Phase 1 support for operator privileges (elastic#65256)

In some Elastic Stack environments, there is a distinction between the operator
of the cluster infrastructure and the administrator of the cluster. This
distinction cannot be supported currently because the "administrator" often has
the superuser role which grants each and every privilege of the cluster.

This PR adds a new feature to protect a fixed set of APIs from the
"administrator" even when it is a highly privileged user such as superuser. It
enhances the Elasticsearch security model to have an additional layer of
restriction in addition to the RBAC.

Co-authored-by: Tim Vernum <[email protected]>

Author: ywangd

docs/reference/rest-api/info.asciidoc

@@ -111,6 +111,10 @@ Example response:
          "available" : true,
          "enabled" : true
       },
+      "operator_privileges": {
+         "available": true,
+         "enabled": false
+      },
       "rollup": {
          "available": true,
          "enabled": true

x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java

@@ -104,7 +104,9 @@ public enum Feature {
 
         AGGREGATE_METRIC(OperationMode.MISSING, true),
 
-        SEARCHABLE_SNAPSHOTS(OperationMode.ENTERPRISE, true);
+        SEARCHABLE_SNAPSHOTS(OperationMode.ENTERPRISE, true),
+
+        OPERATOR_PRIVILEGES(OperationMode.ENTERPRISE, true);
 
         final OperationMode minimumOperationMode;
         final boolean needsActive;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackField.java

@@ -65,6 +65,8 @@ public final class XPackField {
     public static final String DATA_TIERS = "data_tiers";
     /** Name constant for the aggregate_metric plugin. */
     public static final String AGGREGATE_METRIC = "aggregate_metric";
+    /** Name constant for the operator privileges feature. */
+    public static final String OPERATOR_PRIVILEGES = "operator_privileges";
 
     private XPackField() {}
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/action/XPackInfoFeatureAction.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.action;
+
+import org.elasticsearch.action.ActionType;
+import org.elasticsearch.xpack.core.XPackField;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * A base action for info about a feature plugin.
+ *
+ * This action is implemented by each feature plugin, bound to the public constants here. The
+ * {@link XPackInfoAction} implementation iterates over the {@link #ALL} list of actions to form
+ * the complete info result.
+ */
+public class XPackInfoFeatureAction extends ActionType<XPackInfoFeatureResponse> {
+
+    private static final String BASE_NAME = "cluster:monitor/xpack/info/";
+
+    public static final XPackInfoFeatureAction SECURITY = new XPackInfoFeatureAction(XPackField.SECURITY);
+    public static final XPackInfoFeatureAction MONITORING = new XPackInfoFeatureAction(XPackField.MONITORING);
+    public static final XPackInfoFeatureAction WATCHER = new XPackInfoFeatureAction(XPackField.WATCHER);
+    public static final XPackInfoFeatureAction GRAPH = new XPackInfoFeatureAction(XPackField.GRAPH);
+    public static final XPackInfoFeatureAction MACHINE_LEARNING = new XPackInfoFeatureAction(XPackField.MACHINE_LEARNING);
+    public static final XPackInfoFeatureAction LOGSTASH = new XPackInfoFeatureAction(XPackField.LOGSTASH);
+    public static final XPackInfoFeatureAction EQL = new XPackInfoFeatureAction(XPackField.EQL);
+    public static final XPackInfoFeatureAction SQL = new XPackInfoFeatureAction(XPackField.SQL);
+    public static final XPackInfoFeatureAction ROLLUP = new XPackInfoFeatureAction(XPackField.ROLLUP);
+    public static final XPackInfoFeatureAction INDEX_LIFECYCLE = new XPackInfoFeatureAction(XPackField.INDEX_LIFECYCLE);
+    public static final XPackInfoFeatureAction SNAPSHOT_LIFECYCLE = new XPackInfoFeatureAction(XPackField.SNAPSHOT_LIFECYCLE);
+    public static final XPackInfoFeatureAction CCR = new XPackInfoFeatureAction(XPackField.CCR);
+    public static final XPackInfoFeatureAction TRANSFORM = new XPackInfoFeatureAction(XPackField.TRANSFORM);
+    public static final XPackInfoFeatureAction VECTORS = new XPackInfoFeatureAction(XPackField.VECTORS);
+    public static final XPackInfoFeatureAction VOTING_ONLY = new XPackInfoFeatureAction(XPackField.VOTING_ONLY);
+    public static final XPackInfoFeatureAction FROZEN_INDICES = new XPackInfoFeatureAction(XPackField.FROZEN_INDICES);
+    public static final XPackInfoFeatureAction SPATIAL = new XPackInfoFeatureAction(XPackField.SPATIAL);
+    public static final XPackInfoFeatureAction ANALYTICS = new XPackInfoFeatureAction(XPackField.ANALYTICS);
+    public static final XPackInfoFeatureAction ENRICH = new XPackInfoFeatureAction(XPackField.ENRICH);
+    public static final XPackInfoFeatureAction SEARCHABLE_SNAPSHOTS = new XPackInfoFeatureAction(XPackField.SEARCHABLE_SNAPSHOTS);
+    public static final XPackInfoFeatureAction DATA_STREAMS = new XPackInfoFeatureAction(XPackField.DATA_STREAMS);
+    public static final XPackInfoFeatureAction DATA_TIERS = new XPackInfoFeatureAction(XPackField.DATA_TIERS);
+    public static final XPackInfoFeatureAction AGGREGATE_METRIC = new XPackInfoFeatureAction(XPackField.AGGREGATE_METRIC);
+    public static final XPackInfoFeatureAction OPERATOR_PRIVILEGES = new XPackInfoFeatureAction(XPackField.OPERATOR_PRIVILEGES);
+
+    public static final List<XPackInfoFeatureAction> ALL;
+    static {
+        final List<XPackInfoFeatureAction> actions = new ArrayList<>();
+        actions.addAll(Arrays.asList(
+            SECURITY, MONITORING, WATCHER, GRAPH, MACHINE_LEARNING, LOGSTASH, EQL, SQL, ROLLUP, INDEX_LIFECYCLE, SNAPSHOT_LIFECYCLE, CCR,
+            TRANSFORM, VECTORS, VOTING_ONLY, FROZEN_INDICES, SPATIAL, ANALYTICS, ENRICH, DATA_STREAMS, SEARCHABLE_SNAPSHOTS, DATA_TIERS,
+            AGGREGATE_METRIC, OPERATOR_PRIVILEGES
+        ));
+        ALL = Collections.unmodifiableList(actions);
+    }
+
+    private XPackInfoFeatureAction(String name) {
+        super(BASE_NAME + name, XPackInfoFeatureResponse::new);
+    }
+
+    @Override
+    public String toString() {
+        return "ActionType [" + name() + "]";
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/AuthenticationField.java

