ADR: Full reindex API access must be elevated
Status
- Proposed
- Trialing
- Under review
- Approved
- Retired
Context & Scope
The expected use case for the full reindex API is disaster recovery, since it reindexes every record in a data partition.
Currently, access to the full reindex API is set at the same level as the other reindex APIs, so a user with the users.datalake.admin permission can accidentally trigger a full reindex. To make matters worse, there is no API to cancel an ongoing reindex, so the operation can run for hours or days depending on the size of the data partition, with an impact on both cost and service performance.
Requirements
The permission level for the full reindex API must be elevated so that users with Admin access (users.datalake.admin) cannot accidentally trigger a full reindex.
Tradeoff Analysis
This is a breaking change, but its impact should be low because the full reindex API is used very rarely.
Solution
The proposed solution is to elevate the permission level for the full reindex API to users.datalake.ops, leaving the other reindex APIs at their current level.
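The effect of the split, as an added illustration that is not indexer-core code: a policy table maps each reindex operation to the entitlement group it requires, and an authorization check grants access only on explicit membership in that group. The group names users.datalake.admin and users.datalake.ops are the ones named in this ADR; the operation identifiers and the two policy tables are assumptions made for the illustration, not the service's real endpoint names. The check fails closed on unknown operations and does not treat one group as implying another.

```python
"""Added example: before/after authorization policy for the reindex APIs.

Not indexer-core code. Operation names and policy tables are assumptions
for this illustration; the group names are the ones in the ADR.
"""
from typing import Iterable, Mapping, Optional

ADMIN = "users.datalake.admin"
OPS = "users.datalake.ops"

# Assumed operation identifiers (illustrative, not real endpoint names).
REINDEX_KIND = "reindex_kind"        # reindex all records of one kind
REINDEX_RECORDS = "reindex_records"  # reindex an explicit list of record ids
REINDEX_FULL = "reindex_full"        # reindex every record in the data partition

# Before the change: every reindex operation sits at the same level,
# so an admin can trigger the partition-wide reindex by mistake.
POLICY_BEFORE: Mapping[str, str] = {
    REINDEX_KIND: ADMIN,
    REINDEX_RECORDS: ADMIN,
    REINDEX_FULL: ADMIN,
}

# After the change: only the full reindex is elevated to ops;
# the other reindex operations keep their current level.
POLICY_AFTER: Mapping[str, str] = {
    REINDEX_KIND: ADMIN,
    REINDEX_RECORDS: ADMIN,
    REINDEX_FULL: OPS,
}


def is_authorized(policy: Mapping[str, str], operation: str,
                  groups: Iterable[str]) -> bool:
    """Return True only if the caller is an explicit member of the group the
    policy names for this operation.

    Fails closed: an operation missing from the policy is denied. No group
    implies another; an admin is not treated as ops unless the caller's
    group list actually contains users.datalake.ops.
    """
    required: Optional[str] = policy.get(operation)
    if required is None:
        return False
    return required in set(groups)


def authorize_or_raise(policy: Mapping[str, str], operation: str,
                       groups: Iterable[str]) -> None:
    """Raise PermissionError (the 403 case) when the caller is not authorized."""
    if not is_authorized(policy, operation, groups):
        raise PermissionError(
            f"{operation} requires membership in {policy.get(operation, '<undefined>')}")


def access_matrix(policy: Mapping[str, str],
                  callers: Mapping[str, Iterable[str]]) -> dict:
    """Return {caller: {operation: allowed}} for every operation in the policy."""
    return {
        name: {op: is_authorized(policy, op, groups) for op in policy}
        for name, groups in callers.items()
    }


if __name__ == "__main__":
    # Constructed callers: an admin-only user and an ops-only user.
    callers = {"admin_user": [ADMIN], "ops_user": [OPS]}
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(f"--- {label} ---")
        for caller, decisions in access_matrix(policy, callers).items():
            print(caller, decisions)
```

The `access_matrix` helper makes the breaking change visible: under `POLICY_AFTER` the admin-only caller loses `reindex_full` and nothing else, while the ops-only caller gains it. Because the check is explicit membership rather than a privilege ordering, an operator who needs both the full reindex and the per-kind reindex must hold both groups; that is the intended least-privilege outcome, not an oversight.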
Consequences
- Changes in indexer-core to the Reindex API (permission elevation for full reindex) and the PartitionSetup API (refactor)
- Indexer service documentation needs to be updated