resolve indices for prefixed _all expressions

[richard-dennehy]

Follow up to #135425

As identified, expressions such as *:_all currently don't resolve correctly (it appears that it currently tries to authorize the user against the literal index "_all").

This PR fixes the resolution of prefixed _all expressions.

Relates: ES-13213

[richard-dennehy]

I noticed that I could just set all cross project requests to go down the "all indices" path and all the tests would pass, even though this is obviously wrong; I've added this test which fails under that scenario

[ywangd]

all the tests would pass

Do you mean all tests in this test class? I am surprised unless all existing tests are effectively resolving to all accessible indices. Is that the case? Also, I assume tests in other places, e.g. the serverless REST test, should fail?

[richard-dennehy]

I think it's because the majority of the other tests in this file have CPS mode disabled; I'll see if the REST test guards against this, but I don't want it to be the only test that would fail - it makes the feedback loop too long

[richard-dennehy]

Confirmed that the REST test fails when this functionality is implemented incorrectly

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[ywangd]

This look mostly good. I have only minor comments.

Can you also have a serverless side PR to update the test scenarios?

[ywangd]

This matches what I was thinking, i.e. let cases like *:_all go through the all indices handling. I suggest we use RemoteClusterAware#splitIndexName instead of rewriteIndexExpression. It is lighter and we don't care about resolving projects at this point. It also needs to handle syntax like selector. I'd prefer we don't error out at isAllIndices check. The unsupported syntax will still be caught later when we call rewriteIndexExpression. So overall I am suggeting something like

IndexNameExpressionResolver.isAllIndices(
    indicesList(indicesRequest.indices()), 
    expr -> {
        IndexNameExpressionResolver.splitSelectorExpression(RemoteClusterAware.splitIndexName(expr)[1]).v1()
    }
)

[richard-dennehy]

It appears this isn't enough, as this means any expression targeting _all will resolve all indices on the local project, even if that expression is e.g. some_remote_project:_all.

We need to check if the expression is _all, and that the prefix includes the local project. It looks to me like rewriteIndexExpression handles all the edge cases here, even if it does more than what's necessary here.

[ywangd]

Yes we will resolve local indices unnecessarily in this case. But I think local indices should still be excluded because of this code. I was going to leave the unnecessary expansion for a future optimization.

Even if we use rewriteIndexExpression here, it is not sufficient due to project_routing, e.g. we will still expand local indices unnecessarily when the request has expression _all and project routing some_remote_project. If you are keen to avoid local expansion, I'd rather prefer we solve this more comprehensively to cover this TODO as well.

What I have in mind is something like the follows:

1. Still use the splitIndexName and splitSelectorExpression for checking isAllIndices which IMO should be interpreted as "is it an all indices pattern for any project".
2. Before expanding local indices, check crossProjectModeDecider.resolvesCrossProject and only expand locally if the final resolved projects include the origin project.

[ywangd]

But I think local indices should still be excluded because of this code.

It appears that this logic only handles project routing filtering but not the qualified projects in index expression. So it does not work for linked_project:_all.

I am still a little suspicious on the latest change. IIUC, it means an expression like linked_project:_all goes through the else branch of the isAllIndices check? While expressions like *:_all or _all with project routing linked_project still go through the if branch. The later is functionally equivalent to linked_project:_all and it would great if they follow the same path. Maybe we just need to resolve the project routing before invoking rewriteIndexExpression? If we take this path, I think we should also rename the isAllIndices variable to something like containsLocalAllIndices?

[richard-dennehy]

I've switched back to using splitIndexName again, and extended the shouldExcludeLocalResolution check to check if localExpression is set, and this seems to work (including the REST test). Does this align with what you were thinking?

I could also take a look at moving the condition earlier to see if we can skip the redundant local expansion as well.

[ywangd]

That works for me as well. We can have separate PR to address the TODO for skipping redundant local expansion.

[ywangd]

all the tests would pass

Do you mean all tests in this test class? I am surprised unless all existing tests are effectively resolving to all accessible indices. Is that the case? Also, I assume tests in other places, e.g. the serverless REST test, should fail?

[ywangd]

LGTM

[ywangd]

Nit: I think unprefixed cannot be null?