record index resolution for _all expressions#135425
record index resolution for _all expressions#135425richard-dennehy merged 15 commits intoelastic:mainfrom
Conversation
|
Pinging @elastic/es-security (Team:Security) |
ywangd
left a comment
There was a problem hiding this comment.
I am not sure about the status of this PR. It has not implemented the CPS resolution yet. Maybe it should be draft?
...security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
Outdated
Show resolved
Hide resolved
...security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I had some more comments.
I think it's also possible to get a pattern like *:_all which takes the other path as opposed to isAllIndices == true. I suspect it may not work as is since indexAbstractionResolver.resolveIndexAbstractions does not handle _all. We can address it separately.
| var resolvedExpressionsBuilder = ResolvedIndexExpressions.builder(); | ||
| Set<String> remoteIndices = Collections.emptySet(); | ||
| if (crossProjectModeDecider.resolvesCrossProject(replaceable)) { | ||
| remoteIndices = CrossProjectIndexExpressionsRewriter.rewriteIndexExpression( | ||
| "*", | ||
| authorizedProjects.originProjectAlias(), | ||
| authorizedProjects.allProjectAliases() | ||
| ).remoteExpressions(); | ||
| } | ||
|
|
||
| resolvedExpressionsBuilder.addExpressions( | ||
| indicesRequest.indices().length > 0 ? indicesRequest.indices()[0] : Metadata.ALL, | ||
| localExpressions, | ||
| ResolvedIndexExpression.LocalIndexResolutionResult.SUCCESS, | ||
| remoteIndices | ||
| ); | ||
| var resolved = resolvedExpressionsBuilder.build(); | ||
|
|
||
| if (crossProjectModeDecider.crossProjectEnabled()) { | ||
| setResolvedIndexExpressionsIfUnset(replaceable, resolved); | ||
| } | ||
| resolvedIndicesBuilder.addLocal(resolved.getLocalIndicesList()); |
There was a problem hiding this comment.
A couple comments:
- It needs to be moved inside the above
if (indicesOptions.expandWildcardExpressions()) {block since there is no need to resolve CPS if something like_allis used along withexpandWildcards=false, i.e. it resolves to nothing everywhere so that we can short circuit - The first argument to
CrossProjectIndexExpressionsRewriter.rewriteIndexExpressionshould use the actual pattern passed in, i.e. something likeindicesRequest.indices() == null || indicesRequest.indices().isEmpty() ? "_all" : indicesRequest.indices()[0]. This should ensure the any selector pattern is included and the current code should throw an exception for them on rewriting as intended. - Code related to CPS is better all put inside the
if (crossProjectModeDecider.resolvesCrossProject(replaceable)) {block so that it is clear they do not apply when the request is not CPS relevant.setResolvedIndexExpressionsIfUnsetis an exception since it is already wrapped with CPS enabled check.
There was a problem hiding this comment.
For 3 - I don't think there's anything I can move; line 395 needs to always happen, to match the existing behaviour - this means everything else currently outside the CPS branch needs to stay out of that branch
There was a problem hiding this comment.
I should have been more specific. I had performance in mind. The index resolution can be performance sensitive when a cluster has a large number of indices.
The original code adds each resolved index inline with resolvedIndicesBuilder.addLocal thus build the list of indices only once.
The proposed change builds a HashSet first. It then builds a List (getLocalIndicesList) and finally calls resolvedIndicesBuilder.addLocal(List) which internally builds yet another list. So I was thinking whether we could separate the CPS path a bit more from the current code path so that it does not impact current production. That said, we can defer this as a follow-up.
...ity/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
Outdated
Show resolved
Hide resolved
...ity/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
Outdated
Show resolved
Hide resolved
...ity/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
Outdated
Show resolved
Hide resolved
ywangd
left a comment
There was a problem hiding this comment.
I think this is almost there for a reasonable first version. Could you please raise a linked serverless side PR to augument the REST test CrossProjectSearchRestIT#testCrossProjectResolveIndexWithUniversalApiKey for the change here?
...security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
Outdated
Show resolved
Hide resolved
...security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
Show resolved
Hide resolved
| var resolvedExpressionsBuilder = ResolvedIndexExpressions.builder(); | ||
| Set<String> remoteIndices = Collections.emptySet(); | ||
| if (crossProjectModeDecider.resolvesCrossProject(replaceable)) { | ||
| remoteIndices = CrossProjectIndexExpressionsRewriter.rewriteIndexExpression( | ||
| "*", | ||
| authorizedProjects.originProjectAlias(), | ||
| authorizedProjects.allProjectAliases() | ||
| ).remoteExpressions(); | ||
| } | ||
|
|
||
| resolvedExpressionsBuilder.addExpressions( | ||
| indicesRequest.indices().length > 0 ? indicesRequest.indices()[0] : Metadata.ALL, | ||
| localExpressions, | ||
| ResolvedIndexExpression.LocalIndexResolutionResult.SUCCESS, | ||
| remoteIndices | ||
| ); | ||
| var resolved = resolvedExpressionsBuilder.build(); | ||
|
|
||
| if (crossProjectModeDecider.crossProjectEnabled()) { | ||
| setResolvedIndexExpressionsIfUnset(replaceable, resolved); | ||
| } | ||
| resolvedIndicesBuilder.addLocal(resolved.getLocalIndicesList()); |
There was a problem hiding this comment.
I should have been more specific. I had performance in mind. The index resolution can be performance sensitive when a cluster has a large number of indices.
The original code adds each resolved index inline with resolvedIndicesBuilder.addLocal thus build the list of indices only once.
The proposed change builds a HashSet first. It then builds a List (getLocalIndicesList) and finally calls resolvedIndicesBuilder.addLocal(List) which internally builds yet another list. So I was thinking whether we could separate the CPS path a bit more from the current code path so that it does not impact current production. That said, we can defer this as a follow-up.
| if (crossProjectModeDecider.crossProjectEnabled()) { | ||
| setResolvedIndexExpressionsIfUnset(replaceable, resolved); | ||
| } | ||
| resolvedIndicesBuilder.addLocal(resolved.getLocalIndicesList()); |
There was a problem hiding this comment.
We need to call resolvedIndicesBuilder.addRemote(resolved.getRemoteIndicesList()) as well to ensure remote indices are not lost after rewriting.
* record index resolution for _all expressions * [CI] Auto commit changes from spotless * cleanup * fix compile * include remote expressions in _all index resolution * address review comments * clean up tests * [CI] Auto commit changes from spotless * address review comments * [CI] Auto commit changes from spotless * update remote indices list * use order-insensitive assertion --------- Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co> Co-authored-by: Nikolaj Volgushev <n1v0lg@users.noreply.github.com>
Follow up to #135425 As identified, expressions such as `*:_all` currently don't resolve correctly (it appears that it currently tries to authorize the user against the literal index "_all"). This PR fixes the resolution of prefixed `_all` expressions. Relates: ES-13213
Follow up to elastic#135425 As identified, expressions such as `*:_all` currently don't resolve correctly (it appears that it currently tries to authorize the user against the literal index "_all"). This PR fixes the resolution of prefixed `_all` expressions. Relates: ES-13213
Follow up to elastic#135425 As identified, expressions such as `*:_all` currently don't resolve correctly (it appears that it currently tries to authorize the user against the literal index "_all"). This PR fixes the resolution of prefixed `_all` expressions. Relates: ES-13213
Follow up to #135081
Records resolution for
_allindex expressionsResolves: ES-13004