Add security index metadata -> metadata_flattened field migration for Roles (#108318)

* Add security index field migration for metadata

Author: jfreden

server/src/main/java/org/elasticsearch/TransportVersions.java

@@ -177,6 +177,7 @@ static TransportVersion def(int id) {
     public static final TransportVersion ESQL_ADD_INDEX_MODE_TO_SOURCE = def(8_668_00_0);
     public static final TransportVersion GET_SHUTDOWN_STATUS_TIMEOUT = def(8_669_00_0);
     public static final TransportVersion FAILURE_STORE_TELEMETRY = def(8_670_00_0);
+    public static final TransportVersion ADD_METADATA_FLATTENED_TO_ROLES = def(8_671_00_0);
 
     /*
      * STOP! READ THIS FIRST! No, really,

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackClientPlugin.java

@@ -89,6 +89,7 @@
 import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions;
 import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivileges;
+import org.elasticsearch.xpack.core.security.support.SecurityMigrationTaskParams;
 import org.elasticsearch.xpack.core.slm.SLMFeatureSetUsage;
 import org.elasticsearch.xpack.core.slm.SnapshotLifecycleMetadata;
 import org.elasticsearch.xpack.core.spatial.SpatialFeatureSetUsage;
@@ -298,7 +299,12 @@ public List<NamedWriteableRegistry.Entry> getNamedWriteables() {
                 XPackField.ENTERPRISE_SEARCH,
                 EnterpriseSearchFeatureSetUsage::new
             ),
-            new NamedWriteableRegistry.Entry(XPackFeatureSet.Usage.class, XPackField.UNIVERSAL_PROFILING, ProfilingUsage::new)
+            new NamedWriteableRegistry.Entry(XPackFeatureSet.Usage.class, XPackField.UNIVERSAL_PROFILING, ProfilingUsage::new),
+            new NamedWriteableRegistry.Entry(
+                PersistentTaskParams.class,
+                SecurityMigrationTaskParams.TASK_NAME,
+                SecurityMigrationTaskParams::new
+            )
         ).filter(Objects::nonNull).toList();
     }
 
@@ -369,6 +375,11 @@ public List<NamedXContentRegistry.Entry> getNamedXContent() {
                 Metadata.Custom.class,
                 new ParseField(TransformMetadata.TYPE),
                 parser -> TransformMetadata.LENIENT_PARSER.parse(parser, null).build()
+            ),
+            new NamedXContentRegistry.Entry(
+                PersistentTaskParams.class,
+                new ParseField(SecurityMigrationTaskParams.TASK_NAME),
+                SecurityMigrationTaskParams::fromXContent
             )
         );
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/UpdateIndexMigrationVersionAction.java

