Move credentials settings merging out of RemoteClusterService

server/src/main/java/org/elasticsearch/transport/RemoteClusterService.java

@@ -26,6 +26,7 @@
 import org.elasticsearch.cluster.node.DiscoveryNodeRole;
 import org.elasticsearch.cluster.project.ProjectResolver;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.TriFunction;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ConcurrentCollections;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
@@ -106,6 +107,10 @@ public boolean isRemoteClusterServerEnabled() {
         this.crossProjectEnabled = settings.getAsBoolean("serverless.cross_project.enabled", false);
     }
 
+    public ProjectResolver getProjectResolver() {
+        return projectResolver;
+    }
+
     /**
      * Group indices by cluster alias mapped to OriginalIndices for that cluster.
      * @param remoteClusterNames Set of configured remote cluster names.
@@ -302,11 +307,20 @@ public void skipUnavailableChanged(
         }
     }
 
-    @FixForMultiProject(description = "Refactor as needed to support project specific changes to linked remotes.")
-    public synchronized void updateRemoteClusterCredentials(Supplier<Settings> settingsSupplier, ActionListener<Void> listener) {
+    /**
+     * Rebuilds linked project connections as needed for updated remote cluster credentials.
+     * @param settingsSupplier A {@link Supplier} for the updated credentials {@link Settings}.
+     * @param configFunction A function that builds a {@link LinkedProjectConfig} for an alias, static settings, and new settings.
+     * @param listener An {@link ActionListener} invoked once all connection modifications have been completed.
+     */
+    public synchronized void updateRemoteClusterCredentials(
+        Supplier<Settings> settingsSupplier,
+        TriFunction<String, Settings, Settings, LinkedProjectConfig> configFunction,
+        ActionListener<Void> listener
+    ) {
         final var projectId = projectResolver.getProjectId();
-        final Settings settings = settingsSupplier.get();
-        final UpdateRemoteClusterCredentialsResult result = remoteClusterCredentialsManager.updateClusterCredentials(settings);
+        final Settings newSettings = settingsSupplier.get();
+        final UpdateRemoteClusterCredentialsResult result = remoteClusterCredentialsManager.updateClusterCredentials(newSettings);
         // We only need to rebuild connections when a credential was newly added or removed for a cluster alias, not if the credential
         // value was updated. Therefore, only consider added or removed aliases
         final int totalConnectionsToRebuild = result.addedClusterAliases().size() + result.removedClusterAliases().size();
@@ -318,20 +332,17 @@ public synchronized void updateRemoteClusterCredentials(Supplier<Settings> setti
         logger.info("project [{}] rebuilding [{}] connections after credentials update", projectId, totalConnectionsToRebuild);
         try (var connectionRefs = new RefCountingRunnable(() -> listener.onResponse(null))) {
             for (var clusterAlias : result.addedClusterAliases()) {
-                maybeRebuildConnectionOnCredentialsChange(projectId, clusterAlias, settings, connectionRefs);
+                maybeRebuildConnectionOnCredentialsChange(configFunction.apply(clusterAlias, settings, newSettings), connectionRefs);
             }
             for (var clusterAlias : result.removedClusterAliases()) {
-                maybeRebuildConnectionOnCredentialsChange(projectId, clusterAlias, settings, connectionRefs);
+                maybeRebuildConnectionOnCredentialsChange(configFunction.apply(clusterAlias, settings, newSettings), connectionRefs);
             }
         }
     }
 
-    private void maybeRebuildConnectionOnCredentialsChange(
-        ProjectId projectId,
-        String clusterAlias,
-        Settings newSettings,
-        RefCountingRunnable connectionRefs
-    ) {
+    private void maybeRebuildConnectionOnCredentialsChange(LinkedProjectConfig config, RefCountingRunnable connectionRefs) {
+        final var projectId = config.originProjectId();
+        final var clusterAlias = config.linkedProjectAlias();
         final var connectionsMap = getConnectionsMapForProject(projectId);
         if (false == connectionsMap.containsKey(clusterAlias)) {
             // A credential was added or removed before a remote connection was configured.
@@ -344,8 +355,6 @@ private void maybeRebuildConnectionOnCredentialsChange(
             return;
         }
 
