Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RAC] [RBAC] working find route for alerts as data client #107982

Merged
merged 25 commits into from
Aug 18, 2021

Conversation

dhurley14
Copy link
Contributor

@dhurley14 dhurley14 commented Aug 9, 2021

Summary

Addition of a find api to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page.

To test (no need for any rule registry env vars to be turned on)

  1. Just turn on auditbeat etc..
  2. Write a rule to query *:*
  3. View data
Pages without data...

Overview page - no data

overview_page_alerts_histogram

Alerts page - no data

alerts_histogram_aggs
Pages with data...

Overview page with data

overview_page_with_data

Alerts page with data

alerts_page_with_data

Checklist

Delete any items that are not applicable to this PR.

For maintainers

…ts aggs, copied from what saved objects aggs types are allowed
…d api when rule registry feature flag is enabled
…ty hits when querying alert index the user is not authorized to query, so I added an extra check to determine if the user is querying the appropriate index and if they are authorized to even execute queries against the provided index
@dhurley14 dhurley14 self-assigned this Aug 15, 2021
@dhurley14 dhurley14 added auto-backport Deprecated - use backport:version if exact versions are needed Feature:Detection Rules Security Solution rules and Detection Engine Feature:Detection Alerts Security Solution Detection Alerts Feature Feature:RAC label obsolete review Team:Detections and Resp Security Detection Response Team Theme: rac label obsolete v7.15.0 v8.0.0 labels Aug 15, 2021
@dhurley14 dhurley14 marked this pull request as ready for review August 15, 2021 02:58
@dhurley14 dhurley14 requested a review from a team as a code owner August 15, 2021 02:58
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@dhurley14 dhurley14 added release_note:feature Makes this part of the condensed release notes release_note:enhancement and removed release_note:feature Makes this part of the condensed release notes labels Aug 15, 2021
@machadoum
Copy link
Member

Alerts trends graph and count table are working perfectly with the new API! Thank you for updating the API call. 👏

@peluja1012 peluja1012 mentioned this pull request Aug 16, 2021
13 tasks
@madirey
Copy link
Contributor

madirey commented Aug 17, 2021

Somehow I got into a state where the alerts table refreshed, but the histogram didn't... is that expected?

image

aggs,
_source,
// eslint-disable-next-line @typescript-eslint/naming-convention
track_total_hits,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Probably should prefer track_total_hits: trackTotalHits here, instead of the eslint exception?

…elds, uses recursive validation with io-ts at the find route level, adds tests for when nested aggs are present and tests for when nested aggs have scripts field
…r with track total hits, make extra params optional so we are not adding undefined everywhere in the code
Copy link
Contributor

@banderror banderror left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took a shallow high-level look and posted a few silly questions.
Sorry about that, my head is not working anymore.
I will approve the PR, and hope to be able to take a deeper look tomorrow.
If anyone could do a proper in-depth review, it would be great.

Comment on lines +270 to +272
export type PutIndexTemplateRequest = estypes.IndicesPutIndexTemplateRequest & {
body?: { composed_of?: string[] };
};
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can be deleted, estypes.IndicesPutIndexTemplateRequest contains composed_of:

export interface IndicesPutIndexTemplateRequest extends RequestBase {
  name: Name
  body?: {
    index_patterns?: Indices
    composed_of?: Name[]
    template?: IndicesPutIndexTemplateIndexTemplateMapping
    data_stream?: EmptyObject
    priority?: integer
    version?: VersionNumber
    _meta?: Metadata
  }
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah good catch. I copied some of these types from elsewhere in kibana so didn't look too deeply at the types but I will update this. Thanks!

Comment on lines +56 to +60
if (alerts == null) {
return response.notFound({
body: { message: `alerts with query and index ${index} not found` },
});
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the use case for 404, could it be 200 with an empty array if nothing is found? Less cases for handling on the client side imho.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the alerts have an empty hits array we will respond with that (200 + the Elasticsearch response), but if for some reason the response from Elasticsearch is null (either because of an error or something else) then I figured a 404 is better than throwing a 500.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But yes in general when we execute a search and no hits are found (but we receive a 200 from Elasticsearch) we will respond with exactly that, an empty array.

Comment on lines 611 to 626
public async find<Params extends AlertTypeParams = never>({
query,
aggs,
_source,
// eslint-disable-next-line @typescript-eslint/naming-convention
track_total_hits,
size,
index,
}: {
query?: object | undefined;
aggs?: object | undefined;
index: string | undefined;
track_total_hits?: boolean | undefined;
_source?: string[] | undefined;
size?: number | undefined;
}) {
Copy link
Contributor

@banderror banderror Aug 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this find() method compare to RuleDataClient.getReader().search(), when should we use which one, etc? Do we even need RuleDataClient.getReader() in the current form?

…re aggs.terms.missing field could be a string or a number
Copy link
Contributor

@XavierM XavierM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job, thank you for adding the test around the aggs and script. Now I feel it is golden!!!

@dhurley14 dhurley14 enabled auto-merge (squash) August 18, 2021 00:27
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 6.5MB 6.5MB +648.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 211.8KB 211.9KB +145.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dhurley14

@dhurley14 dhurley14 merged commit c3ccda9 into elastic:master Aug 18, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Aug 18, 2021
…7982)

Addition of a find api to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page.
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Aug 18, 2021
…109034)

Addition of a find api to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page.

Co-authored-by: Devin W. Hurley <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Deprecated - use backport:version if exact versions are needed Feature:Detection Alerts Security Solution Detection Alerts Feature Feature:Detection Rules Security Solution rules and Detection Engine Feature:RAC label obsolete release_note:enhancement review Team:Detections and Resp Security Detection Response Team Theme: rac label obsolete v7.15.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants