Add redacted cluster credentials to RemoteConnectionInfo response (#94527)

This PR adds a redacted cluster_credentials field to the
RemoteConnctionInfo API response to differenitate between basic and RCS
remote clusters. The new field is available only for RCS remote
clusters.

Author: ywangd

qa/ccs-common-rest/src/yamlRestTest/java/org/elasticsearch/test/rest/yaml/CcsCommonYamlTestSuiteIT.java

@@ -176,6 +176,7 @@ public void initSearchClient() throws IOException {
             assertOK(response);
             ObjectPath responseObject = ObjectPath.createFromResponse(response);
             assertNotNull(responseObject.evaluate(REMOTE_CLUSTER_NAME));
+            assertNull(responseObject.evaluate(REMOTE_CLUSTER_NAME + ".cluster_credentials"));
             logger.info("Established connection to remote cluster [" + REMOTE_CLUSTER_NAME + "]");
         }
 

qa/ccs-common-rest/src/yamlRestTest/java/org/elasticsearch/test/rest/yaml/RcsCcsCommonYamlTestSuiteIT.java

@@ -194,6 +194,7 @@ public void initSearchClient() throws IOException {
             assertOK(response);
             ObjectPath responseObject = ObjectPath.createFromResponse(response);
             assertNotNull(responseObject.evaluate(REMOTE_CLUSTER_NAME));
+            assertEquals("::es_redacted::", responseObject.evaluate(REMOTE_CLUSTER_NAME + ".cluster_credentials"));
             logger.info("Established connection to remote cluster [" + REMOTE_CLUSTER_NAME + "]");
         }
 

server/src/main/java/org/elasticsearch/transport/RemoteClusterConnection.java

@@ -197,7 +197,13 @@ boolean isNodeConnected(final DiscoveryNode node) {
      * Get the information about remote nodes to be rendered on {@code _remote/info} requests.
      */
     public RemoteConnectionInfo getConnectionInfo() {
-        return new RemoteConnectionInfo(clusterAlias, connectionStrategy.getModeInfo(), initialConnectionTimeout, skipUnavailable);
+        return new RemoteConnectionInfo(
+            clusterAlias,
+            connectionStrategy.getModeInfo(),
+            initialConnectionTimeout,
+            skipUnavailable,
+            REMOTE_CLUSTER_PROFILE.equals(remoteConnectionManager.getConnectionProfile().getTransportProfile())
+        );
     }
 
     int getNumNodesConnected() {

server/src/main/java/org/elasticsearch/transport/RemoteClusterPortSettings.java

@@ -8,6 +8,7 @@
 
 package org.elasticsearch.transport;
 
+import org.elasticsearch.TransportVersion;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.ByteSizeValue;
@@ -35,6 +36,9 @@
  * Contains the settings and some associated logic for the settings related to the Remote Access port, used by Remote Cluster Security 2.0.
  */
 public class RemoteClusterPortSettings {
+
+    public static final TransportVersion TRANSPORT_VERSION_REMOTE_CLUSTER_SECURITY = TransportVersion.V_8_8_0;
+
     public static final String REMOTE_CLUSTER_PROFILE = "_remote_cluster";
     public static final String REMOTE_CLUSTER_PREFIX = "remote_cluster.";
 

server/src/main/java/org/elasticsearch/transport/RemoteConnectionInfo.java

@@ -21,6 +21,8 @@
 import java.util.List;
 import java.util.Objects;
 
+import static org.elasticsearch.transport.RemoteClusterPortSettings.TRANSPORT_VERSION_REMOTE_CLUSTER_SECURITY;
+
 /**
  * This class encapsulates all remote cluster information to be rendered on
  * {@code _remote/info} requests.
@@ -31,12 +33,20 @@ public final class RemoteConnectionInfo implements ToXContentFragment, Writeable
     final TimeValue initialConnectionTimeout;
     final String clusterAlias;
     final boolean skipUnavailable;
-
-    public RemoteConnectionInfo(String clusterAlias, ModeInfo modeInfo, TimeValue initialConnectionTimeout, boolean skipUnavailable) {
+    final boolean hasClusterCredentials;
+
+    public RemoteConnectionInfo(
+        String clusterAlias,
+        ModeInfo modeInfo,
+        TimeValue initialConnectionTimeout,
+        boolean skipUnavailable,
+        boolean hasClusterCredentials
+    ) {
         this.clusterAlias = clusterAlias;
         this.modeInfo = modeInfo;
         this.initialConnectionTimeout = initialConnectionTimeout;
         this.skipUnavailable = skipUnavailable;
+        this.hasClusterCredentials = hasClusterCredentials;
     }
 
