Add security migration for cleaning up ECK role mappings

Author: jfreden

server/src/main/java/org/elasticsearch/index/IndexVersions.java

@@ -117,6 +117,7 @@ private static IndexVersion def(int id, Version luceneVersion) {
     public static final IndexVersion ENABLE_IGNORE_MALFORMED_LOGSDB = def(8_514_00_0, Version.LUCENE_9_11_1);
     public static final IndexVersion MERGE_ON_RECOVERY_VERSION = def(8_515_00_0, Version.LUCENE_9_11_1);
     public static final IndexVersion UPGRADE_TO_LUCENE_9_12 = def(8_516_00_0, Version.LUCENE_9_12_0);
+    public static final IndexVersion ADD_ROLE_MAPPING_MIGRATION = def(8_517_00_0, Version.LUCENE_9_12_0);
 
     /*
      * STOP! READ THIS FIRST! No, really,

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityFeatures.java

@@ -17,13 +17,14 @@
 import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.SECURITY_MIGRATION_FRAMEWORK;
 import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.SECURITY_PROFILE_ORIGIN_FEATURE;
 import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.SECURITY_ROLES_METADATA_FLATTENED;
+import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.SECURITY_ROLE_MAPPING_CLEANUP;
 import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.VERSION_SECURITY_PROFILE_ORIGIN;
 
 public class SecurityFeatures implements FeatureSpecification {
 
     @Override
     public Set<NodeFeature> getFeatures() {
-        return Set.of(SECURITY_ROLES_METADATA_FLATTENED, SECURITY_MIGRATION_FRAMEWORK);
+        return Set.of(SECURITY_ROLE_MAPPING_CLEANUP, SECURITY_ROLES_METADATA_FLATTENED, SECURITY_MIGRATION_FRAMEWORK);
     }
 
     @Override

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityIndexManager.java

@@ -31,6 +31,7 @@
 import org.elasticsearch.cluster.metadata.IndexMetadata;
 import org.elasticsearch.cluster.metadata.MappingMetadata;
 import org.elasticsearch.cluster.metadata.Metadata;
+import org.elasticsearch.cluster.metadata.ReservedStateMetadata;
 import org.elasticsearch.cluster.routing.IndexRoutingTable;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.core.TimeValue;
@@ -46,6 +47,8 @@
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.threadpool.Scheduler;
 import org.elasticsearch.xcontent.XContentType;
+import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
+import org.elasticsearch.xpack.core.security.authz.RoleMappingMetadata;
 import org.elasticsearch.xpack.security.SecurityFeatures;
 
 import java.time.Instant;
@@ -74,7 +77,8 @@
 public class SecurityIndexManager implements ClusterStateListener {
 
     public static final String SECURITY_VERSION_STRING = "security-version";
-
+    private static final String FILE_SETTINGS_METADATA_NAMESPACE = "file_settings";
+    private static final String HANDLER_ROLE_MAPPINGS_NAME = "role_mappings";
     private static final Logger logger = LogManager.getLogger(SecurityIndexManager.class);
 
     /**
@@ -267,6 +271,22 @@ private static boolean isCreatedOnLatestVersion(IndexMetadata indexMetadata) {
         return indexVersionCreated != null && indexVersionCreated.onOrAfter(IndexVersion.current());
     }
 
+    private static Set<String> getFileSettingsMetadataHandlerRoleMappingKeys(ClusterState clusterState) {
+        ReservedStateMetadata fileSettingsMetadata = clusterState.metadata().reservedStateMetadata().get(FILE_SETTINGS_METADATA_NAMESPACE);
+        if (fileSettingsMetadata != null && fileSettingsMetadata.handlers().containsKey(HANDLER_ROLE_MAPPINGS_NAME)) {
+            return fileSettingsMetadata.handlers().get(HANDLER_ROLE_MAPPINGS_NAME).keys();
+        }
+        return Set.of();
+    }
+
+    private static Set<ExpressionRoleMapping> getRoleMappingMetadataMappings(ClusterState clusterState) {
+        RoleMappingMetadata roleMappingMetadata = RoleMappingMetadata.getFromClusterState(clusterState);
+        if (roleMappingMetadata != null) {
+            return roleMappingMetadata.getRoleMappings();
+        }
+        return Set.of();
+    }
+
     @Override
     public void clusterChanged(ClusterChangedEvent event) {
         if (event.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
@@ -284,6 +304,9 @@ public void clusterChanged(ClusterChangedEvent event) {
         Tuple<Boolean, Boolean> available = checkIndexAvailable(event.state());
         final boolean indexAvailableForWrite = available.v1();
         final boolean indexAvailableForSearch = available.v2();
+        final Set<String> reservedStateRoleMappingNames = getFileSettingsMetadataHandlerRoleMappingKeys(event.state());
+        final boolean reservedRoleMappingsSynced = reservedStateRoleMappingNames.size() == getRoleMappingMetadataMappings(event.state())
+            .size();
         final boolean mappingIsUpToDate = indexMetadata == null || checkIndexMappingUpToDate(event.state());
         final int migrationsVersion = getMigrationVersionFromIndexMetadata(indexMetadata);
         final SystemIndexDescriptor.MappingsVersion minClusterMappingVersion = getMinSecurityIndexMappingVersion(event.state());
@@ -314,6 +337,7 @@ public void clusterChanged(ClusterChangedEvent event) {
             indexAvailableForWrite,
             mappingIsUpToDate,
             createdOnLatestVersion,
+            reservedRoleMappingsSynced,
             migrationsVersion,
             minClusterMappingVersion,
             indexMappingVersion,
@@ -323,7 +347,8 @@ public void clusterChanged(ClusterChangedEvent event) {
             indexUUID,
             allSecurityFeatures.stream()
                 .filter(feature -> featureService.clusterHasFeature(event.state(), feature))
-                .collect(Collectors.toSet())
+                .collect(Collectors.toSet()),
+            reservedStateRoleMappingNames
         );
         this.state = newState;
 
@@ -334,6 +359,10 @@ public void clusterChanged(ClusterChangedEvent event) {
         }
     }
 
+    public Set<String> getReservedStateRoleMappingNames() {
+        return state.reservedStateRoleMappingNames;
+    }
+
     public static int getMigrationVersionFromIndexMetadata(IndexMetadata indexMetadata) {
         Map<String, String> customMetadata = indexMetadata == null ? null : indexMetadata.getCustomData(MIGRATION_VERSION_CUSTOM_KEY);
         if (customMetadata == null) {
@@ -438,7 +467,8 @@ private Tuple<Boolean, Boolean> checkIndexAvailable(ClusterState state) {
 
     public boolean isEligibleSecurityMigration(SecurityMigrations.SecurityMigration securityMigration) {
         return state.securityFeatures.containsAll(securityMigration.nodeFeaturesRequired())
-            && state.indexMappingVersion >= securityMigration.minMappingVersion();
+            && state.indexMappingVersion >= securityMigration.minMappingVersion()
+            && securityMigration.checkPreConditions(state);
     }
 
     public boolean isReadyForSecurityMigration(SecurityMigrations.SecurityMigration securityMigration) {
@@ -671,13 +701,15 @@ public static class State {
             false,
             false,
             false,
+            false,
             null,
             null,
             null,
             null,
             null,
             null,
             null,
+            Set.of(),
             Set.of()
         );
         public final Instant creationTime;
@@ -686,6 +718,7 @@ public static class State {
         public final boolean indexAvailableForWrite;
         public final boolean mappingUpToDate;
         public final boolean createdOnLatestVersion;
+        public final boolean reservedRoleMappingsSynced;
         public final Integer migrationsVersion;
         // Min mapping version supported by the descriptors in the cluster
         public final SystemIndexDescriptor.MappingsVersion minClusterMappingVersion;
@@ -696,6 +729,7 @@ public static class State {
         public final IndexMetadata.State indexState;
         public final String indexUUID;
         public final Set<NodeFeature> securityFeatures;
+        public final Set<String> reservedStateRoleMappingNames;
 
         public State(
             Instant creationTime,
@@ -704,14 +738,16 @@ public State(
             boolean indexAvailableForWrite,
             boolean mappingUpToDate,
             boolean createdOnLatestVersion,
+            boolean reservedRoleMappingsSynced,
             Integer migrationsVersion,
             SystemIndexDescriptor.MappingsVersion minClusterMappingVersion,
             Integer indexMappingVersion,
             String concreteIndexName,
             ClusterHealthStatus indexHealth,
             IndexMetadata.State indexState,
             String indexUUID,
-            Set<NodeFeature> securityFeatures
+            Set<NodeFeature> securityFeatures,
+            Set<String> reservedStateRoleMappingNames
         ) {
             this.creationTime = creationTime;
             this.isIndexUpToDate = isIndexUpToDate;
@@ -720,13 +756,15 @@ public State(
             this.mappingUpToDate = mappingUpToDate;
             this.migrationsVersion = migrationsVersion;
             this.createdOnLatestVersion = createdOnLatestVersion;
+            this.reservedRoleMappingsSynced = reservedRoleMappingsSynced;
             this.minClusterMappingVersion = minClusterMappingVersion;
             this.indexMappingVersion = indexMappingVersion;
             this.concreteIndexName = concreteIndexName;
             this.indexHealth = indexHealth;
             this.indexState = indexState;
             this.indexUUID = indexUUID;
             this.securityFeatures = securityFeatures;
+            this.reservedStateRoleMappingNames = reservedStateRoleMappingNames;
         }
 
