WIP bypass local permissions check for esql in CPS

richard-dennehy · richard-dennehy · commit 43ed5444b15e · 2025-10-06T16:24:35.000+01:00
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -322,6 +322,7 @@
 import org.elasticsearch.xpack.security.authc.support.mapper.ProjectStateRoleMapper;
 import org.elasticsearch.xpack.security.authz.AuthorizationDenialMessages;
 import org.elasticsearch.xpack.security.authz.AuthorizationService;
+import org.elasticsearch.xpack.security.authz.CustomActionAuthorizationStep;
 import org.elasticsearch.xpack.security.authz.DlsFlsRequestCacheDifferentiator;
 import org.elasticsearch.xpack.security.authz.FileRoleValidator;
 import org.elasticsearch.xpack.security.authz.ReservedRoleNameChecker;
@@ -643,6 +644,7 @@ public class Security extends Plugin
     private final SetOnce<RemoteClusterSecurityExtension.Provider> remoteClusterSecurityExtensionProvider = new SetOnce<>();
     private final SetOnce<RemoteClusterSecurityExtension> remoteClusterSecurityExtension = new SetOnce<>();
     private final SetOnce<RemoteClusterAuthenticationService> remoteClusterAuthenticationService = new SetOnce<>();
+    private final SetOnce<CustomActionAuthorizationStep.Factory> esqlAuthorizationStep = new SetOnce<>();
 
     private final SetOnce<SecurityMigrations.Manager> migrationManager = new SetOnce<>();
     private final SetOnce<List<Closeable>> closableComponents = new SetOnce<>();
@@ -1143,6 +1145,9 @@ Collection<Object> createComponents(
         if (authorizationDenialMessages.get() == null) {
             authorizationDenialMessages.set(new AuthorizationDenialMessages.Default());
         }
+        if (esqlAuthorizationStep.get() == null) {
+            esqlAuthorizationStep.set(new CustomActionAuthorizationStep.Factory.Default());
+        }
         final AuthorizationService authzService = new AuthorizationService(
             settings,
             allRolesStore,
@@ -1160,7 +1165,8 @@ Collection<Object> createComponents(
             restrictedIndices,
             authorizationDenialMessages.get(),
             linkedProjectConfigService,
-            projectResolver
+            projectResolver,
+            esqlAuthorizationStep.get().create(settings, linkedProjectConfigService)
         );
 
         components.add(nativeRolesStore); // used by roles actions
@@ -2524,6 +2530,7 @@ public void loadExtensions(ExtensionLoader loader) {
             RemoteClusterSecurityExtension.Provider.class,
             CrossClusterAccessSecurityExtension.Provider::new
         );
+        loadSingletonExtensionAndSetOnce(loader, esqlAuthorizationStep, CustomActionAuthorizationStep.Factory.class);
     }
 
     private <T> void loadSingletonExtensionAndSetOnce(ExtensionLoader loader, SetOnce<T> setOnce, Class<T> clazz) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -166,7 +166,8 @@ public AuthorizationService(
         RestrictedIndices restrictedIndices,
         AuthorizationDenialMessages authorizationDenialMessages,
         LinkedProjectConfigService linkedProjectConfigService,
-        ProjectResolver projectResolver
+        ProjectResolver projectResolver,
+        CustomActionAuthorizationStep esqlAuthorizationStep
     ) {
         this.clusterService = clusterService;
         this.auditTrailService = auditTrailService;
@@ -182,7 +183,8 @@ public AuthorizationService(
             settings,
             rolesStore,
             fieldPermissionsCache,
-            new LoadAuthorizedIndicesTimeChecker.Factory(logger, settings, clusterService.getClusterSettings())
+            new LoadAuthorizedIndicesTimeChecker.Factory(logger, settings, clusterService.getClusterSettings()),
+            esqlAuthorizationStep
         );
         this.authorizationEngine = authorizationEngine == null ? this.rbacEngine : authorizationEngine;
         this.requestInterceptors = requestInterceptors;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/CustomActionAuthorizationStep.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/CustomActionAuthorizationStep.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authz;
+
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.transport.LinkedProjectConfigService;
+import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
+
+public interface CustomActionAuthorizationStep {
+    boolean authorize(AuthorizationEngine.RequestInfo requestInfo);
+
+    class Default implements CustomActionAuthorizationStep {
+        @Override
+        public boolean authorize(AuthorizationEngine.RequestInfo requestInfo) {
+            return false;
+        }
+    }
+
+    interface Factory {
+        CustomActionAuthorizationStep create(Settings settings, LinkedProjectConfigService linkedProjectConfigService);
+
+        class Default implements Factory {
+            @Override
+            public CustomActionAuthorizationStep create(Settings settings, LinkedProjectConfigService linkedProjectConfigService) {
+                return new CustomActionAuthorizationStep.Default();
+            }
+        }
+    }
+}
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
@@ -153,17 +153,20 @@ public class RBACEngine implements AuthorizationEngine {
     private final CompositeRolesStore rolesStore;
     private final FieldPermissionsCache fieldPermissionsCache;
     private final LoadAuthorizedIndicesTimeChecker.Factory authzIndicesTimerFactory;
+    private final CustomActionAuthorizationStep esqlStep;
 
