Merge branch 'master' into oel-6

* master:
  Add docs for CCR stats API (elastic#35439)
  Fix the names of CCR stats endpoints in usage API (elastic#35438)
  Switch to default to no build qualifier (elastic#35415)
  Clarify S3 repository storage class parameter (elastic#35400)
  SQL: Fix query translation for scripted queries (elastic#35408)
  [TEST] Instead of ignoring the ccr downgrade to basic license qa test avoid the assertions that check the log files, because that does not work on Windows. The rest of the test is still useful and should work on Windows CI.
  Upgrade to Joda 2.10.1 (elastic#35410)
  HLRest: model role and privileges (elastic#35128)

Author: jasontedor

buildSrc/build.gradle

@@ -245,7 +245,7 @@ class VersionPropertiesLoader {
                       elasticsearch
       )
     }
-    String qualifier = systemProperties.getProperty("build.version_qualifier", "alpha1");
+    String qualifier = systemProperties.getProperty("build.version_qualifier", "");
     if (qualifier.isEmpty() == false) {
       if (qualifier.matches("(alpha|beta|rc)\\d+") == false) {
         throw new IllegalStateException("Invalid qualifier: " + qualifier)

buildSrc/version.properties

@@ -16,6 +16,7 @@ slf4j             = 1.6.2
 jna               = 4.5.1
 
 netty             = 4.1.30.Final
+joda              = 2.10.1
 
 # test dependencies
 randomizedrunner  = 2.7.0

client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/ApplicationResourcePrivileges.java

@@ -0,0 +1,156 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.client.security.user.privileges;
+
+import org.elasticsearch.common.ParseField;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.xcontent.ConstructingObjectParser;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentHelper;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.common.xcontent.XContentType;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Objects;
+import java.util.Set;
+
+import static org.elasticsearch.common.xcontent.ConstructingObjectParser.constructorArg;
+
+/**
+ * Represents privileges over resources that are scoped under an application.
+ * The application, resources and privileges are completely managed by the
+ * client and can be arbitrary string identifiers. Elasticsearch is not
+ * concerned by any resources under an application scope.
+ */
+public final class ApplicationResourcePrivileges implements ToXContentObject {
+
+    private static final ParseField APPLICATION = new ParseField("application");
+    private static final ParseField PRIVILEGES = new ParseField("privileges");
+    private static final ParseField RESOURCES = new ParseField("resources");
+
+    @SuppressWarnings("unchecked")
+    static final ConstructingObjectParser<ApplicationResourcePrivileges, Void> PARSER = new ConstructingObjectParser<>(
+            "application_privileges", false, constructorObjects -> {
+                // Don't ignore unknown fields. It is dangerous if the object we parse is also
+                // part of a request that we build later on, and the fields that we now ignore will
+                // end up being implicitly set to null in that request.
+                int i = 0;
+                final String application = (String) constructorObjects[i++];
+                final Collection<String> privileges = (Collection<String>) constructorObjects[i++];
+                final Collection<String> resources = (Collection<String>) constructorObjects[i];
+                return new ApplicationResourcePrivileges(application, privileges, resources);
+            });
+
+    static {
+        PARSER.declareString(constructorArg(), APPLICATION);
+        PARSER.declareStringArray(constructorArg(), PRIVILEGES);
+        PARSER.declareStringArray(constructorArg(), RESOURCES);
+    }
+
+    private final String application;
+    private final Set<String> privileges;
+    private final Set<String> resources;
+
+    /**
+     * Constructs privileges for resources under an application scope.
+     * 
+     * @param application
+     *            The application name. This identifier is completely under the
+     *            clients control.
+     * @param privileges
+     *            The privileges names. Cannot be null or empty. Privilege
+     *            identifiers are completely under the clients control.
+     * @param resources
+     *            The resources names. Cannot be null or empty. Resource identifiers
+     *            are completely under the clients control.
+     */
+    public ApplicationResourcePrivileges(String application, Collection<String> privileges, Collection<String> resources) {
+        if (Strings.isNullOrEmpty(application)) {
+            throw new IllegalArgumentException("application privileges must have an application name");
+        }
+        if (null == privileges || privileges.isEmpty()) {
+            throw new IllegalArgumentException("application privileges must define at least one privilege");
+        }
+        if (null == resources || resources.isEmpty()) {
+            throw new IllegalArgumentException("application privileges must refer to at least one resource");
+        }
+        this.application = application;
+        this.privileges = Collections.unmodifiableSet(new HashSet<>(privileges));
+        this.resources = Collections.unmodifiableSet(new HashSet<>(resources));
+    }
+
+    public String getApplication() {
+        return application;
+    }
+
+    public Set<String> getResources() {
+        return this.resources;
+    }
+
+    public Set<String> getPrivileges() {
+        return this.privileges;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || this.getClass() != o.getClass()) {
+            return false;
+        }
+        ApplicationResourcePrivileges that = (ApplicationResourcePrivileges) o;
+        return application.equals(that.application)
+                && privileges.equals(that.privileges)
+                && resources.equals(that.resources);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(application, privileges, resources);
+    }
+
+    @Override
+    public String toString() {
+        try {
+            return XContentHelper.toXContent(this, XContentType.JSON, true).utf8ToString();
+        } catch (IOException e) {
+            throw new RuntimeException("Unexpected", e);
+        }
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject();
+        builder.field(APPLICATION.getPreferredName(), application);
+        builder.field(PRIVILEGES.getPreferredName(), privileges);
+        builder.field(RESOURCES.getPreferredName(), resources);
+        return builder.endObject();
+    }
+
+    public static ApplicationResourcePrivileges fromXContent(XContentParser parser) {
+        return PARSER.apply(parser, null);
+    }
+
+}

