Prevent access for users with DLS/FLS to the failure store

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java

@@ -47,6 +47,7 @@
 import java.util.stream.Collectors;
 
 import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
@@ -1388,12 +1389,8 @@ public void testDlsFls() throws Exception {
             Map.of(dataIndexName, Set.of("@timestamp", "age"))
         );
 
-        // FLS sort of applies to failure store
-        // TODO this will change with FLS handling
-        assertSearchResponseContainsExpectedIndicesAndFields(
-            performRequest(user, new Search("test1::failures").toSearchRequest()),
-            Map.of(failureIndexName, Set.of("@timestamp"))
-        );
+        // FLS does not apply to failure store
+        expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest()));
 
         upsertRole(Strings.format("""
             {
@@ -1422,12 +1419,8 @@ public void testDlsFls() throws Exception {
             Map.of(dataIndexName, Set.of("@timestamp", "age"))
         );
 
-        // FLS sort of applies to failure store
-        // TODO this will change with FLS handling
-        assertSearchResponseContainsExpectedIndicesAndFields(
-            performRequest(user, new Search("test1::failures").toSearchRequest()),
-            Map.of(failureIndexName, Set.of("@timestamp"))
-        );
+        // FLS does not apply to failure store
+        expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest()));
 
         upsertRole("""
             {
@@ -1473,7 +1466,8 @@ public void testDlsFls() throws Exception {
              }""", role);
         // DLS applies and no docs match the query
         expectSearch(user, new Search(randomFrom("test1", "test1::data")));
-        expectSearch(user, new Search("test1::failures"));
+        // DLS is not applicable to failure store
+        expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest()));
 
         upsertRole("""
             {
@@ -1488,7 +1482,8 @@ public void testDlsFls() throws Exception {
              }""", role);
         // DLS applies and doc matches the query
         expectSearch(user, new Search(randomFrom("test1", "test1::data")), dataIndexDocId);
-        expectSearch(user, new Search("test1::failures"));
+        // DLS is not applicable to failure store
+        expectFlsDlsError(() -> performRequest(user, new Search("test1::failures").toSearchRequest()));
 
         upsertRole("""
             {
@@ -1827,4 +1822,14 @@ private Tuple<String, String> getSingleDataAndFailureIndices(String dataStreamNa
         assertThat(indices.v2().size(), equalTo(1));
         return new Tuple<>(indices.v1().get(0), indices.v2().get(0));
     }
+
+    private static void expectFlsDlsError(ThrowingRunnable runnable) {
+        var exception = expectThrows(ResponseException.class, runnable);
+        assertThat(
+            exception.getMessage(),
+            containsString(
+                "Failure store access is not allowed for users who have field or document level security enabled on one of the indices"
+            )
+        );
+    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -29,6 +29,7 @@
 import org.elasticsearch.bootstrap.BootstrapCheck;
 import org.elasticsearch.client.internal.Client;
 import org.elasticsearch.cluster.ClusterState;
+import org.elasticsearch.cluster.metadata.DataStream;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.cluster.metadata.IndexTemplateMetadata;
 import org.elasticsearch.cluster.metadata.ProjectId;
@@ -328,6 +329,7 @@
 import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache;
 import org.elasticsearch.xpack.security.authz.interceptor.BulkShardRequestInterceptor;
 import org.elasticsearch.xpack.security.authz.interceptor.DlsFlsLicenseRequestInterceptor;
+import org.elasticsearch.xpack.security.authz.interceptor.FailureStoreRequestInterceptor;
 import org.elasticsearch.xpack.security.authz.interceptor.IndicesAliasesRequestInterceptor;
 import org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor;
 import org.elasticsearch.xpack.security.authz.interceptor.ResizeRequestInterceptor;
@@ -1139,6 +1141,9 @@ Collection<Object> createComponents(
                     new ValidateRequestInterceptor(threadPool, getLicenseState())
                 )
             );
+            if (DataStream.isFailureStoreFeatureFlagEnabled()) {
+                requestInterceptors.add(new FailureStoreRequestInterceptor(threadPool, getLicenseState()));
+            }
         }
         requestInterceptors = Collections.unmodifiableSet(requestInterceptors);
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FailureStoreRequestInterceptor.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authz.interceptor;
+
+import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.IndicesRequest;
+import org.elasticsearch.action.support.IndexComponentSelector;
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.rest.RestStatus;
+import org.elasticsearch.threadpool.ThreadPool;
+import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
+
+import java.util.Map;
+
+public class FailureStoreRequestInterceptor extends FieldAndDocumentLevelSecurityRequestInterceptor {
+
+    public FailureStoreRequestInterceptor(ThreadPool threadPool, XPackLicenseState licenseState) {
+        super(threadPool.getThreadContext(), licenseState);
+    }
+
+    @Override
+    void disableFeatures(
+        IndicesRequest indicesRequest,
+        Map<String, IndicesAccessControl.IndexAccessControl> indicesAccessControlByIndex,
+        ActionListener<Void> listener
+    ) {
+        for (var indexAccessControl : indicesAccessControlByIndex.entrySet()) {
+            if (hasFailuresSelectorSuffix(indexAccessControl.getKey()) && hasDlsFlsPermissions(indexAccessControl.getValue())) {
+                listener.onFailure(
+                    new ElasticsearchSecurityException(
+                        "Failure store access is not allowed for users who have "
+                            + "field or document level security enabled on one of the indices",
+                        RestStatus.BAD_REQUEST
+                    )
+                );
+                return;
+            }
+        }
+        listener.onResponse(null);
+    }
+
+    @Override
+    boolean supports(IndicesRequest request) {
+        if (request.indicesOptions().allowSelectors()) {
+            for (String index : request.indices()) {
+                if (hasFailuresSelectorSuffix(index)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    private boolean hasFailuresSelectorSuffix(String name) {
+        return IndexNameExpressionResolver.hasSelectorSuffix(name)
+            && IndexComponentSelector.getByKey(
+                IndexNameExpressionResolver.splitSelectorExpression(name).v2()
+            ) == IndexComponentSelector.FAILURES;
+    }
+
+    private boolean hasDlsFlsPermissions(IndicesAccessControl.IndexAccessControl indexAccessControl) {
+        return indexAccessControl.getDocumentPermissions().hasDocumentLevelPermissions()
+            || indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
+    }
+
+}