Make cacheEntry.getIndexInput() privileged when fetching blobs from remote snapshot

[finnegancarroll]

Description

See comment.

The transfer manager needs elevated permissions when calling getIndexInput() on the cache entry such that it can do disk io necessary to download new blobs from the remote snapshot store. These additional permissions are only required in the case of scripted queries, which run in a different security context.

Related Issues

Resolves #[Issue number to be closed when this PR is merged]
#16542

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[github-actions]

❌ Gradle check result for 98858d8: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for b60f058: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 1fdfb53: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for 7978e4e: SUCCESS

[codecov]

Codecov Report

Attention: Patch coverage is 68.75000% with 5 lines in your changes missing coverage. Please review.

Project coverage is 72.07%. Comparing base (0363aa7) to head (7978e4e).
Report is 8 commits behind head on main.

Files with missing lines	Patch %	Lines
...arch/index/store/remote/utils/TransferManager.java	68.75%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #16544      +/-   ##
============================================
+ Coverage     72.00%   72.07%   +0.06%     
- Complexity    65038    65106      +68     
============================================
  Files          5313     5314       +1     
  Lines        303454   303541      +87     
  Branches      43910    43921      +11     
============================================
+ Hits         218510   218762     +252     
+ Misses        67040    66908     -132     
+ Partials      17904    17871      -33     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-16544-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 4213cc27305c37ea71e5b5a5addd17e5383e8029
# Push it to GitHub
git push --set-upstream origin backport/backport-16544-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-16544-to-2.x.