POC: plug ES|QL project routing into index resolution

Author: n1v0lg

server/src/main/java/org/elasticsearch/action/fieldcaps/FieldCapabilitiesRequest.java

@@ -18,6 +18,7 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.core.Nullable;
 import org.elasticsearch.index.query.BoolQueryBuilder;
 import org.elasticsearch.index.query.BoostingQueryBuilder;
 import org.elasticsearch.index.query.ConstantScoreQueryBuilder;
@@ -46,6 +47,9 @@ public final class FieldCapabilitiesRequest extends LegacyActionRequest implemen
 
     private String clusterAlias = RemoteClusterAware.LOCAL_CLUSTER_GROUP_KEY;
 
+    @Nullable
+    private String projectRouting;
+
     private String[] indices = Strings.EMPTY_ARRAY;
     private IndicesOptions indicesOptions = DEFAULT_INDICES_OPTIONS;
     private String[] fields = Strings.EMPTY_ARRAY;
@@ -113,6 +117,15 @@ String clusterAlias() {
         return clusterAlias;
     }
 
+    @Nullable
+    public String projectRouting() {
+        return projectRouting;
+    }
+
+    public void projectRouting(String projectRouting) {
+        this.projectRouting = projectRouting;
+    }
+
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/esql/EsqlAsyncActionNames.java

@@ -13,4 +13,5 @@
 public class EsqlAsyncActionNames {
     public static final String ESQL_ASYNC_GET_RESULT_ACTION_NAME = "indices:data/read/esql/async/get";
     public static final String ESQL_ASYNC_STOP_ACTION_NAME = "indices:data/read/esql/async/stop";
+
 }

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/action/EsqlProjectRoutingAction.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.esql.action;
+
+import org.elasticsearch.action.ActionType;
+
+public class EsqlProjectRoutingAction extends ActionType<EsqlProjectRoutingResponse> {
+    public static final String NAME = "cluster:monitor/xpack/esql/project_routing";
+    public static final EsqlProjectRoutingAction INSTANCE = new EsqlProjectRoutingAction(NAME);
+
+    public EsqlProjectRoutingAction(String name) {
+        super(NAME);
+    }
+}

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/action/EsqlProjectRoutingRequest.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.esql.action;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.TransportAction;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+import java.util.List;
+
+public class EsqlProjectRoutingRequest extends ActionRequest {
+    public EsqlProjectRoutingRequest(List<String> projects, String projectRoutingQuery) {
+
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        return null;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        TransportAction.localOnly();
+    }
+}

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/action/EsqlProjectRoutingResponse.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.esql.action;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+import java.util.List;
+
+public class EsqlProjectRoutingResponse extends ActionResponse {
+
+    private final List<String> projects;
+
+    public EsqlProjectRoutingResponse(List<String> projects) {
+        this.projects = projects;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeGenericList(projects, StreamOutput::writeString);
+    }
+
+    public List<String> getProjects() {
+        return projects;
+    }
+}

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/action/TransportEsqlProjectRoutingAction.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.esql.action;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.support.ActionFilters;
+import org.elasticsearch.action.support.TransportAction;
+import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.EsExecutors;
+import org.elasticsearch.injection.guice.Inject;
+import org.elasticsearch.tasks.Task;
+import org.elasticsearch.transport.TransportService;
+
+import java.util.List;
+
+public class TransportEsqlProjectRoutingAction extends TransportAction<EsqlProjectRoutingRequest, EsqlProjectRoutingResponse> {
+    @Inject
+    public TransportEsqlProjectRoutingAction(
+        Settings settings,
+        TransportService transportService,
+        ActionFilters actionFilters,
+        ClusterService clusterService
+    ) {
+        super(EsqlProjectRoutingAction.NAME, actionFilters, transportService.getTaskManager(), EsExecutors.DIRECT_EXECUTOR_SERVICE);
+    }
+
+    @Override
+    protected void doExecute(Task task, EsqlProjectRoutingRequest request, ActionListener<EsqlProjectRoutingResponse> listener) {
+        // whatever fancy ES|QL needs to happen here can happen here
+        listener.onResponse(new EsqlProjectRoutingResponse(List.of("project1", "project2", "project3")));
+    }
+}

