[Transform] Fix privileges check failures by adding `allow_restricted_indices` flag #95187
Pinging @elastic/ml-core (Team:ML)

Hi @przemekwitek, I've created a changelog YAML for you.
LGTM
I am happy to merge this to fix the immediate problem.
It wouldn't surprise me if another problem emerges in this area though. The docs for `_has_privileges` say that `allow_restricted_indices` is an option for that endpoint to stop spurious failures from indices that users might not know exist. For example, before if a user had `*agents*` as their source index pattern and it was matching `my-own-agents-1` and `my-own-agents-2` then the previous check would have passed but the new one will fail because it will also match `.fleet-agents-1` and the user won't have access to that. Hopefully what will help us avoid this is that most index patterns don't begin with a wildcard, and all system indices begin with a dot. So hopefully the change in this PR won't fix one situation but break a load of others.
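The scenario in the review comment above, as an added example that is not part of the PR or the thread: a simplified Python model (not Elasticsearch's implementation) that evaluates a source pattern against a constructed index list with and without `allow_restricted_indices`. The role grant `my-own-*`, the literal restricted set, and all function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample state; index names are the ones used in the review comment.
INDICES = ["my-own-agents-1", "my-own-agents-2", ".fleet-agents-1"]
RESTRICTED = {".fleet-agents-1"}   # assumption: restricted set modelled as a literal
USER_GRANTS = ["my-own-*"]         # hypothetical role: read on my-own-* only


def covered(pattern, allow_restricted_indices):
    """Concrete indices the checked pattern covers in this model.

    With the flag off, restricted indices are left out of the match.
    """
    return [
        name for name in INDICES
        if fnmatchcase(name, pattern)
        and (allow_restricted_indices or name not in RESTRICTED)
    ]


def has_privileges(pattern, allow_restricted_indices):
    """Return (passed, denied): pass only if every covered index is granted."""
    denied = [
        name for name in covered(pattern, allow_restricted_indices)
        if not any(fnmatchcase(name, grant) for grant in USER_GRANTS)
    ]
    return (not denied, denied)


def can_reach_dot_indices(pattern):
    """Heuristic from the comment: dot-prefixed names are only reachable
    by a pattern that itself starts with a wildcard or a dot."""
    return pattern.startswith(("*", "."))


if __name__ == "__main__":
    for pattern in ("*agents*", "my-own-agents-*"):
        for flag in (False, True):
            ok, denied = has_privileges(pattern, flag)
            print(f"{pattern!r} allow_restricted_indices={flag}: "
                  f"{'pass' if ok else 'FAIL'} denied={denied} "
                  f"reaches_dot={can_reach_dot_indices(pattern)}")
```

Only the pattern that begins with a wildcard changes outcome when the flag is turned on, which is the regression the comment anticipates.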
Thanks for verifying this fix!
## Summary

Resolves #154740 #154741

These tests were skipped due to an ES promotion block. This PR: elastic/elasticsearch#95187 was added on the ES side and another snapshot was promoted which should allow us to unskip these tests.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Kibana Machine <[email protected]>
This PR adds `allow_restricted_indices` flag to the `HasPrivilegesRequest`s issued by `TransformPrivilegeChecker`.

This allows having restricted indices as transforms' source indices so cases like Fleet are supported.
Relates #93259