Fix privilege requirement for QuerySearchApplicationAction (#96179)

This is a manual backport of #96144 and #96176 that ensures that searching a search_application only requires the read privilege on the underlying alias.

Author: jimczi

server/src/main/java/org/elasticsearch/action/support/IndicesOptions.java

@@ -144,6 +144,10 @@ public enum Option {
         EnumSet.of(Option.FORBID_ALIASES_TO_MULTIPLE_INDICES, Option.FORBID_CLOSED_INDICES),
         EnumSet.noneOf(WildcardStates.class)
     );
+    public static final IndicesOptions STRICT_NO_EXPAND_FORBID_CLOSED = new IndicesOptions(
+        EnumSet.of(Option.FORBID_CLOSED_INDICES),
+        EnumSet.noneOf(WildcardStates.class)
+    );
 
     /**
      * @return Whether specified concrete indices should be ignored when unavailable (missing or closed)
@@ -579,6 +583,13 @@ public static IndicesOptions strictExpandHidden() {
         return STRICT_EXPAND_OPEN_CLOSED_HIDDEN;
     }
 
+    /**
+     * @return indices option that requires each specified index or alias to exist, doesn't expand wildcards.
+     */
+    public static IndicesOptions strictNoExpandForbidClosed() {
+        return STRICT_NO_EXPAND_FORBID_CLOSED;
+    }
+
     /**
      * @return indices option that requires each specified index or alias to exist, doesn't expand wildcards and
      * throws error if any of the aliases resolves to multiple indices

x-pack/plugin/ent-search/qa/rest/build.gradle

@@ -16,6 +16,7 @@ testClusters.configureEach {
   setting 'xpack.security.enabled', 'true'
   setting 'xpack.license.self_generated.type', 'trial'
   extraConfigFile 'roles.yml', file('roles.yml')
-  user username: 'entsearch-admin', password: 'entsearch-admin-password', role: 'superuser'
-  user username: 'entsearch-user', password: 'entsearch-user-password', role: 'entsearch'
+  user username: 'entsearch-superuser', password: 'entsearch-superuser-password', role: 'superuser'
+  user username: 'entsearch-admin', password: 'entsearch-admin-password', role: 'admin'
+  user username: 'entsearch-user', password: 'entsearch-user-password', role: 'user'
 }

x-pack/plugin/ent-search/qa/rest/roles.yml

@@ -1,4 +1,4 @@
-entsearch:
+admin:
   cluster:
     - manage_search_application
     - manage_behavioral_analytics
@@ -12,6 +12,8 @@ entsearch:
         "test-index3",
         "test-index4",
         "test-index-does-not-exist",
+        "test-search-index1",
+        "test-search-index2",
         # Search Applications (needed to create aliases)
         "test-search-application",
         "test-search-application-1",
@@ -23,10 +25,14 @@ entsearch:
         "test-search-application-to-delete",
         "test-nonexistent-search-application",
     ]
-      privileges: [ "manage" ]
+      privileges: [ "manage", "write" ]
+
+user:
+  cluster:
+    - post_behavioral_analytics_event
+  indices:
     - names: [
-      # indices used for indexing and searching
-      "test-search-index1",
-      "test-search-index2",
+      "test-search-application"
     ]
-      privileges: [ "manage", "read", "write" ]
+      privileges: [ "read" ]
+

x-pack/plugin/ent-search/qa/rest/src/yamlRestTest/java/org/elasticsearch/xpack/entsearch/EnterpriseSearchRestIT.java

@@ -30,14 +30,13 @@ public static Iterable<Object[]> parameters() throws Exception {
 
     @Override
     protected Settings restAdminSettings() {
-        final String value = basicAuthHeaderValue("entsearch-admin", new SecureString("entsearch-admin-password".toCharArray()));
+        final String value = basicAuthHeaderValue("entsearch-superuser", new SecureString("entsearch-superuser-password".toCharArray()));
         return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", value).build();
     }
 
     @Override
     protected Settings restClientSettings() {
-        final String value = basicAuthHeaderValue("entsearch-user", new SecureString("entsearch-user-password".toCharArray()));
+        final String value = basicAuthHeaderValue("entsearch-admin", new SecureString("entsearch-admin-password".toCharArray()));
         return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", value).build();
     }
-
 }

x-pack/plugin/ent-search/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/entsearch/55_search_application_search.yml

@@ -84,8 +84,11 @@ teardown:
 
 ---
 "Query Search Application with default parameters":
+  - skip:
+      features: headers
 
   - do:
+      headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" }  # user
       search_application.search:
         name: test-search-application
 
@@ -95,8 +98,11 @@ teardown:
 
 ---
 "Query Search Application overriding part of the parameters":
+  - skip:
+      features: headers
 
   - do:
+      headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" }  # user
       search_application.search:
         name: test-search-application
         body:
@@ -109,8 +115,11 @@ teardown:
 
 ---
 "Query Search Application overriding all parameters":
+  - skip:
+      features: headers
 
   - do:
+      headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" }  # user
       search_application.search:
         name: test-search-application
         body:
@@ -124,36 +133,15 @@ teardown:
 
 ---
 "Query Search Application - not found":
+  - skip:
+      features: headers
 
   - do:
-      catch: "missing"
+      catch: "forbidden"
+      headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" }  # user
       search_application.search:
         name: nonexisting-test-search-application
         body:
           params:
             field_name: field3
             field_value: value3
-
----
-"Query Search Application - no read permissions on index":
-
-  - do:
-      search_application.put:
-        name: test-search-application
-        body:
-          indices: [ "test-search-index1", "test-search-index2", "test-index" ]
-          analytics_collection_name: "test-analytics"
-          template:
-            script:
-              source:
-                query:
-                  term:
-                    "{{field_name}}": "{{field_value}}"
-              params:
-                field_name: field1
-                field_value: value1
-
-  - do:
-      catch: "forbidden"
-      search_application.search:
-        name: test-search-application