Add security exceptions to the list of fatals and remove test overrides

Author: smalyshev

x-pack/plugin/esql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/esql/EsqlSecurityIT.java

@@ -315,10 +315,7 @@ public void testIndexPatternErrorMessageComparison_ESQL_SearchDSL() throws Excep
         setUser(searchRequest, "metadata1_read2");
 
         // ES|QL query on the same index pattern
-        var esqlResp = expectThrows(
-            ResponseException.class,
-            () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2", false)
-        );
+        var esqlResp = expectThrows(ResponseException.class, () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2"));
         var srchResp = expectThrows(ResponseException.class, () -> client().performRequest(searchRequest));
 
         for (ResponseException r : List.of(esqlResp, srchResp)) {
@@ -337,8 +334,7 @@ public void testLimitedPrivilege() throws Exception {
             ResponseException.class,
             () -> runESQLCommand(
                 "metadata1_read2",
-                "FROM index-user1,index-user2 METADATA _index | STATS sum=sum(value), index=VALUES(_index)",
-                false
+                "FROM index-user1,index-user2 METADATA _index | STATS sum=sum(value), index=VALUES(_index)"
             )
         );
         assertThat(
@@ -351,7 +347,7 @@ public void testLimitedPrivilege() throws Exception {
 
         resp = expectThrows(
             ResponseException.class,
-            () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2 METADATA _index | STATS index=VALUES(_index)", false)
+            () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2 METADATA _index | STATS index=VALUES(_index)")
         );
         assertThat(
             EntityUtils.toString(resp.getResponse().getEntity()),
@@ -363,7 +359,7 @@ public void testLimitedPrivilege() throws Exception {
 
         resp = expectThrows(
             ResponseException.class,
-            () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2 | STATS sum=sum(value)", false)
+            () -> runESQLCommand("metadata1_read2", "FROM index-user1,index-user2 | STATS sum=sum(value)")
         );
         assertThat(
             EntityUtils.toString(resp.getResponse().getEntity()),
@@ -375,7 +371,7 @@ public void testLimitedPrivilege() throws Exception {
 
         resp = expectThrows(
             ResponseException.class,
-            () -> runESQLCommand("alias_user1", "FROM first-alias,index-user1 METADATA _index | KEEP _index, org, value | LIMIT 10", false)
+            () -> runESQLCommand("alias_user1", "FROM first-alias,index-user1 METADATA _index | KEEP _index, org, value | LIMIT 10")
         );
         assertThat(
             EntityUtils.toString(resp.getResponse().getEntity()),
@@ -389,8 +385,7 @@ public void testLimitedPrivilege() throws Exception {
             ResponseException.class,
             () -> runESQLCommand(
                 "alias_user2",
-                "from second-alias,index-user2 METADATA _index | stats sum=sum(value), index=VALUES(_index)",
-                false
+                "from second-alias,index-user2 METADATA _index | stats sum=sum(value), index=VALUES(_index)"
             )
         );
         assertThat(
@@ -864,10 +859,6 @@ public void testDataStream() throws IOException {
     }
 
     protected Response runESQLCommand(String user, String command) throws IOException {
-        return runESQLCommand(user, command, null);
-    }
-
-    protected Response runESQLCommand(String user, String command, Boolean allowPartialResults) throws IOException {
         if (command.toLowerCase(Locale.ROOT).contains("limit") == false) {
             // add a (high) limit to avoid warnings on default limit
             command += " | limit 10000000";
@@ -881,9 +872,6 @@ protected Response runESQLCommand(String user, String command, Boolean allowPart
         request.setJsonEntity(Strings.toString(json));
         setUser(request, user);
         request.addParameter("error_trace", "true");
-        if (allowPartialResults != null) {
-            request.addParameter("allow_partial_results", Boolean.toString(allowPartialResults));
-        }
         return client().performRequest(request);
     }
 

x-pack/plugin/esql/qa/server/single-node/src/javaRestTest/java/org/elasticsearch/xpack/esql/qa/single_node/RestEsqlIT.java

@@ -111,7 +111,7 @@ public void testInvalidPragma() throws IOException {
             request.setJsonEntity("{\"f\":" + i + "}");
             assertOK(client().performRequest(request));
         }
-        RequestObjectBuilder builder = requestObjectBuilder().query("from test-index | limit 1 | keep f").allowPartialResults(false);
+        RequestObjectBuilder builder = requestObjectBuilder().query("from test-index | limit 1 | keep f");
         builder.pragmas(Settings.builder().put("data_partitioning", "invalid-option").build());
         ResponseException re = expectThrows(ResponseException.class, () -> runEsqlSync(builder));
         assertThat(EntityUtils.toString(re.getResponse().getEntity()), containsString("No enum constant"));

x-pack/plugin/esql/qa/server/src/main/java/org/elasticsearch/xpack/esql/qa/rest/EsqlRestValidationTestCase.java

