Merge branch 'main' into sql/cli_cps

Author: luigidellaquila

build-tools-internal/src/integTest/groovy/org/elasticsearch/gradle/internal/info/GlobalBuildInfoPluginOfflineBranchesFallbackFuncTest.groovy

@@ -0,0 +1,139 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.gradle.internal.info
+
+import org.elasticsearch.gradle.fixtures.AbstractGradleFuncTest
+import org.gradle.testkit.runner.TaskOutcome
+
+class GlobalBuildInfoPluginOfflineBranchesFallbackFuncTest extends AbstractGradleFuncTest {
+
+    def setup() {
+        // This plugin reads files from the workspace and performs environment detection
+        // that is not compatible with the configuration cache in functional tests.
+        configurationCacheCompatible = false
+    }
+
+    def "offline mode falls back to local branches.json when present"() {
+        given:
+        writeBwcVersionSource()
+        writeBranchesJson()
+        writeBuildThatResolvesBwcVersions()
+
+        when:
+        def result = gradleRunner(
+            "resolveBwcVersions",
+            "--offline",
+            // Make any accidental outbound HTTPS attempt fail deterministically.
+            "-Dhttps.proxyHost=127.0.0.1",
+            "-Dhttps.proxyPort=1",
+            "-Dhttp.proxyHost=127.0.0.1",
+            "-Dhttp.proxyPort=1",
+            "-DBWC_VERSION_SOURCE=${file("Version.java").absolutePath}"
+        ).build()
+
+        then:
+        result.task(":resolveBwcVersions").outcome == TaskOutcome.SUCCESS
+        assertOutputContains(
+            result.output,
+            "Gradle is running in offline mode; falling back to local branches.json"
+        )
+        assertOutputContains(result.output, "BWC_VERSIONS_RESOLVED")
+    }
+
+    def "offline mode without local branches.json retains failure behavior"() {
+        given:
+        writeBwcVersionSource()
+        // Intentionally do not create branches.json
+        writeBuildThatResolvesBwcVersions()
+
+        when:
+        def result = gradleRunner(
+            "resolveBwcVersions",
+            "--offline",
+            "-Dhttps.proxyHost=127.0.0.1",
+            "-Dhttps.proxyPort=1",
+            "-Dhttp.proxyHost=127.0.0.1",
+            "-Dhttp.proxyPort=1",
+            "-DBWC_VERSION_SOURCE=${file("Version.java").absolutePath}"
+        ).buildAndFail()
+
+        then:
+        assertOutputContains(result.output, "Failed to download branches.json from:")
+        assertOutputMissing(result.output, "falling back to local branches.json")
+    }
+
+    def "non-offline mode does not fall back to local branches.json"() {
+        given:
+        writeBwcVersionSource()
+        writeBranchesJson()
+        writeBuildThatResolvesBwcVersions()
+
+        when:
+        def result = gradleRunner(
+            "resolveBwcVersions",
+            // Not passing --offline on purpose.
+            "-Dhttps.proxyHost=127.0.0.1",
+            "-Dhttps.proxyPort=1",
+            "-Dhttp.proxyHost=127.0.0.1",
+            "-Dhttp.proxyPort=1",
+            "-DBWC_VERSION_SOURCE=${file("Version.java").absolutePath}"
+        ).buildAndFail()
+
+        then:
+        assertOutputContains(result.output, "Failed to download branches.json from:")
+        assertOutputMissing(result.output, "falling back to local branches.json")
+    }
+
+    private void writeBuildThatResolvesBwcVersions() {
+        buildFile.text = """
+            plugins {
+              id 'elasticsearch.global-build-info'
+            }
+
+            tasks.register("resolveBwcVersions") {
+              doLast {
+                // Force bwcVersions resolution, which triggers branches.json loading.
+                def bwcVersions = buildParams.bwcVersionsProvider.get()
+                println "BWC_VERSIONS_RESOLVED=[" + bwcVersions + "]"
+              }
+            }
+        """
+    }
+
+    private void writeBranchesJson() {
+        file("branches.json").text = """\
+            {
+              "branches": [
+                { "branch": "main", "version": "9.1.0" },
+                { "branch": "9.0", "version": "9.0.0" }
+              ]
+            }
+        """.stripIndent()
+    }
+
+    private void writeBwcVersionSource() {
+        // This file is parsed via regex; version constants must have a non-word
+        // character before `public` and must end with `);` to match the pattern.
+        file("Version.java").text = """\
+package org.elasticsearch;
+
+public class Version {
+  // Only used by GlobalBuildInfoPlugin in tests via regex parsing.
+   public static final Version V_9_0_0 = Version.fromId(9000000);
+   public static final Version V_9_1_0 = Version.fromId(9010000);
+
+  private static Version fromId(int id) {
+    return new Version();
+  }
+}
+"""
+    }
+}
+

