Fix data stream wildcard resolution bug in eql search api.(#61910)

Backport of #61904 to 7.x branch. The eql search api redirects to the search api. For this reason the eql search api could work with concrete data stream names. However if security is enabled and a data stream name snippet with a wildcard was used then it could not resolve this expressions. This is because the EqlSearchRequest class didn't overwrite the `includeDataStreams()` method. This pr fixes this, so that the security layer can properly expand data stream name wildcard expressions for the eql search api. This commit also moves the eql data stream test to xpack rest tests, so that the test runs with security enabled. This is required to reproduce the bug. Closes #60828
2020-09-03 16:03:57 +02:00 · 2020-09-03 16:03:57 +02:00 · 3d9c12e2d3
parent c90ee32cdc
commit 3d9c12e2d3
3 changed files with 69 additions and 72 deletions
--- a/x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/20_data_streams.yml
+++ b/x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/20_data_streams.yml
@ -1,72 +0,0 @@
---
-setup:
-  - skip:
-      version: " - 7.99.99"
-      reason: "change to 7.8.99 after backport"
-      features: allowed_warnings
-
-  - do:
-      allowed_warnings:
-        - "index template [my-template1] has index patterns [simple-data-stream1] matching patterns from existing older templates [global] with patterns (global => [*]); this template [my-template1] will take precedence during new index creation"
-      indices.put_index_template:
-        name: my-template1
-        body:
-          index_patterns: [simple-data-stream1]
-          template:
-            mappings:
-              properties:
-                '@timestamp':
-                  type: date
-          data_stream: {}
-
-  - do:
-      indices.create_data_stream:
-        name: simple-data-stream1
-
-  - do:
-      bulk:
-        refresh: true
-        body:
-          - create:
-              _index: simple-data-stream1
-              _id:    1
-          - event:
-              - category: process
-            "@timestamp": 2020-02-03T12:34:56Z
-            user: SYSTEM
-
---
-"Verify data stream resolvability in EQL search API":
-  - do:
-      eql.search:
-        index: simple-data-stream1
-        body:
-          query: "process where user = 'SYSTEM'"
-
-  - match: {timed_out: false}
-  - match: {hits.total.value: 1}
-  - match: {hits.total.relation: "eq"}
-  - match: {hits.events.0._source.user: "SYSTEM"}
-
-  - do:
-      indices.delete_data_stream:
-        name: simple-data-stream1
-  - is_true: acknowledged
-
---
-"Data stream EQL search with wildcard pattern":
-  - do:
-      eql.search:
-        index: simple-data-s*
-        body:
-          query: "process where user = 'SYSTEM'"
-
-  - match: {timed_out: false}
-  - match: {hits.total.value: 1}
-  - match: {hits.total.relation: "eq"}
-  - match: {hits.events.0._source.user: "SYSTEM"}
-
-  - do:
-      indices.delete_data_stream:
-        name: simple-data-stream1
-  - is_true: acknowledged
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
@ -375,6 +375,11 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
        return new EqlSearchTask(id, type, action, getDescription(), parentTaskId, headers, null, null, keepAlive);
    }

+    @Override
+    public boolean includeDataStreams() {
+        return true;
+    }
+
    @Override
    public String getDescription() {
        StringBuilder sb = new StringBuilder();
--- a/x-pack/plugin/src/test/resources/rest-api-spec/test/data_stream/10_data_stream_resolvability.yml
+++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/data_stream/10_data_stream_resolvability.yml
@ -474,3 +474,67 @@
      indices.delete_data_stream:
        name: simple-data-stream1
  - is_true: acknowledged
+
+---
+"Verify data stream resolvability in EQL search API":
+  - skip:
+      version: " - 7.9.99"
+      reason: "change to 7.9.1 after backport"
+      features: allowed_warnings
+
+  - do:
+      allowed_warnings:
+        - "index template [my-template1] has index patterns [simple-data-stream1] matching patterns from existing older templates [global] with patterns (global => [*]); this template [my-template1] will take precedence during new index creation"
+      indices.put_index_template:
+        name: my-template1
+        body:
+          index_patterns: [simple-data-stream1]
+          template:
+            mappings:
+              properties:
+                '@timestamp':
+                  type: date
+          data_stream: {}
+
+  - do:
+      indices.create_data_stream:
+        name: simple-data-stream1
+
+  - do:
+      bulk:
+        refresh: true
+        body:
+          - create:
+              _index: simple-data-stream1
+              _id:    1
+          - event:
+              - category: process
+            "@timestamp": 2020-02-03T12:34:56Z
+            user: SYSTEM
+
+  - do:
+      eql.search:
+        index: simple-data-stream1
+        body:
+          query: "process where user = 'SYSTEM'"
+
+  - match: {timed_out: false}
+  - match: {hits.total.value: 1}
+  - match: {hits.total.relation: "eq"}
+  - match: {hits.events.0._source.user: "SYSTEM"}
+
+  - do:
+      eql.search:
+        index: simple-data-s*
+        body:
+          query: "process where user = 'SYSTEM'"
+
+  - match: {timed_out: false}
+  - match: {hits.total.value: 1}
+  - match: {hits.total.relation: "eq"}
+  - match: {hits.events.0._source.user: "SYSTEM"}
+
+  - do:
+      indices.delete_data_stream:
+        name: simple-data-stream1
+  - is_true: acknowledged