Add deprecation warning when unknown SO types are present #111268
Conversation
There was a problem hiding this comment.
@Bamieh @lukeelmers this is still in POC state.
Just to be sure we're all on the same page regarding the approach, could you take a quick look, to make sure I took the correct direction?
src/core/server/saved_objects/routes/deprecations/delete_unknown_types.ts
Outdated
Show resolved
Hide resolved
src/core/server/saved_objects/deprecations/unknown_object_types.ts
Outdated
Show resolved
Hide resolved
| const { body } = await esClient.asInternalUser.search<SavedObjectsRawDocSource>({ | ||
| index: targetIndices, | ||
| body: { | ||
| size: 10000, |
There was a problem hiding this comment.
What should I do if this throws? Should I just not register the deprecation?
There was a problem hiding this comment.
i think the deprecation service needs to support sending an error inside the returned array from the getDeprecation function.
Currently if the whole getDeprecation throws then the service will show failed to fetch deprecation for x feature. We might need to mimic this behavior inside the array entries just like we do for the whole function.
Maybe until we support this we are OK with throwing everything (es connectivity issue usually means ES is unreachable or something).
| }), | ||
| level: 'critical', | ||
| requireRestart: false, | ||
| deprecationType: undefined, // not config nor feature... |
There was a problem hiding this comment.
Do you have in ind a specific deprecation type we can add or are you comfortable with undefined?
There was a problem hiding this comment.
As suggested by the UA team in another issue, I think we should have this field mandatory and at least add an other category
| const { body } = await esClient.asInternalUser.search<SavedObjectsRawDocSource>({ | ||
| index: targetIndices, | ||
| body: { | ||
| size: 10000, |
There was a problem hiding this comment.
i think the deprecation service needs to support sending an error inside the returned array from the getDeprecation function.
Currently if the whole getDeprecation throws then the service will show failed to fetch deprecation for x feature. We might need to mimic this behavior inside the array entries just like we do for the whole function.
Maybe until we support this we are OK with throwing everything (es connectivity issue usually means ES is unreachable or something).
|
Did we already reach a decision on the long-term support for unknown types in 8.0 #107678? |
@rudolf @kobelb @lukeelmers please correct me if I'm wrong here, but from our last conversations, the consensus was that due to both the timeframe and the complexity of introducing a quarantine mechanism, the target solution for 8.0 was to have Kibana fail to start when unknown types are encountered, if this option was considered acceptable by all parties. |
…n-types-deprecation-warning
pgayvallet
added
Feature:Saved Objects
Feature:Upgrade Assistant
release_note:skip
|
Pinging @elastic/kibana-core (Team:Core) |
| manualSteps: [ | ||
| i18n.translate('core.savedObjects.deprecations.unknownTypes.manualSteps.1', { | ||
| defaultMessage: 'If plugins are disabled, re-enable the, then restart Kibana.', | ||
| }), | ||
| i18n.translate('core.savedObjects.deprecations.unknownTypes.manualSteps.2', { | ||
| defaultMessage: | ||
| 'If no plugins are disabled, or if enabling them does not fix the issue, delete the documents.', | ||
| }), |
There was a problem hiding this comment.
Not really sure what to put in the manualSteps, as we're mostly expecting the user to use the automated resolve instead.
We could potentially list all the faulty objects as we're doing in the checkForUnknownDocs migration task's warning, but that really don't work well in the UA UI.
There was a problem hiding this comment.
The steps make sense to me. Maybe we can specify how to find these document ids by checking the server logs.
| router.post( | ||
| { | ||
| path: '/deprecations/_delete_unknown_types', | ||
| validate: false, | ||
| }, |
There was a problem hiding this comment.
A small security concern here: as we can't leverage the SOR to perform the cleanup, we're using the internal ES client instead (which also make sense, because we want to be able to delete all the unknown docs anyway, and because the SO security does not work with unknown types...).
However, this means that any authenticated user can potentially hit this endpoint, and cause the removal of the unknown docs. We could restrict the route with a access: tag, however this endpoint needs to be reachable by anyone having access to the UA management section to resolve the deprecation.
I don't think this is that big of a deal, but still worth a comment: are we fine with this?
There was a problem hiding this comment.
The likelihood is low that this gets abused and in most cases the impact will be low, it will probably just delete unused data.
But as a pattern this feels wrong, it feels like something that will crop up for other teams too that have destructive correctiveActions e.g. https://github.com/elastic/kibana/blob/master/x-pack/plugins/reporting/server/routes/deprecations.ts#L100
In reporting's case, security is enforced by Elasticsearch. So there's some precedent that just because you're able to use the upgrade assistant doesn't mean you'll automatically be able to perform all corrective actions.
I wonder if it wouldn't be fine to require the kibana_admin to perform these upgrade assistant fixes?
There was a problem hiding this comment.
