martijnvg
diff --git a/‎docs/changelog/137442.yaml‎
Lines changed: 5 additions & 0 deletions b/‎docs/changelog/137442.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎modules/mapper-extras/src/main/java/org/elasticsearch/index/mapper/extras/MatchOnlyTextFieldMapper.java‎
Lines changed: 1 addition & 1 deletion b/‎modules/mapper-extras/src/main/java/org/elasticsearch/index/mapper/extras/MatchOnlyTextFieldMapper.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/src/main/java/org/elasticsearch/index/mapper/IgnoreMalformedStoredValues.java‎
Lines changed: 4 additions & 1 deletion b/‎server/src/main/java/org/elasticsearch/index/mapper/IgnoreMalformedStoredValues.java‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎server/src/main/java/org/elasticsearch/index/mapper/KeywordFieldMapper.java‎
Lines changed: 2 additions & 1 deletion b/‎server/src/main/java/org/elasticsearch/index/mapper/KeywordFieldMapper.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java‎
Lines changed: 37 additions & 9 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java‎
Lines changed: 37 additions & 9 deletions
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java‎
Lines changed: 4 additions & 1 deletion b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/FieldPermissions.java‎
Lines changed: 8 additions & 2 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/FieldPermissions.java‎
Lines changed: 8 additions & 2 deletions
@@ -0,0 +1,5 @@
+pr: 137442
+summary: Handle ._original stored fields with fls
+area: "Authorization"
+type: bug
+issues: []
@@ -202,7 +202,7 @@ public MatchOnlyTextFieldType(
             super(name, true, false, false, tsi, meta);
             this.indexAnalyzer = Objects.requireNonNull(indexAnalyzer);
             this.textFieldType = new TextFieldType(name, isSyntheticSource, syntheticSourceDelegate);
-            this.originalName = isSyntheticSource ? name + "._original" : null;
+            this.originalName = isSyntheticSource ? name + KeywordFieldMapper.FALLBACK_FIELD_NAME_SUFFIX : null;
             this.withinMultiField = withinMultiField;
             this.storedFieldInBinaryFormat = storedFieldInBinaryFormat;
         }
 
@@ -26,6 +26,9 @@
  * {@code _source}.
  */
 public abstract class IgnoreMalformedStoredValues {
+
+    public static final String IGNORE_MALFORMED_FIELD_NAME_SUFFIX = "._ignore_malformed";
+
     /**
      * Creates a stored field that stores malformed data to be used in synthetic source.
      * Name of the stored field is original name of the field with added conventional suffix.
@@ -143,6 +146,6 @@ public void reset() {
     }
 
     public static String name(String fieldName) {
-        return fieldName + "._ignore_malformed";
+        return fieldName + IGNORE_MALFORMED_FIELD_NAME_SUFFIX;
     }
 }
@@ -104,6 +104,7 @@ public final class KeywordFieldMapper extends FieldMapper {
 
     static final NodeFeature KEYWORD_DIMENSION_IGNORE_ABOVE = new NodeFeature("mapper.keyword_dimension_ignore_above", true);
     static final NodeFeature KEYWORD_NORMALIZER_SYNTHETIC_SOURCE = new NodeFeature("mapper.keyword_normalizer_synthetic_source", true);
+    public static final String FALLBACK_FIELD_NAME_SUFFIX = "._original";
 
     public static class Defaults {
         public static final FieldType FIELD_TYPE;
@@ -472,7 +473,7 @@ public KeywordFieldType(
             this.scriptValues = builder.scriptValues();
             this.isDimension = builder.dimension.getValue();
             this.isSyntheticSource = isSyntheticSource;
-            this.originalName = isSyntheticSource ? name + "._original" : null;
+            this.originalName = isSyntheticSource ? name + FALLBACK_FIELD_NAME_SUFFIX : null;
         }
 
         public KeywordFieldType(String name) {
 
@@ -40,7 +40,9 @@
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.core.Tuple;
 import org.elasticsearch.index.mapper.FieldNamesFieldMapper;
+import org.elasticsearch.index.mapper.IgnoreMalformedStoredValues;
 import org.elasticsearch.index.mapper.IgnoredSourceFieldMapper;
+import org.elasticsearch.index.mapper.KeywordFieldMapper;
 import org.elasticsearch.index.mapper.SourceFieldMapper;
 import org.elasticsearch.transport.Transports;
 import org.elasticsearch.xcontent.XContentBuilder;
@@ -54,6 +56,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.function.Function;
 
