Support read_failures

n1v0lg · n1v0lg · commit b78a4d4dcbbb · 2025-02-07T11:18:10.000+01:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -179,6 +179,8 @@ public final class IndexPrivilege extends Privilege {
     public static final IndexPrivilege NONE = new IndexPrivilege("none", Automatons.EMPTY);
     public static final IndexPrivilege ALL = new IndexPrivilege("all", ALL_AUTOMATON);
     public static final IndexPrivilege READ = new IndexPrivilege("read", READ_AUTOMATON);
+    // same automaton as read but SPECIAL
+    public static final IndexPrivilege READ_FAILURES = new IndexPrivilege("read_failures", READ_AUTOMATON);
     public static final IndexPrivilege READ_CROSS_CLUSTER = new IndexPrivilege("read_cross_cluster", READ_CROSS_CLUSTER_AUTOMATON);
     public static final IndexPrivilege CREATE = new IndexPrivilege("create", CREATE_AUTOMATON);
     public static final IndexPrivilege INDEX = new IndexPrivilege("index", INDEX_AUTOMATON);
@@ -221,6 +223,7 @@ public final class IndexPrivilege extends Privilege {
             entry("create_index", CREATE_INDEX),
             entry("monitor", MONITOR),
             entry("read", READ),
+            entry("read_failures", READ_FAILURES),
             entry("index", INDEX),
             entry("delete", DELETE),
             entry("write", WRITE),
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
@@ -78,7 +78,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("all").allowRestrictedIndices(false).build(),
             RoleDescriptor.IndicesPrivileges.builder()
                 .indices("*")
-                .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster")
+                .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failures")
                 .allowRestrictedIndices(true)
                 .build() },
         new RoleDescriptor.ApplicationResourcePrivileges[] {
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/InternalUsers.java
@@ -161,7 +161,8 @@ public class InternalUsers {
                         IndicesStatsAction.NAME + "*",
                         TransportUpdateSettingsAction.TYPE.name(),
                         DownsampleAction.NAME,
-                        TransportAddIndexBlockAction.TYPE.name()
+                        TransportAddIndexBlockAction.TYPE.name(),
+                        "read_failures"
                     )
                     .allowRestrictedIndices(false)
                     .build(),
@@ -180,7 +181,8 @@ public class InternalUsers {
                         IndicesStatsAction.NAME + "*",
                         TransportUpdateSettingsAction.TYPE.name(),
                         DownsampleAction.NAME,
-                        TransportAddIndexBlockAction.TYPE.name()
+                        TransportAddIndexBlockAction.TYPE.name(),
+                        "read_failures"
                     )
                     .allowRestrictedIndices(true)
                     .build() },
@@ -219,7 +221,8 @@ public class InternalUsers {
                         TransportBulkAction.NAME,
                         TransportIndexAction.NAME,
                         TransportSearchScrollAction.TYPE.name(),
-                        ModifyDataStreamsAction.NAME
+                        ModifyDataStreamsAction.NAME,
+                        "read_failures"
                     )
                     .allowRestrictedIndices(false)
                     .build() },
@@ -243,7 +246,7 @@ public class InternalUsers {
             new RoleDescriptor.IndicesPrivileges[] {
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("*")
-                    .privileges(LazyRolloverAction.NAME)
+                    .privileges(LazyRolloverAction.NAME, "read_failures")
                     .allowRestrictedIndices(true)
                     .build() },
             null,
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/FailureStoreSecurityRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/FailureStoreSecurityRestIT.java
@@ -33,28 +33,37 @@ public class FailureStoreSecurityRestIT extends SecurityOnTrialLicenseRestTestCa
 
     private static final String DATA_ACCESS_USER = "data_access_user";
     private static final String FAILURE_STORE_ACCESS_USER = "failure_store_access_user";
+    private static final String BOTH_ACCESS_USER = "both_access_user";
     private static final SecureString PASSWORD = new SecureString("elastic-password");
 
     @SuppressWarnings("unchecked")
     public void testFailureStoreAccess() throws IOException {
         String dataAccessRole = "data_access";
         String failureStoreAccessRole = "failure_store_access";
+        String bothAccessRole = "both_access";
 
         createUser(DATA_ACCESS_USER, PASSWORD, List.of(dataAccessRole));
         createUser(FAILURE_STORE_ACCESS_USER, PASSWORD, List.of(failureStoreAccessRole));
+        createUser(BOTH_ACCESS_USER, PASSWORD, List.of(bothAccessRole));
 
         upsertRole(Strings.format("""
             {
               "description": "Role with data access",
               "cluster": ["all"],
-              "indices": [{"names": ["test*"], "privileges": ["read"], "selectors": ["data"]}]
+              "indices": [{"names": ["test*"], "privileges": ["read"]}]
             }"""), dataAccessRole);
         upsertRole(Strings.format("""
             {
               "description": "Role with failure store access",
               "cluster": ["all"],
-              "indices": [{"names": ["test*"], "privileges": ["read"], "selectors": ["failures"]}]
+              "indices": [{"names": ["test*"], "privileges": ["read_failures"]}]
             }"""), failureStoreAccessRole);
+        upsertRole(Strings.format("""
+            {
+              "description": "Role with failure store access",
+              "cluster": ["all"],
+              "indices": [{"names": ["test*"], "privileges": ["read", "read_failures"]}]
+            }"""), bothAccessRole);
 
