Add refresh .security index call between security migrations (#114879)

* Add refresh .security index call between security migrations

Author: jfreden

docs/changelog/114879.yaml

@@ -0,0 +1,5 @@
+pr: 114879
+summary: Add refresh `.security` index call between security migrations
+area: Security
+type: enhancement
+issues: []

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityMigrationExecutor.java

@@ -10,6 +10,8 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.admin.indices.refresh.RefreshAction;
+import org.elasticsearch.action.admin.indices.refresh.RefreshRequest;
 import org.elasticsearch.action.support.ThreadedActionListener;
 import org.elasticsearch.client.internal.Client;
 import org.elasticsearch.core.TimeValue;
@@ -20,10 +22,14 @@
 import org.elasticsearch.xpack.core.security.action.UpdateIndexMigrationVersionAction;
 import org.elasticsearch.xpack.core.security.support.SecurityMigrationTaskParams;
 
+import java.util.Arrays;
 import java.util.Map;
 import java.util.TreeMap;
 import java.util.concurrent.Executor;
 
+import static org.elasticsearch.xpack.core.ClientHelper.SECURITY_ORIGIN;
+import static org.elasticsearch.xpack.core.ClientHelper.executeAsyncWithOrigin;
+
 public class SecurityMigrationExecutor extends PersistentTasksExecutor<SecurityMigrationTaskParams> {
 
     private static final Logger logger = LogManager.getLogger(SecurityMigrationExecutor.class);
@@ -55,20 +61,29 @@ protected void nodeOperation(AllocatedPersistentTask task, SecurityMigrationTask
             updateMigrationVersion(
                 params.getMigrationVersion(),
                 securityIndexManager.getConcreteIndexName(),
-                ActionListener.wrap(response -> {
+                listener.delegateFailureAndWrap((l, response) -> {
                     logger.info("Security migration not needed. Setting current version to: [" + params.getMigrationVersion() + "]");
-                    listener.onResponse(response);
-                }, listener::onFailure)
+                    l.onResponse(response);
+                })
             );
             return;
         }
 
-        applyOutstandingMigrations(task, params.getMigrationVersion(), listener);
+        refreshSecurityIndex(
+            new ThreadedActionListener<>(
+                this.getExecutor(),
+                listener.delegateFailureIgnoreResponseAndWrap(l -> applyOutstandingMigrations(task, params.getMigrationVersion(), l))
+            )
+        );
     }
 
-    private void applyOutstandingMigrations(AllocatedPersistentTask task, int currentMigrationVersion, ActionListener<Void> listener) {
+    private void applyOutstandingMigrations(
+        AllocatedPersistentTask task,
+        int currentMigrationVersion,
+        ActionListener<Void> migrationsListener
+    ) {
         if (task.isCancelled()) {
-            listener.onFailure(new TaskCancelledException("Security migration task cancelled"));
+            migrationsListener.onFailure(new TaskCancelledException("Security migration task cancelled"));
             return;
         }
         Map.Entry<Integer, SecurityMigrations.SecurityMigration> migrationEntry = migrationByVersion.higherEntry(currentMigrationVersion);
@@ -79,34 +94,56 @@ private void applyOutstandingMigrations(AllocatedPersistentTask task, int curren
                 .migrate(
                     securityIndexManager,
                     client,
-                    ActionListener.wrap(
-                        response -> updateMigrationVersion(
+                    migrationsListener.delegateFailureIgnoreResponseAndWrap(
+                        updateVersionListener -> updateMigrationVersion(
                             migrationEntry.getKey(),
                             securityIndexManager.getConcreteIndexName(),
                             new ThreadedActionListener<>(
                                 this.getExecutor(),
-                                ActionListener.wrap(
-                                    updateResponse -> applyOutstandingMigrations(task, migrationEntry.getKey(), listener),
-                                    listener::onFailure
-                                )
+                                updateVersionListener.delegateFailureIgnoreResponseAndWrap(refreshListener -> {
+                                    refreshSecurityIndex(
+                                        new ThreadedActionListener<>(
+                                            this.getExecutor(),
+                                            refreshListener.delegateFailureIgnoreResponseAndWrap(
+                                                l -> applyOutstandingMigrations(task, migrationEntry.getKey(), l)
+                                            )
+                                        )
+                                    );
+                                })
                             )
-                        ),
-                        listener::onFailure
+                        )
                     )
                 );
         } else {
             logger.info("Security migrations applied until version: [" + currentMigrationVersion + "]");
-            listener.onResponse(null);
+            migrationsListener.onResponse(null);
         }
     }
 
