[Upgrade Assistant] Fix privileges for reindexing indices#237055
Merged
[Upgrade Assistant] Fix privileges for reindexing indices#237055
Conversation
Contributor
Author
|
/ci |
mattkime
added
Team:Kibana Management
Contributor
⏳ Build in-progress, with failures
Failed CI StepsHistory
cc @mattkime |
Contributor
Author
|
/ci |
Contributor
|
Pinging @elastic/kibana-management (Team:Kibana Management) |
SoniaSanzV
approved these changes
Oct 2, 2025
Contributor
SoniaSanzV
left a comment
SoniaSanzV
left a comment
There was a problem hiding this comment.
Tested locally, LGTM! Thank you for the fix @mattkime
Contributor
|
Starting backport for target branches: 8.18, 8.19, 9.0, 9.1 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
This was referenced Oct 2, 2025
mattkime
added a commit
to mattkime/kibana
that referenced
this pull request
Oct 2, 2025
…7055) ## Summary Previously Upgrade Assistant was checking for `.tasks` index access when checking privs in order to reindex an index. Only the `superuser` role provides access. Further, access is not needed as its been replaced by the tasks api which is available via `cluster: ['manage']` Additionally, the saved objects client usage required the `superuser` role since the reindex saved object was hidden and we didn't have a way of providing kibana feature privileges for the saved object. The solution is to rely on our our preexisting privilege checks (cluster: manage and 'all' access for the particular indices being reindexed) and use the internal saved object client. Part of elastic#237054 To test - Create a role with the following (index names could be more limited and it should work) ``` { "cluster": [ "manage" ], "index" : [ { "names": [ "*" ], "privileges": [ "all" ] } ] } ``` assign it to a user. Now try running upgrade assistant and reindexing with that user. It should work. Simplified testing of upgrade assistant - To test, follow directions here - elastic#228705 Mocked response - elastic@5aab34c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50 --- Release note Fixes privilege requirements when reindexing indices via Upgrade Assistant. Previously, the "superuser" role was required. Now "cluster: manage" and "all" privileges for the relevant indices are sufficient. (cherry picked from commit 0250b59) # Conflicts: # x-pack/platform/plugins/private/reindex_service/server/src/lib/reindex_service_wrapper.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/batch_reindex_indices.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/reindex_indices.ts
mattkime
added a commit
to mattkime/kibana
that referenced
this pull request
Oct 2, 2025
…7055) ## Summary Previously Upgrade Assistant was checking for `.tasks` index access when checking privs in order to reindex an index. Only the `superuser` role provides access. Further, access is not needed as its been replaced by the tasks api which is available via `cluster: ['manage']` Additionally, the saved objects client usage required the `superuser` role since the reindex saved object was hidden and we didn't have a way of providing kibana feature privileges for the saved object. The solution is to rely on our our preexisting privilege checks (cluster: manage and 'all' access for the particular indices being reindexed) and use the internal saved object client. Part of elastic#237054 To test - Create a role with the following (index names could be more limited and it should work) ``` { "cluster": [ "manage" ], "index" : [ { "names": [ "*" ], "privileges": [ "all" ] } ] } ``` assign it to a user. Now try running upgrade assistant and reindexing with that user. It should work. Simplified testing of upgrade assistant - To test, follow directions here - elastic#228705 Mocked response - elastic@5aab34c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50 --- Release note Fixes privilege requirements when reindexing indices via Upgrade Assistant. Previously, the "superuser" role was required. Now "cluster: manage" and "all" privileges for the relevant indices are sufficient. (cherry picked from commit 0250b59) # Conflicts: # x-pack/platform/plugins/private/reindex_service/server/src/lib/reindex_service_wrapper.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/batch_reindex_indices.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/reindex_indices.ts # x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.test.ts # x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.ts
mattkime
added a commit
to mattkime/kibana
that referenced
this pull request
Oct 2, 2025
