Local index resolution

Author: n1v0lg

server/src/main/java/org/elasticsearch/CrossProjectResolvableRequest.java

@@ -11,9 +11,11 @@
 
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.core.Nullable;
+import org.elasticsearch.transport.RemoteClusterAware;
 
 import java.util.List;
 
+// Extend indices.replaceable instead?
 public interface CrossProjectResolvableRequest extends IndicesRequest {
     /**
      * Only called if cross-project rewriting was applied
@@ -23,10 +25,22 @@ public interface CrossProjectResolvableRequest extends IndicesRequest {
     @Nullable
     List<RewrittenExpression> getRewrittenExpressions();
 
+    default boolean isCrossProjectModeEnabled() {
+        return getRewrittenExpressions() != null;
+    }
+
     /**
      * Used to track a mapping from original expression (potentially flat) to canonical CCS expressions.
      */
     record RewrittenExpression(String original, List<CanonicalExpression> canonicalExpressions) {}
 
-    record CanonicalExpression(String expression) {}
+    record CanonicalExpression(String expression) {
+        public boolean isQualified() {
+            return RemoteClusterAware.isRemoteIndexName(expression);
+        }
+
+        public boolean isUnqualified() {
+            return false == isQualified();
+        }
+    }
 }

server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolver.java

@@ -9,6 +9,9 @@
 
 package org.elasticsearch.cluster.metadata;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.CrossProjectResolvableRequest;
 import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.action.support.UnsupportedSelectorException;
@@ -18,6 +21,7 @@
 import org.elasticsearch.index.Index;
 import org.elasticsearch.index.IndexNotFoundException;
 import org.elasticsearch.indices.SystemIndices.SystemIndexAccessLevel;
+import org.elasticsearch.transport.RemoteClusterAware;
 
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -28,12 +32,118 @@
 
 public class IndexAbstractionResolver {
 
+    private static final Logger logger = LogManager.getLogger(IndexAbstractionResolver.class);
+
     private final IndexNameExpressionResolver indexNameExpressionResolver;
 
     public IndexAbstractionResolver(IndexNameExpressionResolver indexNameExpressionResolver) {
         this.indexNameExpressionResolver = indexNameExpressionResolver;
     }
 
+    public List<CrossProjectResolvableRequest.RewrittenExpression> resolveIndexAbstractionsForOrigin(
+        Iterable<CrossProjectResolvableRequest.RewrittenExpression> rewrittenExpressions,
+        IndicesOptions indicesOptions,
+        ProjectMetadata projectMetadata,
+        Function<IndexComponentSelector, Set<String>> allAuthorizedAndAvailableBySelector,
+        BiPredicate<String, IndexComponentSelector> isAuthorized,
+        boolean includeDataStreams
+    ) {
+        // TODO handle exclusions and consolidate with `resolveIndexAbstractions` somehow, maybe?
+        List<CrossProjectResolvableRequest.RewrittenExpression> finalRewrittenExpressions = new ArrayList<>();
+        for (CrossProjectResolvableRequest.RewrittenExpression rewrittenExpression : rewrittenExpressions) {
+            // qualified original expression, nothing to rewrite (TODO handle origin)
+            if (RemoteClusterAware.isRemoteIndexName(rewrittenExpression.original())) {
+                logger.info("Skipping rewriting of qualified expression [{}] for origin", rewrittenExpression.original());
+                finalRewrittenExpressions.add(rewrittenExpression);
+                continue;
+            }
+            // no expressions targeting origin, also nothing to rewrite
+            if (rewrittenExpression.canonicalExpressions()
+                .stream()
+                .noneMatch(CrossProjectResolvableRequest.CanonicalExpression::isUnqualified)) {
+                logger.info(
+                    "Skipping rewriting of qualified expression [{}] because there are no origin expressions",
+                    rewrittenExpression.original()
+                );
+                finalRewrittenExpressions.add(rewrittenExpression);
+                continue;
+            }
+
+            String indexAbstraction = rewrittenExpression.original();
+
+            // Always check to see if there's a selector on the index expression
+            Tuple<String, String> expressionAndSelector = IndexNameExpressionResolver.splitSelectorExpression(indexAbstraction);
+            String selectorString = expressionAndSelector.v2();
+            if (indicesOptions.allowSelectors() == false && selectorString != null) {
+                throw new UnsupportedSelectorException(indexAbstraction);
+            }
+            indexAbstraction = expressionAndSelector.v1();
+            IndexComponentSelector selector = IndexComponentSelector.getByKeyOrThrow(selectorString);
+
+            // we always need to check for date math expressions
+            indexAbstraction = IndexNameExpressionResolver.resolveDateMathExpression(indexAbstraction);
+
+            if (indicesOptions.expandWildcardExpressions() && Regex.isSimpleMatchPattern(indexAbstraction)) {
+                Set<String> resolvedIndices = new HashSet<>();
+                for (String authorizedIndex : allAuthorizedAndAvailableBySelector.apply(selector)) {
+                    if (Regex.simpleMatch(indexAbstraction, authorizedIndex)
+                        && isIndexVisible(
+                            indexAbstraction,
+                            selectorString,
+                            authorizedIndex,
+                            indicesOptions,
+                            projectMetadata,
+                            indexNameExpressionResolver,
+                            includeDataStreams
+                        )) {
+                        resolveSelectorsAndCollect(authorizedIndex, selectorString, indicesOptions, resolvedIndices, projectMetadata);
+                    }
+                }
+                if (resolvedIndices.isEmpty()) {
+                    // es core honours allow_no_indices for each wildcard expression, we do the same here by throwing index not found.
+                    if (indicesOptions.allowNoIndices() == false) {
+                        // TODO gotta do something here
+                    }
+                    finalRewrittenExpressions.add(replaceOriginIndices(rewrittenExpression, Set.of()));
+                } else {
+                    finalRewrittenExpressions.add(replaceOriginIndices(rewrittenExpression, resolvedIndices));
+                }
+            } else {
+                Set<String> resolvedIndices = new HashSet<>();
+                resolveSelectorsAndCollect(indexAbstraction, selectorString, indicesOptions, resolvedIndices, projectMetadata);
+
+                // TODO this is probably not right?
+                if (indicesOptions.ignoreUnavailable() == false) {
+                    finalRewrittenExpressions.add(replaceOriginIndices(rewrittenExpression, resolvedIndices));
+                } else if (isAuthorized.test(indexAbstraction, selector)) {
+                    finalRewrittenExpressions.add(replaceOriginIndices(rewrittenExpression, resolvedIndices));
+                } else {
+                    finalRewrittenExpressions.add(replaceOriginIndices(rewrittenExpression, Set.of()));
+                }
+            }
+        }
+        // TODO assert size is the same
+        return finalRewrittenExpressions;
+    }
+
+    private static CrossProjectResolvableRequest.RewrittenExpression replaceOriginIndices(
+        CrossProjectResolvableRequest.RewrittenExpression rewrittenExpression,
+        Set<String> resolvedIndices
+    ) {
+        List<CrossProjectResolvableRequest.CanonicalExpression> resolvedOriginalExpressions = resolvedIndices.stream()
+            .map(CrossProjectResolvableRequest.CanonicalExpression::new)
+            .toList();
+        List<CrossProjectResolvableRequest.CanonicalExpression> qualifiedExpressions = rewrittenExpression.canonicalExpressions()
+            .stream()
+            .filter(CrossProjectResolvableRequest.CanonicalExpression::isQualified)
+            .toList();
+        List<CrossProjectResolvableRequest.CanonicalExpression> combined = new ArrayList<>(resolvedOriginalExpressions);
+        combined.addAll(qualifiedExpressions);
+        var e = new CrossProjectResolvableRequest.RewrittenExpression(rewrittenExpression.original(), combined);
+        logger.info("Replaced origin indices for expression [{}] with [{}]", rewrittenExpression, e);
+        return e;
+    }
+
     public List<String> resolveIndexAbstractions(
         Iterable<String> indices,
         IndicesOptions indicesOptions,
@@ -105,6 +215,7 @@ && isIndexVisible(
                     // discarded from the `finalIndices` list. Other "ways of unavailable" must be handled by the action
                     // handler, see: https://github.com/elastic/elasticsearch/issues/90215
                     finalIndices.addAll(resolvedIndices);
+
                 }
             }
         }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java

