elastic
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java‎
Lines changed: 3 additions & 33 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java‎
Lines changed: 3 additions & 33 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/RemoteIndicesPermission.java‎
Lines changed: 0 additions & 3 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/RemoteIndicesPermission.java‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java‎
Lines changed: 8 additions & 29 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java‎
Lines changed: 8 additions & 29 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java‎
Lines changed: 0 additions & 1 deletion b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java‎
Lines changed: 4 additions & 17 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPrivilege.java‎
Lines changed: 4 additions & 17 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java‎
Lines changed: 47 additions & 7 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java‎
Lines changed: 47 additions & 7 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java‎
Lines changed: 8 additions & 2 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java‎
Lines changed: 8 additions & 2 deletions
@@ -81,13 +81,9 @@ public Builder addGroup(
             FieldPermissions fieldPermissions,
             @Nullable Set<BytesReference> query,
             boolean allowRestrictedIndices,
-            IndexComponentSelectorPrivilege selectorPrivilege,
             String... indices
         ) {
-            assert privilege != IndexPrivilege.ALL || selectorPrivilege.isTotal() : "all privilege must be associated with all selector";
-            groups.add(
-                new Group(privilege, fieldPermissions, query, allowRestrictedIndices, restrictedIndices, selectorPrivilege, indices)
-            );
+            groups.add(new Group(privilege, fieldPermissions, query, allowRestrictedIndices, restrictedIndices, indices));
             return this;
         }
 
@@ -808,34 +804,13 @@ public static class Group {
         // users. Setting this flag true eliminates the special status for the purpose of this permission - restricted indices still have
         // to be covered by the "indices"
         private final boolean allowRestrictedIndices;
-        private final IndexComponentSelectorPrivilege selectorPrivilege;
-
-        public Group(
-            IndexPrivilege privilege,
-            FieldPermissions fieldPermissions,
-            @Nullable Set<BytesReference> query,
-            boolean allowRestrictedIndices,
-            RestrictedIndices restrictedIndices,
-            String... indices
-        ) {
-            this(
-                privilege,
-                fieldPermissions,
-                query,
-                allowRestrictedIndices,
-                restrictedIndices,
-                IndexComponentSelectorPrivilege.DATA,
-                indices
-            );
-        }
 
         public Group(
             IndexPrivilege privilege,
             FieldPermissions fieldPermissions,
             @Nullable Set<BytesReference> query,
             boolean allowRestrictedIndices,
             RestrictedIndices restrictedIndices,
-            IndexComponentSelectorPrivilege selectorPrivilege,
             String... indices
         ) {
             assert indices.length != 0;
@@ -856,7 +831,6 @@ public Group(
             }
             this.fieldPermissions = Objects.requireNonNull(fieldPermissions);
             this.query = query;
-            this.selectorPrivilege = selectorPrivilege;
         }
 
         public IndexPrivilege privilege() {
@@ -890,7 +864,7 @@ boolean hasQuery() {
         }
 
         public IndexComponentSelectorPrivilege getSelectorPrivilege() {
-            return selectorPrivilege;
+            return privilege.getSelectorPrivilege();
         }
 
         public boolean allowRestrictedIndices() {
@@ -906,9 +880,7 @@ boolean isTotal() {
                 && indexNameMatcher.isTotal()
                 && privilege == IndexPrivilege.ALL
                 && query == null
-                && false == fieldPermissions.hasFieldLevelSecurity()
-                // TODO ensure we want this now, not in a follow up instead
-                && selectorPrivilege.isTotal();
+                && false == fieldPermissions.hasFieldLevelSecurity();
         }
 
         @Override
@@ -924,8 +896,6 @@ public String toString() {
                 + query
                 + ", allowRestrictedIndices="
                 + allowRestrictedIndices
-                + ", selectorPrivilege="
-                + selectorPrivilege
                 + '}';
         }
     }
 
@@ -10,7 +10,6 @@
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
-import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 import org.elasticsearch.xpack.core.security.support.StringMatcher;
@@ -67,8 +66,6 @@ public Builder addGroup(
                         // Deliberately passing EMPTY here since *which* indices are restricted is determined not on the querying cluster
                         // but rather on the fulfilling cluster
                         new RestrictedIndices(Automatons.EMPTY),
-                        // TODO
-                        IndexComponentSelectorPrivilege.DATA,
                         indices
                     )
                 );
 