…7055) ## Summary Previously Upgrade Assistant was checking for `.tasks` index access when checking privs in order to reindex an index. Only the `superuser` role provides access. Further, access is not needed as its been replaced by the tasks api which is available via `cluster: ['manage']` Additionally, the saved objects client usage required the `superuser` role since the reindex saved object was hidden and we didn't have a way of providing kibana feature privileges for the saved object. The solution is to rely on our our preexisting privilege checks (cluster: manage and 'all' access for the particular indices being reindexed) and use the internal saved object client. Part of elastic#237054 To test - Create a role with the following (index names could be more limited and it should work) ``` { "cluster": [ "manage" ], "index" : [ { "names": [ "*" ], "privileges": [ "all" ] } ] } ``` assign it to a user. Now try running upgrade assistant and reindexing with that user. It should work. Simplified testing of upgrade assistant - To test, follow directions here - elastic#228705 Mocked response - elastic@5aab34c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50 --- Release note Fixes privilege requirements when reindexing indices via Upgrade Assistant. Previously, the "superuser" role was required. Now "cluster: manage" and "all" privileges for the relevant indices are sufficient. (cherry picked from commit 0250b59) # Conflicts: # x-pack/platform/plugins/private/reindex_service/server/src/lib/reindex_service_wrapper.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/batch_reindex_indices.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/reindex_indices.ts # x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.test.ts # x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.ts
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
mattkime
added a commit
to mattkime/kibana
that referenced
this pull request
Oct 2, 2025
…7055) ## Summary Previously Upgrade Assistant was checking for `.tasks` index access when checking privs in order to reindex an index. Only the `superuser` role provides access. Further, access is not needed as its been replaced by the tasks api which is available via `cluster: ['manage']` Additionally, the saved objects client usage required the `superuser` role since the reindex saved object was hidden and we didn't have a way of providing kibana feature privileges for the saved object. The solution is to rely on our our preexisting privilege checks (cluster: manage and 'all' access for the particular indices being reindexed) and use the internal saved object client. Part of elastic#237054 To test - Create a role with the following (index names could be more limited and it should work) ``` { "cluster": [ "manage" ], "index" : [ { "names": [ "*" ], "privileges": [ "all" ] } ] } ``` assign it to a user. Now try running upgrade assistant and reindexing with that user. It should work. Simplified testing of upgrade assistant - To test, follow directions here - elastic#228705 Mocked response - elastic@5aab34c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50 --- Release note Fixes privilege requirements when reindexing indices via Upgrade Assistant. Previously, the "superuser" role was required. Now "cluster: manage" and "all" privileges for the relevant indices are sufficient. (cherry picked from commit 0250b59) # Conflicts: # x-pack/platform/plugins/private/reindex_service/server/src/lib/reindex_service_wrapper.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/batch_reindex_indices.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/reindex_indices.ts # x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.test.ts # x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.ts
kibanamachine
added
the
backport missing
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
1 similar comment
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
mattkime
added a commit
that referenced
this pull request
Oct 8, 2025
…7055) (#237350) # Backport This will backport the following commits from `main` to `8.18`: - [[Upgrade Assistant] Fix privileges for reindexing indices (#237055)](#237055) <!--- Backport version: 10.0.2 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Matthew Kime","email":"matt@mattki.me"},"sourceCommit":{"committedDate":"2025-10-02T13:43:31Z","message":"[Upgrade Assistant] Fix privileges for reindexing indices (#237055)\n\n## Summary\n\nPreviously Upgrade Assistant was checking for `.tasks` index access when\nchecking privs in order to reindex an index. Only the `superuser` role\nprovides access. Further, access is not needed as its been replaced by\nthe tasks api which is available via `cluster: ['manage']`\n\nAdditionally, the saved objects client usage required the `superuser`\nrole since the reindex saved object was hidden and we didn't have a way\nof providing kibana feature privileges for the saved object. The\nsolution is to rely on our our preexisting privilege checks (cluster:\nmanage and 'all' access for the particular indices being reindexed) and\nuse the internal saved object client.