeners;
     private List<ClientBlockRegistry<InetAddress>> ipClientBlockRegistries;
     private Multimap<String, ClientBlockRegistry<String>> authBackendClientBlockRegistries;
-    private String clusterName;
+    private final ClusterInfoHolder cih;
 
     public DynamicConfigModelV7(
         ConfigV7 config,
         Settings opensearchSettings,
         Path configPath,
         InternalAuthenticationBackend iab,
-        String clusterName
+        ClusterInfoHolder cih
     ) {
         super();
         this.config = config;
         this.opensearchSettings = opensearchSettings;
         this.configPath = configPath;
         this.iab = iab;
-        this.clusterName = clusterName;
+        this.cih = cih;
         buildAAA();
     }
 
@@ -385,7 +386,7 @@ private void buildAAA() {
         if (oboSettings.get("signing_key") != null && oboSettings.get("encryption_key") != null) {
             final AuthDomain _ad = new AuthDomain(
                 new NoOpAuthenticationBackend(Settings.EMPTY, null),
-                new OnBehalfOfAuthenticator(getDynamicOnBehalfOfSettings(), this.clusterName),
+                new OnBehalfOfAuthenticator(getDynamicOnBehalfOfSettings(), this.cih.getClusterName()),
                 false,
                 -1
             );