ES|QL with RCS 2.0 security fix (#107079)

This commit provides the ES security changes to support internal ES|QL actions when running ES|QL queries across clusters that use RCS 2.0 (API keys) as the security model. The tests have been updated to illustrate the primary workflow working.
elastic · Apr 12, 2024 · 0660f7f · 0660f7f
1 parent b85b9dc
commit 0660f7f
Show file tree

Hide file tree

Showing 5 changed files with 456 additions and 82 deletions.
diff --git a/.../java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/.../java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
@@ -180,7 +180,9 @@ public class ClusterPrivilegeResolver {
         RemoteClusterNodesAction.TYPE.name(),
         XPackInfoAction.NAME,
         // esql enrich
-        "cluster:monitor/xpack/enrich/esql/resolve_policy"
+        "cluster:monitor/xpack/enrich/esql/resolve_policy",
+        "cluster:internal:data/read/esql/open_exchange",
+        "cluster:internal:data/read/esql/exchange"
     );
     private static final Set<String> CROSS_CLUSTER_REPLICATION_PATTERN = Set.of(
         RemoteClusterService.REMOTE_CLUSTER_HANDSHAKE_ACTION_NAME,

diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -86,10 +86,8 @@ public final class IndexPrivilege extends Privilege {
         ClusterSearchShardsAction.NAME,
         TransportSearchShardsAction.TYPE.name(),
         TransportResolveClusterAction.NAME,
-        // cross clusters query for ESQL
-        "internal:data/read/esql/open_exchange",
-        "internal:data/read/esql/exchange",
-        "indices:data/read/esql/cluster"
+        "indices:data/read/esql",
+        "indices:data/read/esql/compute"
     );
     private static final Automaton CREATE_AUTOMATON = patterns(
         "indices:data/write/index*",

diff --git a/...ql/compute/src/main/java/org/elasticsearch/compute/operator/exchange/ExchangeService.java b/...ql/compute/src/main/java/org/elasticsearch/compute/operator/exchange/ExchangeService.java
@@ -50,8 +50,10 @@ public final class ExchangeService extends AbstractLifecycleComponent {
     // TODO: Make this a child action of the data node transport to ensure that exchanges
     // are accessed only by the user initialized the session.
     public static final String EXCHANGE_ACTION_NAME = "internal:data/read/esql/exchange";
+    public static final String EXCHANGE_ACTION_NAME_FOR_CCS = "cluster:internal:data/read/esql/exchange";
 
     private static final String OPEN_EXCHANGE_ACTION_NAME = "internal:data/read/esql/open_exchange";
+    private static final String OPEN_EXCHANGE_ACTION_NAME_FOR_CCS = "cluster:internal:data/read/esql/open_exchange";
 
     /**
      * The time interval for an exchange sink handler to be considered inactive and subsequently
@@ -85,6 +87,21 @@ public void registerTransportHandler(TransportService transportService) {
             OpenExchangeRequest::new,
             new OpenExchangeRequestHandler()
         );
+
+        // This allows the system user access this action when executed over CCS and the API key based security model is in use
+        transportService.registerRequestHandler(
+            EXCHANGE_ACTION_NAME_FOR_CCS,
+            this.executor,
+            ExchangeRequest::new,
+            new ExchangeTransportAction()
+        );
+        transportService.registerRequestHandler(
+            OPEN_EXCHANGE_ACTION_NAME_FOR_CCS,
+            this.executor,
+            OpenExchangeRequest::new,
+            new OpenExchangeRequestHandler()
+        );
+
     }
 
     /**