ES-12295 [S2D30] Painless/execute in CPS requires qualified index expression

[alexey-ivanov-es]

This change add support for cross-project requests to Painless/execute endpoint.

The painless/execute API is unique in that it works cross-cluster but it only allows you to query one index at a time.
In contrast to other CPS-enabled endpoints all expressions should be interpreted as "canonical" like GET _settings or GET _mappings, but also "happens" to allow to specify a remote. So logs means _origin:logs. Origin project alias is also allowed, so if the origin project has the alias p1 p1:logs also means _origin:logs.

Endpoint does not support project routing.

Implementation details:
PainlessExecuteAction.Request implements IndicesRequest.SingleIndexNoWildcards (the only such request) which handled by a branch in IndicesAndAliasesResolver parallel to one handling IndicesRequest.Replaceble. In CPS, this branch resolves the index expression in the request against the authorized projects. If the expression resolves to a local index, the request is marked as local, so even if it has clusterAlias, it won't be sent to a remote cluster when executed.

[elasticsearchmachine]

Pinging @elastic/es-core-infra (Team:Core/Infra)

[alexey-ivanov-es]

Do we have any canonical way to set IndicesOptions.resolveCrossProjectIndexExpression to false for child requests?

[quux00]

maybe org.elasticsearch.search.crossproject.CrossProjectIndexResolutionValidator.indicesOptionsForCrossProjectFanout ?

I've just started to read your PR, so not sure that's the right method for your scenario, but maybe start there?

[quux00]

Didn't finish reviewing yet. I'll pick it up again Monday, but sending a few initial comments/questions for now.

[quux00]

Where do you handle _origin:myindex? Will it ("_origin") have been stripped off before this is called? Otherwise RemoteClusterAware.isRemoteIndexName("_origin:myindex) would return true right?

[alexey-ivanov-es]

The flow is:

1. In IndicesAndAliasesResolver, we check if the request is SingleIndexNoWildcards and indicesOptions().resolveCrossProjectIndexExpression()
2. We detect if the index expression is local (no cluster prefix or has _origin or has origin alias prefix)
3. If local, we call setLocal(true) which strips off the cluster alias from the index in the request

So the cluster alias stripping happens during the security action filter call. This differs from my original approach, but I think it's the best way since we have the origin alias available there but not when execute is called on the transport action.

[ywangd]

I have a few comments.

Also, ContextSetup is a bit odd in that it parses remote index synatx on its own and keeps them separately in clusterAlias and index fields. Then it still exposes the original expression via SingleShardRequest#index by combing them again. Is it really necessary? I think it is mainly responsible for the different methods of index, setIndex and setLocal that do almost the same thing. Can we look into simplify them?

[ywangd]

Can we tigthen this method so that it is obviously only a single index is supported?

1. Instead String[] indices, can we have String index as the parameter?
2. Do we really need groupProjectIndices? I think RemoteClusterAware#splitIndexName should do that job since there is only one index?

[ywangd]

The API does not support wildcard in remote cluster/project name (doc). The current implementation throws NoSuchRemoteClusterException when it tries to get remote client. I think we can consider erroring out earlier here. It is rather odd that we resolve an expression such as *:index to all remote clusters/projects which seems both incorrect and unnecessary.

[alexey-ivanov-es]

This is already checked in this method:

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java

Line 230 in bb327cf

if (split.getLocal().isEmpty() && split.getRemote().isEmpty()) {

[alexey-ivanov-es]

Can we tigthen this method so that it is obviously only a single index is supported?
Instead String[] indices, can we have String index as the parameter?
Do we really need groupProjectIndices? I think RemoteClusterAware#splitIndexName should do that job since there is only one index?

I wanted to keep CPS and CCS consistent, so I used the same approach we use in CCS but with a different set of cluster aliases.

I believe, we use RemoteClusterAware.groupClusterIndices because it supports cluster exclusion expressions. The original intention was probably to allow SingleIndexNoWildcards requests with complex index expressions that resolve to a single index.

However, Painless/execute only supports one index expression, and it's currently the only request implementing SingleIndexNoWildcards. So I agree we can simplify this to only allow a single index without cluster exclusion support for both CCS/CPS.

@quux00 wdyt?

[quux00]

Painless/execute supports neither wildcards nor index expression exclusions:

  "context_setup": {
    "index": "*:blogs",

// results in error
"reason": "no such remote cluster: [*]"

    "index": "-blogs",

// results in error:
        "type": "index_not_found_exception",
        "reason": "no such index [-blogs] and if you intended to exclude this index, ensure that you use wildcards that include it before explicitly excluding it",

And that last error message is actually misleading as you can't do that in painless/execute.

So that's an argument in favor of what Yang recommends. The tricky part is that if you switch to using RemoteClusterAware#splitIndexName you can't just blindly accept the project alias - it could be invalid (a wildcard, start with a - sign or reference a project that doesn't exist), so you'd need to have something check for it's validity. I haven't traced the code enough to know if that would happen downstream of this method call or if you need to detect that error here.

