Dedicated internal user for cross cluster access (#94531)

This PR introduces a dedicated user `_cross_cluster_access` to perform
internal orchestration actions for cross cluster operations under the
configurable remote cluster security model. This improves the clarity of
audit logs, error messages, and other contexts compared to re-using the
system user.

We perform the switch from a local system user to the
`_cross_cluster_access` internal user on the querying cluster, when we
intercept the outbound request. Semantically, this is the most sensible
approach: the context of the cross cluster internal actions starts on
the querying cluster. Instead of sending the internal user's predefined
role descriptors, we let the fulfilling cluster resolve them. This makes
the approach more robust w.r.t. future changes to the user permissions.

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java

@@ -36,6 +36,7 @@
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
 import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
+import org.elasticsearch.xpack.core.security.user.CrossClusterAccessUser;
 import org.elasticsearch.xpack.core.security.user.SecurityProfileUser;
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
@@ -1407,6 +1408,8 @@ private static User readUserWithoutTrailingBoolean(StreamInput input) throws IOE
                     return SecurityProfileUser.INSTANCE;
                 } else if (AsyncSearchUser.NAME.equals(username)) {
                     return AsyncSearchUser.INSTANCE;
+                } else if (CrossClusterAccessUser.NAME.equals(username)) {
+                    return CrossClusterAccessUser.INSTANCE;
                 }
                 throw new IllegalStateException("username [" + username + "] does not match any internal user");
             }
@@ -1431,6 +1434,8 @@ private static void writeInternalUser(User user, StreamOutput output) throws IOE
                 output.writeString(SecurityProfileUser.NAME);
             } else if (AsyncSearchUser.is(user)) {
                 output.writeString(AsyncSearchUser.NAME);
+            } else if (CrossClusterAccessUser.is(user)) {
+                output.writeString(CrossClusterAccessUser.NAME);
             } else {
                 assert false;
                 throw new IllegalStateException("user [" + user + "] is not internal");

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/CrossClusterAccessSubjectInfo.java

@@ -105,7 +105,6 @@ private static List<RoleDescriptorsBytes> toRoleDescriptorsBytesList(final RoleD
         throws IOException {
         // If we ever lift this restriction, we need to ensure that the serialization of each set of role descriptors to raw bytes is
         // deterministic. We can do so by sorting the role descriptors before serializing.
-
         assert roleDescriptorsIntersection.roleDescriptorsList().stream().noneMatch(rds -> rds.size() > 1)
             : "sets with more than one role descriptor are not supported for cross cluster access authentication";
         final List<RoleDescriptorsBytes> roleDescriptorsBytesList = new ArrayList<>();

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/CrossClusterAccessUser.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.user;
+
+import org.elasticsearch.TransportVersion;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfo;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+
+public class CrossClusterAccessUser extends User {
+    public static final String NAME = UsernamesField.CROSS_CLUSTER_ACCESS_NAME;
+
+    private static final RoleDescriptor ROLE_DESCRIPTOR = new RoleDescriptor(
+        UsernamesField.CROSS_CLUSTER_ACCESS_ROLE,
+        new String[] { "cross_cluster_access" },
+        null,
+        null,
+        null,
+        null,
+        null,
+        null,
+        null
+    );
+
+    public static final User INSTANCE = new CrossClusterAccessUser();
+
+    private CrossClusterAccessUser() {
+        super(NAME, Strings.EMPTY_ARRAY);
+        // the following traits, and especially the run-as one, go with all the internal users
+        // TODO abstract in a base `InternalUser` class
+        assert enabled();
+        assert roles() != null && roles().length == 0;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        return INSTANCE == o;
+    }
+
+    @Override
+    public int hashCode() {
+        return System.identityHashCode(this);
+    }
+
+    public static boolean is(User user) {
+        return INSTANCE.equals(user);
+    }
+
+    public static CrossClusterAccessSubjectInfo subjectInfoWithRoleDescriptors(TransportVersion transportVersion, String nodeName) {
+        return subjectInfo(transportVersion, nodeName, new RoleDescriptorsIntersection(ROLE_DESCRIPTOR));
+    }
+
+    public static CrossClusterAccessSubjectInfo subjectInfoWithEmptyRoleDescriptors(TransportVersion transportVersion, String nodeName) {
+        return subjectInfo(transportVersion, nodeName, RoleDescriptorsIntersection.EMPTY);
+    }
+
+    private static CrossClusterAccessSubjectInfo subjectInfo(
+        TransportVersion transportVersion,
+        String nodeName,
+        RoleDescriptorsIntersection roleDescriptorsIntersection
+    ) {
+        try {
+            return new CrossClusterAccessSubjectInfo(
+                Authentication.newInternalAuthentication(INSTANCE, transportVersion, nodeName),
+                roleDescriptorsIntersection
+            );
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/User.java

