prevent using ::data selector as well

slobodanadamovic · slobodanadamovic · commit 0fe3ec54fe5e · 2025-03-26T15:04:16.000+01:00
diff --git a/server/src/main/java/org/elasticsearch/cluster/metadata/IndexNameExpressionResolver.java b/server/src/main/java/org/elasticsearch/cluster/metadata/IndexNameExpressionResolver.java
@@ -2368,7 +2368,7 @@ private static <V> V splitSelectorExpression(String expression, BiFunction<Strin
                 IndexComponentSelector selector = resolveAndValidateSelectorString(() -> expression, suffix);
                 String expressionBase = expression.substring(0, lastDoubleColon);
                 ensureNoMoreSelectorSeparators(expressionBase, expression);
-                ensureNoCrossClusterExpressionWithFailuresSelector(expressionBase, selector, expression);
+                ensureNoCrossClusterExpressionWithSelectorSeparator(expressionBase, selector, expression);
                 return bindFunction.apply(expressionBase, suffix);
             }
             // Otherwise accept the default
@@ -2423,20 +2423,20 @@ private static void ensureNoMoreSelectorSeparators(String remainingExpression, S
          * Checks the expression for cross-cluster syntax and throws an exception if it is combined with ::failures selector.
          * @throws IllegalArgumentException if cross-cluster syntax is detected after parsing the selector expression
          */
-        private static void ensureNoCrossClusterExpressionWithFailuresSelector(
+        private static void ensureNoCrossClusterExpressionWithSelectorSeparator(
             String expressionWithoutSelector,
             IndexComponentSelector selector,
             String originalExpression
         ) {
-            if (selector == IndexComponentSelector.FAILURES) {
+            if (selector != null) {
                 if (RemoteClusterAware.isRemoteIndexName(expressionWithoutSelector)) {
                     throw new IllegalArgumentException(
                         "Invalid usage of ["
                             + SELECTOR_SEPARATOR
                             + selector.getKey()
                             + "] selector in ["
                             + originalExpression
-                            + "], failures selector is not supported with cross-cluster expressions"
+                            + "], selectors are not supported with cross-cluster expressions"
                     );
                 }
             }
diff --git a/server/src/test/java/org/elasticsearch/cluster/metadata/SelectorResolverTests.java b/server/src/test/java/org/elasticsearch/cluster/metadata/SelectorResolverTests.java
@@ -17,6 +17,8 @@
 import org.elasticsearch.indices.SystemIndices;
 import org.elasticsearch.test.ESTestCase;
 
+import java.util.Set;
+
 import static org.elasticsearch.action.support.IndexComponentSelector.DATA;
 import static org.elasticsearch.action.support.IndexComponentSelector.FAILURES;
 import static org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.Context;
@@ -74,11 +76,8 @@ public void testResolveExpression() {
         // Empty index name is not necessarily disallowed, but will be filtered out in the next steps of resolution
         assertThat(resolve(selectorsAllowed, "::data"), equalTo(new ResolvedExpression("", DATA)));
         assertThat(resolve(selectorsAllowed, "::failures"), equalTo(new ResolvedExpression("", FAILURES)));
-        // Remote cluster syntax is respected, even if code higher up the call stack is likely to already have handled it already
-        assertThat(resolve(selectorsAllowed, "cluster:index::data"), equalTo(new ResolvedExpression("cluster:index", DATA)));
-        // CCS with an empty index name is not necessarily disallowed, though other code in the resolution logic will likely throw
-        assertThat(resolve(selectorsAllowed, "cluster:::data"), equalTo(new ResolvedExpression("cluster:", DATA)));
-        // Same for empty cluster and index names
+        // CCS with an empty index and cluster name is not necessarily disallowed, though other code in the resolution logic will likely
+        // throw
         assertThat(resolve(selectorsAllowed, ":::data"), equalTo(new ResolvedExpression(":", DATA)));
         assertThat(resolve(selectorsAllowed, ":::failures"), equalTo(new ResolvedExpression(":", FAILURES)));
         // Any more prefix colon characters will trigger the multiple separators error logic
@@ -88,25 +87,37 @@ public void testResolveExpression() {
         // Suffix case is not supported because there is no component named with the empty string
         expectThrows(InvalidIndexNameException.class, () -> resolve(selectorsAllowed, "index::"));
 
