POC support read_failures

docs/reference/rest-api/security/get-builtin-privileges.asciidoc

@@ -155,6 +155,7 @@ A successful call returns an object with "cluster", "index", and "remote_cluster
     "none",
     "read",
     "read_cross_cluster",
+    "read_failures",
     "view_index_metadata",
     "write"
   ],

server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstraction.java

@@ -100,6 +100,10 @@ default boolean isDataStreamRelated() {
         return false;
     }
 
+    default boolean isFailureIndexOfDataStream() {
+        return false;
+    }
+
     /**
      * An index abstraction type.
      */
@@ -193,6 +197,11 @@ public boolean isSystem() {
             return isSystem;
         }
 
+        @Override
+        public boolean isFailureIndexOfDataStream() {
+            return getParentDataStream() != null && getParentDataStream().isFailureStoreIndex(getName());
+        }
+
         @Override
         public boolean equals(Object o) {
             if (this == o) return true;

server/src/main/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolver.java

@@ -21,7 +21,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import java.util.function.Predicate;
+import java.util.function.BiPredicate;
 import java.util.function.Supplier;
 
 public class IndexAbstractionResolver {
@@ -37,7 +37,7 @@ public List<String> resolveIndexAbstractions(
         IndicesOptions indicesOptions,
         Metadata metadata,
         Supplier<Set<String>> allAuthorizedAndAvailable,
-        Predicate<String> isAuthorized,
+        BiPredicate<String, String> isAuthorized,
         boolean includeDataStreams
     ) {
         List<String> finalIndices = new ArrayList<>();
@@ -70,7 +70,8 @@ public List<String> resolveIndexAbstractions(
             if (indicesOptions.expandWildcardExpressions() && Regex.isSimpleMatchPattern(indexAbstraction)) {
                 wildcardSeen = true;
                 Set<String> resolvedIndices = new HashSet<>();
-                for (String authorizedIndex : allAuthorizedAndAvailable.get()) {
+                Set<String> authorizedIndices = allAuthorizedAndAvailable.get();
+                for (String authorizedIndex : authorizedIndices) {
                     if (Regex.simpleMatch(indexAbstraction, authorizedIndex)
                         && isIndexVisible(
                             indexAbstraction,
@@ -103,7 +104,7 @@ && isIndexVisible(
                 resolveSelectorsAndCombine(indexAbstraction, selectorString, indicesOptions, resolvedIndices, metadata);
                 if (minus) {
                     finalIndices.removeAll(resolvedIndices);
-                } else if (indicesOptions.ignoreUnavailable() == false || isAuthorized.test(indexAbstraction)) {
+                } else if (indicesOptions.ignoreUnavailable() == false || isAuthorized.test(indexAbstraction, selectorString)) {
                     // Unauthorized names are considered unavailable, so if `ignoreUnavailable` is `true` they should be silently
                     // discarded from the `finalIndices` list. Other "ways of unavailable" must be handled by the action
                     // handler, see: https://github.com/elastic/elasticsearch/issues/90215

server/src/test/java/org/elasticsearch/cluster/metadata/IndexAbstractionResolverTests.java

@@ -310,6 +310,13 @@ private List<String> resolveAbstractionsSelectorAllowed(List<String> expressions
     }
 
     private List<String> resolveAbstractions(List<String> expressions, IndicesOptions indicesOptions, Supplier<Set<String>> mask) {
-        return indexAbstractionResolver.resolveIndexAbstractions(expressions, indicesOptions, metadata, mask, (idx) -> true, true);
+        return indexAbstractionResolver.resolveIndexAbstractions(
+            expressions,
+            indicesOptions,
+            metadata,
+            mask,
+            (idx, selector) -> true,
+            true
+        );
     }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.java

@@ -295,7 +295,11 @@ interface AuthorizedIndices {
         /**
          * Checks if an index-like resource name is authorized, for an action by a user. The resource might or might not exist.
          */
-        boolean check(String name);
+        default boolean check(String name) {
+            return check(name, null);
+        }
+
+        boolean check(String name, String selector);
     }
 
     /**

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java

@@ -80,9 +80,10 @@ public Builder addGroup(
             FieldPermissions fieldPermissions,
             @Nullable Set<BytesReference> query,
             boolean allowRestrictedIndices,
+            IndexComponentSelector selector,
             String... indices
         ) {
-            groups.add(new Group(privilege, fieldPermissions, query, allowRestrictedIndices, restrictedIndices, indices));
+            groups.add(new Group(privilege, fieldPermissions, query, allowRestrictedIndices, restrictedIndices, selector, indices));
             return this;
         }
 
