POC: Cross-Project Search #131168
POC: Cross-Project Search #131168
Conversation
elasticsearchmachine
added
v9.2.0
serverless-linked
|
|
||
| boolean checkRemote(List<RemoteClusterService.RemoteTag> tags); | ||
|
|
||
| record RewrittenIndexExpression(String original, List<String> rewritten) {} |
There was a problem hiding this comment.
I think we also need to check (and track) whether each component of the rewritten list is flat or qualified? Is that left for a later impl or do you think we don't need to track that here?
| (ns, key) -> boolSetting(key, true, new RemoteConnectionEnabled<>(ns, key), Setting.Property.Dynamic, Setting.Property.NodeScope) | ||
| ); | ||
|
|
||
| public record RemoteTag(String key, String value) { |
There was a problem hiding this comment.
The local project also has tags, so my guess is that this doesn't belong in RemoteClusterService and shouldn't be called RemoteTag? Maybe MetadataTag or ProjectTag?
There was a problem hiding this comment.
Yes, ProjectTag makes sense though we might also go broader and just call it metadata in case we also want it to cover project alias and such.
| if (routingTags != null) { | ||
| searchRequest.routingTags( | ||
| Arrays.stream(Strings.splitStringByCommaToArray(routingTags)).map(RemoteClusterService.RemoteTag::fromString).toList() | ||
| ); |
There was a problem hiding this comment.
Can you give an example of the type/format of tags you are allowing here? And is there an implicit "ANDing" of those tags?
As a first impl that might be useful.
Of course to state the obvious (not a criticism)
- it doesn't handle ES|QL if that is embedded in the query
- it doesn't support the complex AND, OR, NOT and grouping logic we'll eventually have to implement
so later we'll need some additional constructs/interfaces around parsing that more complex scenario.
| for (var replacedExpression : replacedExpressionMap.values()) { | ||
| if (false == replacedExpression.authorized()) { | ||
| // TODO actual security exception with details here | ||
| replacedExpression.setAuthorizationError( |
There was a problem hiding this comment.
I think we need to do this dance (mark authorized=false first, then later fill in the error details) since we don't have the right context (authentication, role info) in the IndicesAndAliasesResolver. Maybe we can expose that info to IndicesAndAliasesResolver though, we would let us avoid this split here.
There was a problem hiding this comment.
Are the authentcation and role info not available in the threadContext?
There was a problem hiding this comment.
I think they are. What I stated above though is actually misleading. Let me clarify:
- IndicesAndAliasesResolver is in xpack and we can change it to have access to authentication and role info via ThreadContext (I'm fairly confident)
- The place where we set authorized however, is in IndexAbstractionResolver -- that's in core so that doesn't have access to the classes
Authenticationetc
So while we could expose this info to IndicesAndAliasesResolver, we can't expose it to IndexAbstractionResolver which is what we'd need to do to avoid the 2 step process of "set authorized", then "set exception".
server/src/main/java/org/elasticsearch/action/AuthorizedProjectsSupplier.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/elasticsearch/action/CrossProjectReplacedIndexExpressions.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/elasticsearch/action/IndicesRequest.java
Outdated
Show resolved
Hide resolved
| // TODO this behavior could be pluggable | ||
| if (indicesRequest instanceof IndicesRequest.CrossProjectSearchCapable crossProjectSearchCapableRequest | ||
| && targetProjects != AuthorizedProjectsSupplier.AuthorizedProjects.NOT_CROSS_PROJECT) { |
There was a problem hiding this comment.
IIUC, the pluggable behaviour can already be achieved with different AuthorizedProjects implemenations, i.e. wrap the instanceof check and the code in this if block inside an AuthorizedProjects implementation provided by serverless?
|
|
||
| replacedExpressionMap.put( | ||
| original, | ||
| new ReplacedIndexExpression(original, combined, local.authorized(), local.existsAndVisible(), null) |
There was a problem hiding this comment.
This means both authorized and existsAndVisible are applicable only to the local expression in the combined list. Might be ok. But it does feel a bit odd.
There was a problem hiding this comment.
Yes true, and yes it's odd. I don't think CrossProjectReplacedIndexExpressions is quite the right abstraction (or at least not the right shape) for the job still...
| indicesRequest.includeDataStreams() | ||
| ); | ||
| crossProjectReplacedIndexExpressions.replaceLocalExpressions(replacedExpressions); | ||
| crossProjectSearchCapableRequest.setReplacedIndexExpressions(crossProjectReplacedIndexExpressions); |
There was a problem hiding this comment.
The expressions set here are unexpanded for remote indices, e.g. remote:foo*, which are then expanded by downstream actions, e.g. ResolveIndexAction. We will process the final expanded results for error handling. But do I understand it correctly that we will never store the final results back into the request itself and this is something completely up to downstream actions?
There was a problem hiding this comment.
Correct, that was my thinking: keep 'em unexpanded for remotes, leave everything to the downstream action, don't store the final results on the request.
| for (var replacedExpression : replacedExpressionMap.values()) { | ||
| if (false == replacedExpression.authorized()) { | ||
| // TODO actual security exception with details here | ||
| replacedExpression.setAuthorizationError( |
There was a problem hiding this comment.
Are the authentcation and role info not available in the threadContext?
| private Request buildFanoutRequest(boolean crossProjectMode, OriginalIndices originalIndices) { | ||
| return new Request(originalIndices.indices(), getIndicesOptions(crossProjectMode, originalIndices), crossProjectMode); | ||
| } | ||
|
|
||
| private IndicesOptions getIndicesOptions(boolean crossProjectMode, OriginalIndices localIndices) { | ||
| return crossProjectMode ? lenientIndicesOptions(localIndices.indicesOptions()) : localIndices.indicesOptions(); | ||
| } | ||
|
|
||
| private static IndicesOptions lenientIndicesOptions(IndicesOptions indicesOptions) { | ||
| return IndicesOptions.builder(indicesOptions) | ||
| .concreteTargetOptions(new IndicesOptions.ConcreteTargetOptions(true)) | ||
| .wildcardOptions( | ||
| IndicesOptions.WildcardOptions.builder(indicesOptions.wildcardOptions()).allowEmptyExpressions(true).build() | ||
| ) | ||
| .build(); | ||
| } |
There was a problem hiding this comment.
I'd prefer to see these handled by the request itself. It likely require some refactoring of existing fanout logic in ResolveIndex. Is it too much?
There was a problem hiding this comment.
You mean something like originalRequest.toRemoteFanoutRequest()? Indeed could work 👍
| // TODO probably makes more sense on a service class as opposed to the request itself | ||
| default <T extends ResponseWithReplacedIndexExpressions> void remoteFanoutErrorHandling(Map<String, T> remoteResults) {} |
There was a problem hiding this comment.
I think this method is needed only on CrossProjectSearchCapable and not here?
| import java.util.List; | ||
| import java.util.Map; | ||
|
|
||
| public class CrossProjectSearchErrorHandler { |
There was a problem hiding this comment.
I think this class can also have different implementations and the one with actual error handling is provided by serverless.
| // Complete marker interface, can be folded into Replaceable if necessary | ||
| interface CrossProjectSearchCapable extends Replaceable { | ||
| @Override | ||
| default boolean allowsRemoteIndices() { | ||
| return true; | ||
| } | ||
| } |
There was a problem hiding this comment.
Yeah unless we want to move getProjectRouting back here, the interface does not seem useful as is.
| // Could this be useful? | ||
| default IndexResolutionMode indexResolutionMode() { | ||
| return IndexResolutionMode.CANONICAL; | ||
| } |
There was a problem hiding this comment.
This feels like another variant of the previous boolean crossProjectMode() method. I'd prefer we rely on the AuthorizedProjectSupplier if possible. I understand the intention is to explicitly tell no flat expansion is required. But I feel exploring other alternatives is more preferrable since this flag can in theory be configured contradictory to the setup and/or we can sometimes have 2 sources of truth.
|
|
||
| public ReplacedIndexExpression( | ||
| String original, | ||
| List<String> replacedBy, |
There was a problem hiding this comment.
Looking the usage of this field, it does seem make sense to split it into remote and local.
- On the origin cluster, it has both remote and local. Remote ones are sent to linked projects. Local ones are locally resolved with
IndexAbstractionResolver. So the usages are separate. - On the linked cluster, only local ones make sense since there is no chaining.
If we represent remote and local with different objects, we can also fold ResolutionResult and exception into the object for local ones. The type for remote ones may simply be a List<String>.
Or maybe the split can be even higher up ReplacedIndexExpression which has a base version just for local and a subclass with the remote ones. The base one should be what we use mostly because they should be the ones used by the linked projects.
There was a problem hiding this comment.
Indeed. I've pushed #134783 as a first pass on the data model. Fits quite cleanly IMO
| final Runnable terminalHandler = () -> { | ||
| if (completionCounter.countDown()) { | ||
| try { | ||
| crossProjectSearchService.errorHandling(request, remoteResponses); |
There was a problem hiding this comment.
Proposal: This method should only be called if this transport action is the primary one. Checking ThreadContext for its status in the TransportAction chain?
That applies to two scenarios:
- I'm the "remote" secondary where you don't have enough information to call this method
- I'm the "local" secondary and some other transport action will deal with checking the status of qualified resources
Otherwise, we have an opaque system of double checks and unintended "delegation" that is going to get confusing. ES|QL intentionally delegates some of that work to field-caps, but I don't think _search wants that.
There was a problem hiding this comment.
We probably still want to call the method but exactly as you say, we'll check ThreadContext for a marker telling us whether we are on a remote or not -- along with other conditions such as whether we're even in a CPS environment -- under the hood and make it a noop accordingly.
As @ywangd suggests here we might inject the error handling implementation via SPI in which case the call will be a noop outside of CPS, and for CPS will involve additional checks as outlined above.
Ideally, transport actions should have as little responsibility as possible w.r.t. to flat world error handling and instead make use of tooling. Otherwise, we end up with a brittle implementation where each action rolls its own error handling and runs the risk of not actually failing flows post fan-out that should have failed. How generic we can make this depends on the various transport actions we work on (ResolveIndex, Search, FieldCaps, ES|QL) but I think the following pattern holds:
- A CPS compatible action tracks the original expression, its rewrite, and local index resolution results
- It calls a fanout action for all remotes to perform remote index resolution (and potentially obtain additional metadata, in the case of FieldCaps)
- It uses the info from step 1 and 2 to decide whether to throw an error or not, then proceeds.
One thing we've touched on during our sync yesterday is that the CPS capable action -- in the case of e.g. Search -- needs to know the final list of remotes that actually have data on them, or more generally needs the output of the fanout actions that it called to make further decisions about its subsequent execution. Definitely something that the tooling around flat-world error should not get in the way of.
Lets iterate on this during the actual implementation. I think the way we structure this will evolve as we port more actions to CPS and get a clearer picture of the usage patterns.
cc @piergm
|
Hm well this was fun while it lasted, but I guess "1,8k files changed" probably makes this PR of limited value, at this point... |
5 participants
This is a POC for cross-project search support. It covers integration points with UIAM (via transport interceptor changes) and updates to index resolution logic.
The main index resolution changes are:
The security interceptor rewrites CPS-capable requests and records resolution and error information for CPS error handling. It uses the AuthorizedProjectsSupplier to decide whether to handle such requests as CPS or CCS. The interceptor marks any CPS-capable request as in CPS mode or not, allowing downstream consumers to apply the correct logic (CPS vs CCS).
The end-to-end flow is demonstrated in ResolveIndexAction, which is a good starting point for understanding the changes.
Further details:
Indices.Replaceable now supports storing index resolution results via the new ReplacedIndexExpressions class. This class tracks the original expression and its resolved form (e.g., logs* → logs), as well as missing or unauthorized resources to support CPS error handling. This required generalizing IndexAbstractionResolver#resolveIndexAbstractions to record replacements and authorization status. The same logic is used both for CPS fan-out actions and for resolving local expressions in CPS requests.
CrossProjectSearchCapable is a new interface marking request classes that support CPS (in the POC only ResolveIndexAction.Request, but intended for SearchRequest and others). In this POC it implements CPS error handling—though that logic may move elsewhere—and provides a crossProjectMode method indicating whether the request should be handled under CPS rules or as a CCS request.
For now, Indices.Replaceable supports both ReplacedIndexExpressions and String[] indices side by side, but a broader refactor may consolidate on ReplacedIndexExpressions.