elastic
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java‎
Lines changed: 4 additions & 4 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java‎
Lines changed: 5 additions & 5 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java‎
Lines changed: 2 additions & 2 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java‎
Lines changed: 3 additions & 1 deletion b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎…ege/IndexComponentSelectorPrivilege.java‎ ‎…ege/IndexComponentSelectorPredicate.java‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java renamed to x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPredicate.java
Lines changed: 10 additions & 5 deletions b/‎…ege/IndexComponentSelectorPrivilege.java‎ ‎…ege/IndexComponentSelectorPredicate.java‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java renamed to x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPredicate.java
Lines changed: 10 additions & 5 deletions
@@ -11,7 +11,7 @@
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
-import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPredicate;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.authz.restriction.WorkflowResolver;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
@@ -49,7 +49,7 @@ public static ActionRequestValidationException validate(
         if (roleDescriptor.getIndicesPrivileges() != null) {
             for (RoleDescriptor.IndicesPrivileges idp : roleDescriptor.getIndicesPrivileges()) {
                 try {
-                    IndexPrivilege.getSplitBySelector(Set.of(idp.getPrivileges()));
+                    IndexPrivilege.getSplitBySelectorAccess(Set.of(idp.getPrivileges()));
                 } catch (IllegalArgumentException ile) {
                     validationException = addValidationError(ile.getMessage(), validationException);
                 }
@@ -61,8 +61,8 @@ public static ActionRequestValidationException validate(
                 validationException = addValidationError("remote index cluster alias cannot be an empty string", validationException);
             }
             try {
-                var privileges = IndexPrivilege.getSplitBySelector(Set.of(ridp.indicesPrivileges().getPrivileges()));
-                if (privileges.stream().anyMatch(p -> p.getSelectorPrivilege() == IndexComponentSelectorPrivilege.FAILURES)) {
+                var privileges = IndexPrivilege.getSplitBySelectorAccess(Set.of(ridp.indicesPrivileges().getPrivileges()));
+                if (privileges.stream().anyMatch(p -> p.getSelectorPredicate() == IndexComponentSelectorPredicate.FAILURES)) {
                     validationException = addValidationError(
                         "remote index privileges cannot contain privileges that grant access to the failure store",
                         validationException
 
@@ -27,7 +27,7 @@
 import org.elasticsearch.index.Index;
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
-import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPredicate;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 import org.elasticsearch.xpack.core.security.support.StringMatcher;
@@ -302,7 +302,7 @@ public boolean checkResourcePrivileges(
                     }
                 }
                 for (String privilege : checkForPrivileges) {
-                    IndexPrivilege indexPrivilege = IndexPrivilege.getSingleSelector(Collections.singleton(privilege));
+                    IndexPrivilege indexPrivilege = IndexPrivilege.getSingleSelectorOrThrow(Collections.singleton(privilege));
                     if (allowedIndexPrivilegesAutomaton != null
                         && Automatons.subsetOf(indexPrivilege.getAutomaton(), allowedIndexPrivilegesAutomaton)) {
                         if (resourcePrivilegesMapBuilder != null) {
@@ -793,7 +793,7 @@ public static class Group {
         public static final Group[] EMPTY_ARRAY = new Group[0];
 
         private final IndexPrivilege privilege;
-        private final IndexComponentSelectorPrivilege selectorPrivilege;
+        private final IndexComponentSelectorPredicate selectorPredicate;
         private final Predicate<String> actionMatcher;
         private final String[] indices;
         private final StringMatcher indexNameMatcher;
@@ -817,7 +817,7 @@ public Group(
             assert indices.length != 0;
             this.privilege = privilege;
             this.actionMatcher = privilege.predicate();
-            this.selectorPrivilege = privilege.getSelectorPrivilege();
+            this.selectorPredicate = privilege.getSelectorPredicate();
             this.indices = indices;
             this.allowRestrictedIndices = allowRestrictedIndices;
             ConcurrentHashMap<String[], Automaton> indexNameAutomatonMemo = new ConcurrentHashMap<>(1);
@@ -866,7 +866,7 @@ boolean hasQuery() {
         }
 
