[plugin-development] Custom transport actions and X-Pack integration

Hi,

I just received a bug report concerning a plugin we wrote. The user reports that despite being the superuser it receives:

{"error":{"root_cause":[{"type":"security_exception","reason":"action [ltr:featurestore/data] is unauthorized for user [elastic]"}],"type":"security_exception","reason":"action [ltr:featurestore/data] is unauthorized for user [elastic]"},"status":403}

The plugin code is https://github.com/o19s/elasticsearch-learning-to-rank/blob/master/src/main/java/com/o19s/es/ltr/action/FeatureStoreAction.java#L42 .

Should I as a plugin developer do something particular to have a fluent integration with X-Pack when I declare custom TransportActions or is it just a special configuration with X-Pack that I should mention in the plugin documentation?

Thanks for your help.

1 Like

Hi David, thanks for posting your question! Unfortunately, our plugin API is still in the process of being stabilized (as you may have noticed). And until then, we can't provide any official guidance on how to integrate plugins with Kibana or X-Pack because any changes we make could easily invalidate that guidance. Does this make sense?

EDIT: Oops, sorry! I'm on the Kibana team and I had assumed you were writing a Kibana plugin, but I see you're writing an Elasticsearch one. I'll ping someone on that team to help you.

Thanks,
CJ

Thanks for the response @cjcenizal... Was wondering if you heard anything? We've heard from a couple XPack and Elastic Cloud users about problems with the LTR plugin.

Is it possible, that the client in the corresponding transport action does execute an additional request without setting any headers?

Hi @spinscale,

I'm not sure to understand your question.

The user here sends an HTTP request that targets a REST endpoint declared by the plugin.
I tried to make the REST layer relatively thin and it should execute only one Transport action per REST request.
Sometimes I use existing Transport action (i.e. creating an index), and it seems to work well with X-Pack.
The problem appears to happen when the plugin uses its own transport action, where in this case X-Pack seems to intercept the transport action. The custom actions are all named ltr:something/something.

It's unclear to me what you mean by headers and additional request. Are these HTTP requests & headers? Because I don't seem to find where you can set headers on transport actions.

Thanks for your help!

Hey,

what I am saying is, that if you are executing a request using a Client in your transport action, this request needs to know its credentials from somewhere. I think what is happening is that those credentials are not set and thus the corresponding headers need to be set.

See also https://www.elastic.co/guide/en/x-pack/6.0/java-clients.html#transport-client

Hope this helps!

--Alex

Many thanks for the clarification!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.