[RAC] Fix index names used by RBAC, delete hardcoded map of Kibana features to index names #109567
Conversation
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Force-pushed from 6b46e84 to 42d995e
Pinging @elastic/uptime (Team:uptime)
// TODO: Remove space id from the index name and make sure the app works well. | ||
// We should not include space id into the index name, because a | ||
// namespace goes into the index name, and it's user-defined in general. | ||
// The user can set a custom namespace per rule instance which could be != space id. |
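Review bot: the TODO at the top of this block records an unresolved design choice (whether the space id or the user-defined namespace belongs in the index name) rather than a concrete follow-up, and it asserts that the current behaviour is wrong while leaving that behaviour in place. Either link the ticket that tracks the decision or remove the comment; if the space id is still required here because the authorization filter depends on it, state that in one line so the next reader does not "fix" it.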
namespaces can have whitespace chars in them, correct? That could be a reason to use space id over namespace. Not sure we would want whitespace chars in index names or maybe those get hyphenated?
We had a chat with @dhurley14 on this comment. For visibility I will post a summary here (Devin is on PTO right now).
My point was: namespaces, according to the design document, are supposed to be user-defined. But in Security they will be equal to the space id by default. But still, the user will be able to set a custom namespace for a single rule instance.
- if we include a space id in the index name when reading data, we will omit the alerts generated by this rule instance
- namespaces should not include whitespace characters I guess, but they can contain dashes; basically they can contain any characters a space id can
- when reading from RAC indices, we should omit the namespace part from the queries to ES
Devin's point is:
that all makes sense except for the last bullet point:
when reading from RAC indices, we should omit the namespace part from the queries to ES
We are doing that as part of the authorization filter. This requirement came early on from Brandon I think so that would need to be discussed further.
I'm fine with whichever decision is made going forward (sounds like it'll be namespaces > space ids) but I just want to make sure that change is also reflected in places we use space id for authorization in the alerts as data client.
I'm not sure what should be done in this PR regarding that, to be honest. Maybe I just don't understand why this function (`getAuthorizedAlertsIndices`) needs to include space id to the index name. I don't know how the HTTP endpoint that calls this function is actually used in the app. Where the index names from the endpoint's response are being propagated to, etc. Maybe I'm just missing something.
I will remove this TODO comment to avoid confusion (especially if it's misleading) and try to figure out the usage of space id in this function later.
Force-pushed from 42d995e to e9014a6
This looks fine, but I don't know enough about the `AlertsClient` to speak with confidence about the changes therein.
const indicesAssociatedWithFeature = this.indicesByFeatureId.get(indexOptions.feature) ?? []; | ||
this.indicesByFeatureId.set(indexOptions.feature, [...indicesAssociatedWithFeature, indexInfo]); | ||
this.indicesByBaseName.set(indexInfo.baseName, indexInfo); |
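Review bot: `indicesByFeatureId` and `indicesByBaseName` are updated independently with no check that `indexInfo.baseName` is new. A second registration with the same base name appends a duplicate entry to the feature's list while silently overwriting the base-name entry, so the two maps disagree. Check `this.indicesByBaseName.has(indexInfo.baseName)` first and throw (or return the existing entry) before touching either map.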
This works fine, but it makes me wonder if we shouldn't just keep a `Set()` of `IndexInfo`s (with added feature ids) and `.filter()` it when we need to query by some property. 🤔 That would be a much simpler datastructure. Definitely not a high priority for this PR, though.
This is not obvious to me right away, I'll revisit this comment tomorrow.
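The two points raised above, the namespace-versus-space-id discussion on `getAuthorizedAlertsIndices` and the suggestion to keep one filterable collection of `IndexInfo`s instead of two parallel maps, are shown together in this added example. It is not code from the Kibana PR. It assumes that a rule instance writes to `<baseName>-<namespace>`, that the namespace defaults to the space id but can be overridden per rule, and that reads should wildcard the namespace. The names `IndexInfo`, `AlertIndexRegistry`, `authorizedIndexPatterns`, `compareLookups`, and the sample feature ids and base names are assumptions made for the example.

```typescript
// Added example, not code from the Kibana PR. It models two things discussed
// in the thread: a rule writes to "<baseName>-<namespace>", where the namespace
// defaults to the space id but can be overridden per rule, so reads that bake
// the space id into the index name miss alerts from rules with a custom
// namespace; and a registry of IndexInfo entries that is filtered by feature
// id instead of being kept in two parallel maps. The names IndexInfo,
// AlertIndexRegistry, authorizedIndexPatterns, compareLookups and the sample
// feature ids / base names are assumptions made for this example.

interface IndexInfo {
  feature: string;  // Kibana feature id that owns the index, e.g. 'apm'
  baseName: string; // index name without the namespace suffix
}

class AlertIndexRegistry {
  private readonly entries: IndexInfo[] = [];

  // One list instead of indicesByFeatureId + indicesByBaseName: a duplicate
  // base name is rejected here, so the two views can never disagree.
  register(info: IndexInfo): void {
    const exists = this.entries.some((e) => e.baseName === info.baseName);
    if (exists) {
      throw new Error('index ' + info.baseName + ' is already registered');
    }
    this.entries.push(info);
  }

  byFeature(featureIds: string[]): IndexInfo[] {
    return this.entries.filter((e) => featureIds.indexOf(e.feature) !== -1);
  }
}

// Concrete index name a rule instance writes to: base name plus its namespace.
function concreteIndexName(baseName: string, namespace: string): string {
  return baseName + '-' + namespace;
}

// Index patterns to read for a set of authorized feature ids. The namespace
// part is replaced by a wildcard, so custom namespaces are included.
function authorizedIndexPatterns(registry: AlertIndexRegistry, featureIds: string[]): string[] {
  return registry.byFeature(featureIds).map((e) => e.baseName + '-*');
}

// Minimal matcher: a trailing '*' matches any suffix; anything else is exact.
function matchesPattern(pattern: string, indexName: string): boolean {
  if (pattern.slice(-1) === '*') {
    const prefix = pattern.slice(0, -1);
    return indexName.slice(0, prefix.length) === prefix;
  }
  return indexName === pattern;
}

function visibleIndices(patterns: string[], indices: string[]): string[] {
  return indices.filter((name) => patterns.some((p) => matchesPattern(p, name)));
}

// Constructed sample data: the APM rule in the 'default' space kept the
// default namespace, a second APM rule in the same space uses 'team-a'.
const registry = new AlertIndexRegistry();
registry.register({ feature: 'apm', baseName: '.alerts-observability.apm.alerts' });
registry.register({ feature: 'siem', baseName: '.alerts-security.alerts' });

const existingIndices: string[] = [
  concreteIndexName('.alerts-observability.apm.alerts', 'default'),
  concreteIndexName('.alerts-observability.apm.alerts', 'team-a'),
  concreteIndexName('.alerts-security.alerts', 'default'),
];

// Reading with the space id baked into the name sees only the default-namespace
// index; reading with the namespace wildcarded sees both APM indices.
function compareLookups(spaceId: string): { bySpaceId: string[]; byBaseName: string[] } {
  const apmIndices = registry.byFeature(['apm']);
  const spaceIdNames = apmIndices.map((e) => concreteIndexName(e.baseName, spaceId));
  return {
    bySpaceId: visibleIndices(spaceIdNames, existingIndices),
    byBaseName: visibleIndices(authorizedIndexPatterns(registry, ['apm']), existingIndices),
  };
}

console.log(compareLookups('default'));
```

`compareLookups('default')` returns one index under `bySpaceId` and two under `byBaseName`: the `team-a` index is exactly the alert data a space-id-based read would drop. Feature ids are still the unit of authorization here; only the namespace part of the name is wildcarded, so a user authorized for `apm` never receives `.alerts-security.alerts-*`.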
import { AlertsClient } from './alerts_client'; | ||
|
||
export interface AlertsClientFactoryProps { | ||
logger: Logger; | ||
esClient: ElasticsearchClient; | ||
getAlertingAuthorization: (request: KibanaRequest) => PublicMethodsOf<AlertingAuthorization>; | ||
securityPluginSetup: SecurityPluginSetup | undefined; | ||
ruleDataService: RuleDataPluginService | null; |
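Review bot: `ruleDataService: RuleDataPluginService | null` admits a null that the factory then asserts away with `ruleDataService!`, so the type says one thing and the code assumes another. Either make the property non-nullable in `AlertsClientFactoryProps` and let the caller decide what to do when the service is absent, or keep the union and handle `null` explicitly where the client resolves index names (returning an empty list rather than dereferencing).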
Why do we allow `null` here? Doesn't this together with the assertion in `private ruleDataService!` break type safety?
I'll revisit this comment tomorrow.
export const mapConsumerToIndexName: Record<AlertConsumers, string | string[]> = { | ||
apm: '.alerts-observability-apm', | ||
logs: '.alerts-observability.logs', | ||
infrastructure: '.alerts-observability.metrics', | ||
observability: '.alerts-observability', | ||
siem: '.alerts-security.alerts', | ||
uptime: '.alerts-observability.uptime', | ||
}; | ||
export type ValidFeatureId = keyof typeof mapConsumerToIndexName; | ||
export type ValidFeatureId = AlertConsumers; | ||
|
||
export const validFeatureIds = Object.keys(mapConsumerToIndexName); |
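Review bot: with `mapConsumerToIndexName` removed, `validFeatureIds = Object.keys(mapConsumerToIndexName)` has to be replaced as well, and its replacement should be derived from `AlertConsumers`, as the new `ValidFeatureId = AlertConsumers` alias is, so that route-level validation of feature ids and the type cannot drift apart again. Note also that the corrected APM base name differs from the old `.alerts-observability-apm` in two places (the `.` separator and the `.alerts` suffix), so any test fixture or saved object that still carries the old literal will match nothing without an error.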
Besides deleting the map itself, this PR actually fixes the names of the indices, particularly `.alerts-observability-apm` -> `.alerts-observability.apm.alerts`.
The current rule data client in the master branch writes to `.alerts-observability.apm.alerts`.
Uptime changes LGTM
Force-pushed from e9014a6 to 213d269
Force-pushed from 213d269 to c3e2a8f
Thank you @dhurley14 @weltenwort @dominiqueclarke for your reviews 🙏
💚 Build Succeeded
…atures to index names (elastic#109567)

**Ticket:** elastic#102089

🚨 **This PR is critical for Observability 7.15** 🚨

## Summary

This PR introduces changes that fix the usage of alerts-as-data index naming in RBAC. It builds on top of elastic#109346 and replaces elastic#108872.

TODO:

- [x] Address elastic#109346 (review)
- [x] Make changes to `AlertsClient.getAuthorizedAlertsIndices()` so it starts using `RuleDataService` to get index names by feature ids.
- [x] Delete the hardcoded `mapConsumerToIndexName` where we had incorrect index names.
- [x] Close elastic#108872

### Checklist

Delete any items that are not applicable to this PR.

- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Backport commits #110068 and #110067 carry the same message, with `Co-authored-by: Georgii Gorbachev <[email protected]>`.
Ticket: #102089
🚨 This PR is critical for Observability 7.15 🚨
Summary
This PR introduces changes that fix the usage of alerts-as-data index naming in RBAC. It builds on top of #109346 and replaces #108872.
TODO:
- [x] Address #109346 (review)
- [x] Make changes to `AlertsClient.getAuthorizedAlertsIndices()` so it starts using `RuleDataService` to get index names by feature ids.
- [x] Delete the hardcoded `mapConsumerToIndexName` where we had incorrect index names.
- [x] Close #108872
Checklist
Delete any items that are not applicable to this PR.