Skip to content

Make GetInferenceFieldsAction an Indices Action#140399

Merged
Mikep86 merged 40 commits intoelastic:mainfrom
Mikep86:ccs_use-system-user-for-inference
Jan 14, 2026
Merged

Make GetInferenceFieldsAction an Indices Action#140399
Mikep86 merged 40 commits intoelastic:mainfrom
Mikep86:ccs_use-system-user-for-inference

Conversation

@Mikep86
Copy link
Contributor

@Mikep86 Mikep86 commented Jan 8, 2026
edited
Loading

Makes GetInferenceFieldsAction an indices action dependent on the indices read permission. This allows the action to be executed by users with read access to the indices queried.

Fixes #140193

ebarlas and others added 7 commits January 7, 2026 15:09
@ebarlas
Fix semantic search CCS with RCS 2.0 (API key-based auth)
6a97ca2 
When inference module is loaded and remote clusters use API key-based
authentication, cross-cluster searches with ccs_minimize_roundtrips=false
fail because GetInferenceFieldsAction was executed as internal user _xpack,
which is rejected by CrossClusterAccessTransportInterceptor.

Fix:
- Use system context (SystemUser) for remote inference field requests,
  following CCR's pattern in CcrLicenseChecker.systemClient()
- Add GetInferenceFieldsAction to cross_cluster_search privilege
[CI] Auto commit changes from spotless
49c4a18
@ebarlas
Add GetInferenceFieldsAction to SystemPrivilege for RCS 1.0
21df575 
RCS 1.0 (certificate-based auth) enforces local SystemPrivilege checks,
unlike RCS 2.0 which bypasses them for system context. Add the action
to allow inference CCS query rewrite with both authentication modes.

Also rename test role to avoid conflict with existing remote_search role.
@Mikep86
Update comments
92b9172
@Mikep86
Rename test
1750129
@Mikep86
Extended and cleaned up integration test
99ecf76
@Mikep86
Update test name and comments
b6cf4f0
@Mikep86 Mikep86 requested a review from a team January 8, 2026 20:05
@Mikep86 Mikep86 requested a review from a team as a code owner January 8, 2026 20:05
@Mikep86 Mikep86 added >bug :Security/Security Security issues without another label :Search Relevance/Search Catch all for Search Relevance branch:9.3 labels Jan 8, 2026
@elasticsearchmachine elasticsearchmachine added Team:Security Meta label for security team v9.4.0 v9.3.1 Team:Search Relevance Meta label for the Search Relevance team in Elasticsearch labels Jan 8, 2026
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jan 8, 2026

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jan 8, 2026

Pinging @elastic/es-search-relevance (Team:Search Relevance)

@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jan 8, 2026

Hi @Mikep86, I've created a changelog YAML for you.

@Mikep86 Mikep86 mentioned this pull request Jan 8, 2026
Closed
@Mikep86 Mikep86 marked this pull request as draft January 8, 2026 22:19
@Mikep86
Copy link
Contributor Author

Mikep86 commented Jan 8, 2026

@elasticmachine update branch

@Mikep86 Mikep86 marked this pull request as ready for review January 12, 2026 16:52
jimczi
jimczi approved these changes Jan 12, 2026
View reviewed changes
Copy link
Contributor

@jimczi jimczi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Mikep86
Copy link
Contributor Author

Mikep86 commented Jan 13, 2026

@elasticmachine update branch

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jan 13, 2026

There are no new commits on the base branch.

@Mikep86
Copy link
Contributor Author

Mikep86 commented Jan 13, 2026

@elasticmachine update branch

n1v0lg
n1v0lg approved these changes Jan 13, 2026
View reviewed changes
Copy link
Contributor

@n1v0lg n1v0lg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Note: I only reviewed the privilege change, REST IT, and GetInferenceFieldsAction code.

@Mikep86 I'd love to this discuss with the team tomorrow EMEA morning -- could you hold off merging until then?

@Mikep86 Mikep86 added >non-issue and removed >bug labels Jan 13, 2026
@Mikep86 Mikep86 merged commit b7e695c into elastic:main Jan 14, 2026
41 checks passed
@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Jan 14, 2026

💔 Backport failed

The backport operation could not be completed due to the following error:

An unhandled error occurred. Please consult the logs

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 140399

@Mikep86 Mikep86 mentioned this pull request Jan 14, 2026
Merged
@Mikep86
Copy link
Contributor Author

Mikep86 commented Jan 14, 2026

💚 All backports created successfully

Status Branch Result
9.3

Questions ?

Please refer to the Backport tool documentation

Mikep86 added a commit to Mikep86/elasticsearch that referenced this pull request Jan 14, 2026
@Mikep86
Make GetInferenceFieldsAction an Indices Action (elastic#140399)
9796790 
Makes GetInferenceFieldsAction an indices action dependent on the indices read permission. This allows the action to be executed by users with read access to the indices queried.

---------

Co-authored-by: Elliot Barlas <elliot.barlas@elastic.co>
(cherry picked from commit b7e695c)

# Conflicts:
#	server/src/main/resources/transport/upper_bounds/9.4.csv
elasticsearchmachine pushed a commit that referenced this pull request Jan 15, 2026
@Mikep86
[9.3] Make GetInferenceFieldsAction an Indices Action (#140399) (#140674
8fac592 
)

* Make GetInferenceFieldsAction an Indices Action (#140399)

Makes GetInferenceFieldsAction an indices action dependent on the indices read permission. This allows the action to be executed by users with read access to the indices queried.

---------

Co-authored-by: Elliot Barlas <elliot.barlas@elastic.co>
(cherry picked from commit b7e695c)

# Conflicts:
#	server/src/main/resources/transport/upper_bounds/9.4.csv

* Unmute tests

* add 9.4.csv
@thecoop thecoop mentioned this pull request Jan 16, 2026
Closed
@Mikep86 Mikep86 mentioned this pull request Jan 20, 2026
Merged
spinscale pushed a commit to spinscale/elasticsearch that referenced this pull request Jan 21, 2026
@Mikep86 @ebarlas @spinscale
Make GetInferenceFieldsAction an Indices Action (elastic#140399)
4cc92bc 
Makes GetInferenceFieldsAction an indices action dependent on the indices read permission. This allows the action to be executed by users with read access to the indices queried.

---------

Co-authored-by: Elliot Barlas <elliot.barlas@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@n1v0lg n1v0lg n1v0lg approved these changes

@jimczi jimczi jimczi approved these changes

Assignees

No one assigned

Labels

auto-backport Automatically create backport pull requests when merged backport pending >non-issue :Search Relevance/Search Catch all for Search Relevance :Security/Security Security issues without another label Team:Search Relevance Meta label for the Search Relevance team in Elasticsearch Team:Security Meta label for security team v9.3.1 v9.4.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Semantic search CCS when ccs_minimize_roundtrips=false is broken in real-world deployments

6 participants

@Mikep86 @elasticsearchmachine @elasticmachine @n1v0lg @jimczi @ebarlas

Comments