Open n1v0lg opened 2 years ago
Pinging @elastic/es-core-infra (Team:Core/Infra)
To add a bit of context to this, when we see a new index get created in the .security-tokens*
pattern, we grab that descriptor and apply it to the newly-created index - including the alias from the descriptor, if it has one. That alias now points at two indices, so writes to the alias fail.
This only happens if users are messing around in system-index-reserved namespaces, but it's still surprising that this can happen and possibly we should fail earlier, or handle the case of a second index being created for a descriptor that has an alias configured differently.
In the original implementation, I think we could only autocreate an index with the primary index descriptor, and any attempt to autocreate a different index matching the system index descriptor would write to the primary index. https://github.com/elastic/elasticsearch/pull/77045
I'm going to see if I can isolate this behavior in the autocreate logic, for simplicity. Since we want to be able to reindex system indices for migration, I don't think we should catch this in the reindex code.
I've reproduced this with the logic to auto-create system indices:
IllegalArgumentException
: no write index is defined...We need to make sure we propagate changes to existing indices and aliases too. Right now the logic for doing that would go in the SystemIndexMetatdataUpgradeService
class.
Elasticsearch Version
local cluster running master commit 22824e47bc894e7d06e27a6fa7b221488516cb35, 8.2.0-SNAPSHOT
Installed Plugins
No response
Java Version
17
OS Version
Darwin Kernel Version 21.3.0
Problem Description
In ES 8.x, re-indexing
.security-tokens
to a new index in the right namespace, e.g.,.security-tokens-8
, results in the creation of a new "duplicate" index and a subsequent error state when attempting to use the.security-tokens
index, effectively breaking it. The underlying issue is that the.security-tokens
alias consequently points to two indeces.This likely extends to other system indeces as well, not just
.security-tokens
.Instead of allowing the re-index to proceed, we should prevent the operation, similar to how we prevent creating a new index
.security-tokens-*
within the namespace if an index already exists.Steps to Reproduce
Trigger
.security-tokens
index creation:Re-index:
Attempt to use index again:
Results in 400 and error log:
Running
GET /_cat/indices?expand_wildcards=all
shows that there are now two indeces for the.security-tokens
alias (.security-tokens-42
and.security-tokens-7
)