     public RBACEngine(
         Settings settings,
         CompositeRolesStore rolesStore,
         FieldPermissionsCache fieldPermissionsCache,
-        LoadAuthorizedIndicesTimeChecker.Factory authzIndicesTimerFactory
+        LoadAuthorizedIndicesTimeChecker.Factory authzIndicesTimerFactory,
+        CustomActionAuthorizationStep esqlStep
     ) {
         this.settings = settings;
         this.rolesStore = rolesStore;
         this.fieldPermissionsCache = fieldPermissionsCache;
         this.authzIndicesTimerFactory = authzIndicesTimerFactory;
+        this.esqlStep = esqlStep;
     }
 
     @Override
@@ -334,6 +337,9 @@ public SubscribableListener<IndexAuthorizationResult> authorizeIndexAction(
         } catch (Exception e) {
             return SubscribableListener.newFailed(e);
         }
+        if (esqlStep.authorize(requestInfo)) {
+            return SubscribableListener.newSucceeded(IndexAuthorizationResult.EMPTY);
+        }
         if (TransportActionProxy.isProxyAction(action) || shouldAuthorizeIndexActionNameOnly(action, request)) {
             // we've already validated that the request is a proxy request so we can skip that but we still
             // need to validate that the action is allowed and then move on
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -341,7 +341,8 @@ public void setup() {
             RESTRICTED_INDICES,
             new AuthorizationDenialMessages.Default(),
             linkedProjectConfigService,
-            projectResolver
+            projectResolver,
+            new CustomActionAuthorizationStep.Default()
         );
     }
 
@@ -1775,7 +1776,8 @@ public void testDenialForAnonymousUser() {
             RESTRICTED_INDICES,
             new AuthorizationDenialMessages.Default(),
             linkedProjectConfigService,
-            projectResolver
+            projectResolver,
+            new CustomActionAuthorizationStep.Default()
         );
 
         RoleDescriptor role = new RoleDescriptor(
@@ -1826,7 +1828,8 @@ public void testDenialForAnonymousUserAuthorizationExceptionDisabled() {
             RESTRICTED_INDICES,
             new AuthorizationDenialMessages.Default(),
             linkedProjectConfigService,
-            projectResolver
+            projectResolver,
+            new CustomActionAuthorizationStep.Default()
         );
 
         RoleDescriptor role = new RoleDescriptor(
@@ -3365,7 +3368,8 @@ public void testAuthorizationEngineSelectionForCheckPrivileges() throws Exceptio
             RESTRICTED_INDICES,
             new AuthorizationDenialMessages.Default(),
             linkedProjectConfigService,
-            projectResolver
+            projectResolver,
+            new CustomActionAuthorizationStep.Default()
         );
 
         Subject subject = new Subject(new User("test", "a role"), mock(RealmRef.class));
@@ -3522,7 +3526,8 @@ public void getUserPrivileges(AuthorizationInfo authorizationInfo, ActionListene
             RESTRICTED_INDICES,
             new AuthorizationDenialMessages.Default(),
             linkedProjectConfigService,
-            projectResolver
+            projectResolver,
+            new CustomActionAuthorizationStep.Default()
         );
         Authentication authentication;
         try (StoredContext ignore = threadContext.stashContext()) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/RBACEngineTests.java
@@ -172,7 +172,13 @@ public void createEngine() {
         final LoadAuthorizedIndicesTimeChecker.Factory timerFactory = mock(LoadAuthorizedIndicesTimeChecker.Factory.class);
         when(timerFactory.newTimer(any())).thenReturn(LoadAuthorizedIndicesTimeChecker.NO_OP_CONSUMER);
         rolesStore = mock(CompositeRolesStore.class);
-        engine = new RBACEngine(Settings.EMPTY, rolesStore, new FieldPermissionsCache(Settings.EMPTY), timerFactory);
+        engine = new RBACEngine(
+            Settings.EMPTY,
+            rolesStore,
+            new FieldPermissionsCache(Settings.EMPTY),
+            timerFactory,
+            new CustomActionAuthorizationStep.Default()
+        );
     }
 
     public void testResolveAuthorizationInfoForEmptyRolesWithAuthentication() {
