More fixes to issues raised in tests and fixes to tests

Author: gwbrown

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Group.java

@@ -131,7 +131,8 @@ public IndicesPermission.AuthorizedComponents check(String name, IndexAbstractio
                     && group.hasMappingUpdateBwcPermissions
                     && resource != null
                     && resource.getParentDataStream() == null
-                    && resource.getType() != IndexAbstraction.Type.DATA_STREAM) { // ATHE does this grant too often?
+                    && resource.getType() != IndexAbstraction.Type.DATA_STREAM
+                    && group.indexNameMatcher.test(name)) {
                     boolean alreadyLogged = deprecationLogEmitted.getAndSet(true);
                     if (alreadyLogged == false) {
                         for (String privilegeName : group.privilege.name()) {
@@ -239,16 +240,12 @@ Automaton getIndexMatcherAutomaton() {
         return indexNameAutomaton.get();
     }
 
-    boolean noFieldLevelSecurity() {
+    boolean allowsTotalDataIndexAccess() {
         return allowRestrictedIndices
             && indexNameMatcher.isTotal()
-            && privilege.name().contains(IndexPrivilege.ALL)
-            && query == null
-            && false == fieldPermissions.hasFieldLevelSecurity();
-    }
-
-    boolean noRestrictions() {
-        return noFieldLevelSecurity() && hasReadFailuresPrivilege;
+            && privilege.name().contains("all") // ATHE: probably make this into a constant
+            && hasReadFailuresPrivilege
+            && query == null;
     }
 
     @Override

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -147,7 +147,7 @@ public IndicesPermission build() {
     private IndicesPermission(RestrictedIndices restrictedIndices, Group[] groups) {
         this.restrictedIndices = restrictedIndices;
         this.groups = groups;
-        this.hasFieldOrDocumentLevelSecurity = Arrays.stream(groups).noneMatch(Group::noFieldLevelSecurity)
+        this.hasFieldOrDocumentLevelSecurity = Arrays.stream(groups).noneMatch(Group::allowsTotalDataIndexAccess)
             && Arrays.stream(groups).anyMatch(g -> g.hasQuery() || g.getFieldPermissions().hasFieldLevelSecurity());
     }
 
@@ -432,13 +432,6 @@ public IndicesAccessControl authorize(
         Map<String, IndexAbstraction> lookup,
         FieldPermissionsCache fieldPermissionsCache
     ) {
-        // Short circuit if the indicesPermission allows all access to every index
-        for (Group group : groups) {
-            if (group.noRestrictions()) {
-                return IndicesAccessControl.allowAll();
-            }
-        }
-
         final Map<String, IndexResource> resources = Maps.newMapWithExpectedSize(requestedIndicesOrAliases.size());
         int totalResourceCount = 0;
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java

@@ -455,12 +455,9 @@ static String getPutMappingIndexOrAlias(PutMappingRequest request, Predicate<Str
                 for (var aliasMd : foundAliases.values()) {
                     String aliasName = aliasMd.alias();
                     IndexAbstraction aliasAbstraction = metadata.getIndicesLookup().get(aliasName);
-                    List<Index> indices = aliasAbstraction.getIndices();
-                    if (indices.size() == 1 || Boolean.TRUE.equals(aliasMd.writeIndex())) {
-                        return aliasName;
-                    } else {
-                        assert aliasAbstraction.getType() == IndexAbstraction.Type.ALIAS;
-                        Index writeIndex = aliasAbstraction.getWriteIndex();
+                    assert aliasAbstraction.getType() == IndexAbstraction.Type.ALIAS;
+                    Index writeIndex = aliasAbstraction.getWriteIndex();
+                    if (writeIndex != null) {
                         if (concreteIndexName.equals(writeIndex.getName()) && isAuthorized.test(aliasName)) {
                             return aliasName;
                         }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java

