[FEATURE] Read-only access to security plugin resources (eg. roles, mappings)

[riconnon]

Is your feature request related to a problem?
We run terraform in our CI environment and would like to use the opensearch provider.
On PRs we run with an identity that has only read-only credentials, and need to be able to grant read-only access to read resources such as roles, role mappings, etc. to that identity.

What solution would you like?
Create permissions to allow read-only access to security plugin resources available in the terraform provider.

What alternatives have you considered?
N/A

Do you have any additional context?
N/A

[cwperks]

I believe this is possible using the plugins.security.restapi.endpoints_disabled.{role}.{endpoint}: [HTTP Verbs...] setting.

See example below from opensearch.yml.example below:

# Disable particular endpoints and their HTTP methods for roles. 
# By default all endpoints/methods are allowed.
#plugins.security.restapi.endpoints_disabled.<role>.<endpoint>: <array of http methods>
# Example:
#plugins.security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"]
#plugins.security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"]