-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
6.4.0-SNAPSHOT fails get all aliases with security enabled and no indices exist #31516
Comments
Pinging @elastic/es-core-infra |
@dakrone are you sure that you get the same behaviour with get mappings? I wouldn't expect that. There are limitations when security is enabled, that are documented in our docs: "While creating or retrieving aliases by providing wildcard expressions for alias names, if there are no existing authorized aliases that match the wildcard expression provided an IndexNotFoundException is returned.". The get aliases API is subject to this. Before #31308 the get alias API didn't require In hindsight, this is the behaviour that we should have always seen from the get alias API, in fact before removing This could be seen as a regression, but my personal opinion is that it was a bugfix and this behaviour, although not desirable, is known and documented, it was a mistake that the API didn't behave consistently depending on the provided parameters. We can look as a follow-up at possibly improving this overall behaviour of the get alias API, similar to what we did in 5.0 for indices (we used to have the same limitation around indices but that was fixed), I think we have a way now to remove this limitation for the get alias API in 7.0. |
Just tested this and it does appear to only affect aliases, I'll change the title/body
I think this needs to go into the migration documentation and be marked as a breaking change then, since it did break something (Kibana). I can see how it can be considered a bugfix, but at the same time I think we should strive to be as consistent as possible for a non-security versus security installation
👍 |
@jaymode what's your take on this? I am open to reverting the change on 6.x and working on master to possibly remove the limitation completely. Otherwise we can keep the change in 6.x and document the different behaviour starting from 6.4 as Lee suggested, it's more consistent but breaking and undesired. |
I looked at removing the get alias limitations with security installed on master, and it is not as easy as it was with indices, the reason being that we don't support alias exclusions, hence there is no safe way to send a request through making sure that no aliases will be returned. In fact if there are no matching authorized aliases, we can't replace the aliases with an empty list of aliases as that would mean all aliases once the request is executed by Elasticsearch, which would lead to returning unauthorized aliases. With indices we replace them with an exclusion expression that always resolves to no indices, but given that we don't support aliases exclusions, it is not possible to do the same with aliases. |
I'm personally in favor of reverting so we don't having a breaking API change in a minor. I don't have an idea right now on how we could fix this; I'll need to look at it some more. |
#31308 was reverted on master to prevent any breakage in a minor version. We are looking at removing the get aliases limitations on master. |
Resolving wildcards in aliases expression is challenging as we may end up with no aliases to replace the original expression with, but if we replace with an empty array that means _all which is quite the opposite. Now that we support and serialize the original requested aliases, whenever aliases are replaced we will be able to know what was initially requested. MetaData#findAliases can then be updated to not return anything in case it gets empty aliases, but the original aliases were not empty. That means that empty aliases are interpreted as _all only if they were originally requested that way. Relates to elastic#31516
Resolving wildcards in aliases expression is challenging as we may end up with no aliases to replace the original expression with, but if we replace with an empty array that means _all which is quite the opposite. Now that we support and serialize the original requested aliases, whenever aliases are replaced we will be able to know what was initially requested. `MetaData#findAliases` can then be updated to not return anything in case it gets empty aliases, but the original aliases were not empty. That means that empty aliases are interpreted as _all only if they were originally requested that way. Relates to #31516
Due to: #31308
There is an issue with security when retrieving all aliases and no indices exist.
Reproduction:
xpack.security.enabled: true
inelasticsearch.yml
With 38b1a5f reverted, the correct behavior can be seen:
The text was updated successfully, but these errors were encountered: