Merge branch 'main' into 2025/06/30/add-node-level-write-load-stats

Author: DiannaHohensee

docs/changelog/130427.yaml

@@ -1,5 +1,17 @@
 pr: 130427
-summary: Disallow brackets in unquoted index pattersn
+summary: Disallow brackets in unquoted index patterns
 area: ES|QL
-type: bug
-issues: []
+type: breaking
+issues:
+  - 130378
+breaking:
+  title: Unquoted index patterns do not allow `(` and `)` characters
+  area: ES|QL
+  details: >-
+    Previously, ES|QL accepted unquoted index patterns containing brackets, such as `FROM index(1) | ENRICH policy(2)`.
+
+    This query syntax is no longer valid because it could conflict with subquery syntax, where brackets are used as delimiters.
+
+    Brackets are now only allowed in quoted index patterns. For example: `FROM "index(1)" | ENRICH "policy(2)"`.
+  impact: "This affects existing queries containing brackets in index or policy names, i.e. in FROM, ENRICH, and LOOKUP JOIN commands."
+  notable: false

docs/changelog/130909.yaml

@@ -0,0 +1,5 @@
+pr: 130909
+summary: Allow adjustment of transport TLS handshake timeout
+area: Network
+type: enhancement
+issues: []

docs/changelog/130914.yaml

@@ -0,0 +1,6 @@
+pr: 130914
+summary: Fix LIMIT NPE with null value
+area: ES|QL
+type: bug
+issues:
+ - 130908

docs/reference/elasticsearch/configuration-reference/security-settings.md

@@ -1933,6 +1933,8 @@ You can configure the following TLS/SSL settings.
 `xpack.security.transport.ssl.trust_restrictions.x509_fields` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")
 :   Specifies which field(s) from the TLS certificate is used to match for the restricted trust management that is used for remote clusters connections. This should only be set when a self managed cluster can not create certificates that follow the Elastic Cloud pattern. The default value is ["subjectAltName.otherName.commonName"], the Elastic Cloud pattern. "subjectAltName.dnsName" is also supported and can be configured in addition to or in replacement of the default.
 
+`xpack.security.transport.ssl.handshake_timeout`
+:   Specifies the timeout for a TLS handshake when opening a transport connection. Defaults to `10s`.
 
 ### Transport TLS/SSL key and trusted certificate settings [security-transport-tls-ssl-key-trusted-certificate-settings]
 
@@ -2131,6 +2133,9 @@ You can configure the following TLS/SSL settings.
 
     For more information, see Oracle’s [Java Cryptography Architecture documentation](https://docs.oracle.com/en/java/javase/11/security/oracle-providers.md#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2).
 
+`xpack.security.remote_cluster_server.ssl.handshake_timeout`
+:   Specifies the timeout for a TLS handshake when handling an inbound remote-cluster connection. Defaults to `10s`.
+
 
 ### Remote cluster server (API key based model) TLS/SSL key and trusted certificate settings [security-remote-cluster-server-tls-ssl-key-trusted-certificate-settings]
 
@@ -2260,6 +2265,9 @@ You can configure the following TLS/SSL settings.
 
     For more information, see Oracle’s [Java Cryptography Architecture documentation](https://docs.oracle.com/en/java/javase/11/security/oracle-providers.md#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2).
 
+`xpack.security.remote_cluster_client.ssl.handshake_timeout`
+:   Specifies the timeout for a TLS handshake when opening a remote-cluster connection. Defaults to `10s`.
+
 
 ### Remote cluster client (API key based model) TLS/SSL key and trusted certificate settings [security-remote-cluster-client-tls-ssl-key-trusted-certificate-settings]
 

libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java

@@ -40,7 +40,8 @@ public record SslConfiguration(
     SslVerificationMode verificationMode,
     SslClientAuthenticationMode clientAuth,
     List<String> ciphers,
-    List<String> supportedProtocols
+    List<String> supportedProtocols,
+    long handshakeTimeoutMillis
 ) {
 