@@ -10,6 +10,8 @@ public final class AuthenticationField {
     public static final String AUTHENTICATION_KEY = "_xpack_security_authentication";
     public static final String API_KEY_ROLE_DESCRIPTORS_KEY = "_security_api_key_role_descriptors";
     public static final String API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY = "_security_api_key_limited_by_role_descriptors";
+    public static final String PRIVILEGE_CATEGORY_KEY = "_security_privilege_category";
+    public static final String PRIVILEGE_CATEGORY_VALUE_OPERATOR = "operator";
 
     private AuthenticationField() {}
 }

x-pack/plugin/security/qa/operator-privileges-tests/build.gradle

@@ -0,0 +1,33 @@
+apply plugin: 'elasticsearch.esplugin'
+apply plugin: 'elasticsearch.java-rest-test'
+
+esplugin {
+  name 'operator-privileges-test'
+  description 'An test plugin for testing hard to get internals'
+  classname 'org.elasticsearch.xpack.security.operator.OperatorPrivilegesTestPlugin'
+}
+
+dependencies {
+  compileOnly project(':x-pack:plugin:core')
+  javaRestTestImplementation project(':x-pack:plugin:core')
+  javaRestTestImplementation project(':client:rest-high-level')
+  javaRestTestImplementation project(':x-pack:plugin:security')
+  // let the javaRestTest see the classpath of main
+  javaRestTestImplementation project.sourceSets.main.runtimeClasspath
+}
+
+testClusters.all {
+  testDistribution = 'DEFAULT'
+  numberOfNodes = 3
+
+  extraConfigFile 'operator_users.yml', file('src/javaRestTest/resources/operator_users.yml')
+  extraConfigFile 'roles.yml', file('src/javaRestTest/resources/roles.yml')
+
+  setting 'xpack.license.self_generated.type', 'trial'
+  setting 'xpack.security.enabled', 'true'
+  setting 'xpack.security.http.ssl.enabled', 'false'
+  setting 'xpack.security.operator_privileges.enabled', "true"
+
+  user username: "test_admin", password: 'x-pack-test-password', role: "superuser"
+  user username: "test_operator", password: 'x-pack-test-password', role: "limited_operator"
+}