-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC] Retire support for V6 configuration #4493
Comments
@scrawfor99 @cwperks @peternied @DarshitChanpura Would be curious on your opinion on this. |
Dropping the V6 configuration format and logic should be fine as long as it is only for version 3.0. I think removing it before then would be considered a breaking change so we would not be able to move it in before 3.0. There is also some translation between the v6 and v7 versions which will need to be replaced with the new version as well. For instance the user object has some fields in v6 which are not present in the v7 equivalent. |
@nibix I have not personally tested it out, but is it possible to get into situations where you can upgrade from ES <= 6 directly into OpenSearch? In those cases are the V6 objects required to read in the old index, but then the Migrate API can help to migrate to V7? Its not recommended to skip major versions, but what happens if someone tries? The recommended upgrade path is to always go to the last release of the next major version. If you want to upgrade multiple versions then you would need to upgrade to each major version as an intermediate step. I think its fine to remove from OS 2 given that it is 2 major versions removed from ES6. It would certainly simplify the code base greatly :) |
According to the docs at https://opensearch.org/docs/latest/upgrade-to/upgrade-to/ this upgrade path is possible:
Regarding the question whether it is possible to upgrade from ES 7.10.2 directly to OpenSearch 2, or whether an intermediate step via OpenSearch 1 is necessary, I only found recommendations, no hard facts. The recommendation is however to upgrade via OpenSearch 1 to OpenSearch 2.
Yes, and with https://opensearch.org/docs/2.15/security/configuration/security-admin/#backup-restore-and-migrate I believe that it is theoretically possible to upgrade from ES 6 with ODFE to OpenSearch 1. |
One interesting data point is also that all versions for ODFE for ES 6 were https://opendistro.github.io/for-elasticsearch-docs/version-history/ The first public version of ODFE for ES 6 was released in March 2019. The first version of ODFE for ES 7 was released in June 2019. |
@scrawfor99
I agree that the clean path is a breaking change in a major release, with a deprecation notice/warning being issued in some preceding version. Is there somewhere information how far OpenSearch 3 is away? |
See also #4495 |
Hi @nibix,
I am not sure but I suspect it will be sometime in 2025. |
So far, I gather from the opinions that the main proposal "Drop support V6 configuration file formats" is not a short-term thing, but should be done for OpenSearch 3. Regarding #3870, we would have two options:
|
[Triage] Hi @nibix, thanks for filing this issue. Going to mark as triaged. |
@scrawfor99 @cwperks @peternied @DarshitChanpura How shall we proceed with the question here? #4493 (comment) In order to illustrate the alternative proposal "Behind the scenes conversion from V6 to V7", I have filed a draft PR that illustrates how it can be done: #4546 |
IMO retiring V6 should be part of 3.0 release. |
@cwperks @DarshitChanpura @stephen-crawford @peternied One more data point, which I found while working on #4546 :
With these data points, I would like to ask again the question whether it's really worth trying to continue supporting v6 configuration. It seems to be an extremely unlikely scenario. Is an investment really justified here? |
IMO I think we should remove them. There is a clear upgrade path to the V7 models by using the migrate API. Clusters still on V6 models would be able to use migrate API to get to V7 and then use securityadmin script to export the security index. Any idea what that last version was that supported V6 models? Assuming its ODFE or OS 1, then the models will still exist in all released minor versions for those. For OS 2.x, these classes provide no value. |
I have to correct myself a bit, I did the mistake of looking only at However, in the branch |
@nibix Should this RFC now be marked closed? |
@cwperks yes! |
Preface
Note: I am asking for opinions and comments on the following topic because it influences the work on #3870.
Current situation
Configuration file formats
At the moment, the security plugin supports two slightly different configuration file formats:
In the
*.yml
files, these can be told apart by the_meta.config_version
property. Internally, there these can be told apart by theV6
vsV7
suffix of class names:RoleV6
vsRoleV7
.V7
in class names corresponds toconfig_version
= 2.Example for the differences:
New, V7:
Old, V6:
Actually, the number 6 in the class names still stems from the Elasticsearch version 6. Thus, the
roles.yml
configuration type allows the specification of document types, even though these are not supported any more in OpenSearch 2. Consequently, the implementation actually ignores this information.Thus, these configuration files stem from the ODFE times, when it was still available for Elasticsearch 6.
Further changes include some cleanup and restructuring of the configuration file format.
Privilege evaluation code
Even though the central privilege evaluation code is located in the class
PrivilegeEvaluator
, the actual logic which interprets the the roles is located in the classesConfigModelV6
andConfigModelV7
:Depending on the used configuration version, either
ConfigModelV6
andConfigModelV7
is used. Even though both classes should apply the same logic, both contain separate implementations. Both implementations are very complex:ConfigModelV6
has 1316 lines of code andConfigModelV7
has 1267 lines of code.Especially for security critical code, it seems to be an anti-pattern to have such fundamental and critical code doubled up. It increases maintenance effort and cognitive load.
An additional drawbacks of the current approach is while the central
SecurityDynamicConfiguration
includes a generic parameter, it is virtually impossible to use this parameter in a safe way. Most APIs just useSecurityDynamicConfiguration<?>
or do unsafe casts.Current work
In the context of #3870, we are going to replace major parts of the
ConfigModel
classes by new code. As the goal of the code is performance improvements, its complexity will actually grow a bit compared to the old implementation. See here for the current state:https://github.com/opensearch-project/security/blob/60af051d28dcd239167a0ce7bcb059ad192f4de3/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
This implementation presently only supports the
RoleV7
classes.I have doubts whether implementing the same code also for
RoleV6
would make sense. Creating also support forRoleV6
would cause significant effort and significant increase of the code complexity. Meanwhile, I would actually have doubts whether anyone is still using this configuration file format on OpenSearch 2.Proposal: Drop support V6 configuration file formats
Thus, I would propose to drop support for the V6 configuration file formats. I really believe that this is largely just dead code, which just causes maintenance effort.
Alternative proposal: Behind the scenes conversion from V6 to V7.
Alternatively, I would propose to refactor the configuration infrastructure so that the V7 file formats become "first class citizens", while the V6 file formats get "second class citizens", which are never directly processed. The configuration infrastructure code would take care to automatically convert any V6 configuration to V7 configuration. Regular application code would then never need to touch V6 classes.
The V7 classes could then actually drop the V7 suffix to show that these are the main classes.
The text was updated successfully, but these errors were encountered: