diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d59505ce5b1e..9078ba5fcbe73 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Changed
 - Create generic DocRequest to better categorize ActionRequests ([#18269](https://github.com/opensearch-project/OpenSearch/pull/18269)))
+- Fix permissions issue with _update_by_query API that requires permission for indices:data/read/scroll/clear ([#17250](https://github.com/opensearch-project/OpenSearch/pull/17250)))
 ### Dependencies
 - Bump `com.google.code.gson:gson` from 2.12.1 to 2.13.1 ([#17923](https://github.com/opensearch-project/OpenSearch/pull/17923), [#18266](https://github.com/opensearch-project/OpenSearch/pull/18266))
diff --git a/modules/reindex/src/main/java/org/opensearch/index/reindex/TransportUpdateByQueryAction.java b/modules/reindex/src/main/java/org/opensearch/index/reindex/TransportUpdateByQueryAction.java
index 0039002c23f07..490ccbc86f3ed 100644
--- a/modules/reindex/src/main/java/org/opensearch/index/reindex/TransportUpdateByQueryAction.java
+++ b/modules/reindex/src/main/java/org/opensearch/index/reindex/TransportUpdateByQueryAction.java
@@ -39,6 +39,8 @@
 import org.opensearch.cluster.ClusterState;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.common.util.concurrent.ThreadContextAccess;
 import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.index.mapper.IdFieldMapper;
@@ -85,25 +87,37 @@ public TransportUpdateByQueryAction(
 @Override
 protected void doExecute(Task task, UpdateByQueryRequest request, ActionListener listener) {
- BulkByScrollTask bulkByScrollTask = (BulkByScrollTask) task;
- BulkByScrollParallelizationHelper.startSlicedAction(
- request,
- bulkByScrollTask,
- UpdateByQueryAction.INSTANCE,
- listener,
- client,
- clusterService.localNode(),
- () -> {
- ClusterState state = clusterService.state();
- ParentTaskAssigningClient assigningClient = new ParentTaskAssigningClient(
- client,
- clusterService.localNode(),
- bulkByScrollTask
- );
- new AsyncIndexBySearchAction(bulkByScrollTask, logger, assigningClient, threadPool, scriptService, request, state, listener)
- .start();
- }
- );
+ final ThreadContext threadContext = threadPool.getThreadContext();
+ try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
+ ThreadContextAccess.doPrivilegedVoid(threadContext::markAsSystemContext);
+ BulkByScrollTask bulkByScrollTask = (BulkByScrollTask) task;
+ BulkByScrollParallelizationHelper.startSlicedAction(
+ request,
+ bulkByScrollTask,
+ UpdateByQueryAction.INSTANCE,
+ listener,
+ client,
+ clusterService.localNode(),
+ () -> {
+ ClusterState state = clusterService.state();
+ ParentTaskAssigningClient assigningClient = new ParentTaskAssigningClient(
+ client,
+ clusterService.localNode(),
+ bulkByScrollTask
+ );
+ new AsyncIndexBySearchAction(
+ bulkByScrollTask,
+ logger,
+ assigningClient,
+ threadPool,
+ scriptService,
+ request,
+ state,
+ listener
+ ).start();
+ }
+ );
+ }
 }
 /**
diff --git a/modules/reindex/src/main/plugin-metadata/plugin-security.policy b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
index ebb446fb6bd11..2ab059029833b 100644
--- a/modules/reindex/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
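Review bot: The system context set at the top of `doExecute` covers far more than the scroll-clear call named in the changelog: `stashContext()` drops the caller's context and `markAsSystemContext` then applies to everything started inside the `try`, including the search, scroll and bulk requests that `AsyncIndexBySearchAction` (defined outside this hunk) sends through `client`. If an authorization layer evaluates those sub-requests by the caller's identity, per-index or per-document restrictions would presumably stop applying to them, so a caller allowed only the top-level update-by-query action could modify documents it cannot otherwise read or write. Consider keeping the caller's context for search and bulk and stashing only around the clear-scroll request, or at least state the trust decision in a comment such as `// Sub-requests run as system context; caller authorization is enforced only on the top-level action.`. `listener` is also handed on unwrapped, so it may complete under the system context; capturing it with `ContextPreservingActionListener.wrapPreservingContext(listener, threadContext)` before `stashContext()` would restore the caller's context for the response.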
@@ -33,6 +33,7 @@ grant { // reindex opens socket connections using the rest client permission java.net.SocketPermission "*", "connect"; + permission org.opensearch.secure_sm.ThreadContextPermission "markAsSystemContext"; }; grant codeBase "${codebase.opensearch-rest-client}" {
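Review bot: The new `ThreadContextPermission "markAsSystemContext"` line sits in the bare `grant { ... }` block, which has no `codeBase`, so it is presumably granted to every jar shipped with the reindex module rather than only to the code that calls `markAsSystemContext`. The next block shows that `codeBase`-scoped grants are already used in this file; a scoped grant such as `grant codeBase "${codebase.<reindex-module-jar>}" { permission org.opensearch.secure_sm.ThreadContextPermission "markAsSystemContext"; };` (placeholder property name) would keep the privilege off the REST client and other bundled dependencies. The line also has no comment, unlike the socket permission above it; something like `// update-by-query marks its thread context as system context before issuing internal requests` would record why it is needed. The closing of the following `grant codeBase` block is outside the hunk.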