Merge branch 'elastic:main' into EvaluatorImplementer-conditional-warnings

Author: mjmbischoff

docs/changelog/135337.yaml

@@ -0,0 +1,5 @@
+pr: 135337
+summary: Do not pass `ProjectMetadata` to lazy index permissions builder
+area: Security
+type: enhancement
+issues: []

docs/reference/enrich-processor/geoip-processor.md

@@ -206,14 +206,18 @@ PUT my_ip_locations
 
 If you can’t [automatically update](#geoip-automatic-updates) your IP geolocation databases from the Elastic endpoint, you have a few other options:
 
-* [Use a proxy endpoint](#use-proxy-geoip-endpoint)
+* [Use a reverse proxy endpoint](#use-proxy-geoip-endpoint)
 * [Use a custom endpoint](#use-custom-geoip-endpoint)
 * [Manually update your IP geolocation databases](#manually-update-geoip-databases)
 
 $$$use-proxy-geoip-endpoint$$$
-**Use a proxy endpoint**
+**Use a reverse proxy endpoint**
 
-If you can’t connect directly to the Elastic GeoIP endpoint, consider setting up a secure proxy. You can then specify the proxy endpoint URL in the [`ingest.geoip.downloader.endpoint`](#ingest-geoip-downloader-endpoint) setting of each node’s `elasticsearch.yml` file.
+If you can’t connect directly to the Elastic GeoIP endpoint, consider setting up a secure reverse proxy. You can then specify the reverse proxy endpoint URL in the [`ingest.geoip.downloader.endpoint`](#ingest-geoip-downloader-endpoint) setting of each node’s `elasticsearch.yml` file.
+
+:::{note}
+True HTTP proxy support for GeoIP database downloads is not currently available in {{es}}.
+:::
 
 In a strict setup the following domains may need to be added to the allowed domains list:
 

docs/reference/query-languages/esql/_snippets/functions/description/count_distinct.md

@@ -549,12 +549,6 @@ tests:
 - class: org.elasticsearch.xpack.test.rest.XPackRestIT
   method: test {p0=transform/transforms_start_stop/Test stop transform with force and wait_for_checkpoint true}
   issue: https://github.com/elastic/elasticsearch/issues/135135
-- class: org.elasticsearch.lucene.RollingUpgradeSearchableSnapshotIndexCompatibilityIT
-  method: testSearchableSnapshotUpgrade {p0=[9.2.0, 9.2.0, 9.2.0]}
-  issue: https://github.com/elastic/elasticsearch/issues/135150
-- class: org.elasticsearch.lucene.RollingUpgradeSearchableSnapshotIndexCompatibilityIT
-  method: testMountSearchableSnapshot {p0=[9.2.0, 9.2.0, 9.2.0]}
-  issue: https://github.com/elastic/elasticsearch/issues/135151
 - class: org.elasticsearch.discovery.ClusterDisruptionIT
   method: testAckedIndexing
   issue: https://github.com/elastic/elasticsearch/issues/117024
@@ -591,27 +585,12 @@ tests:
 - class: org.elasticsearch.xpack.esql.expression.function.scalar.score.DecayTests
   method: "testEvaluateBlockWithoutNulls {TestCase=<date_nanos>, <date_nanos>, <time_duration>, <_source> #12}"
   issue: https://github.com/elastic/elasticsearch/issues/135394
-- class: org.elasticsearch.upgrades.DataStreamsUpgradeIT
-  method: testDataStreamValidationDoesNotBreakUpgrade
-  issue: https://github.com/elastic/elasticsearch/issues/135406
-- class: org.elasticsearch.upgrades.IndexingIT
-  method: testIndexing
-  issue: https://github.com/elastic/elasticsearch/issues/135407
-- class: org.elasticsearch.upgrades.QueryableBuiltInRolesUpgradeIT
-  method: testBuiltInRolesSyncedOnClusterUpgrade
-  issue: https://github.com/elastic/elasticsearch/issues/135194
 - class: org.elasticsearch.gradle.TestClustersPluginFuncTest
   method: override jdk usage via ES_JAVA_HOME for known jdk os incompatibilities
   issue: https://github.com/elastic/elasticsearch/issues/135413
 - class: org.elasticsearch.xpack.esql.qa.single_node.EsqlSpecIT
   method: test {csv-spec:spatial_shapes.ConvertCartesianShapeFromStringParseError}
   issue: https://github.com/elastic/elasticsearch/issues/135455
-- class: org.elasticsearch.upgrades.SearchableSnapshotsRollingUpgradeIT
-  method: testBlobStoreCacheWithPartialCopyInMixedVersions
-  issue: https://github.com/elastic/elasticsearch/issues/135473
-- class: org.elasticsearch.upgrades.SearchableSnapshotsRollingUpgradeIT
-  method: testBlobStoreCacheWithFullCopyInMixedVersions
-  issue: https://github.com/elastic/elasticsearch/issues/135474
 - class: org.elasticsearch.xpack.esql.qa.multi_node.GenerativeIT
   method: test
   issue: https://github.com/elastic/elasticsearch/issues/134407
@@ -636,6 +615,9 @@ tests:
 - class: org.elasticsearch.xpack.esql.heap_attack.HeapAttackIT
   method: testAggTooManyMvLongs
   issue: https://github.com/elastic/elasticsearch/issues/135585
+- class: org.elasticsearch.xpack.esql.qa.single_node.GenerativeIT
+  method: test
+  issue: https://github.com/elastic/elasticsearch/issues/134407
 
