System Indices

[jaymode]

This issue serves as an overarching issue for what we call System Indices and details our plan to implement this feature.

As Elasticsearch and the rest of the stack has evolved, there is an increasing reliance on indices as an implementation detail of features. Certain features are critical, like Security, and this implementation detail should not be necessary for a user to know or think about. Unfortunately, this implementation detail has been exposed to users in various ways.

In general, most of the indices that would be considered system indices have names that start with a . and are referred to as dot indices. This is modeled after dot files to suggest that the index is an implementation detail that should not be interacted with. Searches over all indices, such as those done by Kibana by default, include dot indices, while to a user all indices means all indices they created. Snapshots include dot indices by default, but restoring dot indices does not work since the intended index already exists and should be wholly replaced. And upgrades of dot indices are managed with complicated aliases and versioned names, where each dot index has its own versioning and upgrade logic that must be run externally.

Dot indices will be superseded by system indices that are registered through a module or plugin. A special plugin type will be added that defines the system indices that the plugin provides along with the mappings and APIs necessary to access these indices. The existing search API (and other data APIs) will not be able to search a system index. APIs used for monitoring and troubleshooting will continue to operate as they do today and include system indices in their output.

There are some dot indices that do not necessarily fit the mold of a normal system index; instead they store data that the system produces with the intent that users can also query against this data. For these indices we will move to adding a hidden index that will not be resolved by default for wildcards. These indices can be specifically requested or an IndicesOption can be specified so that these indices are not ignored during wildcard resolution. An index may only be marked as hidden at creation time and will be done so through the use of an index setting.

Hidden indices will not may have names that are prefixed by a dot. Hidden indices will not inherit from a global index template.

In order to facilitate the migration from accessing dot indices directly the following phased approach will be taken.

The initial work is the introduction of the infrastructure to define hidden indices and system index plugins with dedicated APIs.

Tasks

• [X] Deprecate the creation with dot indices in 7.x unless the call is made from a system index plugin or the index is hidden. #49959
• [x] Introduce hidden indices. #50452
• [x] Introduce hidden aliases. #52547
• [x] Create .kibana system index plugins with APIs necessary for migration #52385
• [x] Handle hidden indices in the Index Management UI (elastic/kibana#56532)
• [x] Logstash plugin for pipelines #53350

The above steps will get us to a point where other teams can begin migrating from direct access to their system index and make use of the new APIs. The majority of the internal (to Elasticsearch) work will still need to be implemented.

• [x] System index reads in their own threadpool
• [x] System index writes in their own threadpool
• [x] Prioritized recovery of system indices
• [x] Security changes for logstash system index APIs
• [x] System index interaction deprecation
• [x] System indices should always be allowed to be created even with action.auto_create_index set.
• [x] Verify whether we need more than require_alias for hidden indices with a write alias
• [x] Setting in component templates that allows overriding action.auto_create_index. This will enable hidden indices for things like watcher and monitoring to always be created.
• [x] API for deletion of System Indices
• [ ] Allow system indices to opt-in to being created upon startup with specified mappings, settings, aliases
• [x] Snapshot and restore of system indices
• [ ] Allow updating mappings/settings on existing system indices
• [ ] Disallow direct access of system indices
• [x] Enable automated upgrade of indices
• [ ] Add allocation knowledge for cases like hot/warm/cold and availability zones
• [ ] Smarter replication for system indices (continue to use auto expand 0-1 or maybe a new scheme?)
• [ ] Flood stage watermark bypass?

System Index Patterns

IngestGeoIpPlugin

• .geoip_databases

KibanaPlugin

• .kibana_* (alias: .kibana)
• .reporting-*
• .apm-agent-configuration
• .apm-custom-link

AsyncResultsIndexPlugin

• .async-search

EnrichPlugin

• .enrich-*

Fleet

• .fleet-actions~(-results*) (alias: .fleet-actions)
• .fleet-agents*(alias: .fleet-agents)
• .fleet-enrollment-api-keys* (alias: .fleet-enrollment-api-keys)
• .fleet-policies-[0-9]+* (alias: .fleet-policies)
• .fleet-policies-leader* (alias: .fleet-policies-leader)
• .fleet-servers* (alias: .fleet-servers)
• .fleet-artifacts* (alias: .fleet-artifacts)
• .fleet-actions-results

