Skip to content

Comments

Mark empty _terms_enum results due to DLS as incomplete (#91720)#2

Open
MitchLewis930 wants to merge 1 commit intopr_012_beforefrom
pr_012_after
Open

Mark empty _terms_enum results due to DLS as incomplete (#91720)#2
MitchLewis930 wants to merge 1 commit intopr_012_beforefrom
pr_012_after

Conversation

@MitchLewis930
Copy link

@MitchLewis930 MitchLewis930 commented Jan 31, 2026

PR_012

Mark empty _terms_enum results due to DLS as incomplete (elastic#91720
635a4fe 
)

Today `_terms_enum` returns empty results for indices with document level
security. Elasticsearch should return some hint in case the user hits empty
results due to DLS limitation so the caller (ie. Kibana) can fall back to other
strategies or notify the user with some appropriate error message.

This changes the behaviour of the NodeTransportHandler so that it returns a
NodeTermsEnumResponse with an error indication. The resulting API response will
flag the enum as "incomplete" and list the error in the shard errors section.
Clients can choose to react to this in the appropriate way.

Closes elastic#88321
@MitchLewis930 MitchLewis930 requested a review from Copilot January 31, 2026 00:35
Copilot AI reviewed Jan 31, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR modifies the _terms_enum API behavior when Document Level Security (DLS) or Field Level Security (FLS) restrictions prevent access to shards. When DLS/FLS restrictions apply, the API now returns an incomplete result with shard failure information instead of silently returning empty results.

Changes:

  • Modified TransportTermsEnumAction to return incomplete responses with explicit error messages when DLS/FLS restrictions block shard access
  • Updated YAML REST API tests to verify the new incomplete response behavior with appropriate shard failure metadata
  • Added changelog entry documenting the enhancement

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
TransportTermsEnumAction.java Added logic to return incomplete response with error message when DLS/FLS restricts shard access
10_basic.yml Added test assertions verifying incomplete responses and shard failures for DLS/FLS scenarios
91720.yaml Added changelog entry for the enhancement

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

...re/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java
+ "DLS/FLS security restrictions.",
false
)
);
Copy link

Copilot AI Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The method returns early when canAccess fails but doesn't return from the method, allowing execution to continue to line 731. This should include a return statement after listener.onResponse() to prevent further processing.

Suggested change
);
);
return;

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MitchLewis930