Handle wildcard and clean up

Author: n1v0lg

build-tools/src/main/resources/roles.yml

@@ -6,9 +6,6 @@ _es_test_root:
     - names: [ "*" ]
       allow_restricted_indices: true
       privileges: [ "ALL" ]
-    - names: [ "*::failures" ]
-      allow_restricted_indices: true
-      privileges: [ "ALL" ]
   run_as: [ "*" ]
   applications:
     - application: "*"

test/test-clusters/src/main/resources/default_test_roles.yml

@@ -6,9 +6,6 @@ _es_test_root:
     - names: [ "*" ]
       allow_restricted_indices: true
       privileges: [ "ALL" ]
-    - names: [ "*::failures" ]
-      allow_restricted_indices: true
-      privileges: [ "ALL" ]
   run_as: [ "*" ]
   applications:
     - application: "*"

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -80,12 +80,10 @@ public Builder addGroup(
             FieldPermissions fieldPermissions,
             @Nullable Set<BytesReference> query,
             boolean allowRestrictedIndices,
-            boolean allowFailureStoreAccess,
+            IndexComponentSelector selector,
             String... indices
         ) {
-            groups.add(
-                new Group(privilege, fieldPermissions, query, allowRestrictedIndices, restrictedIndices, allowFailureStoreAccess, indices)
-            );
+            groups.add(new Group(privilege, fieldPermissions, query, allowRestrictedIndices, restrictedIndices, selector, indices));
             return this;
         }
 
@@ -157,16 +155,24 @@ private IsResourceAuthorizedPredicate buildIndexMatcherPredicateForAction(String
         for (final Group group : groups) {
             if (group.actionMatcher.test(action)) {
                 if (group.allowRestrictedIndices) {
-                    if (group.failureStoreOnly) {
-                        failureAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
-                    } else {
-                        dataAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                    switch (group.selector) {
+                        case DATA -> dataAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                        case FAILURES -> failureAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                        case ALL_APPLICABLE -> {
+                            dataAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                            failureAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                        }
+                        default -> throw new IllegalStateException("unexpected selector [" + group.selector + "]");
                     }
                 } else {
-                    if (group.failureStoreOnly) {
-                        failureAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
-                    } else {
-                        dataAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                    switch (group.selector) {
+                        case DATA -> dataAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                        case FAILURES -> failureAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                        case ALL_APPLICABLE -> {
+                            dataAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                            failureAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                        }
+                        default -> throw new IllegalStateException("unexpected selector [" + group.selector + "]");
                     }
                 }
             } else if (isMappingUpdateAction && containsPrivilegeThatGrantsMappingUpdatesForBwc(group)) {
@@ -456,30 +462,17 @@ public boolean checkIndex(Group group) {
             final DataStream ds = indexAbstraction == null ? null : indexAbstraction.getParentDataStream();
             if (ds != null) {
                 if (group.checkIndex(ds.getName())) {
-                    // no selector implicitly means include data (?)
-                    if (selector == null || selector.shouldIncludeData()) {
-                        if (ds.isFailureStoreIndex(name)) {
-                            return group.failureStoreOnly;
-                        }
-                        return false == group.failureStoreOnly;
-                    } else {
-                        // TODO this is a simplification:
-                        return group.failureStoreOnly;
+                    // TODO is this right?
+                    if (indexAbstraction.isDataStreamConcreteFailureIndex()) {
+                        return group.checkSelector(IndexComponentSelector.FAILURES);
                     }
+                    return group.checkSelector(selector);
                 }
             }
             if (indexAbstraction != null && indexAbstraction.getType() == IndexAbstraction.Type.DATA_STREAM) {
-                if (group.checkIndex(name)) {
-                    // no selector implicitly means include data (?)
-                    if (selector == null || selector.shouldIncludeData()) {
-                        return false == group.failureStoreOnly;
-                    } else {
-                        // TODO this is a simplification:
-                        return group.failureStoreOnly;
-                    }
-                }
-                return false;
+                return group.checkIndex(name) && group.checkSelector(selector);
             }
+            // TODO assertions around selector here?
             return group.checkIndex(name);
         }
 
