[PoC] Support ::failures selector and access to failure store with CCS #125448
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nt-using-selectors-for-ccs-ccr
…nt-using-selectors-for-ccs-ccr
slobodanadamovic
added
>non-issue
:Security/Security
| "read", | ||
| "read_cross_cluster", | ||
| "view_index_metadata", | ||
| "read_failure_store" }; |
There was a problem hiding this comment.
read_failure_store must be granted to cross-cluster API keys
| public static final IndexPrivilege READ_CROSS_CLUSTER = new IndexPrivilege( | ||
| "read_cross_cluster", | ||
| READ_CROSS_CLUSTER_AUTOMATON, | ||
| IndexComponentSelectorPredicate.ALL |
There was a problem hiding this comment.
This is the key part: making the read_cross_cluster authorize both data and failure selectors for cross cluster search.
There was a problem hiding this comment.
Pull Request Overview
This PR introduces proof-of-concept support for the ::failures selector and failure store access during cross-cluster search. It adds new Java REST tests for both RCS1 and RCS2, updates privilege definitions to recognize failure store access, and extends selector resolution tests.
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS2FailureStoreRestIT.java | Adds tests for failure store access with RCS2 using the ::failures selector. |
| x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1FailureStoreRestIT.java | Introduces tests for RCS1 scenarios including failure store permissions and access cases. |
| x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/AbstractRemoteClusterSecurityFailureStoreRestIT.java | Provides shared test functionality and setups for failure store based data streams and cluster configurations. |
| x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java | Updates privilege instantiation for READ_CROSS_CLUSTER and adjusts selector resolution logic to include ALL selector privileges. |
| x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.java | Removes explicit failure store privilege validation and relies on the updated privilege resolution. |
| x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/CrossClusterApiKeyRoleDescriptorBuilder.java | Expands indices privilege names to include read_failure_store for improved CCS API key role definitions. |
| server/src/test/java/org/elasticsearch/cluster/metadata/SelectorResolverTests.java | Extends tests to confirm proper resolution of the ::failures selector syntax. |
Comments suppressed due to low confidence (2)
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java:390
- Please verify that privileges with the selector 'ALL' are intentionally added to both failureSelectorAccessPrivileges and dataSelectorAccessPrivileges, as this change may affect the access control behavior.
else if (indexPrivilege.selectorPredicate == IndexComponentSelectorPredicate.ALL) {
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/CrossClusterApiKeyRoleDescriptorBuilder.java:33
- [nitpick] Double-check that all downstream consumers of CCS_INDICES_PRIVILEGE_NAMES properly support the newly added 'read_failure_store' privilege to ensure consistent behavior.
public static final String[] CCS_INDICES_PRIVILEGE_NAMES = { "read", "read_cross_cluster", "view_index_metadata", "read_failure_store" };
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.