Failure store access - selector-aware role building (elastic#122715)

This PR adds the `read_failure_store` index privilege and extends the role building logic to support selector-aware authorization. Note that this PR only concerns building roles; the actual authorization logic implementation will follow in a separate PR. The overall approach is based on the proof-of-concept PR (elastic#122007). 

The purpose of the `read_failure_store` index privilege is to support granting selective access to the failure store of a data stream via the `::failures` selector in search and related APIs. A role with the `read_failure_store` index privilege grants access to the failure store, without granting access to the data in a data stream. Conversely, the existing `read` privilege only grants access to data and _not_ the failure store. 

This requires changes to both the role building logic, and authorization. Going forward, each named index privilege is assigned a selector it grants access to, e.g., `read` grants access to the implicit `::data` selector, `read_failure_store` grants access to `::failures`. When building a role from role descriptors, we partition its underlying index groups by selector access such that any given group grants access to a single selector (with the exception of `all`, which grants access to all selectors). 

This PR implements this partitioning logic and sets up roles to implement selector-aware authorization in a follow up. Note that parts of the code make assumption around the existence of only two distinct selectors (`::data` and `::failures`) to simplify the implementation; however, it's possible to generalize these sections to support more selectors in the future, if necessary. 

Closes: ES-10872

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java

@@ -11,6 +11,7 @@
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
 import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPredicate;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.authz.restriction.WorkflowResolver;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
@@ -48,7 +49,7 @@ public static ActionRequestValidationException validate(
         if (roleDescriptor.getIndicesPrivileges() != null) {
             for (RoleDescriptor.IndicesPrivileges idp : roleDescriptor.getIndicesPrivileges()) {
                 try {
-                    IndexPrivilege.get(Set.of(idp.getPrivileges()));
+                    IndexPrivilege.resolveBySelectorAccess(Set.of(idp.getPrivileges()));
                 } catch (IllegalArgumentException ile) {
                     validationException = addValidationError(ile.getMessage(), validationException);
                 }
@@ -60,7 +61,13 @@ public static ActionRequestValidationException validate(
                 validationException = addValidationError("remote index cluster alias cannot be an empty string", validationException);
             }
             try {
-                IndexPrivilege.get(Set.of(ridp.indicesPrivileges().getPrivileges()));
+                Set<IndexPrivilege> privileges = IndexPrivilege.resolveBySelectorAccess(Set.of(ridp.indicesPrivileges().getPrivileges()));
+                if (privileges.stream().anyMatch(p -> p.getSelectorPredicate() == IndexComponentSelectorPredicate.FAILURES)) {
+                    validationException = addValidationError(
+                        "remote index privileges cannot contain privileges that grant access to the failure store",
+                        validationException
+                    );
+                }
             } catch (IllegalArgumentException ile) {
                 validationException = addValidationError(ile.getMessage(), validationException);
             }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -27,14 +27,14 @@
 import org.elasticsearch.index.Index;
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
 import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
+import org.elasticsearch.xpack.core.security.authz.privilege.IndexComponentSelectorPredicate;
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 import org.elasticsearch.xpack.core.security.support.StringMatcher;
 
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -301,7 +301,7 @@ public boolean checkResourcePrivileges(
                     }
                 }
                 for (String privilege : checkForPrivileges) {
-                    IndexPrivilege indexPrivilege = IndexPrivilege.get(Collections.singleton(privilege));
+                    IndexPrivilege indexPrivilege = IndexPrivilege.get(privilege);
                     if (allowedIndexPrivilegesAutomaton != null
                         && Automatons.subsetOf(indexPrivilege.getAutomaton(), allowedIndexPrivilegesAutomaton)) {
                         if (resourcePrivilegesMapBuilder != null) {
@@ -792,6 +792,7 @@ public static class Group {
         public static final Group[] EMPTY_ARRAY = new Group[0];
 
         private final IndexPrivilege privilege;
+        private final IndexComponentSelectorPredicate selectorPredicate;
         private final Predicate<String> actionMatcher;
         private final String[] indices;
         private final StringMatcher indexNameMatcher;
@@ -815,6 +816,7 @@ public Group(
             assert indices.length != 0;
             this.privilege = privilege;
             this.actionMatcher = privilege.predicate();
+            this.selectorPredicate = privilege.getSelectorPredicate();
             this.indices = indices;
             this.allowRestrictedIndices = allowRestrictedIndices;
             ConcurrentHashMap<String[], Automaton> indexNameAutomatonMemo = new ConcurrentHashMap<>(1);
@@ -862,6 +864,10 @@ boolean hasQuery() {
             return query != null;
         }
 
+        public boolean checkSelector(IndexComponentSelector selector) {
+            return selectorPredicate.test(selector);
+        }
+
         public boolean allowRestrictedIndices() {
             return allowRestrictedIndices;
         }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java

@@ -252,7 +252,19 @@ public Builder runAs(Privilege privilege) {
         }
 
         public Builder add(IndexPrivilege privilege, String... indices) {
-            groups.add(new IndicesPermissionGroupDefinition(privilege, FieldPermissions.DEFAULT, null, false, indices));
+            return add(FieldPermissions.DEFAULT, null, privilege, false, indices);
+        }
+
+        public Builder add(
+            FieldPermissions fieldPermissions,
+            Set<BytesReference> query,
+            Set<IndexPrivilege> privilegesSplitBySelector,
+            boolean allowRestrictedIndices,
+            String... indices
+        ) {
+            for (var indexPrivilege : privilegesSplitBySelector) {
+                add(fieldPermissions, query, indexPrivilege, allowRestrictedIndices, indices);
+            }
             return this;
         }
 
