RCS 2.0 - add remote indices privileges to role models (#90614)

This PR updates role-related data models to allow specifying remote index privileges. The change is only concerned with allowing end-users to specify a remote cluster target via the API (i.e., not files), and to exclude remote index privileges from local authorization. Fetching the relevant remote index privileges and serializing them for cross cluster requests will come in a separate PR. The changes in this PR support specifying remote_indices in the Roles API: POST /_security/role/remote-search { "indices": [ // unchanged { "names": ["*index*"], "privileges": ["read"] } ], "remote_indices": [ { "names": ["*index*"], "privileges": ["read"], "clusters": ["remote-a", "remote-b-*"] } ] }
elastic · Oct 24, 2022 · 0456868 · 0456868
1 parent 1f265eb
commit 0456868
Show file tree

Hide file tree

Showing 23 changed files with 1,664 additions and 100 deletions.
diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle
@@ -142,3 +142,9 @@ if (BuildParams.inFipsJvm){
   // Test clusters run with security disabled
   tasks.named("javaRestTest").configure{enabled = false }
 }
+
+if (BuildParams.isSnapshotBuild() == false) {
+  tasks.named("test").configure {
+    systemProperty 'es.untrusted_remote_cluster_feature_flag_registered', 'true'
+  }
+}
diff --git a/.../core/src/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequest.java b/.../core/src/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequest.java
@@ -42,6 +42,7 @@ public class PutRoleRequest extends ActionRequest implements WriteRequest<PutRol
     private String[] runAs = Strings.EMPTY_ARRAY;
     private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
     private Map<String, Object> metadata;
+    private List<RoleDescriptor.RemoteIndicesPrivileges> remoteIndicesPrivileges = new ArrayList<>();
 
     public PutRoleRequest(StreamInput in) throws IOException {
         super(in);
@@ -57,6 +58,9 @@ public PutRoleRequest(StreamInput in) throws IOException {
         runAs = in.readStringArray();
         refreshPolicy = RefreshPolicy.readFrom(in);
         metadata = in.readMap();
+        if (in.getVersion().onOrAfter(RoleDescriptor.VERSION_REMOTE_INDICES)) {
+            remoteIndicesPrivileges = in.readList(RoleDescriptor.RemoteIndicesPrivileges::new);
+        }
     }
 
     public PutRoleRequest() {}
@@ -87,6 +91,31 @@ public void addIndex(RoleDescriptor.IndicesPrivileges... privileges) {
         this.indicesPrivileges.addAll(Arrays.asList(privileges));
     }
 
+    public void addRemoteIndex(RoleDescriptor.RemoteIndicesPrivileges... privileges) {
+        remoteIndicesPrivileges.addAll(Arrays.asList(privileges));
+    }
+
+    public void addRemoteIndex(
+        final String[] remoteClusters,
+        final String[] indices,
+        final String[] privileges,
+        final String[] grantedFields,
+        final String[] deniedFields,
+        final @Nullable BytesReference query,
+        final boolean allowRestrictedIndices
+    ) {
+        remoteIndicesPrivileges.add(
+            RoleDescriptor.RemoteIndicesPrivileges.builder(remoteClusters)
+                .indices(indices)
+                .privileges(privileges)
+                .grantedFields(grantedFields)
+                .deniedFields(deniedFields)
+                .query(query)
+                .allowRestrictedIndices(allowRestrictedIndices)
+                .build()
+        );
+    }
+
     public void addIndex(
         String[] indices,
         String[] privileges,
@@ -146,6 +175,14 @@ public RoleDescriptor.IndicesPrivileges[] indices() {
         return indicesPrivileges.toArray(new RoleDescriptor.IndicesPrivileges[indicesPrivileges.size()]);
     }
 
+    public RoleDescriptor.RemoteIndicesPrivileges[] remoteIndices() {
+        return remoteIndicesPrivileges.toArray(new RoleDescriptor.RemoteIndicesPrivileges[0]);
+    }
+
+    public boolean hasRemoteIndicesPrivileges() {
+        return false == remoteIndicesPrivileges.isEmpty();
+    }
+
     public List<RoleDescriptor.ApplicationResourcePrivileges> applicationPrivileges() {
         return Collections.unmodifiableList(applicationPrivileges);
     }
@@ -176,6 +213,17 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeStringArray(runAs);
         refreshPolicy.writeTo(out);
         out.writeGenericMap(metadata);
+        if (out.getVersion().onOrAfter(RoleDescriptor.VERSION_REMOTE_INDICES)) {
+            out.writeCollection(remoteIndicesPrivileges);
+        } else if (hasRemoteIndicesPrivileges()) {
+            throw new IllegalArgumentException(
+                "versions of Elasticsearch before ["
+                    + RoleDescriptor.VERSION_REMOTE_INDICES
+                    + "] can't handle remote indices privileges and attempted to send to ["
+                    + out.getVersion()
+                    + "]"
+            );
+        }
     }
 
     public RoleDescriptor roleDescriptor() {
@@ -187,8 +235,8 @@ public RoleDescriptor roleDescriptor() {
             configurableClusterPrivileges,
             runAs,
             metadata,
-            Collections.emptyMap()
+            Collections.emptyMap(),
+            remoteIndicesPrivileges.toArray(new RoleDescriptor.RemoteIndicesPrivileges[0])
         );
     }
-
 }
diff --git a/...rc/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequestBuilder.java b/...rc/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequestBuilder.java
@@ -44,6 +44,7 @@ public PutRoleRequestBuilder source(String name, BytesReference source, XContent
         request.cluster(descriptor.getClusterPrivileges());
         request.conditionalCluster(descriptor.getConditionalClusterPrivileges());
         request.addIndex(descriptor.getIndicesPrivileges());
+        request.addRemoteIndex(descriptor.getRemoteIndicesPrivileges());
         request.addApplicationPrivileges(descriptor.getApplicationPrivileges());
         request.runAs(descriptor.getRunAs());
         request.metadata(descriptor.getMetadata());

diff --git a/...ava/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java b/...ava/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java
@@ -14,6 +14,7 @@
 import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
 
+import java.util.Arrays;
 import java.util.Set;
 
 import static org.elasticsearch.action.ValidateActions.addValidationError;
@@ -51,6 +52,17 @@ public static ActionRequestValidationException validate(
                 }
             }
         }
+        final RoleDescriptor.RemoteIndicesPrivileges[] remoteIndicesPrivileges = roleDescriptor.getRemoteIndicesPrivileges();
+        for (RoleDescriptor.RemoteIndicesPrivileges ridp : remoteIndicesPrivileges) {
+            if (Arrays.asList(ridp.remoteClusters()).contains("")) {
+                validationException = addValidationError("remote index cluster alias cannot be an empty string", validationException);
+            }
+            try {
+                IndexPrivilege.get(Set.of(ridp.indicesPrivileges().getPrivileges()));
+            } catch (IllegalArgumentException ile) {
+                validationException = addValidationError(ile.getMessage(), validationException);
+            }
+        }
         if (roleDescriptor.getApplicationPrivileges() != null) {
             for (RoleDescriptor.ApplicationResourcePrivileges privilege : roleDescriptor.getApplicationPrivileges()) {
                 try {