TemplateUpgradeService runs updates under existing ThreadContext #30603
Comments
tvernum
added
:Core/Infra/Plugins
|
Pinging @elastic/es-core-infra |
|
Pinging @elastic/es-security |
The TemplateUpgradeService is a system service that allows for plugins to register templates that need to be upgraded. These template upgrades should always happen in a system context as they are not a user initiated action. For security integrations, the lack of running this in a system context could lead to unexpected failures. The changes in this commit set an empty system context for the execution of the template upgrades performed by this service. Closes elastic#30603
|
@tvernum I am removing the discuss label as I am not sure that discussion is needed about this issue. Please add it back and comment about what needs to be discussed if you still believe there is something to discuss. |
|
@ywelsch And I discussed this just after I raised it, and believed that it would be good to discuss this more widely. |
The TemplateUpgradeService is a system service that allows for plugins to register templates that need to be upgraded. These template upgrades should always happen in a system context as they are not a user initiated action. For security integrations, the lack of running this in a system context could lead to unexpected failures. The changes in this commit set an empty system context for the execution of the template upgrades performed by this service. Relates #30603
|
Thanks for the background @tvernum. I moved forward with merging #30621 as an interim fix; the idea that cluster state events should be published in a context unrelated to a user makes sense to me. I would have concerns about making such a change in a bugfix (ie 6.3.x) release as there are unknowns as to what this change would affect. One thing that I'd like to ensure we are on the same page with is that we currently use the term "system context" to mean a context that is used for normal actions (non |
ywelsch
added
the
:Distributed Coordination/Cluster Coordination
|
Pinging @elastic/es-distributed |
The TemplateUpgradeService is a system service that allows for plugins to register templates that need to be upgraded. These template upgrades should always happen in a system context as they are not a user initiated action. For security integrations, the lack of running this in a system context could lead to unexpected failures. The changes in this commit set an empty system context for the execution of the template upgrades performed by this service. Relates #30603
The TemplateUpgradeService is a system service that allows for plugins to register templates that need to be upgraded. These template upgrades should always happen in a system context as they are not a user initiated action. For security integrations, the lack of running this in a system context could lead to unexpected failures. The changes in this commit set an empty system context for the execution of the template upgrades performed by this service. Relates #30603
|
IMO we should make all cluster state handling (appliers + cluster state update tasks) user agnostics - i.e., run with no user context. The reason is that it will take a lot of effort to define and maintain a model here. Cluster state appliers can be called on the master after committing a cluster state, where we can potentially carry things over easily, but they can also be called as a result of an incoming cluster state from the master. Another complication is that both the cluster state update task and the incoming cluster state queue support batching. If we want to make things "correct" we need to make sure that those batches only batch changes that are made by the same (or equivalent) user context. This means we'll need to transfer the user context that have caused a cluster state to change via the publishing mechanism and persist it in the pending cluster state queue. We will also need to change the batching in the cluster state update task executor to be aware of the thread contexts. All in all - it's really complicated and I would really like to avoid it. So far I didn't hear a very compelling need, so I suggest we go with the model of "all cluster state changes/code runs under the system user". This doesn't mean that cluster state update tasks listeners can't restore the context when they get a response. |
The TemplateUpgradeService is a system service that allows for plugins to register templates that need to be upgraded. These template upgrades should always happen in a system context as they are not a user initiated action. For security integrations, the lack of running this in a system context could lead to unexpected failures. The changes in this commit set an empty system context for the execution of the template upgrades performed by this service. Relates elastic#30603
This commit makes it so that cluster state update tasks always run under the system context, only restoring the original context when the listener that was provided with the task is called. A notable exception is the clusterStatePublished(...) callback which will still run under system context, because it's defined on the executor-level, and not the task level, and only called once for the combined batch of tasks and can therefore not be uniquely identified with a task / thread context. Relates #30603
This commit makes it so that cluster state update tasks always run under the system context, only restoring the original context when the listener that was provided with the task is called. A notable exception is the clusterStatePublished(...) callback which will still run under system context, because it's defined on the executor-level, and not the task level, and only called once for the combined batch of tasks and can therefore not be uniquely identified with a task / thread context. Relates #30603
|
Closed by #31241 |
The
TemplateUpgradeServicehas a high level flow of:ClusterChangedEventHowever
ClusterChangedEventcomes in with the sameThreadContextas the action that triggered the event (which might be a node join/leave, but it also might be a settings change or index create/delete over REST).executepreserves theThreadContextfrom the calling code.Consequently, the template update runs with a ThreadContext that matches the original triggering action.
If X-Pack Security is enabled, that means that update which should run as
_systemmight attempt to run as the user which authenticated to the Rest API. That user may not have privileges to perform that update.The text was updated successfully, but these errors were encountered: