Stop accessing System Indices directly in REST tests #62501
Comments
gwbrown
added
>test
|
Pinging @elastic/es-core-infra (:Core/Infra/Build) |
|
Pinging @elastic/es-security (:Security/Security) |
|
Pinging @elastic/es-core-features (:Core/Features/Watcher) |
|
Pinging @elastic/ml-core (:ml) |
|
Pinging @elastic/es-distributed (:Distributed/Task Management) |
|
Pinging @elastic/ml-core (:ml/Transform) |
elasticmachine
added
Team:Core/Infra
|
As for some of the transform tests: Some tests challenge the robustness of the system (e.g. It would be good to have a way to mark single tests as valid case, similar to |
|
cc @elastic/clients-team this will affect us as well. |
Validating the behavior of the system in the event of a user doing something they shouldn't like this is a valid use case for either using this parameter and/or ignoring deprecation warnings as necessary for as long as this behavior is allowed. However, our intent is to disable access to System Indices via REST entirely, so these tests would no longer be valid at that time (because the user can no longer be evil and delete the transform index). In that case, we should note that the test case can be removed when it is no longer possible to access System Indices via REST.
These cases still run into the same issue - eventually, it will not be possible to access these indices via the general-purpose index APIs. For these, I can think of a few options - we could either move the mapping verification into Elasticsearch and expose it as an endpoint (e.g. |
This raises a very important question. At the moment all indices are removed in between YAML tests. This is done in the test client. What is the plan for system indices in between YAML tests? Will they eventually not be cleaned up in between YAML tests like user-visible indices? Or will there be a special API to delete all system indices in between YAML tests? Basically, the problem Martijn outlined doesn't just affect the language clients maintained by the clients team but also the test harness used within the Elasticsearch repo, and the solution should be the same for both. |
|
System Indices will be wiped between REST tests (both YAML and Java) at the same point they are today. Exactly how we're going to implement this when the Reworking the tests to not wipe system indices between tests would be a large undertaking, and has not been something we've even seriously considered thus far. |
|
I think a "factory reset" API should be added as a must to the meta issue before eventually locking the access to system indices. We see users doing a manual reset by deleting the indices very often in ML. A challenge to that: For a factory reset any jobs(ml/transform/rollup/...) must be stopped. You also might not want to reset everything but only parts. I think it makes sense to have a reset per feature and a global reset that calls all of them. |
|
I like the idea of a "factory reset" API. That would make our cleanup in between tests as simple as "call the factory reset API". At the moment we have lots of bits of cleanup code that are written differently for internal cluster tests, REST tests and integration tests that use the node client. If that logic was moved into Elasticsearch server-side then the client-side cleanup code would be trivial. This would also help the language clients in the long run (after the initial pain of switching over). At the moment they have to try to mimic the various bits of cleanup code we run in every language.
Yes agreed. To properly "factory reset" would involve more than simply deleting all the system indices. In fact, having a documented API that just deletes all system indices could cause problems. For ML if system indices are deleted before persistent tasks are cancelled then those persistent tasks become hard to deal with. Also, ML has a mix of hidden and system indices, and deleting the system indices while leaving the hidden indices behind will cause weird effects if ML is used again afterwards. So a factory reset would look something like:
|
|
@hendrikmuhs @droberts195 I've opened #62778 to cover that issue, and linked it from the |
This test accesses system indices for 2 reasons. First, it creates a filter that has a different type. This was done to assert that filter is not returned from the APIs. However, now that access to the `.ml-meta` index is restricted, it is not really a concern. Second, it creates a `.ml-meta` index without mappings to test the get API does not fail due to lack of mappings on a sorted field, namely the `filter_id`. Once again, this test is less useful once system indices have restricted access. Relates elastic#62501
Make use of the new query watches api to simply list watches or to delete all watches using the delete watch api. Relates to #62501
Backporting elastic#65835 to 7.x branch. Make use of the new query watches api to simply list watches or to delete all watches using the delete watch api. Relates to elastic#62501
Make use for the cluster state api to check the index.format setting of the .watches index instead of querying the index settings api. This removes the last direct usage of .watches index mentioned in elastic#62501.
Make use for the cluster state api to check the index.format setting of the .watches index instead of querying the index settings api. This removes the last direct usage of .watches index mentioned in #62501.
Backport elastic#65884 to 7.x branch. Make use for the cluster state api to check the index.format setting of the .watches index instead of querying the index settings api. This removes the last direct usage of .watches index mentioned in elastic#62501.
mark-vieira
removed
:Delivery/Build
|
FYI, I'm removing the Delivery team label here since the focus here is on specific test implementations not testing infrastructure. |
|
Pinging @elastic/ml-core (Team:ML) |
|
Pinging @elastic/es-security (Team:Security) |
|
Pinging @elastic/es-distributed (Team:Distributed) |
|
Pinging @elastic/es-data-management (Team:Data Management) |
dakrone
removed
:Data Management/Watcher
Team:Data Management
As part of formalizing System Indices in Elasticsearch (#50251), we will be restricting access to System Indices via the REST interface, except by means of purpose-built APIs. For example, accessing
.watchesdirectly will not be allowed - all interaction with the.watchesindex via the REST API should use the purpose-built Watcher APIs.If it is necessary to access System Indices via the REST API today, an API should be added to fulfill that need rather than using generic APIs to do so.
There are a number of places in our REST tests which access System Indices directly. These tests will be modified by #60945 to avoid failures by consuming the deprecation warning as necessary, but that is not a long-term solution. The tests below should be evaluated to determine if there is a necessary API that is currently missing, and if so, add that API and convert the test to use it. If not, we should determine an alternate method for testing the functionality which does not directly access System Indices via the REST API.
Tests/test-related methods which currently access System Indices directly via the REST API:
Test Framework
ESRestTestCase.wipeAllIndices- @williamrandolphTasks
delete_by_query/80_slices.yml - Multiple slices with wait_for_completion=falsedelete_by_query/80_slices.yml - Multiple slices with rethrottlereindex/80_slices.yml - Multiple slices with wait_for_completion=falsereindex/80_slices.yml - Multiple slices with rethrottleupdate_by_query/80_slices.yml - Multiple slices with wait_for_completion=falseupdate_by_query/80_slices.yml - Multiple slices with rethrottlerolling_upgrade..upgraded_cluster/10_basic.yml - Find a task result record from the old clusterTransforms
TransformUsageIT.testUsageTransformConfigurationIndexIT.testDeleteConfigurationLeftOverTranformInternalIndexIT.testUpdateDeletesOldTransformConfigTransformRestTestCase.wipeTransformsTranformRobustnessIT.beEvilAndDeleteTheTransformIndexrolling-upgrade..upgraded_cluster/80_transform_jobs_crud.yml - Test index mappings for latest internal index and audit indexML
MlMappingsUpgradeIT.assertUpgradedConfigMappingsIndexMappingTemplateAsserter.assertMlMappingsMatchTemplatesInferenceIngestIT.cleanUpDataml/calendar_crud.yml - Test delete calendar deletes eventsml/custom_all_field.yml - Test wildcard job idml/filter_crud.yml - setup([ML] Remove direct access to system index from filter_crud REST test #63111)ml/filter_crud.yml - Test get all filter given index exists but no mapping for filter_id([ML] Remove direct access to system index from filter_crud REST test #63111)ml/inference_stats_crud.yml - setupml/inference_crud.yml - setupml/index_layout.yml - Test force close does not create stateml/index_layout.yml - Test CRUD on two jobs in shared indexWatcher
WatcherRestTestCase.stopWatcherRemove more usages of .watches system index. #65835WatcherYamlSuiteTestCase.stopWatcherRemove more usages of .watches system index. #65835MonitoringWithWatcherIT.cleanExportersRemove more usages of .watches system index. #65835MonitoringWithWatcherIT.assertTotalWatchCountAdd query watches api to retrieve multiple watches. #64582FullClusterRestartIT.testWatcherRemove usage of .watches system index in full cluster restart. #65884watcher/activate_watch/10_basic.yml - Test activate watch apiUse watcher get api instead of .watches index. #64199watcher/ack_watch/10_basic.yml - Test ack watch apiUse watcher get api instead of .watches index. #64199watcher/delete_watch/10_basic.yml - Test delete watch apiUse watcher get api instead of .watches index. #64199watcher/get_watch/10_basic.yml - Test get watch apiUse watcher get api instead of .watches index. #64199watcher/put_watch/80_put_get_watch_with_passwords.yml - Test putting a watch with a redacted password with old seq no returns an errorUse watcher get api instead of .watches index. #64199managing_watches.asciidocRemove more usages of .watches system index. #65835Security
FullClusterRestartIT.testSecurityNativeRealmusers/10_basic.yml - Test put user with password hashThe text was updated successfully, but these errors were encountered: