Skip to content

Fix search admin page error when ES server returns forbidden

Terri Churequested to merge
tchu-fix-forbidden-causing-save-errors-in-search-admin into master

What does this MR do and why?

I ran into this while testing an omnibus instance and tried to connect to OpenSearch where the cluster returned a forbidden response.

This change adds coverage for all Elastic transport errors when setting up advanced search in the admin ui

more logs from debugging

I tested this in AWS using an EC2 instance running GitLab EE. I added a newly created OpenSearch cluster and saved the admin page. I got a 500 error and the backtrace showed this method being responsible for the error

elasticsearch-transport (7.17.11) lib/elasticsearch/transport/transport/base.rb:218:in `__raise_transport_error'
elasticsearch-transport (7.17.11) lib/elasticsearch/transport/transport/base.rb:341:in `perform_request'
elasticsearch-transport (7.17.11) lib/elasticsearch/transport/transport/http/faraday.rb:36:in `perform_request'
elasticsearch-transport (7.17.11) lib/elasticsearch/transport/client.rb:197:in `perform_request'
lib/gitlab/instrumentation/elasticsearch_transport.rb:12:in `perform_request'
elasticsearch (7.17.11) lib/elasticsearch.rb:41:in `method_missing'
elasticsearch-api (7.17.11) lib/elasticsearch/api/namespace/common.rb:38:in `perform_request'
elasticsearch-api (7.17.11) lib/elasticsearch/api/actions/indices/exists.rb:51:in `block in exists'
elasticsearch-api (7.17.11) lib/elasticsearch/api/utils.rb:218:in `__rescue_from_not_found'
elasticsearch-api (7.17.11) lib/elasticsearch/api/actions/indices/exists.rb:50:in `exists'
ee/lib/gitlab/elastic/helper.rb:232:in `index_exists?'
ee/lib/gitlab/elastic/helper.rb:429:in `create_index'
ee/lib/gitlab/elastic/helper.rb:208:in `create_empty_index'
ee/app/services/ee/application_settings/update_service.rb:121:in `find_or_create_elasticsearch_index'
ee/app/services/ee/application_settings/update_service.rb:29:in `execute'
app/controllers/admin/application_settings_controller.rb:223:in `perform_update'
ee/app/controllers/ee/admin/application_settings_controller.rb:134:in `block (2 levels) in <module:ApplicationSettingsController>'

AI summary

This change improves error handling in the Elasticsearch search functionality by catching an additional type of error that can occur when the system tries to connect to or interact with Elasticsearch. Previously, the code only caught network-related errors, but now it also handles authorization and transport errors from Elasticsearch itself.

The update also adds a new test to verify that when Elasticsearch returns a "Forbidden" error (meaning the system doesn't have permission to perform an action), the application handles it gracefully without crashing. Additionally, some organizational labels were added to the test file to better categorize the different test scenarios for easier maintenance.

References

Screenshots or screen recordings

Before After

How to set up and validate locally

  1. enable elasticsearch in gdk

  2. edit the elasticsearch.yml file in GDK_DIR/elasticsearch/config directory

    # comment out the line below (it should be set to false)
# xpack.security.enabled: false
# add two new lines
xpack.security.enabled: true
xpack.security.authc.anonymous.roles: []  # Disable anonymous access

  3. restart elasticsearch gdk restart elasticsearch

  4. navigate to Admin settings - Settings - Search - Advanced search

  5. check elasticsearch indexing

  6. click save <-- you will get an error on master but not on this branch

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Terri Chu

Merge request reports