-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to 8.0: Reindexing .security
index fails if security-index-template-v6
is still present
#86801
Comments
Pinging @elastic/es-security (Team:Security) |
I was able to reproduce this. I have tried migrating a Security index created in version 6. If there is a template (I've only tested a legacy templates, but I think the composite templates behave the same), and the I don't think we should apply templates when we migrate the .security index. |
The unexpected effects of templates on important internal indices were a big motivation for creating system indices in the first place. Unfortunately, we didn't manage to get to #42508 before the 8.0 release, so now anything we do needs to be backwards-compatible. But it's a big problem and I need to work on a solution for it. For this specific issue, we could add a pre-migration hook to the @Override
public void prepareForIndicesMigration(ClusterService clusterService, Client client, ActionListener<Map<String, Object>> listener) {
Client originClient = new OriginSettingClient(client, ClientHelper.SECURITY_ORIGIN);
originClient.execute(
DeleteIndexTemplateAction.INSTANCE,
new DeleteIndexTemplateRequest("security-index-template-v6"),
ActionListener.wrap(response -> listener.onResponse(Map.of()), listener::onFailure)
);
} I'm not sure if there's something better to do with the listener; the map is used for passing state to a post-upgrade hook. |
I tried to reproduce this with a 6.8-to-7.17 upgrade. There was no The migration issues a create index request, and the code in the The core-infra team is going to sync up next week and we'll report back with a plan of action. This is a symptom of an old, old problem (see #42508) and we need a plan for getting past it. |
We talked this over today and decided to try two things:
If we can get these two fixes merged, we'll prevent future 7.x-to-8.x upgrades from having this problem, and avoid having the issue keep biting us in the 8.x line of releases. |
Elasticsearch Version
7.17
Installed Plugins
No response
Java Version
bundled
OS Version
Any
Problem Description
Symptoms
This problem can occur during the running of the
7.17
Upgrade AssistantMigrate system indices
action:System indices migration failed. An error occurred while migrating system indices for security: exception
error is reported."reason": "mapping set to strict, dynamic introduction of [allow_restricted_indices] within [indices] is not allowed"
, and other similar messages for the new.security-7-reindexed-for-8
index.GET /_migration/system_features
.security-index-template-v6
), that matches the.security-*
index pattern.Fix/Workaround
The following should be done to fix the migration issue:
security-index-template-v6
..security-7-reindexed-for-8
index.Migrate system indices
action form the Upgrade Assistant.Steps to Reproduce
The required reindexing step of the
.security-7
index may fail, if older index templates matching the.security-*
index pattern are still present. This may occur on clusters that were originally created on version 5.x.Logs (if relevant)
No response
The text was updated successfully, but these errors were encountered: