Alias to closed index when Security is enabled

[albertzaharovits]

When security is enabled (xpack.security.enabled: true and license is non basic) Indices requests with wildcard patterns might touch closed indices and throw. This happens if the wildcard (incl _all) includes an alias (that is authorized for the user) and the alias points to a closed index.
For example

PUT /foo
{
  "settings": {
    "number_of_replicas": 0,
    "number_of_shards": 1
  },
  "aliases": {
    "bar": {}
  }
}
POST /foo/_close
GET /_stats

IndexClosedException[closed]
org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:216)
org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndexNames(IndexNameExpressionResolver.java:138)
org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndexNames(IndexNameExpressionResolver.java:71)
org.elasticsearch.action.support.broadcast.node.TransportBroadcastByNodeAction$AsyncAction.<init>(TransportBroadcastByNodeAction.java:253)
org.elasticsearch.action.support.broadcast.node.TransportBroadcastByNodeAction.doExecute(TransportBroadcastByNodeAction.java:226)

The writing is on the wall #31520 (comment)
and

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java

Line 420 in 5afcbb8

//TODO investigate supporting expandWildcards option for aliases too, like es core does.

In detail, when security is enable it will pre-expand wildcards to indices and aliases that are authorized for the user. When expanding indices it's simple to check and not expand to closed indices. However an authorized alias can point to closed and open indices.

I think the root problem is that when we expand wildcards to concrete aliases it comes to the core as if the user specifically requested this alias, when in fact it requested a wildcard, which the core will otherwise gracefully expand only to the open indices.

CC @javanna @talevy

[elasticmachine]

Pinging @elastic/es-security

[albertzaharovits]

I can own this but I am not sure yet of the fix. Suggestions are welcome.

[javanna]

The problem here is that in security, we don't want to expand aliases to their concrete indices, as roles may be set up for aliases (to allow for document level security through filtered aliases) rather than their concrete indices. When you have an alias that points to multiple indices, and e.g. one is open while the other is closed, we have to decide what to do with the alias: Elasticsearch would expand that alias to only the opened index, and silently leave the closed index out. But Security has to either leave the alias (what it does today causing the error) or leave it out but then the opened index would be ignored which is a bug too.

I've seen this come up in the past, see #32238 which looks like the same issue. The solution to this would be to switch to authorizing indices names only (see #29874).

[jaymode]

@albertzaharovits I am closing this as a duplicate of #32238. As @javanna said, the solution is authorizing indices only, which I believe you plan to work on.