[ML] Add authorization info to ML config listings#87884
Merged
droberts195 merged 3 commits intoelastic:masterfrom Jun 21, 2022
Merged
[ML] Add authorization info to ML config listings#87884droberts195 merged 3 commits intoelastic:masterfrom
droberts195 merged 3 commits intoelastic:masterfrom
Conversation
ML datafeeds and data frame analytics jobs remember permissions from their time of creation or most recent update. It can be quite hard to determine what these are when listing their configs, which can lead to uncertainty about whether some minor update changed the permissions. This change adds information about the permissions to the config listings. If the last update was from a user then the permissions used are the roles they had at the time, and a list of these roles is added to the new `authorization` field of the datafeed or data frame analytics job config listing. If the last update was using an API key then the permissions of that API key are used for subsequent searches and the new `authorization` field of the datafeed or data frame analytics job config listing shows the API key name and ID. If a service account did the last update then the service account name is added to the new `authorization` field of the datafeed or data frame analytics job config listing.
Collaborator
|
Pinging @elastic/ml-core (Team:ML) |
Collaborator
|
Hi @droberts195, I've created a changelog YAML for you. |
Author
|
Note: there is more unit testing for this functionality in #87570 |
Collaborator
|
Pinging @elastic/clients-team (Team:Clients) |
Same user but different roles
Author
|
Jenkins run elasticsearch-ci/part-2 |
11 tasks
droberts195
added a commit
that referenced
this pull request
Jun 23, 2022
#87884 added authorization information to the datafeed and data frame analytics job configs returned by listing them, but not to the ones returned from creating or updating them. For consistency it's best that the same fields are present in both places.
droberts195
added a commit
to droberts195/elasticsearch
that referenced
this pull request
Dec 12, 2022
Due to elastic#41185 datafeeds created prior to 7.0 and not updated since then have unparseable authorization headers in 8.x. In 8.0-8.3 this could easily be a non-issue, as such datafeeds were likely forgotten leftovers and never run. Even if it was a problem, only the datafeed of interest would need updating with any urgency. Due to elastic#87884 datafeeds with authorization headers older than 7.0 prevent _all_ datafeeds being listed in 8.4 and 8.5. This in turn breaks the anomaly detection job management section of the ML UI. The problem is alleviated by elastic#92168 and fixed by elastic#92221, but we should warn users that the problem exists in 8.4.0-8.5.3 inclusive.
droberts195
added a commit
that referenced
this pull request
Dec 13, 2022
…2274) Due to #41185 datafeeds created prior to 7.0 and not updated since then have unparseable authorization headers in 8.x. In 8.0-8.3 this could easily be a non-issue, as such datafeeds were likely forgotten leftovers and never run. Even if it was a problem, only the datafeed of interest would need updating with any urgency. Due to #87884 datafeeds with authorization headers older than 7.0 prevent _all_ datafeeds being listed in 8.4 and 8.5. This in turn breaks the anomaly detection job management section of the ML UI. The problem is alleviated by #92168 and fixed by #92221, but we should warn users that the problem exists in 8.4.0-8.5.3 inclusive.
droberts195
added a commit
to droberts195/elasticsearch
that referenced
this pull request
Dec 13, 2022
…astic#92274) Due to elastic#41185 datafeeds created prior to 7.0 and not updated since then have unparseable authorization headers in 8.x. In 8.0-8.3 this could easily be a non-issue, as such datafeeds were likely forgotten leftovers and never run. Even if it was a problem, only the datafeed of interest would need updating with any urgency. Due to elastic#87884 datafeeds with authorization headers older than 7.0 prevent _all_ datafeeds being listed in 8.4 and 8.5. This in turn breaks the anomaly detection job management section of the ML UI. The problem is alleviated by elastic#92168 and fixed by elastic#92221, but we should warn users that the problem exists in 8.4.0-8.5.3 inclusive.