@@ -0,0 +1,191 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.action;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.ActionType;
+import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.action.support.master.MasterNodeRequest;
+import org.elasticsearch.action.support.master.TransportMasterNodeAction;
+import org.elasticsearch.cluster.ClusterState;
+import org.elasticsearch.cluster.ClusterStateTaskListener;
+import org.elasticsearch.cluster.SimpleBatchedExecutor;
+import org.elasticsearch.cluster.block.ClusterBlockException;
+import org.elasticsearch.cluster.block.ClusterBlockLevel;
+import org.elasticsearch.cluster.metadata.IndexMetadata;
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.cluster.metadata.Metadata;
+import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.cluster.service.MasterServiceTaskQueue;
+import org.elasticsearch.common.Priority;
+import org.elasticsearch.common.collect.ImmutableOpenMap;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.core.TimeValue;
+import org.elasticsearch.core.Tuple;
+import org.elasticsearch.tasks.Task;
+import org.elasticsearch.threadpool.ThreadPool;
+import org.elasticsearch.transport.TransportService;
+
+import java.io.IOException;
+import java.util.Map;
+
+/**
+ * Updates the migration version in the custom metadata for an index in cluster state
+ */
+public class UpdateIndexMigrationVersionAction extends ActionType<UpdateIndexMigrationVersionResponse> {
+
+    public static final UpdateIndexMigrationVersionAction INSTANCE = new UpdateIndexMigrationVersionAction();
+    public static final String NAME = "internal:index/metadata/migration_version/update";
+    public static final String MIGRATION_VERSION_CUSTOM_KEY = "migration_version";
+    public static final String MIGRATION_VERSION_CUSTOM_DATA_KEY = "version";
+
+    public UpdateIndexMigrationVersionAction() {
+        super(NAME);
+    }
+
+    public static class Request extends MasterNodeRequest<Request> {
+        private final int indexMigrationVersion;
+        private final String indexName;
+
+        public Request(TimeValue timeout, int indexMigrationVersion, String indexName) {
+            super(timeout);
+            this.indexMigrationVersion = indexMigrationVersion;
+            this.indexName = indexName;
+        }
+
+        protected Request(StreamInput in) throws IOException {
+            super(in);
+            this.indexMigrationVersion = in.readInt();
+            this.indexName = in.readString();
+        }
+
+        @Override
+        public void writeTo(StreamOutput out) throws IOException {
+            super.writeTo(out);
+            out.writeInt(indexMigrationVersion);
+            out.writeString(indexName);
+        }
+
+        @Override
+        public ActionRequestValidationException validate() {
+            return null;
+        }
+
+        public int getIndexMigrationVersion() {
+            return indexMigrationVersion;
+        }
+
+        public String getIndexName() {
+            return indexName;
+        }
+    }
+
+    public static class TransportAction extends TransportMasterNodeAction<Request, UpdateIndexMigrationVersionResponse> {
+        private final MasterServiceTaskQueue<UpdateIndexMigrationVersionTask> updateIndexMigrationVersionTaskQueue;
+
+        @Inject
+        public TransportAction(
+            TransportService transportService,
+            ClusterService clusterService,
+            ThreadPool threadPool,
+            ActionFilters actionFilters,
+            IndexNameExpressionResolver indexNameExpressionResolver
+        ) {
+            super(
+                UpdateIndexMigrationVersionAction.NAME,
+                transportService,
+                clusterService,
+                threadPool,
+                actionFilters,
+                Request::new,
+                indexNameExpressionResolver,
+                UpdateIndexMigrationVersionResponse::new,
+                threadPool.executor(ThreadPool.Names.MANAGEMENT)
+            );
+            this.updateIndexMigrationVersionTaskQueue = clusterService.createTaskQueue(
+                "update-index-migration-version-task-queue",
+                Priority.LOW,
+                UPDATE_INDEX_MIGRATION_VERSION_TASK_EXECUTOR
+            );
+        }
+
+        private static final SimpleBatchedExecutor<UpdateIndexMigrationVersionTask, Void> UPDATE_INDEX_MIGRATION_VERSION_TASK_EXECUTOR =
+            new SimpleBatchedExecutor<>() {
+                @Override
+                public Tuple<ClusterState, Void> executeTask(UpdateIndexMigrationVersionTask task, ClusterState clusterState) {
+                    return Tuple.tuple(task.execute(clusterState), null);
+                }
+
+                @Override
+                public void taskSucceeded(UpdateIndexMigrationVersionTask task, Void unused) {
+                    task.listener.onResponse(null);
+                }
+            };
+
+        static class UpdateIndexMigrationVersionTask implements ClusterStateTaskListener {
+            private final ActionListener<Void> listener;
+            private final int indexMigrationVersion;
+            private final String indexName;
+
+            UpdateIndexMigrationVersionTask(ActionListener<Void> listener, int indexMigrationVersion, String indexName) {
+                this.listener = listener;
+                this.indexMigrationVersion = indexMigrationVersion;
+                this.indexName = indexName;
+            }
+
+            ClusterState execute(ClusterState currentState) {
+                IndexMetadata.Builder indexMetadataBuilder = IndexMetadata.builder(currentState.metadata().getIndices().get(indexName));
+                indexMetadataBuilder.putCustom(
+                    MIGRATION_VERSION_CUSTOM_KEY,
+                    Map.of(MIGRATION_VERSION_CUSTOM_DATA_KEY, Integer.toString(indexMigrationVersion))
+                );
+                indexMetadataBuilder.version(indexMetadataBuilder.version() + 1);
+
+                final ImmutableOpenMap.Builder<String, IndexMetadata> builder = ImmutableOpenMap.builder(
+                    currentState.metadata().getIndices()
+                );
+                builder.put(indexName, indexMetadataBuilder.build());
+
+                return ClusterState.builder(currentState)
+                    .metadata(Metadata.builder(currentState.metadata()).indices(builder.build()).build())
+                    .build();
+            }
+
+            @Override
+            public void onFailure(Exception e) {
+                listener.onFailure(e);
+            }
+        }
+
+        @Override
+        protected void masterOperation(
+            Task task,
+            Request request,
+            ClusterState state,
+            ActionListener<UpdateIndexMigrationVersionResponse> listener
+        ) throws Exception {
+            updateIndexMigrationVersionTaskQueue.submitTask(
+                "Updating cluster state with a new index migration version",
+                new UpdateIndexMigrationVersionTask(
+                    ActionListener.wrap(response -> listener.onResponse(new UpdateIndexMigrationVersionResponse()), listener::onFailure),
+                    request.getIndexMigrationVersion(),
+                    request.getIndexName()
+                ),
+                null
+            );
+        }
+
+        @Override
+        protected ClusterBlockException checkBlock(Request request, ClusterState state) {
+            return state.blocks().indicesBlockedException(ClusterBlockLevel.METADATA_WRITE, new String[] { request.getIndexName() });
+        }
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/UpdateIndexMigrationVersionResponse.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.action;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+
+public class UpdateIndexMigrationVersionResponse extends ActionResponse {
+    public UpdateIndexMigrationVersionResponse(StreamInput in) throws IOException {
+        super(in);
+    }
+
+    public UpdateIndexMigrationVersionResponse() {}
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {}
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java

@@ -416,6 +416,10 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
         return toXContent(builder, params, false);
     }
 