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/plugin/EsqlPlugin.java

@@ -57,6 +57,7 @@
 import org.elasticsearch.xpack.esql.action.EsqlAsyncStopAction;
 import org.elasticsearch.xpack.esql.action.EsqlGetQueryAction;
 import org.elasticsearch.xpack.esql.action.EsqlListQueriesAction;
+import org.elasticsearch.xpack.esql.action.EsqlProjectRoutingAction;
 import org.elasticsearch.xpack.esql.action.EsqlQueryAction;
 import org.elasticsearch.xpack.esql.action.EsqlQueryRequestBuilder;
 import org.elasticsearch.xpack.esql.action.EsqlResolveFieldsAction;
@@ -67,6 +68,7 @@
 import org.elasticsearch.xpack.esql.action.RestEsqlListQueriesAction;
 import org.elasticsearch.xpack.esql.action.RestEsqlQueryAction;
 import org.elasticsearch.xpack.esql.action.RestEsqlStopAsyncAction;
+import org.elasticsearch.xpack.esql.action.TransportEsqlProjectRoutingAction;
 import org.elasticsearch.xpack.esql.analysis.PlanCheckerProvider;
 import org.elasticsearch.xpack.esql.common.Failures;
 import org.elasticsearch.xpack.esql.enrich.EnrichLookupOperator;
@@ -276,7 +278,8 @@ public List<ActionHandler> getActions() {
             new ActionHandler(EsqlSearchShardsAction.TYPE, EsqlSearchShardsAction.class),
             new ActionHandler(EsqlAsyncStopAction.INSTANCE, TransportEsqlAsyncStopAction.class),
             new ActionHandler(EsqlListQueriesAction.INSTANCE, TransportEsqlListQueriesAction.class),
-            new ActionHandler(EsqlGetQueryAction.INSTANCE, TransportEsqlGetQueryAction.class)
+            new ActionHandler(EsqlGetQueryAction.INSTANCE, TransportEsqlGetQueryAction.class),
+            new ActionHandler(EsqlProjectRoutingAction.INSTANCE, TransportEsqlProjectRoutingAction.class)
         );
     }
 

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/session/IndexResolver.java

@@ -270,6 +270,8 @@ private static FieldCapabilitiesRequest createFieldCapsRequest(String index, Set
         req.fields(fieldNames.toArray(String[]::new));
         req.includeUnmapped(true);
         req.indexFilter(requestFilter);
+        // Note: this is just some bogus query to demonstrate that we can invoke the full ES|QL engine from the security layer
+        req.projectRouting("row a = 1, b = \"x\", c = 1000000000000, d = 1.1");
         // lenient because we throw our own errors looking at the response e.g. if something was not resolved
         // also because this way security doesn't throw authorization exceptions but rather honors ignore_unavailable
         req.indicesOptions(FIELD_CAPS_INDICES_OPTIONS);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/EsqlProjectRouter.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.client.internal.Client;
+import org.elasticsearch.xpack.core.esql.action.EsqlQueryRequest;
+import org.elasticsearch.xpack.core.esql.action.EsqlQueryRequestBuilder;
+import org.elasticsearch.xpack.core.esql.action.EsqlQueryResponse;
+
+import java.util.List;
+
+public class EsqlProjectRouter {
+
+    private static final Logger logger = LogManager.getLogger(EsqlProjectRouter.class);
+
+    private final Client client;
+
+    public EsqlProjectRouter(Client client) {
+        this.client = client;
+    }
+
+    public List<String> route(List<String> projects, String projectRoutingQuery) {
+        // Note: this just demonstrates that we can invoke the full ES|QL engine from the security layer
+        // we certainly don't want to just run a generic ES|QL query
+
+        // Instead we should expose the EsqlProjectRoutingAction to be called the same way we
+        // expose the EsqlQueryAction and call EsqlProjectRoutingAction here
+        // (we will need to repeat the dance done in https://github.com/elastic/elasticsearch/issues/104413)
+
+        // EsqlProjectRoutingAction will be localOnly as it will only access an on-the fly in-memory index
+        // so there are no network costs associated
+
+        @SuppressWarnings("unchecked")
+        EsqlQueryRequestBuilder<EsqlQueryRequest, EsqlQueryResponse> b = (EsqlQueryRequestBuilder<
+            EsqlQueryRequest,
+            EsqlQueryResponse>) EsqlQueryRequestBuilder.newRequestBuilder(client);
+
+        b.query(projectRoutingQuery).execute(new ActionListener<>() {
+            @Override
+            public void onResponse(EsqlQueryResponse response) {
+                logger.info("EsqlProjectRouter response: {}", response);
+            }
+
+            @Override
+            public void onFailure(Exception e) {
+                logger.warn("EsqlProjectRouter failure", e);
+            }
+        });
+
+        return projects;
+    }
+}

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -1130,7 +1130,8 @@ Collection<Object> createComponents(
             operatorPrivilegesService.get(),
             restrictedIndices,
             authorizationDenialMessages.get(),
-            projectResolver
+            projectResolver,
+            new EsqlProjectRouter(client)
         );
 
         components.add(nativeRolesStore); // used by roles actions