[BUG] SnapshotUtils has inconsistent behavior when selectedIndices has negative patterns #5627

Closed
cwperks opened this issue Dec 23, 2022 · 1 comment

Labels: bug, security, untriaged

cwperks (Member) commented Dec 23, 2022

Describe the bug

The issue was uncovered in this issue in the security repo: opensearch-project/security#1652

and thoroughly described in these comments:

SecurityUtils.filterIndices (https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/snapshots/SnapshotUtils.java#LL68C86-L68C101) is used by the security plugin during snapshot restore requests to resolve to indices to restore from a snapshot. It was recently discovered that this method has inconsistent behavior based on the ordering of the indices in the list.

Consider a snapshot that contains:

.opendistro_security
.kibana_1
opensearch_dashboards_sample_data_flights
security-auditlog-2022.12.22

A request with the first pattern in .indices being a negative pattern:

// -.opendistro_security in the front of the list
POST _snapshot/my-first-repo/20221222-snapshot-all/_restore
{
    "indices": ["-.opendistro_security", "open*", "sec*"],
    "include_global_state" : false
}
// Restoring indices: [opensearch_dashboards_sample_data_flights, security-auditlog-2022.12.22, .kibana_1]

In this request, the negative pattern is now second, but the list contains the same three patterns.

// -.opendistro_security in the middle of the list
POST _snapshot/my-first-repo/20221222-snapshot-all/_restore
{
    "indices": ["open*", "-.opendistro_security", "sec*"],
    "include_global_state" : false
}

// Restoring indices: [opensearch_dashboards_sample_data_flights, security-auditlog-2022.12.22]

I would expect that these requests resolve to the same set of indices.

The issue is in SnapshotUtils here (https://github.com/opensearch-project/OpenSearch/blob/main/server/src/main/java/org/opensearch/snapshots/SnapshotUtils.java#L91-L95):

...else if (indexOrPattern.charAt(0) == '-') {
   // if its the first, fill it with all the indices...
   if (i == 0) {
       result = new HashSet<>(availableIndices);
   }
   ...

It is adding all available indices to the result dataset if a negative pattern is first in the list.

That means that in the following scenario:

selectedIndices = ['-foo-2', 'foo-*'] that this will in effect resolve to all indices except for `-foo-2`. 

I think the intended behavior should be to resolve positive patterns first and then evaluate negative patterns.

If the list only contains negative patterns then it should be interpreted as all indices except for the ones in the list.

The behavior of this method should be consistent regardless of the order of the indices in selectedIndices.
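
The two restore requests above, run through a simplified model of the order-sensitive logic and through an order-independent resolver that follows the behaviour the issue proposes. This is an added example, not part of the original issue and not OpenSearch's code; the class name, method names and the `*` matcher are assumptions made for illustration.

```java
import java.util.*;

public class FilterIndicesOrderDemo {
    // Simplified '*' wildcard matcher (assumption; stands in for the project's matcher).
    static boolean matches(String pattern, String index) {
        return index.matches("\\Q" + pattern.replace("*", "\\E.*\\Q") + "\\E");
    }

    // Model of the order-sensitive behaviour the issue describes: a negative
    // pattern at position 0 seeds the result with every available index.
    static Set<String> orderSensitive(List<String> available, List<String> selected) {
        Set<String> result = new TreeSet<>();
        for (int i = 0; i < selected.size(); i++) {
            String p = selected.get(i);
            boolean negative = p.startsWith("-");
            if (negative && i == 0) result.addAll(available);
            String body = negative ? p.substring(1) : p;
            for (String idx : available) {
                if (!matches(body, idx)) continue;
                if (negative) result.remove(idx); else result.add(idx);
            }
        }
        return result;
    }

    // Order-independent resolution as the issue proposes: positives first, then
    // negatives; a list of only negatives means "all indices except these".
    static Set<String> orderIndependent(List<String> available, List<String> selected) {
        Set<String> result = new TreeSet<>();
        boolean anyPositive = selected.stream().anyMatch(p -> !p.startsWith("-"));
        for (String idx : available) {
            boolean included = !anyPositive, excluded = false;
            for (String p : selected) {
                if (p.startsWith("-")) excluded |= matches(p.substring(1), idx);
                else included |= matches(p, idx);
            }
            if (included && !excluded) result.add(idx);
        }
        return result;
    }

    public static void main(String[] args) {
        // Snapshot contents and index lists copied from the two requests in the issue.
        List<String> snap = List.of(".opendistro_security", ".kibana_1",
            "opensearch_dashboards_sample_data_flights", "security-auditlog-2022.12.22");
        for (List<String> req : List.of(List.of("-.opendistro_security", "open*", "sec*"),
                                        List.of("open*", "-.opendistro_security", "sec*")))
            System.out.println(req + " sensitive=" + orderSensitive(snap, req)
                + " independent=" + orderIndependent(snap, req));
    }
}
```

For both requests the order-independent resolver returns the same two indices, while the order-sensitive model also returns `.kibana_1` when the negative pattern comes first, matching the results reported in the issue.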

stephen-crawford (Contributor) commented

Resolved with #5626
