-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Alias information in field caps API #53291
Comments
Pinging @elastic/es-search (:Search/Search) |
I can see how this behaviour can be surprising, but it aligns with how search, get and other API work: we have never guaranteed that once aliases are requested, the response won't refer to the corresponding concrete indices. It's always been the other way around: the response will refer to the concrete indices that hold the data. With that said I would close this with no further action. Please feel free to comment or reopen if you think otherwise. |
Note this has security implications see #75810 (and its related issues). |
The security implications are not local to the field caps API and I believe the entire alias support in Elasticsearch is subject to it. For this, I believe the issue to follow is #29874 . While the issue around field_caps can be worked around with an additional call, the PIT issue you linked above is slightly worse because you get a PIT id that can't be authorized against the aliases, which you must provide to the API to get more results. To clarify, I can see how this is problematic but I don't see it being resolved by simply adapting the field_caps output alone. It's a structural problem around aliases and how they are handled by an Elasticsearch API and how they are authorized. I did not get the link to CCS in this conversation, could I ask you to expand on the CCS related issue you mentioned? |
To me the above is another side-effect of how aliases are treated in ES - they are considered 'symlinks' (redirects) when in fact they act as a view on top of one or multiple indices, both from a content perspective (filter with query) and/or security (alias with different permissions than the target index). QL relies on field_caps to get metadata about indices and aliases which is used also for CCS. However since there's no aliasing information in field_caps for remote clusters QL cannot get this information and treats everything as an index (table) which exacerbates the security problem in case it exists:
Overall not a pleasant experience. Aliasing information would give proper insight into the actual mapping and differentiate between concrete vs lookalike indices. |
Thanks for all the context, I am re-opening for discussion with the team. I think what you were referring to for the CCS scenario is that the additional call to resolve aliases that can be made in the local cluster can't be sent to the remote cluster as that API does not support cross-cluster calls. So while you are able to work-around the problem in the local cluster, when CCS comes into play that is no longer possible. One more question: indices appear globally as well as per field. Do you envision an additional entry for each field that returns the potentially matching aliases, as well as an aliases array at the top-level? |
Thanks. |
Pinging @elastic/es-search (Team:Search) |
This has been open for quite a while with no activity. While it is something that may be interesting to solve, it does not align with our current priorities. For now I'm going to close this as something we aren't planning on implementing. We can re-open it later if needed. |
Field caps returns information only concrete indices which, when using the API against indices makes it difficult to interpret the response.
For example, take an alias
alias_one
which points to indexindex_a
andindex_b
andalias_two
which points toindex_c
.A field caps on
alias*
will properly matchalias_one
andalias_two
but the response will refer to the backing indices only, namelyindex_a
,index_b
andindex_c
. Not only the indices name do not match the pattern which is surprising (I asked foralias*
which do I getindex_a
) but also one can't tell the relationship between aliases and indices and thus what fields belong to what alias.The workaround is to ask the aliases for all matching indices - not a deal breaker but it is an extra call and further more, the API is not CCS-compatible.
It would be helpful to have the alias information in the response, as we do for indices.
The text was updated successfully, but these errors were encountered: