ESQL: Prevent search functions work with a non-STANDARD index

[bpintea]

This introduces verifications to prevent search functions work on fields introduced by a LOOKUP JOIN righthand-side index.

This should be a temporary fix until we can either push these filters down also on the righthand-side of a JOIN or have these functions execute within the engine.

Closes #130561
Closes #129778

[elasticsearchmachine]

Hi @bpintea, I've created a changelog YAML for you.

[elasticsearchmachine]

Hi @bpintea, I've updated the changelog YAML for you.

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)

[carlosdelest]

have these functions execute within the engine.

@bpintea search functions can be executed within the compute engine. Is there something specific we should do on the LOOKUP JOIN side for the engine to use them?

[carlosdelest]

LGTM from the prevention side - Would like to know more about how we can enable these functions in LOOKUP JOIN 🙂

[bpintea]

Is there something specific we should do on the LOOKUP JOIN side for the engine to use them?

@carlosdelest, it looks like it'll require dedicated work: from the quick look I had, the ShardContext that the evaluators use refer the lefthand-side of the JOIN index only. So the search functions queries end up as MatchNoDocsQuery. And that's why they do execute "fine", but never match.

PS. Since (some of?) these can be evaluated internally, should we enable the EVAL-uation on them? Or having them run on a computed field (ex. | EVAL foo = CONCAT(...) | WHERE MATCH(foo, ...))?

[carlosdelest]

the ShardContext that the evaluators use refer the lefthand-side of the JOIN index only. So the search functions queries end up as MatchNoDocsQuery. And that's why they do execute "fine", but never match.

Got it, thanks! 👍

PS. Since (some of?) these can be evaluated internally, should we enable the EVAL-uation on them?

We could. There are a number of restrictions that we're looking to lift.

Or having them run on a computed field (ex. | EVAL foo = CONCAT(...) | WHERE MATCH(foo, ...))?

That's trickier - full text functions still depend on Lucene, even when being evaluated on the compute engine, so they depend on the field being indexed.

We could implement them on a computed field in case we created a Lucene in-memory index - something doable, but it hasn't been prioritized yet.

[bpintea]

That's trickier - full text functions still depend on Lucene, even when being evaluated on the compute engine, so they depend on the field being indexed.

Right, right. I think EVAL'ing might be handier, this the computed-value idea can wait (also for broader consensus for such a need).

[alex-spies]

Thanks a lot @bpintea ! Only minor comments from me, please consider them at your own discretion.

[alex-spies]

Wouldn't it be more efficient to do esRelation.outputSet().contains(fieldAttribute)?

[bpintea]

It would, ofc, thx!

[alex-spies]

nit: a more natural placement would maybe be inside FullTextFunction rather than Match, as other non-inheritors of Match also reach for this method?

[bpintea]

Yes, was a lost intention, thanks.

[alex-spies]

question: why is fieldSupplier a supplier, rather than using a simple Expression? Seems like we hand it () -> field every time.

[bpintea]

It no longer needs to, refactored.

[bpintea]

Thanks Carlos, Alex!

[elasticsearchmachine]

💔 Backport failed

Status	Branch	Result
✅	9.1
❌	8.19	Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 130638