@@ -253,20 +253,17 @@ public Builder runAs(Privilege privilege) {
         }
 
         public Builder add(IndexPrivilege privilege, String... indices) {
-            return add(FieldPermissions.DEFAULT, null, privilege, false, IndexComponentSelectorPrivilege.DATA, indices);
+            return add(FieldPermissions.DEFAULT, null, privilege, false, indices);
         }
 
         public Builder add(
             FieldPermissions fieldPermissions,
             Set<BytesReference> query,
             IndexPrivilege privilege,
             boolean allowRestrictedIndices,
-            IndexComponentSelectorPrivilege selectorPrivilege,
             String... indices
         ) {
-            groups.add(
-                new IndicesPermissionGroupDefinition(privilege, fieldPermissions, query, allowRestrictedIndices, selectorPrivilege, indices)
-            );
+            groups.add(new IndicesPermissionGroupDefinition(privilege, fieldPermissions, query, allowRestrictedIndices, indices));
             return this;
         }
 
@@ -279,17 +276,7 @@ public Builder addRemoteIndicesGroup(
             final String... indices
         ) {
             remoteIndicesGroups.computeIfAbsent(remoteClusterAliases, k -> new ArrayList<>())
-                .add(
-                    new IndicesPermissionGroupDefinition(
-                        privilege,
-                        fieldPermissions,
-                        query,
-                        allowRestrictedIndices,
-                        // TODO
-                        IndexComponentSelectorPrivilege.DATA,
-                        indices
-                    )
-                );
+                .add(new IndicesPermissionGroupDefinition(privilege, fieldPermissions, query, allowRestrictedIndices, indices));
             return this;
         }
 
@@ -329,7 +316,6 @@ public SimpleRole build() {
                         group.fieldPermissions,
                         group.query,
                         group.allowRestrictedIndices,
-                        group.selectorPrivilege,
                         group.indices
                     );
                 }
@@ -378,22 +364,19 @@ private static class IndicesPermissionGroupDefinition {
             private final FieldPermissions fieldPermissions;
             private final @Nullable Set<BytesReference> query;
             private final boolean allowRestrictedIndices;
-            private final IndexComponentSelectorPrivilege selectorPrivilege;
             private final String[] indices;
 
             private IndicesPermissionGroupDefinition(
                 IndexPrivilege privilege,
                 FieldPermissions fieldPermissions,
                 @Nullable Set<BytesReference> query,
                 boolean allowRestrictedIndices,
-                IndexComponentSelectorPrivilege selectorPrivilege,
                 String... indices
             ) {
                 this.privilege = privilege;
                 this.fieldPermissions = fieldPermissions;
                 this.query = query;
                 this.allowRestrictedIndices = allowRestrictedIndices;
-                this.selectorPrivilege = selectorPrivilege;
                 this.indices = indices;
             }
         }
@@ -428,18 +411,14 @@ static SimpleRole buildFromRoleDescriptor(
             );
             Set<BytesReference> query = indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery());
             boolean allowRestrictedIndices = indexPrivilege.allowRestrictedIndices();
-            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.groupBySelector(
+            Map<IndexComponentSelectorPrivilege, Set<String>> split = IndexComponentSelectorPrivilege.partitionBySelectorPrivilege(
                 indexPrivilege.getPrivileges()
             );
             for (var entry : split.entrySet()) {
-                builder.add(
-                    fieldPermissions,
-                    query,
-                    IndexPrivilege.get(entry.getValue()),
-                    allowRestrictedIndices,
-                    entry.getKey(),
-                    indexPrivilege.getIndices()
-                );
+                IndexPrivilege privilege = IndexPrivilege.get(entry.getValue());
+                assert privilege.getSelectorPrivilege() == entry.getKey()
+                    : "expected selector privilege to match the partitioned privilege";
+                builder.add(fieldPermissions, query, privilege, allowRestrictedIndices, indexPrivilege.getIndices());
             }
         }
 
 
@@ -420,7 +420,6 @@ public ManageRolesPrivilege(List<ManageRolesIndexPermissionGroup> manageRolesInd
                         null,
                         false,
                         // TODO
-                        IndexComponentSelectorPrivilege.DATA,
                         indexPatternPrivilege.indexPatterns()
                     );
                 }
 
@@ -27,11 +27,6 @@ public record IndexComponentSelectorPrivilege(String name, Predicate<IndexCompon
         IndexComponentSelector.FAILURES::equals
     );
 
-    private static final Set<IndexPrivilege> FAILURE_STORE_PRIVILEGE_NAMES = Set.of(
-        IndexPrivilege.READ_FAILURE_STORE,
-        IndexPrivilege.MANAGE_FAILURE_STORE_INTERNAL
-    );
-
     public boolean grants(IndexComponentSelector selector) {
         return predicate.test(selector);
     }
@@ -44,11 +39,11 @@ public static Set<IndexComponentSelectorPrivilege> get(Set<String> indexPrivileg
         return indexPrivileges.stream().map(IndexComponentSelectorPrivilege::get).collect(Collectors.toSet());
     }
 
