Merge remote-tracking branch 'origin/main' into otlp-histograms

Author: felixbarny

docs/changelog/132967.yaml

@@ -0,0 +1,5 @@
+pr: 132967
+summary: ES-11331 streams params restriction
+area: Data streams
+type: enhancement
+issues: []

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -136,6 +136,10 @@ public interface EntitlementChecker {
 
     void check$java_net_URLClassLoader$(Class<?> callerClass, String name, URL[] urls, ClassLoader parent, URLStreamHandlerFactory factory);
 
+    void check$java_net_URLClassLoader$$newInstance(Class<?> callerClass, URL[] urls, ClassLoader parent);
+
+    void check$java_net_URLClassLoader$$newInstance(Class<?> callerClass, URL[] urls);
+
     void check$java_security_SecureClassLoader$(Class<?> callerClass);
 
     void check$java_security_SecureClassLoader$(Class<?> callerClass, ClassLoader parent);

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/JvmActions.java

@@ -72,6 +72,20 @@ static void createClassLoader() throws IOException {
         }
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createClassLoaderNewInstance1() throws IOException {
+        try (var classLoader = URLClassLoader.newInstance(new URL[0])) {
+            // intentionally empty, just let the loader close
+        }
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createClassLoaderNewInstance2() throws IOException {
+        try (var classLoader = URLClassLoader.newInstance(new URL[0], RestEntitlementsCheckAction.class.getClassLoader())) {
+            // intentionally empty, just let the loader close
+        }
+    }
+
     @EntitlementTest(expectedAccess = ALWAYS_DENIED)
     static void createLogManager() {
         new java.util.logging.LogManager() {

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/ElasticsearchEntitlementChecker.java

@@ -194,6 +194,16 @@ public ElasticsearchEntitlementChecker(PolicyChecker policyChecker) {
         policyChecker.checkCreateClassLoader(callerClass);
     }
 
+    @Override
+    public void check$java_net_URLClassLoader$$newInstance(Class<?> callerClass, URL[] urls) {
+        policyChecker.checkCreateClassLoader(callerClass);
+    }
+
+    @Override
+    public void check$java_net_URLClassLoader$$newInstance(Class<?> callerClass, URL[] urls, ClassLoader parent) {
+        policyChecker.checkCreateClassLoader(callerClass);
+    }
+
     @Override
     public void check$java_security_SecureClassLoader$(Class<?> callerClass) {
         policyChecker.checkCreateClassLoader(callerClass);

modules/streams/src/yamlRestTest/resources/rest-api-spec/test/streams/logs/20_substream_restrictions.yml

@@ -142,13 +142,16 @@ teardown:
             index.default_pipeline: "reroute-to-logs-foo-success"
   - do:
       bulk:
-        refresh: true
         body: |
           { "index": { "_index": "logs" } }
           { "foo": "bar", "baz": "qux" }
   - match: { errors: false }
   - match: { items.0.index.status: 201 }
 
+  - do:
+      indices.refresh:
+        index: logs.foo
+
   - do:
       delete_by_query:
         index: logs.foo

modules/streams/src/yamlRestTest/resources/rest-api-spec/test/streams/logs/30_param_restrictions.yml

@@ -0,0 +1,190 @@
+---
+teardown:
+  - do:
+      streams.logs_disable: { }
+
+---
+"Check User Can't Use Restricted Params On Logs Endpoint":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      streams.status: { }
+  - is_true: logs.enabled
+
+  - do:
+      bulk:
+        list_executed_pipelines: true
+        body: |
+          { "index": { "_index": "logs"} }
+          { "foo": "bar" }
+          { "index": { "_index": "not-logs" } }
+          { "foo": "bar" }
+  - match: { errors: true }
+  - match: { items.0.index.status: 400 }
+  - match: { items.0.index.error.type: "illegal_argument_exception" }
+  - match: { items.0.index.error.reason: '/When\ writing\ to\ a\ stream\,\ only\ the\ following\ parameters\ are\ allowed\:\ \[.+\]\ however\ the\ following\ were\ used\:\ \[.+\]/' }
+  - match: { items.1.index.status: 201 }
+
+---
+"Check User Can't Use Restricted Params On Logs Endpoint - Single Doc":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      streams.status: { }
+  - is_true: logs.enabled
+
+  - do:
+      index:
+        require_alias: true
+        index: logs
+        body: { "foo": "bar" }
+      catch: '/When writing to a stream, only the following parameters are allowed: \[.+\] however the following were used: \[.+\]/'
+
+---
+"Allowed Params Only - Bulk Should Succeed":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      bulk:
+        error_trace: true
+        timeout: "1m"
+        body: |
+          { "index": { "_index": "logs"} }
+          { "foo": "bar" }
+  - match: { errors: false }
+  - match: { items.0.index.status: 201 }
+
+---
+"Allowed Params Only - Single Doc Should Succeed":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      index:
+        index: logs
+        error_trace: true
+        timeout: "1m"
+        body: |
+          { "foo": "bar" }
+  - match: { _index: "logs" }
+  - match: { result: "created" }
+
+---
+"Allowed Params Only - Single Doc with ID Should Succeed":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      index:
+        index: logs
+        id: 123456
+        body: |
+          { "foo": "bar" }
+  - match: { _index: "logs" }
+  - match: { result: "created" }
+
+---
+"No Params - Bulk Should Succeed":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      bulk:
+        body: |
+          { "index": { "_index": "logs"} }
+          { "foo": "bar" }
+  - match: { errors: false }
+  - match: { items.0.index.status: 201 }
+
+---
+"No Params - Single Doc Should Succeed":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+  -
+    do:
+      index:
+        index: logs
+        body: { "foo": "bar" }
+  - match: { _index: "logs" }
+  - match: { result: "created" }
+
+---
+"Mixed Allowed and Disallowed Params - Bulk Should Fail":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      bulk:
+        error_trace: true
+        timeout: "1m"
+        routing: "custom-routing"
+        refresh: true
+        body: |
+          { "index": { "_index": "logs"} }
+          { "foo": "bar" }
+  - match: { errors: true }
+  - match: { items.0.index.status: 400 }
+  - match: { items.0.index.error.type: "illegal_argument_exception" }
+  - match: { items.0.index.error.reason: '/When\ writing\ to\ a\ stream\,\ only\ the\ following\ parameters\ are\ allowed\:\ \[.+\]\ however\ the\ following\ were\ used\:\ \[.+\]/' }
+
+---
+"Mixed Allowed and Disallowed Params - Single Doc Should Fail":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      index:
+        index: logs
+        error_trace: true
+        timeout: "1m"
+        routing: "custom-routing"
+        refresh: true
+        body: { "foo": "bar" }
+      catch: '/When writing to a stream, only the following parameters are allowed: \[.+\] however the following were used: \[.+\]/'
+
+---
+"Multiple Disallowed Params - Bulk Should Fail":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      bulk:
+        routing: "custom-routing"
+        wait_for_active_shards: "2"
+        refresh: true
+        body: |
+          { "index": { "_index": "logs"} }
+          { "foo": "bar" }
+  - match: { errors: true }
+  - match: { items.0.index.status: 400 }
+  - match: { items.0.index.error.type: "illegal_argument_exception" }
+  - match: { items.0.index.error.reason: '/When\ writing\ to\ a\ stream\,\ only\ the\ following\ parameters\ are\ allowed\:\ \[.+\]\ however\ the\ following\ were\ used\:\ \[.+\]/' }
+
+---
+"Multiple Disallowed Params - Single Doc Should Fail":
+  - do:
+      streams.logs_enable: { }
+  - is_true: acknowledged
+
+  - do:
+      index:
+        index: logs
+        routing: "custom-routing"
+        pipeline: "my-pipeline"
+        wait_for_active_shards: "2"
+        refresh: true
+        body: { "foo": "bar" }
+      catch: '/When writing to a stream, only the following parameters are allowed: \[.+\] however the following were used: \[.+\]/'

muted-tests.yml

@@ -555,6 +555,12 @@ tests:
 - class: org.elasticsearch.xpack.kql.parser.KqlParserBooleanQueryTests
   method: testParseOrQuery
   issue: https://github.com/elastic/elasticsearch/issues/133863
+- class: org.elasticsearch.xpack.kql.parser.KqlParserBooleanQueryTests
+  method: testParseAndQuery
+  issue: https://github.com/elastic/elasticsearch/issues/133871
+- class: org.elasticsearch.simdvec.internal.vectorization.ES92Int7VectorScorerTests
+  method: testInt7ScoreBulk
+  issue: https://github.com/elastic/elasticsearch/issues/133893
 
