Lazy rollover causes writes to fail if writer lacks manage index privilege #104732

Closed
axw opened this issue Jan 25, 2024 · 3 comments · Fixed by #104905
Assignees
Labels
>bug :Data Management/Data streams Data streams and their lifecycles Team:Data Management Meta label for data/management team

Comments

@axw
Member

axw commented Jan 25, 2024

Elasticsearch Version

8.13.0-SNAPSHOT

Installed Plugins

No response

Java Version

bundled

OS Version

N/A

Problem Description

After a lazy rollover, document writes will start failing if the writer lacks index management privileges. This means that lazy rollover is not transparent to writers, and requires additional privileges of writers when compared to synchronous rollover.

Steps to Reproduce

ELASTICSEARCH_URL=http://admin:changeme@localhost:9200

# Create a data stream.
curl -XPUT "$ELASTICSEARCH_URL/_data_stream/logs-rollover-bug"

# Rollover the data stream lazily (URL quoted so the shell does not try to glob-expand "?lazy").
curl -XPOST "$ELASTICSEARCH_URL/logs-rollover-bug/_rollover?lazy"

# Create an API Key that can only auto_configure (create on index) data streams, and create documents. This matches what Fleet configures for Elastic Agent.
API_KEY=$(curl -XPOST -H Content-Type:application/json "$ELASTICSEARCH_URL/_security/api_key" --data-binary '{
  "name": "writer-key",
  "expiration": "1d",
  "role_descriptors": {
    "writer": {
      "indices": [
        {
          "names": ["logs-*"],
          "privileges": ["auto_configure", "create_doc"]
        }
      ]
    }
  }
}' | jq -r .encoded)

# Attempt to index a document. This will fail with an error about the `indices:admin/rollover` action.
curl -XPOST -H "Authorization: ApiKey $API_KEY" -H Content-Type:application/json "$ELASTICSEARCH_URL/logs-rollover-bug/_doc" --data '{"@timestamp": "2024-01-25"}'

Logs (if relevant)

{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/rollover] is unauthorized for API key id [pdmdP40BivS0Pj5zQ7AE] of user [admin] on indices [logs-rollover-bug], this action is granted by the index privileges [manage_follow_index,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/rollover] is unauthorized for API key id [pdmdP40BivS0Pj5zQ7AE] of user [admin] on indices [logs-rollover-bug], this action is granted by the index privileges [manage_follow_index,manage,all]"},"status":403}
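Added example, not code from the issue or from Elasticsearch: a small Python helper that tells this failure mode apart from an ordinary write denial by parsing the 403 body. It embeds the security_exception quoted above as its first sample; the second sample (a denied write action with a made-up key id and privilege list) is constructed here for contrast, the list of write endpoint suffixes is an assumption, and `privileges_to_add` only restates what the error message itself names as sufficient privileges, which is the over-privilege a writer would need pre-fix.

```python
import json
import re

# Privileges held by the writer key in the reproduction above (Fleet-style).
WRITER_PRIVILEGES = ("auto_configure", "create_doc")

ROLLOVER_ACTION = "indices:admin/rollover"
WRITE_ACTION_PREFIX = "indices:data/write/"
# Assumption: request paths ending in (or containing) these are document writes.
WRITE_ENDPOINTS = ("/_doc", "/_create", "/_bulk")

# Sample 1: the 403 body quoted in the issue, embedded so this runs offline.
LAZY_ROLLOVER_403 = (
    '{"error":{"root_cause":[{"type":"security_exception","reason":"action '
    '[indices:admin/rollover] is unauthorized for API key id [pdmdP40BivS0Pj5zQ7AE] '
    'of user [admin] on indices [logs-rollover-bug], this action is granted by the '
    'index privileges [manage_follow_index,manage,all]"}],"type":"security_exception",'
    '"reason":"action [indices:admin/rollover] is unauthorized for API key id '
    '[pdmdP40BivS0Pj5zQ7AE] of user [admin] on indices [logs-rollover-bug], this '
    'action is granted by the index privileges [manage_follow_index,manage,all]"},'
    '"status":403}'
)

# Sample 2 (constructed, hypothetical): same message shape, but the write action
# itself is denied, as for a key with no write privilege at all.
PLAIN_WRITE_403 = json.dumps({
    "error": {
        "root_cause": [],
        "type": "security_exception",
        "reason": "action [indices:data/write/index] is unauthorized for API key id "
                  "[constructed0000000000] of user [admin] on indices [logs-rollover-bug], "
                  "this action is granted by the index privileges [create_doc,create,index,write,all]",
    },
    "status": 403,
})

# Shape of the "reason" string in an index-privilege security_exception.
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for "
    r"(?P<principal>.+?) on indices \[(?P<indices>[^\]]*)\], "
    r"this action is granted by the index privileges \[(?P<privs>[^\]]*)\]"
)
API_KEY_RE = re.compile(r"API key id \[(?P<key>[^\]]+)\] of user \[(?P<user>[^\]]+)\]")


def parse_security_exception(body: str):
    """Return the parsed denial, or None if body is not an index-privilege 403."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    err = doc.get("error") or {}
    if doc.get("status") != 403 or err.get("type") != "security_exception":
        return None
    m = REASON_RE.search(err.get("reason", ""))
    if not m:
        return None
    principal = m.group("principal")
    key = API_KEY_RE.search(principal)
    split = lambda s: [p.strip() for p in s.split(",") if p.strip()]
    return {
        "action": m.group("action"),
        "api_key_id": key.group("key") if key else None,
        "user": key.group("user") if key else principal,
        "indices": split(m.group("indices")),
        "granting_privileges": split(m.group("privs")),
    }


def classify_denial(body: str, request_path: str) -> str:
    """Label a 403 returned to a document-write request.

    'lazy-rollover-privilege-gap': the client only wrote a document, but the
        pending lazy rollover ran on the client's credentials and was denied.
    'write-privilege-gap': the write action itself was denied.
    'other': non-403, different action, or unparseable body.
    """
    parsed = parse_security_exception(body)
    if parsed is None:
        return "other"
    path = request_path.split("?", 1)[0].rstrip("/")
    is_write = any(path.endswith(s) or f"{s}/" in path for s in WRITE_ENDPOINTS)
    if is_write and parsed["action"] == ROLLOVER_ACTION:
        return "lazy-rollover-privilege-gap"
    if parsed["action"].startswith(WRITE_ACTION_PREFIX):
        return "write-privilege-gap"
    return "other"


def privileges_to_add(parsed: dict, held) -> list:
    """Privileges the error names as sufficient that the role does not hold.
    Granting any one of them to a writer is the extra privilege the issue objects to."""
    return [p for p in parsed["granting_privileges"] if p not in set(held)]


if __name__ == "__main__":
    parsed = parse_security_exception(LAZY_ROLLOVER_403)
    print(classify_denial(LAZY_ROLLOVER_403, "/logs-rollover-bug/_doc"))
    print(privileges_to_add(parsed, WRITER_PRIVILEGES))
```

Run against a shipper's error log, `classify_denial` separates writers that genuinely lack `create_doc` from writers that only tripped over a pending lazy rollover, which is the case this issue (and the fix referenced below, which moves the rollover onto a dedicated internal user) is about.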

@axw axw added >bug needs:triage Requires assignment of a team area label labels Jan 25, 2024
@mattc58 mattc58 added the Team:Data Management Meta label for data/management team label Jan 25, 2024
@elasticsearchmachine elasticsearchmachine removed the Team:Data Management Meta label for data/management team label Jan 25, 2024
@mattc58 mattc58 added :Data Management/Data streams Data streams and their lifecycles Team:Data Management Meta label for data/management team labels Jan 25, 2024
@elasticsearchmachine elasticsearchmachine removed the needs:triage Requires assignment of a team area label label Jan 25, 2024
@elasticsearchmachine
Collaborator

Pinging @elastic/es-data-management (Team:Data Management)

elasticsearchmachine pushed a commit that referenced this issue Jan 26, 2024
Reverts #104597

Reverting due to #104732,
will reinstate it when the bug is fixed.
@kpollich
Member

Hello @elastic/es-data-management - would we be able to get a sense for the level of priority on this ask? Is this likely to land in 8.13 or 8.14? We'd like to determine when we can un-revert elastic/kibana#174790 to make Fleet's rollover process lazy. This will greatly improve Fleet's stability when it comes to integration upgrades, so we're eager to get that change in, but it's blocked by this issue on the ES side.

Thanks for taking a look!

@mattc58
Contributor

mattc58 commented Jan 29, 2024

Hey @kpollich we'll be doing this for 8.13.0. Thanks for the ping on it.

gmarouli added a commit to gmarouli/elasticsearch that referenced this issue Jan 30, 2024
gmarouli added a commit that referenced this issue Feb 7, 2024
The unconditional rollover that is a consequence of a lazy rollover command is triggered by the creation of a document. In many cases, the user triggering this rollover won't have sufficient privileges to ensure the successful execution of this rollover. For this reason, we introduce a dedicated rollover action and a dedicated internal user to cover this case and enable this functionality.
elasticsearchmachine pushed a commit that referenced this issue Feb 9, 2024
…105273)

Reverts #104734.
#104732 has been fixed,
so it's safe to use lazy rollovers now.

Fixes #104083
juliaElastic added a commit to elastic/kibana that referenced this issue Feb 9, 2024
## Summary

Add back changes in #174790 after
elastic/elasticsearch#104732 is fixed

Resolve #174480

Co-authored-by: Nicolas Chaulet <nicolas.chaulet@elastic.co>
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this issue Feb 15, 2024
fkanout pushed a commit to fkanout/kibana that referenced this issue Mar 4, 2024