[ https://issues.apache.org/jira/browse/RANGER-3938 ]


    Suman B N deleted comment on RANGER-3938:
    -----------------------------------

was (Author: sumannewton):
Fixed this issue with approach 1 and raised an MR [here|https://github.com/apache/ranger/pull/177].

> Unable to access audit logs from an elasticsearch alias
> -------------------------------------------------------
>
>                 Key: RANGER-3938
>                 URL: https://issues.apache.org/jira/browse/RANGER-3938
>             Project: Ranger
>          Issue Type: Bug
>          Components: audit
>            Reporter: Suman B N
>            Priority: Minor
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Let's say that for audit we configure an Elasticsearch alias (rollover alias). 
> If there are 2 or more indices for the alias, then the audit API doesn't work, 
> because while fetching the records, Ranger uses a multi get request on the 
> alias. 
> It results in the error below:
> {noformat}
> Alias [alias-name] has more than one indices associated with it 
> [[index-000002, index-000001]], can't execute a single index op
> {noformat}
> [Code snippet|https://github.com/apache/ranger/blob/6c8a142881896f2c6d1696bcee02c401867a45f9/security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchUtil.java#L175-L180]:
> {code:java}
>         MultiGetRequest multiGetRequest = new MultiGetRequest();
>         for (SearchHit hit : hits) {
>             MultiGetRequest.Item item = new MultiGetRequest.Item(index, null, hit.getId());
>             item.fetchSourceContext(FetchSourceContext.FETCH_SOURCE);
>             multiGetRequest.add(item);
>         }
> {code}
> So there can be 2 possible approaches to resolve this:
> - Approach 1 (Quick and fast):
> Use hit.getIndex() instead of index (in this case it is an alias) for a 
> MultiGetRequest.Item object, 
> so that all the documents can be fetched by ID with their index only instead of 
> the alias.
> - Approach 2 (Change the MultiGet to search):
> POST /_search
> {code:json}
> {
>     "query": {
>         "ids" : {
>             "values" : ["id1", "id2"]
>         }
>     }
> }
> {code}
> This would be a recommended approach.
> Correct me if I am wrong. If not, can I pick this up and fix it? I have 
> already fixed it locally with approach 1 as a quick fix.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
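
Approach 2 from the issue description, sketched with the Elasticsearch high-level REST client as an added example (not Ranger's code and not the change in the linked pull request). The class and method names are hypothetical, and it assumes a 7.x client on the classpath and a reachable cluster.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.builder.SearchSourceBuilder;

/** Hypothetical helper for illustration; not part of Ranger. */
public final class AliasAuditFetch {
    private AliasAuditFetch() {}

    /**
     * Fetches audit documents by _id through an alias (or a plain index).
     * A search fans out to every index behind the alias, so it does not hit
     * the "can't execute a single index op" error that a multi get does.
     */
    public static List<SearchHit> fetchByIds(RestHighLevelClient client,
                                             String aliasOrIndex,
                                             List<String> ids) throws IOException {
        List<SearchHit> result = new ArrayList<>();
        if (ids.isEmpty()) {
            return result; // nothing to look up, skip the round trip
        }
        SearchSourceBuilder source = new SearchSourceBuilder()
                .query(QueryBuilders.idsQuery().addIds(ids.toArray(new String[0])))
                .fetchSource(true)
                // Search returns only 10 hits by default; ask for one per id.
                // The value must stay within index.max_result_window.
                .size(ids.size());
        SearchRequest request = new SearchRequest(aliasOrIndex).source(source);
        SearchResponse response = client.search(request, RequestOptions.DEFAULT);
        for (SearchHit hit : response.getHits()) {
            // hit.getIndex() is the concrete backing index, not the alias;
            // key on (index, id) if the same _id could exist in two indices.
            result.add(hit);
        }
        return result;
    }
}
```

Unlike a get, a search only sees documents that have been refreshed, and the hits come back in score order rather than in the order of the supplied ids.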
