[ML] [Transforms] prefer secondary auth headers for transforms #86757
Pinging @elastic/ml-core (Team:ML)
Hi @benwtrent, I've created a changelog YAML for you.
…:benwtrent/elasticsearch into feature/ml-transforms-prefer-sec-headers
This commit also fixes a bug with `_start` transform that didn't utilize the stored headers to create the destination index.
Shouldn't there be a change to `TransportStartTransformAction.java` for this part?
Have you got a commit locally that made that part of the change but isn't pushed to GitHub?
@@ -24,6 +24,12 @@ Requires the following privileges: | |||
* source indices: `read`, `view_index_metadata` | |||
* destination index: `read`, `create_index`, `index`. If a `retention_policy` is configured, the `delete` privilege is |
You could also modify the start transform docs page to remove the index permission requirements if they're no longer needed.
The `x-pack/plugin/transform/src/main/java/org/elasticsearch/xpack/transform/persistence/TransformIndex.java` contains the fix. It's about creating the destination index as part of
Co-authored-by: David Roberts <dave.roberts@elastic.co>
Ah, OK, thanks. It’s getting late for me today. I’ll have a proper look tomorrow.
LGTM
LGTM on the secondary credentials.
I think there's another problem in the code with permissions for start vs create. That could be fixed in a separate PR as it's really nothing to do with secondary credentials, which is the subject of this PR.
Changing how permissions work for transforms is a more noticeable change for end users than introducing the secondary credentials option (which is more of an internal technical detail). So ideally we'd have a release note that emphasises this point.
Given that the PR is mixing two things, please can you do one of the following (whichever is less effort):
- Move the permissions fix for the destination index permissions into a separate PR and also fix the permissions required on the source index by the start API in that PR
- Open a new PR to fix the permissions required on the source index by the start API but release note it as fixing both the permissions problems
Either way that means we'll have something in the release notes that alerts users to the change. I don't see how anybody can complain because we're making the distinction in permissions required for different operations clearer and no operation will require more permissions than it did before.
LGTM
When creating and updating transforms, it is possible for clients to provide secondary headers.
When PUT, `_preview`, or `_update` is called with secondary authorization headers, those are then used or stored with the transform.
closes: #86731
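
An illustrative model of the behaviour described above, added here and not taken from the Elasticsearch code base: when a request carries both `Authorization` and `es-secondary-authorization`, the secondary credentials are the ones kept with the transform, and the privilege lists from the docs hunk are checked against that identity. The function names, API key strings and grants table are constructed for the example.

```python
# Simplified model for illustration; not Elasticsearch source code.
PRIMARY = "authorization"
SECONDARY = "es-secondary-authorization"  # Elasticsearch secondary-auth header

# Index privileges listed in the docs hunk quoted in this thread.
REQUIRED = {
    "source": {"read", "view_index_metadata"},
    "dest": {"read", "create_index", "index"},
}

# Constructed sample data: credential -> privileges granted per index role.
GRANTS = {
    "ApiKey app-service-key": {"source": set(), "dest": set()},
    "ApiKey analyst-key": {
        "source": {"read", "view_index_metadata"},
        "dest": {"read", "create_index", "index"},
    },
}


def credentials_to_store(request_headers):
    """Pick the credential kept with the transform; secondary wins if present."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    if headers.get(SECONDARY):
        return "secondary", headers[SECONDARY]
    if headers.get(PRIMARY):
        return "primary", headers[PRIMARY]
    raise ValueError("request carries no credentials")


def missing_privileges(granted, retention_policy=False):
    """Return the privileges the stored identity lacks, keyed by index role."""
    required = {role: set(privs) for role, privs in REQUIRED.items()}
    if retention_policy:
        required["dest"].add("delete")  # needed when a retention_policy is set
    gaps = {}
    for role, need in required.items():
        lacking = need - granted.get(role, set())
        if lacking:
            gaps[role] = sorted(lacking)
    return gaps


def check_request(request_headers, retention_policy=False):
    """Model one PUT/_preview/_update call: who is stored, and what they lack."""
    which, credential = credentials_to_store(request_headers)
    return which, missing_privileges(GRANTS[credential], retention_policy)
```
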