[RAC] [RBAC] working find route for alerts as data client #107982
…ts aggs, copied from what saved objects aggs types are allowed
…sts need to be worked through more
…d api when rule registry feature flag is enabled
…lerts aggs table, adds integration tests
…ty hits when querying alert index the user is not authorized to query, so I added an extra check to determine if the user is querying the appropriate index and if they are authorized to even execute queries against the provided index
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Alerts trends graph and count table are working perfectly with the new API! Thank you for updating the API call. 👏
aggs, | ||
_source, | ||
// eslint-disable-next-line @typescript-eslint/naming-convention | ||
track_total_hits, |
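Review bot: the `eslint-disable-next-line @typescript-eslint/naming-convention` above `track_total_hits` is avoidable: rename at the destructuring site (`track_total_hits: trackTotalHits,`) and map it back to `track_total_hits` only where the Elasticsearch request body is built, so the snake_case name exists solely at the wire boundary and no lint exception is needed.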
Nit: Probably should prefer `track_total_hits: trackTotalHits` here, instead of the eslint exception?
…elds, uses recursive validation with io-ts at the find route level, adds tests for when nested aggs are present and tests for when nested aggs have scripts field
…r with track total hits, make extra params optional so we are not adding undefined everywhere in the code
I took a shallow high-level look and posted a few silly questions.
Sorry about that, my head is not working anymore.
I will approve the PR, and hope to be able to take a deeper look tomorrow.
If anyone could do a proper in-depth review, it would be great.
export type PutIndexTemplateRequest = estypes.IndicesPutIndexTemplateRequest & { | ||
body?: { composed_of?: string[] }; | ||
}; |
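Review bot: the `& { body?: { composed_of?: string[] } }` intersection duplicates a field the base type already declares (`composed_of?: Name[]` in `estypes.IndicesPutIndexTemplateRequest`, as quoted in the thread); drop the local `PutIndexTemplateRequest` alias and use `estypes.IndicesPutIndexTemplateRequest` directly so a hand-copied shape cannot drift from the client library's own types.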
Can be deleted, `estypes.IndicesPutIndexTemplateRequest` contains `composed_of`:

```ts
export interface IndicesPutIndexTemplateRequest extends RequestBase {
  name: Name
  body?: {
    index_patterns?: Indices
    composed_of?: Name[]
    template?: IndicesPutIndexTemplateIndexTemplateMapping
    data_stream?: EmptyObject
    priority?: integer
    version?: VersionNumber
    _meta?: Metadata
  }
}
```
ah good catch. I copied some of these types from elsewhere in kibana so didn't look too deeply at the types but I will update this. Thanks!
if (alerts == null) { | ||
return response.notFound({ | ||
body: { message: `alerts with query and index ${index} not found` }, | ||
}); | ||
} |
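Review bot: `alerts == null` is not the zero-results case (an empty `hits` array is still a non-null response), so `response.notFound` here turns a missing or failed upstream response into a 404 that a client will read as "no such alerts". Either let the error propagate so it is logged and surfaced as a 5xx, or return the same 200-with-empty-hits shape used for ordinary empty results; in both cases there is no need to echo the caller-supplied `${index}` back in the message body.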
What's the use case for 404, could it be 200 with an empty array if nothing is found? Less cases for handling on the client side imho.
If the alerts have an empty hits array we will respond with that (200 + the Elasticsearch response), but if for some reason the response from Elasticsearch is null (either because of an error or something else) then I figured a 404 is better than throwing a 500.
But yes in general when we execute a search and no hits are found (but we receive a 200 from Elasticsearch) we will respond with exactly that, an empty array.
public async find<Params extends AlertTypeParams = never>({ | ||
query, | ||
aggs, | ||
_source, | ||
// eslint-disable-next-line @typescript-eslint/naming-convention | ||
track_total_hits, | ||
size, | ||
index, | ||
}: { | ||
query?: object | undefined; | ||
aggs?: object | undefined; | ||
index: string | undefined; | ||
track_total_hits?: boolean | undefined; | ||
_source?: string[] | undefined; | ||
size?: number | undefined; | ||
}) { |
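Review bot: `index: string | undefined` leaves the one parameter the authorization check depends on (the commit above describes verifying that the user may query the provided index) effectively optional; declare it as `index: string` and reject a missing value at the route so an undefined index never reaches that check. Separately, `query?: object` and `aggs?: object` accept any JSON, so the io-ts restrictions applied at the route (for example no `script` in nested aggs) are invisible to any other caller of `find()`; typing them as `estypes.QueryDslQueryContainer` and `Record<string, estypes.AggregationsAggregationContainer>` keeps that contract at the client boundary. The `| undefined` on the `?:` members is redundant.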
How does this `find()` method compare to `RuleDataClient.getReader().search()`, when should we use which one, etc? Do we even need `RuleDataClient.getReader()` in the current form?
…re aggs.terms.missing field could be a string or a number
Great job, thank you for adding the test around the aggs and script. Now I feel it is golden!!!
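As an added illustration of the recursive aggs validation the commits describe (nested aggs, rejection of `script` fields, `missing` as string or number), here is a plain-TypeScript stand-in for the io-ts schema; it is not code from the Kibana PR, and the allow-list of aggregation types it uses is an assumption, since the PR's real list is not shown here.

```typescript
// Added example, not code from the Kibana PR: a plain-TypeScript stand-in for the
// io-ts schema the commits describe. It recursively walks a user-supplied `aggs`
// object, rejects any `script` field (nested or not), requires `missing` to be a
// string or a number, and admits only an ASSUMED allow-list of aggregation types.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

// Assumed allow-list; the PR's real list is not shown on this page.
const ALLOWED_AGG_TYPES = ['terms', 'date_histogram', 'cardinality', 'filter', 'max', 'min'];

function isObject(value: Json | undefined): value is { [key: string]: Json } {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Checks one aggregation body, e.g. the value under `terms` or `date_histogram`.
function checkAggBody(body: Json, path: string): string[] {
  if (!isObject(body)) return [`${path}: expected an object`];
  const errors: string[] = [];
  // A script here would run caller-controlled Painless code inside Elasticsearch.
  if ('script' in body) errors.push(`${path}.script: scripts are not allowed`);
  const missing = body.missing;
  if (missing !== undefined && typeof missing !== 'string' && typeof missing !== 'number') {
    errors.push(`${path}.missing: must be a string or a number`);
  }
  return errors;
}

// Returns the list of validation errors; an empty list means the aggs are acceptable.
function validateAggs(aggs: Json, path = 'aggs'): string[] {
  if (!isObject(aggs)) return [`${path}: expected an object`];
  const errors: string[] = [];
  for (const name of Object.keys(aggs)) {
    const spec = aggs[name];
    if (!isObject(spec)) {
      errors.push(`${path}.${name}: expected an object`);
      continue;
    }
    for (const key of Object.keys(spec)) {
      const value = spec[key];
      if (key === 'aggs' || key === 'aggregations') {
        errors.push(...validateAggs(value, `${path}.${name}.${key}`)); // recurse into sub-aggs
      } else if (ALLOWED_AGG_TYPES.indexOf(key) === -1) {
        errors.push(`${path}.${name}.${key}: aggregation type not allowed`);
      } else {
        errors.push(...checkAggBody(value, `${path}.${name}.${key}`));
      }
    }
  }
  return errors;
}
```

The field names in any input you feed it (`rule.name`, `@timestamp`) are just sample values; the check itself does not depend on them.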
…7982) Addition of a find api to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page.
💚 Backport successful
This backport PR will be merged automatically after passing CI.
…109034) Addition of a find api to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page. Co-authored-by: Devin W. Hurley <[email protected]>
Summary
Addition of a `find` api to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page.

To test (no need for any rule registry env vars to be turned on)
*:*
Pages without data...
Overview page - no data
Alerts page - no data
Pages with data...
Overview page with data
Alerts page with data