Unable to read/delete system data streams #92271

Open
andreidan opened this issue Dec 12, 2022 · 2 comments
Labels
>bug :Core/Infra/Core Core issues without another label Team:Core/Infra Meta label for core/infra team v8.6.3 v9.0.0

Comments

@andreidan
Contributor

andreidan commented Dec 12, 2022

Elasticsearch Version

All 8.x series

Installed Plugins

No response

Java Version

bundled

OS Version

Darwin

Problem Description

Trying to read or delete a system data stream yields

GET .ds-.fleet-actions-results-2022.12.08-000001/_settings

DELETE _data_stream/.fleet-actions-results

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "Data stream(s) [.fleet-actions-results] use and access is reserved for system operations"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "Data stream(s) [.fleet-actions-results] use and access is reserved for system operations"
  },
  "status": 400
}

System indices are not affected.

Steps to Reproduce

We only have one feature state that has a system data stream - the fleet
feature state - the .fleet-actions-results one.

To reproduce, enroll a fleet agent and have it send some data to fleet (maybe
using the system integration).
We'll need to perform an action for the .fleet-actions-results system data stream
to be created - I navigated to Agents under Management > Fleet and added
some tags to the agent (click on the ... on the right-hand side for the agent you
enrolled).

Have a custom role to be sure we can delete system resources:

POST /_security/role/everything_everywhere_all_at_once
{
  "run_as": [ "test" ],
  "cluster": [ "all" ],
  "indices": [
    {
      "names": [ "*" ],
      "privileges": [ "all" ],
      "allow_restricted_indices": true
    }
  ]
}

And assign this role and superuser to a user.

Using the user with these roles, attempt to get the _settings for the backing index
or to delete the .fleet-actions-results data stream:

GET .ds-.fleet-actions-results-2022.12.08-000001/_settings

DELETE _data_stream/.fleet-actions-results

Logs (if relevant)

No response

@andreidan andreidan added >bug :Core/Infra/Core Core issues without another label v8.6.1 v8.7.0 labels Dec 12, 2022
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Dec 12, 2022
@elasticsearchmachine
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@stefnestor
Contributor

Linking earlier escalation: #89261
