[plugin-development] Custom transport actions and X-Pack integration

dcausse · December 8, 2017, 9:05am

Hi,

I just received a bug report concerning a plugin we wrote. The user reports that despite being the superuser it receives:

{"error":{"root_cause":[{"type":"security_exception","reason":"action [ltr:featurestore/data] is unauthorized for user [elastic]"}],"type":"security_exception","reason":"action [ltr:featurestore/data] is unauthorized for user [elastic]"},"status":403}

The plugin code is https://github.com/o19s/elasticsearch-learning-to-rank/blob/master/src/main/java/com/o19s/es/ltr/action/FeatureStoreAction.java#L42 .

Should I as a plugin developer do something particular to have a fluent integration with X-Pack when I declare custom TransportActions or is it just a special configuration with X-Pack that I should mention in the plugin documentation?

Thanks for your help.

cjcenizal · December 9, 2017, 12:29am

Hi David, thanks for posting your question! Unfortunately, our plugin API is still in the process of being stabilized (as you may have noticed). And until then, we can't provide any official guidance on how to integrate plugins with Kibana or X-Pack because any changes we make could easily invalidate that guidance. Does this make sense?

EDIT: Oops, sorry! I'm on the Kibana team and I had assumed you were writing a Kibana plugin, but I see you're writing an Elasticsearch one. I'll ping someone on that team to help you.

Thanks,
CJ

softwaredoug · December 15, 2017, 1:17am

Thanks for the response @cjcenizal... Was wondering if you heard anything? We've heard from a couple XPack and Elastic Cloud users about problems with the LTR plugin.

spinscale · December 15, 2017, 8:46am

Is it possible, that the client in the corresponding transport action does execute an additional request without setting any headers?

dcausse · December 15, 2017, 9:54am

Hi @spinscale,

I'm not sure to understand your question.

The user here sends an HTTP request that targets a REST endpoint declared by the plugin.
I tried to make the REST layer relatively thin and it should execute only one Transport action per REST request.
Sometimes I use existing Transport action (i.e. creating an index), and it seems to work well with X-Pack.
The problem appears to happen when the plugin uses its own transport action, where in this case X-Pack seems to intercept the transport action. The custom actions are all named ltr:something/something.

It's unclear to me what you mean by headers and additional request. Are these HTTP requests & headers? Because I don't seem to find where you can set headers on transport actions.

Thanks for your help!

spinscale · December 18, 2017, 8:25am

Hey,

what I am saying is, that if you are executing a request using a Client in your transport action, this request needs to know its credentials from somewhere. I think what is happening is that those credentials are not set and thus the corresponding headers need to be set.

See also https://www.elastic.co/guide/en/x-pack/6.0/java-clients.html#transport-client

Hope this helps!

--Alex

dcausse · December 19, 2017, 8:26am

Many thanks for the clarification!

system · January 16, 2018, 8:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[plugin-development] Custom X-Pack action plugin Elasticsearch elastic-stack-monitoring , elastic-stack-alerting	5	550	March 20, 2020
Elasticsearch 5.6.2 (x-pack) secured cluster with custom plugin : action [indices:data/read/search] is unauthorized for user [_system] Elasticsearch	1	631	February 2, 2020
X-Pack on Elastic in the cloud Elasticsearch	7	2039	December 20, 2016
Testing plugin actions via transport client results in an NPE, 2.0.0.rc1 Elasticsearch	1	816	July 5, 2017
0.19 plugin question: Mapping Actions to TransportActions Elasticsearch	2	271	July 6, 2017

[plugin-development] Custom transport actions and X-Pack integration

Related topics