-        // remote cluster syntax is not allowed with ::failures selector
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "cluster:index::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(noSelectors, "cluster:index::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "cluster-*:index::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "cluster-*:index-*::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "cluster-*:*::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "*:index-*::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "*:*::failures");
-        // even with an empty index name
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "cluster:::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "failures:index::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "data:index::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "failures:failures::failures");
-        assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(selectorsAllowed, "data:data::failures");
-    }
-
-    public void assertFailuresSelectorNotSupportedWithRemoteClusterExpressions(Context context, String expression) {
-        var e = expectThrows(IllegalArgumentException.class, () -> resolve(context, expression));
-        assertThat(e.getMessage(), containsString("failures selector is not supported with cross-cluster expressions"));
+        // remote cluster syntax is not allowed with :: selectors
+        final Set<String> remoteClusterExpressionsWithSelectors = Set.of(
+            "cluster:index::failures",
+            "cluster-*:index::failures",
+            "cluster-*:index-*::failures",
+            "cluster-*:*::failures",
+            "*:index-*::failures",
+            "*:*::failures",
+            "*:-test*,*::failures",
+            "cluster:::failures",
+            "failures:index::failures",
+            "data:index::failures",
+            "failures:failures::failures",
+            "data:data::failures",
+            "cluster:index::data",
+            "cluster-*:index::data",
+            "cluster-*:index-*::data",
+            "cluster-*:*::data",
+            "*:index-*::data",
+            "*:*::data",
+            "cluster:::data",
+            "failures:index::data",
+            "data:index::data",
+            "failures:failures::data",
+            "data:data::data",
+            "*:-test*,*::data"
+        );
+        for (String expression : remoteClusterExpressionsWithSelectors) {
+            var e = expectThrows(IllegalArgumentException.class, () -> resolve(selectorsAllowed, expression));
+            assertThat(e.getMessage(), containsString("selectors are not supported with cross-cluster expressions"));
+        }
     }
 
     public void testResolveMatchAllToSelectors() {
diff --git a/x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/AbstractRemoteClusterSecurityFailureStoreRestIT.java b/x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/AbstractRemoteClusterSecurityFailureStoreRestIT.java
@@ -169,9 +169,9 @@ protected Tuple<String, String> getSingleDataAndFailureIndices(String dataStream
         return new Tuple<>(indices.v1().get(0), indices.v2().get(0));
     }
 
-    protected static void assertFailuresSelectorNotSupported(ResponseException exception) {
+    protected static void assertSelectorsNotSupported(ResponseException exception) {
         assertThat(exception.getResponse().getStatusLine().getStatusCode(), equalTo(403));
-        assertThat(exception.getMessage(), containsString("failures selector is not supported with cross-cluster expressions"));
+        assertThat(exception.getMessage(), containsString("selectors are not supported with cross-cluster expressions"));
     }
 
 }
diff --git a/x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1FailureStoreRestIT.java b/x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1FailureStoreRestIT.java
@@ -83,9 +83,9 @@ public void testRCS1CrossClusterSearch() throws Exception {
         final String otherBackingDataIndexName = otherBackingIndices.v1();
         final String otherBackingFailureIndexName = otherBackingIndices.v2();
 
-        testCcsWithDataSelectorSupported(backingDataIndexName, ccsMinimizeRoundtrips);
+        testCcsWithDataSelectorNotSupported(ccsMinimizeRoundtrips);
         testCcsWithFailuresSelectorNotSupported(ccsMinimizeRoundtrips);
-
+        testCcsWithoutSelectorsSupported(backingDataIndexName, ccsMinimizeRoundtrips);
         testSearchingUnauthorizedIndices(otherBackingFailureIndexName, otherBackingDataIndexName, ccsMinimizeRoundtrips);
         testSearchingWithAccessToAllIndices(ccsMinimizeRoundtrips, backingDataIndexName, otherBackingDataIndexName);
         testBackingFailureIndexAccess(ccsMinimizeRoundtrips, backingFailureIndexName);
@@ -264,10 +264,9 @@ private void testBackingFailureIndexAccess(boolean ccsMinimizeRoundtrips, String
 
     }
 
-    private void testCcsWithDataSelectorSupported(String backingDataIndexName, boolean ccsMinimizeRoundtrips) throws IOException {
+    public void testCcsWithoutSelectorsSupported(String backingDataIndexName, boolean ccsMinimizeRoundtrips) throws IOException {
         final String[] users = { FAILURE_STORE_ACCESS, DATA_ACCESS };
         for (String user : users) {
-            // query remote cluster using ::data selector should succeed
             final boolean alsoSearchLocally = randomBoolean();
             final Request dataSearchRequest = new Request(
                 "GET",
@@ -276,7 +275,7 @@ private void testCcsWithDataSelectorSupported(String backingDataIndexName, boole
                     "/%s%s:%s/_search?ccs_minimize_roundtrips=%s",
                     alsoSearchLocally ? "local_index," : "",
                     randomFrom("my_remote_cluster", "*", "my_remote_*"),
-                    randomFrom("test1::data", "test1", "test*", "test*::data", "*", "*::data", backingDataIndexName),
+                    randomFrom("test1", "test*", "*", backingDataIndexName),
                     ccsMinimizeRoundtrips
                 )
             );
@@ -287,6 +286,29 @@ private void testCcsWithDataSelectorSupported(String backingDataIndexName, boole
         }
     }
 
