direct access to backing data indices should work with FLS

slobodanadamovic · slobodanadamovic · commit a9efba4cde36 · 2025-03-25T10:55:11.000+01:00
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
@@ -1523,6 +1523,13 @@ public void testDlsFls() throws Exception {
             {
                  "cluster": ["all"],
                  "indices": [
+                     {
+                        "names": ["%s"],
+                        "privileges": ["read"],
+                        "field_security": {
+                            "grant": ["@timestamp", "age"]
+                        }
+                     },
                      {
                         "names": ["%s"],
                         "privileges": ["read"],
@@ -1531,7 +1538,17 @@ public void testDlsFls() throws Exception {
                         }
                      }
                  ]
-             }""", failureIndexName), role);
+             }""", dataIndexName, failureIndexName), role);
+
+        // FLS applies to backing data index
+        assertSearchResponseContainsExpectedIndicesAndFields(
+            performRequest(user, new Search(dataIndexName).toSearchRequest()),
+            Map.of(dataIndexName, Set.of("@timestamp", "age"))
+        );
+        assertSearchResponseContainsExpectedIndicesAndFields(
+            performRequest(user, new Search(".ds-*").toSearchRequest()),
+            Map.of(dataIndexName, Set.of("@timestamp", "age"))
+        );
         // FLS is not applicable to backing failure store indices
         expectFlsDlsError(() -> performRequest(user, new Search(failureIndexName).toSearchRequest()));
         expectFlsDlsError(() -> performRequest(user, new Search(".fs-*").toSearchRequest()));