         createTemplates();
         List<String> docIds = populateDataStreamWithBulkRequest();
@@ -148,6 +157,23 @@ public void testFailureStoreAccess() throws IOException {
 
         expectThrows404(() -> adminClient().performRequest(new Request("GET", "/test12::failures/_search")));
         expectThrows404(() -> adminClient().performRequest(new Request("GET", "/test2::failures/_search")));
+
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/test1::failures/_search")), failedDocId);
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/test*::failures/_search")), failedDocId);
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/*1::failures/_search")), failedDocId);
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/*::failures/_search")), failedDocId);
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/.fs*/_search")), failedDocId);
+
+        expectThrows404(() -> performRequest(BOTH_ACCESS_USER, new Request("GET", "/test12::failures/_search")));
+        expectThrows404(() -> performRequest(BOTH_ACCESS_USER, new Request("GET", "/test2::failures/_search")));
+
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/test1/_search")), successDocId);
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/test*/_search")), successDocId);
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/*1/_search")), successDocId);
+        assertContainsDocIds(performRequest(BOTH_ACCESS_USER, new Request("GET", "/*/_search")), successDocId);
+
+        expectThrows404(() -> performRequest(BOTH_ACCESS_USER, new Request("GET", "/test12/_search")));
+        expectThrows404(() -> performRequest(BOTH_ACCESS_USER, new Request("GET", "/test2/_search")));
     }
 
     private static void expectThrows404(ThrowingRunnable get) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
@@ -483,10 +483,8 @@ public static void buildRoleFromDescriptors(
         final List<ConfigurableClusterPrivilege> configurableClusterPrivileges = new ArrayList<>();
         final Set<String> runAs = new HashSet<>();
 
-        final Map<Set<String>, MergeableIndicesPrivilege> indicesPrivilegesDataMap = new HashMap<>();
-        final Map<Set<String>, MergeableIndicesPrivilege> indicesPrivilegesFailuresMap = new HashMap<>();
-        final Map<Set<String>, MergeableIndicesPrivilege> restrictedIndicesPrivilegesDataMap = new HashMap<>();
-        final Map<Set<String>, MergeableIndicesPrivilege> restrictedIndicesPrivilegesFailuresMap = new HashMap<>();
+        final Map<Set<String>, MergeableIndicesPrivilege> indicesPrivilegesMap = new HashMap<>();
+        final Map<Set<String>, MergeableIndicesPrivilege> restrictedIndicesPrivilegesMap = new HashMap<>();
 
         final Map<Set<String>, Set<IndicesPrivileges>> remoteIndicesPrivilegesByCluster = new HashMap<>();
 
@@ -507,30 +505,8 @@ public static void buildRoleFromDescriptors(
                 runAs.addAll(Arrays.asList(descriptor.getRunAs()));
             }
 
-            MergeableIndicesPrivilege.collatePrivilegesByIndices(
-                descriptor.getIndicesPrivileges(),
-                true,
-                IndexComponentSelector.DATA,
-                restrictedIndicesPrivilegesDataMap
-            );
-            MergeableIndicesPrivilege.collatePrivilegesByIndices(
-                descriptor.getIndicesPrivileges(),
-                false,
-                IndexComponentSelector.DATA,
-                indicesPrivilegesDataMap
-            );
-            MergeableIndicesPrivilege.collatePrivilegesByIndices(
-                descriptor.getIndicesPrivileges(),
-                true,
-                IndexComponentSelector.FAILURES,
-                restrictedIndicesPrivilegesFailuresMap
-            );
-            MergeableIndicesPrivilege.collatePrivilegesByIndices(
-                descriptor.getIndicesPrivileges(),
-                false,
-                IndexComponentSelector.FAILURES,
-                indicesPrivilegesFailuresMap
-            );
+            MergeableIndicesPrivilege.collatePrivilegesByIndices(descriptor.getIndicesPrivileges(), true, restrictedIndicesPrivilegesMap);
+            MergeableIndicesPrivilege.collatePrivilegesByIndices(descriptor.getIndicesPrivileges(), false, indicesPrivilegesMap);
 
             if (descriptor.hasRemoteIndicesPrivileges()) {
                 groupIndexPrivilegesByCluster(descriptor.getRemoteIndicesPrivileges(), remoteIndicesPrivilegesByCluster);
@@ -563,47 +539,57 @@ public static void buildRoleFromDescriptors(
         final Role.Builder builder = Role.builder(restrictedIndices, roleNames.toArray(Strings.EMPTY_ARRAY))
             .cluster(clusterPrivileges, configurableClusterPrivileges)
             .runAs(runAsPrivilege);
-        indicesPrivilegesDataMap.forEach((key, privilege) -> {
-            builder.add(
-                fieldPermissionsCache.getFieldPermissions(privilege.fieldPermissionsDefinition),
-                privilege.query,
-                IndexPrivilege.get(privilege.privileges),
-                false,
-                IndexComponentSelector.DATA,
-                privilege.indices.toArray(Strings.EMPTY_ARRAY)
-            );
 
