Skip to content

Fix security index creation race condition #128825

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 4, 2025
Merged

Fix security index creation race condition #128825

merged 3 commits into from
Jun 4, 2025

Conversation

@jfreden
Copy link
Contributor

@jfreden jfreden commented Jun 3, 2025
edited
Loading

Resolves: #127694, #122863

The error occurs when trying to authenticate the activate profile request:

[2025-05-05T01:02:23,272][WARN ][o.e.x.s.a.RealmsAuthenticator][testActivateProfileForJWT] An error occurred while attempting to authenticate ['aud:es-01' 'groups:admin' 'iss:my-issuer-01' 'sub:me'] against realm [jwt0]
1> org.elasticsearch.action.UnavailableShardsException: at least one search shard for the index [.security-7] is unavailable

Before the test, the creation of the .security index is skipped:

[2025-05-05T01:02:23,174][INFO ][o.e.x.s.a.j.JwtRealmSingleNodeTests][testActivateProfileForJWT] Security index already exists, ignoring.

And before that we see:

[2025-05-05T01:02:23,127][INFO ][o.e.c.m.MetadataCreateIndexService][node_s_0][masterService#updateTask][T#1] creating index [.security-7] in project [default], cause [api], templates [], shards [1]/[1]
[2025-05-05T01:02:23,134][INFO ][o.e.c.r.a.AllocationService][node_s_0][masterService#updateTask][T#1] in project [default] updating number_of_replicas to [0] for indices [.security-7]

Even earlier we see:

[2025-05-05T01:02:22,854][INFO ][o.e.x.s.s.SecurityIndexManager][node_s_0][generic][T#6] security index does not exist, creating [.security-7] with alias [.security]

This is triggered by prepareIndexIfNeededThenExecute.

What I think is happening is that the index is created but not available and therefore it fails. If we check if exists and also wait for it to become available this might not happen.

@jfreden jfreden requested a review from slobodanadamovic June 3, 2025 13:07
@jfreden jfreden added >test Issues or PRs that are addressing/adding tests :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jun 3, 2025
@elasticsearchmachine elasticsearchmachine added Team:Security Meta label for security team v9.1.0 labels Jun 3, 2025
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jun 3, 2025

Pinging @elastic/es-security (Team:Security)

slobodanadamovic
slobodanadamovic approved these changes Jun 3, 2025
View reviewed changes
Copy link
Contributor

@slobodanadamovic slobodanadamovic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM Thanks for fixing this 👍

@jfreden jfreden merged commit 696ff89 into elastic:main Jun 4, 2025
18 checks passed
@jfreden jfreden mentioned this pull request Jun 4, 2025
Closed
@ankit--sethi ankit--sethi mentioned this pull request Jul 8, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slobodanadamovic slobodanadamovic slobodanadamovic approved these changes

Assignees

No one assigned

Labels

:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team >test Issues or PRs that are addressing/adding tests v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[CI] JwtRealmSingleNodeTests testActivateProfileForJWT failing

3 participants

@jfreden @elasticsearchmachine @slobodanadamovic