     public RemoteConnectionInfo(StreamInput input) throws IOException {
@@ -46,6 +56,11 @@ public RemoteConnectionInfo(StreamInput input) throws IOException {
             initialConnectionTimeout = input.readTimeValue();
             clusterAlias = input.readString();
             skipUnavailable = input.readBoolean();
+            if (input.getTransportVersion().onOrAfter(TRANSPORT_VERSION_REMOTE_CLUSTER_SECURITY)) {
+                hasClusterCredentials = input.readBoolean();
+            } else {
+                hasClusterCredentials = false;
+            }
         } else {
             List<String> seedNodes = Arrays.asList(input.readStringArray());
             int connectionsPerCluster = input.readVInt();
@@ -54,6 +69,7 @@ public RemoteConnectionInfo(StreamInput input) throws IOException {
             clusterAlias = input.readString();
             skipUnavailable = input.readBoolean();
             modeInfo = new SniffConnectionStrategy.SniffModeInfo(seedNodes, connectionsPerCluster, numNodesConnected);
+            hasClusterCredentials = false;
         }
     }
 
@@ -99,6 +115,9 @@ public void writeTo(StreamOutput out) throws IOException {
         }
         out.writeString(clusterAlias);
         out.writeBoolean(skipUnavailable);
+        if (out.getTransportVersion().onOrAfter(TRANSPORT_VERSION_REMOTE_CLUSTER_SECURITY)) {
+            out.writeBoolean(hasClusterCredentials);
+        }
     }
 
     @Override
@@ -110,6 +129,9 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
             modeInfo.toXContent(builder, params);
             builder.field("initial_connect_timeout", initialConnectionTimeout);
             builder.field("skip_unavailable", skipUnavailable);
+            if (hasClusterCredentials) {
+                builder.field("cluster_credentials", "::es_redacted::");
+            }
         }
         builder.endObject();
         return builder;
@@ -123,12 +145,13 @@ public boolean equals(Object o) {
         return skipUnavailable == that.skipUnavailable
             && Objects.equals(modeInfo, that.modeInfo)
             && Objects.equals(initialConnectionTimeout, that.initialConnectionTimeout)
-            && Objects.equals(clusterAlias, that.clusterAlias);
+            && Objects.equals(clusterAlias, that.clusterAlias)
+            && hasClusterCredentials == that.hasClusterCredentials;
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(modeInfo, initialConnectionTimeout, clusterAlias, skipUnavailable);
+        return Objects.hash(modeInfo, initialConnectionTimeout, clusterAlias, skipUnavailable, hasClusterCredentials);
     }
 
     public interface ModeInfo extends ToXContentFragment, Writeable {

server/src/test/java/org/elasticsearch/transport/RemoteClusterConnectionTests.java

