@davidkyle
Member

@davidkyle davidkyle commented Feb 6, 2025

The .ml-annotations-* and .ml-notifications-* indices are accessed directly by the UI via the Kibana System user. The Kibana system user needs permission to read and write to those indices, which is granted in KibanaOwnedReservedRoleDescriptors.

The upgrade assistant in 8.18 will automatically reindex the legacy v7 .ml-annotations-* and .ml-notifications-* indices; once reindexed, the original content is in a new index of the same name prefixed with .reindexed-v8- and the source indices are deleted. This breaks certain actions in the UI as it does not have permission to write to the new .reindexed-v8-ml-XXX-* indices.

This PR adds read & write permission for the reindexed indices to the Kibana role. Non-issue as fixing a bug in unreleased code.

Closes elastic/kibana#209801
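
The permission gap described above can be reproduced offline. The following is an added example, not code from this pull request or from Elasticsearch: it uses a simplified matching model in which `*` is the only wildcard, the index names are constructed, and `pattern_matches` and `denied` are hypothetical helpers.

```python
import re

def pattern_matches(pattern, index_name):
    """Simplified model of index-pattern matching: '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None

def denied(role_entries, index_names, needed):
    """Return the (index, privilege) pairs that no entry of the role grants."""
    gaps = []
    for name in index_names:
        granted = set()
        for entry in role_entries:
            if any(pattern_matches(p, name) for p in entry["names"]):
                granted.update(entry["privileges"])
        gaps.extend((name, priv) for priv in sorted(needed - granted))
    return gaps

NEEDED = {"read", "write"}  # what the PR description says the UI requires

# Patterns quoted in the thread; privileges modelled from the description.
BEFORE = [{"names": [".ml-annotations*", ".ml-notifications*"],
           "privileges": ["read", "write"]}]
AFTER = BEFORE + [{"names": [".reindexed-v8-ml-annotations*",
                             ".reindexed-v8-ml-notifications*"],
                   "privileges": ["read", "write"]}]

# Constructed index names (the numeric suffixes are made up).
PRE_UPGRADE = [".ml-annotations-000001", ".ml-notifications-000002"]
POST_UPGRADE = [".reindexed-v8-ml-annotations-000001",
                ".reindexed-v8-ml-notifications-000002"]
# Hypothetical reindexed indices that the role should still not reach.
OUT_OF_SCOPE = [".reindexed-v8-ml-config", ".reindexed-v8-security-7"]

if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        for group in (PRE_UPGRADE, POST_UPGRADE, OUT_OF_SCOPE):
            print(label, group, "->", denied(role, group, NEEDED))
```

The same check doubles as a least-privilege test: after the change the reindexed ML indices are covered, while other `.reindexed-v8-` names remain denied.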

@davidkyle davidkyle requested a review from a team as a code owner February 6, 2025 12:45
@elasticsearchmachine elasticsearchmachine added the needs:triage and v9.1.0 labels Feb 6, 2025
@davidkyle davidkyle added the :ml, v9.0.0, v8.18.0, v8.19.0, auto-backport and >non-issue labels and removed the needs:triage label Feb 6, 2025
@elasticsearchmachine elasticsearchmachine added the Team:ML label Feb 6, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/ml-core (Team:ML)

@kc13greiner
Contributor

kc13greiner commented Feb 6, 2025

Thank you for the detailed explanation!

I think there are 2 typos in the description where you refer to ml-annotations; the kibana_system appears to have access to the system index with the same name: .indices(".ml-annotations*", ".ml-notifications*")

It's a nit for sure, but we often refer back to these PRs, so this clarification might be important!

Contributor

@kc13greiner kc13greiner left a comment

LGTM!

Please see my comment about updating the PR description

.build(),
// And the reindex indices from v7
RoleDescriptor.IndicesPrivileges.builder()
.indices(".reindexed-v8-ml-annotations*", ".reindexed-v8-ml-notifications*")
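
Review bot: the comment on the second line, "// And the reindex indices from v7", does not say what creates the .reindexed-v8- prefixed indices or why kibana_system is allowed to write to them; suggest expanding it to name the upgrade assistant reindex and to state that these are copies of the .ml-annotations and .ml-notifications indices the role already covers, since the thread notes that write access to system indices is normally not wanted. In the .indices(...) line both patterns end in * with no hyphen before it, so each matches every index name that starts with the prefix; a test asserting that kibana_system gets access through these two patterns and to no other .reindexed-v8- index would pin that scope down.
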
Contributor

++ thanks again for the detailed PR summary!

While we generally do not want the kibana_system user having write access to system indices, an exception can be made for these specific index patterns since they are reindexes of indices for which kibana_system has existing privileges.

…security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@davidkyle davidkyle enabled auto-merge (squash) February 7, 2025 08:43
@davidkyle davidkyle merged commit 8d4f034 into elastic:main Feb 7, 2025
16 of 17 checks passed
davidkyle added a commit to davidkyle/elasticsearch that referenced this pull request Feb 7, 2025
…dices (elastic#121897)

Indices are reindexed on upgrade. Adds an index pattern to the role
descriptor matching the upgraded indices
@elasticsearchmachine
Collaborator

💚 Backport successful

Status Branch Result
9.0
8.18
8.x

elasticsearchmachine pushed a commit that referenced this pull request Feb 7, 2025
…dices (#121897) (#122037)

Indices are reindexed on upgrade. Adds an index pattern to the role
descriptor matching the upgraded indices
elasticsearchmachine pushed a commit that referenced this pull request Feb 7, 2025
…dices (#121897) (#122039)

Indices are reindexed on upgrade. Adds an index pattern to the role
descriptor matching the upgraded indices
elasticsearchmachine pushed a commit that referenced this pull request Feb 10, 2025
…dices (#121897) (#122038)

Indices are reindexed on upgrade. Adds an index pattern to the role
descriptor matching the upgraded indices
Labels

auto-backport Automatically create backport pull requests when merged :ml Machine learning >non-issue Team:ML Meta label for the ML team v8.18.0 v8.19.0 v9.0.0 v9.1.0

Development

Successfully merging this pull request may close these issues.

[ML] After upgrade from 7.17 to 9.0, anomaly detection jobs annotations can't be updated.

3 participants