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/info/GlobalBuildInfoPlugin.java

@@ -214,9 +214,24 @@ private List<Version> parseVersionLines(List<String> versionLines) {
     }
 
     private List<DevelopmentBranch> getDevelopmentBranches() {
-        String branchesFileLocation = project.getProviders()
-            .gradleProperty(BRANCHES_FILE_LOCATION_PROPERTY)
-            .getOrElse(DEFAULT_BRANCHES_FILE_URL);
+        Provider<String> branchesFileLocationProperty = project.getProviders().gradleProperty(BRANCHES_FILE_LOCATION_PROPERTY);
+        boolean hasExplicitBranchesFileLocation = branchesFileLocationProperty.isPresent();
+        String branchesFileLocation = hasExplicitBranchesFileLocation ? branchesFileLocationProperty.get() : DEFAULT_BRANCHES_FILE_URL;
+        if (hasExplicitBranchesFileLocation == false
+            && project.getGradle().getStartParameter().isOffline()
+            && branchesFileLocation.startsWith("http")) {
+            File localBranchesFile = new File(Util.locateElasticsearchWorkspace(project.getGradle()), "branches.json");
+            if (localBranchesFile.isFile()) {
+                LOGGER.warn(
+                    "Gradle is running in offline mode; falling back to local branches.json at [{}] instead of downloading from [{}]. "
+                        + "To override, set Gradle property [{}].",
+                    localBranchesFile.getAbsolutePath(),
+                    branchesFileLocation,
+                    BRANCHES_FILE_LOCATION_PROPERTY
+                );
+                branchesFileLocation = localBranchesFile.getAbsolutePath();
+            }
+        }
         LOGGER.info("Reading branches.json from {}", branchesFileLocation);
         byte[] branchesBytes;
         if (branchesFileLocation.startsWith("http")) {

build-tools-internal/src/test/java/org/elasticsearch/gradle/internal/EmptyDirTaskTests.java

@@ -15,6 +15,10 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.Collections;
+import java.util.Set;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -61,9 +65,8 @@ public void testCreateEmptyDirNoPermissions() throws Exception {
 
         assertTrue(newEmptyFolder.exists());
         assertTrue(newEmptyFolder.isDirectory());
-        assertFalse(newEmptyFolder.canExecute());
-        assertFalse(newEmptyFolder.canRead());
-        assertFalse(newEmptyFolder.canWrite());
+        Set<PosixFilePermission> permissions = Files.getPosixFilePermissions(newEmptyFolder.toPath());
+        assertEquals(Collections.emptySet(), permissions);
 
         // cleanup
         newEmptyFolder.delete();

distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile

@@ -25,7 +25,7 @@
 # Extract Elasticsearch artifact
 ################################################################################
 
-FROM docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:efc70f02cdc8aaa7eb5196c5d17719098a3f4bba347aa966a85f7e5452d0a0ca AS builder
+FROM docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:e4cb92038b58c8c881962a17ec0b9970857a801c0a52f75550258f92f1e93ca1 AS builder
 
 # Install required packages to extract the Elasticsearch distribution
 RUN <%= retry.loop(package_manager, "export DEBIAN_FRONTEND=noninteractive && ${package_manager} update && ${package_manager} update && ${package_manager} add --no-cache curl") %>
@@ -104,7 +104,7 @@ WORKDIR /usr/share/elasticsearch/config
 # Add entrypoint
 ################################################################################
 
-FROM docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:efc70f02cdc8aaa7eb5196c5d17719098a3f4bba347aa966a85f7e5452d0a0ca
+FROM docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:e4cb92038b58c8c881962a17ec0b9970857a801c0a52f75550258f92f1e93ca1
 
 RUN <%= retry.loop(package_manager,
           "export DEBIAN_FRONTEND=noninteractive && \n" +

distribution/docker/src/docker/dockerfiles/wolfi/Dockerfile

@@ -25,7 +25,7 @@
 # Extract Elasticsearch artifact
 ################################################################################
 
-FROM docker.elastic.co/wolfi/chainguard-base:latest@sha256:4a82c706003370964df94913adfc47aab9a55b4fb2490260e7f7ebcf27cc4240 AS builder
+FROM docker.elastic.co/wolfi/chainguard-base:latest@sha256:568df5fb0e237c3a2139399d4bd8e80994f24321fa8469aec565b8566704e83a AS builder
 
 # Install required packages to extract the Elasticsearch distribution
 RUN <%= retry.loop(package_manager, "export DEBIAN_FRONTEND=noninteractive && ${package_manager} update && ${package_manager} update && ${package_manager} add --no-cache curl") %>
@@ -80,7 +80,7 @@ RUN sed -i -e 's/ES_DISTRIBUTION_TYPE=tar/ES_DISTRIBUTION_TYPE=docker/' bin/elas
 # Add entrypoint
 ################################################################################
 