@@ -374,18 +374,58 @@ public void run() {
     }
 
     public void testGetConnectionInfo() throws Exception {
+        doTestGetConnectionInfo(false);
+        doTestGetConnectionInfo(true);
+    }
+
+    private void doTestGetConnectionInfo(boolean hasClusterCredentials) throws Exception {
         List<DiscoveryNode> knownNodes = new CopyOnWriteArrayList<>();
+        final Settings seedTransportSettings;
+        if (hasClusterCredentials) {
+            seedTransportSettings = Settings.builder()
+                .put(RemoteClusterPortSettings.REMOTE_CLUSTER_SERVER_ENABLED.getKey(), "true")
+                .put(RemoteClusterPortSettings.PORT.getKey(), "0")
+                .build();
+        } else {
+            seedTransportSettings = Settings.EMPTY;
+        }
         try (
-            MockTransportService transport1 = startTransport("seed_node", knownNodes, Version.CURRENT, TransportVersion.CURRENT);
-            MockTransportService transport2 = startTransport("seed_node_1", knownNodes, Version.CURRENT, TransportVersion.CURRENT);
-            MockTransportService transport3 = startTransport("discoverable_node", knownNodes, Version.CURRENT, TransportVersion.CURRENT)
+            MockTransportService transport1 = startTransport(
+                "seed_node",
+                knownNodes,
+                Version.CURRENT,
+                TransportVersion.CURRENT,
+                threadPool,
+                seedTransportSettings
+            );
+            MockTransportService transport2 = startTransport(
+                "seed_node_1",
+                knownNodes,
+                Version.CURRENT,
+                TransportVersion.CURRENT,
+                threadPool,
+                seedTransportSettings
+            );
+            MockTransportService transport3 = startTransport(
+                "discoverable_node",
+                knownNodes,
+                Version.CURRENT,
+                TransportVersion.CURRENT,
+                threadPool,
+                seedTransportSettings
+            )
         ) {
             DiscoveryNode node1 = transport1.getLocalDiscoNode();
             DiscoveryNode node2 = transport3.getLocalDiscoNode();
             DiscoveryNode node3 = transport2.getLocalDiscoNode();
-            knownNodes.add(transport1.getLocalDiscoNode());
-            knownNodes.add(transport3.getLocalDiscoNode());
-            knownNodes.add(transport2.getLocalDiscoNode());
+            if (hasClusterCredentials) {
+                node1 = node1.withTransportAddress(transport1.boundRemoteAccessAddress().publishAddress());
+                node2 = node2.withTransportAddress(transport3.boundRemoteAccessAddress().publishAddress());
+                node3 = node3.withTransportAddress(transport2.boundRemoteAccessAddress().publishAddress());
+            }
+            knownNodes.add(node1);
+            knownNodes.add(node2);
+            knownNodes.add(node3);
             Collections.shuffle(knownNodes, random());
             List<String> seedNodes = addresses(node3, node1, node2);
             Collections.shuffle(seedNodes, random());
@@ -407,6 +447,15 @@ public void testGetConnectionInfo() throws Exception {
                     .put(buildSniffSettings(clusterAlias, seedNodes))
                     .put(SniffConnectionStrategy.REMOTE_CONNECTIONS_PER_CLUSTER.getKey(), maxNumConnections)
                     .build();
+                if (hasClusterCredentials) {
+                    settings = Settings.builder()
+                        .put(settings)
+                        .put(
+                            RemoteClusterService.REMOTE_CLUSTER_AUTHORIZATION.getConcreteSettingForNamespace(clusterAlias).getKey(),
+                            randomAlphaOfLength(20)
+                        )
+                        .build();
+                }
                 try (RemoteClusterConnection connection = new RemoteClusterConnection(settings, clusterAlias, service)) {
                     // test no nodes connected
                     RemoteConnectionInfo remoteConnectionInfo = assertSerialization(connection.getConnectionInfo());
@@ -416,6 +465,7 @@ public void testGetConnectionInfo() throws Exception {
                     assertEquals(3, sniffInfo.seedNodes.size());
                     assertEquals(maxNumConnections, sniffInfo.maxConnectionsPerCluster);
                     assertEquals(clusterAlias, remoteConnectionInfo.clusterAlias);
+                    assertEquals(hasClusterCredentials, remoteConnectionInfo.hasClusterCredentials);
                 }
             }
         }
@@ -436,22 +486,26 @@ public void testRemoteConnectionInfo() throws IOException {
             modeInfo2 = new ProxyConnectionStrategy.ProxyModeInfo(remoteAddresses.get(0), serverName, 18, 17);
         }
 
-        RemoteConnectionInfo stats = new RemoteConnectionInfo("test_cluster", modeInfo1, TimeValue.timeValueMinutes(30), false);
+        RemoteConnectionInfo stats = new RemoteConnectionInfo("test_cluster", modeInfo1, TimeValue.timeValueMinutes(30), false, false);
         assertSerialization(stats);
 
-        RemoteConnectionInfo stats1 = new RemoteConnectionInfo("test_cluster", modeInfo1, TimeValue.timeValueMinutes(30), true);
+        RemoteConnectionInfo stats1 = new RemoteConnectionInfo("test_cluster", modeInfo1, TimeValue.timeValueMinutes(30), true, false);
         assertSerialization(stats1);
         assertNotEquals(stats, stats1);
 
