From 9f812df96a871ac1360c323f85a57269a51f4fa2 Mon Sep 17 00:00:00 2001 
From: Matthew Kime Date: Thu, 2 Oct 2025 08:43:31 -0500 Subject: [PATCH 1/3] [Upgrade Assistant] Fix privileges for reindexing indices (#237055) ## Summary Previously Upgrade Assistant was checking for `.tasks` index access when checking privileges in order to reindex an index. Only the `superuser` role provides access. Further, access is not needed as it has been replaced by the tasks API which is available via `cluster: ['manage']`. Additionally, the saved objects client usage required the `superuser` role since the reindex saved object was hidden and we didn't have a way of providing kibana feature privileges for the saved object. The solution is to rely on our preexisting privilege checks (cluster: manage and 'all' access for the particular indices being reindexed) and use the internal saved object client. Part of https://github.com/elastic/kibana/issues/237054 To test - Create a role with the following (index names could be more limited and it should work) ``` { "cluster": [ "manage" ], "index" : [ { "names": [ "*" ], "privileges": [ "all" ] } ] } ``` assign it to a user. Now try running upgrade assistant and reindexing with that user. It should work. Simplified testing of upgrade assistant - To test, follow directions here - https://github.com/elastic/kibana/pull/228705 Mocked response - https://github.com/elastic/kibana/pull/230021/commits/5aab34cdcee2df76d702a058348388a7d10fb73c#diff-f7eb2d7fe666aad1bedcd73d356612d2f74f81c76ba2e8e26b2983b9fb92a661R50 --- Release note Fixes privilege requirements when reindexing indices via Upgrade Assistant. Previously, the "superuser" role was required. Now "cluster: manage" and "all" privileges for the relevant indices are sufficient. 
(cherry picked from commit 0250b590f20ac6dcdc5df64ee0a8fd758553957c) # Conflicts: # x-pack/platform/plugins/private/reindex_service/server/src/lib/reindex_service_wrapper.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/batch_reindex_indices.ts # x-pack/platform/plugins/private/reindex_service/server/src/routes/reindex_indices.ts # x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.test.ts # x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.ts --- .../lib/reindexing/reindex_service.test.ts | 4 ---- .../server/lib/reindexing/reindex_service.ts | 4 ---- .../reindex_indices/batch_reindex_indices.ts | 15 ++++++++++----- .../routes/reindex_indices/reindex_indices.ts | 18 ++++++++++-------- 4 files changed, 20 insertions(+), 21 deletions(-) diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.test.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.test.ts index 7726dceffb7d5..de94a66f9ed34 100644 --- a/x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.test.ts +++ b/x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.test.ts @@ -109,10 +109,6 @@ describe('reindexService', () => { allow_restricted_indices: true, privileges: ['all'], }, - { - names: ['.tasks'], - privileges: ['read'], - }, ], }, }); diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.ts index 31bfe99f34c75..abcbf1897e4b2 100644 --- a/x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.ts +++ b/x-pack/platform/plugins/private/upgrade_assistant/server/lib/reindexing/reindex_service.ts 
@@ -457,10 +457,6 @@ export const reindexServiceFactory = ( allow_restricted_indices: true, privileges: ['all'], }, - { - names: ['.tasks'], - privileges: ['read'], - }, ], }, }); diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts index 5307299c366d1..203481b00fbfd 100644 --- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts +++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts @@ -7,6 +7,7 @@ import { schema } from '@kbn/config-schema'; import { errors } from '@elastic/elasticsearch'; +import { SavedObjectsClient } from '@kbn/core/server'; import { API_BASE_PATH } from '../../../common/constants'; import { REINDEX_OP_TYPE, ReindexStatus } from '../../../common/types'; @@ -26,12 +27,18 @@ export function registerBatchReindexIndicesRoutes( licensing, log, getSecurityPlugin, + getSavedObjectsService, lib: { handleEsError }, }: RouteDependencies, getWorker: () => ReindexWorker ) { const BASE_PATH = `${API_BASE_PATH}/reindex`; + + const soClient = new SavedObjectsClient( + getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) + ); + // Get the current batch queue router.get( { @@ -47,12 +54,11 @@ export function registerBatchReindexIndicesRoutes( versionCheckHandlerWrapper(async ({ core }, request, response) => { const { elasticsearch: { client: esClient }, - savedObjects, } = await core; - const { getClient } = savedObjects; const callAsCurrentUser = esClient.asCurrentUser; + const reindexActions = reindexActionsFactory( - getClient({ includedHiddenTypes: [REINDEX_OP_TYPE] }), + soClient, callAsCurrentUser ); try { 
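Review bot: With the `.tasks` entry removed from the `index` array in `reindexServiceFactory`, nothing in this hunk shows which check now covers task access. The commit message says the tasks API is reachable with `cluster: ['manage']`, but the cluster part of the privilege request lies outside the hunk, so it should be confirmed that `manage` is actually requested there. A short comment above the array would keep the entry from being re-added later, for example `// No '.tasks' read check: task status is read through the tasks API, which only needs cluster 'manage'.` The matching hunk in `reindex_service.test.ts` only deletes the old expectation, so nothing in the visible tests pins the new requirement.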
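Review bot: In `batch_reindex_indices.ts` at `@@ -47,12 +54,11 @@`, the GET queue handler now passes `soClient`, built from `createInternalRepository([REINDEX_OP_TYPE])`, to `reindexActionsFactory`, so `findAllByStatus` no longer runs through the request-scoped client and its per-user saved-object authorization. The visible lines show no Elasticsearch privilege check before the listing; the route options and the rest of the handler are outside the hunk, so confirm that the route itself limits who can read the queue, since the returned operations presumably name indices the caller may not be allowed to see. The same substitution appears in the POST handler at `@@ -102,7 +107,7 @@` and in `reindex_indices.ts` at `@@ -48,13 +54,13 @@` and `@@ -91,16 +97,12 @@`, where authorization rests on checks inside `reindexHandler` and `reindexServiceFactory` that this diff does not show. I would state that contract next to the client: `// Internal SO client: not scoped to the requesting user; callers must enforce cluster 'manage' and index 'all' before using it.`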
@@ -91,7 +97,6 @@ export function registerBatchReindexIndicesRoutes( }, versionCheckHandlerWrapper(async ({ core }, request, response) => { const { - savedObjects: { getClient }, elasticsearch: { client: esClient }, } = await core; const { indexNames } = request.body; @@ -102,7 +107,7 @@ export function registerBatchReindexIndicesRoutes( for (const indexName of indexNames) { try { const result = await reindexHandler({ - savedObjects: getClient({ includedHiddenTypes: [REINDEX_OP_TYPE] }), + savedObjects: soClient, dataClient: esClient, indexName, log, diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts index 9fc8ff6c0a75a..07364c9d78881 100644 --- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts +++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts @@ -7,6 +7,7 @@ import { schema } from '@kbn/config-schema'; import { errors } from '@elastic/elasticsearch'; +import { SavedObjectsClient } from '@kbn/core/server'; import { API_BASE_PATH } from '../../../common/constants'; import { ReindexStatusResponse, REINDEX_OP_TYPE } from '../../../common/types'; @@ -24,12 +25,17 @@ export function registerReindexIndicesRoutes( licensing, log, getSecurityPlugin, + getSavedObjectsService, lib: { handleEsError }, }: RouteDependencies, getWorker: () => ReindexWorker ) { const BASE_PATH = `${API_BASE_PATH}/reindex`; + const soClient = new SavedObjectsClient( + getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) + ); + // Start reindex for an index router.post( { 
@@ -48,13 +54,13 @@ export function registerReindexIndicesRoutes( }, versionCheckHandlerWrapper(async ({ core }, request, response) => { const { - savedObjects: { getClient }, elasticsearch: { client: esClient }, } = await core; const { indexName } = request.params; + try { const result = await reindexHandler({ - savedObjects: getClient({ includedHiddenTypes: [REINDEX_OP_TYPE] }), + savedObjects: soClient, dataClient: esClient, indexName, log, @@ -91,16 +97,12 @@ export function registerReindexIndicesRoutes( }, versionCheckHandlerWrapper(async ({ core }, request, response) => { const { - savedObjects, elasticsearch: { client: esClient }, } = await core; - const { getClient } = savedObjects; const { indexName } = request.params; const asCurrentUser = esClient.asCurrentUser; - const reindexActions = reindexActionsFactory( - getClient({ includedHiddenTypes: [REINDEX_OP_TYPE] }), - asCurrentUser - ); + + const reindexActions = reindexActionsFactory( soClient, asCurrentUser); const reindexService = reindexServiceFactory(asCurrentUser, reindexActions, log, licensing); try { From 131805cc30c2424ca06c97f87c00dcb446f2f0b0 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 2 Oct 2025 16:11:13 +0000 Subject: [PATCH 2/3] [CI] Auto-commit changed files from 'node scripts/eslint_all_files --no-cache --fix' --- .../server/routes/reindex_indices/batch_reindex_indices.ts | 6 +----- .../server/routes/reindex_indices/reindex_indices.ts | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts index 203481b00fbfd..8776462e14cb2 100644 --- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts 
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts @@ -34,7 +34,6 @@ export function registerBatchReindexIndicesRoutes( ) { const BASE_PATH = `${API_BASE_PATH}/reindex`; - const soClient = new SavedObjectsClient( getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) ); @@ -57,10 +56,7 @@ export function registerBatchReindexIndicesRoutes( } = await core; const callAsCurrentUser = esClient.asCurrentUser; - const reindexActions = reindexActionsFactory( - soClient, - callAsCurrentUser - ); + const reindexActions = reindexActionsFactory(soClient, callAsCurrentUser); try { const inProgressOps = await reindexActions.findAllByStatus(ReindexStatus.inProgress); const { queue } = sortAndOrderReindexOperations(inProgressOps); diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts index 07364c9d78881..ff62c65843681 100644 --- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts +++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts @@ -102,7 +102,7 @@ export function registerReindexIndicesRoutes( const { indexName } = request.params; const asCurrentUser = esClient.asCurrentUser; - const reindexActions = reindexActionsFactory( soClient, asCurrentUser); + const reindexActions = reindexActionsFactory(soClient, asCurrentUser); const reindexService = reindexServiceFactory(asCurrentUser, reindexActions, log, licensing); try { From c72f6b31aaba332efff13804b15aacd1b405b95d Mon Sep 17 00:00:00 2001 
From: Matthew Kime Date: Thu, 2 Oct 2025 11:16:12 -0500 Subject: [PATCH 3/3] fix so service access --- .../reindex_indices/batch_reindex_indices.ts | 14 +++++++++----- .../routes/reindex_indices/reindex_indices.ts | 15 ++++++++++----- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts index 203481b00fbfd..ce47edca18340 100644 --- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts +++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts @@ -34,11 +34,6 @@ export function registerBatchReindexIndicesRoutes( ) { const BASE_PATH = `${API_BASE_PATH}/reindex`; - - const soClient = new SavedObjectsClient( - getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) - ); - // Get the current batch queue router.get( { @@ -57,6 +52,10 @@ export function registerBatchReindexIndicesRoutes( } = await core; const callAsCurrentUser = esClient.asCurrentUser; + const soClient = new SavedObjectsClient( + getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) + ); + const reindexActions = reindexActionsFactory( soClient, callAsCurrentUser @@ -100,6 +99,11 @@ export function registerBatchReindexIndicesRoutes( elasticsearch: { client: esClient }, } = await core; const { indexNames } = request.body; + + const soClient = new SavedObjectsClient( + getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) + ); + const results: PostBatchResponse = { enqueued: [], errors: [], diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts index 07364c9d78881..ad0088da749c0 100644 
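Review bot: The same `new SavedObjectsClient(getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]))` construction is now pasted into both handlers of `batch_reindex_indices.ts` (`@@ -57,6 +52,10 @@` and `@@ -100,6 +99,11 @@`) and into both handlers of `reindex_indices.ts` (`@@ -58,6 +54,10 @@` and `@@ -102,7 +102,12 @@`). Because this client is built on the internal repository rather than the request-scoped one, a single lazy factory declared once in the registration function would keep the privileged access in one auditable place: `const getReindexSoClient = () => new SavedObjectsClient(getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]));`, with each handler calling `getReindexSoClient()`. A one-line comment on that factory should say why it is evaluated per request rather than at route registration, which the subject line "fix so service access" does not explain.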
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts +++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts @@ -32,10 +32,6 @@ export function registerReindexIndicesRoutes( ) { const BASE_PATH = `${API_BASE_PATH}/reindex`; - const soClient = new SavedObjectsClient( - getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) - ); - // Start reindex for an index router.post( { @@ -58,6 +54,10 @@ export function registerReindexIndicesRoutes( } = await core; const { indexName } = request.params; + const soClient = new SavedObjectsClient( + getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) + ); + try { const result = await reindexHandler({ savedObjects: soClient, @@ -102,7 +102,12 @@ export function registerReindexIndicesRoutes( const { indexName } = request.params; const asCurrentUser = esClient.asCurrentUser; - const reindexActions = reindexActionsFactory( soClient, asCurrentUser); + + const soClient = new SavedObjectsClient( + getSavedObjectsService().createInternalRepository([REINDEX_OP_TYPE]) + ); + + const reindexActions = reindexActionsFactory(soClient, asCurrentUser); const reindexService = reindexServiceFactory(asCurrentUser, reindexActions, log, licensing); try {
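Review bot: The hunk at `@@ -102,7 +102,12 @@` removes `reindexActionsFactory( soClient, asCurrentUser);` in its pre-lint spelling, which PATCH 2/3 has already rewritten to `reindexActionsFactory(soClient, asCurrentUser);`. Both patches start from the same blobs (`07364c9d78881` for this file, `203481b00fbfd` for `batch_reindex_indices.ts`), and the `batch_reindex_indices.ts` hunk at `@@ -57,6 +52,10 @@` still carries the multi-line `reindexActionsFactory(` call as context. Applied in the numbered order, PATCH 3/3 therefore looks unlikely to apply cleanly on top of PATCH 2/3. Rebasing this commit onto the lint commit, or re-running the fixer as the last commit, would keep the backport series applicable as numbered.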