EQL: Add the ability for EQL to perform CCSes (#74399)

This introduces the ability for EQL to perform searches on a remote cluster, leveraging ES's CCS capabilities.

The remote cluster needs to be on the same version as the local cluster.

Author: bpintea

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/BaseEqlSpecTestCase.java

@@ -14,7 +14,6 @@
 import org.elasticsearch.client.RequestOptions;
 import org.elasticsearch.client.ResponseException;
 import org.elasticsearch.client.RestClient;
-import org.elasticsearch.client.RestClientBuilder;
 import org.elasticsearch.client.RestHighLevelClient;
 import org.elasticsearch.client.eql.EqlSearchRequest;
 import org.elasticsearch.client.eql.EqlSearchResponse;
@@ -24,21 +23,18 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.logging.LoggerMessageFormat;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.core.TimeValue;
-import org.elasticsearch.test.rest.ESRestTestCase;
 import org.junit.AfterClass;
 import org.junit.Before;
 
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 import java.util.StringJoiner;
 
 import static java.util.stream.Collectors.toList;
 
-public abstract class BaseEqlSpecTestCase extends ESRestTestCase {
+public abstract class BaseEqlSpecTestCase extends RemoteClusterAwareEqlRestTestCase {
 
     protected static final String PARAM_FORMATTING = "%2$s";
 
@@ -51,15 +47,16 @@ public abstract class BaseEqlSpecTestCase extends ESRestTestCase {
 
     @Before
     public void setup() throws Exception {
-        if (client().performRequest(new Request("HEAD", "/" + index)).getStatusLine().getStatusCode() == 404) {
-            DataLoader.loadDatasetIntoEs(highLevelClient(), this::createParser);
+        RestClient provisioningClient = provisioningClient();
+        if (provisioningClient.performRequest(new Request("HEAD", "/" + unqualifiedIndexName())).getStatusLine().getStatusCode() == 404) {
+            DataLoader.loadDatasetIntoEs(highLevelClient(provisioningClient), this::createParser);
         }
     }
 
     @AfterClass
     public static void wipeTestData() throws IOException {
         try {
-            adminClient().performRequest(new Request("DELETE", "/*"));
+            provisioningAdminClient().performRequest(new Request("DELETE", "/*"));
         } catch (ResponseException e) {
             // 404 here just means we had no indexes
             if (e.getResponse().getStatusLine().getStatusCode() != 404) {
@@ -144,12 +141,7 @@ protected EqlClient eqlClient() {
 
     private RestHighLevelClient highLevelClient() {
         if (highLevelClient == null) {
-            highLevelClient = new RestHighLevelClient(
-                    client(),
-                    ignore -> {
-                    },
-                    Collections.emptyList()) {
-            };
+            highLevelClient = highLevelClient(client());
         }
         return highLevelClient;
     }
@@ -204,17 +196,7 @@ protected boolean preserveClusterUponCompletion() {
 
     @Override
     protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException {
-        RestClientBuilder builder = RestClient.builder(hosts);
-        configureClient(builder, settings);
-
-        int timeout = Math.toIntExact(timeout().millis());
-        builder.setRequestConfigCallback(
-            requestConfigBuilder -> requestConfigBuilder.setConnectTimeout(timeout)
-                .setConnectionRequestTimeout(timeout)
-                .setSocketTimeout(timeout)
-        );
-        builder.setStrictDeprecationMode(true);
-        return builder.build();
+        return clientBuilder(settings, hosts);
     }
 
     protected String timestamp() {
@@ -240,7 +222,9 @@ protected String requestResultPosition() {
         return randomBoolean() ? "head" : "tail";
     }
 
-    protected TimeValue timeout() {
-        return TimeValue.timeValueSeconds(10);
+    // strip any qualification from the received index string
+    private String unqualifiedIndexName() {
+        int offset = index.indexOf(':');
+        return offset >= 0 ? index.substring(offset + 1) : index;
     }
 }

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/EqlDateNanosSpecTestCase.java

@@ -21,8 +21,14 @@ public static List<Object[]> readTestSpecs() throws Exception {
         return asArray(EqlSpecLoader.load("/test_queries_date_nanos.toml", new HashSet<>()));
     }
 
+    // constructor for "local" rest tests
     public EqlDateNanosSpecTestCase(String query, String name, long[] eventIds) {
-        super(DATE_NANOS_INDEX, query, name, eventIds);
+        this(DATE_NANOS_INDEX, query, name, eventIds);
+    }
+
+    // constructor for multi-cluster tests
+    public EqlDateNanosSpecTestCase(String index, String query, String name, long[] eventIds) {
+        super(index, query, name, eventIds);
     }
 