 # Examples:
 #

docs/reference/query-languages/esql/kibana/definition/functions/count_distinct.json

@@ -491,4 +491,5 @@
     exports org.elasticsearch.inference.telemetry;
     exports org.elasticsearch.index.codec.vectors.diskbbq to org.elasticsearch.test.knn;
     exports org.elasticsearch.index.codec.vectors.cluster to org.elasticsearch.test.knn;
+    exports org.elasticsearch.search.crossproject;
 }

docs/reference/query-languages/esql/kibana/docs/functions/count_distinct.md

@@ -45,6 +45,7 @@
 import org.elasticsearch.search.aggregations.AggregationExecutionException;
 import org.elasticsearch.search.aggregations.MultiBucketConsumerService;
 import org.elasticsearch.search.aggregations.UnsupportedAggregationOnDownsampledIndex;
+import org.elasticsearch.search.crossproject.NoMatchingProjectException;
 import org.elasticsearch.search.query.SearchTimeoutException;
 import org.elasticsearch.transport.TcpTransport;
 import org.elasticsearch.xcontent.ParseField;
@@ -79,6 +80,7 @@
 import static org.elasticsearch.cluster.metadata.IndexMetadata.INDEX_UUID_NA_VALUE;
 import static org.elasticsearch.common.xcontent.XContentParserUtils.ensureExpectedToken;
 import static org.elasticsearch.common.xcontent.XContentParserUtils.ensureFieldName;
+import static org.elasticsearch.search.crossproject.CrossProjectIndexExpressionsRewriter.NO_MATCHING_PROJECT_EXCEPTION_VERSION;
 
 /**
  * A base class for all elasticsearch exceptions.
@@ -2022,6 +2024,12 @@ private enum ElasticsearchExceptionHandle {
             184,
             TransportVersions.REMOTE_EXCEPTION,
             TransportVersions.REMOTE_EXCEPTION_8_19
+        ),
+        NO_MATCHING_PROJECT_EXCEPTION(
+            NoMatchingProjectException.class,
+            NoMatchingProjectException::new,
+            185,
+            NO_MATCHING_PROJECT_EXCEPTION_VERSION
         );
 
         final Class<? extends ElasticsearchException> exceptionClass;

muted-tests.yml

@@ -48,92 +48,114 @@ public ResolvedIndexExpressions resolveIndexAbstractions(
         boolean includeDataStreams
     ) {
         final ResolvedIndexExpressions.Builder resolvedExpressionsBuilder = ResolvedIndexExpressions.builder();
-
         boolean wildcardSeen = false;
         for (String index : indices) {
-            String indexAbstraction;
-            boolean minus = false;
-            if (index.charAt(0) == '-' && wildcardSeen) {
-                indexAbstraction = index.substring(1);
-                minus = true;
-            } else {
-                indexAbstraction = index;
-            }
+            wildcardSeen = resolveIndexAbstraction(
+                resolvedExpressionsBuilder,
+                index,
+                indicesOptions,
+                projectMetadata,
+                allAuthorizedAndAvailableBySelector,
+                isAuthorized,
+                includeDataStreams,
+                wildcardSeen
+            );
+        }
+        return resolvedExpressionsBuilder.build();
+    }
 
