WIldcard IndicesPermissions don't cover .security

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java

@@ -428,6 +428,7 @@ private static RoleDescriptor.IndicesPrivileges parseIndex(String roleName, XCon
         String[] privileges = null;
         String[] grantedFields = null;
         String[] deniedFields = null;
+        boolean allow_restricted_indices = false;
         while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT) {
             if (token == XContentParser.Token.FIELD_NAME) {
                 currentFieldName = parser.currentName();
@@ -444,6 +445,13 @@ private static RoleDescriptor.IndicesPrivileges parseIndex(String roleName, XCon
                     throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected field [{}] " +
                             "value to be a string or an array of strings, but found [{}] instead", roleName, currentFieldName, token);
                 }
+            } else if (Fields.ALLOW_RESTRICTED_INDICES.match(currentFieldName, parser.getDeprecationHandler())) {
+                if (token == XContentParser.Token.VALUE_BOOLEAN) {
+                    allow_restricted_indices = parser.booleanValue();
+                } else {
+                    throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected field [{}] " +
+                            "value to be a boolean, but found [{}] instead", roleName, currentFieldName, token);
+                }
             } else if (Fields.QUERY.match(currentFieldName, parser.getDeprecationHandler())) {
                 if (token == XContentParser.Token.START_OBJECT) {
                     XContentBuilder builder = JsonXContent.contentBuilder();
@@ -543,6 +551,7 @@ private static RoleDescriptor.IndicesPrivileges parseIndex(String roleName, XCon
                 .grantedFields(grantedFields)
                 .deniedFields(deniedFields)
                 .query(query)
+                .allowRestrictedIndices(allow_restricted_indices)
                 .build();
     }
 
@@ -590,6 +599,10 @@ public static class IndicesPrivileges implements ToXContentObject, Writeable {
         private String[] grantedFields = null;
         private String[] deniedFields = null;
         private BytesReference query;
+        // by default certain restricted indices are exempted when granting privileges, as they should generally be hidden for ordinary
+        // users. Setting this flag eliminates this special status, and any index name pattern in the permission will cover restricted
+        // indices as well.
+        private boolean allow_restricted_indices = false;
 
         private IndicesPrivileges() {
         }
@@ -600,6 +613,11 @@ public IndicesPrivileges(StreamInput in) throws IOException {
             this.deniedFields = in.readOptionalStringArray();
             this.privileges = in.readStringArray();
             this.query = in.readOptionalBytesReference();
+            if (in.getVersion().onOrAfter(Version.V_6_7_0)) {
+                allow_restricted_indices = in.readBoolean();
+            } else {
+                allow_restricted_indices = false;
+            }
         }
 
         @Override
@@ -609,6 +627,9 @@ public void writeTo(StreamOutput out) throws IOException {
             out.writeOptionalStringArray(deniedFields);
             out.writeStringArray(privileges);
             out.writeOptionalBytesReference(query);
+            if (out.getVersion().onOrAfter(Version.V_6_7_0)) {
+                out.writeBoolean(allow_restricted_indices);
+            }
         }
 
         public static Builder builder() {
@@ -646,6 +667,10 @@ public boolean isUsingFieldLevelSecurity() {
             return hasDeniedFields() || hasGrantedFields();
         }
 
+        public boolean allowsRestrictedIndices() {
+            return allow_restricted_indices;
+        }
+
         private boolean hasDeniedFields() {
             return deniedFields != null && deniedFields.length > 0;
         }
@@ -666,6 +691,7 @@ private boolean hasGrantedFields() {
         public String toString() {
             StringBuilder sb = new StringBuilder("IndicesPrivileges[");
             sb.append("indices=[").append(Strings.arrayToCommaDelimitedString(indices));
+            sb.append("], allows_restricted_indices=[").append(allow_restricted_indices);
             sb.append("], privileges=[").append(Strings.arrayToCommaDelimitedString(privileges));
             sb.append("], ");
             if (grantedFields != null || deniedFields != null) {
@@ -702,6 +728,7 @@ public boolean equals(Object o) {
             IndicesPrivileges that = (IndicesPrivileges) o;
 
             if (!Arrays.equals(indices, that.indices)) return false;
+            if (allow_restricted_indices != that.allow_restricted_indices) return false;
             if (!Arrays.equals(privileges, that.privileges)) return false;
             if (!Arrays.equals(grantedFields, that.grantedFields)) return false;
             if (!Arrays.equals(deniedFields, that.deniedFields)) return false;
@@ -711,6 +738,7 @@ public boolean equals(Object o) {
         @Override
         public int hashCode() {
             int result = Arrays.hashCode(indices);
+            result = 31 * result + (allow_restricted_indices ? 1 : 0);
             result = 31 * result + Arrays.hashCode(privileges);
             result = 31 * result + Arrays.hashCode(grantedFields);
             result = 31 * result + Arrays.hashCode(deniedFields);
@@ -736,6 +764,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
             if (query != null) {
                 builder.field("query", query.utf8ToString());
             }
+            builder.field(RoleDescriptor.Fields.ALLOW_RESTRICTED_INDICES.getPreferredName(), allow_restricted_indices);
             return builder.endObject();
         }
 
@@ -774,6 +803,11 @@ public Builder query(@Nullable String query) {
                 return query(query == null ? null : new BytesArray(query));
             }
 
+            public Builder allowRestrictedIndices(boolean allow) {
+                indicesPrivileges.allow_restricted_indices = allow;
+                return this;
+            }
+
             public Builder query(@Nullable BytesReference query) {
                 if (query == null) {
                     indicesPrivileges.query = null;
@@ -954,6 +988,7 @@ public interface Fields {
         ParseField APPLICATIONS = new ParseField("applications");
         ParseField RUN_AS = new ParseField("run_as");
         ParseField NAMES = new ParseField("names");
+        ParseField ALLOW_RESTRICTED_INDICES = new ParseField("allow_restricted_indices");
         ParseField RESOURCES = new ParseField("resources");
         ParseField QUERY = new ParseField("query");
         ParseField PRIVILEGES = new ParseField("privileges");