@@ -42,6 +42,7 @@
 import org.elasticsearch.cluster.metadata.Metadata;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.UUIDs;
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;
@@ -341,7 +342,7 @@ public void setup() {
             new RoleDescriptor(
                 "data_stream_test3",
                 null,
-                new IndicesPrivileges[] { IndicesPrivileges.builder().indices("logs*").privileges("all").build() },
+                new IndicesPrivileges[] { IndicesPrivileges.builder().indices("logs*").privileges("all", "read_failures").build() },
                 null
             )
         );
@@ -1929,40 +1930,45 @@ public void testAliasDateMathExpressionNotSupported() {
         assertThat(request.aliases(), arrayContainingInAnyOrder("<datetime-{now/M}>"));
     }
 
-    // public void testDynamicPutMappingRequestFromAlias() {
-    // PutMappingRequest request = new PutMappingRequest(Strings.EMPTY_ARRAY).setConcreteIndex(new Index("foofoo", UUIDs.base64UUID()));
-    // User user = new User("alias-writer", "alias_read_write");
-    // AuthorizedIndices authorizedIndices = buildAuthorizedIndices(user, TransportPutMappingAction.TYPE.name());
-    //
-    // String putMappingIndexOrAlias = IndicesAndAliasesResolver.getPutMappingIndexOrAlias(request, authorizedIndices::check, metadata);
-    // assertEquals("barbaz", putMappingIndexOrAlias);
-    //
-    // // multiple indices map to an alias so we can only return the concrete index
-    // final String index = randomFrom("foo", "foobar");
-    // request = new PutMappingRequest(Strings.EMPTY_ARRAY).setConcreteIndex(new Index(index, UUIDs.base64UUID()));
-    // putMappingIndexOrAlias = IndicesAndAliasesResolver.getPutMappingIndexOrAlias(request, authorizedIndices::check, metadata);
-    // assertEquals(index, putMappingIndexOrAlias);
-    // }
-    //
-    // public void testWhenAliasToMultipleIndicesAndUserIsAuthorizedUsingAliasReturnsAliasNameForDynamicPutMappingRequestOnWriteIndex() {
-    // String index = "logs-00003"; // write index
-    // PutMappingRequest request = new PutMappingRequest(Strings.EMPTY_ARRAY).setConcreteIndex(new Index(index, UUIDs.base64UUID()));
-    // assert metadata.getIndicesLookup().get("logs-alias").getIndices().size() == 3;
-    // String putMappingIndexOrAlias = IndicesAndAliasesResolver.getPutMappingIndexOrAlias(request, "logs-alias"::equals, metadata);
-    // String message = "user is authorized to access `logs-alias` and the put mapping request is for a write index"
-    // + "so this should have returned the alias name";
-    // assertEquals(message, "logs-alias", putMappingIndexOrAlias);
-    // }
-
-    // public void testWhenAliasToMultipleIndicesAndUserIsAuthorizedUsingAliasReturnsIndexNameForDynamicPutMappingRequestOnReadIndex() {
-    // String index = "logs-00002"; // read index
-    // PutMappingRequest request = new PutMappingRequest(Strings.EMPTY_ARRAY).setConcreteIndex(new Index(index, UUIDs.base64UUID()));
-    // assert metadata.getIndicesLookup().get("logs-alias").getIndices().size() == 3;
-    // String putMappingIndexOrAlias = IndicesAndAliasesResolver.getPutMappingIndexOrAlias(request, "logs-alias"::equals, metadata);
-    // String message = "user is authorized to access `logs-alias` and the put mapping request is for a read index"
-    // + "so this should have returned the concrete index as fallback";
-    // assertEquals(message, index, putMappingIndexOrAlias);
-    // }
+    public void testDynamicPutMappingRequestFromAlias() {
+        PutMappingRequest request = new PutMappingRequest(Strings.EMPTY_ARRAY).setConcreteIndex(new Index("foofoo", UUIDs.base64UUID()));
+        User user = new User("alias-writer", "alias_read_write");
+        AuthorizedIndices authorizedIndices = buildAuthorizedIndices(user, TransportPutMappingAction.TYPE.name());
+
+        String putMappingIndexOrAlias = IndicesAndAliasesResolver.getPutMappingIndexOrAlias(request, authorizedIndices::check, metadata);
+        assertEquals("barbaz", putMappingIndexOrAlias);
+
+        // multiple indices map to an alias so we can only return the concrete index
+        final String index = randomFrom("foo", "foobar");
+        request = new PutMappingRequest(Strings.EMPTY_ARRAY).setConcreteIndex(new Index(index, UUIDs.base64UUID()));
+        putMappingIndexOrAlias = IndicesAndAliasesResolver.getPutMappingIndexOrAlias(request, authorizedIndices::check, metadata);
+        assertEquals(index, putMappingIndexOrAlias);
+        assertWarnings(
+            "the index privilege [write] allowed the update mapping action [indices:admin/mapping/put] on "
+                + "index [barbaz], this privilege will not permit mapping updates in the next major release - users who require access to "
+                + "update mappings must be granted explicit privileges"
+        );
+    }
+
+    public void testWhenAliasToMultipleIndicesAndUserIsAuthorizedUsingAliasReturnsAliasNameForDynamicPutMappingRequestOnWriteIndex() {
+        String index = "logs-00003"; // write index
+        PutMappingRequest request = new PutMappingRequest(Strings.EMPTY_ARRAY).setConcreteIndex(new Index(index, UUIDs.base64UUID()));
+        assert metadata.getIndicesLookup().get("logs-alias").getIndices().size() == 3;
+        String putMappingIndexOrAlias = IndicesAndAliasesResolver.getPutMappingIndexOrAlias(request, "logs-alias"::equals, metadata);
+        String message = "user is authorized to access `logs-alias` and the put mapping request is for a write index"
+            + "so this should have returned the alias name";
+        assertEquals(message, "logs-alias", putMappingIndexOrAlias);
+    }
+
+    public void testWhenAliasToMultipleIndicesAndUserIsAuthorizedUsingAliasReturnsIndexNameForDynamicPutMappingRequestOnReadIndex() {
+        String index = "logs-00002"; // read index
+        PutMappingRequest request = new PutMappingRequest(Strings.EMPTY_ARRAY).setConcreteIndex(new Index(index, UUIDs.base64UUID()));
+        assert metadata.getIndicesLookup().get("logs-alias").getIndices().size() == 3;
+        String putMappingIndexOrAlias = IndicesAndAliasesResolver.getPutMappingIndexOrAlias(request, "logs-alias"::equals, metadata);
+        String message = "user is authorized to access `logs-alias` and the put mapping request is for a read index"
+            + "so this should have returned the concrete index as fallback";
+        assertEquals(message, index, putMappingIndexOrAlias);
+    }
 