-    public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelector(String... indexPrivileges) {
-        return groupBySelector(Set.of(indexPrivileges));
+    public static Map<IndexComponentSelectorPrivilege, Set<String>> partitionBySelectorPrivilege(String... indexPrivileges) {
+        return partitionBySelectorPrivilege(Set.of(indexPrivileges));
     }
 
-    public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelector(Set<String> indexPrivileges) {
+    public static Map<IndexComponentSelectorPrivilege, Set<String>> partitionBySelectorPrivilege(Set<String> indexPrivileges) {
         final Set<String> dataAccessPrivileges = new HashSet<>();
         final Set<String> failuresAccessPrivileges = new HashSet<>();
 
@@ -82,14 +77,6 @@ public static Map<IndexComponentSelectorPrivilege, Set<String>> groupBySelector(
     private static IndexComponentSelectorPrivilege get(String indexPrivilegeName) {
         final IndexPrivilege indexPrivilege = IndexPrivilege.getNamedOrNull(indexPrivilegeName);
         // `null` means we got a raw action instead of a named privilege; all raw actions are treated as data access
-        if (indexPrivilege == null) {
-            return DATA;
-        } else if (indexPrivilege == IndexPrivilege.ALL) {
-            return ALL;
-        } else if (FAILURE_STORE_PRIVILEGE_NAMES.contains(indexPrivilege)) {
-            return FAILURES;
-        } else {
-            return DATA;
-        }
+        return indexPrivilege == null ? DATA : indexPrivilege.getSelectorPrivilege();
     }
 }
@@ -178,12 +178,16 @@ public final class IndexPrivilege extends Privilege {
     );
 
     public static final IndexPrivilege NONE = new IndexPrivilege("none", Automatons.EMPTY);
-    public static final IndexPrivilege ALL = new IndexPrivilege("all", ALL_AUTOMATON);
-    // TODO explain
-    public static final IndexPrivilege READ_FAILURE_STORE = new IndexPrivilege("read_failure_store", READ_AUTOMATON);
+    public static final IndexPrivilege ALL = new IndexPrivilege("all", ALL_AUTOMATON, IndexComponentSelectorPrivilege.ALL);
+    public static final IndexPrivilege READ_FAILURE_STORE = new IndexPrivilege(
+        "read_failure_store",
+        READ_AUTOMATON,
+        IndexComponentSelectorPrivilege.FAILURES
+    );
     public static final IndexPrivilege MANAGE_FAILURE_STORE_INTERNAL = new IndexPrivilege(
         "manage_failure_store_internal",
-        MANAGE_AUTOMATON
+        MANAGE_AUTOMATON,
+        IndexComponentSelectorPrivilege.FAILURES
     );
     public static final IndexPrivilege READ = new IndexPrivilege("read", READ_AUTOMATON);
     public static final IndexPrivilege READ_CROSS_CLUSTER = new IndexPrivilege("read_cross_cluster", READ_CROSS_CLUSTER_AUTOMATON);
@@ -253,12 +257,23 @@ public final class IndexPrivilege extends Privilege {
 
     private static final ConcurrentHashMap<Set<String>, IndexPrivilege> CACHE = new ConcurrentHashMap<>();
 
+    private final IndexComponentSelectorPrivilege selectorPrivilege;
+
     private IndexPrivilege(String name, Automaton automaton) {
-        super(Collections.singleton(name), automaton);
+        this(Collections.singleton(name), automaton);
+    }
+
+    private IndexPrivilege(String name, Automaton automaton, IndexComponentSelectorPrivilege selectorPrivilege) {
+        this(Collections.singleton(name), automaton, selectorPrivilege);
     }
 
     private IndexPrivilege(Set<String> name, Automaton automaton) {
+        this(name, automaton, IndexComponentSelectorPrivilege.DATA);
+    }
+
+    private IndexPrivilege(Set<String> name, Automaton automaton, IndexComponentSelectorPrivilege selectorPrivilege) {
         super(name, automaton);
+        this.selectorPrivilege = selectorPrivilege;
     }
 
     public static IndexPrivilege get(Set<String> name) {
@@ -271,6 +286,10 @@ public static IndexPrivilege get(Set<String> name) {
         });
     }
 
+    public IndexComponentSelectorPrivilege getSelectorPrivilege() {
+        return selectorPrivilege;
+    }
+
     public String getSingleName() {
         if (name().size() != 1) {
             throw new IllegalStateException("Expected a single name, but got: " + name());
@@ -291,6 +310,7 @@ private static IndexPrivilege resolve(Set<String> name) {
 
         Set<String> actions = new HashSet<>();
         Set<Automaton> automata = new HashSet<>();
+        Set<IndexComponentSelectorPrivilege> selectorPrivileges = new HashSet<>();
         for (String part : name) {
             part = part.toLowerCase(Locale.ROOT);
             if (ACTION_MATCHER.test(part)) {
@@ -301,6 +321,7 @@ private static IndexPrivilege resolve(Set<String> name) {
                     return indexPrivilege;
                 } else if (indexPrivilege != null) {
                     automata.add(indexPrivilege.automaton);
+                    selectorPrivileges.add(indexPrivilege.getSelectorPrivilege());
                 } else {
                     String errorMessage = "unknown index privilege ["
                         + part
@@ -317,8 +338,20 @@ private static IndexPrivilege resolve(Set<String> name) {
 
         if (actions.isEmpty() == false) {
             automata.add(patterns(actions));
+            selectorPrivileges.add(IndexComponentSelectorPrivilege.DATA);
+        }
+
+        for (IndexComponentSelectorPrivilege selectorPrivilege : selectorPrivileges) {
+            if (selectorPrivilege == IndexComponentSelectorPrivilege.ALL) {
+                return new IndexPrivilege(name, unionAndMinimize(automata), IndexComponentSelectorPrivilege.ALL);
+            }
+        }
+        if (selectorPrivileges.size() != 1) {
+            // TODO assertion and make this clearer
+            throw new IllegalArgumentException("Cannot mix different selector privileges in a single index privilege for [" + name + "]");
         }
-        return new IndexPrivilege(name, unionAndMinimize(automata));
+
+        return new IndexPrivilege(name, unionAndMinimize(automata), selectorPrivileges.iterator().next());
     }
 
     static Map<String, IndexPrivilege> values() {
@@ -336,6 +369,13 @@ public static Set<String> names() {
      * @see Privilege#sortByAccessLevel
      */
     public static Collection<String> findPrivilegesThatGrant(String action) {
-        return VALUES.entrySet().stream().filter(e -> e.getValue().predicate.test(action)).map(e -> e.getKey()).toList();
+        return VALUES.entrySet()
+            .stream()
+            .filter(e -> e.getValue().predicate.test(action))
+            // Filter out the failure store privileges since these are confusing w.r.t. authorization failure messages are a handled
+            // separately
+            .filter(e -> false == (e.getValue().getSelectorPrivilege() == IndexComponentSelectorPrivilege.FAILURES))
+            .map(Map.Entry::getKey)
+            .toList();
     }
 }
@@ -11,6 +11,7 @@
 import org.elasticsearch.action.admin.cluster.repositories.get.GetRepositoriesAction;
 import org.elasticsearch.action.admin.indices.alias.TransportIndicesAliasesAction;
 import org.elasticsearch.action.admin.indices.rollover.RolloverAction;
+import org.elasticsearch.cluster.metadata.DataStream;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.util.set.Sets;
@@ -78,7 +79,12 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             RoleDescriptor.IndicesPrivileges.builder().indices("*").privileges("all").allowRestrictedIndices(false).build(),
             RoleDescriptor.IndicesPrivileges.builder()
                 .indices("*")
-                .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failure_store")
+                .privileges(
+                    // TODO are there edge-cases where this is a bad idea?
+                    DataStream.isFailureStoreFeatureFlagEnabled()
+                        ? new String[] { "monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failure_store" }
+                        : new String[] { "monitor", "read", "view_index_metadata", "read_cross_cluster" }
+                )
                 .allowRestrictedIndices(true)
                 .build() },
         new RoleDescriptor.ApplicationResourcePrivileges[] {
@@ -95,7 +101,7 @@ public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListene
             new RoleDescriptor.RemoteIndicesPrivileges(
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("*")
-                    .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster", "read_failure_store")
+                    .privileges("monitor", "read", "view_index_metadata", "read_cross_cluster")
                     .allowRestrictedIndices(true)
                     .build(),
                 "*"
Original file line number	Diff line number	Diff line change
`@@ -420,7 +420,6 @@ public ManageRolesPrivilege(List<ManageRolesIndexPermissionGroup> manageRolesInd`
`420`	`420`	`null,`
`421`	`421`	`false,`
`422`	`422`	`// TODO`
`423`		`- IndexComponentSelectorPrivilege.DATA,`
`424`	`423`	`indexPatternPrivilege.indexPatterns()`
`425`	`424`	`);`
`426`	`425`	`}`