[Transform] Skip remote clusters when performing up front privileges validation (#91788)

Author: przemekwitek

docs/changelog/91788.yaml

@@ -0,0 +1,5 @@
+pr: 91788
+summary: Skip remote clusters when performing up front privileges validation
+area: Transform
+type: bug
+issues: []

x-pack/plugin/transform/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/multi_cluster/80_transform.yml

@@ -26,7 +26,6 @@ setup:
   - do:
       security.put_role:
         name: "x_cluster_role"
-        # gh#72715: the my_remote_cluster privileges should not be needed
         body:  >
           {
             "cluster": [],
@@ -38,10 +37,6 @@ setup:
               {
                 "names": ["simple-remote-transform*", "simple-local-remote-transform", "same-index-local-and-remote-transform"],
                 "privileges": ["create_index", "index", "read"]
-              },
-              {
-                "names": ["my_remote_cluster:remote_test_i*", "my_remote_cluster:aliased_test_index", "my_remote_cluster:same_index_local_and_remote"],
-                "privileges": ["read", "view_index_metadata"]
               }
             ]
           }
@@ -156,7 +151,7 @@ teardown:
         transform_id: "simple-remote-transform"
 
   - do:
-      catch: /Cannot preview transform \[simple-remote-transform\] because user bob lacks the required permissions \[my_remote_cluster:remote_test_index\*:\[read, view_index_metadata\], simple-remote-transform:\[\]\]/
+      catch: /Source indices have been deleted or closed./
       headers: { Authorization: "Basic Ym9iOnRyYW5zZm9ybS1wYXNzd29yZA==" }  # This is bob
       transform.preview_transform:
         transform_id: "simple-remote-transform"
@@ -311,14 +306,13 @@ teardown:
 ---
 "Batch transform from remote cluster when the user is not authorized":
   - do:
-      catch: /Cannot create transform \[simple-remote-transform\] because user bob lacks the required permissions \[my_remote_cluster:remote_test_index:\[read, view_index_metadata\], simple-remote-transform:\[\]\]/
       headers: { Authorization: "Basic Ym9iOnRyYW5zZm9ybS1wYXNzd29yZA==" }  # This is bob
       transform.put_transform:
-        transform_id: "simple-remote-transform"
+        transform_id: "simple-remote-transform-3"
         body: >
           {
             "source": { "index": "my_remote_cluster:remote_test_index" },
-            "dest": { "index": "simple-remote-transform" },
+            "dest": { "index": "simple-remote-transform-3" },
             "pivot": {
               "group_by": { "user": {"terms": {"field": "user"}}},
               "aggs": { "avg_stars": {"avg": {"field": "stars"}}}
@@ -342,7 +336,6 @@ teardown:
           }
   - match: { acknowledged: true }
   - do:
-      catch: /Cannot update transform \[simple-remote-transform-2\] because user bob lacks the required permissions \[my_remote_cluster:remote_test_index:\[read, view_index_metadata\], simple-remote-transform-2:\[\]\]/
       headers: { Authorization: "Basic Ym9iOnRyYW5zZm9ybS1wYXNzd29yZA==" }  # This is bob
       transform.update_transform:
         transform_id: "simple-remote-transform-2"
@@ -355,7 +348,7 @@ teardown:
 ---
 "Batch transform preview from remote cluster when the user is not authorized":
   - do:
-      catch: /Cannot preview transform \[transform-preview\] because user bob lacks the required permissions \[my_remote_cluster:remote_test_index:\[read, view_index_metadata\], simple-remote-transform-2:\[\]\]/
+      catch: /Source indices have been deleted or closed./
       headers: { Authorization: "Basic Ym9iOnRyYW5zZm9ybS1wYXNzd29yZA==" }  # This is bob
       transform.preview_transform:
         body: >
@@ -368,7 +361,7 @@ teardown:
             }
           }
   - do:
-      catch: /Cannot preview transform \[transform-preview\] because user bob lacks the required permissions \[my_remote_cluster:test_index:\[read, view_index_metadata\]\]/
+      catch: /Source indices have been deleted or closed./
       headers: { Authorization: "Basic Ym9iOnRyYW5zZm9ybS1wYXNzd29yZA==" }  # This is bob
       transform.preview_transform:
         body: >