-        stats1 = new RemoteConnectionInfo("test_cluster_1", modeInfo1, TimeValue.timeValueMinutes(30), false);
+        stats1 = new RemoteConnectionInfo("test_cluster_1", modeInfo1, TimeValue.timeValueMinutes(30), false, false);
         assertSerialization(stats1);
         assertNotEquals(stats, stats1);
 
-        stats1 = new RemoteConnectionInfo("test_cluster", modeInfo1, TimeValue.timeValueMinutes(325), false);
+        stats1 = new RemoteConnectionInfo("test_cluster", modeInfo1, TimeValue.timeValueMinutes(325), false, false);
         assertSerialization(stats1);
         assertNotEquals(stats, stats1);
 
-        stats1 = new RemoteConnectionInfo("test_cluster", modeInfo2, TimeValue.timeValueMinutes(30), false);
+        stats1 = new RemoteConnectionInfo("test_cluster", modeInfo2, TimeValue.timeValueMinutes(30), false, false);
+        assertSerialization(stats1);
+        assertNotEquals(stats, stats1);
+
+        stats1 = new RemoteConnectionInfo("test_cluster", modeInfo1, TimeValue.timeValueMinutes(30), false, true);
         assertSerialization(stats1);
         assertNotEquals(stats, stats1);
     }
@@ -481,16 +535,23 @@ public void testRenderConnectionInfoXContent() throws IOException {
         } else {
             modeInfo = new ProxyConnectionStrategy.ProxyModeInfo(remoteAddresses.get(0), serverName, 18, 16);
         }
-
-        RemoteConnectionInfo stats = new RemoteConnectionInfo("test_cluster", modeInfo, TimeValue.timeValueMinutes(30), true);
+        final boolean hasClusterCredentials = randomBoolean();
+
+        RemoteConnectionInfo stats = new RemoteConnectionInfo(
+            "test_cluster",
+            modeInfo,
+            TimeValue.timeValueMinutes(30),
+            true,
+            hasClusterCredentials
+        );
         stats = assertSerialization(stats);
         XContentBuilder builder = XContentFactory.jsonBuilder();
         builder.startObject();
         stats.toXContent(builder, null);
         builder.endObject();
 
         if (sniff) {
-            assertEquals(XContentHelper.stripWhitespace("""
+            assertEquals(XContentHelper.stripWhitespace(Strings.format("""
                 {
                   "test_cluster": {
                     "connected": true,
@@ -499,11 +560,11 @@ public void testRenderConnectionInfoXContent() throws IOException {
                     "num_nodes_connected": 2,
                     "max_connections_per_cluster": 3,
                     "initial_connect_timeout": "30m",
-                    "skip_unavailable": true
+                    "skip_unavailable": true%s
                   }
-                }"""), Strings.toString(builder));
+                }""", hasClusterCredentials ? ",\"cluster_credentials\":\"::es_redacted::\"" : "")), Strings.toString(builder));
         } else {
-            assertEquals(XContentHelper.stripWhitespace("""
+            assertEquals(XContentHelper.stripWhitespace(Strings.format("""
                 {
                   "test_cluster": {
                     "connected": true,
@@ -513,9 +574,9 @@ public void testRenderConnectionInfoXContent() throws IOException {
                     "num_proxy_sockets_connected": 16,
                     "max_proxy_socket_connections": 18,
                     "initial_connect_timeout": "30m",
-                    "skip_unavailable": true
+                    "skip_unavailable": true%s
                   }
-                }"""), Strings.toString(builder));
+                }""", hasClusterCredentials ? ",\"cluster_credentials\":\"::es_redacted::\"" : "")), Strings.toString(builder));
         }
     }
 

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/AbstractRemoteClusterSecurityTestCase.java

@@ -128,6 +128,7 @@ protected String configureRemoteClustersWithApiKey(String indicesPrivilegesJson,
             if (false == isProxyMode) {
                 assertThat(ObjectPath.eval("my_remote_cluster.num_nodes_connected", remoteInfoMap), equalTo(numberOfFcNodes));
             }
+            assertThat(ObjectPath.eval("my_remote_cluster.cluster_credentials", remoteInfoMap), equalTo("::es_redacted::"));
         });
 
         return (String) apiKeyMap.get("id");