     @Override

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/EqlExtraSpecTestCase.java

@@ -21,8 +21,14 @@ public static List<Object[]> readTestSpecs() throws Exception {
         return asArray(EqlSpecLoader.load("/test_extra.toml", new HashSet<>()));
     }
 
+    // constructor for "local" rest tests
     public EqlExtraSpecTestCase(String query, String name, long[] eventIds) {
-        super(TEST_EXTRA_INDEX, query, name, eventIds);
+        this(TEST_EXTRA_INDEX, query, name, eventIds);
+    }
+
+    // constructor for multi-cluster tests
+    public EqlExtraSpecTestCase(String index, String query, String name, long[] eventIds) {
+        super(index, query, name, eventIds);
     }
 
     @Override

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/EqlRestTestCase.java

@@ -10,10 +10,8 @@
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.Response;
 import org.elasticsearch.client.ResponseException;
-import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.common.xcontent.json.JsonXContent;
-import org.elasticsearch.test.rest.ESRestTestCase;
 import org.junit.After;
 
 import java.io.IOException;
@@ -27,7 +25,7 @@
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
 
-public abstract class EqlRestTestCase extends ESRestTestCase {
+public abstract class EqlRestTestCase extends RemoteClusterAwareEqlRestTestCase {
 
     private static final String defaultValidationIndexName = "eql_search_validation_test";
     private static final String validQuery = "process where user = \\\"SYSTEM\\\"";
@@ -49,11 +47,11 @@ public void checkSearchContent() throws Exception {
     };
 
     public void testBadRequests() throws Exception {
-        createIndex(defaultValidationIndexName, Settings.EMPTY);
+        createIndex(defaultValidationIndexName, (String) null);
 
         final String contentType = "application/json";
         for (String[] test : testBadRequests) {
-            final String endpoint = "/" + defaultValidationIndexName + "/_eql/search";
+            final String endpoint = "/" + indexPattern(defaultValidationIndexName) + "/_eql/search";
             Request request = new Request("GET", endpoint);
             request.setJsonEntity(test[0]);
 
@@ -70,8 +68,8 @@ public void testBadRequests() throws Exception {
 
     @SuppressWarnings("unchecked")
     public void testIndexWildcardPatterns() throws Exception {
-        createIndex("test1", Settings.EMPTY, null, "\"my_alias\" : {}, \"test_alias\" : {}");
-        createIndex("test2", Settings.EMPTY, null, "\"my_alias\" : {}");
+        createIndex("test1", "\"my_alias\" : {}, \"test_alias\" : {}");
+        createIndex("test2", "\"my_alias\" : {}");
 
         StringBuilder bulk = new StringBuilder();
         bulk.append("{\"index\": {\"_index\": \"test1\", \"_id\": 1}}\n");
@@ -86,7 +84,7 @@ public void testIndexWildcardPatterns() throws Exception {
         };
 
         for (String indexPattern : wildcardRequests) {
-            String endpoint = "/" + indexPattern + "/_eql/search";
+            String endpoint = "/" + indexPattern(indexPattern) + "/_eql/search";
             Request request = new Request("GET", endpoint);
             request.setJsonEntity("{\"query\":\"process where true\"}");
             Response response = client().performRequest(request);
@@ -108,7 +106,7 @@ public void testIndexWildcardPatterns() throws Exception {
 
     @SuppressWarnings("unchecked")
     public void testUnicodeChars() throws Exception {
-        createIndex("test", Settings.EMPTY, null, null);
+        createIndex("test", (String) null);
 
         StringBuilder bulk = new StringBuilder();
         bulk.append("{\"index\": {\"_index\": \"test\", \"_id\": 1}}\n");
@@ -117,7 +115,7 @@ public void testUnicodeChars() throws Exception {
         bulk.append("{\"event\":{\"category\":\"process\"},\"@timestamp\":\"2020-09-05T12:34:57Z\",\"log\" : \"prefix_𖠋_suffix\"}\n");
         bulkIndex(bulk.toString());
 
-        String endpoint = "/test/_eql/search";
+        String endpoint = "/" + indexPattern("test") + "/_eql/search";
         Request request = new Request("GET", endpoint);
         request.setJsonEntity("{\"query\":\"process where log==\\\"prefix_\\\\u{0eb}_suffix\\\"\"}");
         Response response = client().performRequest(request);
@@ -150,9 +148,13 @@ private void bulkIndex(String bulk) throws IOException {
         bulkRequest.setJsonEntity(bulk);
         bulkRequest.addParameter("refresh", "true");
 