\n\nPart of https://github.com/elastic/kibana/issues/237054\n\nTo test -\n\nCreate a role with the following (index names could be more limited and\nit should work)\n```\n{\n \"cluster\": [ \"manage\" ],\n \"index\" : [\n {\n \"names\": [ \"*\" ],\n \"privileges\": [ \"all\" ]\n }\n ]\n}\n```\nassign it to a user. Now try running upgrade assistant and reindexing\nwith that user. It should work.\n\nSimplified testing of upgrade assistant - \nTo test, follow directions here -\nhttps://github.com//pull/228705\nMocked response -\nhttps://github.com//pull/230021/commits/5aab34cdcee2df76d702a058348388a7d10fb73c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50\n\n---\n\nRelease note\n\nFixes privilege requirements when reindexing indices via Upgrade\nAssistant. Previously, the \"superuser\" role was required. Now \"cluster:\nmanage\" and \"all\" privileges for the relevant indices are sufficient.","sha":"0250b590f20ac6dcdc5df64ee0a8fd758553957c","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:Kibana Management","Feature:Upgrade Assistant","backport:version","v9.2.0","v8.18.8","v8.19.5","v9.0.8","v9.1.5"],"title":"[Upgrade Assistant] Fix privileges for reindexing indices","number":237055,"url":"https://github.com/elastic/kibana/pull/237055","mergeCommit":{"message":"[Upgrade Assistant] Fix privileges for reindexing indices (#237055)\n\n## Summary\n\nPreviously Upgrade Assistant was checking for `.tasks` index access when\nchecking privs in order to reindex an index. Only the `superuser` role\nprovides access. Further, access is not needed as its been replaced by\nthe tasks api which is available via `cluster: ['manage']`\n\nAdditionally, the saved objects client usage required the `superuser`\nrole since the reindex saved object was hidden and we didn't have a way\nof providing kibana feature privileges for the saved object. The\nsolution is to rely on our our preexisting privilege checks (cluster:\nmanage and 'all' access for the particular indices being reindexed) and\nuse the internal saved object client.\n\nPart of https://github.com/elastic/kibana/issues/237054\n\nTo test -\n\nCreate a role with the following (index names could be more limited and\nit should work)\n```\n{\n \"cluster\": [ \"manage\" ],\n \"index\" : [\n {\n \"names\": [ \"*\" ],\n \"privileges\": [ \"all\" ]\n }\n ]\n}\n```\nassign it to a user. Now try running upgrade assistant and reindexing\nwith that user. It should work.\n\nSimplified testing of upgrade assistant - \nTo test, follow directions here -\nhttps://github.com//pull/228705\nMocked response -\nhttps://github.com//pull/230021/commits/5aab34cdcee2df76d702a058348388a7d10fb73c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50\n\n---\n\nRelease note\n\nFixes privilege requirements when reindexing indices via Upgrade\nAssistant. Previously, the \"superuser\" role was required. Now \"cluster:\nmanage\" and \"all\" privileges for the relevant indices are sufficient.","sha":"0250b590f20ac6dcdc5df64ee0a8fd758553957c"}},"sourceBranch":"main","suggestedTargetBranches":["8.18","8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/237055","number":237055,"mergeCommit":{"message":"[Upgrade Assistant] Fix privileges for reindexing indices (#237055)\n\n## Summary\n\nPreviously Upgrade Assistant was checking for `.tasks` index access when\nchecking privs in order to reindex an index. Only the `superuser` role\nprovides access. Further, access is not needed as its been replaced by\nthe tasks api which is available via `cluster: ['manage']`\n\nAdditionally, the saved objects client usage required the `superuser`\nrole since the reindex saved object was hidden and we didn't have a way\nof providing kibana feature privileges for the saved object. The\nsolution is to rely on our our preexisting privilege checks (cluster:\nmanage and 'all' access for the particular indices being reindexed) and\nuse the internal saved object client.\n\nPart of https://github.com/elastic/kibana/issues/237054\n\nTo test -\n\nCreate a role with the following (index names could be more limited and\nit should work)\n```\n{\n \"cluster\": [ \"manage\" ],\n \"index\" : [\n {\n \"names\": [ \"*\" ],\n \"privileges\": [ \"all\" ]\n }\n ]\n}\n```\nassign it to a user. Now try running upgrade assistant and reindexing\nwith that user. It should work.\n\nSimplified testing of upgrade assistant - \nTo test, follow directions here -\nhttps://github.com//pull/228705\nMocked response -\nhttps://github.com//pull/230021/commits/5aab34cdcee2df76d702a058348388a7d10fb73c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50\n\n---\n\nRelease note\n\nFixes privilege requirements when reindexing indices via Upgrade\nAssistant. Previously, the \"superuser\" role was required. Now \"cluster:\nmanage\" and \"all\" privileges for the relevant indices are sufficient.","sha":"0250b590f20ac6dcdc5df64ee0a8fd758553957c"}},{"branch":"8.18","label":"v8.18.8","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.8","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/237334","number":237334,"state":"OPEN"},{"branch":"9.1","label":"v9.1.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/237326","number":237326,"state":"OPEN"},{"url":"https://github.com/elastic/kibana/pull/237325","number":237325,"branch":"9.2","state":"OPEN"}]}] BACKPORT--> --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
