

ES|QL with RCS 2.0 security fix (#107079)
This commit provides the ES security changes to support internal ES|QL actions when
running ES|QL queries across clusters that use RCS 2.0 (API keys) as the security model. 
The tests have been updated to demonstrate the primary cross-cluster workflow end to end.
jakelandis committed Apr 12, 2024
1 parent b85b9dc commit 0660f7f
Showing 5 changed files with 456 additions and 82 deletions.
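--- a/ClusterPrivilegeResolver.java
+++ b/ClusterPrivilegeResolver.java
@@ -180,7 +180,9 @@ public class ClusterPrivilegeResolver {
 RemoteClusterNodesAction.TYPE.name(),
 XPackInfoAction.NAME,
 // esql enrich
-"cluster:monitor/xpack/enrich/esql/resolve_policy"
+"cluster:monitor/xpack/enrich/esql/resolve_policy",
+"cluster:internal:data/read/esql/open_exchange",
+"cluster:internal:data/read/esql/exchange"
 );
 private static final Set<String> CROSS_CLUSTER_REPLICATION_PATTERN = Set.of(
 RemoteClusterService.REMOTE_CLUSTER_HANDSHAKE_ACTION_NAME,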
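Review bot: The two `cluster:internal:data/read/esql/*` entries are added with no comment, unlike the `// esql enrich` entry directly above them, so a reader of this pattern cannot tell why node-internal exchange actions are now matched by a cluster privilege. The `ExchangeService` TODO touched elsewhere in this commit records that exchange access is not yet bound to the user who opened the session, so whichever privilege this set backs (its declaration is above the hunk) now lets every principal holding it call the exchange handlers directly. I would add `// esql cross-cluster exchange under RCS 2.0 (API keys); the handlers do no per-session authorization, see ExchangeService TODO` above the two new lines so the trust boundary is explicit to whoever next edits this set.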
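--- a/IndexPrivilege.java
+++ b/IndexPrivilege.java
@@ -86,10 +86,8 @@ public final class IndexPrivilege extends Privilege {
 ClusterSearchShardsAction.NAME,
 TransportSearchShardsAction.TYPE.name(),
 TransportResolveClusterAction.NAME,
-// cross clusters query for ESQL
-"internal:data/read/esql/open_exchange",
-"internal:data/read/esql/exchange",
-"indices:data/read/esql/cluster"
+"indices:data/read/esql",
+"indices:data/read/esql/compute"
 );
 private static final Automaton CREATE_AUTOMATON = patterns(
 "indices:data/write/index*",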
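Review bot: The replacement lines drop the `// cross clusters query for ESQL` comment, so `indices:data/read/esql` and `indices:data/read/esql/compute` are the only entries in this automaton left without a note on why they belong to it; restore one, e.g. `// ES|QL cross-cluster query: top-level query action plus the per-node compute action`. Granting the top-level `indices:data/read/esql` action here, rather than only the `compute` action the fulfilling cluster needs, widens this privilege to running complete ES|QL queries against the matched indices — if this is the read_cross_cluster automaton, which I cannot confirm since its declaration is above the hunk, that deserves a sentence in the commit message and a test asserting exactly which action names the privilege matches. The removal of the two `internal:` names from an index-level pattern is consistent with their move to a cluster pattern in this commit.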
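--- a/ExchangeService.java
+++ b/ExchangeService.java
@@ -50,8 +50,10 @@ public final class ExchangeService extends AbstractLifecycleComponent {
 // TODO: Make this a child action of the data node transport to ensure that exchanges
 // are accessed only by the user initialized the session.
 public static final String EXCHANGE_ACTION_NAME = "internal:data/read/esql/exchange";
+public static final String EXCHANGE_ACTION_NAME_FOR_CCS = "cluster:internal:data/read/esql/exchange";
 
 private static final String OPEN_EXCHANGE_ACTION_NAME = "internal:data/read/esql/open_exchange";
+private static final String OPEN_EXCHANGE_ACTION_NAME_FOR_CCS = "cluster:internal:data/read/esql/open_exchange";
 
 /**
 * The time interval for an exchange sink handler to be considered inactive and subsequently
@@ -85,6 +87,21 @@ public void registerTransportHandler(TransportService transportService) {
 OpenExchangeRequest::new,
 new OpenExchangeRequestHandler()
 );
+
+// This allows the system user access this action when executed over CCS and the API key based security model is in use
+transportService.registerRequestHandler(
+EXCHANGE_ACTION_NAME_FOR_CCS,
+this.executor,
+ExchangeRequest::new,
+new ExchangeTransportAction()
+);
+transportService.registerRequestHandler(
+OPEN_EXCHANGE_ACTION_NAME_FOR_CCS,
+this.executor,
+OpenExchangeRequest::new,
+new OpenExchangeRequestHandler()
+);
+
 }
 
 /**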
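Review bot: The `_FOR_CCS` registrations in `registerTransportHandler` wire `new ExchangeTransportAction()` and `new OpenExchangeRequestHandler()` to the new names with no caller check, so the open TODO at the top of the first hunk (exchanges are not yet restricted to the user who opened the session) now also applies to requests arriving from a remote cluster. The comment on the first added line states the intent but not the mechanism or the maintenance obligation: the `cluster:` prefix is presumably what lets these actions be matched by the cluster privilege pattern this commit also extends, and any authorization later added to the original handlers must cover these two registrations as well. I would replace that comment with `// Same handlers under cluster:-prefixed names so RCS 2.0 (API key) cross-cluster calls can be authorized by cluster privilege; no per-session check happens here (see TODO on EXCHANGE_ACTION_NAME), so keep both registrations in sync.` `registerTransportHandler` begins above the second hunk, so I cannot see whether the original registrations carry any additional options the new ones omit.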
