Types removal security index template#39705
Merged
bizybot merged 3 commits intoelastic:masterfrom Mar 6, 2019
Merged
Conversation
As we are moving to single type indices, we need to address this change in security-related indexes. To address this, we are - updating index templates to use preferred type name `_doc` - updating the API calls to use preferred type name `_doc` Upgrade impact:- In case of an upgrade from 6.x, the security index has type `doc` and this will keep working as there is a single type and `_doc` works as an alias to an existing type. The change is handled in the `SecurityIndexManager` when we load mappings and settings from the template. Previously, we used to do a `PutIndexTemplateRequest` with the mapping source JSON with the type name. This has been modified to remove the type name from the source. So in the case of an upgrade, the `doc` type is updated whereas for fresh installs `_doc` is updated. This happens as backend handles `_doc` as an alias to the existing type name. An optional step is to `reindex` security index and update the type to `_doc`. Since we do not support the security audit log index, that template has been deleted. Relates: elastic#38637
Collaborator
|
Pinging @elastic/es-security |
jpountz
approved these changes
Mar 5, 2019
tvernum
reviewed
Mar 6, 2019
Contributor
tvernum
left a comment
There was a problem hiding this comment.
Looks good, but I think my sample parsing code needs to be productionised a bit more with clearer failure cases.
| } | ||
| } | ||
| } | ||
| throw new ElasticsearchException("cannot read mapping from security template"); |
Contributor
There was a problem hiding this comment.
I recognise that this was pulled from my sample code, but I think we ought to provide more details in this error.
At the very least, what is the currentToken and location that caused a problem.
Alternatively we could switch those nextToken calls to use XContentParserUtils.ensureExpectedToken instead which will handle the exception for us.
Contributor
Author
There was a problem hiding this comment.
Yes, I have updated this to use ensureExpectedToken and ensureFieldName. Thank you.
| DeprecationHandler.THROW_UNSUPPORTED_OPERATION, mappingSource)) { | ||
| // remove the type wrapping to get the mapping | ||
| if (parser.nextToken() == XContentParser.Token.START_OBJECT) { // { | ||
| if (parser.nextToken() == XContentParser.Token.FIELD_NAME) { // "_doc" |
Contributor
There was a problem hiding this comment.
We probably want a check (maybe just an assert) on the field name
Contributor
Author
There was a problem hiding this comment.
changed this to use ensureFieldName checks for the expected field (_doc). Thank you
4 tasks
bizybot
added a commit
to bizybot/elasticsearch
that referenced
this pull request
Mar 6, 2019
As we are moving to single type indices, we need to address this change in security-related indexes. To address this, we are - updating index templates to use preferred type name `_doc` - updating the API calls to use preferred type name `_doc` Upgrade impact:- In case of an upgrade from 6.x, the security index has type `doc` and this will keep working as there is a single type and `_doc` works as an alias to an existing type. The change is handled in the `SecurityIndexManager` when we load mappings and settings from the template. Previously, we used to do a `PutIndexTemplateRequest` with the mapping source JSON with the type name. This has been modified to remove the type name from the source. So in the case of an upgrade, the `doc` type is updated whereas for fresh installs `_doc` is updated. This happens as backend handles `_doc` as an alias to the existing type name. An optional step is to `reindex` security index and update the type to `_doc`. Since we do not support the security audit log index, that template has been deleted. Relates: elastic#38637
bizybot
added a commit
to bizybot/elasticsearch
that referenced
this pull request
Mar 6, 2019
As we are moving to single type indices, we need to address this change in security-related indexes. To address this, we are - updating index templates to use preferred type name `_doc` - updating the API calls to use preferred type name `_doc` Upgrade impact:- In case of an upgrade from 6.x, the security index has type `doc` and this will keep working as there is a single type and `_doc` works as an alias to an existing type. The change is handled in the `SecurityIndexManager` when we load mappings and settings from the template. Previously, we used to do a `PutIndexTemplateRequest` with the mapping source JSON with the type name. This has been modified to remove the type name from the source. So in the case of an upgrade, the `doc` type is updated whereas for fresh installs `_doc` is updated. This happens as backend handles `_doc` as an alias to the existing type name. An optional step is to `reindex` security index and update the type to `_doc`. Since we do not support the security audit log index, that template has been deleted. Relates: elastic#38637
bizybot
added a commit
that referenced
this pull request
Mar 6, 2019
As we are moving to single type indices, we need to address this change in security-related indexes. To address this, we are - updating index templates to use preferred type name `_doc` - updating the API calls to use preferred type name `_doc` Upgrade impact:- In case of an upgrade from 6.x, the security index has type `doc` and this will keep working as there is a single type and `_doc` works as an alias to an existing type. The change is handled in the `SecurityIndexManager` when we load mappings and settings from the template. Previously, we used to do a `PutIndexTemplateRequest` with the mapping source JSON with the type name. This has been modified to remove the type name from the source. So in the case of an upgrade, the `doc` type is updated whereas for fresh installs `_doc` is updated. This happens as backend handles `_doc` as an alias to the existing type name. An optional step is to `reindex` security index and update the type to `_doc`. Since we do not support the security audit log index, that template has been deleted. Relates: #38637
bizybot
added a commit
that referenced
this pull request
Mar 6, 2019
As we are moving to single type indices, we need to address this change in security-related indexes. To address this, we are - updating index templates to use preferred type name `_doc` - updating the API calls to use preferred type name `_doc` Upgrade impact:- In case of an upgrade from 6.x, the security index has type `doc` and this will keep working as there is a single type and `_doc` works as an alias to an existing type. The change is handled in the `SecurityIndexManager` when we load mappings and settings from the template. Previously, we used to do a `PutIndexTemplateRequest` with the mapping source JSON with the type name. This has been modified to remove the type name from the source. So in the case of an upgrade, the `doc` type is updated whereas for fresh installs `_doc` is updated. This happens as backend handles `_doc` as an alias to the existing type name. An optional step is to `reindex` security index and update the type to `_doc`. Since we do not support the security audit log index, that template has been deleted. Relates: #38637
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As we are moving to single type indices,
we need to address this change in security-related indexes.
To address this, we are
_doc_docUpgrade impact:-
In case of an upgrade from 6.x, the security index has type
docand this will keep working as there is a single type and_docworks as an alias to an existing type. The change is handled in the
SecurityIndexManagerwhen we load mappings and settings fromthe template. Previously, we used to do a
PutIndexTemplateRequestwith the mapping source JSON with the type name. This has been
modified to remove the type name from the source.
So in the case of an upgrade, the
doctype is updatedwhereas for fresh installs
_docis updated. This happens asbackend handles
_docas an alias to the existing type name.An optional step is to
reindexsecurity index and update thetype to
_doc.Since we do not support the security audit log index,
that template has been deleted.
Relates: #38637