I just received a bug report concerning a plugin we wrote. The user reports that, despite being the superuser, they receive:
{"error":{"root_cause":[{"type":"security_exception","reason":"action [ltr:featurestore/data] is unauthorized for user [elastic]"}],"type":"security_exception","reason":"action [ltr:featurestore/data] is unauthorized for user [elastic]"},"status":403}
Should I as a plugin developer do something particular to have a fluent integration with X-Pack when I declare custom TransportActions or is it just a special configuration with X-Pack that I should mention in the plugin documentation?
Hi David, thanks for posting your question! Unfortunately, our plugin API is still in the process of being stabilized (as you may have noticed). And until then, we can't provide any official guidance on how to integrate plugins with Kibana or X-Pack because any changes we make could easily invalidate that guidance. Does this make sense?
EDIT: Oops, sorry! I'm on the Kibana team and I had assumed you were writing a Kibana plugin, but I see you're writing an Elasticsearch one. I'll ping someone on that team to help you.
Thanks for the response @cjcenizal... Was wondering if you heard anything? We've heard from a couple XPack and Elastic Cloud users about problems with the LTR plugin.
The user here sends an HTTP request that targets a REST endpoint declared by the plugin.
I tried to make the REST layer relatively thin and it should execute only one Transport action per REST request.
Sometimes I use an existing Transport action (i.e. creating an index), and it seems to work well with X-Pack.
The problem appears to happen when the plugin uses its own transport action, where in this case X-Pack seems to intercept the transport action. The custom actions are all named ltr:something/something.
It's unclear to me what you mean by headers and additional request. Are these HTTP requests & headers? Because I don't seem to find where you can set headers on transport actions.
What I am saying is that if you are executing a request using a Client in your transport action, this request needs to know its credentials from somewhere. I think what is happening is that those credentials are not set and thus the corresponding headers need to be set.