Cannot create Index Patterns of remote clusters - Open Distro 1.12 version

Phandora · January 26, 2021, 9:09am

Hi, we are facing some problems creating index patterns in the 1.12 version.

When trying to create the index pattern of a remote cluster we got the error No matching indices found. However, the indexes do exist (the index pattern matches 14 sources).

In step two, we can see there is something wrong before clicking on Create index pattern since the Time field menu does not appear, even when there are indices with timestamps.

We got the following error after creating the index pattern:

If we go to Discover, the documents are displayed, but since there are no fields in the index pattern, it does not allow filtering using the document’s fields.

If we create the index pattern using the API and adding some initial fields, they do appear on Discover and we can filter by them, but the index pattern can not be refreshed (we got the same error No matching indices found) so new fields can not be added to the index pattern.

Is this a known issue?

Best regards

searchymcsearchface · January 26, 2021, 2:26pm

Seems like a permissions issue - does this user have access to the indexes?

Phandora · January 26, 2021, 4:57pm

The user had the following permissions:

  index_permissions:
    - index_patterns:
      - ".kibana"
      - ".kibana_*"
      - ".reporting*"
      - ".monitoring*"
      - ".tasks"
      - ".management-beats*"
      - ".wazuh*"
      - "wazuh-monitoring*"
      - "wazuh-alerts*"
      allowed_actions:
        - indices_all
    - index_patterns:
      - "*"
      allowed_actions:
        - indices:admin/aliases*
        - manage
        - read
        - delete
        - index
  cluster_permissions:
    - "manage"
    - "indices:admin/template/get"
    - "cluster_monitor"
    - "cluster_composite_ops"
    - "cluster:admin/xpack/monitoring*"
    - "indices_monitor"
    - "indices:admin/template*"
    - "indices:data/read/scroll*"

We also thought it could be a permissions issue, so we change it to the following ones (default admin user):

  index_permissions:
    - index_patterns:
      - "*"
      allowed_actions:
      - "*" 
  tenant_permissions:
    - tenant_patterns:
      - "*"
      allowed_actions:
      - kibana_all_write
  cluster_permissions: 
    - "*"

But there is no difference, the issue is still going on.

Cross cluster searches work fine. When we go to Discover, the documents from the remote cluster are displayed:

searchymcsearchface · January 26, 2021, 9:43pm

Without diving too deep, I don’t see the initial problem here. If you could isolate the problem down a tad further, it might be good to add it as an issue on github.

Phandora · January 27, 2021, 8:40am

Thanks. Sure, I will do that.

We have tested it in Elastic 7.10.0 version (oss build) and the index patterns for remote clusters are created and working as usual. The issue only applies to Open Distro 1.12 version (It works in the Open Distro 1.11 version):

When creating the index patterns of remote clusters, the fields of the indices that match the index pattern are not included in the index pattern. We got the error No matching indices found , even when the indices do exist and match.
The index patterns of remote clusters can not be refreshed . Again, we got the error No matching indices found, even when the indices do exist and match.
If we go to Discover and select the created index pattern, the documents from remote clusters are displayed, but since there are no fields in the index pattern, it does not allow filtering using the document’s fields.

Which Github repository should I create the issue in?

Regards

cloud9 · April 2, 2021, 12:55pm

Any new here? having same problem when trying to create index patterns containing remote clusters. Indexes are being found but then fails to list fields in next step with same errors described above.
User has full permissions on both cluster and index level. Can it be that some of these operations are being done by kibanaserver user? What exact permissions then needed to list fields?

Also same user can make API calls and read desired indexes on remote cluster.

Using OD 1.13.1 version

dbbaughe · April 2, 2021, 3:18pm

@cloud9 @Phandora

This looks like it might have been something added in Index Management causing issues reading remote clusters for the FieldCap API requests that Kibana sends. @thalurur can you confirm?

PR fix which is going out in 1.13.2

github.com/opendistro-for-elasticsearch/index-management

Field cap fix

opendistro-for-elasticsearch:main ← thalurur:fieldCapFix

opened 04:00AM - 26 Mar 21 UTC

thalurur

+474 -57

*Issue #, if available:* https://github.com/opendistro-for-elasticsearch/index-…management/issues/418 https://github.com/opendistro-for-elasticsearch/index-management/issues/424 *Description of changes:* Update `FieldCaps` interception to support remote cluster indices, and also supporting both merged and unmerged response rewriting of FieldCapsResponse. * FieldCapsResponse hold unmerged data if its a cross cluster request and merged otherwise. Earlier we were only rewriting merged data. * Introducing a setting to stop interception in case user isn't using rollup - this acts like a kill switch if there are any unexpected behavior from the interception. By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. (d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

