EQL: reject queries that use a nested field or a sub-field of a nested field

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/analysis/AnalysisUtils.java

@@ -86,11 +86,21 @@ else if (DataTypes.isUnsupported(fa.dataType())) {
                             "Cannot use field [" + fa.name() + "] with unsupported type [" + unsupportedField.getOriginalType() + "]");
                 }
             }
-            // compound fields
-            else if (allowCompound == false && DataTypes.isPrimitive(fa.dataType()) == false) {
+            // compound fields that are not of "nested" type
+            else if (allowCompound == false && DataTypes.isPrimitive(fa.dataType()) == false && fa.dataType() != DataTypes.NESTED) {
                 named = u.withUnresolvedMessage(
                         "Cannot use field [" + fa.name() + "] type [" + fa.dataType().typeName() + "] only its subfields");
             }
+            // "nested" fields
+            else if (fa.dataType() == DataTypes.NESTED) {
+                named = u.withUnresolvedMessage("Cannot use field [" + fa.name() + "] type [" + fa.dataType().typeName() + "] "
+                    + "due to nested fields not being supported yet");
+            }
+            // fields having nested parents
+            else if (fa.isNested()) {
+                named = u.withUnresolvedMessage("Cannot use field [" + fa.name() + "] type [" + fa.dataType().typeName() + "] "
+                    + "with unsupported nested type in hierarchy (field [" + fa.nestedParent().name() +"])");
+            }
         }
         return named;
     }

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/querydsl/container/QueryContainer.java

@@ -95,9 +95,6 @@ private Tuple<QueryContainer, FieldExtraction> asFieldExtraction(Attribute attr)
 
         if (expression instanceof FieldAttribute) {
             FieldAttribute fa = (FieldAttribute) expression;
-            if (fa.isNested()) {
-                throw new UnsupportedOperationException("Nested not yet supported");
-            }
             return new Tuple<>(this, topHitFieldRef(fa));
         }
 

x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java

@@ -288,10 +288,13 @@ public void testObject() {
 
     public void testNested() {
         final IndexResolution idxr = loadIndexResolution("mapping-nested.json");
-        accept(idxr, "foo where processes.pid == 0");
-
+        assertEquals("1:11: Cannot use field [processes] type [nested] due to nested fields not being supported yet",
+            error(idxr, "foo where processes == 0"));
+        assertEquals("1:11: Cannot use field [processes.pid] type [long] with unsupported nested type in hierarchy (field [processes])",
+            error(idxr, "foo where processes.pid == 0"));
         assertEquals("1:11: Unknown column [processe.pid], did you mean any of [processes.pid, processes.path, processes.path.keyword]?",
                 error(idxr, "foo where processe.pid == 0"));
+        accept(idxr, "foo where long_field == 123");
     }
 
     public void testGeo() {
@@ -322,20 +325,24 @@ public void testMultiField() {
 
         accept(idxr, "foo where multi_field_options.raw == 'bar'");
         accept(idxr, "foo where multi_field_options.key == 'bar'");
-
         accept(idxr, "foo where multi_field_ambiguous.one == 'bar'");
         accept(idxr, "foo where multi_field_ambiguous.two == 'bar'");
+
         assertEquals("1:11: [multi_field_ambiguous.normalized == 'bar'] cannot operate on first argument field of data type [keyword]: " +
                         "Normalized keyword field cannot be used for exact match operations",
                 error(idxr, "foo where multi_field_ambiguous.normalized == 'bar'"));
-
-        assertEquals("1:11: [multi_field_nested.dep_name == 'bar'] cannot operate on first argument field of data type [text]: " +
-                        "No keyword/multi-field defined exact matches for [dep_name]; define one or use MATCH/QUERY instead",
+        assertEquals("1:11: Cannot use field [multi_field_nested.dep_name] type [text] with unsupported nested type in hierarchy " +
+                        "(field [multi_field_nested])",
                 error(idxr, "foo where multi_field_nested.dep_name == 'bar'"));
-
-        accept(idxr, "foo where multi_field_nested.dep_id.keyword == 'bar'");
-        accept(idxr, "foo where multi_field_nested.end_date == ''");
-        accept(idxr, "foo where multi_field_nested.start_date == 'bar'");
+        assertEquals("1:11: Cannot use field [multi_field_nested.dep_id.keyword] type [keyword] with unsupported nested type in " + 
+                        "hierarchy (field [multi_field_nested])",
+                error(idxr, "foo where multi_field_nested.dep_id.keyword == 'bar'"));
+        assertEquals("1:11: Cannot use field [multi_field_nested.end_date] type [datetime] with unsupported nested type in " + 
+                        "hierarchy (field [multi_field_nested])",
+                error(idxr, "foo where multi_field_nested.end_date == ''"));
+        assertEquals("1:11: Cannot use field [multi_field_nested.start_date] type [datetime] with unsupported nested type in " + 
+                        "hierarchy (field [multi_field_nested])",
+                error(idxr, "foo where multi_field_nested.start_date == 'bar'"));
     }
 
     public void testStringFunctionWithText() {

x-pack/plugin/eql/src/test/resources/mapping-nested.json

@@ -25,6 +25,9 @@
                     }
                 }
             }
+        },
+        "long_field" : {
+            "type" : "long"
         }
     }
 }