Fix remote cluster credential secure settings reload

docs/changelog/111535.yaml

@@ -0,0 +1,5 @@
+pr: 111535
+summary: Fix reload secure settings privileges
+area: Authorization
+type: bug
+issues: []

server/src/main/java/org/elasticsearch/action/admin/cluster/node/reload/TransportNodesReloadSecureSettingsAction.java

@@ -123,6 +123,7 @@ protected NodesReloadSecureSettingsResponse.NodeResponse nodeOperation(
             final List<Exception> exceptions = new ArrayList<>();
             // broadcast the new settings object (with the open embedded keystore) to all reloadable plugins
             pluginsService.filterPlugins(ReloadablePlugin.class).forEach(p -> {
+                logger.debug("Reloading plugin [" + p.getClass().getSimpleName() + "]");
                 try {
                     p.reload(settingsWithKeystore);
                 } catch (final Exception e) {

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/AbstractRemoteClusterSecurityTestCase.java

@@ -10,6 +10,7 @@
 import org.apache.http.HttpHost;
 import org.apache.http.client.methods.HttpPost;
 import org.elasticsearch.client.Request;
+import org.elasticsearch.client.RequestOptions;
 import org.elasticsearch.client.Response;
 import org.elasticsearch.client.RestClient;
 import org.elasticsearch.client.RestClientBuilder;
@@ -48,6 +49,7 @@ public abstract class AbstractRemoteClusterSecurityTestCase extends ESRestTestCa
     protected static final String USER = "test_user";
     protected static final SecureString PASS = new SecureString("x-pack-test-password".toCharArray());
     protected static final String REMOTE_SEARCH_USER = "remote_search_user";
+    protected static final String MANAGE_USER = "manage_user";
     protected static final String REMOTE_METRIC_USER = "remote_metric_user";
     protected static final String REMOTE_TRANSFORM_USER = "remote_transform_user";
     protected static final String REMOTE_SEARCH_ROLE = "remote_search";
@@ -220,7 +222,7 @@ protected void removeRemoteClusterCredentials(String clusterAlias, MutableSettin
     private void reloadSecureSettings() throws IOException {
         final Request request = new Request("POST", "/_nodes/reload_secure_settings");
         request.setJsonEntity("{\"secure_settings_password\":\"" + KEYSTORE_PASSWORD + "\"}");
-        final Response reloadResponse = adminClient().performRequest(request);
+        final Response reloadResponse = performRequestWithManageUser(request);
         assertOK(reloadResponse);
         final Map<String, Object> map = entityAsMap(reloadResponse);
         assertThat(map.get("nodes"), instanceOf(Map.class));
@@ -233,6 +235,11 @@ private void reloadSecureSettings() throws IOException {
         }
     }
 
+    private Response performRequestWithManageUser(final Request request) throws IOException {
+        request.setOptions(RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", headerFromRandomAuthMethod(MANAGE_USER, PASS)));
+        return client().performRequest(request);
+    }
+
     protected void putRemoteClusterSettings(
         String clusterAlias,
         ElasticsearchCluster targetFulfillingCluster,

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityReloadCredentialsRestIT.java

@@ -78,6 +78,7 @@ public class RemoteClusterSecurityReloadCredentialsRestIT extends AbstractRemote
             })
             .rolesFile(Resource.fromClasspath("roles.yml"))
             .user(REMOTE_SEARCH_USER, PASS.toString(), "read_remote_shared_logs", false)
+            .user(MANAGE_USER, PASS.toString(), "manage_role", false)
             .build();
     }
 

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/resources/roles.yml

@@ -38,3 +38,6 @@ ccr_user_role:
     - names: [ 'leader-index', 'shared-*', 'metrics-*' ]
       privileges: [ 'cross_cluster_replication' ]
       clusters: [ "*" ]
+
+manage_role:
+  cluster: [ 'manage' ]

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -2202,13 +2202,19 @@ private void reloadRemoteClusterCredentials(Settings settingsWithKeystore) {
             return;
         }
 
-        final PlainActionFuture<ActionResponse.Empty> future = new UnsafePlainActionFuture<>(ThreadPool.Names.GENERIC);
-        getClient().execute(
-            ActionTypes.RELOAD_REMOTE_CLUSTER_CREDENTIALS_ACTION,
-            new TransportReloadRemoteClusterCredentialsAction.Request(settingsWithKeystore),
-            future
-        );
-        future.actionGet();
+        // Run this action in system context -- it was authorized upstream and should not be tied to end-user permissions
+        final ThreadContext ctx = getClient().threadPool().getThreadContext();
+        assert ctx != null : "Thread context must be set for reload call";
+        try (ThreadContext.StoredContext ignore = ctx.stashContext()) {
+            ctx.markAsSystemContext();
+            final PlainActionFuture<ActionResponse.Empty> future = new UnsafePlainActionFuture<>(ThreadPool.Names.GENERIC);
+            getClient().execute(
+                ActionTypes.RELOAD_REMOTE_CLUSTER_CREDENTIALS_ACTION,
+                new TransportReloadRemoteClusterCredentialsAction.Request(settingsWithKeystore),
+                future
+            );
+            future.actionGet();
+        }
     }
 
     public Map<String, String> getAuthContextForSlowLog() {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java

@@ -14,7 +14,6 @@
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.ActionModule;
 import org.elasticsearch.action.ActionResponse;
-import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.client.internal.Client;
 import org.elasticsearch.cluster.ClusterName;
 import org.elasticsearch.cluster.ClusterState;
@@ -960,8 +959,11 @@ public <T> List<T> loadExtensions(Class<T> extensionPointType) {
     public void testReload() throws Exception {
         final Settings settings = Settings.builder().put("xpack.security.enabled", true).put("path.home", createTempDir()).build();
 
-        final PlainActionFuture<ActionResponse.Empty> value = new PlainActionFuture<>();
+        final ThreadPool threadPool = mock(ThreadPool.class);
+        threadContext = new ThreadContext(Settings.EMPTY);
+        when(threadPool.getThreadContext()).thenReturn(threadContext);
         final Client mockedClient = mock(Client.class);
+        when(mockedClient.threadPool()).thenReturn(threadPool);
 
         final JwtRealm mockedJwtRealm = mock(JwtRealm.class);
         final List<ReloadableSecurityComponent> reloadableComponents = List.of(mockedJwtRealm);
@@ -992,11 +994,17 @@ protected List<ReloadableSecurityComponent> getReloadableSecurityComponents() {
         verify(mockedJwtRealm).reload(same(inputSettings));
     }
 
-    public void testReloadWithFailures() throws Exception {
+    public void testReloadWithFailures() {
         final Settings settings = Settings.builder().put("xpack.security.enabled", true).put("path.home", createTempDir()).build();
 
         final boolean failRemoteClusterCredentialsReload = randomBoolean();
+
+        final ThreadPool threadPool = mock(ThreadPool.class);
+        threadContext = new ThreadContext(Settings.EMPTY);
+        when(threadPool.getThreadContext()).thenReturn(threadContext);
         final Client mockedClient = mock(Client.class);
+        when(mockedClient.threadPool()).thenReturn(threadPool);
+
         final JwtRealm mockedJwtRealm = mock(JwtRealm.class);
         final List<ReloadableSecurityComponent> reloadableComponents = List.of(mockedJwtRealm);
         if (failRemoteClusterCredentialsReload) {