Handle the indices pattern ["*", "-*"] when grouping indices by cluster name #128610
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
| LGTM |
| Yes, I'll mention the issue and yes, this is a different codepath. We need to handle this index pattern only when the security is turned on (as of now; I don't think we're using it elsewhere AFAIK). |
| I've given it another thought: the issue you mentioned specifically talks about the unsecured model. Here, the issue is due to the pattern that's being injected by the auth-related code and to me, that seems like a different, yet tangential issue. |
smalyshev approved these changes May 29, 2025
javanna reviewed Jun 2, 2025
server/src/main/java/org/elasticsearch/transport/RemoteClusterService.java Outdated Show resolved Hide resolved
pawankartik-elastic added >bug Team:Search Foundations 
| Pinging @elastic/es-search-foundations (Team:Search Foundations) |
| Hi @pawankartik-elastic, I've created a changelog YAML for you. |
pawankartik-elastic added the auto-backport javanna approved these changes Jun 2, 2025
| final Map<String, OriginalIndices> originalIndicesMap = new HashMap<>(); | ||
| final Map<String, List<String>> groupedIndices = groupClusterIndices(remoteClusterNames, indices); | ||
| final Map<String, List<String>> groupedIndices; | ||
| if (returnLocalAll == false && IndexNameExpressionResolver.isNoneExpression(indices)) { |
There was a problem hiding this comment.
perhaps add a comment here, that explains the semantics of returnLocalAll and where it's used set to false.
I wonder if in the longer run, we should consider making resolve cluster go through a specific method that resolves clusters instead of indices, and remove this flag that makes things a little difficult to read. What do you think? Do we ever consume the indices names (values in the map) or only the cluster aliases (keys in the map)?
There was a problem hiding this comment.
Although we don't return the indices names directly, the _resolve/cluster call's response has a key matching_indices that tells if the specified cluster has the specified index.
💔 Backport failed
You can use sqren/backport to manually backport by running |
pawankartik-elastic added a commit to pawankartik-elastic/elasticsearch that referenced this pull request Jun 3, 2025
…ster name (elastic#128610) The auth code injects the pattern `["*", "-*"]` to specify that it's okay to return an empty response because user's patterns did not match any remote clusters. However, we fail to recognise this specific pattern and `groupIndices()` eventually associates it with the local cluster. This causes Elasticsearch to fallback to the local cluster unknowingly and return its details back to the user even though the user hasn't requested any info about the local cluster.
elasticsearchmachine pushed a commit that referenced this pull request Jun 3, 2025
…ster name (#128610) (#128822) The auth code injects the pattern `["*", "-*"]` to specify that it's okay to return an empty response because user's patterns did not match any remote clusters. However, we fail to recognise this specific pattern and `groupIndices()` eventually associates it with the local cluster. This causes Elasticsearch to fallback to the local cluster unknowingly and return its details back to the user even though the user hasn't requested any info about the local cluster.
joshua-adams-1 pushed a commit to joshua-adams-1/elasticsearch that referenced this pull request Jun 3, 2025
…ster name (elastic#128610) The auth code injects the pattern `["*", "-*"]` to specify that it's okay to return an empty response because user's patterns did not match any remote clusters. However, we fail to recognise this specific pattern and `groupIndices()` eventually associates it with the local cluster. This causes Elasticsearch to fallback to the local cluster unknowingly and return its details back to the user even though the user hasn't requested any info about the local cluster.
| Ugh, backport tool is broken. I'll manually do the porting tomorrow morning. |
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
pawankartik-elastic added a commit to pawankartik-elastic/elasticsearch that referenced this pull request Jun 3, 2025
…ster name (elastic#128610) The auth code injects the pattern `["*", "-*"]` to specify that it's okay to return an empty response because user's patterns did not match any remote clusters. However, we fail to recognise this specific pattern and `groupIndices()` eventually associates it with the local cluster. This causes Elasticsearch to fallback to the local cluster unknowingly and return its details back to the user even though the user hasn't requested any info about the local cluster. (cherry picked from commit 3f1e1b3) # Conflicts: # server/src/main/java/org/elasticsearch/transport/RemoteClusterService.java
pawankartik-elastic added a commit to pawankartik-elastic/elasticsearch that referenced this pull request Jun 3, 2025
…ster name (elastic#128610) The auth code injects the pattern `["*", "-*"]` to specify that it's okay to return an empty response because user's patterns did not match any remote clusters. However, we fail to recognise this specific pattern and `groupIndices()` eventually associates it with the local cluster. This causes Elasticsearch to fallback to the local cluster unknowingly and return its details back to the user even though the user hasn't requested any info about the local cluster. (cherry picked from commit 3f1e1b3) # Conflicts: # server/src/main/java/org/elasticsearch/transport/RemoteClusterService.java
elasticsearchmachine pushed a commit that referenced this pull request Jun 3, 2025
…ster name (#128610) (#128843) The auth code injects the pattern `["*", "-*"]` to specify that it's okay to return an empty response because user's patterns did not match any remote clusters. However, we fail to recognise this specific pattern and `groupIndices()` eventually associates it with the local cluster. This causes Elasticsearch to fallback to the local cluster unknowingly and return its details back to the user even though the user hasn't requested any info about the local cluster. (cherry picked from commit 3f1e1b3) # Conflicts: # server/src/main/java/org/elasticsearch/transport/RemoteClusterService.java
pawankartik-elastic added a commit that referenced this pull request Jun 4, 2025
…ster name (#128610) (#128842) The auth code injects the pattern `["*", "-*"]` to specify that it's okay to return an empty response because user's patterns did not match any remote clusters. However, we fail to recognise this specific pattern and `groupIndices()` eventually associates it with the local cluster. This causes Elasticsearch to fallback to the local cluster unknowingly and return its details back to the user even though the user hasn't requested any info about the local cluster. (cherry picked from commit 3f1e1b3)
Samiul-TheSoccerFan pushed a commit to Samiul-TheSoccerFan/elasticsearch that referenced this pull request Jun 5, 2025
…ster name (elastic#128610) The auth code injects the pattern `["*", "-*"]` to specify that it's okay to return an empty response because user's patterns did not match any remote clusters. However, we fail to recognise this specific pattern and `groupIndices()` eventually associates it with the local cluster. This causes Elasticsearch to fallback to the local cluster unknowingly and return its details back to the user even though the user hasn't requested any info about the local cluster.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
The authorisation code uses the pattern
["*", "-*"]whose semantics mean that it's alright to return an empty response. However, we don't seem to handle this scenario in most (if not all) endpoints and especially ingroupIndices(). When such a pattern is not handled,groupIndices()associates both the indices with the local cluster and we unknowingly end up including the local cluster in the response. This is why the_resolve/clusterendpoint will include the local cluster in the response when you specify a pattern that does not match any remote. E.g.:_resolve/cluster/my_nonexistent_*:w*.When you have security turned on and run an ES|QL query where the remote pattern does not match any clusters, you're fine and do not get back results from the local cluster (unsecured model was prone to this bug which mpeterson fixed in October last year). However,
_resolve/clusteris affected under the same security model. There's discrepancy here: sometimes we fallback to the local cluster and sometimes we don't. IMO, ideally, we shouldn't and this is problematic.There could be other endpoints that maybe affected in a similar way. The best way forward I see is to handle it in a place that's most likely to trip. Otherwise, we'll have to run a precheck everywhere to detect such a pattern before we call APIs like
groupIndices(). This is cumbersome and we could easily forget to do so.