-        Response response = client().performRequest(bulkRequest);
+        Response response = provisioningClient().performRequest(bulkRequest);
         assertThat(response.getStatusLine().getStatusCode(), equalTo(200));
         String bulkResponse = EntityUtils.toString(response.getEntity());
         assertThat(bulkResponse, not(containsString("\"errors\": true")));
     }
+
+    protected String indexPattern(String pattern) {
+        return pattern;
+    }
 }

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/EqlRestValidationTestCase.java

@@ -11,10 +11,8 @@
 import org.elasticsearch.client.Response;
 import org.elasticsearch.client.ResponseException;
 import org.elasticsearch.common.Strings;
-import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.json.JsonXContent;
-import org.elasticsearch.test.rest.ESRestTestCase;
 import org.junit.Before;
 
 import java.io.IOException;
@@ -24,7 +22,7 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 
-public abstract class EqlRestValidationTestCase extends ESRestTestCase {
+public abstract class EqlRestValidationTestCase extends RemoteClusterAwareEqlRestTestCase {
 
     private static final String indexName = "test_eql";
     protected static final String[] existentIndexWithWildcard = new String[] {indexName + ",inexistent*", indexName + "*,inexistent*",
@@ -35,8 +33,8 @@ public abstract class EqlRestValidationTestCase extends ESRestTestCase {
 
     @Before
     public void prepareIndices() throws IOException {
-        if (client().performRequest(new Request("HEAD", "/" + indexName)).getStatusLine().getStatusCode() == 404) {
-            createIndex(indexName, Settings.EMPTY);
+        if (provisioningClient().performRequest(new Request("HEAD", "/" + indexName)).getStatusLine().getStatusCode() == 404) {
+            createIndex(indexName, (String) null);
         }
 
         Object[] fieldsAndValues = new Object[] {"event_type", "my_event", "@timestamp", "2020-10-08T12:35:48Z", "val", 0};
@@ -47,9 +45,9 @@ public void prepareIndices() throws IOException {
         document.endObject();
         final Request request = new Request("POST", "/" + indexName + "/_doc/" + 0);
         request.setJsonEntity(Strings.toString(document));
-        assertOK(client().performRequest(request));
+        assertOK(provisioningClient().performRequest(request));
 
-        assertOK(adminClient().performRequest(new Request("POST", "/" + indexName + "/_refresh")));
+        assertOK(provisioningAdminClient().performRequest(new Request("POST", "/" + indexName + "/_refresh")));
     }
 
     protected abstract String getInexistentIndexErrorMessage();
@@ -82,7 +80,7 @@ public void testAllowNoIndicesOption() throws IOException {
 
     protected void assertErrorMessages(String[] indices, String reqParameter, String errorMessage) throws IOException {
         for (String indexName : indices) {
-            assertErrorMessage(indexName, reqParameter, errorMessage + "[" + indexName + "]");
+            assertErrorMessage(indexName, reqParameter, errorMessage + "[" + indexPattern(indexName) + "]");
         }
     }
 
@@ -95,7 +93,7 @@ protected void assertErrorMessage(String indexName, String reqParameter, String
     }
 
     private Request createRequest(String indexName, String reqParameter) throws IOException {
-        final Request request = new Request("POST", "/" + indexName + "/_eql/search" + reqParameter);
+        final Request request = new Request("POST", "/" + indexPattern(indexName) + "/_eql/search" + reqParameter);
         request.setJsonEntity(Strings.toString(JsonXContent.contentBuilder()
             .startObject()
             .field("event_category_field", "event_type")
@@ -112,4 +110,8 @@ private void assertValidRequestOnIndices(String[] indices, String reqParameter)
             assertOK(response);
         }
     }
+
+    protected String indexPattern(String index) {
+        return index;
+    }
 }

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/EqlSpecTestCase.java

@@ -34,7 +34,13 @@ protected String tiebreaker() {
         return "serial_event_id";
     }
 
+    // constructor for "local" rest tests
     public EqlSpecTestCase(String query, String name, long[] eventIds) {
-        super(TEST_INDEX, query, name, eventIds);
+        this(TEST_INDEX, query, name, eventIds);
+    }
+
+    // constructor for multi-cluster tests
+    public EqlSpecTestCase(String index, String query, String name, long[] eventIds) {
+        super(index, query, name, eventIds);
     }
 }