re-do the ticket in Continuation-passing style. Previous unanswered questions around CI/CD are resolved.

Author: ankit--sethi

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -33,8 +33,13 @@
 import org.elasticsearch.action.search.TransportSearchShardsAction;
 import org.elasticsearch.action.support.IndexComponentSelector;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.cache.Cache;
+import org.elasticsearch.common.cache.CacheBuilder;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.core.Nullable;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.index.seqno.RetentionLeaseActions;
 import org.elasticsearch.xpack.core.ccr.action.ForgetFollowerAction;
 import org.elasticsearch.xpack.core.ccr.action.PutFollowAction;
@@ -53,7 +58,7 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.SortedMap;
-import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ExecutionException;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -285,7 +290,21 @@ private static Map<String, IndexPrivilege> combineSortedInOrder(
     public static final Predicate<String> ACTION_MATCHER = ALL.predicate();
     public static final Predicate<String> CREATE_INDEX_MATCHER = CREATE_INDEX.predicate();
 
-    private static final ConcurrentHashMap<Set<String>, Set<IndexPrivilege>> CACHE = new ConcurrentHashMap<>();
+    static final Setting<Integer> CACHE_SIZE = Setting.intSetting(
+        "xpack.security.privilege.index.cache.size",
+        10_000,
+        Setting.Property.NodeScope
+    );
+    static final Setting<TimeValue> CACHE_TTL = Setting.timeSetting(
+        "xpack.security.privilege.index.cache.ttl",
+        TimeValue.timeValueHours(48),
+        Setting.Property.NodeScope
+    );
+
+    private static final Cache<Set<String>, Set<IndexPrivilege>> CACHE = CacheBuilder.<Set<String>, Set<IndexPrivilege>>builder()
+        .setExpireAfterAccess(CACHE_TTL.get(Settings.EMPTY))
+        .setMaximumWeight(CACHE_SIZE.get(Settings.EMPTY))
+        .build();
 
     private final IndexComponentSelectorPredicate selectorPredicate;
 
@@ -340,13 +359,17 @@ public static IndexPrivilege get(String actionOrPrivilege) {
      * All raw actions are treated as granting access to the {@link IndexComponentSelector#DATA} selector.
      */
     public static Set<IndexPrivilege> resolveBySelectorAccess(Set<String> names) {
-        return CACHE.computeIfAbsent(names, (theName) -> {
-            if (theName.isEmpty()) {
-                return Set.of(NONE);
-            } else {
-                return resolve(theName);
-            }
-        });
+        try {
+            return CACHE.computeIfAbsent(names, (theName) -> {
+                if (theName.isEmpty()) {
+                    return Set.of(NONE);
+                } else {
+                    return resolve(theName);
+                }
+            });
+        } catch (ExecutionException e) {
+            throw new RuntimeException(e);
+        }
     }
 
     @Nullable

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordAction.java

@@ -19,35 +19,40 @@
 import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.action.user.ChangePasswordRequest;
+import org.elasticsearch.xpack.core.security.authc.Realm;
+import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings;
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
+import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.authc.Realms;
 import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
-import org.elasticsearch.xpack.security.authc.file.FileUserPasswdStore;
+import org.elasticsearch.xpack.security.authc.file.FileRealm;
 
 import java.util.Locale;
+import java.util.Optional;
 
-import static org.elasticsearch.core.Strings.format;
 import static org.elasticsearch.xpack.core.security.user.UsernamesField.ELASTIC_NAME;
+import static org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.USER_NOT_FOUND_MESSAGE;
 
 public class TransportChangePasswordAction extends HandledTransportAction<ChangePasswordRequest, ActionResponse.Empty> {
 
     public static final ActionType<ActionResponse.Empty> TYPE = new ActionType<>("cluster:admin/xpack/security/user/change_password");
     private final Settings settings;
     private final NativeUsersStore nativeUsersStore;
-    private final FileUserPasswdStore fileUserPasswdStore;
+    private final Realms realms;
 
