[Transform] Fix transform validation to reject PUT and _start when user lacks remote index permissions #142403

Merged
valeriy42 merged 10 commits into elastic:main from valeriy42:bug/is-95367
Feb 12, 2026
@valeriy42 valeriy42 commented Feb 12, 2026

When a transform is configured with a remote (cross-cluster) source index and the user lacks permissions to access it, the _preview API correctly fails -- but PUT _transform and _start silently succeed, allowing unauthorized transforms to be created and started. The root cause is that validateQuery in AbstractCompositeAggFunction only checks the response status code, which is OK even when IndicesOptions.LENIENT_EXPAND_OPEN causes unauthorized indices to be silently ignored. The search returns null aggregations in this case, but unlike preview(), validateQuery() never checks for that condition.

This PR introduces a SourceAccessDiagnostics class that inspects the SearchResponse for security-related failures at both the CCS cluster level (SKIPPED/FAILED clusters with ElasticsearchSecurityException) and the shard level (FORBIDDEN/UNAUTHORIZED status). A null-aggregation check is added to validateQuery(), but -- critically -- it only rejects the request when a security failure is positively identified. When no security failure is found, validation passes through silently. This distinction avoids the regression that caused PR #95318 to be reverted in #95562: that earlier change unconditionally failed on null aggregations, which broke integrations (such as Elastic Defend) that create and start transforms with wildcard source patterns before any matching indices exist. Since defer_validation only defers from PUT to _start, there was no way for those integrations to bypass the check. Our approach preserves backward compatibility for the empty-indices case while catching the unauthorized-remote-index case. The preview() method also delegates to the same diagnostics class, so all three APIs now produce consistent, actionable error messages when a security failure is detected, falling back to the original generic message otherwise.

The multi-cluster YAML integration tests are updated to verify that both PUT _transform and _start now reject unauthorized remote transforms. A new test case creates a transform with defer_validation: true and confirms that _start catches the permission issue. Unit tests for SourceAccessDiagnostics cover cluster-level SKIPPED/FAILED scenarios, shard-level security exceptions, FORBIDDEN/UNAUTHORIZED status codes, and the fallback to the generic message for non-security failures.

Fixes #95367

@valeriy42 valeriy42 requested a review from Copilot February 12, 2026 15:35
@valeriy42 valeriy42 added >bug :ml Machine learning :ml/Transform Transform auto-backport Automatically create backport pull requests when merged v9.3.1 v9.4.0 v8.19.12 v9.2.6 labels Feb 12, 2026
@valeriy42 valeriy42 changed the title [ML] Fix transform validation to reject PUT and _start when user lacks remote index permissions Feb 12, 2026
@valeriy42 valeriy42 requested a review from prwhelan February 12, 2026 15:35
@elasticsearchmachine elasticsearchmachine added the Team:ML Meta label for the ML team label Feb 12, 2026
@elasticsearchmachine
Collaborator

Pinging @elastic/ml-core (Team:ML)

Contributor

Copilot AI left a comment

Pull request overview

Fixes transform source validation so that unauthorized cross-cluster (remote) source indices cause PUT _transform and _start to fail consistently (matching _preview), with clearer diagnostics.

Changes:

  • Add SourceAccessDiagnostics to detect security-related CCS/shard failures and return actionable error messages.
  • Update preview() and validateQuery() to use diagnostics when aggregations are null.
  • Expand multi-cluster security YAML tests and add unit tests for the new diagnostics behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File: Description

  • x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/transforms/common/SourceAccessDiagnostics.java: Adds centralized diagnostics for permission vs missing-index cases when aggregations are null.
  • x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/transforms/common/AbstractCompositeAggFunction.java: Uses diagnostics in preview() and adds null-aggregation validation in validateQuery().
  • x-pack/plugin/transform/src/test/java/org/elasticsearch/xpack/transform/transforms/common/SourceAccessDiagnosticsTests.java: Adds unit coverage for cluster/shard security failures and fallback behavior.
  • x-pack/plugin/transform/qa/multi-cluster-tests-with-security/src/test/resources/rest-api-spec/test/multi_cluster/80_transform.yml: Updates/extends integration tests to assert PUT and _start reject unauthorized remote sources.


@valeriy42
Contributor Author

Here's the PR comment text:


Historical context: PR #95318 and its revert #95562

While investigating this fix, I discovered that the same null-aggregation check in validateQuery() was previously attempted in PR #95318 (April 2023) and reverted five days later in #95562. The revert message gives no explanation, but a Slack thread between the transform team and the Elastic Defend/Fleet teams documents the full story.

What happened:

PR #95318 added an unconditional aggregations == null check to validateQuery(), causing it to fail with "Source indices have been deleted or closed." This broke the Elastic Defend integration (Kibana issue #155709), which installs transforms via Fleet with source patterns like metrics-endpoint.metadata-*. The transforms are created with defer_validation=true and started immediately, but at that point no data has been ingested yet -- the wildcard resolves to zero indices.

The key insight is that defer_validation only moves validation from PUT to _start. There is no mechanism to defer past _start. So the new check simply moved the failure from PUT to _start, breaking all integrations that start transforms before source data exists. Hendrik Muhs recommended reverting on the release branch and investigating on main, noting that the improvement might need to be saved for a major release if it cannot be made backward-compatible.

How this PR avoids the same regression:

Instead of unconditionally failing on null aggregations, validateQuery() now calls SourceAccessDiagnostics.diagnoseSourceAccessFailure(response) and only rejects the request when a security failure is positively identified (e.g., ElasticsearchSecurityException in CCS cluster-level or shard-level failures). When no security failure is found, the diagnostics returns the generic fallback message, and validation passes through silently -- preserving the existing lenient behavior for the empty-indices case.

Open question:

Whether this approach catches all unauthorized-remote-index scenarios depends on how IndicesOptions.LENIENT_EXPAND_OPEN interacts with CCS authorization failures. If the lenient options suppress security exceptions from appearing in the SearchResponse metadata entirely (no cluster-level SKIPPED/FAILED status, no shard failures), then diagnoseSourceAccessFailure() would return the fallback message and validation would still pass through. The multi-cluster integration tests will confirm this. If it turns out that security failures are not surfaced in the response, we may need an alternative detection strategy (e.g., checking whether source indices include remote patterns and applying stricter validation only for that path).

cc @elastic/fleet
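
The decision rule described in the PR description and in the comment above, as an added example that is not the PR's code: reject only when a security failure is positively identified, and otherwise let null aggregations pass. All types, the securityRelated flag, the cluster aliases and the shard-level message are hypothetical stand-ins rather than Elasticsearch classes, and the sketch returns an Optional instead of comparing message strings.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added illustration, not Elasticsearch code: every type here is a hypothetical
// stand-in for the parts of a search response that the validation decision reads.
public class TransformSourceValidationSketch {

    enum ClusterStatus { SUCCESSFUL, SKIPPED, FAILED }

    // securityRelated stands in for "caused by ElasticsearchSecurityException, or
    // carrying a FORBIDDEN/UNAUTHORIZED status".
    record Failure(String reason, boolean securityRelated) {}

    // failures may be null when nothing was recorded for the cluster.
    record Cluster(ClusterStatus status, List<Failure> failures) {}

    record Response(boolean hasAggregations, Map<String, Cluster> clusters, List<Failure> shardFailures) {}

    static <T> List<T> orEmpty(List<T> list) {
        return list == null ? List.of() : list;
    }

    // Returns a message only when a security failure is positively identified.
    static Optional<String> diagnoseSecurityFailure(Response response) {
        // 1. CCS cluster level: SKIPPED or FAILED clusters with a security failure.
        for (Map.Entry<String, Cluster> entry : response.clusters().entrySet()) {
            Cluster cluster = entry.getValue();
            if (cluster.status() == ClusterStatus.SUCCESSFUL) {
                continue;
            }
            for (Failure failure : orEmpty(cluster.failures())) {
                if (failure.securityRelated()) {
                    return Optional.of("User lacks the required permissions to read source indices on cluster ["
                        + entry.getKey() + "].");
                }
            }
        }
        // 2. Shard level (message text constructed for this example).
        for (Failure failure : orEmpty(response.shardFailures())) {
            if (failure.securityRelated()) {
                return Optional.of("User lacks the required permissions to read the source indices.");
            }
        }
        return Optional.empty();
    }

    // Decision shared by PUT _transform and _start: empty means accept,
    // a value means reject with that validation error.
    static Optional<String> validate(Response response) {
        if (response.hasAggregations()) {
            return Optional.empty();
        }
        // Null aggregations alone are not an error: a wildcard source that
        // matches no indices yet must still be accepted.
        return diagnoseSecurityFailure(response);
    }

    static void report(String scenario, Response response) {
        System.out.println(scenario + " -> " + validate(response).map(m -> "REJECT: " + m).orElse("ACCEPT"));
    }

    public static void main(String[] args) {
        // All responses below are constructed sample data.
        report("wildcard matches no indices yet",
            new Response(false, Map.of(), List.of()));
        report("remote cluster skipped, security failure",
            new Response(false,
                Map.of("remote_a", new Cluster(ClusterStatus.SKIPPED, List.of(new Failure("action unauthorized", true)))),
                List.of()));
        report("shard-level security failure",
            new Response(false, Map.of(), List.of(new Failure("forbidden", true))));
        report("remote cluster skipped, connection problem",
            new Response(false,
                Map.of("remote_b", new Cluster(ClusterStatus.SKIPPED, List.of(new Failure("connect timeout", false)))),
                List.of()));
        report("remote cluster failed, no failures recorded",
            new Response(false, Map.of("remote_c", new Cluster(ClusterStatus.FAILED, null)), List.of()));
    }
}
```

The last two scenarios are accepted: they are the residual fail-open path raised in the open question, where a denial that is not surfaced as a security failure in the response still passes validation.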

@elasticsearchmachine
Collaborator

Hi @valeriy42, I've created a changelog YAML for you.

@valeriy42 valeriy42 requested a review from Copilot February 12, 2026 16:06
valeriy42 and others added 2 commits February 12, 2026 17:06
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.



Comment on lines +70 to +74
for (ShardSearchFailure failure : cluster.getFailures()) {
if (isSecurityFailure(failure)) {
return "User lacks the required permissions to read source indices on cluster [" + alias + "].";
}
}
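Review bot: The loop over cluster.getFailures() only yields a diagnosis when a failure object was recorded for the cluster, so a remote cluster whose denial leaves the failure list empty falls through here and the caller sees no security failure. If the cluster's status is available at this point, consider reporting, or at least logging, a non-successful remote cluster that has no recorded failures, and add a unit test for that case.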

Copilot AI Feb 12, 2026

cluster.getFailures() can be null for clusters without recorded failures, which would throw an NPE during iteration. Add a null/empty check before iterating (or iterate over an empty list when failures is null) to make this safe for all SearchResponse.Cluster instances.

Comment on lines +152 to +158
if (response.getAggregations() == null) {
String diagnosis = SourceAccessDiagnostics.diagnoseSourceAccessFailure(response);
if (diagnosis.equals(SourceAccessDiagnostics.SOURCE_INDICES_MISSING) == false) {
listener.onFailure(new ValidationException().addValidationError(diagnosis));
return;
}
}
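Review bot: When response.getAggregations() is null and the diagnosis equals SOURCE_INDICES_MISSING, the block falls through without logging, so a denial the diagnostics did not recognise is indistinguishable from a wildcard that matched nothing. A debug-level log line on that branch would let operators see that validation passed on the lenient path. Separately, diagnosis.equals(...) throws if diagnoseSourceAccessFailure ever returns null; calling equals on the constant, SourceAccessDiagnostics.SOURCE_INDICES_MISSING.equals(diagnosis), avoids that.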

Copilot AI Feb 12, 2026

Control flow is determined by comparing the returned message string to SOURCE_INDICES_MISSING, which is brittle (message wording becomes part of the API contract). Consider changing SourceAccessDiagnostics to return a structured result (e.g., Optional<String> for a detected security message, or an enum + message), so validateQuery() can branch on an explicit signal rather than string equality.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@prwhelan prwhelan removed the :ml Machine learning label Feb 12, 2026
valeriy42 and others added 2 commits February 12, 2026 20:40
@valeriy42 valeriy42 merged commit 0e44984 into elastic:main Feb 12, 2026
35 checks passed
@elasticsearchmachine
Collaborator

💔 Backport failed

Status Branch Result
9.3
8.19 Commit could not be cherrypicked due to conflicts
9.2 Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 142403

valeriy42 added a commit to valeriy42/elasticsearch that referenced this pull request Feb 12, 2026
…er lacks remote index permissions (elastic#142403)

valeriy42 added a commit to valeriy42/elasticsearch that referenced this pull request Feb 13, 2026
…er lacks remote index permissions (elastic#142403)

(cherry picked from commit 0e44984)

# Conflicts:
#	x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/transforms/common/AbstractCompositeAggFunction.java
@valeriy42
Contributor Author

💚 All backports created successfully

Status Branch Result
9.2
8.19

valeriy42 added a commit to valeriy42/elasticsearch that referenced this pull request Feb 13, 2026
…er lacks remote index permissions (elastic#142403)

(cherry picked from commit 0e44984)

# Conflicts:
#	x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/transforms/common/AbstractCompositeAggFunction.java
elasticsearchmachine pushed a commit that referenced this pull request Feb 13, 2026
…hen user lacks remote index permissions (#142403) (#142454)

* [Transform] Fix transform validation to reject PUT and _start when user lacks remote index permissions (#142403)

(cherry picked from commit 0e44984)

# Conflicts:
#	x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/transforms/common/AbstractCompositeAggFunction.java

* Fix SearchResponse.Cluster constructor arity in SourceAccessDiagnosticsTests

* checkstyle
elasticsearchmachine pushed a commit that referenced this pull request Feb 13, 2026
…hen user lacks remote index permissions (#142403) (#142430)

* [Transform] Fix transform validation to reject PUT and _start when user lacks remote index permissions (#142403)

* Fix SearchResponse.Cluster constructor arity in SourceAccessDiagnosticsTests

* checkstyle
sidosera pushed a commit to sidosera/elasticsearch that referenced this pull request Feb 13, 2026
…er lacks remote index permissions (elastic#142403)

elasticsearchmachine pushed a commit that referenced this pull request Feb 23, 2026
…when user lacks remote index permissions (#142403) (#142455)

* [Transform] Fix transform validation to reject PUT and _start when user lacks remote index permissions (#142403)

(cherry picked from commit 0e44984)

# Conflicts:
#	x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/transforms/common/AbstractCompositeAggFunction.java

* fix compilation error

* Add diagnostics for remote CCS clusters with zero shards

Enhance the SourceAccessDiagnostics class to identify remote CCS clusters that return zero shards due to permission issues. This update includes a new method to check for such scenarios and updates the documentation accordingly. Additionally, new unit tests are added to verify the correct behavior when accessing remote clusters with insufficient permissions, ensuring that appropriate error messages are returned. This change improves the clarity of diagnostics related to security exceptions in cross-cluster searches.

* fix unit test specifics for 8.19

* Update transform configuration in multi-cluster test to include defer_validation and modify description