+    public XContentBuilder toXContent(XContentBuilder builder, Params params, boolean docCreation) throws IOException {
+        return toXContent(builder, params, docCreation, false);
+    }
+
     /**
      * Generates x-content for this {@link RoleDescriptor} instance.
      *
@@ -424,10 +428,12 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
      * @param docCreation {@code true} if the x-content is being generated for creating a document
      *                    in the security index, {@code false} if the x-content being generated
      *                    is for API display purposes
+     * @param includeMetadataFlattened {@code true} if the metadataFlattened field should be included in doc
      * @return x-content builder
      * @throws IOException if there was an error writing the x-content to the builder
      */
-    public XContentBuilder toXContent(XContentBuilder builder, Params params, boolean docCreation) throws IOException {
+    public XContentBuilder toXContent(XContentBuilder builder, Params params, boolean docCreation, boolean includeMetadataFlattened)
+        throws IOException {
         builder.startObject();
         builder.array(Fields.CLUSTER.getPreferredName(), clusterPrivileges);
         if (configurableClusterPrivileges.length != 0) {
@@ -440,6 +446,9 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params, boolea
             builder.array(Fields.RUN_AS.getPreferredName(), runAs);
         }
         builder.field(Fields.METADATA.getPreferredName(), metadata);
+        if (includeMetadataFlattened) {
+            builder.field(Fields.METADATA_FLATTENED.getPreferredName(), metadata);
+        }
         if (docCreation) {
             builder.field(Fields.TYPE.getPreferredName(), ROLE_TYPE);
         } else {
@@ -584,6 +593,16 @@ public RoleDescriptor parse(String name, XContentParser parser) throws IOExcepti
                                 );
                             }
                             metadata = parser.map();
+                        } else if (Fields.METADATA_FLATTENED.match(currentFieldName, parser.getDeprecationHandler())) {
+                            if (token != XContentParser.Token.START_OBJECT) {
+                                throw new ElasticsearchParseException(
+                                    "expected field [{}] to be of type object, but found [{}] instead",
+                                    currentFieldName,
+                                    token
+                                );
+                            }
+                            // consume object but just drop
+                            parser.map();
                         } else if (Fields.TRANSIENT_METADATA.match(currentFieldName, parser.getDeprecationHandler())) {
                             if (token == XContentParser.Token.START_OBJECT) {
                                 // consume object but just drop
@@ -1856,6 +1875,8 @@ public interface Fields {
         ParseField GRANT_FIELDS = new ParseField("grant");
         ParseField EXCEPT_FIELDS = new ParseField("except");
         ParseField METADATA = new ParseField("metadata");
+
+        ParseField METADATA_FLATTENED = new ParseField("metadata_flattened");
         ParseField TRANSIENT_METADATA = new ParseField("transient_metadata");
         ParseField TYPE = new ParseField("type");
         ParseField RESTRICTION = new ParseField("restriction");

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/SecurityMigrationTaskParams.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.support;
+
+import org.elasticsearch.TransportVersion;
+import org.elasticsearch.TransportVersions;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.persistent.PersistentTaskParams;
+import org.elasticsearch.xcontent.ConstructingObjectParser;
+import org.elasticsearch.xcontent.ParseField;
+import org.elasticsearch.xcontent.ToXContent;
+import org.elasticsearch.xcontent.XContentBuilder;
+import org.elasticsearch.xcontent.XContentParser;
+
+import java.io.IOException;
+
+import static org.elasticsearch.xcontent.ConstructingObjectParser.constructorArg;
+
+public class SecurityMigrationTaskParams implements PersistentTaskParams {
+    public static final String TASK_NAME = "security-migration";
+
+    private final int migrationVersion;
+
+    public static final ConstructingObjectParser<SecurityMigrationTaskParams, Void> PARSER = new ConstructingObjectParser<>(
+        TASK_NAME,
+        true,
+        (arr) -> new SecurityMigrationTaskParams((int) arr[0])
+    );
+
+    static {
+        PARSER.declareInt(constructorArg(), new ParseField("migration_version"));
+    }
+
+    public SecurityMigrationTaskParams(int migrationVersion) {
+        this.migrationVersion = migrationVersion;
+    }
+
+    public SecurityMigrationTaskParams(StreamInput in) throws IOException {
+        this.migrationVersion = in.readInt();
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeInt(migrationVersion);
+    }
+
+    @Override
+    public String getWriteableName() {
+        return TASK_NAME;
+    }
+
+    @Override
+    public TransportVersion getMinimalSupportedVersion() {
+        return TransportVersions.ADD_METADATA_FLATTENED_TO_ROLES;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
+        builder.startObject();
+        builder.field("migration_version", migrationVersion);
+        builder.endObject();
+        return builder;
+    }
+
+    public static SecurityMigrationTaskParams fromXContent(XContentParser parser) {
+        return PARSER.apply(parser, null);
+    }
+
+    public int getMigrationVersion() {
+        return migrationVersion;
+    }
+}