-        });
-        restrictedIndicesPrivilegesDataMap.forEach((key, privilege) -> {
-            // For a privilege with both failure and non-failure indices, we need to split them into two separate groups
-            builder.add(
-                fieldPermissionsCache.getFieldPermissions(privilege.fieldPermissionsDefinition),
-                privilege.query,
-                IndexPrivilege.get(privilege.privileges),
-                true,
-                IndexComponentSelector.DATA,
-                privilege.indices.toArray(Strings.EMPTY_ARRAY)
-            );
-        });
-        indicesPrivilegesFailuresMap.forEach((key, privilege) -> {
+        indicesPrivilegesMap.forEach((key, privilege) -> {
+            if (privilege.privileges.contains("read_failures")) {
+                builder.add(
+                    fieldPermissionsCache.getFieldPermissions(privilege.fieldPermissionsDefinition),
+                    privilege.query,
+                    IndexPrivilege.get(Set.of("read_failures")),
+                    false,
+                    IndexComponentSelector.FAILURES,
+                    privilege.indices.toArray(Strings.EMPTY_ARRAY)
+                );
+            }
+            Set<String> privilegesWithoutReadFailures = filterOutReadFailures(privilege.privileges);
+            if (privilegesWithoutReadFailures.isEmpty()) {
+                return;
+            }
             builder.add(
                 fieldPermissionsCache.getFieldPermissions(privilege.fieldPermissionsDefinition),
                 privilege.query,
-                IndexPrivilege.get(privilege.privileges),
+                IndexPrivilege.get(privilegesWithoutReadFailures),
                 false,
-                IndexComponentSelector.FAILURES,
+                (privilege.privileges.contains("all") || privilege.privileges.contains("ALL"))
+                    ? IndexComponentSelector.ALL_APPLICABLE
+                    : IndexComponentSelector.DATA,
                 privilege.indices.toArray(Strings.EMPTY_ARRAY)
             );
 
         });
-        restrictedIndicesPrivilegesFailuresMap.forEach((key, privilege) -> {
-            // For a privilege with both failure and non-failure indices, we need to split them into two separate groups
+        restrictedIndicesPrivilegesMap.forEach((key, privilege) -> {
+            if (privilege.privileges.contains("read_failures")) {
+                builder.add(
+                    fieldPermissionsCache.getFieldPermissions(privilege.fieldPermissionsDefinition),
+                    privilege.query,
+                    IndexPrivilege.get(Set.of("read_failures")),
+                    true,
+                    IndexComponentSelector.FAILURES,
+                    privilege.indices.toArray(Strings.EMPTY_ARRAY)
+                );
+            }
+            Set<String> privilegesWithoutReadFailures = filterOutReadFailures(privilege.privileges);
+            if (privilegesWithoutReadFailures.isEmpty()) {
+                return;
+            }
             builder.add(
                 fieldPermissionsCache.getFieldPermissions(privilege.fieldPermissionsDefinition),
                 privilege.query,
                 IndexPrivilege.get(privilege.privileges),
                 true,
-                IndexComponentSelector.FAILURES,
+                (privilege.privileges.contains("all") || privilege.privileges.contains("ALL"))
+                    ? IndexComponentSelector.ALL_APPLICABLE
+                    : IndexComponentSelector.DATA,
                 privilege.indices.toArray(Strings.EMPTY_ARRAY)
             );
         });
@@ -656,6 +642,10 @@ public static void buildRoleFromDescriptors(
         }
     }
 
+    private static Set<String> filterOutReadFailures(Set<String> privileges) {
+        return privileges.stream().filter(p -> p.equals("read_failures") == false).collect(Collectors.toSet());
+    }
+
     public void invalidateAll() {
         numInvalidation.incrementAndGet();
         negativeLookupCache.invalidateAll();
@@ -766,7 +756,6 @@ void merge(MergeableIndicesPrivilege other) {
         private static void collatePrivilegesByIndices(
             final IndicesPrivileges[] indicesPrivileges,
             final boolean allowsRestrictedIndices,
-            final IndexComponentSelector selector,
             final Map<Set<String>, MergeableIndicesPrivilege> indicesPrivilegesMap
         ) {
             // if an index privilege is an explicit denial, then we treat it as non-existent since we skipped these in the past when
@@ -780,9 +769,6 @@ private static void collatePrivilegesByIndices(
                 if (indicesPrivilege.allowRestrictedIndices() != allowsRestrictedIndices) {
                     continue;
                 }
-                if (false == indicesPrivilege.matchesSelector(selector)) {
-                    continue;
-                }
                 final Set<String> key = newHashSet(indicesPrivilege.getIndices());
                 indicesPrivilegesMap.compute(key, (k, value) -> {
                     if (value == null) {