     /**
@@ -71,7 +72,8 @@ public SslConfiguration(
         SslVerificationMode verificationMode,
         SslClientAuthenticationMode clientAuth,
         List<String> ciphers,
-        List<String> supportedProtocols
+        List<String> supportedProtocols,
+        long handshakeTimeoutMillis
     ) {
         this.settingPrefix = settingPrefix;
         this.explicitlyConfigured = explicitlyConfigured;
@@ -85,6 +87,10 @@ public SslConfiguration(
         this.keyConfig = Objects.requireNonNull(keyConfig, "key config cannot be null");
         this.verificationMode = Objects.requireNonNull(verificationMode, "verification mode cannot be null");
         this.clientAuth = Objects.requireNonNull(clientAuth, "client authentication cannot be null");
+        if (handshakeTimeoutMillis < 1L) {
+            throw new SslConfigException("handshake timeout must be at least 1ms");
+        }
+        this.handshakeTimeoutMillis = handshakeTimeoutMillis;
         this.ciphers = Collections.unmodifiableList(ciphers);
         this.supportedProtocols = Collections.unmodifiableList(supportedProtocols);
     }
@@ -164,11 +170,21 @@ public boolean equals(Object o) {
             && this.verificationMode == that.verificationMode
             && this.clientAuth == that.clientAuth
             && Objects.equals(this.ciphers, that.ciphers)
-            && Objects.equals(this.supportedProtocols, that.supportedProtocols);
+            && Objects.equals(this.supportedProtocols, that.supportedProtocols)
+            && this.handshakeTimeoutMillis == that.handshakeTimeoutMillis;
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(settingPrefix, trustConfig, keyConfig, verificationMode, clientAuth, ciphers, supportedProtocols);
+        return Objects.hash(
+            settingPrefix,
+            trustConfig,
+            keyConfig,
+            verificationMode,
+            clientAuth,
+            ciphers,
+            supportedProtocols,
+            handshakeTimeoutMillis
+        );
     }
 }

libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationKeys.java

@@ -132,6 +132,10 @@ public class SslConfigurationKeys {
      * The use of this setting {@link #isDeprecated(String) is deprecated}.
      */
     public static final String KEY_LEGACY_PASSPHRASE = "key_passphrase";
+    /**
+     * The timeout for TLS handshakes in this context.
+     */
+    public static final String HANDSHAKE_TIMEOUT = "handshake_timeout";
 
     private static final Set<String> DEPRECATED_KEYS = new HashSet<>(
         Arrays.asList(TRUSTSTORE_LEGACY_PASSWORD, KEYSTORE_LEGACY_PASSWORD, KEYSTORE_LEGACY_KEY_PASSWORD, KEY_LEGACY_PASSPHRASE)

libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java

@@ -10,6 +10,7 @@
 package org.elasticsearch.common.ssl;
 
 import org.elasticsearch.core.Nullable;
+import org.elasticsearch.core.TimeValue;
 
 import java.nio.file.Path;
 import java.security.KeyStore;
@@ -27,6 +28,7 @@
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CERTIFICATE_AUTHORITIES;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CIPHERS;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CLIENT_AUTH;
+import static org.elasticsearch.common.ssl.SslConfigurationKeys.HANDSHAKE_TIMEOUT;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.KEY;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.KEYSTORE_ALGORITHM;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.KEYSTORE_LEGACY_KEY_PASSWORD;
@@ -152,6 +154,8 @@ public abstract class SslConfigurationLoader {
     private static final char[] EMPTY_PASSWORD = new char[0];
     public static final List<X509Field> GLOBAL_DEFAULT_RESTRICTED_TRUST_FIELDS = List.of(X509Field.SAN_OTHERNAME_COMMONNAME);
 
+    public static final TimeValue DEFAULT_HANDSHAKE_TIMEOUT = TimeValue.timeValueSeconds(10);
+
     private final String settingPrefix;
 
     private SslTrustConfig defaultTrustConfig;
@@ -302,6 +306,11 @@ public SslConfiguration load(Path basePath) {
             X509Field::parseForRestrictedTrust,
             defaultRestrictedTrustFields
         );
+        final long handshakeTimeoutMillis = resolveSetting(
+            HANDSHAKE_TIMEOUT,
+            s -> TimeValue.parseTimeValue(s, HANDSHAKE_TIMEOUT),
+            DEFAULT_HANDSHAKE_TIMEOUT
+        ).millis();
 
         final SslKeyConfig keyConfig = buildKeyConfig(basePath);
         final SslTrustConfig trustConfig = buildTrustConfig(basePath, verificationMode, keyConfig, Set.copyOf(trustRestrictionsX509Fields));
@@ -321,7 +330,8 @@ public SslConfiguration load(Path basePath) {
             verificationMode,
             clientAuth,
             ciphers,
-            protocols
+            protocols,
+            handshakeTimeoutMillis
         );
     }
 

libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/SslConfigurationTests.java