mattkime
added a commit
that referenced
this pull request
Oct 8, 2025
…7055) (#237340) # Backport This will backport the following commits from `main` to `8.19`: - [[Upgrade Assistant] Fix privileges for reindexing indices (#237055)](#237055) <!--- Backport version: 10.0.2 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Matthew Kime","email":"matt@mattki.me"},"sourceCommit":{"committedDate":"2025-10-02T13:43:31Z","message":"[Upgrade Assistant] Fix privileges for reindexing indices (#237055)\n\n## Summary\n\nPreviously Upgrade Assistant was checking for `.tasks` index access when\nchecking privs in order to reindex an index. Only the `superuser` role\nprovides access. Further, access is not needed as its been replaced by\nthe tasks api which is available via `cluster: ['manage']`\n\nAdditionally, the saved objects client usage required the `superuser`\nrole since the reindex saved object was hidden and we didn't have a way\nof providing kibana feature privileges for the saved object. The\nsolution is to rely on our our preexisting privilege checks (cluster:\nmanage and 'all' access for the particular indices being reindexed) and\nuse the internal saved object client.\n\nPart of https://github.com/elastic/kibana/issues/237054\n\nTo test -\n\nCreate a role with the following (index names could be more limited and\nit should work)\n```\n{\n \"cluster\": [ \"manage\" ],\n \"index\" : [\n {\n \"names\": [ \"*\" ],\n \"privileges\": [ \"all\" ]\n }\n ]\n}\n```\nassign it to a user. Now try running upgrade assistant and reindexing\nwith that user. It should work.\n\nSimplified testing of upgrade assistant - \nTo test, follow directions here -\nhttps://github.com//pull/228705\nMocked response -\nhttps://github.com//pull/230021/commits/5aab34cdcee2df76d702a058348388a7d10fb73c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50\n\n---\n\nRelease note\n\nFixes privilege requirements when reindexing indices via Upgrade\nAssistant. Previously, the \"superuser\" role was required. Now \"cluster:\nmanage\" and \"all\" privileges for the relevant indices are sufficient.","sha":"0250b590f20ac6dcdc5df64ee0a8fd758553957c","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:Kibana Management","Feature:Upgrade Assistant","backport:version","v9.2.0","v8.18.8","v8.19.5","v9.0.8","v9.1.5"],"title":"[Upgrade Assistant] Fix privileges for reindexing indices","number":237055,"url":"https://github.com/elastic/kibana/pull/237055","mergeCommit":{"message":"[Upgrade Assistant] Fix privileges for reindexing indices (#237055)\n\n## Summary\n\nPreviously Upgrade Assistant was checking for `.tasks` index access when\nchecking privs in order to reindex an index. Only the `superuser` role\nprovides access. Further, access is not needed as its been replaced by\nthe tasks api which is available via `cluster: ['manage']`\n\nAdditionally, the saved objects client usage required the `superuser`\nrole since the reindex saved object was hidden and we didn't have a way\nof providing kibana feature privileges for the saved object. The\nsolution is to rely on our our preexisting privilege checks (cluster:\nmanage and 'all' access for the particular indices being reindexed) and\nuse the internal saved object client.\n\nPart of https://github.com/elastic/kibana/issues/237054\n\nTo test -\n\nCreate a role with the following (index names could be more limited and\nit should work)\n```\n{\n \"cluster\": [ \"manage\" ],\n \"index\" : [\n {\n \"names\": [ \"*\" ],\n \"privileges\": [ \"all\" ]\n }\n ]\n}\n```\nassign it to a user. Now try running upgrade assistant and reindexing\nwith that user. It should work.\n\nSimplified testing of upgrade assistant - \nTo test, follow directions here -\nhttps://github.com//pull/228705\nMocked response -\nhttps://github.com//pull/230021/commits/5aab34cdcee2df76d702a058348388a7d10fb73c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50\n\n---\n\nRelease note\n\nFixes privilege requirements when reindexing indices via Upgrade\nAssistant. Previously, the \"superuser\" role was required. Now \"cluster:\nmanage\" and \"all\" privileges for the relevant indices are sufficient.","sha":"0250b590f20ac6dcdc5df64ee0a8fd758553957c"}},"sourceBranch":"main","suggestedTargetBranches":["8.18","8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/237055","number":237055,"mergeCommit":{"message":"[Upgrade Assistant] Fix privileges for reindexing indices (#237055)\n\n## Summary\n\nPreviously Upgrade Assistant was checking for `.tasks` index access when\nchecking privs in order to reindex an index. Only the `superuser` role\nprovides access. Further, access is not needed as its been replaced by\nthe tasks api which is available via `cluster: ['manage']`\n\nAdditionally, the saved objects client usage required the `superuser`\nrole since the reindex saved object was hidden and we didn't have a way\nof providing kibana feature privileges for the saved object. The\nsolution is to rely on our our preexisting privilege checks (cluster:\nmanage and 'all' access for the particular indices being reindexed) and\nuse the internal saved object client.