Add ECK Role Mapping Cleanup #115823
Merged
Add ECK Role Mapping Cleanup #115823
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Pinging @elastic/es-security (Team:Security) |
|
Hi @jfreden, I've created a changelog YAML for you. |
n1v0lg
approved these changes
Oct 29, 2024
| // i.e. it is NOT created in a previous ES version that potentially didn't index the role metadata | ||
| // * or, the .security index has been migrated (using an internal update-by-query) such that the metadata is queryable | ||
| return frozenSecurityIndex.isCreatedOnLatestVersion() | ||
| return frozenSecurityIndex.isCreatedOnLatestMigrationVersion() |
There was a problem hiding this comment.
Lets rename this back to isCreatedOnLatestVersion
| "metadata.indices" | ||
| ); | ||
| assertNotNull(indices); | ||
| // JsonMapView doesn't support . prefixed indices (splits on .) |
There was a problem hiding this comment.
Should we assert that indices contain a key for .security-7?
|
Hi @jfreden, I've created a changelog YAML for you. |
jfreden
added
the
auto-backport
💔 Backport failedThe backport operation could not be completed due to the following error: You can use sqren/backport to manually backport by running |
jfreden
added a commit
to jfreden/elasticsearch
that referenced
this pull request
Oct 29, 2024
* Add security migration for cleaning up ECK role mappings (cherry picked from commit a7031d8) # Conflicts: # server/src/main/java/org/elasticsearch/index/IndexVersions.java # x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityMigrations.java # x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java
💔 Some backports could not be created
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
This was referenced Oct 29, 2024
jfreden
added a commit
to jfreden/elasticsearch
that referenced
this pull request
Nov 4, 2024
* Add security migration for cleaning up ECK role mappings
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a cleanup security migration for role mapping duplicates that exist both in cluster state and the
.securityindex. The cleanup task is implemented as a security migration.The task compares the names of the role mappings in the operator-defined settings.json and the names of the role mappings in the
.securityindex and removes the ones in the.securityindex.See related PR for full review: #114830
Issue
This cleanup is done because there was a bug (fixed #114337) that caused ECK customers to have the same role mappings with the same names present both in cluster state and the .security index. The effective role mapping is the combination of the .security index mapping and the cluster state one. After the bug #114337, if the mapping in cluster state is modified (through setting.json), the .security index will still contain the old mapping and this could lead to unintended behaviour.