@@ -868,15 +861,15 @@ public static class Group {
         // users. Setting this flag true eliminates the special status for the purpose of this permission - restricted indices still have
         // to be covered by the "indices"
         private final boolean allowRestrictedIndices;
-        public final boolean failureStoreOnly;
+        public final IndexComponentSelector selector;
 
         public Group(
             IndexPrivilege privilege,
             FieldPermissions fieldPermissions,
             @Nullable Set<BytesReference> query,
             boolean allowRestrictedIndices,
             RestrictedIndices restrictedIndices,
-            boolean failureStoreOnly,
+            IndexComponentSelector selector,
             String... indices
         ) {
             assert indices.length != 0;
@@ -897,7 +890,7 @@ public Group(
             }
             this.fieldPermissions = Objects.requireNonNull(fieldPermissions);
             this.query = query;
-            this.failureStoreOnly = failureStoreOnly;
+            this.selector = selector;
         }
 
         public IndexPrivilege privilege() {
@@ -926,6 +919,15 @@ private boolean checkIndex(String index) {
             return indexNameMatcher.test(index);
         }
 
+        private boolean checkSelector(@Nullable IndexComponentSelector selectorToCheck) {
+            if (this.selector == IndexComponentSelector.ALL_APPLICABLE) {
+                return true;
+            }
+            boolean includeData = selectorToCheck == null || selectorToCheck.shouldIncludeData();
+            boolean includeFailures = selectorToCheck != null && selectorToCheck.shouldIncludeFailures();
+            return includeData == this.selector.shouldIncludeData() && includeFailures == this.selector.shouldIncludeFailures();
+        }
+
         boolean hasQuery() {
             return query != null;
         }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/RemoteIndicesPermission.java

@@ -7,6 +7,7 @@
 
 package org.elasticsearch.xpack.core.security.authz.permission;
 
+import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
@@ -67,7 +68,7 @@ public Builder addGroup(
                         // but rather on the fulfilling cluster
                         new RestrictedIndices(Automatons.EMPTY),
                         // TODO handle failure store access
-                        false,
+                        IndexComponentSelector.DATA,
                         indices
                     )
                 );

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -9,6 +9,7 @@
 
 import org.apache.lucene.util.automaton.Automaton;
 import org.elasticsearch.TransportVersion;
+import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.cluster.metadata.Metadata;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.util.set.Sets;
@@ -252,7 +253,9 @@ public Builder runAs(Privilege privilege) {
         }
 
         public Builder add(IndexPrivilege privilege, String... indices) {
-            groups.add(new IndicesPermissionGroupDefinition(privilege, FieldPermissions.DEFAULT, null, false, false, indices));
+            groups.add(
+                new IndicesPermissionGroupDefinition(privilege, FieldPermissions.DEFAULT, null, false, IndexComponentSelector.DATA, indices)
+            );
             return this;
         }
 
@@ -264,28 +267,30 @@ public Builder add(
             boolean allowRestrictedIndices,
             String... indices
         ) {
-            return add(fieldPermissions, query, privilege, allowRestrictedIndices, false, indices);
+            return add(fieldPermissions, query, privilege, allowRestrictedIndices, IndexComponentSelector.DATA, indices);
+        }
+
+        public Builder add(
+            FieldPermissions fieldPermissions,
+            Set<BytesReference> query,
+            IndexPrivilege privilege,
+            boolean allowRestrictedIndices,
+            boolean foo,
+            String... indices
+        ) {
+            return add(fieldPermissions, query, privilege, allowRestrictedIndices, IndexComponentSelector.DATA, indices);
         }
 
         public Builder add(
             FieldPermissions fieldPermissions,
             Set<BytesReference> query,
             IndexPrivilege privilege,
             boolean allowRestrictedIndices,
-            boolean allowFailureStoreAccess,
+            IndexComponentSelector selector,
             String... indices
         ) {
             // TODO assert no failures suffixes left
-            groups.add(
-                new IndicesPermissionGroupDefinition(
-                    privilege,
-                    fieldPermissions,
-                    query,
-                    allowRestrictedIndices,
-                    allowFailureStoreAccess,
-                    indices
-                )
-            );
+            groups.add(new IndicesPermissionGroupDefinition(privilege, fieldPermissions, query, allowRestrictedIndices, selector, indices));
             return this;
         }
 
