Add dsl-query-executor sandbox plugin for dsl query execution via analytics engine

[vinaykpud]

Introduces a new sandbox plugin related to this issue that intercepts _search requests and routes them through a execution pipeline via the analytics engine.

Description

This PR introduces the dsl-query-executor sandbox plugin skeleton with end-to-end wiring: action filter → transport action → converter → executor → response builder.

The converter currently produces a LogicalTableScan RelNode only, the executor returns empty rows (analytics engine stub), and the response builder constructs an empty SearchResponse. Actual DSL-to-RelNode conversion, execution, and response population will be added incrementally in follow-up PRs.

Related Issues

#20914

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

[github-actions]

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit ac00e6f.

Path	Line	Severity	Description
sandbox/plugins/dsl-query-executor/src/main/java/org/opensearch/dsl/action/SearchActionFilter.java	57	medium	The filter intercepts ALL _search requests (not just those targeting specific indices) and re-dispatches them as DslExecuteAction (indices:data/read/dsl/execute). The Security plugin at order 0 authorized the original 'indices:data/read/search' action, but the re-dispatched action uses a different action name that may not have a corresponding security rule, creating a potential authorization bypass path. The code itself acknowledges this gap in a TODO comment in DslExecuteAction.java.
sandbox/libs/analytics-framework/build.gradle	35	low	Addition of janino:3.1.9 and commons-compiler:3.1.9 introduces a runtime Java bytecode compiler into the analytics framework classloader. While legitimately required by Calcite for expression compilation, these libraries enable dynamic code generation at runtime, which expands the attack surface if query inputs are not properly sanitized in future plan-building code.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 1 | Low: 1

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[github-actions]

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit dd475b2.

Path	Line	Severity	Description
sandbox/plugins/dsl-query-executor/src/main/java/org/opensearch/dsl/action/SearchActionFilter.java	44	medium	order() returns Integer.MIN_VALUE, ensuring this filter executes before all other action filters — including security/authorization filters from plugins like OpenSearch Security. Any search request is routed to the DSL executor before authorization is checked, which could allow unauthenticated or unauthorized queries to reach the analytics engine. This is the lowest possible filter order and circumvents the standard security filter chain. While the sandbox context makes intentional malice unlikely, this pattern warrants scrutiny in any deployment.
sandbox/plugins/dsl-query-executor/src/main/java/org/opensearch/dsl/action/SearchActionFilter.java	54	low	Every _search request is unconditionally intercepted and rerouted to the DSL executor regardless of the target index or whether DSL processing is desired. A TODO comment in SearchActionFilterTests acknowledges this should be conditional on a per-index setting but is not yet implemented. In its current form, enabling this plugin globally diverts all search traffic through a stub pipeline that returns empty hits, which could be exploited as a denial-of-service vector against search functionality.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 1 | Low: 1

---

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

---

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

[nssuresh2007]

LGTM

[expani]

Thanks for the changes @vinaykpud Looks like a great start.

Dropped some comments mostly requiring changes in Analytics framework and plugins.

We can add TODO or resolve minor one's to start with and then eventually implement the most optimal solution.

[github-actions]

Failed to generate code suggestions for PR

[github-actions]

❌ Gradle check result for 671ac61: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

Failed to generate code suggestions for PR

[github-actions]

❌ Gradle check result for e53b96a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 0ffbc81: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for 9b0add8: SUCCESS

[codecov]

Codecov Report

❌ Patch coverage is 99.07407% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 73.21%. Comparing base (dbe98aa) to head (962ba1c).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
.../opensearch/dsl/executor/DslQueryPlanExecutor.java	95.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##               main   #20916    +/-   ##
==========================================
  Coverage     73.21%   73.21%            
- Complexity    72620    72729   +109     
==========================================
  Files          5849     5868    +19     
  Lines        332066   332573   +507     
  Branches      47951    48006    +55     
==========================================
+ Hits         243109   243495   +386     
- Misses        69456    69572   +116     
- Partials      19501    19506     +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

❌ Gradle check result for f91520e: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for 962ba1c: SUCCESS