@@ -142,17 +143,37 @@ public boolean hasFieldOrDocumentLevelSecurity() {
     }
 
     private IsResourceAuthorizedPredicate buildIndexMatcherPredicateForAction(String action) {
-        final Set<String> ordinaryIndices = new HashSet<>();
-        final Set<String> restrictedIndices = new HashSet<>();
+        final Set<String> dataAccessOrdinaryIndices = new HashSet<>();
+        final Set<String> failureAccessOrdinaryIndices = new HashSet<>();
+        final Set<String> dataAccessRestrictedIndices = new HashSet<>();
+        final Set<String> failureAccessRestrictedIndices = new HashSet<>();
+
+        // TODO do we need to worry about failure access here?
         final Set<String> grantMappingUpdatesOnIndices = new HashSet<>();
         final Set<String> grantMappingUpdatesOnRestrictedIndices = new HashSet<>();
         final boolean isMappingUpdateAction = isMappingUpdateAction(action);
         for (final Group group : groups) {
             if (group.actionMatcher.test(action)) {
                 if (group.allowRestrictedIndices) {
-                    restrictedIndices.addAll(Arrays.asList(group.indices()));
+                    switch (group.selector) {
+                        case DATA -> dataAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                        case FAILURES -> failureAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                        case ALL_APPLICABLE -> {
+                            dataAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                            failureAccessRestrictedIndices.addAll(Arrays.asList(group.indices()));
+                        }
+                        default -> throw new IllegalStateException("unexpected selector [" + group.selector + "]");
+                    }
                 } else {
-                    ordinaryIndices.addAll(Arrays.asList(group.indices()));
+                    switch (group.selector) {
+                        case DATA -> dataAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                        case FAILURES -> failureAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                        case ALL_APPLICABLE -> {
+                            dataAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                            failureAccessOrdinaryIndices.addAll(Arrays.asList(group.indices()));
+                        }
+                        default -> throw new IllegalStateException("unexpected selector [" + group.selector + "]");
+                    }
                 }
             } else if (isMappingUpdateAction && containsPrivilegeThatGrantsMappingUpdatesForBwc(group)) {
                 // special BWC case for certain privileges: allow put mapping on indices and aliases (but not on data streams), even if
@@ -164,40 +185,55 @@ private IsResourceAuthorizedPredicate buildIndexMatcherPredicateForAction(String
                 }
             }
         }
-        final StringMatcher nameMatcher = indexMatcher(ordinaryIndices, restrictedIndices);
+        final StringMatcher dataAccessNameMatcher = indexMatcher(dataAccessOrdinaryIndices, dataAccessRestrictedIndices);
+        final StringMatcher failureAccessNameMatcher = indexMatcher(failureAccessOrdinaryIndices, failureAccessRestrictedIndices);
         final StringMatcher bwcSpecialCaseMatcher = indexMatcher(grantMappingUpdatesOnIndices, grantMappingUpdatesOnRestrictedIndices);
-        return new IsResourceAuthorizedPredicate(nameMatcher, bwcSpecialCaseMatcher);
+        return new IsResourceAuthorizedPredicate(dataAccessNameMatcher, failureAccessNameMatcher, bwcSpecialCaseMatcher);
     }
 
     /**
      * This encapsulates the authorization test for resources.
      * There is an additional test for resources that are missing or that are not a datastream or a backing index.
      */
-    public static class IsResourceAuthorizedPredicate implements BiPredicate<String, IndexAbstraction> {
+    public static class IsResourceAuthorizedPredicate {
 
         private final BiPredicate<String, IndexAbstraction> biPredicate;
+        private final BiPredicate<String, IndexAbstraction> failureAccessBiPredicate;
 
         // public for tests
-        public IsResourceAuthorizedPredicate(StringMatcher resourceNameMatcher, StringMatcher additionalNonDatastreamNameMatcher) {
+        public IsResourceAuthorizedPredicate(
+            StringMatcher resourceNameMatcher,
+            StringMatcher failureAccessNameMatcher,
+            StringMatcher additionalNonDatastreamNameMatcher
+        ) {
             this((String name, @Nullable IndexAbstraction indexAbstraction) -> {
                 assert indexAbstraction == null || name.equals(indexAbstraction.getName());
                 return resourceNameMatcher.test(name)
                     || (isPartOfDatastream(indexAbstraction) == false && additionalNonDatastreamNameMatcher.test(name));
+            }, (String name, @Nullable IndexAbstraction indexAbstraction) -> {
+                assert indexAbstraction == null || name.equals(indexAbstraction.getName());
+                return failureAccessNameMatcher.test(name);
             });
         }
 