 /**
  * A {@link FilterLeafReader} that exposes only a subset
@@ -68,36 +71,48 @@ public final class FieldSubsetReader extends SequentialStoredFieldsLeafReader {
      * Note that for convenience, the returned reader
      * can be used normally (e.g. passed to {@link DirectoryReader#openIfChanged(DirectoryReader)})
      * and so on.
-     * @param in reader to filter
-     * @param filter fields to filter.
+     *
+     * @param in       reader to filter
+     * @param filter   fields to filter.
+     * @param isMapped whether a field is mapped or not.
      */
-    public static DirectoryReader wrap(DirectoryReader in, CharacterRunAutomaton filter) throws IOException {
-        return new FieldSubsetDirectoryReader(in, filter);
+    public static DirectoryReader wrap(
+        DirectoryReader in,
+        CharacterRunAutomaton filter,
+        Function<String, Boolean> isMapped
+    ) throws IOException {
+        return new FieldSubsetDirectoryReader(in, filter, isMapped);
     }
 
     // wraps subreaders with fieldsubsetreaders.
     static class FieldSubsetDirectoryReader extends FilterDirectoryReader {
 
         private final CharacterRunAutomaton filter;
+        private final Function<String, Boolean> isMapped;
 
-        FieldSubsetDirectoryReader(DirectoryReader in, final CharacterRunAutomaton filter) throws IOException {
+        FieldSubsetDirectoryReader(
+            DirectoryReader in,
+            final CharacterRunAutomaton filter,
+            Function<String, Boolean> isMapped
+        ) throws IOException {
             super(in, new FilterDirectoryReader.SubReaderWrapper() {
                 @Override
                 public LeafReader wrap(LeafReader reader) {
                     try {
-                        return new FieldSubsetReader(reader, filter);
+                        return new FieldSubsetReader(reader, filter, isMapped);
                     } catch (IOException e) {
                         throw new UncheckedIOException(e);
                     }
                 }
             });
             this.filter = filter;
+            this.isMapped = isMapped;
             verifyNoOtherFieldSubsetDirectoryReaderIsWrapped(in);
         }
 
         @Override
         protected DirectoryReader doWrapDirectoryReader(DirectoryReader in) throws IOException {
-            return new FieldSubsetDirectoryReader(in, filter);
+            return new FieldSubsetDirectoryReader(in, filter, isMapped);
         }
 
         /** Return the automaton that is used to filter fields. */
@@ -133,11 +148,24 @@ public CacheHelper getReaderCacheHelper() {
     /**
      * Wrap a single segment, exposing a subset of its fields.
      */
-    FieldSubsetReader(LeafReader in, CharacterRunAutomaton filter) throws IOException {
+    FieldSubsetReader(
+        LeafReader in,
+        CharacterRunAutomaton filter,
+        Function<String, Boolean> isMapped
+    ) throws IOException {
         super(in);
         ArrayList<FieldInfo> filteredInfos = new ArrayList<>();
         for (FieldInfo fi : in.getFieldInfos()) {
-            if (filter.run(fi.name)) {
+            String name = fi.name;
+            if (fi.getName().endsWith(KeywordFieldMapper.FALLBACK_FIELD_NAME_SUFFIX) && isMapped.apply(fi.getName()) == false) {
+                name = fi.getName().substring(0, fi.getName().length() - KeywordFieldMapper.FALLBACK_FIELD_NAME_SUFFIX.length());
+            }
+            if (fi.getName().endsWith(IgnoreMalformedStoredValues.IGNORE_MALFORMED_FIELD_NAME_SUFFIX)
+                && isMapped.apply(fi.getName()) == false) {
+                name = fi.getName()
+                    .substring(0, fi.getName().length() - IgnoreMalformedStoredValues.IGNORE_MALFORMED_FIELD_NAME_SUFFIX.length());
+            }
+            if (filter.run(name)) {
                 filteredInfos.add(fi);
             }
         }
 
@@ -96,7 +96,10 @@ public DirectoryReader apply(final DirectoryReader reader) {
                 }
             }
 
-            return permissions.getFieldPermissions().filter(wrappedReader);
+            var searchContext = searchExecutionContextProvider.apply(shardId);
+            Function<String, Boolean> isMapped = searchContext::isFieldMapped;
+
+            return permissions.getFieldPermissions().filter(wrappedReader, isMapped);
         } catch (IOException e) {
             logger.error("Unable to apply field level security");
             throw ExceptionsHelper.convertToElastic(e);
 
@@ -32,6 +32,7 @@
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 
 import static org.apache.lucene.util.automaton.Operations.subsetOf;
@@ -245,11 +246,16 @@ public boolean hasFieldLevelSecurity() {
     }
 
     /** Return a wrapped reader that only exposes allowed fields. */
-    public DirectoryReader filter(DirectoryReader reader) throws IOException {
+    public DirectoryReader filter(DirectoryReader reader, Function<String, Boolean> isMapped)
+        throws IOException {
         if (hasFieldLevelSecurity() == false) {
             return reader;
         }
-        return FieldSubsetReader.wrap(reader, permittedFieldsAutomaton);
+        return FieldSubsetReader.wrap(
+            reader,
+            permittedFieldsAutomaton,
+            isMapped
+        );
     }
 
     Automaton getIncludeAutomaton() {
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ public MatchOnlyTextFieldType(`
`202`	`202`	`super(name, true, false, false, tsi, meta);`
`203`	`203`	`this.indexAnalyzer = Objects.requireNonNull(indexAnalyzer);`
`204`	`204`	`this.textFieldType = new TextFieldType(name, isSyntheticSource, syntheticSourceDelegate);`
`205`		`- this.originalName = isSyntheticSource ? name + "._original" : null;`
	`205`	`+ this.originalName = isSyntheticSource ? name + KeywordFieldMapper.FALLBACK_FIELD_NAME_SUFFIX : null;`
`206`	`206`	`this.withinMultiField = withinMultiField;`
`207`	`207`	`this.storedFieldInBinaryFormat = storedFieldInBinaryFormat;`
`208`	`208`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,9 @@`
`26`	`26`	`* {@code _source}.`
`27`	`27`	`*/`
`28`	`28`	`public abstract class IgnoreMalformedStoredValues {`
	`29`	`+`
	`30`	`+ public static final String IGNORE_MALFORMED_FIELD_NAME_SUFFIX = "._ignore_malformed";`
	`31`	`+`
`29`	`32`	`/**`
`30`	`33`	`* Creates a stored field that stores malformed data to be used in synthetic source.`
`31`	`34`	`* Name of the stored field is original name of the field with added conventional suffix.`
`@@ -143,6 +146,6 @@ public void reset() {`
`143`	`146`	`}`
`144`	`147`
`145`	`148`	`public static String name(String fieldName) {`
`146`		`- return fieldName + "._ignore_malformed";`
	`149`	`+ return fieldName + IGNORE_MALFORMED_FIELD_NAME_SUFFIX;`
`147`	`150`	`}`
`148`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,10 @@ public DirectoryReader apply(final DirectoryReader reader) {`
`96`	`96`	`}`
`97`	`97`	`}`
`98`	`98`
`99`		`- return permissions.getFieldPermissions().filter(wrappedReader);`
	`99`	`+ var searchContext = searchExecutionContextProvider.apply(shardId);`
	`100`	`+ Function<String, Boolean> isMapped = searchContext::isFieldMapped;`
	`101`	`+`
	`102`	`+ return permissions.getFieldPermissions().filter(wrappedReader, isMapped);`
`100`	`103`	`} catch (IOException e) {`
`101`	`104`	`logger.error("Unable to apply field level security");`
`102`	`105`	`throw ExceptionsHelper.convertToElastic(e);`