[Connector APIs] Enforce index prefix for managed connectors

[jedrazb]

Changes

For 9.x, Connectors will be deployed in an agentless environment. This means the Fleet service account will now be responsible for generating API keys, enabling the connector to read/write from connector state indices and interact with the content index (where data is synced by connector from the 3rd party data source).

To maintain granular permissions and avoid granting the Fleet service account access to all indices (e.g., *), it has been decided to restrict content index names to those prefixed with content-*.

This PR introduces restrictions and validations to ensure that Elastic-managed connectors (with isNative: true flag) can only attach to indices with the content- prefix. We validate index name on:

• connector creation
• index name update (e.g. native connector cannot have index name changed with illegal prefix)
• isNative property update (we need to first change the attached index to have content- then update the connector to native connector)

Additionally, the ConnectorIndexServiceTests have been unmuted. These tests have been stable for about a year. A few flaky runs (IMO not related to our test logic) had caused them to be muted earlier, but they now run successfully. We need to keep them active.

BCC approval

Relates to [Search Connectors] introduce "content-*" prefix requirement for Elastic-managed connectors dev issue that got green light from bcc.

Verification

• Verified API calls manually.
• YAML end-to-end tests.
• unit tests

[jedrazb]

I realised we would always set status CONFIGURED once changing the is_native flag - it's likely wrong, we got here because I copied logic from Kibana initially https://github.com/elastic/kibana/pull/175536/files

[seanstory]

nice catch.

[jedrazb]

content- index is first alphabetically so order of list API results changes (we sort by index_name by default)

[elasticsearchmachine]

Pinging @elastic/search-eng (Team:SearchOrg)

[elasticsearchmachine]

Pinging @elastic/search-extract-and-transform (Team:Search - Extract & Transform)

[jedrazb]

Rest compatibility failing because it's not a backward compatible change

[seanstory]

the relevant backwards compatibility change proposal is here: https://github.com/elastic/dev/issues/2932

[jedrazb]

This is a workaround for failing bcc changes #118260 (should be merged and backported first)

[jedrazb]

@elasticmachine merge upstream

[jedrazb]

@elasticmachine merge upstream

[elasticsearchmachine]

Hi @jedrazb, I've created a changelog YAML for you.

[jedrazb]

The ConnectorIndexServiceTests has been running fine for almost a year, I saw seemingly unrelated issue in the failed buildkite run that led to muting this

[kderusso]

Looks reasonable to me. Are there any BWC cases that we should be aware of/test? Also are there any docs updates required?

[timgrein]

Suggested change

	// Ensure attached content index is prefixed correctly
	if (isNative && indexName != null && isValidManagedConnectorIndexName(indexName) == false) {
	// Ensure attached content index is prefixed correctly
	boolean doesNotHaveContentPrefix = indexName != null && isValidManagedConnectorIndexName(indexName) == false
	if (isNative && doesNotHaveContentPrefix) {

Rationale: Cognitive load is what matters: complex conditionals

[jedrazb]

Good read! Thank you for linking

[timgrein]

Should this transition be guarded/validated through ConnectorStateMachine?