-        private IsResourceAuthorizedPredicate(BiPredicate<String, IndexAbstraction> biPredicate) {
+        private IsResourceAuthorizedPredicate(
+            BiPredicate<String, IndexAbstraction> biPredicate,
+            BiPredicate<String, IndexAbstraction> failureAccessBiPredicate
+        ) {
             this.biPredicate = biPredicate;
+            this.failureAccessBiPredicate = failureAccessBiPredicate;
         }
 
         /**
         * Given another {@link IsResourceAuthorizedPredicate} instance in {@param other},
         * return a new {@link IsResourceAuthorizedPredicate} instance that is equivalent to the conjunction of
         * authorization tests of that other instance and this one.
         */
-        @Override
-        public final IsResourceAuthorizedPredicate and(BiPredicate<? super String, ? super IndexAbstraction> other) {
-            return new IsResourceAuthorizedPredicate(this.biPredicate.and(other));
+        public final IsResourceAuthorizedPredicate and(IsResourceAuthorizedPredicate other) {
+            return new IsResourceAuthorizedPredicate(
+                this.biPredicate.and(other.biPredicate),
+                this.failureAccessBiPredicate.and(other.failureAccessBiPredicate)
+            );
         }
 
         /**
@@ -206,7 +242,11 @@ public final IsResourceAuthorizedPredicate and(BiPredicate<? super String, ? sup
          * Returns {@code true} if access to the given resource is authorized or {@code false} otherwise.
          */
         public final boolean test(IndexAbstraction indexAbstraction) {
-            return test(indexAbstraction.getName(), indexAbstraction);
+            return test(indexAbstraction.getName(), indexAbstraction, null);
+        }
+
+        public final boolean test(IndexAbstraction indexAbstraction, @Nullable String selector) {
+            return test(indexAbstraction.getName(), indexAbstraction, selector);
         }
 
         /**
@@ -215,9 +255,19 @@ public final boolean test(IndexAbstraction indexAbstraction) {
          * if it doesn't.
          * Returns {@code true} if access to the given resource is authorized or {@code false} otherwise.
          */
-        @Override
         public boolean test(String name, @Nullable IndexAbstraction indexAbstraction) {
-            return biPredicate.test(name, indexAbstraction);
+            return test(name, indexAbstraction, null);
+        }
+
+        public boolean test(String name, @Nullable IndexAbstraction indexAbstraction, @Nullable String selector) {
+            if (selector == null || IndexComponentSelector.DATA.getKey().equals(selector)) {
+                return biPredicate.test(name, indexAbstraction);
+            } else if (IndexComponentSelector.FAILURES.getKey().equals(selector)) {
+                return failureAccessBiPredicate.test(name, indexAbstraction);
+            } else {
+                assert selector.equals(IndexComponentSelector.ALL_APPLICABLE.getKey()) : "unexpected selector [" + selector + "]";
+                return biPredicate.test(name, indexAbstraction) && failureAccessBiPredicate.test(name, indexAbstraction);
+            }
         }
 
