[Failure Store] Test FLS/DLS access to failure store (elastic#125792) (elastic#125846)

slobodanadamovic · web-flow · commit bfe3c3738e52 · 2025-03-29T01:44:55.000+11:00
More test coverage for FLS/DLS over failure store indices.
diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/failurestore/FailureStoreSecurityRestIT.java
@@ -17,6 +17,7 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.Maps;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.common.xcontent.support.XContentMapValues;
@@ -1388,8 +1389,7 @@ public void testDlsFls() throws Exception {
             Map.of(dataIndexName, Set.of("@timestamp", "age"))
         );
 
-        // FLS sort of applies to failure store
-        // TODO this will change with FLS handling
+        // FLS applies to failure store
         assertSearchResponseContainsExpectedIndicesAndFields(
             performRequest(user, new Search("test1::failures").toSearchRequest()),
             Map.of(failureIndexName, Set.of("@timestamp"))
@@ -1409,24 +1409,56 @@ public void testDlsFls() throws Exception {
                      {
                         "names": ["test*"],
                         "privileges": ["read_failure_store"],
+                        "field_security": {
+                            "grant": ["error.type", "error.message"]
+                        }
+                     }
+                 ]
+             }""", "test1"), role);
+
+        // FLS applies to regular data stream
+        assertSearchResponseContainsExpectedIndicesAndFields(
+            performRequest(user, new Search(randomFrom("test1", "test1::data")).toSearchRequest()),
+            Map.of(dataIndexName, Set.of("@timestamp", "age"))
+        );
+
+        // FLS applies to failure store
+        assertSearchResponseContainsExpectedIndicesAndFields(
+            performRequest(user, new Search("test1::failures").toSearchRequest()),
+            Map.of(failureIndexName, Set.of("error.type", "error.message"))
+        );
+
+        upsertRole(Strings.format("""
+            {
+                 "cluster": ["all"],
+                 "indices": [
+                     {
+                        "names": ["%s"],
+                        "privileges": ["read"],
                         "field_security": {
                             "grant": ["@timestamp", "age"]
                         }
+                     },
+                     {
+                        "names": ["test*"],
+                        "privileges": ["read_failure_store"],
+                        "field_security": {
+                            "grant": ["error.type", "error.message"]
+                        }
                      }
                  ]
-             }""", randomFrom("test*", "test1")), role);
+             }""", "test*"), role);
 
         // FLS applies to regular data stream
         assertSearchResponseContainsExpectedIndicesAndFields(
             performRequest(user, new Search(randomFrom("test1", "test1::data")).toSearchRequest()),
             Map.of(dataIndexName, Set.of("@timestamp", "age"))
         );
 
-        // FLS sort of applies to failure store
-        // TODO this will change with FLS handling
+        // FLS applies to failure store
         assertSearchResponseContainsExpectedIndicesAndFields(
             performRequest(user, new Search("test1::failures").toSearchRequest()),
-            Map.of(failureIndexName, Set.of("@timestamp"))
+            Map.of(failureIndexName, Set.of("@timestamp", "error.type", "error.message"))
         );
 
         upsertRole("""
@@ -1452,10 +1484,56 @@ public void testDlsFls() throws Exception {
             performRequest(user, new Search(randomFrom("test1", "test1::data")).toSearchRequest()),
             Map.of(dataIndexName, Set.of("@timestamp", "age", "name", "email"))
         );
-
         assertSearchResponseContainsExpectedIndicesAndFields(
             performRequest(user, new Search("test1::failures").toSearchRequest()),
-            Map.of(failureIndexName, Set.of("@timestamp", "document", "error"))
+            Map.of(
+                failureIndexName,
+                Set.of(
+                    "@timestamp",
+                    "document.id",
+                    "document.index",
+                    "document.source.@timestamp",
+                    "document.source.age",
+                    "document.source.email",
+                    "document.source.name",
+                    "error.message",
+                    "error.stack_trace",
+                    "error.type"
+                )
+            )
+        );
+
+        // check that direct read access to backing indices is working
+        upsertRole(Strings.format("""
+            {
+                 "cluster": ["all"],
+                 "indices": [
+                     {
+                        "names": ["%s"],
+                        "privileges": ["read"],
+                        "field_security": {
+                            "grant": ["@timestamp", "age"]
+                        }
+                     },
+                     {
+                        "names": ["%s"],
+                        "privileges": ["read"],
+                        "field_security": {
+                            "grant": ["@timestamp", "document.source.name"]
+                        }
+                     }
+                 ]
+             }""", dataIndexName, failureIndexName), role);
+
+        // FLS applies to backing data index
+        assertSearchResponseContainsExpectedIndicesAndFields(
+            performRequest(user, new Search(randomFrom(dataIndexName, ".ds-*")).toSearchRequest()),
+            Map.of(dataIndexName, Set.of("@timestamp", "age"))
+        );
+        // and backing failure index
+        assertSearchResponseContainsExpectedIndicesAndFields(
+            performRequest(user, new Search(randomFrom(failureIndexName, ".fs-*")).toSearchRequest()),
+            Map.of(failureIndexName, Set.of("@timestamp", "document.source.name"))
         );
 
         // DLS
@@ -1507,6 +1585,21 @@ public void testDlsFls() throws Exception {
              }""", role);
         // DLS does not apply because there is a section without DLS
         expectSearch(user, new Search(randomFrom("test1", "test1::data")), dataIndexDocId);
+
+        // DLS is applicable to backing failure store when granted read directly
+        upsertRole(Strings.format("""
+            {
+                 "cluster": ["all"],
+                 "indices": [
+                     {
+                        "names": ["%s"],
+                        "privileges": ["read"],
+                        "query":{"term":{"document.source.name":{"value":"jack"}}}
+                     }
+                 ]
+             }""", failureIndexName), role);
+        expectSearch(user, new Search(randomFrom(".fs-*", failureIndexName)));
+
     }
 
     private static void expectThrows(ThrowingRunnable runnable, int statusCode) {
@@ -1797,7 +1890,7 @@ protected void assertSearchResponseContainsExpectedIndicesAndFields(
                 assertThat(searchResult.keySet(), equalTo(expectedIndicesAndFields.keySet()));
                 for (String index : expectedIndicesAndFields.keySet()) {
                     Set<String> expectedFields = expectedIndicesAndFields.get(index);
-                    assertThat(searchResult.get(index).keySet(), equalTo(expectedFields));
+                    assertThat(Maps.flatten(searchResult.get(index), false, true).keySet(), equalTo(expectedFields));
                 }
             } finally {
                 response.decRef();