         public boolean checkSelector(IndexComponentSelector selector) {
-            return selectorPrivilege.test(selector);
+            return selectorPredicate.test(selector);
         }
 
         public boolean allowRestrictedIndices() {
 
@@ -437,7 +437,7 @@ static SimpleRole buildFromRoleDescriptor(
                     new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
                 ),
                 indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
-                IndexPrivilege.getSplitBySelector(Set.of(indexPrivilege.getPrivileges())),
+                IndexPrivilege.getSplitBySelectorAccess(Set.of(indexPrivilege.getPrivileges())),
                 indexPrivilege.allowRestrictedIndices(),
                 indexPrivilege.getIndices()
             );
@@ -454,7 +454,7 @@ static SimpleRole buildFromRoleDescriptor(
                     new FieldPermissionsDefinition(indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields())
                 ),
                 indicesPrivileges.getQuery() == null ? null : Collections.singleton(indicesPrivileges.getQuery()),
-                IndexPrivilege.getSplitBySelector(Set.of(indicesPrivileges.getPrivileges())),
+                IndexPrivilege.getSplitBySelectorAccess(Set.of(indicesPrivileges.getPrivileges())),
                 indicesPrivileges.allowRestrictedIndices(),
                 indicesPrivileges.getIndices()
             );
 
@@ -414,7 +414,9 @@ public ManageRolesPrivilege(List<ManageRolesIndexPermissionGroup> manageRolesInd
             this.requestPredicateSupplier = (restrictedIndices) -> {
                 IndicesPermission.Builder indicesPermissionBuilder = new IndicesPermission.Builder(restrictedIndices);
                 for (ManageRolesIndexPermissionGroup indexPatternPrivilege : manageRolesIndexPermissionGroups) {
-                    Set<IndexPrivilege> splitBySelector = IndexPrivilege.getSplitBySelector(Set.of(indexPatternPrivilege.privileges()));
+                    Set<IndexPrivilege> splitBySelector = IndexPrivilege.getSplitBySelectorAccess(
+                        Set.of(indexPatternPrivilege.privileges())
+                    );
                     for (IndexPrivilege indexPrivilege : splitBySelector) {
                         indicesPermissionBuilder.addGroup(
                             indexPrivilege,
 
@@ -13,19 +13,24 @@
 import java.util.Set;
 import java.util.function.Predicate;
 
-public record IndexComponentSelectorPrivilege(Set<String> names, Predicate<IndexComponentSelector> predicate)
+/**
+ * A predicate to capture role access by {@link IndexComponentSelector}.
+ * This is assigned to each {@link org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission.Group} during role building.
+ * See also {@link org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege#getSplitBySelectorAccess(Set)}.
+ */
+public record IndexComponentSelectorPredicate(Set<String> names, Predicate<IndexComponentSelector> predicate)
     implements
         Predicate<IndexComponentSelector> {
-    IndexComponentSelectorPrivilege(String name, Predicate<IndexComponentSelector> predicate) {
+    IndexComponentSelectorPredicate(String name, Predicate<IndexComponentSelector> predicate) {
         this(Set.of(name), predicate);
     }
 
-    public static final IndexComponentSelectorPrivilege ALL = new IndexComponentSelectorPrivilege("all", Predicates.always());
-    public static final IndexComponentSelectorPrivilege DATA = new IndexComponentSelectorPrivilege(
+    public static final IndexComponentSelectorPredicate ALL = new IndexComponentSelectorPredicate("all", Predicates.always());
+    public static final IndexComponentSelectorPredicate DATA = new IndexComponentSelectorPredicate(
         "data",
         IndexComponentSelector.DATA::equals
     );
-    public static final IndexComponentSelectorPrivilege FAILURES = new IndexComponentSelectorPrivilege(
+    public static final IndexComponentSelectorPredicate FAILURES = new IndexComponentSelectorPredicate(
         "failures",
         IndexComponentSelector.FAILURES::equals
     );