-            // Always check to see if there's a selector on the index expression
-            final Tuple<String, String> expressionAndSelector = IndexNameExpressionResolver.splitSelectorExpression(indexAbstraction);
-            final String selectorString = expressionAndSelector.v2();
-            if (indicesOptions.allowSelectors() == false && selectorString != null) {
-                throw new UnsupportedSelectorException(indexAbstraction);
-            }
-            indexAbstraction = expressionAndSelector.v1();
-            IndexComponentSelector selector = IndexComponentSelector.getByKeyOrThrow(selectorString);
+    private boolean resolveIndexAbstraction(
+        ResolvedIndexExpressions.Builder resolvedExpressionsBuilder,
+        String index,
+        IndicesOptions indicesOptions,
+        ProjectMetadata projectMetadata,
+        Function<IndexComponentSelector, Set<String>> allAuthorizedAndAvailableBySelector,
+        BiPredicate<String, IndexComponentSelector> isAuthorized,
+        boolean includeDataStreams,
+        boolean wildcardSeen
+    ) {
+        String indexAbstraction;
+        boolean minus = false;
+        if (index.charAt(0) == '-' && wildcardSeen) {
+            indexAbstraction = index.substring(1);
+            minus = true;
+        } else {
+            indexAbstraction = index;
+        }
+
+        // Always check to see if there's a selector on the index expression
+        final Tuple<String, String> expressionAndSelector = IndexNameExpressionResolver.splitSelectorExpression(indexAbstraction);
+        final String selectorString = expressionAndSelector.v2();
+        if (indicesOptions.allowSelectors() == false && selectorString != null) {
+            throw new UnsupportedSelectorException(indexAbstraction);
+        }
+        indexAbstraction = expressionAndSelector.v1();
+        IndexComponentSelector selector = IndexComponentSelector.getByKeyOrThrow(selectorString);
 
-            // we always need to check for date math expressions
-            indexAbstraction = IndexNameExpressionResolver.resolveDateMathExpression(indexAbstraction);
+        // we always need to check for date math expressions
+        indexAbstraction = IndexNameExpressionResolver.resolveDateMathExpression(indexAbstraction);
 