@@ -39,6 +39,7 @@ public void testBasicConstruction() {
         final SslClientAuthenticationMode clientAuth = randomFrom(SslClientAuthenticationMode.values());
         final List<String> ciphers = randomSubsetOf(randomIntBetween(1, DEFAULT_CIPHERS.size()), DEFAULT_CIPHERS);
         final List<String> protocols = randomSubsetOf(randomIntBetween(1, 4), VALID_PROTOCOLS);
+        final long handshakeTimeoutMillis = randomHandshakeTimeoutMillis();
         final SslConfiguration configuration = new SslConfiguration(
             "test.ssl",
             true,
@@ -47,7 +48,8 @@ public void testBasicConstruction() {
             verificationMode,
             clientAuth,
             ciphers,
-            protocols
+            protocols,
+            handshakeTimeoutMillis
         );
 
         assertThat(configuration.trustConfig(), is(trustConfig));
@@ -56,13 +58,15 @@ public void testBasicConstruction() {
         assertThat(configuration.clientAuth(), is(clientAuth));
         assertThat(configuration.getCipherSuites(), is(ciphers));
         assertThat(configuration.supportedProtocols(), is(protocols));
+        assertThat(configuration.handshakeTimeoutMillis(), is(handshakeTimeoutMillis));
 
         assertThat(configuration.toString(), containsString("TEST-TRUST"));
         assertThat(configuration.toString(), containsString("TEST-KEY"));
         assertThat(configuration.toString(), containsString(verificationMode.toString()));
         assertThat(configuration.toString(), containsString(clientAuth.toString()));
         assertThat(configuration.toString(), containsString(randomFrom(ciphers)));
         assertThat(configuration.toString(), containsString(randomFrom(protocols)));
+        assertThat(configuration.toString(), containsString("handshakeTimeoutMillis=" + handshakeTimeoutMillis));
     }
 
     public void testEqualsAndHashCode() {
@@ -72,6 +76,7 @@ public void testEqualsAndHashCode() {
         final SslClientAuthenticationMode clientAuth = randomFrom(SslClientAuthenticationMode.values());
         final List<String> ciphers = randomSubsetOf(randomIntBetween(1, DEFAULT_CIPHERS.size() - 1), DEFAULT_CIPHERS);
         final List<String> protocols = randomSubsetOf(randomIntBetween(1, VALID_PROTOCOLS.length - 1), VALID_PROTOCOLS);
+        final long handshakeTimeoutMillis = randomHandshakeTimeoutMillis();
         final SslConfiguration configuration = new SslConfiguration(
             "test.ssl",
             true,
@@ -80,7 +85,8 @@ public void testEqualsAndHashCode() {
             verificationMode,
             clientAuth,
             ciphers,
-            protocols
+            protocols,
+            handshakeTimeoutMillis
         );
 
         EqualsHashCodeTestUtils.checkEqualsAndHashCode(
@@ -93,14 +99,15 @@ public void testEqualsAndHashCode() {
                 orig.verificationMode(),
                 orig.clientAuth(),
                 orig.getCipherSuites(),
-                orig.supportedProtocols()
+                orig.supportedProtocols(),
+                orig.handshakeTimeoutMillis()
             ),
             this::mutateSslConfiguration
         );
     }
 
     private SslConfiguration mutateSslConfiguration(SslConfiguration orig) {
-        return switch (randomIntBetween(1, 4)) {
+        return switch (randomIntBetween(1, 5)) {
             case 1 -> new SslConfiguration(
                 "test.ssl",
                 true,
@@ -109,7 +116,8 @@ private SslConfiguration mutateSslConfiguration(SslConfiguration orig) {
                 randomValueOtherThan(orig.verificationMode(), () -> randomFrom(SslVerificationMode.values())),
                 orig.clientAuth(),
                 orig.getCipherSuites(),
-                orig.supportedProtocols()
+                orig.supportedProtocols(),
+                orig.handshakeTimeoutMillis()
             );
             case 2 -> new SslConfiguration(
                 "test.ssl",
@@ -119,7 +127,8 @@ private SslConfiguration mutateSslConfiguration(SslConfiguration orig) {
                 orig.verificationMode(),
                 randomValueOtherThan(orig.clientAuth(), () -> randomFrom(SslClientAuthenticationMode.values())),
                 orig.getCipherSuites(),
-                orig.supportedProtocols()
+                orig.supportedProtocols(),
+                orig.handshakeTimeoutMillis()
             );
             case 3 -> new SslConfiguration(
                 "test.ssl",
@@ -129,7 +138,19 @@ private SslConfiguration mutateSslConfiguration(SslConfiguration orig) {
                 orig.verificationMode(),
                 orig.clientAuth(),
                 DEFAULT_CIPHERS,
-                orig.supportedProtocols()
+                orig.supportedProtocols(),
+                orig.handshakeTimeoutMillis()
+            );
+            case 4 -> new SslConfiguration(
+                "test.ssl",
+                true,
+                orig.trustConfig(),
+                orig.keyConfig(),
+                orig.verificationMode(),
+                orig.clientAuth(),
+                orig.getCipherSuites(),
+                Arrays.asList(VALID_PROTOCOLS),
+                orig.handshakeTimeoutMillis()
             );
             default -> new SslConfiguration(
                 "test.ssl",
@@ -139,11 +160,16 @@ private SslConfiguration mutateSslConfiguration(SslConfiguration orig) {
                 orig.verificationMode(),
                 orig.clientAuth(),
                 orig.getCipherSuites(),
-                Arrays.asList(VALID_PROTOCOLS)
+                orig.supportedProtocols(),
+                randomValueOtherThan(orig.handshakeTimeoutMillis(), SslConfigurationTests::randomHandshakeTimeoutMillis)
             );
         };
     }
 