@@ -267,6 +279,20 @@ public Builder add(
             return this;
         }
 
+        public Builder addRemoteIndicesGroup(
+            final Set<String> remoteClusterAliases,
+            final FieldPermissions fieldPermissions,
+            final Set<BytesReference> query,
+            final Set<IndexPrivilege> privilegesSplitBySelector,
+            final boolean allowRestrictedIndices,
+            final String... indices
+        ) {
+            for (var indexPrivilege : privilegesSplitBySelector) {
+                addRemoteIndicesGroup(remoteClusterAliases, fieldPermissions, query, indexPrivilege, allowRestrictedIndices, indices);
+            }
+            return this;
+        }
+
         public Builder addRemoteIndicesGroup(
             final Set<String> remoteClusterAliases,
             final FieldPermissions fieldPermissions,
@@ -411,7 +437,7 @@ static SimpleRole buildFromRoleDescriptor(
                     new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
                 ),
                 indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
-                IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
+                IndexPrivilege.resolveBySelectorAccess(Set.of(indexPrivilege.getPrivileges())),
                 indexPrivilege.allowRestrictedIndices(),
                 indexPrivilege.getIndices()
             );
@@ -428,7 +454,7 @@ static SimpleRole buildFromRoleDescriptor(
                     new FieldPermissionsDefinition(indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields())
                 ),
                 indicesPrivileges.getQuery() == null ? null : Collections.singleton(indicesPrivileges.getQuery()),
-                IndexPrivilege.get(Set.of(indicesPrivileges.getPrivileges())),
+                IndexPrivilege.resolveBySelectorAccess(Set.of(indicesPrivileges.getPrivileges())),
                 indicesPrivileges.allowRestrictedIndices(),
                 indicesPrivileges.getIndices()
             );

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ConfigurableClusterPrivileges.java

@@ -414,13 +414,18 @@ public ManageRolesPrivilege(List<ManageRolesIndexPermissionGroup> manageRolesInd
             this.requestPredicateSupplier = (restrictedIndices) -> {
                 IndicesPermission.Builder indicesPermissionBuilder = new IndicesPermission.Builder(restrictedIndices);
                 for (ManageRolesIndexPermissionGroup indexPatternPrivilege : manageRolesIndexPermissionGroups) {
-                    indicesPermissionBuilder.addGroup(
-                        IndexPrivilege.get(Set.of(indexPatternPrivilege.privileges())),
-                        FieldPermissions.DEFAULT,
-                        null,
-                        false,
-                        indexPatternPrivilege.indexPatterns()
-                    );
+                    Set<IndexPrivilege> privileges = IndexPrivilege.resolveBySelectorAccess(Set.of(indexPatternPrivilege.privileges()));
+                    assert privileges.stream().allMatch(p -> p.getSelectorPredicate() != IndexComponentSelectorPredicate.FAILURES)
+                        : "not support for failures store access yet";
+                    for (IndexPrivilege indexPrivilege : privileges) {
+                        indicesPermissionBuilder.addGroup(
+                            indexPrivilege,
+                            FieldPermissions.DEFAULT,
+                            null,
+                            false,
+                            indexPatternPrivilege.indexPatterns()
+                        );
+                    }
                 }
                 final IndicesPermission indicesPermission = indicesPermissionBuilder.build();
 
@@ -555,6 +560,15 @@ public static ManageRolesPrivilege parse(XContentParser parser) throws IOExcepti
                 if (indexPrivilege.privileges == null || indexPrivilege.privileges.length == 0) {
                     throw new IllegalArgumentException("Indices privileges must define at least one privilege");
                 }
+                for (String privilege : indexPrivilege.privileges) {
+                    IndexPrivilege namedPrivilege = IndexPrivilege.getNamedOrNull(privilege);
+                    if (namedPrivilege != null && namedPrivilege.getSelectorPredicate() == IndexComponentSelectorPredicate.FAILURES) {
+                        throw new IllegalArgumentException(
+                            "Failure store related privileges are not supported as targets of manage roles but found [" + privilege + "]"
+                        );
+                    }
+                }
+
             }
             return new ManageRolesPrivilege(indexPrivileges);
         }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexComponentSelectorPredicate.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.authz.privilege;
+
+import org.elasticsearch.action.support.IndexComponentSelector;
+import org.elasticsearch.core.Predicates;
+
+import java.util.Set;
+import java.util.function.Predicate;
+
+/**
+ * A predicate to capture role access by {@link IndexComponentSelector}.
+ * This is assigned to each {@link org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission.Group} during role building.
+ * See also {@link org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege#resolveBySelectorAccess(Set)}.
+ */
+public record IndexComponentSelectorPredicate(Set<String> names, Predicate<IndexComponentSelector> predicate)
+    implements
+        Predicate<IndexComponentSelector> {
+    IndexComponentSelectorPredicate(String name, Predicate<IndexComponentSelector> predicate) {
+        this(Set.of(name), predicate);
+    }
+
+    public static final IndexComponentSelectorPredicate ALL = new IndexComponentSelectorPredicate("all", Predicates.always());
+    public static final IndexComponentSelectorPredicate DATA = new IndexComponentSelectorPredicate(
+        "data",
+        IndexComponentSelector.DATA::equals
+    );
+    public static final IndexComponentSelectorPredicate FAILURES = new IndexComponentSelectorPredicate(
+        "failures",
+        IndexComponentSelector.FAILURES::equals
+    );
+
+    @Override
+    public boolean test(IndexComponentSelector selector) {
+        return predicate.test(selector);
+    }
+}