Remote indices too

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -426,17 +426,28 @@ static SimpleRole buildFromRoleDescriptor(
             final String[] clusterAliases = remoteIndicesPrivileges.remoteClusters();
             assert Arrays.equals(new String[] { "*" }, clusterAliases)
                 : "reserved role should not define remote indices privileges for specific clusters";
-            final RoleDescriptor.IndicesPrivileges indicesPrivileges = remoteIndicesPrivileges.indicesPrivileges();
-            builder.addRemoteIndicesGroup(
-                Set.of(clusterAliases),
-                fieldPermissionsCache.getFieldPermissions(
-                    new FieldPermissionsDefinition(indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields())
-                ),
-                indicesPrivileges.getQuery() == null ? null : Collections.singleton(indicesPrivileges.getQuery()),
-                IndexPrivilege.get(Set.of(indicesPrivileges.getPrivileges())),
-                indicesPrivileges.allowRestrictedIndices(),
-                indicesPrivileges.getIndices()
+            final RoleDescriptor.IndicesPrivileges indexPrivilege = remoteIndicesPrivileges.indicesPrivileges();
+            FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(
+                new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+            );
+            Set<BytesReference> query = indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery());
+            boolean allowRestrictedIndices = indexPrivilege.allowRestrictedIndices();
+            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.partitionBySelectorPrivilege(
+                indexPrivilege.getPrivileges()
             );
+            for (var entry : split.entrySet()) {
+                IndexPrivilege privilege = IndexPrivilege.get(entry.getValue());
+                assert privilege.getSelectorPrivilege() == entry.getKey()
+                    : "expected selector privilege to match the partitioned privilege";
+                builder.addRemoteIndicesGroup(
+                    Set.of(clusterAliases),
+                    fieldPermissions,
+                    query,
+                    privilege,
+                    allowRestrictedIndices,
+                    indexPrivilege.getIndices()
+                );
+            }
         }
 
         RemoteClusterPermissions remoteClusterPermissions = roleDescriptor.getRemoteClusterPermissions();

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java

@@ -419,7 +419,6 @@ public ManageRolesPrivilege(List<ManageRolesIndexPermissionGroup> manageRolesInd
                         FieldPermissions.DEFAULT,
                         null,
                         false,
-                        // TODO
                         indexPatternPrivilege.indexPatterns()
                     );
                 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java

@@ -16,6 +16,8 @@
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
+import static org.elasticsearch.common.util.set.Sets.newHashSet;
+
 public record IndexComponentSelectorPrivilege(String name, Predicate<IndexComponentSelector> predicate) {
     public static final IndexComponentSelectorPrivilege ALL = new IndexComponentSelectorPrivilege("all", Predicates.always());
     public static final IndexComponentSelectorPrivilege DATA = new IndexComponentSelectorPrivilege(
@@ -40,7 +42,7 @@ public static Set<IndexComponentSelectorPrivilege> get(Set<String> indexPrivileg
     }
 
     public static Map<IndexComponentSelectorPrivilege, Set<String>> partitionBySelectorPrivilege(String... indexPrivileges) {
-        return partitionBySelectorPrivilege(Set.of(indexPrivileges));
+        return partitionBySelectorPrivilege(newHashSet(indexPrivileges));
     }
 
     public static Map<IndexComponentSelectorPrivilege, Set<String>> partitionBySelectorPrivilege(Set<String> indexPrivileges) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java

@@ -101,7 +101,12 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             new RoleDescriptor.RemoteIndicesPrivileges(
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("*")
-                    .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster")
+                    .privileges(
+                        // TODO are there edge-cases where this is a bad idea?
+                        DataStream.isFailureStoreFeatureFlagEnabled()
+                            ? new String[] { "monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failure_store" }
+                            : new String[] { "monitor", "read", "view_index_metadata", "read_cross_cluster" }
+                    )
                     .allowRestrictedIndices(true)
                     .build(),
                 "*"

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilegeTests.java

@@ -58,32 +58,26 @@ public void testOrderingOfPrivilegeNames() throws Exception {
     }
 
     public void testFindPrivilegesThatGrant() {
-        assertThat(findPrivilegesThatGrant(TransportSearchAction.TYPE.name()), equalTo(List.of("read", "read_failure_store", "all")));
+        assertThat(findPrivilegesThatGrant(TransportSearchAction.TYPE.name()), equalTo(List.of("read", "all")));
         assertThat(findPrivilegesThatGrant(TransportIndexAction.NAME), equalTo(List.of("create_doc", "create", "index", "write", "all")));
         assertThat(findPrivilegesThatGrant(TransportUpdateAction.NAME), equalTo(List.of("index", "write", "all")));
         assertThat(findPrivilegesThatGrant(TransportDeleteAction.NAME), equalTo(List.of("delete", "write", "all")));
         assertThat(
             findPrivilegesThatGrant(IndicesStatsAction.NAME),
-            equalTo(List.of("monitor", "manage", "manage_failure_store_internal", "cross_cluster_replication", "all"))
-        );
-        assertThat(
-            findPrivilegesThatGrant(RefreshAction.NAME),
-            equalTo(List.of("maintenance", "manage", "manage_failure_store_internal", "all"))
+            equalTo(List.of("monitor", "manage", "cross_cluster_replication", "all"))
         );
+        assertThat(findPrivilegesThatGrant(RefreshAction.NAME), equalTo(List.of("maintenance", "manage", "all")));
     }
 
     public void testPrivilegesForRollupFieldCapsAction() {
         final Collection<String> privileges = findPrivilegesThatGrant(GetRollupIndexCapsAction.NAME);
-        assertThat(
-            Set.copyOf(privileges),
-            equalTo(Set.of("manage", "all", "read_failure_store", "view_index_metadata", "read", "manage_failure_store_internal"))
-        );
+        assertThat(Set.copyOf(privileges), equalTo(Set.of("manage", "all", "view_index_metadata", "read")));
     }
 
     public void testPrivilegesForGetCheckPointAction() {
         assertThat(
             findPrivilegesThatGrant(GetCheckpointAction.NAME),
-            containsInAnyOrder("monitor", "view_index_metadata", "manage", "manage_failure_store_internal", "all")
+            containsInAnyOrder("monitor", "view_index_metadata", "manage", "all")
         );
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java