+    private static long randomHandshakeTimeoutMillis() {
+        return randomLongBetween(1, 100000);
+    }
+
     public void testDependentFiles() {
         final SslTrustConfig trustConfig = Mockito.mock(SslTrustConfig.class);
         final SslKeyConfig keyConfig = Mockito.mock(SslKeyConfig.class);
@@ -155,7 +181,8 @@ public void testDependentFiles() {
             randomFrom(SslVerificationMode.values()),
             randomFrom(SslClientAuthenticationMode.values()),
             DEFAULT_CIPHERS,
-            SslConfigurationLoader.DEFAULT_PROTOCOLS
+            SslConfigurationLoader.DEFAULT_PROTOCOLS,
+            randomHandshakeTimeoutMillis()
         );
 
         final Path dir = createTempDir();
@@ -182,7 +209,8 @@ public void testBuildSslContext() {
             randomFrom(SslVerificationMode.values()),
             randomFrom(SslClientAuthenticationMode.values()),
             DEFAULT_CIPHERS,
-            Collections.singletonList(protocol)
+            Collections.singletonList(protocol),
+            randomHandshakeTimeoutMillis()
         );
 
         Mockito.when(trustConfig.createTrustManager()).thenReturn(null);

muted-tests.yml

@@ -576,6 +576,9 @@ tests:
 - class: org.elasticsearch.xpack.esql.action.EsqlActionBreakerIT
   method: testRowStatsProjectGroupByInt
   issue: https://github.com/elastic/elasticsearch/issues/131024
+- class: org.elasticsearch.xpack.esql.qa.mixed.EsqlClientYamlIT
+  method: test {p0=esql/60_enrich/Enrich in fork}
+  issue: https://github.com/elastic/elasticsearch/issues/131028
 
 # Examples:
 #

server/src/main/java/org/elasticsearch/tasks/TaskManager.java

@@ -170,21 +170,33 @@ public Task register(String type, String action, TaskAwareRequest request, boole
             Task previousTask = tasks.put(task.getId(), task);
             assert previousTask == null;
             if (traceRequest) {
-                startTrace(threadContext, task);
+                maybeStartTrace(threadContext, task);
             }
         }
         return task;
     }
 
-    // package private for testing
-    void startTrace(ThreadContext threadContext, Task task) {
+    /**
+     * Start a new trace span if a parent trace context already exists.
+     * For REST actions this will be the case, otherwise {@link Tracer#startTrace} can be used.
+     */
+    void maybeStartTrace(ThreadContext threadContext, Task task) {
+        if (threadContext.hasParentTraceContext() == false) {
+            return;
+        }
         TaskId parentTask = task.getParentTaskId();
         Map<String, Object> attributes = parentTask.isSet()
             ? Map.of(Tracer.AttributeKeys.TASK_ID, task.getId(), Tracer.AttributeKeys.PARENT_TASK_ID, parentTask.toString())
             : Map.of(Tracer.AttributeKeys.TASK_ID, task.getId());
         tracer.startTrace(threadContext, task, task.getAction(), attributes);
     }
 
+    void maybeStopTrace(ThreadContext threadContext, Task task) {
+        if (threadContext.hasTraceContext()) {
+            tracer.stopTrace(task);
+        }
+    }
+
     public <Request extends ActionRequest, Response extends ActionResponse> Task registerAndExecute(
         String type,
         TransportAction<Request, Response> action,
@@ -247,7 +259,7 @@ private void registerCancellableTask(Task task, long requestId, boolean traceReq
         CancellableTaskHolder holder = new CancellableTaskHolder(cancellableTask);
         cancellableTasks.put(task, requestId, holder);
         if (traceRequest) {
-            startTrace(threadPool.getThreadContext(), task);
+            maybeStartTrace(threadPool.getThreadContext(), task);
         }
         // Check if this task was banned before we start it.
         if (task.getParentTaskId().isSet()) {
@@ -346,7 +358,7 @@ public Task unregister(Task task) {
                 return removedTask;
             }
         } finally {
-            tracer.stopTrace(task);
+            maybeStopTrace(threadPool.getThreadContext(), task);
             for (RemovedTaskListener listener : removedTaskListeners) {
                 listener.onRemoved(task);
             }