client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/GlobalOperationPrivilege.java

@@ -0,0 +1,99 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.client.security.user.privileges;
+
+import org.elasticsearch.common.xcontent.XContentParser;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Represents generic global cluster privileges that can be scoped by categories
+ * and then further by operations. The privilege's syntactic and semantic
+ * meaning is specific to each category and operation; there is no general
+ * definition template. It is not permitted to define different privileges under
+ * the same category and operation.
+ */
+public class GlobalOperationPrivilege {
+
+    private final String category;
+    private final String operation;
+    private final Map<String, Object> privilege;
+
+    /**
+     * Constructs privileges under a specific {@code category} and for some
+     * {@code operation}. The privilege definition is flexible, it is a {@code Map},
+     * and the semantics is bound to the {@code category} and {@code operation}.
+     * 
+     * @param category
+     *            The category of the privilege.
+     * @param operation
+     *            The operation of the privilege.
+     * @param privilege
+     *            The privilege definition.
+     */
+    public GlobalOperationPrivilege(String category, String operation, Map<String, Object> privilege) {
+        this.category = Objects.requireNonNull(category);
+        this.operation = Objects.requireNonNull(operation);
+        if (privilege == null || privilege.isEmpty()) {
+            throw new IllegalArgumentException("Privileges cannot be empty or null");
+        }
+        this.privilege = Collections.unmodifiableMap(privilege);
+    }
+
+    public String getCategory() {
+        return category;
+    }
+
+    public String getOperation() {
+        return operation;
+    }
+
+    public Map<String, Object> getRaw() {
+        return privilege;
+    }
+
+    public static GlobalOperationPrivilege fromXContent(String category, String operation, XContentParser parser) throws IOException {
+        // parser is still placed on the field name, advance to next token (field value)
+        assert parser.currentToken().equals(XContentParser.Token.FIELD_NAME);
+        parser.nextToken();
+        return new GlobalOperationPrivilege(category, operation, parser.map());
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || (false == this instanceof GlobalOperationPrivilege)) {
+            return false;
+        }
+        final GlobalOperationPrivilege that = (GlobalOperationPrivilege) o;
+        return category.equals(that.category) && operation.equals(that.operation) && privilege.equals(that.privilege);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(category, operation, privilege);
+    }
+
+}