@@ -299,7 +304,16 @@ public Builder addRemoteIndicesGroup(
             final String... indices
         ) {
             remoteIndicesGroups.computeIfAbsent(remoteClusterAliases, k -> new ArrayList<>())
-                .add(new IndicesPermissionGroupDefinition(privilege, fieldPermissions, query, allowRestrictedIndices, false, indices));
+                .add(
+                    new IndicesPermissionGroupDefinition(
+                        privilege,
+                        fieldPermissions,
+                        query,
+                        allowRestrictedIndices,
+                        IndexComponentSelector.DATA,
+                        indices
+                    )
+                );
             return this;
         }
 
@@ -339,7 +353,7 @@ public SimpleRole build() {
                         group.fieldPermissions,
                         group.query,
                         group.allowRestrictedIndices,
-                        group.allowFailureStoreAccess,
+                        group.selector,
                         group.indices
                     );
                 }
@@ -388,22 +402,22 @@ private static class IndicesPermissionGroupDefinition {
             private final FieldPermissions fieldPermissions;
             private final @Nullable Set<BytesReference> query;
             private final boolean allowRestrictedIndices;
-            private final boolean allowFailureStoreAccess;
+            private final IndexComponentSelector selector;
             private final String[] indices;
 
             private IndicesPermissionGroupDefinition(
                 IndexPrivilege privilege,
                 FieldPermissions fieldPermissions,
                 @Nullable Set<BytesReference> query,
                 boolean allowRestrictedIndices,
-                boolean allowFailureStoreAccess,
+                IndexComponentSelector selector,
                 String... indices
             ) {
                 this.privilege = privilege;
                 this.fieldPermissions = fieldPermissions;
                 this.query = query;
                 this.allowRestrictedIndices = allowRestrictedIndices;
-                this.allowFailureStoreAccess = allowFailureStoreAccess;
+                this.selector = selector;
                 this.indices = indices;
             }
         }
@@ -442,21 +456,21 @@ static SimpleRole buildFromRoleDescriptor(
                     indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
                     IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
                     indexPrivilege.allowRestrictedIndices(),
-                    true,
+                    IndexComponentSelector.ALL_APPLICABLE,
+                    indexPrivilege.getIndices()
+                );
+            } else {
+                builder.add(
+                    fieldPermissionsCache.getFieldPermissions(
+                        new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+                    ),
+                    indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
+                    IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
+                    indexPrivilege.allowRestrictedIndices(),
+                    IndexComponentSelector.DATA,
                     indexPrivilege.getIndices()
                 );
             }
-            builder.add(
-                fieldPermissionsCache.getFieldPermissions(
-                    new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
-                ),
-                indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
-                IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
-                indexPrivilege.allowRestrictedIndices(),
-                // TODO properly handle this
-                false,
-                indexPrivilege.getIndices()
-            );
         }
 
         for (RoleDescriptor.RemoteIndicesPrivileges remoteIndicesPrivileges : roleDescriptor.getRemoteIndicesPrivileges()) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java

@@ -10,6 +10,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.TransportVersions;
+import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -419,7 +420,7 @@ public ManageRolesPrivilege(List<ManageRolesIndexPermissionGroup> manageRolesInd
                         FieldPermissions.DEFAULT,
                         null,
                         false,
-                        false,
+                        IndexComponentSelector.DATA,
                         indexPatternPrivilege.indexPatterns()
                     );
                 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRoleTests.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction;
 import org.elasticsearch.action.bulk.TransportBulkAction;
 import org.elasticsearch.action.search.TransportSearchAction;
+import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.cluster.metadata.AliasMetadata;
 import org.elasticsearch.cluster.metadata.IndexAbstraction;
 import org.elasticsearch.cluster.metadata.IndexMetadata;
@@ -761,7 +762,15 @@ public void testHasPrivilegesForIndexPatterns() {
         }
         {
             fromRole = Role.builder(EMPTY_RESTRICTED_INDICES, "a-role")
-                .add(FieldPermissions.DEFAULT, Collections.emptySet(), IndexPrivilege.READ, true, false, "ind-1*", ".security")
+                .add(
+                    FieldPermissions.DEFAULT,
+                    Collections.emptySet(),
+                    IndexPrivilege.READ,
+                    true,
+                    IndexComponentSelector.DATA,
+                    "ind-1*",
+                    ".security"
+                )
                 .build();
 
             verifyResourcesPrivileges(