[RAC][Rule Registry] Implement RuleDataService.getReader() that skips index bootstrapping #111173

Closed
Tracked by #101016
banderror opened this issue Sep 3, 2021 · 4 comments
Labels
Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete

Comments

@banderror
Contributor

Parent ticket: #101016

Summary

Background: #108115 (comment)

The observability plugin initializes an instance of RuleDataClient in order to only be able to read from all observability indices (observability.logs, observability.apm, etc). It does this by calling:

    const ruleDataClient = ruleDataService.initializeIndex({
      feature: 'observability',
      registrationContext: 'observability',
      dataset: Dataset.alerts,
      componentTemplateRefs: [],
      componentTemplates: [],
      indexTemplate: {
        version: 0,
      },
    });

This doesn't lead to any index bootstrapping only because no component templates and other resources are specified. However, this is not super safe and it misuses this method.

We need to expose a separate method for getting a reader that would not even try to check if any bootstrapping is necessary:

    const ruleDataReader = ruleDataService.getReader({
      feature: 'observability',
      registrationContext: 'observability',
      dataset: Dataset.alerts,
    });
@banderror banderror added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete labels Sep 3, 2021
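The separation this issue asks for, sketched as an added TypeScript example that is not part of the original issue and is not Kibana's rule registry code: `initializeIndex()` always evaluates bootstrapping and is a no-op only when the resource lists are empty, while `getReader()` returns a read-only handle with no bootstrapping path at all. Assumptions: `RuleDataServiceModel`, its `bootstrapChecks` and `installed` fields, the in-memory document store and the index naming scheme are hypothetical, and `dataset` is a plain string standing in for `Dataset.alerts`.

```typescript
// Added illustration: a hypothetical in-memory model, not Kibana's rule registry code.
type IndexKey = { feature: string; registrationContext: string; dataset: string };
type IndexOptions = IndexKey & {
  componentTemplateRefs: string[];
  componentTemplates: Array<{ name: string }>;
  indexTemplate: { version: number };
};

// Read-only capability: no write method and no bootstrapping hook.
interface RuleDataReader {
  readonly indexName: string;
  search(term: string): string[];
}

// Full client: everything the reader can do, plus writing.
interface RuleDataClient extends RuleDataReader {
  write(doc: string): void;
}

class RuleDataServiceModel {
  readonly bootstrapChecks: string[] = []; // each time bootstrapping was evaluated
  readonly installed: string[] = []; // resources that were actually installed
  private readonly docs = new Map<string, string[]>();

  // Constructed naming scheme, used only by this example.
  private nameOf(k: IndexKey): string {
    return `${k.registrationContext}.${k.dataset}`;
  }

  // Never touches the bootstrapping state, whatever the caller passes.
  getReader(key: IndexKey): RuleDataReader {
    const indexName = this.nameOf(key);
    const search = (term: string): string[] =>
      (this.docs.get(indexName) ?? []).filter((d) => d.includes(term));
    return { indexName, search };
  }

  // Always evaluates bootstrapping; installs nothing only when the list is empty.
  initializeIndex(opts: IndexOptions): RuleDataClient {
    const reader = this.getReader(opts);
    this.bootstrapChecks.push(reader.indexName);
    for (const t of opts.componentTemplates) this.installed.push(t.name);
    const write = (doc: string): void => {
      const current = this.docs.get(reader.indexName) ?? [];
      this.docs.set(reader.indexName, [...current, doc]);
    };
    return { ...reader, write };
  }
}
```

With this split, a caller that only needs to read cannot trigger resource installation by passing a non-empty template list, because the reader path accepts no such argument.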
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@weltenwort
Member

The RuleDataClient usage in the observability plugin has been removed in #109346, so from that point of view it's not required anymore.

@banderror
Contributor Author

Awesome, yeah, I can see it in the code 👍 Closing the ticket.
