-
Notifications
You must be signed in to change notification settings - Fork 24.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ML] Machine Learning datafeeds fail on remote clusters due to _has_privileges check #87832
Comments
Pinging @elastic/ml-core (Team:ML) |
A workaround to this issue is to have a user with |
I can confirm I was able to reproduce the issue in Elastic Cloud, with a couple of Steps to reproduce
|
The fact that it worked in 7.17 but not 8.2 is interesting. We didn't change anything in the ML code between these two versions. #72715 (comment) contains this interesting snippet:
It makes me think this is how it was working for datafeeds in 7.x too. And now datafeeds is broken in 8.2 transforms probably is too. @elastic/es-security were there changes in how I am thinking that for the fix in 8.x we should just stop using |
There were no changes to how I followed steps to reproduce from #87832 (comment) and I was able to reproduce the same error on 7.17.4 cluster. Could it be that you were logged in with a different user when testing in 7.17 cluster?
|
I found a workaround by granting (dummy) read access to the local index To do so, I have created the corresponding role "ml_log_reader_dummy" and assigend it to my (less-privileged) user.
Looks like Of course, this workaround will break as soon as the index/data-view string is parsed differently. |
Looking into this again it seems that the same problem affects transforms. It turns out some of our transform tests have had to use the workaround mentioned above too, for example: Line 43 in 312a0e2
We'll change the up-front privilege validation for both datafeeds and transforms so that it ignores configured source indices if they contain colons (indicating cross-cluster patterns). |
Elasticsearch Version
8.2.3
Installed Plugins
No response
Java Version
bundled
OS Version
Elastic Cloud
Problem Description
On our Cross Cluster Search primary cluster we have several Machine Learning jobs and Datafeeds using the data on the remote clusters. This worked fine in 7.X, but it appears that they are all in a closed state in 8.2.3 due to the
_has_privileges
api check failing on the remote clusters. We are unable to create new datafeeds using the CCS configuration. It is a known issue that_has_privileges
does not work on remote CCS cluster indices so at this time Machine Learning does not support CCS due to this API check.#67798
Steps to Reproduce
Create multiple clusters and configure them to use Cross Cluster Search. On the primary cluster create a Machine Learning job and datafeed referencing the remote cluster. The Machine Learning job will fail the permissions check when creating a new datafeed.
Logs (if relevant)
No response
The text was updated successfully, but these errors were encountered: