Add basic alias support for data streams #72613
Conversation
martijnvg
force-pushed
the
data_stream_aliases_basics
branch
from
fbaa9b4 to
9732815
Compare
| @@ -192,8 +192,8 @@ teardown: | |||
|
|
|||
| - do: | |||
| headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user | |||
| indices.get_alias: | |||
| name: easy* | |||
| indices.get: | |||
There was a problem hiding this comment.
get_alias api now support data streams, so changed this test to use get index api to test
that apis that don't data streams do not include data streams among authorised indices.
| @@ -138,6 +138,7 @@ tasks.named("yamlRestCompatTest").configure { | |||
| 'security/authz/14_cat_indices/Test explicit request while multiple authorized indices', | |||
| 'security/authz/14_cat_indices/Test explicit request while multiple opened/closed authorized indices', | |||
| 'security/authz/14_cat_indices/Test wildcard request with multiple authorized indices', | |||
| 'security/authz/50_data_streams/Test that requests not supporting data streams do not include data streams among authorized indices', | |||
There was a problem hiding this comment.
In 7.x, this test uses get alias api, but that api now supports data streams,
so this yaml rest combat test needs to be muted.
There was a problem hiding this comment.
Hi @martijnvg I am testing in 7.14.0 with wildcard matching on the data streams indices and it does not seem to work. Not sure what I did wrong here
But not using wild card does work
There was a problem hiding this comment.
Hey @hungnguyen-elastic, thanks for reporting! I checked this locally and ran into the same issue. I will work on a fix for this.
There was a problem hiding this comment.
I've opened #75456 to track this bug.
Aliases to data streams can be defined via the existing update aliases api. Aliases can either only refer to data streams or to indices (not both). Also the existing get aliases api has been modified to support returning aliases that refer to data streams. Aliases for data streams are stored separately from data streams and and refer to data streams by name and not to the backing indices of a data stream. This means that when backing indices are added or removed from a data stream that then the data stream alias doesn't need to be updated. The authorization model for aliases that refer to data streams is the same as for aliases the refer to indices. In security privileges can be defined on aliases, indices and data streams. When a privilege is granted on an alias then access is also granted on the indices that an alias refers to (irregardless whether privileges are granted or denied on the actual indices). The same will apply for aliases that refer to data streams. See for more details: elastic#66163 (comment) Relates to elastic#66163
martijnvg
force-pushed
the
data_stream_aliases_basics
branch
from
801c2bf to
63ad677
Compare
martijnvg
added
:Data Management/Data streams
|
Pinging @elastic/es-core-features (Team:Core/Features) |
There was a problem hiding this comment.
Definitely a lot of stuff happening in this PR! I have some suggestions, but nothing blocking.
- I'd suggest getting @jrodewig to look over the doc changes for consistency, wording, etc.
- I believe the merge conflict in
DataStreamMetadatais due to a recent change by Armin that makes that class immutable. I'd suggest doing the same thing with the newdataStreamAliasesmember that you're adding here. - Along the lines of the previous item, I'd suggest making
DataStreamAliasimmutable as its list of data streams is currently mutable. - I wonder if it makes sense to introduce a new
IndexAbstraction.Typemember since index aliases and data stream aliases are different. As it stands,IndexAbstraction.DataStreamAliasis the only implementation ofIndexAbstractionthat does not have its own type. - More broadly, and perhaps not a question for this PR specifically, but with data stream aliases limited to data streams, they won't support the use case of migrating a Kibana dashboard gradually from indices to data streams. Were we to want to support that use case in the future, it seems like it would require a lot of rework to this implementation rather than just an iterative refinement of it.
|
Thanks for reviewing @danhermann!
👍
👍
Data stream alias are a different kind of alias compared to indices aliases, but both are similar enough that the functionality that these kinds of aliases provide can abstracted behind the Also for someone setting up aliases, there isn't a real notion of data stream aliases or indices aliases. The update aliases api or get alias api don't make a distinction between the two, it is just that an alias either refers to indices or data streams. It is just that certain alias options (like routing) aren't supported for aliases that refer to data streams. APIs that use aliases just resolve an alias to a set of indices (irregardless what type of alias or whether an alias refers to a data stream and that data stream refers to backing indices).
I don't see data stream aliases play a role in this case. If an alias is used in front of these indices then the migrate data stream api can be used. If not, then currently there isn't much we can do to help migration to data streams. We would need ES to support index renaming (atomically) in order to be of any help here. |
There was a problem hiding this comment.
Thanks for putting this together @martijnvg. I left some suggestions, but feel free to ignore them if wanted.
Some additional doc changes are required, but I'll handle those in a separate PR. I'll add you as a reviewer there.
Co-authored-by: James Rodewig <[email protected]>
Co-authored-by: James Rodewig <[email protected]>
|
@elasticmachine update branch |
|
Thanks for reviewing @jrodewig! |
Backporting elastic#72613 to 7.x. Aliases to data streams can be defined via the existing update aliases api. Aliases can either only refer to data streams or to indices (not both). Also the existing get aliases api has been modified to support returning aliases that refer to data streams. Aliases for data streams are stored separately from data streams and and refer to data streams by name and not to the backing indices of a data stream. This means that when backing indices are added or removed from a data stream that then the data stream alias doesn't need to be updated. The authorization model for aliases that refer to data streams is the same as for aliases the refer to indices. In security privileges can be defined on aliases, indices and data streams. When a privilege is granted on an alias then access is also granted on the indices that an alias refers to (irregardless whether privileges are granted or denied on the actual indices). The same will apply for aliases that refer to data streams. See for more details: elastic#66163 (comment) Relates to elastic#66163
Backporting #72613 to 7.x. Aliases to data streams can be defined via the existing update aliases api. Aliases can either only refer to data streams or to indices (not both). Also the existing get aliases api has been modified to support returning aliases that refer to data streams. Aliases for data streams are stored separately from data streams and and refer to data streams by name and not to the backing indices of a data stream. This means that when backing indices are added or removed from a data stream that then the data stream alias doesn't need to be updated. The authorization model for aliases that refer to data streams is the same as for aliases the refer to indices. In security privileges can be defined on aliases, indices and data streams. When a privilege is granted on an alias then access is also granted on the indices that an alias refers to (irregardless whether privileges are granted or denied on the actual indices). The same will apply for aliases that refer to data streams. See for more details: #66163 (comment) Relates to #66163 * made code compatible with java 8
#72613 adds data stream support to aliases. This adds an `alias` glossary entry and removes out the current `index alias` entry.
#72613 adds data stream support to aliases. This adds an `alias` glossary entry and removes out the current `index alias` entry.
Aliases to data streams can be defined via the existing update aliases api.
Aliases can either only refer to data streams or to indices (not both).
Also the existing get aliases api has been modified to support returning
aliases that refer to data streams.
Aliases for data streams are stored separately from data streams and
and refer to data streams by name and not to the backing indices of
a data stream. This means that when backing indices are added or removed
from a data stream that then the data stream alias doesn't need to be
updated. When a data stream alias is used in an api then all the backing indices
of the data streams the alias currently refers to are resolved.
The authorization model for aliases that refer to data streams is the
same as for aliases the refer to indices. In security privileges can
be defined on aliases, indices and data streams. When a privilege is
granted on an alias then access is also granted on the indices that
an alias refers to (irregardless whether privileges are granted or denied
on the actual indices). The same will apply for aliases that refer
to data streams. See for more details: #66163 (comment)