Add AuthZ initialization completion check in health check API (#5626)

Signed-off-by: Nagaraj G <narajg@amazon.com>
Signed-off-by: Nagaraj G <nagaraj170297@gmail.com>
Co-authored-by: Nagaraj G <narajg@amazon.com>
Co-authored-by: Craig Perkins <craig5008@gmail.com>

Author: 3 people

CHANGELOG.md

@@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 - [Resource Sharing] Keep track of list of principals for which sharable resource is visible for searching ([#5596](https://github.com/opensearch-project/security/pull/5596))
 - [Resource Sharing] Keep track of tenant for sharable resources by persisting user requested tenant with sharing info ([#5588](https://github.com/opensearch-project/security/pull/5588))
+- [SecurityPlugin Health Check] Add AuthZ initialization completion check in health check API [(#5626)](https://github.com/opensearch-project/security/pull/5626)
 
 ### Bug Fixes
 

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -629,7 +629,14 @@ public List<RestHandler> getRestHandlers(
                 handlers.add(
                     new SecurityInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool))
                 );
-                handlers.add(new SecurityHealthAction(settings, restController, Objects.requireNonNull(backendRegistry)));
+                handlers.add(
+                    new SecurityHealthAction(
+                        settings,
+                        restController,
+                        Objects.requireNonNull(backendRegistry),
+                        Objects.requireNonNull(evaluator)
+                    )
+                );
                 handlers.add(
                     new DashboardsInfoAction(
                         settings,

src/main/java/org/opensearch/security/rest/SecurityHealthAction.java

@@ -40,6 +40,7 @@
 import org.opensearch.rest.RestController;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.security.auth.BackendRegistry;
+import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.transport.client.node.NodeClient;
 
 import static org.opensearch.rest.RestRequest.Method.GET;
@@ -66,10 +67,17 @@ public class SecurityHealthAction extends BaseRestHandler {
     );
 
     private final BackendRegistry registry;
-
-    public SecurityHealthAction(final Settings settings, final RestController controller, final BackendRegistry registry) {
+    private final PrivilegesEvaluator privilegesEvaluator;
+
+    public SecurityHealthAction(
+        final Settings settings,
+        final RestController controller,
+        final BackendRegistry registry,
+        final PrivilegesEvaluator privilegesEvaluator
+    ) {
         super();
         this.registry = registry;
+        this.privilegesEvaluator = privilegesEvaluator;
     }
 
     @Override
@@ -100,7 +108,7 @@ public void accept(RestChannel channel) throws Exception {
 
                     builder.startObject();
 
-                    if ("strict".equalsIgnoreCase(mode) && registry.isInitialized() == false) {
+                    if ("strict".equalsIgnoreCase(mode) && !(registry.isInitialized() && privilegesEvaluator.isInitialized())) {
                         status = "DOWN";
                         message = "Not initialized";
                         restStatus = RestStatus.SERVICE_UNAVAILABLE;

src/test/java/org/opensearch/security/HealthTests.java

@@ -76,4 +76,19 @@ public void testHealthUnitialized() throws Exception {
         assertContains(res, "*strict*");
         assertNotContains(res, "*UP*");
     }
+
+    @Test
+    public void testHealthUninitialized_securityNotInitialized() throws Exception {
+        setup(Settings.EMPTY, new DynamicSecurityConfig(), Settings.EMPTY, false);
+
+        RestHelper rh = nonSslRestHelper();
+        HttpResponse res;
+        assertThat(
+            HttpStatus.SC_SERVICE_UNAVAILABLE,
+            is((res = rh.executeGetRequest("_opendistro/_security/health?pretty")).getStatusCode())
+        );
+        assertContains(res, "*DOWN*");
+        assertContains(res, "*strict*");
+        assertNotContains(res, "*UP*");
+    }
 }