+    /**
+     * Refresh security index to make sure that docs that were migrated are visible to the next migration and to prevent version conflicts
+     * or unexpected behaviour by APIs relying on migrated docs.
+     */
+    private void refreshSecurityIndex(ActionListener<Void> listener) {
+        RefreshRequest refreshRequest = new RefreshRequest(securityIndexManager.getConcreteIndexName());
+        executeAsyncWithOrigin(client, SECURITY_ORIGIN, RefreshAction.INSTANCE, refreshRequest, ActionListener.wrap(response -> {
+            if (response.getFailedShards() != 0) {
+                // Log a warning but do not stop migration, since this is not a critical operation
+                logger.warn("Failed to refresh security index during security migration {}", Arrays.toString(response.getShardFailures()));
+            }
+            listener.onResponse(null);
+        }, exception -> {
+            // Log a warning but do not stop migration, since this is not a critical operation
+            logger.warn("Failed to refresh security index during security migration", exception);
+            listener.onResponse(null);
+        }));
+    }
+
     private void updateMigrationVersion(int migrationVersion, String indexName, ActionListener<Void> listener) {
         client.execute(
             UpdateIndexMigrationVersionAction.INSTANCE,
             new UpdateIndexMigrationVersionAction.Request(TimeValue.MAX_VALUE, migrationVersion, indexName),
-            ActionListener.wrap((response) -> {
-                listener.onResponse(null);
-            }, listener::onFailure)
+            listener.delegateFailureIgnoreResponseAndWrap(l -> l.onResponse(null))
         );
     }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityMigrationExecutorTests.java

@@ -10,6 +10,8 @@
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.action.ActionType;
+import org.elasticsearch.action.admin.indices.refresh.RefreshRequest;
+import org.elasticsearch.action.support.broadcast.BroadcastResponse;
 import org.elasticsearch.client.internal.Client;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
@@ -20,10 +22,12 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.client.NoOpClient;
 import org.elasticsearch.threadpool.ThreadPool;
+import org.elasticsearch.xpack.core.security.action.UpdateIndexMigrationVersionAction;
 import org.elasticsearch.xpack.core.security.action.UpdateIndexMigrationVersionResponse;
 import org.elasticsearch.xpack.core.security.support.SecurityMigrationTaskParams;
 import org.junit.Before;
 
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeMap;
@@ -40,8 +44,11 @@ public class SecurityMigrationExecutorTests extends ESTestCase {
     private SecurityIndexManager securityIndexManager;
 
     private int updateIndexMigrationVersionActionInvocations;
+    private int refreshActionInvocations;
 
-    private boolean clientShouldThrowException = false;
+    private boolean updateVersionShouldThrowException = false;
+
+    private boolean refreshIndexShouldThrowException = false;
 
     private AllocatedPersistentTask mockTask = mock(AllocatedPersistentTask.class);
 
@@ -51,6 +58,7 @@ public void setUpMocks() {
         when(threadPool.getThreadContext()).thenReturn(new ThreadContext(Settings.EMPTY));
         when(threadPool.generic()).thenReturn(EsExecutors.DIRECT_EXECUTOR_SERVICE);
         updateIndexMigrationVersionActionInvocations = 0;
+        refreshActionInvocations = 0;
         client = new NoOpClient(threadPool) {
             @Override
             @SuppressWarnings("unchecked")
@@ -59,12 +67,27 @@ protected <Request extends ActionRequest, Response extends ActionResponse> void
                 Request request,
                 ActionListener<Response> listener
             ) {
-                if (clientShouldThrowException) {
-                    listener.onFailure(new IllegalStateException("Bad client"));
-                    return;
+                if (request instanceof RefreshRequest) {
+                    if (refreshIndexShouldThrowException) {
+                        if (randomBoolean()) {
+                            listener.onFailure(new IllegalStateException("Refresh index failed"));
+                        } else {
+                            listener.onResponse((Response) new BroadcastResponse(1, 0, 1, List.of()));
+                        }
+                    } else {
+                        refreshActionInvocations++;
+                        listener.onResponse((Response) new BroadcastResponse(1, 1, 0, List.of()));
+                    }
+                } else if (request instanceof UpdateIndexMigrationVersionAction.Request) {
+                    if (updateVersionShouldThrowException) {
+                        listener.onFailure(new IllegalStateException("Update version failed"));
+                    } else {
+                        updateIndexMigrationVersionActionInvocations++;
+                        listener.onResponse((Response) new UpdateIndexMigrationVersionResponse());
+                    }
+                } else {
+                    fail("Unexpected client request");
                 }
-                updateIndexMigrationVersionActionInvocations++;
-                listener.onResponse((Response) new UpdateIndexMigrationVersionResponse());
 