     @Inject
     public TransportChangePasswordAction(
         Settings settings,
         TransportService transportService,
         ActionFilters actionFilters,
         NativeUsersStore nativeUsersStore,
-        FileUserPasswdStore fileUserPasswdStore
+        Realms realms
     ) {
         super(TYPE.name(), transportService, actionFilters, ChangePasswordRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
         this.settings = settings;
         this.nativeUsersStore = nativeUsersStore;
-        this.fileUserPasswdStore = fileUserPasswdStore;
+        this.realms = realms;
     }
 
     @Override
@@ -71,24 +76,57 @@ protected void doExecute(Task task, ChangePasswordRequest request, ActionListene
             return;
         }
 
-        if (fileUserPasswdStore.userExists(request.username())) {
-            // File realm users cannot be managed through this API.
-            // unresolved q: is it possible a username is repeated across file and native realms, such that stopping here is incorrect?
-            logger.debug(() -> format("failed to change password for user [%s]", request.username()));
-            ValidationException validationException = new ValidationException();
-            validationException.addValidationError(
-                "user ["
-                    + username
-                    + "] is file-based and cannot be managed via this API."
-                    + (ELASTIC_NAME.equalsIgnoreCase(username)
-                        ? " To update the '" + ELASTIC_NAME + "' user in a cloud deployment, use the console."
-                        : "")
-            );
-            listener.onFailure(validationException);
-            return;
-        }
+        // check if user exists in the native realm
+        nativeUsersStore.getUser(username, new ActionListener<>() {
+            @Override
+            public void onResponse(User user) {
+                Optional<Realm> realm = realms.stream().filter(t -> FileRealmSettings.TYPE.equalsIgnoreCase(t.type())).findAny();
+                if (user == null && realm.isPresent()) {
+                    // we should check if this request is mistakenly trying to reset a file realm user
+                    FileRealm fileRealm = (FileRealm) realm.get();
+                    fileRealm.lookupUser(username, new ActionListener<>() {
+                        @Override
+                        public void onResponse(User user) {
+                            if (user != null) {
+                                ValidationException validationException = new ValidationException();
+                                validationException.addValidationError(
+                                    "user ["
+                                        + username
+                                        + "] is file-based and cannot be managed via this API."
+                                        + (ELASTIC_NAME.equalsIgnoreCase(username)
+                                            ? " To update the '" + ELASTIC_NAME + "' user in a cloud deployment, use the console."
+                                            : "")
+                                );
+                                onFailure(validationException);
+                            } else {
+                                onFailure(createUserNotFoundException());
+                            }
+                        }
 
-        nativeUsersStore.changePassword(request, listener.safeMap(v -> ActionResponse.Empty.INSTANCE));
+                        @Override
+                        public void onFailure(Exception e) {
+                            listener.onFailure(e);
+                        }
+                    });
+                } else if (user == null) {
+                    listener.onFailure(createUserNotFoundException());
+                } else {
+                    // safe to proceed
+                    nativeUsersStore.changePassword(request, listener.safeMap(v -> ActionResponse.Empty.INSTANCE));
+                }
+            }
+
+            @Override
+            public void onFailure(Exception e) {
+                listener.onFailure(e);
+            }
+        });
+
+    }
 
+    private static ValidationException createUserNotFoundException() {
+        ValidationException validationException = new ValidationException();
+        validationException.addValidationError(USER_NOT_FOUND_MESSAGE);
+        return validationException;
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java

@@ -82,6 +82,7 @@ public class NativeUsersStore {
 
     public static final String USER_DOC_TYPE = "user";
     public static final String RESERVED_USER_TYPE = "reserved-user";
+    public static final String USER_NOT_FOUND_MESSAGE = "user must exist in order to change password";
     private static final Logger logger = LogManager.getLogger(NativeUsersStore.class);
 
     private final Settings settings;
@@ -316,7 +317,7 @@ public void onFailure(Exception e) {
                             } else {
                                 logger.debug(() -> format("failed to change password for user [%s]", request.username()), e);
                                 ValidationException validationException = new ValidationException();
-                                validationException.addValidationError("user must exist in order to change password");
+                                validationException.addValidationError(USER_NOT_FOUND_MESSAGE);
                                 listener.onFailure(validationException);
                             }
                         } else {