2929import org .opensearch .test .framework .data .TestIndex ;
3030import org .opensearch .test .framework .data .TestIndexOrAliasOrDatastream ;
3131import org .opensearch .test .framework .data .TestIndexTemplate ;
32- import org .opensearch .test .framework .TestSecurityConfig ;
33- import org .opensearch .test .framework .cluster .LocalCluster ;
34- import org .opensearch .test .framework .cluster .TestRestClient ;
3532import org .opensearch .test .framework .matcher .RestIndexMatchers ;
3633
3734import static org .hamcrest .MatcherAssert .assertThat ;
3835import static org .hamcrest .Matchers .is ;
3936import static org .opensearch .test .framework .TestSecurityConfig .AuthcDomain .AUTHC_HTTPBASIC_INTERNAL ;
4037import static org .opensearch .test .framework .data .TestIndex .openSearchSecurityConfigIndex ;
41- import static org .opensearch .test .framework .TestSecurityConfig .AuthcDomain .AUTHC_HTTPBASIC_INTERNAL ;
4238import static org .opensearch .test .framework .matcher .RestIndexMatchers .OnResponseIndexMatcher .containsExactly ;
4339import static org .opensearch .test .framework .matcher .RestIndexMatchers .OnUserIndexMatcher .limitedTo ;
4440import static org .opensearch .test .framework .matcher .RestIndexMatchers .OnUserIndexMatcher .limitedToNone ;
@@ -277,7 +273,7 @@ public void search_noPattern_allowNoIndicesFalse() throws Exception {
277273 if (user != LIMITED_USER_OTHER_PRIVILEGES ) {
278274 assertThat (
279275 httpResponse ,
280- containsExactly (ALL_INDICES ).at ("hits.hits[*]._index" )
276+ containsExactly (ALL_INDICES_EXCEPT_SYSTEM_INDICES ).at ("hits.hits[*]._index" )
281277 .reducedBy (user .reference (READ ))
282278 .whenEmpty (clusterConfig .allowsEmptyResultSets ? isNotFound () : isForbidden ())
283279 );
@@ -391,38 +387,14 @@ public void search_indexPattern() throws Exception {
391387 public void search_indexPattern_minus () throws Exception {
392388 try (TestRestClient restClient = cluster .getRestClient (user )) {
393389 TestRestClient .HttpResponse httpResponse = restClient .get ("ds_a*,ds_b*,-ds_b2,-ds_b3/_search?size=1000" );
394- if (user == SUPER_UNLIMITED_USER || user == UNLIMITED_USER ) {
395- // does not handle the expression ds_a*,ds_b*,-ds_b2,-ds_b3 in a way that excludes the data streams. See
396- // search_indexPattern_minus_backingIndices for an alternative.
397- assertThat (
390+ // OpenSearch does not handle the expression ds_a*,ds_b*,-ds_b2,-ds_b3 in a way that excludes the data streams. See
391+ // search_indexPattern_minus_backingIndices for an alternative.
392+ assertThat (
398393 httpResponse ,
399394 containsExactly (ds_a1 , ds_a2 , ds_a3 , ds_b1 , ds_b2 , ds_b3 ).at ("hits.hits[*]._index" )
400- .reducedBy (user .reference (READ ))
401- .whenEmpty (clusterConfig .allowsEmptyResultSets ? isOk () : isForbidden ())
402- );
403- } else {
404- // The IndexResolverReplacer fails to interpret the minus patterns and falls back to interpreting the given index names
405- // literally
406- // In the logs, this then looks like this:
407- // | indices:data/read/search |
408- // -ds_b2| MISSING |
409- // -ds_b3| MISSING |
410- // ds_b* | MISSING |
411- // ds_a* | MISSING |
412- // This has the effect that granted privileges using wildcards might work, but granted privileges without wildcards won't
413- // work
414- if (user == LIMITED_USER_B1 ) {
415- // No wildcard in the index pattern
416- assertThat (httpResponse , isForbidden ());
417- } else {
418- assertThat (
419- httpResponse ,
420- containsExactly (ds_a1 , ds_a2 , ds_a3 , ds_b1 , ds_b2 , ds_b3 ).at ("hits.hits[*]._index" )
421395 .reducedBy (user .reference (READ ))
422396 .whenEmpty (clusterConfig .allowsEmptyResultSets ? isOk () : isForbidden ())
423- );
424- }
425- }
397+ );
426398 }
427399 }
428400
@@ -438,7 +410,6 @@ public void search_indexPattern_minus_backingIndices() throws Exception {
438410 .whenEmpty (clusterConfig .allowsEmptyResultSets ? isOk () : isForbidden ())
439411 );
440412 } else {
441-
442413 // dnfof has the effect that the index expression is interpreted differently and that ds_b2 and ds_b3 get included
443414 assertThat (
444415 httpResponse ,
@@ -457,19 +428,13 @@ public void search_indexPattern_nonExistingIndex_ignoreUnavailable() throws Exce
457428 "ds_a*,ds_b*,xxx_non_existing/_search?size=1000&ignore_unavailable=true"
458429 );
459430
460- // The presence of a non existing index has the effect that the other patterns are not resolved by IndexResolverReplacer
461- // This causes a few more 403 errors where the granted index patterns do not use wildcards
462-
463- if (user == LIMITED_USER_B1 ) {
464- assertThat (httpResponse , isForbidden ());
465- } else {
466431 assertThat (
467432 httpResponse ,
468433 containsExactly (ds_a1 , ds_a2 , ds_a3 , ds_b1 , ds_b2 , ds_b3 ).at ("hits.hits[*]._index" )
469434 .reducedBy (user .reference (READ ))
470435 .whenEmpty (clusterConfig .allowsEmptyResultSets ? isOk () : isForbidden ())
471436 );
472- }
437+
473438 }
474439 }
475440
@@ -484,14 +449,6 @@ public void search_indexPattern_noWildcards() throws Exception {
484449 } else {
485450 assertThat (httpResponse , isOk ());
486451 assertThat (httpResponse , containsExactly ().at ("hits.hits[*]._index" ));
487- } else {
488- // dnfof makes the expand_wildcards=none option ineffective
489- assertThat (
490- httpResponse ,
491- containsExactly (ds_a1 , ds_a2 , ds_a3 , ds_b1 , ds_b2 , ds_b3 ).at ("hits.hits[*]._index" )
492- .reducedBy (user .reference (READ ))
493- .whenEmpty (clusterConfig .allowsEmptyResultSets ? isOk () : isForbidden ())
494- );
495452 }
496453 }
497454 }
@@ -537,7 +494,7 @@ public void search_termsAggregation_index() throws Exception {
537494
538495 assertThat (
539496 httpResponse ,
540- containsExactly (ALL_INDICES ).at ("aggregations.indices.buckets[*].key" ).reducedBy (user .reference (READ )).whenEmpty (isOk ())
497+ containsExactly (ALL_INDICES_EXCEPT_SYSTEM_INDICES ).at ("aggregations.indices.buckets[*].key" ).reducedBy (user .reference (READ )).whenEmpty (isOk ())
541498 );
542499
543500 }