Logstash

• .logstash

MachineLearning

• .ml-meta*
• .ml-config*
• .ml-inference-* [associated indices]
• .ml-anomalies-*
• .ml-state*
• .ml-stats-*
• .ml-notifications*
• .ml-annotations*

SearchableSnapshots

• .snapshot-blob-cache

Security

• .security-[0-9]+ (alias: .security)
• .security-tokens-[0-9]+ (alias: .security-tokens)

Transforms

• .transform-internal-* [associated indices]
• .transform-notifications-*

Watcher

• .watches*
• .triggered_watches*

APIs allowed to access system indices

The APIs that we currently plan to allow system index access for are:

• GET _cluster/health
• GET {index}/_recovery
• GET _cluster/allocation/explain
• GET _cluster/state
• POST _cluster/reroute
• GET {index}/_stats
• GET {index}/_segments
• GET {index}/_shard_stores
• GET _cat/[aliases,indices,health,recovery,shards,segments]

[elasticmachine]

Pinging @elastic/es-core-infra (:Core/Infra/Core)

[hendrikmuhs]

What about POST _refresh?

This currently returns the deprecation warning added in #60945. It's odd that even in case I do not specify a concrete name I get the warning. It's unclear for a user what was wrong. Looks like the resolver should filter out system indices.

[gwbrown]

It's odd that even in case I do not specify a concrete name I get the warning.

This is one of the less intuitive effects of deprecating access to system indices - using a total wildcard (*/_all, as POST _refresh does under the hood) results in a deprecation warning because system indices are indeed accessed as part of that request. The best way to prevent the deprecation warning is to specify an index pattern that does not include system indices.

We went back and forth on this behavior in https://github.com/elastic/elasticsearch/pull/60945, but ultimately decided to accept some odd deprecation warnings as the alternative is sometimes not warning when a request will change behavior in 8.0.

Looks like the resolver should filter out system indices.

This is indeed what we plan to do for 8.0 - but we can't yet as there are few pieces of infrastructure we're still working on. In the checklist in the OP, the items above Disallow direct access of system indices need to be addressed before we can start filtering out system indices. At that time, we'll also remove the deprecation warnings from master. Not that these changes will only be made in master, as filtering system indices from requests in 7.x would be a breaking change.

It was suggested on Slack that we could adjust the text of the deprecation warnings if a total wildcard is in use, to clarify things for users. This is possible, but is not trivial as Security obscures the original index pattern before we emit the deprecation warning - there's code in the history of https://github.com/elastic/elasticsearch/pull/60945 to allow changing the behavior of the deprecation warning for total wildcards, but it's a bit hacky.

[nemhods]

Hey, i just got to the bottom of a problem that prevented Fleet Server from working, and it comes back to this issue. I had an index template set up like { "index_patterns": [ "*" ], "order": 10, "settings": { "number_of_shards": "2", "number_of_replicas": "1" } } }

... which also affected the system indices .fleet-actions and .fleet-policies. This resulted in the fleet server not working, logging lines like:

{"log.level":"info","index":".fleet-actions","ctx":"index monitor","error.message":"elastic fail 400:status_exception:wait_for_advance only supports indices with one shard. [shard count: 2]","@timestamp":"2021-06-13T16:38:14.423Z","message":"failed on waiting for global checkpoints advance"}

I manually repaired this by shrinking the affected indices down to one shard again, as well as changing my custom template. This wouldn't have happened if my custom wildcard template was prevented from tampering with system indices.

More here: https://discuss.elastic.co/t/osquery-live-queries-dont-go-through/274428/5

[williamrandolph]

@nemhods Thanks for reporting this issue with Fleet Server and system indexes. That was impressive detective work, helpfully explained, and we appreciate it a lot. I've created a new issue for some targeted work around templates and system indices: #74271

[hungnguyen-elastic]

What is the plan for the .ds-* data stream indices? They are not really system indices but when users try to delete the index that is part of a data stream, Kibana gives this error which seems more scary than it really is

[gwbrown]

@hungnguyen-elastic That seems like a Kibana bug. Data stream backing indices are hidden indices, and have been since their introduction.

[hungnguyen-elastic]

Thanks @gwbrown - ticket #106040 was created for this

Fyi @nicpenning and @nmprokop

[stefnestor]

Had pasted reformatted table of system indices. It's not "official" in any sense. Removing to sub-drop-down to avoid confusing folks googling.

before

👋🏼 This Github appears to be a popular [system index](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#system-indices) reference point / collection, so expanding known indices/aliases from description list (still hugely WIP): feature | alias | index --|--|-- elastic endgame | `endgame-${version}` | `endgame-${version}-*` elasticsearch enrich geoip | NULL | `.geoip_databases` elasticsearch enrich | UNK | `.enrich-*` elasticsearch index ilm | `ilm-history-${#}` | `ilm-history*` elasticsearch index search async | NULL | `.async-search` elasticsearch index searchable snapshot | NULL | `.snapshot-blob-cache` elasticsearch ingest transform | `.data-frame-internal-${#}` | `.transform-internal-*` elasticsearch ingest transform | `.transform-notifications-read` | `.transform-notifications-*` elasticsearch node (task/threadPool?) | NULL | `.tasks` ([StackOverFlow](https://stackoverflow.com/questions/54882478/elasticsearch-tasks-index-usage)) at least v5.0 through v17.0 elasticsearch security | `.security-tokens` | `.security-tokens-[0-9]+` elasticsearch security | `.slm-history-${#}` | `.security-[0-9]+` elasticsearch snapshot slm | `.slm-history-${#}` | `.slm-history*` elasticsearch watcher | UNK | `.triggered_watches*` elasticsearch watcher | UNK | `.watches*` kibana analytic machine learning | UNK | `.ml-annotations*` kibana analytic machine learning | UNK | `.ml-anomalies-*` kibana analytic machine learning | UNK | `.ml-config*` kibana analytic machine learning | UNK | `.ml-inference-*` kibana analytic machine learning | UNK | `.ml-meta*` kibana analytic machine learning | UNK | `.ml-notifications*` kibana analytic machine learning | UNK | `.ml-state*` kibana analytic machine learning | UNK | `.ml-stats-*` kibana entSearch | UNK | `.ent-search*` kibana fleet | `.fleet-actions` | `.fleet-actions~(-results*)` kibana fleet | `.fleet-agents` | `.fleet-agents*` kibana fleet | `.fleet-artifacts` | `.fleet-artifacts*` kibana fleet | `.fleet-enrollment-api-keys` | `.fleet-enrollment-api-keys*` kibana fleet | `.fleet-policies-leader` | `.fleet-policies-leader*` kibana fleet | `.fleet-policies` | `.fleet-policies-[0-9]+*` kibana fleet | `.fleet-servers` | `.fleet-servers*` kibana fleet | UNK | `.fleet-actions-results` kibana observ apm | UNK | `.apm-agent-configuration` kibana observ apm | UNK | `.apm-custom-link` kibana reporting | UNK | `.reporting-*` kibana security | NULL | `.kibana_security_session*` kibana siem | `.alerts-security.alerts-${space}` | `.alerts-security.alerts-*`, `.siem-signals-${space}-*` kibana siem | `.items-${space}` | `.items-${space}-*` kibana siem | `.lists-${space}` | `.lists-${space}-*` kibana siem | UNK | `.alerts-observability` kibana | `.kibana-event-log-${version}` | `.kibana-event-log-${version}-*` kibana | `.kibana_task_manager` | `.kibana_task_manager_${version}_*` kibana | `.kibana` | `.kibana_${version}_*` logstash | UNK | `.logstash` UNK | UNK | `.metrics-endpoint`

[elasticsearchmachine]

Pinging @elastic/es-core-infra (Team:Core/Infra)

[krishhteja]

Once everything is migrated and access system indices is removed, is it possible to access to system indices with some elevated permissions or using rules? or is it not possible at all?

[williamrandolph]

@krishhteja There are still some back doors for superuser access to system indices, but our intention is that any management of or interaction with a system index can be performed via feature-specific REST APIs. See, for example, the PUT /_security/settings API. If there's something you need to be able to do but we don't have an API for it, we can consider a feature request, though you may want to raise your issue in our discuss forums first.