     public void testHiddenIndicesResolution() {
         SearchRequest searchRequest = new SearchRequest();

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java

@@ -582,11 +582,6 @@ public void testAuthorizationForMappingUpdates() {
                 + "] on "
                 + "index [test_write1], this privilege will not permit mapping updates in the next major release - "
                 + "users who require access to update mappings must be granted explicit privileges",
-            "the index privilege [write] allowed the update mapping action ["
-                + TransportPutMappingAction.TYPE.name()
-                + "] on "
-                + "index [test1], this privilege will not permit mapping updates in the next major release - "
-                + "users who require access to update mappings must be granted explicit privileges",
             "the index privilege [write] allowed the update mapping action ["
                 + TransportPutMappingAction.TYPE.name()
                 + "] on "
@@ -679,9 +674,10 @@ public void testIndicesPermissionHasFieldOrDocumentLevelSecurity() {
         ).build();
         assertThat(indicesPermission2.hasFieldOrDocumentLevelSecurity(), is(false));
 
-        // IsTotal means NO DLS/FLS even when there is another group that has DLS/FLS
+        // allowsTotalDataIndexAccess means NO DLS/FLS even when there is another group that has DLS/FLS
+        // failure store indices are not considered as
         final IndicesPermission indicesPermission3 = new IndicesPermission.Builder(RESTRICTED_INDICES).addGroup(
-            IndexPrivilege.ALL,
+            IndexPrivilege.get(Set.of("all", "read_failures")),
             FieldPermissions.DEFAULT,
             null,
             true,