@@ -152,7 +152,8 @@ public static boolean isInternal(User user) {
             || XPackUser.is(user)
             || XPackSecurityUser.is(user)
             || SecurityProfileUser.is(user)
-            || AsyncSearchUser.is(user);
+            || AsyncSearchUser.is(user)
+            || CrossClusterAccessUser.is(user);
     }
 
     /** Write the given {@link User} */

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/user/UsernamesField.java

@@ -16,6 +16,8 @@ public final class UsernamesField {
     public static final String SYSTEM_ROLE = "_system";
     public static final String XPACK_SECURITY_NAME = "_xpack_security";
     public static final String XPACK_SECURITY_ROLE = "_xpack_security";
+    public static final String CROSS_CLUSTER_ACCESS_NAME = "_cross_cluster_access";
+    public static final String CROSS_CLUSTER_ACCESS_ROLE = "_cross_cluster_access";
     public static final String SECURITY_PROFILE_NAME = "_security_profile";
     public static final String SECURITY_PROFILE_ROLE = "_security_profile";
     public static final String XPACK_NAME = "_xpack";

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java

@@ -30,6 +30,7 @@
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
 import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
+import org.elasticsearch.xpack.core.security.user.CrossClusterAccessUser;
 import org.elasticsearch.xpack.core.security.user.SecurityProfileUser;
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
@@ -81,7 +82,8 @@ public class AuthenticationTestHelper {
         XPackUser.INSTANCE,
         XPackSecurityUser.INSTANCE,
         AsyncSearchUser.INSTANCE,
-        SecurityProfileUser.INSTANCE
+        SecurityProfileUser.INSTANCE,
+        CrossClusterAccessUser.INSTANCE
     );
 
     public static AuthenticationTestBuilder builder() {
@@ -234,35 +236,62 @@ public static String randomInternalRoleName() {
             UsernamesField.XPACK_ROLE,
             UsernamesField.ASYNC_SEARCH_ROLE,
             UsernamesField.XPACK_SECURITY_ROLE,
-            UsernamesField.SECURITY_PROFILE_ROLE
+            UsernamesField.SECURITY_PROFILE_ROLE,
+            UsernamesField.CROSS_CLUSTER_ACCESS_ROLE
         );
     }
 
     public static CrossClusterAccessSubjectInfo randomCrossClusterAccessSubjectInfo(
         RoleDescriptorsIntersection roleDescriptorsIntersection
     ) {
         try {
-            final Authentication authentication = randomCrossClusterAccessSupportedAuthenticationSubject();
+            final Authentication authentication = randomCrossClusterAccessSupportedAuthenticationSubject(false);
             return new CrossClusterAccessSubjectInfo(authentication, roleDescriptorsIntersection);
         } catch (IOException e) {
             throw new UncheckedIOException(e);
         }
     }
 
-    private static Authentication randomCrossClusterAccessSupportedAuthenticationSubject() {
-        return ESTestCase.randomFrom(
-            AuthenticationTestHelper.builder().realm(),
-            AuthenticationTestHelper.builder().internal(SystemUser.INSTANCE),
-            AuthenticationTestHelper.builder().apiKey()
-        ).build();
+    public static CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfoForInternalUser(boolean emptyRoleDescriptors) {
+        final Authentication authentication = AuthenticationTestHelper.builder().internal(CrossClusterAccessUser.INSTANCE).build();
+        return emptyRoleDescriptors
+            ? CrossClusterAccessUser.subjectInfoWithEmptyRoleDescriptors(
+                authentication.getEffectiveSubject().getTransportVersion(),
+                authentication.getEffectiveSubject().getRealm().getNodeName()
+            )
+            : CrossClusterAccessUser.subjectInfoWithRoleDescriptors(
+                authentication.getEffectiveSubject().getTransportVersion(),
+                authentication.getEffectiveSubject().getRealm().getNodeName()
+            );
+    }
+
+    private static Authentication randomCrossClusterAccessSupportedAuthenticationSubject(boolean allowInternalUser) {
+        final Set<String> allowedTypes = new HashSet<>(Set.of("realm", "apikey"));
+        if (allowInternalUser) {
+            allowedTypes.add("internal");
+        }
+        final String type = ESTestCase.randomFrom(allowedTypes.toArray(new String[0]));
+        return switch (type) {
+            case "realm" -> AuthenticationTestHelper.builder().realm().build();
+            case "apikey" -> AuthenticationTestHelper.builder().apiKey().build();
+            case "internal" -> AuthenticationTestHelper.builder().internal(CrossClusterAccessUser.INSTANCE).build();
+            default -> throw new UnsupportedOperationException("unknown type " + type);
+        };
     }
 
     public static CrossClusterAccessSubjectInfo randomCrossClusterAccessSubjectInfo() {
-        final Authentication authentication = randomCrossClusterAccessSupportedAuthenticationSubject();
+        return randomCrossClusterAccessSubjectInfo(true);
+    }
+
+    public static CrossClusterAccessSubjectInfo randomCrossClusterAccessSubjectInfo(boolean allowInternalUser) {
+        final Authentication authentication = randomCrossClusterAccessSupportedAuthenticationSubject(allowInternalUser);
         return randomCrossClusterAccessSubjectInfo(authentication);
     }
 
     public static CrossClusterAccessSubjectInfo randomCrossClusterAccessSubjectInfo(final Authentication authentication) {
+        if (CrossClusterAccessUser.is(authentication.getEffectiveSubject().getUser())) {
+            return crossClusterAccessSubjectInfoForInternalUser(false);
+        }
         final int numberOfRoleDescriptors;
         if (authentication.isApiKey()) {
             // In case of API keys, we can have either 1 (only owner's - aka limited-by) or 2 role descriptors.