 # Examples:
 #

server/src/main/java/org/elasticsearch/TransportVersions.java

@@ -354,6 +354,7 @@ static TransportVersion def(int id) {
     public static final TransportVersion SHARD_WRITE_LOAD_IN_CLUSTER_INFO = def(9_126_0_00);
     public static final TransportVersion ESQL_SAMPLE_OPERATOR_STATUS = def(9_127_0_00);
     public static final TransportVersion PROJECT_RESERVED_STATE_MOVE_TO_REGISTRY = def(9_147_0_00);
+    public static final TransportVersion STREAMS_ENDPOINT_PARAM_RESTRICTIONS = def(9_148_00_00);
 
     /*
      * STOP! READ THIS FIRST! No, really,

server/src/main/java/org/elasticsearch/action/ActionModule.java

@@ -459,6 +459,7 @@ public class ActionModule extends AbstractModule {
     private final RequestValidators<IndicesAliasesRequest> indicesAliasesRequestRequestValidators;
     private final ReservedClusterStateService reservedClusterStateService;
     private final RestExtension restExtension;
+    private final ClusterService clusterService;
 
     public ActionModule(
         Settings settings,
@@ -534,6 +535,7 @@ public ActionModule(
             reservedProjectStateHandlers
         );
         this.restExtension = restExtension;
+        this.clusterService = clusterService;
     }
 
     private static <T> T getRestServerComponent(
@@ -927,9 +929,9 @@ public void initRestHandlers(Supplier<DiscoveryNodes> nodesInCluster, Predicate<
         registerHandler.accept(new RestResolveClusterAction());
         registerHandler.accept(new RestResolveIndexAction());
 
-        registerHandler.accept(new RestIndexAction());
-        registerHandler.accept(new CreateHandler());
-        registerHandler.accept(new AutoIdHandler());
+        registerHandler.accept(new RestIndexAction(clusterService, projectIdResolver));
+        registerHandler.accept(new CreateHandler(clusterService, projectIdResolver));
+        registerHandler.accept(new AutoIdHandler(clusterService, projectIdResolver));
         registerHandler.accept(new RestGetAction());
         registerHandler.accept(new RestGetSourceAction());
         registerHandler.accept(new RestMultiGetAction(settings));

server/src/main/java/org/elasticsearch/action/bulk/BulkRequest.java

@@ -48,6 +48,7 @@
 import java.util.Objects;
 import java.util.Set;
 
+import static java.util.Collections.emptySet;
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 
 /**
@@ -86,6 +87,7 @@ public class BulkRequest extends LegacyActionRequest
     private Boolean globalRequireAlias;
     private Boolean globalRequireDatsStream;
     private boolean includeSourceOnError = true;
+    private Set<String> paramsUsed = emptySet();
 
     private long sizeInBytes = 0;
 
@@ -108,6 +110,9 @@ public BulkRequest(StreamInput in) throws IOException {
         if (in.getTransportVersion().onOrAfter(TransportVersions.INGEST_REQUEST_INCLUDE_SOURCE_ON_ERROR)) {
             includeSourceOnError = in.readBoolean();
         } // else default value is true
+        if (in.getTransportVersion().onOrAfter(TransportVersions.STREAMS_ENDPOINT_PARAM_RESTRICTIONS)) {
+            paramsUsed = in.readCollectionAsImmutableSet(StreamInput::readString);
+        }
     }
 
     public BulkRequest(@Nullable String globalIndex) {
@@ -474,6 +479,9 @@ public void writeTo(StreamOutput out) throws IOException {
         if (out.getTransportVersion().onOrAfter(TransportVersions.INGEST_REQUEST_INCLUDE_SOURCE_ON_ERROR)) {
             out.writeBoolean(includeSourceOnError);
         }
+        if (out.getTransportVersion().onOrAfter(TransportVersions.STREAMS_ENDPOINT_PARAM_RESTRICTIONS)) {
+            out.writeCollection(paramsUsed, StreamOutput::writeString);
+        }
     }
 
     @Override
@@ -516,6 +524,14 @@ public boolean isSimulated() {
         return false; // Always false, but may be overridden by a subclass
     }
 
+    public Set<String> requestParamsUsed() {
+        return paramsUsed;
+    }
+
+    public void requestParamsUsed(Set<String> paramsUsed) {
+        this.paramsUsed = paramsUsed;
+    }
+
     /*
      * Returns any component template substitutions that are to be used as part of this bulk request. We would likely only have
      * substitutions in the event of a simulated request.
@@ -554,6 +570,7 @@ public BulkRequest shallowClone() {
         bulkRequest.routing(routing());
         bulkRequest.requireAlias(requireAlias());
         bulkRequest.requireDataStream(requireDataStream());
+        bulkRequest.requestParamsUsed(requestParamsUsed());
         return bulkRequest;
     }
 }