Consistently prevent using exclusion prefix on its own

[ywangd]

The dash character is used as a prefix to signify index exclusion. It should not be used on its own. For example, an expression like *,- should be invalid. However, today this is handled differently depending on whether security is enabled or disabled. When security is enabled, the standalone exclusion char is ignored and the expression is handled as just *. But when security is disabled, the expression encounters an IndexNotFoundException.

This PR fixes the inconsistency by always throwing InvalidIndexNameException. In addition, this PR also fixes #45504 by ensuring InvalidIndexNameException is thrown for empty index name instead of IndexOutOfBoundsException.

Resolves: #45504

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[elasticsearchmachine]

Hi @ywangd, I've created a changelog YAML for you.

[github-actions]

🔍 Preview links for changed docs

• docs/reference/elasticsearch/rest-apis/api-conventions.md

[github-actions]

ℹ️ Important: Docs version tagging

👋 Thanks for updating the docs! Just a friendly reminder that our docs are now cumulative. This means all 9.x versions are documented on the same page and published off of the main branch, instead of creating separate pages for each minor version.

We use applies_to tags to mark version-specific features and changes.

Expand for a quick overview

When to use applies_to tags:

✅ At the page level to indicate which products/deployments the content applies to (mandatory)
✅ When features change state (e.g. preview, ga) in a specific version
✅ When availability differs across deployments and environments

What NOT to do:

❌ Don't remove or replace information that applies to an older version
❌ Don't add new information that applies to a specific version without an applies_to tag
❌ Don't forget that applies_to tags can be used at the page, section, and inline level

🤔 Need help?

• Check out the cumulative docs guidelines
• Reach out in the #docs Slack channel

[ywangd]

Currently, an empty expression encounters an IndexOutOfBoundsException because we call localIndexExpression.charAt(0) a few lines below. With security disabled, the error is IndexNotFoundException. I think it's better for them to both throw IllegalArgumentException. Strictly speaking, this change is not about exclusion. But since it's an issue of similar nature, I decide to include it as well.

[n1v0lg]

Nice, I think this effectively fixes long-standing #45504 👍 Could you add a note to the PR description to close the issue once merged?

[ywangd]

Ah good find. Updated the PR description as well as adding the issue to the changelog.

[ywangd]

In addition to index exclusion, there is also remote cluster exclusion. Currently, an expression such as -:foo encounters a NoSuchRemoteClusterException. We could decide to change the exception to IllegalArgumentException as well. But I'll leave it out for this PR.

[ywangd]

IllegalArgumentException is always wrapped with ElasticsearchSecurityException. I think we could argue whether such wrapping is necessary. But I don't want to go down that path for now. Alternatively, if we want to avoid the wrapping, we could throw either InvalidIndexNameException or IndexNotFoundException instead. Please let me know if you prefer either of these.

[ywangd]

On second thought, I decided to use InvalidIndexNameException which seems more specific for the particular issue. eb9498b

[n1v0lg]

InvalidIndexNameException makes sense to me

[n1v0lg]

LGTM 👍

[n1v0lg]

Nice, I think this effectively fixes long-standing #45504 👍 Could you add a note to the PR description to close the issue once merged?

[n1v0lg]

Nit: I'd add invalidExclusion() and invalidExpression() methods to make the call more self-explanatory (as opposed to the raw boolean arg)

[ywangd]

Sure see aff7f77

[n1v0lg]

I'd also add:

new String[] { "-", "-" },
new String[] { "-testXXX", "-" },
new String[] { "*", "-testXXX", "-" }

[ywangd]

Pushed 3468c92

[n1v0lg]

I'd also add:

new String[] { "_all", "-" }, // interestingly this doesn't work in server/src/test/java/org/elasticsearch/cluster/metadata/IndexNameExpressionResolverTests.java since we don't allow `_` at that validation stage 
new String[] { "-", "-" },
new String[] { "-testXXX", "-" },
new String[] { "*", "-testXXX", "-" }

[ywangd]

I think we should make IndexAbstractionResolver behave the same as IndexNameExpressionResolver for handling _all. It's inconsistent right now. The expression _all is a special match-all only when it is used on its own. Otherwise, it is just a normal name. As a normal name, it is invalid because index cannot begin with _. But with security enabled, an expression like foo*,_all ends up being just _all and expands to match all if foo* matches nothing. But if foo* matches anything, it then encounters InvalidIndexNameException. This is not a sensible behaviour and I think we should instead throw InvalidIndexNameException in both cases.

I added a test for { "_all", "-" } on the core side and assert it throws index name "must. not start with '_'". See 3468c92 along with your suggestion.

[n1v0lg]

Let's also cover:

new String[] { "", "_all" },

[ywangd]

Yep see 3468c92

[n1v0lg]

InvalidIndexNameException makes sense to me

[elasticsearchmachine]

Hi @ywangd, I've updated the changelog YAML for you.

[elasticsearchmachine]

Hi @ywangd, I've updated the changelog YAML for you.

[ywangd]

CI Failure is irrelevant but reproducible. I raised #139576