-            if (indicesOptions.expandWildcardExpressions() && Regex.isSimpleMatchPattern(indexAbstraction)) {
-                wildcardSeen = true;
-                final HashSet<String> resolvedIndices = new HashSet<>();
-                for (String authorizedIndex : allAuthorizedAndAvailableBySelector.apply(selector)) {
-                    if (Regex.simpleMatch(indexAbstraction, authorizedIndex)
+        if (indicesOptions.expandWildcardExpressions() && Regex.isSimpleMatchPattern(indexAbstraction)) {
+            wildcardSeen = true;
+            final HashSet<String> resolvedIndices = new HashSet<>();
+            for (String authorizedIndex : allAuthorizedAndAvailableBySelector.apply(selector)) {
+                if (Regex.simpleMatch(indexAbstraction, authorizedIndex)
+                    && isIndexVisible(
+                        indexAbstraction,
+                        selectorString,
+                        authorizedIndex,
+                        indicesOptions,
+                        projectMetadata,
+                        indexNameExpressionResolver,
+                        includeDataStreams
+                    )) {
+                    resolveSelectorsAndCollect(authorizedIndex, selectorString, indicesOptions, resolvedIndices, projectMetadata);
+                }
+            }
+            if (resolvedIndices.isEmpty()) {
+                // es core honours allow_no_indices for each wildcard expression, we do the same here by throwing index not found.
+                if (indicesOptions.allowNoIndices() == false) {
+                    throw new IndexNotFoundException(indexAbstraction);
+                }
+                resolvedExpressionsBuilder.addLocalExpressions(index, new HashSet<>(), SUCCESS);
+            } else {
+                if (minus) {
+                    resolvedExpressionsBuilder.excludeFromLocalExpressions(resolvedIndices);
+                } else {
+                    resolvedExpressionsBuilder.addLocalExpressions(index, resolvedIndices, SUCCESS);
+                }
+            }
+        } else {
+            final HashSet<String> resolvedIndices = new HashSet<>();
+            resolveSelectorsAndCollect(indexAbstraction, selectorString, indicesOptions, resolvedIndices, projectMetadata);
+            if (minus) {
+                resolvedExpressionsBuilder.excludeFromLocalExpressions(resolvedIndices);
+            } else {
+                final boolean authorized = isAuthorized.test(indexAbstraction, selector);
+                if (authorized) {
+                    final boolean visible = indexExists(projectMetadata, indexAbstraction)
                         && isIndexVisible(
                             indexAbstraction,
                             selectorString,
-                            authorizedIndex,
+                            indexAbstraction,
                             indicesOptions,
                             projectMetadata,
                             indexNameExpressionResolver,
                             includeDataStreams
-                        )) {
-                        resolveSelectorsAndCollect(authorizedIndex, selectorString, indicesOptions, resolvedIndices, projectMetadata);
-                    }
-                }
-                if (resolvedIndices.isEmpty()) {
-                    // es core honours allow_no_indices for each wildcard expression, we do the same here by throwing index not found.
-                    if (indicesOptions.allowNoIndices() == false) {
-                        throw new IndexNotFoundException(indexAbstraction);
-                    }
-                    resolvedExpressionsBuilder.addLocalExpressions(index, new HashSet<>(), SUCCESS);
-                } else {
-                    if (minus) {
-                        resolvedExpressionsBuilder.excludeFromLocalExpressions(resolvedIndices);
-                    } else {
-                        resolvedExpressionsBuilder.addLocalExpressions(index, resolvedIndices, SUCCESS);
-                    }
-                }
-            } else {
-                final HashSet<String> resolvedIndices = new HashSet<>();
-                resolveSelectorsAndCollect(indexAbstraction, selectorString, indicesOptions, resolvedIndices, projectMetadata);
-                if (minus) {
-                    resolvedExpressionsBuilder.excludeFromLocalExpressions(resolvedIndices);
+                        );
+                    final LocalIndexResolutionResult result = visible ? SUCCESS : CONCRETE_RESOURCE_NOT_VISIBLE;
+                    resolvedExpressionsBuilder.addLocalExpressions(index, resolvedIndices, result);
+                } else if (indicesOptions.ignoreUnavailable()) {
+                    // ignoreUnavailable implies that the request should not fail if an index is not authorized
+                    // so we map this expression to an empty list,
+                    resolvedExpressionsBuilder.addLocalExpressions(index, new HashSet<>(), CONCRETE_RESOURCE_UNAUTHORIZED);
                 } else {
-                    final boolean authorized = isAuthorized.test(indexAbstraction, selector);
-                    if (authorized) {
-                        final boolean visible = indexExists(projectMetadata, indexAbstraction)
-                            && isIndexVisible(
-                                indexAbstraction,
-                                selectorString,
-                                indexAbstraction,
-                                indicesOptions,
-                                projectMetadata,
-                                indexNameExpressionResolver,
-                                includeDataStreams
-                            );
-                        final LocalIndexResolutionResult result = visible ? SUCCESS : CONCRETE_RESOURCE_NOT_VISIBLE;
-                        resolvedExpressionsBuilder.addLocalExpressions(index, resolvedIndices, result);
-                    } else if (indicesOptions.ignoreUnavailable()) {
-                        // ignoreUnavailable implies that the request should not fail if an index is not authorized
-                        // so we map this expression to an empty list,
-                        resolvedExpressionsBuilder.addLocalExpressions(index, new HashSet<>(), CONCRETE_RESOURCE_UNAUTHORIZED);
-                    } else {
-                        // store the calculated expansion as unauthorized, it will be rejected later
-                        resolvedExpressionsBuilder.addLocalExpressions(index, resolvedIndices, CONCRETE_RESOURCE_UNAUTHORIZED);
-                    }
+                    // store the calculated expansion as unauthorized, it will be rejected later
+                    resolvedExpressionsBuilder.addLocalExpressions(index, resolvedIndices, CONCRETE_RESOURCE_UNAUTHORIZED);
                 }
             }
         }
-        return resolvedExpressionsBuilder.build();
+        return wildcardSeen;
     }
 
     private static void resolveSelectorsAndCollect(