I wonder if it wouldn't be fine to require the kibana_admin to perform these upgrade assistant fixes?
we could use the scoped client instead of the internal one, that would do it, but then other users would still see the deprecation, and clicking the button would throw a server error... I don't really like it either to be honest.
| const afterDelete = await fetchIndexContent(); | ||
| // we're deleting with `wait_for_completion: false` and we don't surface | ||
| // the task ID in the API, so we're forced to use pooling for the FTR tests | ||
| if (afterDelete.map((obj) => obj.type).includes('unknown-type') && i < 10) { | ||
| await delay(1000); | ||
| continue; | ||
| } |
There was a problem hiding this comment.
As explained in the comment, we're deleting with wait_for_completion: false, and the API does not surface the taskId. I could have added it to the deleteUnknownTypeObjects return value and to the HTTP endpoint's response, but that didn't felt right, as the only need was for FTR tests, so I'm using a dumb loop instead.
| title: i18n.translate('core.savedObjects.deprecations.unknownTypes.title', { | ||
| defaultMessage: 'Saved objects with unknown types are present in Kibana system indices', | ||
| }), | ||
| message: i18n.translate('core.savedObjects.deprecations.unknownTypes.message', { | ||
| defaultMessage: | ||
| 'Upgrades will fail for 8.0+ because documents were found for unknown saved object types.' + | ||
| `To ensure that upgrades will succeed in the future, either re-enable plugins or delete these documents from the Kibana indices`, | ||
| }), |
There was a problem hiding this comment.
Should we surface the number of unknown docs, of their types, in the deprecation's message?
There was a problem hiding this comment.
In the deprecation guide we recommend not writing upgrade will fail in version x.x
There was a problem hiding this comment.
If we already have the number of unknown docs i think it makes sense to surface them here.
Thank you for the clarification! |
…n-types-deprecation-warning
…n-types-deprecation-warning
| title: i18n.translate('core.savedObjects.deprecations.unknownTypes.title', { | ||
| defaultMessage: 'Saved objects with unknown types are present in Kibana system indices', | ||
| }), | ||
| message: i18n.translate('core.savedObjects.deprecations.unknownTypes.message', { | ||
| defaultMessage: | ||
| 'Upgrades will fail for 8.0+ because documents were found for unknown saved object types.' + | ||
| `To ensure that upgrades will succeed in the future, either re-enable plugins or delete these documents from the Kibana indices`, | ||
| }), |
There was a problem hiding this comment.
In the deprecation guide we recommend not writing upgrade will fail in version x.x
| title: i18n.translate('core.savedObjects.deprecations.unknownTypes.title', { | ||
| defaultMessage: 'Saved objects with unknown types are present in Kibana system indices', | ||
| }), | ||
| message: i18n.translate('core.savedObjects.deprecations.unknownTypes.message', { | ||
| defaultMessage: | ||
| 'Upgrades will fail for 8.0+ because documents were found for unknown saved object types.' + | ||
| `To ensure that upgrades will succeed in the future, either re-enable plugins or delete these documents from the Kibana indices`, | ||
| }), |
There was a problem hiding this comment.
If we already have the number of unknown docs i think it makes sense to surface them here.
src/core/server/saved_objects/deprecations/unknown_object_types.ts
Outdated
Show resolved
Hide resolved
| manualSteps: [ | ||
| i18n.translate('core.savedObjects.deprecations.unknownTypes.manualSteps.1', { | ||
| defaultMessage: 'If plugins are disabled, re-enable the, then restart Kibana.', | ||
| }), | ||
| i18n.translate('core.savedObjects.deprecations.unknownTypes.manualSteps.2', { | ||
| defaultMessage: | ||
| 'If no plugins are disabled, or if enabling them does not fix the issue, delete the documents.', | ||
| }), |
There was a problem hiding this comment.
The steps make sense to me. Maybe we can specify how to find these document ids by checking the server logs.
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
pgayvallet
added
the
auto-backport
💔 Backport failed
To backport manually run: |
…1268) * Add deprecation warning when unknown types are present * fix and add service tests * remove export * plug deprecation route * add integration test for new route * add unit test for getIndexForType * add unit tests * improve deprecation messages * add FTR test * fix things due to merge * change the name of the deprecation provider * improve message * improve message again # Conflicts: # src/core/server/saved_objects/saved_objects_service.ts
) (#112112) * Add deprecation warning when unknown SO types are present (#111268) * Add deprecation warning when unknown types are present * fix and add service tests * remove export * plug deprecation route * add integration test for new route * add unit test for getIndexForType * add unit tests * improve deprecation messages * add FTR test * fix things due to merge * change the name of the deprecation provider * improve message * improve message again # Conflicts: # src/core/server/saved_objects/saved_objects_service.ts * fix types
Summary
Fix #105272
Checklist