-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Core should expose a dedicated Elasticsearch client for interacting with Kibana system indices #82716
Comments
If we want |
Pinging @elastic/kibana-platform (Team:Platform) |
Note that ideally, we would only be providing these dedicated clients using the new client API, meaning that all usages of the legacy client to call system indices should be migrated before, or during, the process of implementing that feature. |
I checked To make it happen, we need to understand why plugins still have to rely on the raw ES client usage rather than SO. The main reasons seem to be:
Are there other reasons to prefer the ES client rather than the SO client? For example, SO might not be the best option when working with cross-stack indices ( That looks like a lot to do, and likely we aren't going to work on this any time soon, but it might be preferable to have a long-term vision. Regarding the current issue:
class MyTransport extends Transport {
request (params, options) {
params.path = '/_kibana' + params.path
return super.request(params, options)
}
} This option allows us to reuse the connection pool: const child = parent.child({ Transport: MyTransport }) |
That is correct. We named this so that we could take advantage of the fact that this index should have the same kind of security in place as It's also not SO-shaped - it will eventually become an append-only datastream that should allow arbitrary queries across it, so if it were to be a system index, we'd need those system index API shapes available for it - maybe that's already accounted for, not sure. |
I originally started #80912 to explore these reasons as well. |
I think this could be valuable for other plugins too and don't see an obvious reason we wouldn't be able to add it. I'm not aware of any existing issues, I guess this has just never been brought up. |
It looks like we have to provide SystemIndices Elasticsearch client for some time until plugins migrate to SO service.
We can limit SystemIndices client to a sub-set of ES client API as done for Repository client #81237 (comment) |
👍 Sounds like a good plan. |
@restrry I like the plan as well. Do you think it's feasible for us to allow the SystemIndices ES Client to work with other system's system-indices as well? I believe the current plan is for the upcoming standalone Fleet Server and the Fleet application in Kibana to both communicate with the Fleet system-indices. @ruflin can you confirm this? |
@kobelb Correct: elastic/elasticsearch#64971 |
@kobelb Kibana SystemIndices ES client === a sub-set of ES client API + Kibana specific rules (
I'd suggest using an ES client already provided by the core. Fleet plugin can wrap it in a custom client to declare required API sub-set explicitly #81237 (comment). |
@restrry that's a really good point that the Fleet ES Rest APIs are potentially deviating from the approach of essentially exposing standard ES APIs behind the |
One thing I want to note is that we should verify that this client with the custom transport works well with the upcoming APM instrumentation of |
Per recent changes to #81536 and the introduction of externally managed system indices this is no longer necessary. However, if you all would like to further protect the types of operations plugins can perform using the exposed Elasticsearch client, an approach similar to what is outlined here seems reasonable. |
@elastic/kibana-core wdyt? do we want to keep this open after the implementation changes of #81536? |
Given the new implementation regarding system indices in #81536, we don't think exposing a dedicated client to interact with system indices if worth the cost. The (currently) only identified change we need to do is to make sure requests performed from the dev console do not have this header, to avoid end users querying system indices from the UI. I created #90123 to discuss it. |
Background:
The background context and motivation is outlined in #81536
Implementation
To allow plugins to continue to access Kibana's system indices all requests to Elasticsearch will have to use a path prefixed by
_kibana/
. To reduce the amount of effort to adopt this and maintain the ElasticsearchJS client's typescript types, Core should expose a special system indices Elasticsearch client that will automatically prefix all paths.Investigate deprecating / removing
callAsInternalUser
In most cases the new system index client should replace using the
callAsInternalUser
API. However there are some places where plugins rely on the permission of the kibana system user while access non-system index API's.Interacting with kibana indices that aren't system indices
The following is a list of kibana indices that aren't system indices which probably use the kibana system user
callAsInternalUser
in some way:Accessing ES API's that aren't related to an index / system index
The following places use the internal user to call non-document / non-index API's. We could continue to use the system ElasticsearchJS client for this, but add a remove list to not prefix these API paths.
kibana/x-pack/plugins/alerts/server/routes/health.ts
Lines 55 to 58 in ce45dad
kibana/x-pack/plugins/licensing/server/plugin.ts
Lines 183 to 186 in 5f781dc
kibana/x-pack/plugins/security/server/authentication/api_keys.ts
Line 144 in 9356966
Other places to audit
callAsInternalUser
usagekibana/src/plugins/usage_collection/server/usage_collection.mock.ts
Lines 56 to 57 in 9afd63f
The text was updated successfully, but these errors were encountered: