feat(alerting): Block non-PPL monitor CRUD on pluggable dataformat domains

alerting/build.gradle

@@ -392,6 +392,46 @@ integTest {
             excludeTestsMatching "org.opensearch.alerting.bwc.*IT"
         }
     }
+
+    task integTestPluggableDataformat(type: RestIntegTestTask) {
+        description = "Runs integration tests with pluggable dataformat feature flag enabled"
+        dependsOn bundlePlugin
+        testClassesDirs = sourceSets.test.output.classesDirs
+        classpath = sourceSets.test.runtimeClasspath
+
+        systemProperty 'tests.security.manager', 'false'
+        systemProperty 'java.io.tmpdir', opensearch_tmp_dir.absolutePath
+
+        filter {
+            includeTestsMatching "org.opensearch.alerting.transport.PluggableDataFormatMonitorBlockIT"
+        }
+    }
+
+    testClusters.integTestPluggableDataformat {
+        testDistribution = "ARCHIVE"
+        systemProperty 'opensearch.experimental.feature.pluggable.dataformat.enabled', 'true'
+
+        // Include same plugins as main integTest cluster
+        plugin(provider({ new RegularFile() { @Override File getAsFile() { return configurations.zipArchive.asFileTree.matching { include '**/opensearch-notifications-core*' }.singleFile } } }))
+        plugin(provider({ new RegularFile() { @Override File getAsFile() { return configurations.zipArchive.asFileTree.matching { include '**/notifications*' }.singleFile } } }))
+        plugin(provider({ new RegularFile() { @Override File getAsFile() { return configurations.zipArchive.asFileTree.matching { include '**/opensearch-job-scheduler*' }.singleFile } } }))
+        plugin(provider({ new RegularFile() { @Override File getAsFile() { return configurations.zipArchive.asFileTree.matching { include '**/opensearch-sql-plugin*' }.singleFile } } }))
+
+    }
+
+    // Install alerting plugin on the pluggable dataformat test cluster
+    integTestPluggableDataformat.dependsOn(bundle)
+    integTestPluggableDataformat.getClusters().forEach{c -> c.plugin(project.getObjects().fileProperty().value(bundle.getArchiveFile()))}
+
+    // Exclude pluggable dataformat tests from the main integTest task
+    integTest {
+        filter {
+            excludeTestsMatching "org.opensearch.alerting.transport.PluggableDataFormatMonitorBlockIT"
+        }
+    }
+
+    check.dependsOn integTestPluggableDataformat
+    integTest.finalizedBy integTestPluggableDataformat
 }
 
 task integTestRemote(type: RestIntegTestTask) {

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportExecuteMonitorAction.kt

@@ -27,6 +27,7 @@ import org.opensearch.alerting.util.use
 import org.opensearch.cluster.service.ClusterService
 import org.opensearch.common.inject.Inject
 import org.opensearch.common.settings.Settings
+import org.opensearch.common.util.FeatureFlags
 import org.opensearch.common.xcontent.LoggingDeprecationHandler
 import org.opensearch.common.xcontent.XContentHelper
 import org.opensearch.common.xcontent.XContentType
@@ -35,6 +36,7 @@ import org.opensearch.commons.alerting.model.Monitor
 import org.opensearch.commons.alerting.model.ScheduledJob
 import org.opensearch.commons.alerting.util.AlertingException
 import org.opensearch.commons.alerting.util.isMonitorOfStandardType
+import org.opensearch.commons.alerting.util.isPPLMonitor
 import org.opensearch.commons.authuser.User
 import org.opensearch.commons.utils.TenantContext
 import org.opensearch.core.action.ActionListener
@@ -207,6 +209,22 @@ class TransportExecuteMonitorAction @Inject constructor(
                     return@use
                 }
 