-        final var mergedSettings = Settings.builder().put(settings, false).put(newSettings, false).build();
-        final var config = RemoteClusterSettings.toConfig(projectId, ProjectId.DEFAULT, clusterAlias, mergedSettings);
         updateRemoteCluster(config, true, ActionListener.releaseAfter(new ActionListener<>() {
             @Override
             public void onResponse(RemoteClusterConnectionStatus status) {

server/src/test/java/org/elasticsearch/transport/RemoteClusterServiceTests.java

@@ -1627,7 +1627,7 @@ public void testUpdateRemoteClusterCredentialsRebuildsConnectionWithCorrectProfi
                         secureSettings.setString("cluster.remote.cluster_1.credentials", randomAlphaOfLength(10));
                         final PlainActionFuture<Void> listener = new PlainActionFuture<>();
                         final Settings settings = Settings.builder().put(clusterSettings).setSecureSettings(secureSettings).build();
-                        service.updateRemoteClusterCredentials(() -> settings, listener);
+                        service.updateRemoteClusterCredentials(() -> settings, this::buildLinkedProjectConfig, listener);
                         listener.actionGet(10, TimeUnit.SECONDS);
                     }
 
@@ -1641,6 +1641,7 @@ public void testUpdateRemoteClusterCredentialsRebuildsConnectionWithCorrectProfi
                         service.updateRemoteClusterCredentials(
                             // Settings without credentials constitute credentials removal
                             () -> clusterSettings,
+                            this::buildLinkedProjectConfig,
                             listener
                         );
                         listener.actionGet(10, TimeUnit.SECONDS);
@@ -1730,7 +1731,7 @@ public void testUpdateRemoteClusterCredentialsRebuildsMultipleConnectionsDespite
                             .put(cluster2Settings)
                             .setSecureSettings(secureSettings)
                             .build();
-                        service.updateRemoteClusterCredentials(() -> settings, listener);
+                        service.updateRemoteClusterCredentials(() -> settings, this::buildLinkedProjectConfig, listener);
                         listener.actionGet(10, TimeUnit.SECONDS);
                     }
 
@@ -1750,6 +1751,7 @@ public void testUpdateRemoteClusterCredentialsRebuildsMultipleConnectionsDespite
                         service.updateRemoteClusterCredentials(
                             // Settings without credentials constitute credentials removal
                             () -> settings,
+                            this::buildLinkedProjectConfig,
                             listener
                         );
                         listener.actionGet(10, TimeUnit.SECONDS);
@@ -1828,6 +1830,12 @@ public void testLogsConnectionResult() throws IOException {
         }
     }
 
+    @FixForMultiProject(description = "Refactor to add the linked project ID associated with the alias.")
+    private LinkedProjectConfig buildLinkedProjectConfig(String alias, Settings staticSettings, Settings newSettings) {
+        final var mergedSettings = Settings.builder().put(staticSettings, false).put(newSettings, false).build();
+        return RemoteClusterSettings.toConfig(projectResolver.getProjectId(), ProjectId.DEFAULT, alias, mergedSettings);
+    }
+
     private void updateRemoteCluster(
         RemoteClusterService service,
         String alias,

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/settings/TransportReloadRemoteClusterCredentialsAction.java

@@ -16,14 +16,19 @@
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;
+import org.elasticsearch.cluster.metadata.ProjectId;
 import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.common.TriFunction;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
+import org.elasticsearch.core.FixForMultiProject;
 import org.elasticsearch.injection.guice.Inject;
 import org.elasticsearch.rest.action.admin.cluster.RestReloadSecureSettingsAction;
 import org.elasticsearch.tasks.Task;
+import org.elasticsearch.transport.LinkedProjectConfig;
 import org.elasticsearch.transport.RemoteClusterService;
+import org.elasticsearch.transport.RemoteClusterSettings;
 import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.transport.Transports;
 import org.elasticsearch.xpack.core.security.action.ActionTypes;
@@ -79,7 +84,17 @@ protected void doExecute(Task task, Request request, ActionListener<ActionRespon
             final Settings transientSettings = clusterState.metadata().transientSettings();
             return Settings.builder().put(request.getSettings(), true).put(persistentSettings, false).put(transientSettings, false).build();
         };
-        remoteClusterService.updateRemoteClusterCredentials(settingsSupplier, listener.safeMap(ignored -> ActionResponse.Empty.INSTANCE));
+        @FixForMultiProject(description = "Supply the linked project ID when building the LinkedProjectConfig object.")
+        final TriFunction<String, Settings, Settings, LinkedProjectConfig> configBuilder = (clusterAlias, staticSettings, newSettings) -> {
+            final var projectId = remoteClusterService.getProjectResolver().getProjectId();
+            final var mergedSettings = Settings.builder().put(staticSettings, false).put(newSettings, false).build();
+            return RemoteClusterSettings.toConfig(projectId, ProjectId.DEFAULT, clusterAlias, mergedSettings);
+        };
+        remoteClusterService.updateRemoteClusterCredentials(
+            settingsSupplier,
+            configBuilder,
+            listener.safeMap(ignored -> ActionResponse.Empty.INSTANCE)
+        );
     }
 
     private ClusterBlockException checkBlock(ClusterState clusterState) {