x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/action/TransformPrivilegeChecker.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.license.RemoteClusterLicenseChecker;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
@@ -23,9 +24,11 @@
 import org.elasticsearch.xpack.core.transform.transforms.TransformConfig;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 
+import static java.util.function.Predicate.not;
 import static java.util.stream.Collectors.joining;
 import static java.util.stream.Collectors.toList;
 import static org.elasticsearch.xpack.transform.utils.SecondaryAuthorizationUtils.useSecondaryAuthIfAvailable;
@@ -60,7 +63,11 @@ static void checkPrivileges(
                 username,
                 checkDestIndexPrivileges
             );
-            client.execute(HasPrivilegesAction.INSTANCE, hasPrivilegesRequest, hasPrivilegesResponseListener);
+            if (hasPrivilegesRequest.indexPrivileges().length == 0) {
+                listener.onResponse(null);
+            } else {
+                client.execute(HasPrivilegesAction.INSTANCE, hasPrivilegesRequest, hasPrivilegesResponseListener);
+            }
         });
     }
 
@@ -73,13 +80,19 @@ private static HasPrivilegesRequest buildPrivilegesRequest(
     ) {
         List<RoleDescriptor.IndicesPrivileges> indicesPrivileges = new ArrayList<>(2);
 
-        RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
-            .indices(config.getSource().getIndex())
-            // We need to read the source indices mapping to deduce the destination mapping, hence the need for view_index_metadata
-            .privileges("read", "view_index_metadata")
-            .build();
-        indicesPrivileges.add(sourceIndexPrivileges);
+        // TODO: Remove this filter once https://github.com/elastic/elasticsearch/issues/67798 is fixed.
+        String[] sourceIndex = Arrays.stream(config.getSource().getIndex())
+            .filter(not(RemoteClusterLicenseChecker::isRemoteIndex))
+            .toArray(String[]::new);
 
+        if (sourceIndex.length > 0) {
+            RoleDescriptor.IndicesPrivileges sourceIndexPrivileges = RoleDescriptor.IndicesPrivileges.builder()
+                .indices(sourceIndex)
+                // We need to read the source indices mapping to deduce the destination mapping, hence the need for view_index_metadata
+                .privileges("read", "view_index_metadata")
+                .build();
+            indicesPrivileges.add(sourceIndexPrivileges);
+        }
         if (checkDestIndexPrivileges) {
             final String destIndex = config.getDestination().getIndex();
             final String[] concreteDest = indexNameExpressionResolver.concreteIndexNames(

x-pack/plugin/transform/src/test/java/org/elasticsearch/xpack/transform/action/TransformPrivilegeCheckerTests.java

@@ -45,6 +45,7 @@
 import static org.hamcrest.Matchers.emptyArray;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.nullValue;
 
 public class TransformPrivilegeCheckerTests extends ESTestCase {
 
@@ -61,6 +62,7 @@ public class TransformPrivilegeCheckerTests extends ESTestCase {
         .addPrivilege("view_index_metadata", true)
         .addPrivilege("read", false)
         .build();
+    private static final String REMOTE_SOURCE_INDEX_NAME = "some-remote-cluster:some-remote-source-index";
     private static final String DEST_INDEX_NAME = "some-dest-index";
     private static final ResourcePrivileges DEST_INDEX_NAME_PRIVILEGES = ResourcePrivileges.builder(DEST_INDEX_NAME)
         .addPrivilege("index", true)
@@ -103,27 +105,48 @@ public void tearDownClient() {
     }
 