         @Override
@@ -740,13 +778,15 @@ public boolean equals(Object o) {
                 && indexAvailableForWrite == state.indexAvailableForWrite
                 && mappingUpToDate == state.mappingUpToDate
                 && createdOnLatestVersion == state.createdOnLatestVersion
+                && reservedRoleMappingsSynced == state.reservedRoleMappingsSynced
                 && Objects.equals(indexMappingVersion, state.indexMappingVersion)
                 && Objects.equals(migrationsVersion, state.migrationsVersion)
                 && Objects.equals(minClusterMappingVersion, state.minClusterMappingVersion)
                 && Objects.equals(concreteIndexName, state.concreteIndexName)
                 && indexHealth == state.indexHealth
                 && indexState == state.indexState
-                && Objects.equals(securityFeatures, state.securityFeatures);
+                && Objects.equals(securityFeatures, state.securityFeatures)
+                && Objects.equals(reservedStateRoleMappingNames, state.reservedStateRoleMappingNames);
         }
 
         public boolean indexExists() {
@@ -762,12 +802,14 @@ public int hashCode() {
                 indexAvailableForWrite,
                 mappingUpToDate,
                 createdOnLatestVersion,
+                reservedRoleMappingsSynced,
                 migrationsVersion,
                 minClusterMappingVersion,
                 indexMappingVersion,
                 concreteIndexName,
                 indexHealth,
-                securityFeatures
+                securityFeatures,
+                reservedStateRoleMappingNames
             );
         }
 
@@ -786,6 +828,8 @@ public String toString() {
                 + mappingUpToDate
                 + ", createdOnLatestVersion="
                 + createdOnLatestVersion
+                + ", reservedRoleMappingsSynced="
+                + reservedRoleMappingsSynced
                 + ", migrationsVersion="
                 + migrationsVersion
                 + ", minClusterMappingVersion="
@@ -804,6 +848,8 @@ public String toString() {
                 + '\''
                 + ", securityFeatures="
                 + securityFeatures
+                + ", reservedStateRoleMappingNames="
+                + reservedStateRoleMappingNames
                 + '}';
         }
     }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityMigrations.java

@@ -11,6 +11,7 @@
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.search.SearchRequest;
+import org.elasticsearch.action.support.WriteRequest;
 import org.elasticsearch.client.internal.Client;
 import org.elasticsearch.features.NodeFeature;
 import org.elasticsearch.index.query.BoolQueryBuilder;
@@ -20,12 +21,23 @@
 import org.elasticsearch.script.Script;
 import org.elasticsearch.script.ScriptType;
 import org.elasticsearch.search.builder.SearchSourceBuilder;
+import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingAction;
+import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingRequestBuilder;
+import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsAction;
+import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsRequestBuilder;
+import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
 
+import java.util.Arrays;
 import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeMap;
 
+import static org.elasticsearch.TransportVersions.ADD_MANAGE_ROLES_PRIVILEGE;
+import static org.elasticsearch.xpack.core.ClientHelper.SECURITY_ORIGIN;
+import static org.elasticsearch.xpack.core.ClientHelper.executeAsyncWithOrigin;
 import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.SecurityMainIndexMappingVersion.ADD_REMOTE_CLUSTER_AND_DESCRIPTION_FIELDS;
 
 /**
@@ -52,6 +64,16 @@ public interface SecurityMigration {
          */
         Set<NodeFeature> nodeFeaturesRequired();
 
+        /**
+         * Check that any pre-conditions are met before launching migration
+         *
+         * @param securityIndexManagerState current state of the security index
+         * @return true if pre-conditions met, otherwise false
+         */
+        default boolean checkPreConditions(SecurityIndexManager.State securityIndexManagerState) {
+            return true;
+        }
+
         /**
          * The min mapping version required to support this migration. This makes sure that the index has at least the min mapping that is
          * required to support the migration.
@@ -62,11 +84,11 @@ public interface SecurityMigration {
     }
 
     public static final Integer ROLE_METADATA_FLATTENED_MIGRATION_VERSION = 1;
+    public static final Integer ROLE_MAPPING_CLEANUP_DUPLICATES = 2;
+    private static final Logger logger = LogManager.getLogger(SecurityMigration.class);
 
     public static final TreeMap<Integer, SecurityMigration> MIGRATIONS_BY_VERSION = new TreeMap<>(
         Map.of(ROLE_METADATA_FLATTENED_MIGRATION_VERSION, new SecurityMigration() {
-            private static final Logger logger = LogManager.getLogger(SecurityMigration.class);
-
             @Override
             public void migrate(SecurityIndexManager indexManager, Client client, ActionListener<Void> listener) {
                 BoolQueryBuilder filterQuery = new BoolQueryBuilder().filter(QueryBuilders.termQuery("type", "role"))
@@ -119,6 +141,73 @@ public Set<NodeFeature> nodeFeaturesRequired() {
             public int minMappingVersion() {
                 return ADD_REMOTE_CLUSTER_AND_DESCRIPTION_FIELDS.id();
             }
+        }, ROLE_MAPPING_CLEANUP_DUPLICATES, new SecurityMigration() {
+            @Override
+            public void migrate(SecurityIndexManager indexManager, Client client, ActionListener<Void> listener) {
+                Set<String> clusterStateRoleMappingNames = indexManager.getReservedStateRoleMappingNames();
+
+                // No role mappings in cluster state -> no cleanup needed
+                if (clusterStateRoleMappingNames.isEmpty()) {
+                    listener.onResponse(null);
+                    return;
+                }
+
+                getNativeRoleMappings(client, ActionListener.wrap(roleMappings -> {
+                    logger.info("Found [" + roleMappings.size() + "] role mappings to cleanup in .security index.");
+                    deleteNativeRoleMappings(client, roleMappings.iterator(), listener);
+                }, listener::onFailure), clusterStateRoleMappingNames.toArray(String[]::new));
+            }
+
+            private void getNativeRoleMappings(Client client, ActionListener<List<String>> listener, String... mappingNames) {
+                executeAsyncWithOrigin(
+                    client,
+                    SECURITY_ORIGIN,
+                    GetRoleMappingsAction.INSTANCE,
+                    new GetRoleMappingsRequestBuilder(client).names(mappingNames).request(),
+                    ActionListener.wrap(
+                        response -> listener.onResponse(Arrays.stream(response.mappings()).map(ExpressionRoleMapping::getName).toList()),
+                        listener::onFailure
+                    )
+                );
+            }
+
+            private void deleteNativeRoleMappings(Client client, Iterator<String> namesIterator, ActionListener<Void> listener) {
+                String name = namesIterator.next();
+                executeAsyncWithOrigin(
+                    client,
+                    SECURITY_ORIGIN,
+                    DeleteRoleMappingAction.INSTANCE,
+                    new DeleteRoleMappingRequestBuilder(client).name(name).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).request(),
+                    ActionListener.wrap(response -> {
+                        if (response.isFound() == false) {
+                            logger.warn("Expected role mapping [" + name + "] not found during role mapping clean up.");
+                        } else {
+                            logger.info("Deleted duplicated role mapping [" + name + "] from .security index");
+                        }
+                        if (namesIterator.hasNext()) {
+                            deleteNativeRoleMappings(client, namesIterator, listener);
+                        } else {
+                            listener.onResponse(null);
+                        }
+                    }, listener::onFailure)
+                );
+            }
+
+            @Override
+            public boolean checkPreConditions(SecurityIndexManager.State securityIndexManagerState) {
+                // If there are operator defined role mappings, make sure they've been loaded in to cluster state before launching migration
+                return securityIndexManagerState.reservedRoleMappingsSynced;
+            }
+
+            @Override
+            public Set<NodeFeature> nodeFeaturesRequired() {
+                return Set.of(SecuritySystemIndices.SECURITY_ROLE_MAPPING_CLEANUP);
+            }
+
+            @Override
+            public int minMappingVersion() {
+                return ADD_MANAGE_ROLES_PRIVILEGE.id();
+            }
         })
     );
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecuritySystemIndices.java

@@ -61,6 +61,7 @@ public class SecuritySystemIndices {
     public static final NodeFeature SECURITY_PROFILE_ORIGIN_FEATURE = new NodeFeature("security.security_profile_origin");
     public static final NodeFeature SECURITY_MIGRATION_FRAMEWORK = new NodeFeature("security.migration_framework");
     public static final NodeFeature SECURITY_ROLES_METADATA_FLATTENED = new NodeFeature("security.roles_metadata_flattened");
+    public static final NodeFeature SECURITY_ROLE_MAPPING_CLEANUP = new NodeFeature("security.role_mapping_cleanup");
 
     /**
      * Security managed index mappings used to be updated based on the product version. They are now updated based on per-index mappings