[quux00]

I wanted to keep CPS and CCS consistent, so I used the same approach we use in CCS but with a different set of cluster aliases.

If we do change this for CSP, we can file a follow-on ticket to change CCS as well, so I wouldn't let consistency between them be a blocker when the CCS error messages here aren't that great.

[alexey-ivanov-es]

The tricky part is that if you switch to using RemoteClusterAware#splitIndexName you can't just blindly accept the project alias - it could be invalid (a wildcard, start with a - sign or reference a project that doesn't exist), so you'd need to have something check for it's validity. I haven't traced the code enough to know if that would happen downstream of this method call or if you need to detect that error here.

It shouldn't be a problem - there is TargetProjects authorizedProjects containing aliases of the linked projects, so I can check if the cluster alias valid. And for CCS I can use IndicesAndAliasesResolver.RemoteClusterResolver.clusters for the validation

[ywangd]

I don't think we want to use a transient volatile field to controle this. In other places, e.g. ResolveIndex, we construct the IndicesOptions with cross-project when CPS is enabled. Cross-project indices options is then disabled before sending a newly instantiated child request to the remote.

[alexey-ivanov-es]

I've updated the implementation, but still need a transient field here since the request doesn't have an existing field for storing indices options. I am not sure about volatile, but it's probably better to have it than to have some concurrent bugs

[ywangd]

Thanks for the update 👍

I don't think volatile is necessary since there is no concurrent access to the field, i.e. the request object is passed around, maybe cross threads, in a serial fashion. Same reason for it not being a volatile field in other request types, such as SearchRequest.

[ywangd]

In contrast to other CPS-enabled endpoints all expressions should be interpreted as "canonical" like GET _settings or GET _mappings, but also "happens" to allow to specify a remote. So logs means _origin:logs. Origin project alias is also allowed, so if the origin project has the alias p1 p1:logs also means _origin:logs.

Just want to double confirm this is what we want. It means the flat-world model does NOT apply to this API, i.e. logs means local project only. Is this explicilty discussed and agreed upon? @quux00

[alexey-ivanov-es]

Also, ContextSetup is a bit odd in that it parses remote index synatx on its own and keeps them separately in clusterAlias and index fields. Then it still exposes the original expression via SingleShardRequest#index by combing them again. Is it really necessary? I think it is mainly responsible for the different methods of index, setIndex and setLocal that do almost the same thing. Can we look into simplify them?

Do we really need setLocal and setIndex methods? Can we reuse the existing index(...) method?

The problem with the current index method is that it's not in SingleIndexNoWildcards. We could move it there, making SingleIndexNoWildcards similar to Replaceable and allowing IndicesAndAliasesResolver to set the index on the request when it has an origin/origin alias prefix (instead of calling setLocal).
This would work, but I didn't go that route because it gives too much flexibility to SingleIndexNoWildcards's users. Users could set the index name to something completely different from what was originally received. This is especially problematic here because the index originally comes from ContextSetup, so having different indices in the request and context setup would cause confusion

[quux00]

In contrast to other CPS-enabled endpoints all expressions should be interpreted as "canonical" like GET _settings or GET _mappings, but also "happens" to allow to specify a remote. So logs means _origin:logs. Origin project alias is also allowed, so if the origin project has the alias p1 p1:logs also means _origin:logs.

Just want to double confirm this is what we want. It means the flat-world model does NOT apply to this API, i.e. logs means local project only. Is this explicilty discussed and agreed upon? @quux00

@ywangd - Yes, this is the agreed upon model with Product. We discussed several options, all of them bad. This option is the least-bad option based on Najwa's analysis of how Kibana uses this endpoint. I'll send you a link to the Slack discussion.

[ywangd]

@alexey-ivanov-es

The problem with the current index method is that it's not in SingleIndexNoWildcards.

Thanks for explaining. I see the issue now. The two methods still look a bit confusing to me. Can I suggest the followings:

1. setLocal does not need to take any parameter since it seems always true
2. No need for a setIndex method, we can rely on the existing index(String) method.

That is, something like

Request(Script script, String scriptContextName, ContextSetup setup) {
    ...
    if (setup != null) {
       ...
        if (contextSetup.getClusterAlias() == null) {
            index(contextSetup.getIndex());
        } else {
            index(contextSetup.getClusterAlias() + RemoteClusterAware.REMOTE_CLUSTER_INDEX_SEPARATOR + contextSetup.getIndex());
        }
    } else { ... }
}

@Override
public void setLocal() {
    index(contextSetup.getIndex());
}

[ywangd]

We making change so that UIAM authentication and authorized project resolution are separated from CPS index resolution so that they can be available for more request types. Please refer to the relevant change for this file here. Thanks!

[quux00]

This looks good to me. Thank you!

[ywangd]

LGTM