[9.1] [Upgrade Assistant] Fix privileges for reindexing indices (#237055) #237326

Closed
mattkime wants to merge 1 commit into elastic:9.1 from mattkime:backport/9.1/pr-237055

@mattkime mattkime commented Oct 2, 2025

Backport

This will backport the following commits from main to 9.1:

Questions ?

Please refer to the Backport tool documentation

…7055)

## Summary

Previously Upgrade Assistant was checking for `.tasks` index access when
checking privs in order to reindex an index. Only the `superuser` role
provides access. Further, access is not needed as it's been replaced by
the tasks API, which is available via `cluster: ['manage']`.

Additionally, the saved objects client usage required the `superuser`
role since the reindex saved object was hidden and we didn't have a way
of providing kibana feature privileges for the saved object. The
solution is to rely on our preexisting privilege checks (cluster:
manage and 'all' access for the particular indices being reindexed) and
use the internal saved object client.

Part of elastic#237054

To test -

Create a role with the following (index names could be more limited and
it should work)
```
{
  "cluster": [ "manage" ],
  "index" : [
    {
      "names": [ "*" ],
      "privileges": [ "all" ]
    }
  ]
}
```
assign it to a user. Now try running upgrade assistant and reindexing
with that user. It should work.

Simplified testing of upgrade assistant -
To test, follow directions here -
elastic#228705
Mocked response -
elastic@5aab34c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50

---

Release note

Fixes privilege requirements when reindexing indices via Upgrade
Assistant. Previously, the "superuser" role was required. Now "cluster:
manage" and "all" privileges for the relevant indices are sufficient.

(cherry picked from commit 0250b59)

# Conflicts:
#	x-pack/platform/plugins/private/reindex_service/server/src/lib/reindex_service_wrapper.ts
#	x-pack/platform/plugins/private/reindex_service/server/src/routes/batch_reindex_indices.ts
#	x-pack/platform/plugins/private/reindex_service/server/src/routes/reindex_indices.ts
@mattkime mattkime added the backport This PR is a backport of another PR label Oct 2, 2025
@mattkime mattkime enabled auto-merge (squash) October 2, 2025 15:23
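
The least-privilege check described in the summary above, as an added example that is not part of this pull request or Kibana's code. It assumes the check is made through Elasticsearch's `_security/user/_has_privileges` API; the function names and sample responses are hypothetical and constructed for illustration.

```typescript
// Added example: hypothetical helper names, not Kibana's reindex_service code.
type HasPrivilegesRequest = {
  cluster: string[];
  index: { names: string[]; privileges: string[] }[];
};
// Fields of the _security/user/_has_privileges response that the check reads.
type HasPrivilegesResponse = {
  has_all_requested?: boolean;
  cluster?: Record<string, boolean>;
  index?: Record<string, Record<string, boolean>>;
};

// Request body: cluster "manage" plus "all" on the indices being reindexed.
// The .tasks index is deliberately absent; only superuser can access it.
function buildReindexPrivilegeCheck(indexNames: string[]): HasPrivilegesRequest {
  return { cluster: ['manage'], index: [{ names: indexNames, privileges: ['all'] }] };
}

// Every requested privilege the response does not explicitly grant.
// A missing key counts as denied, so a malformed response fails closed.
function missingPrivileges(req: HasPrivilegesRequest, res: HasPrivilegesResponse): string[] {
  const missing: string[] = [];
  for (const priv of req.cluster) {
    if (res.cluster?.[priv] !== true) missing.push(`cluster:${priv}`);
  }
  for (const { names, privileges } of req.index) {
    for (const name of names) {
      for (const priv of privileges) {
        if (res.index?.[name]?.[priv] !== true) missing.push(`index:${name}:${priv}`);
      }
    }
  }
  return missing;
}

function canReindex(req: HasPrivilegesRequest, res: HasPrivilegesResponse): boolean {
  return res.has_all_requested === true && missingPrivileges(req, res).length === 0;
}

// Constructed sample responses (not captured from a real cluster).
const sampleRequest = buildReindexPrivilegeCheck(['logs-old']);
const grantedResponse: HasPrivilegesResponse = {
  has_all_requested: true, cluster: { manage: true }, index: { 'logs-old': { all: true } },
};
const readOnlyResponse: HasPrivilegesResponse = {
  has_all_requested: false, cluster: { manage: false }, index: { 'logs-old': { all: false } },
};
console.log(canReindex(sampleRequest, grantedResponse), missingPrivileges(sampleRequest, readOnlyResponse));
```
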
elasticmachine commented Oct 2, 2025

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #12 / reindex API GET /api/upgrade_assistant/reindex/{indexName} returns es errors
  • [job] [logs] Jest Tests #12 / reindex API GET /api/upgrade_assistant/reindex/{indexName} returns es errors
  • [job] [logs] Jest Tests #12 / reindex API GET /api/upgrade_assistant/reindex/{indexName} returns null for both if reindex operation doesn't exist and index doesn't exist
  • [job] [logs] Jest Tests #12 / reindex API GET /api/upgrade_assistant/reindex/{indexName} returns null for both if reindex operation doesn't exist and index doesn't exist
  • [job] [logs] Jest Tests #12 / reindex API GET /api/upgrade_assistant/reindex/{indexName} returns the attributes of the reindex operation and reindex warnings
  • [job] [logs] Jest Tests #12 / reindex API GET /api/upgrade_assistant/reindex/{indexName} returns the attributes of the reindex operation and reindex warnings
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} calls worker.forceRefresh
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} calls worker.forceRefresh
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} creates a new reindexOp
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} creates a new reindexOp
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} inserts headers into the credentialStore
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} inserts headers into the credentialStore
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} resumes a reindexOp if it is paused
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} resumes a reindexOp if it is paused
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} returns a 403 if required privileges fails
  • [job] [logs] Jest Tests #12 / reindex API POST /api/upgrade_assistant/reindex/{indexName} returns a 403 if required privileges fails
  • [job] [logs] Jest Tests #12 / reindexService hasRequiredPrivileges calls security API with basic requirements
  • [job] [logs] Jest Tests #12 / reindexService hasRequiredPrivileges calls security API with basic requirements

Metrics [docs]

✅ unchanged

History

@mattkime mattkime closed this Oct 3, 2025
auto-merge was automatically disabled October 3, 2025 01:32

Pull request was closed

@mattkime mattkime deleted the backport/9.1/pr-237055 branch October 3, 2025 01:32