+    private void testCcsWithDataSelectorNotSupported(boolean ccsMinimizeRoundtrips) throws IOException {
+        final String[] users = { FAILURE_STORE_ACCESS, DATA_ACCESS, ALL_ACCESS };
+        for (String user : users) {
+            // query remote cluster using ::data selector should not succeed
+            final boolean alsoSearchLocally = randomBoolean();
+            final Request dataSearchRequest = new Request(
+                "GET",
+                String.format(
+                    Locale.ROOT,
+                    "/%s:%s/_search?ccs_minimize_roundtrips=%s",
+                    randomFrom("my_remote_cluster", "*", "my_remote_*"),
+                    randomFrom("test1::data", "test*::data", "*::data", "non-existing::data"),
+                    ccsMinimizeRoundtrips
+                )
+            );
+            final ResponseException exception = expectThrows(
+                ResponseException.class,
+                () -> performRequestWithUser(user, dataSearchRequest)
+            );
+            assertSelectorsNotSupported(exception);
+        }
+    }
+
     private void testCcsWithFailuresSelectorNotSupported(boolean ccsMinimizeRoundtrips) {
         final String[] users = {
             FAILURE_STORE_ACCESS,
@@ -313,7 +335,7 @@ private void testCcsWithFailuresSelectorNotSupported(boolean ccsMinimizeRoundtri
                     )
                 )
             );
-            assertFailuresSelectorNotSupported(exception);
+            assertSelectorsNotSupported(exception);
         }
     }
 
diff --git a/x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS2FailureStoreRestIT.java b/x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS2FailureStoreRestIT.java
@@ -89,7 +89,7 @@ public void testRCS2CrossClusterSearch() throws Exception {
         final String backingDataIndexName = backingIndices.v1();
         final String backingFailureIndexName = backingIndices.v2();
         {
-            // query remote cluster using ::data selector should succeed
+            // query remote cluster without selectors should succeed
             final boolean alsoSearchLocally = randomBoolean();
             final Request dataSearchRequest = new Request(
                 "GET",
@@ -98,7 +98,7 @@ public void testRCS2CrossClusterSearch() throws Exception {
                     "/%s%s:%s/_search?ccs_minimize_roundtrips=%s&ignore_unavailable=false",
                     alsoSearchLocally ? "local_index," : "",
                     randomFrom("my_remote_cluster", "*", "my_remote_*"),
-                    randomFrom("test1::data", "test1", "test*", "test*::data", "*", "*::data", backingDataIndexName),
+                    randomFrom("test1", "test*", "*", backingDataIndexName),
                     ccsMinimizeRoundtrips
                 )
             );
@@ -107,6 +107,25 @@ public void testRCS2CrossClusterSearch() throws Exception {
                 : new String[] { backingDataIndexName };
             assertSearchResponseContainsIndices(performRequestWithRemoteSearchUser(dataSearchRequest), expectedIndices);
         }
+        {
+            // query remote cluster using ::data selector should fail
+            final boolean alsoSearchLocally = randomBoolean();
+            final Request dataSearchRequest = new Request(
+                "GET",
+                String.format(
+                    Locale.ROOT,
+                    "/%s:%s/_search?ccs_minimize_roundtrips=%s&ignore_unavailable=false",
+                    randomFrom("my_remote_cluster", "*", "my_remote_*"),
+                    randomFrom("test1::data", "test*::data", "*::data", "non-existing::data"),
+                    ccsMinimizeRoundtrips
+                )
+            );
+            final ResponseException exception = expectThrows(
+                ResponseException.class,
+                () -> performRequestWithRemoteSearchUser(dataSearchRequest)
+            );
+            assertSelectorsNotSupported(exception);
+        }
         {
             // query remote cluster using ::failures selector should fail
             final ResponseException exception = expectThrows(
@@ -117,13 +136,13 @@ public void testRCS2CrossClusterSearch() throws Exception {
                         String.format(
                             Locale.ROOT,
                             "/my_remote_cluster:%s/_search?ccs_minimize_roundtrips=%s",
-                            randomFrom("test1::failures", "test*::failures", "*::failures"),
+                            randomFrom("test1::failures", "test*::failures", "*::failures", "non-existing::failures"),
                             ccsMinimizeRoundtrips
                         )
                     )
                 )
             );
-            assertFailuresSelectorNotSupported(exception);
+            assertSelectorsNotSupported(exception);
         }
         {
             // direct access to backing failure index is not allowed - no explicit read privileges over .fs-* indices

Original file line number	Diff line number	Diff line change
`@@ -169,9 +169,9 @@ protected Tuple<String, String> getSingleDataAndFailureIndices(String dataStream`
`169`	`169`	`return new Tuple<>(indices.v1().get(0), indices.v2().get(0));`
`170`	`170`	`}`
`171`	`171`
`172`		`- protected static void assertFailuresSelectorNotSupported(ResponseException exception) {`
	`172`	`+ protected static void assertSelectorsNotSupported(ResponseException exception) {`
`173`	`173`	`assertThat(exception.getResponse().getStatusLine().getStatusCode(), equalTo(403));`
`174`		`- assertThat(exception.getMessage(), containsString("failures selector is not supported with cross-cluster expressions"));`
	`174`	`+ assertThat(exception.getMessage(), containsString("selectors are not supported with cross-cluster expressions"));`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`}`