@@ -174,8 +174,9 @@ void maybeRewriteCrossProjectResolvableRequest(
         for (String indexExpression : indices) {
             boolean isQualified = RemoteClusterAware.isRemoteIndexName(indexExpression);
             if (isQualified) {
+                // TODO handle empty case here -- empty means "search all" in ES which is _not_ what we want
                 List<CrossProjectResolvableRequest.CanonicalExpression> canonicalExpressions = rewriteQualified(indexExpression, projects);
-                // could fail early here in ignore_unavailable_indices and allow_no_indices strict mode if things are empty
+                // could fail early here in ignore_unavailable and allow_no_indices strict mode if things are empty
                 rewrittenExpressions.add(new CrossProjectResolvableRequest.RewrittenExpression(indexExpression, canonicalExpressions));
                 logger.info("Rewrote qualified expression [{}] to [{}]", indexExpression, canonicalExpressions);
             } else {
@@ -444,21 +445,38 @@ ResolvedIndices resolveIndicesAndAliases(
                 // if we cannot replace wildcards the indices list stays empty. Same if there are no authorized indices.
                 // we honour allow_no_indices like es core does.
             } else {
+                if (indicesRequest instanceof CrossProjectResolvableRequest crossProjectResolvableRequest
+                    && crossProjectResolvableRequest.isCrossProjectModeEnabled()) {
+                    assert crossProjectResolvableRequest.getRewrittenExpressions() != null;
+                    List<CrossProjectResolvableRequest.RewrittenExpression> rewrittenExpressions = indexAbstractionResolver
+                        .resolveIndexAbstractionsForOrigin(
+                            crossProjectResolvableRequest.getRewrittenExpressions(),
+                            indicesOptions,
+                            projectMetadata,
+                            authorizedIndices::all,
+                            authorizedIndices::check,
+                            indicesRequest.includeDataStreams()
+                        );
+                    crossProjectResolvableRequest.setRewrittenExpressions(rewrittenExpressions);
+                    assert ((IndicesRequest.Replaceable) indicesRequest).allowsRemoteIndices();
+                    return remoteClusterResolver.splitLocalAndRemoteIndexNames(indicesRequest.indices());
+                }
+
                 final ResolvedIndices split;
                 if (replaceable.allowsRemoteIndices()) {
                     split = remoteClusterResolver.splitLocalAndRemoteIndexNames(indicesRequest.indices());
                 } else {
                     split = new ResolvedIndices(Arrays.asList(indicesRequest.indices()), Collections.emptyList());
                 }
-                List<String> replaced = indexAbstractionResolver.resolveIndexAbstractions(
+                List<String> resolved = indexAbstractionResolver.resolveIndexAbstractions(
                     split.getLocal(),
                     indicesOptions,
                     projectMetadata,
                     authorizedIndices::all,
                     authorizedIndices::check,
                     indicesRequest.includeDataStreams()
                 );
-                resolvedIndicesBuilder.addLocal(replaced);
+                resolvedIndicesBuilder.addLocal(resolved);
                 resolvedIndicesBuilder.addRemote(split.getRemote());
             }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java

@@ -122,7 +122,7 @@ requests from all the nodes are attached with a user (either a serialize
                     });
                 } else {
                     if (SystemUser.is(authentication.getEffectiveSubject().getUser()) == false) {
-                        logger.info(
+                        logger.debug(
                             "Authenticated request [{}] for action [{}] from [{}]",
                             authentication.getEffectiveSubject().getUser(),
                             securityAction,