         private static boolean isPartOfDatastream(IndexAbstraction indexAbstraction) {
@@ -246,13 +296,15 @@ public boolean checkResourcePrivileges(
         Set<String> checkForIndexPatterns,
         boolean allowRestrictedIndices,
         Set<String> checkForPrivileges,
+        @Nullable IndexComponentSelector selector,
         @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder
     ) {
         return checkResourcePrivileges(
             checkForIndexPatterns,
             allowRestrictedIndices,
             checkForPrivileges,
             false,
+            selector,
             resourcePrivilegesMapBuilder
         );
     }
@@ -276,11 +328,13 @@ public boolean checkResourcePrivileges(
         boolean allowRestrictedIndices,
         Set<String> checkForPrivileges,
         boolean combineIndexGroups,
+        @Nullable IndexComponentSelector selector,
         @Nullable ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder
     ) {
         boolean allMatch = true;
         Map<Automaton, Automaton> indexGroupAutomatons = indexGroupAutomatons(
-            combineIndexGroups && checkForIndexPatterns.stream().anyMatch(Automatons::isLuceneRegex)
+            combineIndexGroups && checkForIndexPatterns.stream().anyMatch(Automatons::isLuceneRegex),
+            selector
         );
         for (String forIndexPattern : checkForIndexPatterns) {
             Automaton checkIndexAutomaton = Automatons.patterns(forIndexPattern);
@@ -340,7 +394,8 @@ public boolean checkResourcePrivileges(
     public Automaton allowedActionsMatcher(String index) {
         List<Automaton> automatonList = new ArrayList<>();
         for (Group group : groups) {
-            if (group.indexNameMatcher.test(index)) {
+            // TODO failure store?
+            if (group.checkIndex(index) && group.checkSelector(null)) {
                 automatonList.add(group.privilege.getAutomaton());
             }
         }
@@ -412,10 +467,15 @@ public boolean checkIndex(Group group) {
             final DataStream ds = indexAbstraction == null ? null : indexAbstraction.getParentDataStream();
             if (ds != null) {
                 if (group.checkIndex(ds.getName())) {
-                    return true;
+                    final IndexComponentSelector selectorToCheck = indexAbstraction.isFailureIndexOfDataStream()
+                        ? IndexComponentSelector.FAILURES
+                        : selector;
+                    if (group.checkSelector(selectorToCheck)) {
+                        return true;
+                    }
                 }
             }
-            return group.checkIndex(name);
+            return group.checkIndex(name) && group.checkSelector(selector);
         }
 
         /**
@@ -754,10 +814,13 @@ private static boolean containsPrivilegeThatGrantsMappingUpdatesForBwc(Group gro
      *
      * @return a map of all index and privilege pattern automatons
      */
-    private Map<Automaton, Automaton> indexGroupAutomatons(boolean combine) {
+    private Map<Automaton, Automaton> indexGroupAutomatons(boolean combine, @Nullable IndexComponentSelector selector) {
         // Map of privilege automaton object references (cached by IndexPrivilege::CACHE)
         Map<Automaton, Automaton> allAutomatons = new HashMap<>();
         for (Group group : groups) {
+            if (false == group.checkSelector(selector)) {
+                continue;
+            }
             Automaton indexAutomaton = group.getIndexMatcherAutomaton();
             allAutomatons.compute(
                 group.privilege().getAutomaton(),
@@ -803,13 +866,15 @@ public static class Group {
         // users. Setting this flag true eliminates the special status for the purpose of this permission - restricted indices still have
         // to be covered by the "indices"
         private final boolean allowRestrictedIndices;
+        public final IndexComponentSelector selector;
 
         public Group(
             IndexPrivilege privilege,
             FieldPermissions fieldPermissions,
             @Nullable Set<BytesReference> query,
             boolean allowRestrictedIndices,
             RestrictedIndices restrictedIndices,
+            IndexComponentSelector selector,
             String... indices
         ) {
             assert indices.length != 0;
@@ -830,6 +895,7 @@ public Group(
             }
             this.fieldPermissions = Objects.requireNonNull(fieldPermissions);
             this.query = query;
+            this.selector = selector;
         }
 
         public IndexPrivilege privilege() {
@@ -858,6 +924,15 @@ private boolean checkIndex(String index) {
             return indexNameMatcher.test(index);
         }
 
+        private boolean checkSelector(@Nullable IndexComponentSelector selectorToCheck) {
+            if (this.selector == IndexComponentSelector.ALL_APPLICABLE) {
+                return true;
+            }
+            boolean includeData = selectorToCheck == null || selectorToCheck.shouldIncludeData();
+            boolean includeFailures = selectorToCheck != null && selectorToCheck.shouldIncludeFailures();
+            return includeData == this.selector.shouldIncludeData() && includeFailures == this.selector.shouldIncludeFailures();
+        }
+
         boolean hasQuery() {
             return query != null;
         }
@@ -871,6 +946,7 @@ public Automaton getIndexMatcherAutomaton() {
         }
 
         boolean isTotal() {
+            // TODO add selector?
             return allowRestrictedIndices
                 && indexNameMatcher.isTotal()
                 && privilege == IndexPrivilege.ALL
@@ -880,6 +956,7 @@ boolean isTotal() {
 
         @Override
         public String toString() {
+            // TODO add selector?
             return "Group{"
                 + "privilege="
                 + privilege