@@ -556,11 +556,11 @@ public static void buildRoleFromDescriptors(
         }
         for (Map.Entry<Set<String>, MergeableIndicesPrivilege> entry : restrictedIndicesPrivilegesMap.entrySet()) {
             MergeableIndicesPrivilege indicesPrivilege = entry.getValue();
+            FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition);
+            String[] indices = indicesPrivilege.indices.toArray(Strings.EMPTY_ARRAY);
             Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.partitionBySelectorPrivilege(
                 indicesPrivilege.privileges
             );
-            FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(indicesPrivilege.fieldPermissionsDefinition);
-            String[] indices = indicesPrivilege.indices.toArray(Strings.EMPTY_ARRAY);
             for (Map.Entry<IndexComponentSelectorPrivilege, Set<String>> privilegesBySelector : split.entrySet()) {
                 IndexPrivilege indexPrivilege = IndexPrivilege.get(privilegesBySelector.getValue());
                 assert indexPrivilege.getSelectorPrivilege() == privilegesBySelector.getKey();
@@ -569,18 +569,28 @@ public static void buildRoleFromDescriptors(
         }
 
         remoteIndicesPrivilegesByCluster.forEach((clusterAliasKey, remoteIndicesPrivilegesForCluster) -> {
-            remoteIndicesPrivilegesForCluster.forEach(
-                (privilege) -> builder.addRemoteIndicesGroup(
-                    clusterAliasKey,
-                    fieldPermissionsCache.getFieldPermissions(
-                        new FieldPermissionsDefinition(privilege.getGrantedFields(), privilege.getDeniedFields())
-                    ),
-                    privilege.getQuery() == null ? null : newHashSet(privilege.getQuery()),
-                    IndexPrivilege.get(newHashSet(Objects.requireNonNull(privilege.getPrivileges()))),
-                    privilege.allowRestrictedIndices(),
-                    newHashSet(Objects.requireNonNull(privilege.getIndices())).toArray(new String[0])
-                )
-            );
+            remoteIndicesPrivilegesForCluster.forEach((privilege) -> {
+                FieldPermissions fieldPermissions = fieldPermissionsCache.getFieldPermissions(
+                    new FieldPermissionsDefinition(privilege.getGrantedFields(), privilege.getDeniedFields())
+                );
+                Set<BytesReference> query = privilege.getQuery() == null ? null : newHashSet(privilege.getQuery());
+                String[] indices = newHashSet(Objects.requireNonNull(privilege.getIndices())).toArray(new String[0]);
+                Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.partitionBySelectorPrivilege(
+                    Objects.requireNonNull(privilege.getPrivileges())
+                );
+                for (Map.Entry<IndexComponentSelectorPrivilege, Set<String>> privilegesBySelector : split.entrySet()) {
+                    IndexPrivilege indexPrivilege = IndexPrivilege.get(privilegesBySelector.getValue());
+                    assert indexPrivilege.getSelectorPrivilege() == privilegesBySelector.getKey();
+                    builder.addRemoteIndicesGroup(
+                        clusterAliasKey,
+                        fieldPermissions,
+                        query,
+                        indexPrivilege,
+                        privilege.allowRestrictedIndices(),
+                        indices
+                    );
+                }
+            });
         });
 
         if (remoteClusterPermissions.hasAnyPrivileges()) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/privilege/RestGetBuiltinPrivilegesAction.java

@@ -24,10 +24,12 @@
 import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesRequest;
 import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesResponse;
 import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesResponseTranslator;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
 import org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler;
 
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.List;
 
 import static org.elasticsearch.rest.RestRequest.Method.GET;
@@ -71,14 +73,24 @@ public RestResponse buildResponse(GetBuiltinPrivilegesResponse response, XConten
                     final var translatedResponse = responseTranslator.translate(response);
                     builder.startObject();
                     builder.array("cluster", translatedResponse.getClusterPrivileges());
-                    builder.array("index", translatedResponse.getIndexPrivileges());
+                    // TODO remove the filter once we can update docs tests again
+                    builder.array("index", filterOutFailureStorePrivileges(translatedResponse));
                     String[] remoteClusterPrivileges = translatedResponse.getRemoteClusterPrivileges();
                     if (remoteClusterPrivileges.length > 0) { // remote clusters are not supported in stateless mode, so hide entirely
                         builder.array("remote_cluster", remoteClusterPrivileges);
                     }
                     builder.endObject();
                     return new RestResponse(RestStatus.OK, builder);
                 }
+
+                private static String[] filterOutFailureStorePrivileges(GetBuiltinPrivilegesResponse translatedResponse) {
+                    return Arrays.stream(translatedResponse.getIndexPrivileges())
+                        .filter(
+                            p -> false == (p.equals(IndexPrivilege.READ_FAILURE_STORE.getSingleName())
+                                || p.equals(IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL.getSingleName()))
+                        )
+                        .toArray(String[]::new);
+                }
             }
         );
     }