elasticsearchmachine
pushed a commit
that referenced
this pull request
Dec 13, 2022
…2274) (#92318) Due to #41185 datafeeds created prior to 7.0 and not updated since then have unparseable authorization headers in 8.x. In 8.0-8.3 this could easily be a non-issue, as such datafeeds were likely forgotten leftovers and never run. Even if it was a problem, only the datafeed of interest would need updating with any urgency. Due to #87884 datafeeds with authorization headers older than 7.0 prevent _all_ datafeeds being listed in 8.4 and 8.5. This in turn breaks the anomaly detection job management section of the ML UI. The problem is alleviated by #92168 and fixed by #92221, but we should warn users that the problem exists in 8.4.0-8.5.3 inclusive.
droberts195
added a commit
to droberts195/elasticsearch
that referenced
this pull request
Dec 13, 2022
Due to elastic#41185 datafeeds created prior to 7.0 and not updated since then have unparseable authorization headers in 8.x. In 8.0-8.3 this could easily be a non-issue, as such datafeeds were likely forgotten leftovers and never run. Even if it was a problem, only the datafeed of interest would need updating with any urgency. Due to elastic#87884 datafeeds with authorization headers older than 7.0 prevent _all_ datafeeds being listed in 8.4 and 8.5. This in turn breaks the anomaly detection job management section of the ML UI. The problem is alleviated by elastic#92168 and fixed by elastic#92221, but we should warn users that the problem exists in 8.4.0-8.5.3 inclusive. Backport of elastic#92274
droberts195
added a commit
to droberts195/elasticsearch
that referenced
this pull request
Dec 13, 2022
Due to elastic#41185 datafeeds created prior to 7.0 and not updated since then have unparseable authorization headers in 8.x. In 8.0-8.3 this could easily be a non-issue, as such datafeeds were likely forgotten leftovers and never run. Even if it was a problem, only the datafeed of interest would need updating with any urgency. Due to elastic#87884 datafeeds with authorization headers older than 7.0 prevent _all_ datafeeds being listed in 8.4 and 8.5. This in turn breaks the anomaly detection job management section of the ML UI. The problem is alleviated by elastic#92168 and fixed by elastic#92221, but we should warn users that the problem exists in 8.4.0-8.5.3 inclusive. Backport of elastic#92274
elasticsearchmachine
pushed a commit
that referenced
this pull request
Dec 13, 2022
…em (#92323) Due to #41185 datafeeds created prior to 7.0 and not updated since then have unparseable authorization headers in 8.x. In 8.0-8.3 this could easily be a non-issue, as such datafeeds were likely forgotten leftovers and never run. Even if it was a problem, only the datafeed of interest would need updating with any urgency. Due to #87884 datafeeds with authorization headers older than 7.0 prevent _all_ datafeeds being listed in 8.4 and 8.5. This in turn breaks the anomaly detection job management section of the ML UI. The problem is alleviated by #92168 and fixed by #92221, but we should warn users that the problem exists in 8.4.0-8.5.3 inclusive. Backport of #92274
droberts195
added a commit
that referenced
this pull request
Dec 13, 2022
…em (#92324) Due to #41185 datafeeds created prior to 7.0 and not updated since then have unparseable authorization headers in 8.x. In 8.0-8.3 this could easily be a non-issue, as such datafeeds were likely forgotten leftovers and never run. Even if it was a problem, only the datafeed of interest would need updating with any urgency. Due to #87884 datafeeds with authorization headers older than 7.0 prevent _all_ datafeeds being listed in 8.4 and 8.5. This in turn breaks the anomaly detection job management section of the ML UI. The problem is alleviated by #92168 and fixed by #92221, but we should warn users that the problem exists in 8.4.0-8.5.3 inclusive. Backport of #92274
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ML datafeeds and data frame analytics jobs remember permissions
from their time of creation or most recent update. It can be
quite hard to determine what these are when listing their
configs, which can lead to uncertainty about whether some minor
update changed the permissions.
This change adds information about the permissions to the
config listings.
If the last update was from a user then the permissions used
are the roles they had at the time, and a list of these roles
is added to the new
authorizationfield of the datafeed ordata frame analytics job config listing.
If the last update was using an API key then the permissions
of that API key are used for subsequent searches and the new
authorizationfield of the datafeed or data frame analyticsjob config listing shows the API key name and ID.
If a service account did the last update then the service
account name is added to the new
authorizationfield of thedatafeed or data frame analytics job config listing.