\n\nPart of https://github.com/elastic/kibana/issues/237054\n\nTo test -\n\nCreate a role with the following (index names could be more limited and\nit should work)\n```\n{\n \"cluster\": [ \"manage\" ],\n \"index\" : [\n {\n \"names\": [ \"*\" ],\n \"privileges\": [ \"all\" ]\n }\n ]\n}\n```\nassign it to a user. Now try running upgrade assistant and reindexing\nwith that user. It should work.\n\nSimplified testing of upgrade assistant - \nTo test, follow directions here -\nhttps://github.com//pull/228705\nMocked response -\nhttps://github.com//pull/230021/commits/5aab34cdcee2df76d702a058348388a7d10fb73c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50\n\n---\n\nRelease note\n\nFixes privilege requirements when reindexing indices via Upgrade\nAssistant. Previously, the \"superuser\" role was required. Now \"cluster:\nmanage\" and \"all\" privileges for the relevant indices are sufficient.","sha":"0250b590f20ac6dcdc5df64ee0a8fd758553957c"}},{"branch":"8.18","label":"v8.18.8","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.8","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/237334","number":237334,"state":"OPEN"},{"branch":"9.1","label":"v9.1.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/237326","number":237326,"state":"OPEN"},{"url":"https://github.com/elastic/kibana/pull/237325","number":237325,"branch":"9.2","state":"OPEN"}]}] BACKPORT--> --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine
added
v8.19.6
and removed
backport missing
rylnd
pushed a commit
to rylnd/kibana
that referenced
this pull request
Oct 17, 2025
…7055) ## Summary Previously Upgrade Assistant was checking for `.tasks` index access when checking privs in order to reindex an index. Only the `superuser` role provides access. Further, access is not needed as its been replaced by the tasks api which is available via `cluster: ['manage']` Additionally, the saved objects client usage required the `superuser` role since the reindex saved object was hidden and we didn't have a way of providing kibana feature privileges for the saved object. The solution is to rely on our our preexisting privilege checks (cluster: manage and 'all' access for the particular indices being reindexed) and use the internal saved object client. Part of elastic#237054 To test - Create a role with the following (index names could be more limited and it should work) ``` { "cluster": [ "manage" ], "index" : [ { "names": [ "*" ], "privileges": [ "all" ] } ] } ``` assign it to a user. Now try running upgrade assistant and reindexing with that user. It should work. Simplified testing of upgrade assistant - To test, follow directions here - elastic#228705 Mocked response - elastic@5aab34c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50 --- Release note Fixes privilege requirements when reindexing indices via Upgrade Assistant. Previously, the "superuser" role was required. Now "cluster: manage" and "all" privileges for the relevant indices are sufficient.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Previously Upgrade Assistant was checking for
.tasksindex access when checking privs in order to reindex an index. Only thesuperuserrole provides access. Further, access is not needed as its been replaced by the tasks api which is available viacluster: ['manage']Additionally, the saved objects client usage required the
superuserrole since the reindex saved object was hidden and we didn't have a way of providing kibana feature privileges for the saved object. The solution is to rely on our our preexisting privilege checks (cluster: manage and 'all' access for the particular indices being reindexed) and use the internal saved object client.Part of #237054
To test -
Create a role with the following (index names could be more limited and it should work)
assign it to a user. Now try running upgrade assistant and reindexing with that user. It should work.
Simplified testing of upgrade assistant -
To test, follow directions here - #228705
Mocked response - 5aab34c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50
Release note
Fixes privilege requirements when reindexing indices via Upgrade Assistant. Previously, the "superuser" role was required. Now "cluster: manage" and "all" privileges for the relevant indices are sufficient.