Remove resolve fields action from read_cross_cluster (elastic#111643)

The `indices:data/read/esql/resolve_fields` action is already granted by `read`, and therefore is not necessary to be included in `read_cross_cluster`. Since both privileges are required for ES|QL with CCS it's safe to omit from `read_cross_cluster`. It was added provisionally in elastic#110738, but there are subtle implications that make the permissions model of ES|QL slightly more confusing when used with aliases and indices, so this PR removes it.
leemthompo · Aug 7, 2024 · b0a486d · b0a486d
1 parent b7ccf43
commit b0a486d
Showing 1 changed file with 0 additions and 1 deletion.
diff --git a/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java b/...e/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java
@@ -86,7 +86,6 @@ public final class IndexPrivilege extends Privilege {
         TransportClusterSearchShardsAction.TYPE.name(),
         TransportSearchShardsAction.TYPE.name(),
         TransportResolveClusterAction.NAME,
-        "indices:data/read/esql/resolve_fields",
         "indices:data/read/esql",
         "indices:data/read/esql/compute"
     );