-FROM docker.elastic.co/wolfi/chainguard-base:latest@sha256:4a82c706003370964df94913adfc47aab9a55b4fb2490260e7f7ebcf27cc4240
+FROM docker.elastic.co/wolfi/chainguard-base:latest@sha256:568df5fb0e237c3a2139399d4bd8e80994f24321fa8469aec565b8566704e83a
 
 RUN <%= retry.loop(package_manager,
           "export DEBIAN_FRONTEND=noninteractive && \n" +

docs/changelog/142021.yaml

@@ -0,0 +1,5 @@
+area: SQL
+issues: []
+pr: 142021
+summary: Add support for API key to JDBC and CLI
+type: enhancement

docs/changelog/142900.yaml

@@ -0,0 +1,5 @@
+area: ES|QL
+issues: []
+pr: 142900
+summary: Add support for ORC file format
+type: feature

docs/reference/query-languages/sql/sql-cli.md

@@ -28,6 +28,22 @@ If security is enabled on your cluster, you can pass the username and password i
 $ ./bin/elasticsearch-sql-cli https://sql_user:strongpassword@some.server:9200
 ```
 
+### API Key Authentication [sql-cli-apikey]
+
+As an alternative to basic authentication, you can use API key authentication with the `--apikey` option. API keys can be created using the [Create API key API](docs-content://deploy-manage/api-keys/elasticsearch-api-keys.md). The API key should be provided in its encoded form (the `encoded` value returned by the Create API key API):
+
+```bash
+$ ./bin/elasticsearch-sql-cli --apikey <encoded-api-key> https://some.server:9200
+```
+
+::::{note}
+When using API key authentication, do not include username and password in the URL. The CLI will return an error if both API key and basic authentication credentials are provided.
+::::
+
+::::{warning}
+Command line arguments are visible to other users on the system through process listing commands like `ps aux` or by inspecting `/proc/<pid>/cmdline`. Avoid using this method on shared systems where other users might be able to view your credentials.
+::::
+
 Once the CLI is running you can use any [query](elasticsearch://reference/query-languages/sql/sql-spec.md) that Elasticsearch supports:
 
 ```sql

docs/reference/query-languages/sql/sql-jdbc.md

@@ -120,6 +120,24 @@ $$$jdbc-cfg-timezone$$$
 :   Basic Authentication password
 
 
+### API Key Authentication [jdbc-cfg-auth-apikey]
+
+As an alternative to basic authentication, you can use API key authentication. API keys can be created using the [Create API key API](docs-content://deploy-manage/api-keys/elasticsearch-api-keys.md). The API key should be provided in its encoded form (the `encoded` value returned by the Create API key API).
+
+`apiKey`
+:   Encoded API key for authentication. Cannot be used together with `user`/`password` basic authentication.
+
+::::{note}
+When using API key authentication, do not specify `user` or `password`. The driver will return an error if both API key and basic authentication credentials are provided.
+::::
+
+Example connection URL using API key:
+
+```text
+jdbc:es://http://server:9200/?apiKey=<encoded-api-key>
+```
+
+
 ### SSL [jdbc-cfg-ssl]
 
 `ssl` (default `false`)

docs/reference/query-languages/sql/sql-security.md

@@ -20,11 +20,14 @@ In case of an encrypted transport, the SSL/TLS support needs to be enabled in El
 
 ## Authentication [_authentication]
 
-The authentication support in {{es}} SQL is of two types:
+The authentication support in {{es}} SQL is of three types:
 
 Username/Password
 :   Set these through `user` and `password` properties.
 
+API Key
+:   Use an API key for authentication by setting the `apiKey` property. API keys can be created using the [Create API key API](docs-content://deploy-manage/api-keys/elasticsearch-api-keys.md). The API key should be provided in its encoded form (the `encoded` value returned by the Create API key API). This is an alternative to username/password authentication and cannot be used together with it. For the CLI, use the `--apikey` command line option.
+
 PKI/X.509
 :   Use X.509 certificates to authenticate {{es}} SQL to {{es}}. For this, one would need to setup the `keystore` containing the private key and certificate to the appropriate user (configured in {{es}}) and the `truststore` with the CA certificate used to sign the SSL/TLS certificates in the {{es}} cluster. That is, one should setup the key to authenticate {{es}} SQL and also to verify that is the right one. To do so, one should set the `ssl.keystore.location` and `ssl.truststore.location` properties to indicate the `keystore` and `truststore` to use. It is recommended to have these secured through a password in which case `ssl.keystore.pass` and `ssl.truststore.pass` properties are required.