flood_stage not working with x-pack security #33119
Comments
Pinging @elastic/es-distributed
Pinging @elastic/es-security
Not sure how these "internal" actions should be handled but I can pick this up, if nobody else is bidding for it.
@bleskes Sorry, no it dropped off the radar, but I agree it's important. I think there are three changes we should make (in order from highest priority)
I would be interested in an assert on access denieds for the system user to try to be more proactive about catching these than relying on logging
I'll make sure someone picks this up in time for 6.5.0
When the `cluster.routing.allocation.disk.watermark.flood_stage` watermark is breached, DiskThresholdMonitor marks the indices as read only. This failed when x-pack security was present as System user does not have privilege for update settings action("indices:admin/settings/update"). This commit adds the required privilege for System user. Also added missing debug logs when access is denied to help future debugging. An assert statement is added to catch any missed privileges required for system user. Closes elastic#33119
When the cluster.routing.allocation.disk.watermark.flood_stage watermark is breached, DiskThresholdMonitor marks the indices as read-only. This failed when x-pack security was present as system user does not have the privilege for update settings action("indices:admin/settings/update"). This commit adds the required privilege for the system user. Also added missing debug logs when access is denied to help future debugging. An assert statement is added to catch any missed privileges required for system user. Closes #33119
Elasticsearch version (`bin/elasticsearch --version`): 6.3.2 (but the same symptoms appear with 6.0.1 and 6.4.0, although I did not debug them).

Plugins installed: [discovery-file, repository-s3]

JVM version (`java -version`):

OS version (`uname -a` if on a Unix-like system): Linux 4efa9a510327 4.4.0-66-generic #87~14.04.1-Ubuntu SMP Fri Mar 3 17:32:36 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Description of the problem including expected versus actual behavior:

`cluster.routing.allocation.disk.watermark.flood_stage` does not take effect when x-pack security is installed. The logs show a message like:

but settings are not applied to the indices.

Steps to reproduce:

`cluster.routing.allocation.disk.threshold_enabled` is enabled and configure `cluster.routing.allocation.disk.watermark.flood_stage`
Provide logs (if relevant):

Did some debugging and it appears this exception is thrown:

and after some more debugging, it seems the culprit is https://github.com/elastic/elasticsearch/blob/v6.3.2/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java#L17-L27 which apparently should include (at the very least) permissions for `indices:admin/settings/update` or even `indices:admin/settings/*` (provided it does raise any security concerns).

FWIW, I tried that (by compiling that class in 6.3.2 and substituting it) and it worked as expected after it
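The fix described in the commit messages above, as an added example (not code from the Elasticsearch repository): a stand-alone Java model of an action allowlist for an internal system user, comparing the narrow grant with the wildcard grant the reporter mentions, with a debug line on every denial and a test-time assert. The class name, the allowlist contents (including `internal:*`) and the `indices:admin/settings/other` action are constructed for illustration.

```java
import java.util.List;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Stand-alone model of a system-user action allowlist; not Elasticsearch's SystemPrivilege class.
public class SystemUserAllowlist {
    // Constructed allowlists: "internal:*" stands in for whatever the real class already grants.
    static final List<String> BEFORE = List.of("internal:*");
    static final List<String> NARROW = List.of("internal:*", "indices:admin/settings/update");
    static final List<String> BROAD  = List.of("internal:*", "indices:admin/settings/*");

    // '*' matches any run of characters; every other character is matched literally.
    static Predicate<String> compile(List<String> patterns) {
        List<Pattern> compiled = patterns.stream()
            .map(p -> Pattern.compile(Pattern.quote(p).replace("*", "\\E.*\\Q")))
            .collect(Collectors.toList());
        return action -> compiled.stream().anyMatch(rx -> rx.matcher(action).matches());
    }

    // Deny by default, and leave a trace of every denial for debugging.
    static boolean isGranted(Predicate<String> allowed, String action) {
        boolean granted = allowed.test(action);
        if (!granted) {
            System.err.println("DEBUG system user denied action [" + action + "]");
        }
        return granted;
    }

    // Test-time guard: with assertions enabled (java -ea), a denied internal call fails
    // immediately instead of surfacing later as a setting that never got applied.
    static void requireGranted(Predicate<String> allowed, String action) {
        boolean granted = isGranted(allowed, action);
        assert granted : "system user lacks privilege for [" + action + "]";
    }

    public static void main(String[] args) {
        String needed = "indices:admin/settings/update"; // action named in the issue
        String sibling = "indices:admin/settings/other"; // hypothetical action under the same prefix
        for (List<String> list : List.of(BEFORE, NARROW, BROAD)) {
            Predicate<String> allowed = compile(list);
            System.out.printf("%-48s update=%-5b sibling=%b%n",
                list, isGranted(allowed, needed), isGranted(allowed, sibling));
        }
        requireGranted(compile(NARROW), needed); // passes; with BEFORE it would trip under -ea
    }
}
```

The narrow list grants only the action the disk monitor needs, while the wildcard list also grants every other action under the same prefix, which is the least-privilege trade-off behind the reporter's two suggestions.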