Phase 1 support for operator privileges (#65256)

In some Elastic Stack environments, there is a distinction between the operator
of the cluster infrastructure and the administrator of the cluster. This
distinction cannot be supported currently because the "administrator" often has
the superuser role which grants each and every privilege of the cluster.

This PR adds a new feature to protect a fixed set of APIs from the
"administrator" even when it is a highly privileged user such as superuser. It
enhances the Elasticsearch security model to have an additional layer of
restriction in addition to the RBAC.

Co-authored-by: Tim Vernum <[email protected]>

Author: ywangd

docs/reference/rest-api/info.asciidoc

@@ -103,6 +103,10 @@ Example response:
          "available" : true,
          "enabled" : true
       },
+      "operator_privileges": {
+         "available": true,
+         "enabled": false
+      },
       "rollup": {
          "available": true,
          "enabled": true

x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java

@@ -100,7 +100,9 @@ public enum Feature {
 
         ANALYTICS(OperationMode.MISSING, true),
 
-        SEARCHABLE_SNAPSHOTS(OperationMode.ENTERPRISE, true);
+        SEARCHABLE_SNAPSHOTS(OperationMode.ENTERPRISE, true),
+
+        OPERATOR_PRIVILEGES(OperationMode.ENTERPRISE, true);
 
         final OperationMode minimumOperationMode;
         final boolean needsActive;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackField.java

@@ -67,6 +67,8 @@ public final class XPackField {
     public static final String DATA_TIERS = "data_tiers";
     /** Name constant for the aggregate_metric plugin. */
     public static final String AGGREGATE_METRIC = "aggregate_metric";
+    /** Name constant for the operator privileges feature. */
+    public static final String OPERATOR_PRIVILEGES = "operator_privileges";
 
     private XPackField() {}
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/action/XPackInfoFeatureAction.java

@@ -47,14 +47,15 @@ public class XPackInfoFeatureAction extends ActionType<XPackInfoFeatureResponse>
     public static final XPackInfoFeatureAction DATA_STREAMS = new XPackInfoFeatureAction(XPackField.DATA_STREAMS);
     public static final XPackInfoFeatureAction DATA_TIERS = new XPackInfoFeatureAction(XPackField.DATA_TIERS);
     public static final XPackInfoFeatureAction AGGREGATE_METRIC = new XPackInfoFeatureAction(XPackField.AGGREGATE_METRIC);
+    public static final XPackInfoFeatureAction OPERATOR_PRIVILEGES = new XPackInfoFeatureAction(XPackField.OPERATOR_PRIVILEGES);
 
     public static final List<XPackInfoFeatureAction> ALL;
     static {
         final List<XPackInfoFeatureAction> actions = new ArrayList<>();
         actions.addAll(Arrays.asList(
             SECURITY, MONITORING, WATCHER, GRAPH, MACHINE_LEARNING, LOGSTASH, EQL, SQL, ROLLUP, INDEX_LIFECYCLE, SNAPSHOT_LIFECYCLE, CCR,
             TRANSFORM, VECTORS, VOTING_ONLY, FROZEN_INDICES, SPATIAL, ANALYTICS, ENRICH, DATA_STREAMS, SEARCHABLE_SNAPSHOTS, DATA_TIERS,
-            AGGREGATE_METRIC
+            AGGREGATE_METRIC, OPERATOR_PRIVILEGES
         ));
         ALL = Collections.unmodifiableList(actions);
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/AuthenticationField.java

@@ -10,6 +10,8 @@ public final class AuthenticationField {
     public static final String AUTHENTICATION_KEY = "_xpack_security_authentication";
     public static final String API_KEY_ROLE_DESCRIPTORS_KEY = "_security_api_key_role_descriptors";
     public static final String API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY = "_security_api_key_limited_by_role_descriptors";
+    public static final String PRIVILEGE_CATEGORY_KEY = "_security_privilege_category";
+    public static final String PRIVILEGE_CATEGORY_VALUE_OPERATOR = "operator";
 
     private AuthenticationField() {}
 }

x-pack/plugin/security/qa/operator-privileges-tests/build.gradle

@@ -0,0 +1,33 @@
+apply plugin: 'elasticsearch.esplugin'
+apply plugin: 'elasticsearch.java-rest-test'
+
+esplugin {
+  name 'operator-privileges-test'
+  description 'An test plugin for testing hard to get internals'
+  classname 'org.elasticsearch.xpack.security.operator.OperatorPrivilegesTestPlugin'
+}
+
+dependencies {
+  compileOnly project(':x-pack:plugin:core')
+  javaRestTestImplementation project(':x-pack:plugin:core')
+  javaRestTestImplementation project(':client:rest-high-level')
+  javaRestTestImplementation project(':x-pack:plugin:security')
+  // let the javaRestTest see the classpath of main
+  javaRestTestImplementation project.sourceSets.main.runtimeClasspath
+}
+
+testClusters.all {
+  testDistribution = 'DEFAULT'
+  numberOfNodes = 3
+
+  extraConfigFile 'operator_users.yml', file('src/javaRestTest/resources/operator_users.yml')
+  extraConfigFile 'roles.yml', file('src/javaRestTest/resources/roles.yml')
+
+  setting 'xpack.license.self_generated.type', 'trial'
+  setting 'xpack.security.enabled', 'true'
+  setting 'xpack.security.http.ssl.enabled', 'false'
+  setting 'xpack.security.operator_privileges.enabled', "true"
+
+  user username: "test_admin", password: 'x-pack-test-password', role: "superuser"
+  user username: "test_operator", password: 'x-pack-test-password', role: "limited_operator"
+}