ES|QL: Disallow brackets in unquoted index patterns

[luigidellaquila]

To avoid collisions with subquery syntax, we disallow the usage of ( and ) in unquoted index patterns and enrich policy names.

Fixes: #130378

[elasticsearchmachine]

Hi @luigidellaquila, I've created a changelog YAML for you.

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)

[idegtiarenko]

I believe we keep enrich policy definition in cluster state. Should we prohibit creation of new ones with brackets? What should we do with ones previously created with brackets in names? Please let me know if this concerns are separate from this change

[luigidellaquila]

Should we prohibit creation of new ones with brackets?

Enrich policies allow brackets, so I don't think we can just prohibit it.
With this change, we can allow brackets also in policy names, as long as they are quoted.

Yaml tests apparently have problems creating policies with brackets, but I'll add a Java integration test for it.

[luigidellaquila]

This has to be a separate file and with a single test, just because the policy delete doesn't seem to work with brackets

  - do:
      enrich.delete_policy:
        name: <name with brackets here>

Apparently the bracket collides with some regex evaluation that happens during the process.
I couldn't find a way to work around this problem, but it seems unrelated to ES|QL, so I guess we can handle it separately.

[luigidellaquila]

No way, I had to skip the test.
If I don't delete the enrich policy, it will make other tests fail.

[luigidellaquila]

#130740

[luigidellaquila]

@idegtiarenko I added a test that uses an enrich policy with brackets (with quotes), and it works as expected.

[astefan]

Looks good, but you need to be paranoid with grammar changes and add more tests. I've put in some examples which should be extended to other commands that use index names patterns.

[astefan]

Typo

[astefan]

Please, add more unit tests here. The above ones are the bare minimum imo, but it's always good to be paranoid with grammar changes as the devil is in the edge cases :-)).

from te()st
from \"te()st\"
from concat(foo, bar)
from ((((()))))
from (((abc)))
from *()*
from *test()*
from *:test()
from *:()
from *:test)
from remote1:test(),remote2:test

and use these also for other places where index names are used (enrich, lookup join, fork etc).

[astefan]

LGTM. Thanks

[astefan]

No 9.1 version backport? Just curious

[luigidellaquila]

No 9.1 version backport?

We absolutely need to backport it to 9.1 as well, thanks for pointing it out.
Fixed!

[luigidellaquila]

Actually, I think we want it only in 9.2, 9.1, and 8.19.
It's a bug fix, but it's breaking, so I'm not sure we want to port it further back.
I'm removing 9.0 label for now, in case I'll do further backports manually

[elasticsearchmachine]

💔 Backport failed

Status	Branch	Result
❌	8.19	Commit could not be cherrypicked due to conflicts
❌	9.1	Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 130427

[luigidellaquila]

Backports here:

• [9.1] ES|QL: Disallow brackets in unquoted index patterns (#130427) #130938
• [8.19] ES|QL: Disallow brackets in unquoted index patterns (#130427) (#130938) #130984

[ioanatia]

this test is causing bwc test failures since FORK is not available in 8.19