@@ -129,7 +129,6 @@ private Request createRequest(String indexName) throws IOException {
         final var request = new Request("POST", "/_query");
         request.addParameter("error_trace", "true");
         request.addParameter("pretty", "true");
-        request.addParameter("allow_partial_results", Boolean.toString(false));
         request.setJsonEntity(
             Strings.toString(JsonXContent.contentBuilder().startObject().field("query", "from " + indexName).endObject())
         );

x-pack/plugin/esql/src/internalClusterTest/java/org/elasticsearch/xpack/esql/action/AbstractCrossClusterTestCase.java

@@ -77,11 +77,6 @@ protected Collection<Class<? extends Plugin>> nodePlugins(String clusterAlias) {
         return plugins;
     }
 
-    @Override
-    protected Settings nodeSettings() {
-        return Settings.builder().put(super.nodeSettings()).put(EsqlPlugin.QUERY_ALLOW_PARTIAL_RESULTS.getKey(), false).build();
-    }
-
     public static class InternalExchangePlugin extends Plugin {
         @Override
         public List<Setting<?>> getSettings() {

x-pack/plugin/esql/src/internalClusterTest/java/org/elasticsearch/xpack/esql/action/AbstractEsqlIntegTestCase.java

@@ -139,14 +139,6 @@ protected Collection<Class<? extends Plugin>> nodePlugins() {
         return CollectionUtils.appendToCopy(super.nodePlugins(), EsqlPlugin.class);
     }
 
-    @Override
-    protected Settings nodeSettings(int nodeOrdinal, Settings otherSettings) {
-        return Settings.builder()
-            .put(super.nodeSettings(nodeOrdinal, otherSettings))
-            .put(EsqlPlugin.QUERY_ALLOW_PARTIAL_RESULTS.getKey(), false)
-            .build();
-    }
-
     protected void setRequestCircuitBreakerLimit(ByteSizeValue limit) {
         if (limit != null) {
             assertAcked(

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/plugin/ClusterComputeHandler.java

@@ -7,7 +7,6 @@
 
 package org.elasticsearch.xpack.esql.plugin;
 
-import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.ActionListenerResponseHandler;
 import org.elasticsearch.action.OriginalIndices;
@@ -17,7 +16,6 @@
 import org.elasticsearch.compute.operator.exchange.ExchangeSourceHandler;
 import org.elasticsearch.core.Releasable;
 import org.elasticsearch.core.TimeValue;
-import org.elasticsearch.index.IndexNotFoundException;
 import org.elasticsearch.tasks.CancellableTask;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.tasks.TaskCancelledException;
@@ -90,18 +88,12 @@ void startComputeOnRemoteCluster(
             if (receivedResults == false && EsqlCCSUtils.shouldIgnoreRuntimeError(executionInfo, clusterAlias, e)) {
                 EsqlCCSUtils.markClusterWithFinalStateAndNoShards(executionInfo, clusterAlias, EsqlExecutionInfo.Cluster.Status.SKIPPED, e);
                 l.onResponse(DriverCompletionInfo.EMPTY);
-            } else if (configuration.allowPartialResults()
-                && (ExceptionsHelper.unwrapCause(e) instanceof IndexNotFoundException) == false) {
-                    EsqlCCSUtils.markClusterWithFinalStateAndNoShards(
-                        executionInfo,
-                        clusterAlias,
-                        EsqlExecutionInfo.Cluster.Status.PARTIAL,
-                        e
-                    );
-                    l.onResponse(DriverCompletionInfo.EMPTY);
-                } else {
-                    l.onFailure(e);
-                }
+            } else if (configuration.allowPartialResults() && EsqlCCSUtils.canAllowPartial(e)) {
+                EsqlCCSUtils.markClusterWithFinalStateAndNoShards(executionInfo, clusterAlias, EsqlExecutionInfo.Cluster.Status.PARTIAL, e);
+                l.onResponse(DriverCompletionInfo.EMPTY);
+            } else {
+                l.onFailure(e);
+            }
         });
         ExchangeService.openExchange(
             transportService,