+                // Block non-PPL monitors on pluggable dataformat domains
+                if (FeatureFlags.isEnabled(FeatureFlags.PLUGGABLE_DATAFORMAT_EXPERIMENTAL_FLAG) &&
+                    !monitor.isPPLMonitor()
+                ) {
+                    actionListener.onFailure(
+                        AlertingException.wrap(
+                            OpenSearchStatusException(
+                                "Only PPL monitors are supported on this domain." +
+                                    " ${monitor.monitorType} monitors are not allowed.",
+                                RestStatus.FORBIDDEN
+                            )
+                        )
+                    )
+                    return@use
+                }
+
                 if (
                     monitor.isMonitorOfStandardType() &&
                     Monitor.MonitorType.valueOf(monitor.monitorType.uppercase(Locale.ROOT)) == Monitor.MonitorType.DOC_LEVEL_MONITOR

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexMonitorAction.kt

@@ -62,6 +62,7 @@ import org.opensearch.cluster.service.ClusterService
 import org.opensearch.common.inject.Inject
 import org.opensearch.common.settings.Settings
 import org.opensearch.common.unit.TimeValue
+import org.opensearch.common.util.FeatureFlags
 import org.opensearch.common.xcontent.LoggingDeprecationHandler
 import org.opensearch.common.xcontent.XContentFactory
 import org.opensearch.common.xcontent.XContentHelper
@@ -85,6 +86,7 @@ import org.opensearch.commons.alerting.model.remote.monitors.RemoteDocLevelMonit
 import org.opensearch.commons.alerting.model.userErrorMessage
 import org.opensearch.commons.alerting.util.AlertingException
 import org.opensearch.commons.alerting.util.isMonitorOfStandardType
+import org.opensearch.commons.alerting.util.isPPLMonitor
 import org.opensearch.commons.authuser.User
 import org.opensearch.commons.utils.TenantContext
 import org.opensearch.commons.utils.recreateObject
@@ -213,6 +215,22 @@ class TransportIndexMonitorAction @Inject constructor(
             return
         }
 
+        // Block non-PPL monitors on pluggable dataformat domains
+        if (FeatureFlags.isEnabled(FeatureFlags.PLUGGABLE_DATAFORMAT_EXPERIMENTAL_FLAG) &&
+            !transformedRequest.monitor.isPPLMonitor()
+        ) {
+            actionListener.onFailure(
+                AlertingException.wrap(
+                    OpenSearchStatusException(
+                        "Only PPL monitors are supported on this domain." +
+                            " ${transformedRequest.monitor.monitorType} monitors are not allowed.",
+                        RestStatus.FORBIDDEN
+                    )
+                )
+            )
+            return
+        }
+
         val user = readUserFromThreadContext(client)
 
         if (!validateUserBackendRoles(user, actionListener)) {

alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexWorkflowAction.kt

@@ -51,6 +51,7 @@ import org.opensearch.alerting.workflow.CompositeWorkflowRunner
 import org.opensearch.cluster.service.ClusterService
 import org.opensearch.common.inject.Inject
 import org.opensearch.common.settings.Settings
+import org.opensearch.common.util.FeatureFlags
 import org.opensearch.common.xcontent.LoggingDeprecationHandler
 import org.opensearch.common.xcontent.XContentFactory.jsonBuilder
 import org.opensearch.common.xcontent.XContentHelper
@@ -150,6 +151,22 @@ class TransportIndexWorkflowAction @Inject constructor(
             return
         }
 
+        // Block workflow creation on pluggable dataformat domains
+        if (FeatureFlags.isEnabled(
+                FeatureFlags.PLUGGABLE_DATAFORMAT_EXPERIMENTAL_FLAG
+            )
+        ) {
+            actionListener.onFailure(
+                AlertingException.wrap(
+                    OpenSearchStatusException(
+                        "Workflow operations are not supported on this domain.",
+                        RestStatus.FORBIDDEN
+                    )
+                )
+            )
+            return
+        }
+
         val transformedRequest = request as? IndexWorkflowRequest
             ?: recreateObject(request, namedWriteableRegistry) {
                 IndexWorkflowRequest(it)