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java

@@ -140,7 +140,7 @@ public void testCanAccessResourcesOf() {
 
     public void testCrossClusterAccessCanAccessResourceOf() throws IOException {
         final String apiKeyId1 = randomAlphaOfLengthBetween(10, 20);
-        final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo1 = randomCrossClusterAccessSubjectInfo(
+        final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo1 = AuthenticationTestHelper.randomCrossClusterAccessSubjectInfo(
             AuthenticationTestHelper.builder().realm().build()
         );
         final Authentication authentication = AuthenticationTestHelper.builder()

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/crossclusteraccess/CrossClusterAccessHeadersForCcsRestIT.java

@@ -49,7 +49,7 @@
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
-import org.elasticsearch.xpack.core.security.user.SystemUser;
+import org.elasticsearch.xpack.core.security.user.CrossClusterAccessUser;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.SecurityOnTrialLicenseRestTestCase;
 import org.elasticsearch.xpack.security.authc.ApiKeyService;
@@ -942,23 +942,19 @@ private void expectActionsAndHeadersForCluster(
         );
         for (CapturedActionWithHeaders actual : actualActionsWithHeaders) {
             switch (actual.action) {
-                // this action is run by the system user, so we expect a cross cluster access header with an internal user authentication
-                // and empty role descriptors intersection
+                // this action is run by the cross cluster access user, so we expect a cross cluster access header with an internal user
+                // authentication and pre-defined role descriptors intersection
                 case RemoteClusterNodesAction.NAME -> {
                     assertContainsCrossClusterAccessHeaders(actual.headers());
                     assertContainsCrossClusterAccessCredentialsHeader(encodedCredential, actual);
                     final var actualCrossClusterAccessSubjectInfo = CrossClusterAccessSubjectInfo.decode(
                         actual.headers().get(CrossClusterAccessSubjectInfo.CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY)
                     );
-                    final var expectedCrossClusterAccessSubjectInfo = new CrossClusterAccessSubjectInfo(
-                        Authentication.newInternalAuthentication(
-                            SystemUser.INSTANCE,
-                            TransportVersion.CURRENT,
-                            // Since we are running on a multi-node cluster the actual node name may be different between runs
-                            // so just copy the one from the actual result
-                            actualCrossClusterAccessSubjectInfo.getAuthentication().getEffectiveSubject().getRealm().getNodeName()
-                        ),
-                        RoleDescriptorsIntersection.EMPTY
+                    final var expectedCrossClusterAccessSubjectInfo = CrossClusterAccessUser.subjectInfoWithEmptyRoleDescriptors(
+                        TransportVersion.CURRENT,
+                        // Since we are running on a multi-node cluster the actual node name may be different between runs
+                        // so just copy the one from the actual result
+                        actualCrossClusterAccessSubjectInfo.getAuthentication().getEffectiveSubject().getRealm().getNodeName()
                     );
                     assertThat(actualCrossClusterAccessSubjectInfo, equalTo(expectedCrossClusterAccessSubjectInfo));
                 }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/integration/InternalUserAndRoleIntegTests.java

@@ -14,6 +14,7 @@
 import org.elasticsearch.xpack.core.XPackPlugin;
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
+import org.elasticsearch.xpack.core.security.user.CrossClusterAccessUser;
 import org.elasticsearch.xpack.core.security.user.SecurityProfileUser;
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.UsernamesField;
@@ -30,14 +31,16 @@ public class InternalUserAndRoleIntegTests extends AbstractPrivilegeTestCase {
         XPackUser.NAME,
         XPackSecurityUser.NAME,
         AsyncSearchUser.NAME,
-        SecurityProfileUser.NAME };
+        SecurityProfileUser.NAME,
+        CrossClusterAccessUser.NAME };
 
     private static final String[] INTERNAL_ROLE_NAMES = new String[] {
         UsernamesField.SYSTEM_ROLE,
         UsernamesField.XPACK_ROLE,
         UsernamesField.XPACK_SECURITY_ROLE,
         UsernamesField.ASYNC_SEARCH_ROLE,
-        UsernamesField.SECURITY_PROFILE_ROLE };
+        UsernamesField.SECURITY_PROFILE_ROLE,
+        UsernamesField.CROSS_CLUSTER_ACCESS_ROLE };
     public static final String NON_INTERNAL_USERNAME = "user";
     public static final String NON_INTERNAL_ROLE_NAME = "role";