GitHub issues:

github.com/opendistro-for-elasticsearch/index-management

Cannot create time-based index patterns when using remote cluster indices [BUG]

opened 08:36PM - 16 Mar 21 UTC

closed 05:54PM - 04 May 21 UTC

verbecee

bug

Not sure if I should paste here or in the Kibana index management plugin repo. …**Describe the bug** Context: We are moving from a single behemoth cluster to a multicluster architecture. The new architecture will consist of 3 remote clusters (spread across 3 AZs) and a coordinating cluster. The coordinating cluster is our behemoth cluster, so we have 180 TB of data on that cluster and are shrinking it down over time. Since we have data on our coordinating cluster AND in our indices on the 3 clusters, I need to create an index pattern that will span all 4 clusters. I can perform searches and this works: GET /sample_index*,*:sample_index*/_search When I go to create an index pattern, I am able to locate the indexes in the remote and coordinating clusters: ![image](https://user-images.githubusercontent.com/43911219/111376131-11048c00-866d-11eb-8d5a-ca67e8f15b0b.png) When I hit "Next Step", I don't have the option to specify @timestamp as the time field. ![image](https://user-images.githubusercontent.com/43911219/111376189-224d9880-866d-11eb-8e37-dade6fb9e365.png) This issue also occurs if I only have the remote cluster pattern set, too. I.e. all of these patterns also do not allow me to select a time field: *:sample_index* cluster_zone_a:sample_index* cluster_zone_b:sample_index* cluster_zone_c:sample_index* This impacts all 150 index patterns, i.e. it isn't a single index issue. There is @timestamp in every log in the remote clusters. The index template as @timestamp defined as well. I added index templates via CURL to each remote cluster. ` { "order":2, "index_patterns":[ "*log*" ], "mappings":{ "_meta":{ "version":"1.7.0" }, "date_detection":false, "dynamic_templates":[ { "strings_as_keyword":{ "mapping":{ "ignore_above":1024, "type":"keyword" }, "match_mapping_type":"string" } } ], "properties":{ "@timestamp":{ "type":"date" }, ` ^ Note that this obviously isn't complete json. Here is a sample log from the remote cluster, @timestamp is halfway down the log: ![image](https://user-images.githubusercontent.com/43911219/111376304-48733880-866d-11eb-8f8a-cbfb51173cf9.png) **Other plugins installed* Kibana reporting, security **To Reproduce** Steps to reproduce the behavior: 1. Add remote cluster (and connect it to the coordinating cluster) 2. Add data to remote cluster, with the field @timestamp as a part of the data 3. In coordinating cluster, try to create an index pattern **Expected behavior** Since @timestamp is present in each log in Elasticsearch, I would expect to be able to create time-based index patterns. **Screenshots** Added above. **Desktop (please complete the following information):** - OS: iOS - Browser Chrome - Version 89.0 **Additional context** Add any other context about the problem here. **Other plugins installed* Kibana reporting, security **To Reproduce** Steps to reproduce the behavior: 1. Add remote cluster (and connect it to the coordinating cluster) 2. Add data to remote cluster 3. In coordinating cluster, try to create an index pattern **Expected behavior** Since @timestamp is present in each log in Elasticsearch, I would expect to be able to create time-based index patterns. **Screenshots** Added. **Desktop (please complete the following information):** - OS: iOS - Browser Chrome - Version 89.0 **Additional context** Add any other context about the problem here.

github.com/opendistro-for-elasticsearch/index-management

_field_caps API fails with cross cluster search

opened 08:30PM - 26 Mar 21 UTC

closed 07:16AM - 10 Apr 21 UTC

jimmyjones2

Reported in a few forum threads: * https://discuss.opendistrocommunity.dev/t/cr…oss-cluster-search-with-secured-clusters/5162/7 * https://discuss.opendistrocommunity.dev/t/cross-cluster-search-with-secured-local-and-remote-clusters/5109/3 * https://discuss.opendistrocommunity.dev/t/kibana-ccs-fails/5405 Was working on 1.9.0, 1.10.1, 1.11. Fails on 1.12.0, 1.13.0 and 1.13.1 I’m trying to use Kibana to search indices in a remote cluster - following [CCS docs](https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/cross-cluster-search/) When I try and add an index pattern for odfe-cluster1:books I can see a 404 to http://127.0.0.1:5601/api/index_patterns/_fields_for_wildcard?pattern=odfe-cluster1%3Abooks&meta_fields=_source&meta_fields=_id&meta_fields=_type&meta_fields=_index&meta_fields=_score Digging into the source for what that calls, it looks like the `_field_caps` API doesn’t support CCS: ``` curl -XGET -k -u booksuser:password 'https://localhost:9250/odfe-cluster1:books/_field_caps?fields=_id' {"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index [odfe-cluster1:books]","resource.type":"index_or_alias","resource.id":"odfe-cluster1:books","index_uuid":"_na_","index":"odfe-cluster1:books"}],"type":"index_not_found_exception","reason":"no such index [odfe-cluster1:books]","resource.type":"index_or_alias","resource.id":"odfe-cluster1:books","index_uuid":"_na_","index":"odfe-cluster1:books"},"status":404} ``` As this works without the security plugin installed, I presume the issue is there.

thalurur · April 2, 2021, 4:15pm

Yes, it looks like the same issue. As @dbbaughe mentioned the fix is in pipeline to be released as part of 1.13.2

cloud9 · April 6, 2021, 1:46pm

Any estimates on when 1.13.2 is planned for release? We got quite some unhappy people after upgrade, unfortunately our pre-prod env do not have cross cluster search so this one slipped through untested

thalurur · April 6, 2021, 6:05pm

@cloud9 current ETA is 4/7

Topic		Replies	Views
Cross cluster search with secured local and remote clusters Open Source Elasticsearch and Kibana	4	1340	April 6, 2021
Cross cluster search with secured clusters Security	18	1879	April 16, 2021
Kibana Cross Cluster Search Open Source Elasticsearch and Kibana	4	2023	October 22, 2021
Looking to create index pattern for viewing the logs on dashboard using the api General Feedback configure , index-management	2	2483	August 31, 2022
Index Pattern Problems after Snapshot Restore Index Management	1	502	September 8, 2023

Cannot create Index Patterns of remote clusters - Open Distro 1.12 version

Related topics