Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move Security to use auto-managed system indices #68375

Merged
merged 10 commits into from
Feb 9, 2021
Merged

Move Security to use auto-managed system indices #68375

merged 10 commits into from
Feb 9, 2021

Conversation

pugnascotia
Copy link
Contributor

Backport of #67114. Part of #61656.

Change the Security plugin so that its system indices are managed automatically
by the system indices infrastructure.

Also add an origin field to CreateIndexRequest and UpdateSettingsRequest.

@pugnascotia
Move Security to use auto-managed system indices
70a1472 
Backport of elastic#67114. Part of elastic#61656.

Change the Security plugin so that its system indices are managed automatically
by the system indices infrastructure.

Also add an `origin` field to `CreateIndexRequest` and `UpdateSettingsRequest`.
@pugnascotia pugnascotia added >refactoring :Security/Security Security issues without another label backport v7.12.0 labels Feb 2, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Feb 2, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@mark-vieira
Copy link
Contributor

@elasticmachine update branch

@pugnascotia
Copy link
Contributor Author

@jaymode / @albertzaharovits there was a test failure in this backport:

https://gradle-enterprise.elastic.co/s/2vx2uqtnhvfc6/tests/:x-pack:qa:rolling-upgrade:v6.8.14%23oneThirdUpgradedTest/org.elasticsearch.upgrades.UpgradeClusterClientYamlTestSuiteIT/test%20%7Bp0=mixed_cluster%2F120_api_key_auth%2FTest%20API%20key%20authentication%20will%20work%20in%20a%20mixed%20cluster%7D#1

I think it's legitimate but it's intermittent - looks like in an upgrade scenario, a test tried to create an API key, but it couldn't because the mappings on .security weren't updated yet from the 6.8 mappings, so they lacked a mapping for realm_type. This situation would have worked before, because although strict mapping was in effect, the SecurityIndexManager would have upgraded the mappings before indexing a document.

I could reinstate that behaviour in SecurityIndexManager, but then:

  • It would be doing something different to SystemIndexManager
  • What mappings should it apply in mixed version cluster?

Or, I could change ApiKeyService to only index the realm_type field if the .security index has a mapping for realm_type. I'm not sure what I think about that.

Thoughts appreciated.

@jaymode
Copy link
Member

jaymode commented Feb 4, 2021

In these situations, I would prefer to be able to support these features in a mixed version cluster if the changes to the index can be applied (the index change doesn't require a feature only available in a new version). For the purposes of this PR, I'd put the behavior into SecurityIndexManager.

As a later TODO I think we could generalize this behavior into a special system index class/client that would enable non-breaking updates during rolling upgrades independent of the master version.

@albertzaharovits
Copy link
Contributor

For the purposes of this PR, I'd put the behavior into SecurityIndexManager.

I agree.
Looks like in 7.x, in a mixed scenario from 6.8, creating an API key on the new node and then another new APi key on some old node my turn up to be problematic. For this reason, I would maintain the existing behavior. I'll take it to investigate and raise an issue.

jaymode
jaymode reviewed Feb 5, 2021
View reviewed changes
...in/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityIndexManager.java Outdated
@@ -219,6 +226,19 @@ private boolean checkIndexAvailable(ClusterState state) {
}
}

private boolean checkIndexMappingUpToDate(ClusterState clusterState) {
return checkIndexMappingVersionMatches(clusterState, Version.CURRENT::equals);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be onOrAfter?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, good catch 👍

jaymode
jaymode approved these changes Feb 8, 2021
View reviewed changes
Copy link
Member

@jaymode jaymode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left one comment, but otherwise LGTM

.../src/main/java/org/elasticsearch/action/admin/indices/create/TransportCreateIndexAction.java
// different mappings, settings etc. This is so that rolling upgrade scenarios still work.
// We check this via the request's origin. Eventually, `SystemIndexManager` will reconfigure
// the index to the latest settings.
if (isSystemIndex && Strings.isNullOrEmpty(request.origin())) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty minor but request.origin() should never be null based on my reading of the code. Is this correct? If it should never be null, then I believe we should just call request.origin().isEmpty() here and the other two places.

@pugnascotia pugnascotia merged commit 9d38152 into elastic:7.x Feb 9, 2021
@pugnascotia pugnascotia deleted the 61656-auto-create-security-7x branch February 9, 2021 09:46
pugnascotia added a commit to pugnascotia/elasticsearch that referenced this pull request Feb 9, 2021
@pugnascotia
Allow SecurityIndexManager to update mappings
4dbf80a 
While backporting elastic#67114 via elastic#68375, I realised that there are existing
upgrade scenarios that expect the `SecurityIndexManager` to update index
mappings, so in the backport PR, this capability was reinstated. This
commit does the same in `master`.
This was referenced Feb 9, 2021
Merged
Merged
pugnascotia added a commit that referenced this pull request Feb 9, 2021
@pugnascotia
Fix version compat in CreateIndexRequest/UpdateSettingsRequest (#68736)
c894a4f 
I forgot to update the serialisation version checks in `CreateIndexRequest`
and `UpdateSettingsRequest` after merging the backport #68375. Fix it.
@javanna javanna mentioned this pull request Feb 9, 2021
Closed
pugnascotia added a commit that referenced this pull request Feb 9, 2021
@pugnascotia
Allow SecurityIndexManager to update index mappings (#68729)
dd2e1d7 
While backporting #67114 via #68375, I realised that there are existing
upgrade scenarios that expect the `SecurityIndexManager` to update index
mappings, so in the backport PR, this capability was reinstated. This
commit does the same in `master`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaymode jaymode jaymode approved these changes

@albertzaharovits albertzaharovits Awaiting requested review from albertzaharovits

Assignees
No one assigned
Labels
backport >refactoring :Security/Security Security issues without another label Team:Security Meta label for security team v7.12.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pugnascotia @elasticmachine @mark-vieira @jaymode @albertzaharovits