-
Notifications
You must be signed in to change notification settings - Fork 11.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Elasticsearch: Fix URL creation and allowlist for /_mapping
requests
#80970
Conversation
This PR must be merged before a backport PR will be created. |
This PR must be merged before a backport PR will be created. |
@@ -205,7 +205,18 @@ export class ElasticDatasource | |||
indexList = [this.indexPattern.getIndexForToday()]; | |||
} | |||
|
|||
const indexUrlList = indexList.map((index) => index + url); | |||
// make sure `url` does not start with a slash | |||
url = url.replace(/^\//, ''); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
requestAllIndices
is private function used only in return this.requestAllIndices('/_mapping', range)
. Can't we just remove /
from /_mapping
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean, we can, but shouldn't we then also hardcode requestAllIndices
to not accept an url
parameter? Because what if the next person/developer wants to use requestAllIndices
at a different place.
I removed it in 3367a8c but would still leave the detection and "normalization" as part of requestAllIndices
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but shouldn't we then also hardcode requestAllIndices to not accept an url parameter?
I think that it make sense then. And it is more clear and understandable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated in d464811
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome! LGTM.
…g` requests (#81057) Elasticsearch: Fix URL creation and allowlist for `/_mapping` requests (#80970) * Elasticsearch: Fix URL creation for mapping requests * remove leading slash by default * add comment for es route * hardcode `_mapping` * update doc (cherry picked from commit 3d03383) Co-authored-by: Sven Grossmann <sven.grossmann@grafana.com>
#80970) * Elasticsearch: Fix URL creation for mapping requests * remove leading slash by default * add comment for es route * hardcode `_mapping` * update doc
@jcalisto Out of curiosity, what's the reason for this backport? |
…g` requests (#87711) Elasticsearch: Fix URL creation and allowlist for `/_mapping` requests (#80970) * Elasticsearch: Fix URL creation for mapping requests * remove leading slash by default * add comment for es route * hardcode `_mapping` * update doc (cherry picked from commit 3d03383) Co-authored-by: Sven Grossmann <sven.grossmann@grafana.com>
What is this feature?
When Elasticsearch datasources were configured without an indexname one of the requested URLs ended in
//_mapping
. In our cloud infrastructured that was normalized to_mapping
, which ended up in a 403 thrown by the datasource backend.This PR fixes two things:
//_mapping
should not happen again._mapping
.