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/plugin/ComputeService.java

@@ -7,7 +7,6 @@
 
 package org.elasticsearch.xpack.esql.plugin;
 
-import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.OriginalIndices;
 import org.elasticsearch.action.search.SearchRequest;
@@ -31,7 +30,6 @@
 import org.elasticsearch.core.Releasable;
 import org.elasticsearch.core.Releasables;
 import org.elasticsearch.core.Tuple;
-import org.elasticsearch.index.IndexNotFoundException;
 import org.elasticsearch.index.query.SearchExecutionContext;
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
@@ -63,6 +61,7 @@
 import org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner;
 import org.elasticsearch.xpack.esql.planner.PlannerUtils;
 import org.elasticsearch.xpack.esql.session.Configuration;
+import org.elasticsearch.xpack.esql.session.EsqlCCSUtils;
 import org.elasticsearch.xpack.esql.session.Result;
 
 import java.util.ArrayList;
@@ -433,8 +432,7 @@ public void executePlan(
                                 );
                                 dataNodesListener.onResponse(r.getCompletionInfo());
                             }, e -> {
-                                if (configuration.allowPartialResults()
-                                    && (ExceptionsHelper.unwrapCause(e) instanceof IndexNotFoundException) == false) {
+                                if (configuration.allowPartialResults() && EsqlCCSUtils.canAllowPartial(e)) {
                                     execInfo.swapCluster(
                                         LOCAL_CLUSTER,
                                         (k, v) -> new EsqlExecutionInfo.Cluster.Builder(v).setStatus(

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/session/EsqlCCSUtils.java

@@ -7,6 +7,8 @@
 
 package org.elasticsearch.xpack.esql.session;
 
+import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.OriginalIndices;
@@ -17,6 +19,7 @@
 import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.compute.operator.DriverCompletionInfo;
 import org.elasticsearch.core.Nullable;
+import org.elasticsearch.index.IndexNotFoundException;
 import org.elasticsearch.index.query.QueryBuilder;
 import org.elasticsearch.indices.IndicesExpressionGrouper;
 import org.elasticsearch.license.XPackLicenseState;
@@ -368,4 +371,16 @@ public static boolean shouldIgnoreRuntimeError(EsqlExecutionInfo executionInfo,
 
         return ExceptionsHelper.isRemoteUnavailableException(e);
     }
+
+    /**
+     * Check whether this exception can be tolerated when partial results are on, or should be treated as fatal.
+     * @return true if the exception can be tolerated, false if it should be treated as fatal.
+     */
+    public static boolean canAllowPartial(Exception e) {
+        Throwable unwrapped = ExceptionsHelper.unwrapCause(e);
+        if (unwrapped instanceof IndexNotFoundException || unwrapped instanceof ElasticsearchSecurityException) {
+            return false;
+        }
+        return true;
+    }
 }

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityEsqlIT.java

@@ -78,7 +78,6 @@ public class RemoteClusterSecurityEsqlIT extends AbstractRemoteClusterSecurityTe
             .apply(commonClusterConfig)
             .setting("remote_cluster.port", "0")
             .setting("xpack.ml.enabled", "false")
-            .setting("esql.query.allow_partial_results", "false")
             .setting("xpack.security.remote_cluster_server.ssl.enabled", () -> String.valueOf(SSL_ENABLED_REF.get()))
             .setting("xpack.security.remote_cluster_server.ssl.key", "remote-cluster.key")
             .setting("xpack.security.remote_cluster_server.ssl.certificate", "remote-cluster.crt")
@@ -98,7 +97,6 @@ public class RemoteClusterSecurityEsqlIT extends AbstractRemoteClusterSecurityTe
             .module("ingest-common")
             .apply(commonClusterConfig)
             .setting("xpack.ml.enabled", "false")
-            .setting("esql.query.allow_partial_results", "false")
             .setting("xpack.security.remote_cluster_client.ssl.enabled", () -> String.valueOf(SSL_ENABLED_REF.get()))
             .setting("xpack.security.remote_cluster_client.ssl.certificate_authorities", "remote-cluster-ca.crt")
             .setting("xpack.security.authc.token.enabled", "true")

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java

@@ -2771,7 +2771,6 @@ Request toEsqlRequest() throws IOException {
             json.endObject();
             var request = new Request("POST", "_query");
             request.setJsonEntity(Strings.toString(json));
-            request.addParameter("allow_partial_results", Boolean.toString(false));
             return request;
         }
     }