[Resource Sharing] Allow specifying default access level in resouce access levels yml file

[cwperks]

Description

Allows plugin authors to mark a default access level directly in their resource-access-levels.yml file, reducing the burden on callers of the migration API.

• Category: Enhancement

• Why these changes are required?

• The migration API (POST _plugins/_security/api/resources/migrate) previously required callers to explicitly supply a default_access_level for every resource type being migrated. This is unnecessary friction — the plugin author already knows which access level is the safe default (typically the lowest-privilege one), and that knowledge belongs in the plugin's own definition rather than being re-specified at migration time.

• Old behavior: default_access_level was a mandatory field in the migrate request body. Omitting it returned a 400 Bad Request.

  New behavior: Plugin authors can mark one access level per resource type as the default by adding default: true in resource-access-levels.yml. The default_access_level field in the migrate request becomes optional — when omitted, the registered default is used. If explicitly supplied, the request value takes precedence. If neither is available and the resource has backend roles to migrate, the API fails fast with a descriptive 400 rather than silently dropping the backend role assignments.

Issues Resolved

N/A

Is this a backport? No.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? No.

Testing

• Updated MigrateApiTests integration tests:
  • testMigrateAPIWithSuperAdmin_noDefaultAccessLevel_usesRegisteredDefault — verifies that omitting default_access_level succeeds and sharing records are created using the yml-registered default (sample_read_only)
  • testMigrateAPIWithSuperAdmin_noDefaultAccessLevel — updated to reflect that omitting default_access_level is now valid when a registered default exists
  • Existing tests for explicit default_access_level and invalid access level values continue to pass unchanged

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

❌ Patch coverage is 69.23077% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.82%. Comparing base (2b86187) to head (3b9879a).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...security/resources/ResourceActionGroupsHelper.java	56.25%	4 Missing and 3 partials ⚠️
...i/migrate/MigrateResourceSharingInfoApiAction.java	76.47%	2 Missing and 2 partials ⚠️
...nsearch/security/resources/ResourcePluginInfo.java	83.33%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6018      +/-   ##
==========================================
- Coverage   73.88%   73.82%   -0.07%     
==========================================
  Files         440      440              
  Lines       27229    27261      +32     
  Branches     4044     4053       +9     
==========================================
+ Hits        20119    20126       +7     
- Misses       5199     5215      +16     
- Partials     1911     1920       +9     

Files with missing lines	Coverage Δ
...nsearch/security/resources/ResourcePluginInfo.java	87.60% <83.33%> (-0.23%)	⬇️
...i/migrate/MigrateResourceSharingInfoApiAction.java	79.04% <76.47%> (+0.18%)	⬆️
...security/resources/ResourceActionGroupsHelper.java	55.10% <56.25%> (+1.25%)	⬆️

... and 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[DarshitChanpura]

LGTM! Default access level is a great addition to RP setup. We should update doc to explicitly mention which access levels will be default for each plugin, once they have it that is.

[cwperks]

LGTM! Default access level is a great addition to RP setup. We should update doc to explicitly mention which access levels will be default for each plugin, once they have it that is.

I'll raise a PR to the documentation website repo