     public void testCheckPrivileges_NoCheckDestIndexPrivileges() {
+        TransformConfig config = new TransformConfig.Builder(TRANSFORM_CONFIG).setSource(
+            new SourceConfig(SOURCE_INDEX_NAME, REMOTE_SOURCE_INDEX_NAME)
+        ).build();
         TransformPrivilegeChecker.checkPrivileges(
             OPERATION_NAME,
             securityContext,
             indexNameExpressionResolver,
             ClusterState.EMPTY_STATE,
             client,
-            TRANSFORM_CONFIG,
+            config,
             false,
             ActionListener.wrap(aVoid -> {
                 HasPrivilegesRequest request = client.lastHasPrivilegesRequest;
                 assertThat(request.username(), is(equalTo(USER_NAME)));
                 assertThat(request.applicationPrivileges(), is(emptyArray()));
                 assertThat(request.clusterPrivileges(), is(emptyArray()));
-                assertThat(request.indexPrivileges(), is(arrayWithSize(1)));
+                assertThat(request.indexPrivileges(), is(arrayWithSize(1)));  // remote index is filtered out
                 RoleDescriptor.IndicesPrivileges sourceIndicesPrivileges = request.indexPrivileges()[0];
                 assertThat(sourceIndicesPrivileges.getIndices(), is(arrayContaining(SOURCE_INDEX_NAME)));
                 assertThat(sourceIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "view_index_metadata")));
             }, e -> fail(e.getMessage()))
         );
     }
 
+    public void testCheckPrivileges_NoLocalIndices_NoCheckDestIndexPrivileges() {
+        TransformConfig config = new TransformConfig.Builder(TRANSFORM_CONFIG).setSource(new SourceConfig(REMOTE_SOURCE_INDEX_NAME))
+            .build();
+        TransformPrivilegeChecker.checkPrivileges(
+            OPERATION_NAME,
+            securityContext,
+            indexNameExpressionResolver,
+            ClusterState.EMPTY_STATE,
+            client,
+            config,
+            false,
+            ActionListener.wrap(aVoid -> {
+                // _has_privileges API is not called for the remote index
+                assertThat(client.lastHasPrivilegesRequest, is(nullValue()));
+            }, e -> fail(e.getMessage()))
+        );
+    }
+
     public void testCheckPrivileges_CheckDestIndexPrivileges_DestIndexDoesNotExist() {
         TransformPrivilegeChecker.checkPrivileges(
             OPERATION_NAME,
@@ -180,6 +203,36 @@ public void testCheckPrivileges_CheckDestIndexPrivileges_DestIndexExists() {
         );
     }
 
+    public void testCheckPrivileges_NoLocalIndices_CheckDestIndexPrivileges_DestIndexExists() {
+        ClusterState clusterState = ClusterState.builder(ClusterName.DEFAULT)
+            .metadata(
+                Metadata.builder()
+                    .put(IndexMetadata.builder(DEST_INDEX_NAME).settings(settings(Version.CURRENT)).numberOfShards(1).numberOfReplicas(0))
+            )
+            .build();
+        TransformConfig config = new TransformConfig.Builder(TRANSFORM_CONFIG).setSource(new SourceConfig(REMOTE_SOURCE_INDEX_NAME))
+            .build();
+        TransformPrivilegeChecker.checkPrivileges(
+            OPERATION_NAME,
+            securityContext,
+            indexNameExpressionResolver,
+            clusterState,
+            client,
+            config,
+            true,
+            ActionListener.wrap(aVoid -> {
+                HasPrivilegesRequest request = client.lastHasPrivilegesRequest;
+                assertThat(request.username(), is(equalTo(USER_NAME)));
+                assertThat(request.applicationPrivileges(), is(emptyArray()));
+                assertThat(request.clusterPrivileges(), is(emptyArray()));
+                assertThat(request.indexPrivileges(), is(arrayWithSize(1)));
+                RoleDescriptor.IndicesPrivileges destIndicesPrivileges = request.indexPrivileges()[0];
+                assertThat(destIndicesPrivileges.getIndices(), is(arrayContaining(DEST_INDEX_NAME)));
+                assertThat(destIndicesPrivileges.getPrivileges(), is(arrayContaining("read", "index")));
+            }, e -> fail(e.getMessage()))
+        );
+    }
+
     public void testCheckPrivileges_CheckDestIndexPrivileges_DestIndexExistsWithRetentionPolicy() {
         ClusterState clusterState = ClusterState.builder(ClusterName.DEFAULT)
             .metadata(