             }
         };
@@ -85,6 +108,7 @@ public void testSuccessfulMigration() {
         verify(mockTask, times(1)).markAsCompleted();
         verify(mockTask, times(0)).markAsFailed(any());
         assertEquals(2, updateIndexMigrationVersionActionInvocations);
+        assertEquals(3, refreshActionInvocations);
         assertEquals(2, migrateInvocations[0]);
     }
 
@@ -111,6 +135,7 @@ public void testNoMigrationMeetsRequirements() {
         verify(mockTask, times(1)).markAsCompleted();
         verify(mockTask, times(0)).markAsFailed(any());
         assertEquals(0, updateIndexMigrationVersionActionInvocations);
+        assertEquals(1, refreshActionInvocations);
         assertEquals(0, migrateInvocationsCounter[0]);
     }
 
@@ -140,6 +165,7 @@ public void testPartialMigration() {
         securityMigrationExecutor.nodeOperation(mockTask, new SecurityMigrationTaskParams(0, true), mock(PersistentTaskState.class));
         verify(mockTask, times(1)).markAsCompleted();
         verify(mockTask, times(0)).markAsFailed(any());
+        assertEquals(3, refreshActionInvocations);
         assertEquals(2, updateIndexMigrationVersionActionInvocations);
         assertEquals(2, migrateInvocations[0]);
     }
@@ -158,6 +184,7 @@ public void testNoMigrationNeeded() {
         verify(mockTask, times(1)).markAsCompleted();
         verify(mockTask, times(0)).markAsFailed(any());
         assertEquals(0, updateIndexMigrationVersionActionInvocations);
+        assertEquals(1, refreshActionInvocations);
         assertEquals(0, migrateInvocations[0]);
     }
 
@@ -186,14 +213,13 @@ public int minMappingVersion() {
             }))
         );
 
-        assertThrows(
-            IllegalStateException.class,
-            () -> securityMigrationExecutor.nodeOperation(
+        securityMigrationExecutor.nodeOperation(
                 mockTask,
                 new SecurityMigrationTaskParams(0, true),
                 mock(PersistentTaskState.class)
-            )
-        );
+            );
+        verify(mockTask, times(1)).markAsFailed(any());
+        verify(mockTask, times(0)).markAsCompleted();
     }
 
     public void testUpdateMigrationVersionThrowsException() {
@@ -205,12 +231,27 @@ public void testUpdateMigrationVersionThrowsException() {
             client,
             new TreeMap<>(Map.of(1, generateMigration(migrateInvocations, true), 2, generateMigration(migrateInvocations, true)))
         );
-        clientShouldThrowException = true;
+        updateVersionShouldThrowException = true;
         securityMigrationExecutor.nodeOperation(mockTask, new SecurityMigrationTaskParams(0, true), mock(PersistentTaskState.class));
         verify(mockTask, times(1)).markAsFailed(any());
         verify(mockTask, times(0)).markAsCompleted();
     }
 
+    public void testRefreshSecurityIndexThrowsException() {
+        final int[] migrateInvocations = new int[1];
+        SecurityMigrationExecutor securityMigrationExecutor = new SecurityMigrationExecutor(
+            "test-task",
+            threadPool.generic(),
+            securityIndexManager,
+            client,
+            new TreeMap<>(Map.of(1, generateMigration(migrateInvocations, true), 2, generateMigration(migrateInvocations, true)))
+        );
+        refreshIndexShouldThrowException = true;
+        securityMigrationExecutor.nodeOperation(mockTask, new SecurityMigrationTaskParams(0, true), mock(PersistentTaskState.class));
+        verify(mockTask, times(0)).markAsFailed(any());
+        verify(mockTask, times(1)).markAsCompleted();
+    }
+
     private SecurityMigrations.SecurityMigration generateMigration(int[] migrateInvocationsCounter, boolean isEligible) {
         SecurityMigrations.SecurityMigration migration = new SecurityMigrations.SecurityMigration() {
             @Override