Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RAC] Enhance index bootstrapping logic with support for additional aliases and proper ILM rollover per namespace #106428

Closed
Tracked by #101016
banderror opened this issue Jul 21, 2021 · 3 comments
Assignees
Labels
Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete

Comments

@banderror
Copy link
Contributor

Parent ticket: #101016
Needed for: migrating Security Solution's .siem-signals-* indices to the new alerts-as-data indices

Summary

  1. There is currently no ILM policy associated with the concrete indices created by the RuleDataClient. We can start by associating all concrete indices with the default ILM policy created by the rule registry. However, we also need to add an additional index template per index alias in order to specify the rollover_alias for the concrete index. (https://www.elastic.co/guide/en/elasticsearch/reference/current/getting-started-index-lifecycle-management.html#ilm-gs-alias-apply-policy) Without an ILM policy, the index will eventually become much larger than necessary and could hinder performance.
  2. In the security solution, we'd like to add an additional alias to the alerts-as-data indices in order to make them backwards compatible with existing user defined queries and visualizations built on the .siem-signals naming scheme. To accomplish this, we'd add an additional parameter to RuleDataClient that allows callers to specify an optional "secondary alias" that would be added to the concrete indices.

A note regarding ILM policy, index template and namespace:

  • Each alerts-as-data index managed via rule_registry must include a (in general, user-defined) namespace: .alerts-{registrationContext}.{datasetSuffix}-{namespace}
  • At least in Security, this namespace is not known at star-up time (setup phase of the plugin). It becomes known in the scope of a rule instance, e.g. inside the rule type executor.
  • We'd like to have an ILM policy applied to our indices. We'd like to be able to decide, should we use the default shared policy, or specify a custom one for a particular index.
  • Correctly applying a policy with rollover logic requires creating an index template that would be pointing to the corresponding index alias with namespace in it:
    • index.lifecycle.name should be equal to the policy name
    • index.lifecycle.rollover_alias has to be the alias to rollover when the concrete index reaches the condition defined in the policy
  • Since the alias includes the namespace, we need to specify a different index.lifecycle.rollover_alias for every namespace - Elasticsearch doesn't automatically find the correct alias for us.
  • Which means we will have to delay creating/updating the index template until later - until the namespace becomes known.
@banderror banderror added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete labels Jul 21, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

banderror added a commit that referenced this issue Aug 15, 2021
…ing implementation (#108115)

**Addresses:** #106421, #106428, #102089, #106433

## Summary

This PR focuses on consolidation of indexing implementations in `rule_registry` (#101016). It addresses some of the sub-tasks of the parent ticket.

- [x] Encapsulate index bootstrapping logic in a new improved API exposed by `RuleDataService`.
- [x] Enforce allowed values for the `datasetSuffix` on the API level.
- [x] Migrate plugins using the existing `RuleDataService` API to the improved one.
- [x] Make sure index names comply with design architecture.
    - #102089
- [x] Improve the API of `RuleDataClient`.
- [x] Enhance index bootstrapping: support custom ILM policy per index (`{registrationContext}.{datasetSuffix}`).
- [x] Enhance index bootstrapping: create index template per namespace and support rollovers properly
    - based on #107700
- [x] Enhance index bootstrapping: support secondary aliases
    - based on #107700
- [x] Remove `EventLogService` implementation
    - #106433

This will be addressed in follow-up PRs:

- [ ] Enhance index bootstrapping: implement suggestions for backwards compatibility (naming scheme for alias and backing indices; versioning).
- [ ] Enhance index bootstrapping: implement upgrades of existing index templates.
- [ ] Make index bootstrapping logic more robust. This _is partially addressed_ in this PR, but more improvements are needed.
- [ ] Change the way index prefix works.
- [ ] Add support for optional TS schema (static typing).
- [ ] Update `README` in `rule_registry`.

### Checklist

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Aug 15, 2021
…ing implementation (elastic#108115)

**Addresses:** elastic#106421, elastic#106428, elastic#102089, elastic#106433

## Summary

This PR focuses on consolidation of indexing implementations in `rule_registry` (elastic#101016). It addresses some of the sub-tasks of the parent ticket.

- [x] Encapsulate index bootstrapping logic in a new improved API exposed by `RuleDataService`.
- [x] Enforce allowed values for the `datasetSuffix` on the API level.
- [x] Migrate plugins using the existing `RuleDataService` API to the improved one.
- [x] Make sure index names comply with design architecture.
    - elastic#102089
- [x] Improve the API of `RuleDataClient`.
- [x] Enhance index bootstrapping: support custom ILM policy per index (`{registrationContext}.{datasetSuffix}`).
- [x] Enhance index bootstrapping: create index template per namespace and support rollovers properly
    - based on elastic#107700
- [x] Enhance index bootstrapping: support secondary aliases
    - based on elastic#107700
- [x] Remove `EventLogService` implementation
    - elastic#106433

This will be addressed in follow-up PRs:

- [ ] Enhance index bootstrapping: implement suggestions for backwards compatibility (naming scheme for alias and backing indices; versioning).
- [ ] Enhance index bootstrapping: implement upgrades of existing index templates.
- [ ] Make index bootstrapping logic more robust. This _is partially addressed_ in this PR, but more improvements are needed.
- [ ] Change the way index prefix works.
- [ ] Add support for optional TS schema (static typing).
- [ ] Update `README` in `rule_registry`.

### Checklist

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine added a commit that referenced this issue Aug 15, 2021
…ing implementation (#108115) (#108638)

**Addresses:** #106421, #106428, #102089, #106433

## Summary

This PR focuses on consolidation of indexing implementations in `rule_registry` (#101016). It addresses some of the sub-tasks of the parent ticket.

- [x] Encapsulate index bootstrapping logic in a new improved API exposed by `RuleDataService`.
- [x] Enforce allowed values for the `datasetSuffix` on the API level.
- [x] Migrate plugins using the existing `RuleDataService` API to the improved one.
- [x] Make sure index names comply with design architecture.
    - #102089
- [x] Improve the API of `RuleDataClient`.
- [x] Enhance index bootstrapping: support custom ILM policy per index (`{registrationContext}.{datasetSuffix}`).
- [x] Enhance index bootstrapping: create index template per namespace and support rollovers properly
    - based on #107700
- [x] Enhance index bootstrapping: support secondary aliases
    - based on #107700
- [x] Remove `EventLogService` implementation
    - #106433

This will be addressed in follow-up PRs:

- [ ] Enhance index bootstrapping: implement suggestions for backwards compatibility (naming scheme for alias and backing indices; versioning).
- [ ] Enhance index bootstrapping: implement upgrades of existing index templates.
- [ ] Make index bootstrapping logic more robust. This _is partially addressed_ in this PR, but more improvements are needed.
- [ ] Change the way index prefix works.
- [ ] Add support for optional TS schema (static typing).
- [ ] Update `README` in `rule_registry`.

### Checklist

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Georgii Gorbachev <[email protected]>
@banderror
Copy link
Contributor Author

Addressed in #108115

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete
Projects
None yet
Development

No branches or pull requests

3 participants