New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Transform] 8.2 transform can not read from < 8.2.0 CCS source #86716
Comments
Thanks @pheyos I am able to reproduce this issue. It seems to me like a regression originating from #84473. The 8.1 remote doesn't understand the request and fails. As CCS supports only one minor back, the problem will disappear once the cluster runs on 8.3 or higher, because the remote must run on 8.2 in this case.
Unfortunately this workaround does not work. @ywangd Please have a look. Can you think of any other workaround? Lesson learned: We have CCS compat system tests, however we are testing the same cluster versions, I will try to extent it to additionally test against a remote from the previous minor version. -> #86727 |
It turns out to be a long standing bug that just got surfaced. It is a rare code path and also we didn't have any version difference for Authentication object till 8.2. The following branch of server transport interceptor does not take connection version into consideration. This leads to an Lines 105 to 117 in 3e7f523
I adjusted the labels and self assigned. |
Pinging @elastic/es-security (Team:Security) |
The SecurityServerTransportInterceptor class is responsible for writing authentication header in a wire compatible format before the request leaving the local node. However, a bug made it ignore the wire version when setting user based on the action origin. This PR fixes it and adds relevant tests. It is an old bug but never manifested itself previously because (1) the code path is rare enuough and (2) authentication didn't have any version difference till 8.2. Resolves: elastic#86716
The SecurityServerTransportInterceptor class is responsible for writing authentication header in a wire compatible format before the request leaving the local node. However, a bug made it ignore the wire version when setting user based on the action origin. This PR fixes it and adds relevant tests. It is an old bug but never manifested itself previously because (1) the code path is rare enuough and (2) authentication didn't have any version difference till 8.2. Resolves: #86716
…6741) The SecurityServerTransportInterceptor class is responsible for writing authentication header in a wire compatible format before the request leaving the local node. However, a bug made it ignore the wire version when setting user based on the action origin. This PR fixes it and adds relevant tests. It is an old bug but never manifested itself previously because (1) the code path is rare enuough and (2) authentication didn't have any version difference till 8.2. Resolves: elastic#86716
…86828) * Ensure authentication is wire compatible when setting user (#86741) The SecurityServerTransportInterceptor class is responsible for writing authentication header in a wire compatible format before the request leaving the local node. However, a bug made it ignore the wire version when setting user based on the action origin. This PR fixes it and adds relevant tests. It is an old bug but never manifested itself previously because (1) the code path is rare enuough and (2) authentication didn't have any version difference till 8.2. Resolves: #86716 * fix compilation
Affected version: 8.2.0
Fixed with: 8.2.1
After upgrading the ML QA long running cluster from 8.1.3 to 8.2.0, transforms with CCS source <8.2.0 (8.1.3 and 8.1.1 in our case) are failing with
The remote cluster log shows related entries:
Running an
_update
request on the transforms to update theheaders._xpack_security_authentication
didn't fix it.Mitigation
or
The text was updated successfully, but these errors were encountered: