[Security Solution] Only apply field aliases to legacy .siem-signals indices #115290
Merged: marshallmain merged 17 commits into elastic:main from marshallmain:signals-index-aliases on Oct 29, 2021
Commits (17):

81a899d Only apply field aliases to legacy .siem-signals indices (marshallmain)
0025cf7 Fix unit test mocks (marshallmain)
c462a00 Merge branch 'master' into signals-index-aliases (kibanamachine)
0961a04 Add new function for special index existence check (marshallmain)
f419b3c Actually add new function for special index existence check (marshallmain)
6f35eae Undo getIndexVersion change (marshallmain)
a0d11fd Merge branch 'master' into signals-index-aliases (kibanamachine)
e5c860e Add basic integration tests for field alias logic (marshallmain)
69eb783 Merge branch 'signals-index-aliases' of github.com:marshallmain/kiban… (marshallmain)
4623144 Merge branch 'master' into signals-index-aliases (marshallmain)
e3ebdfa Merge branch 'master' into signals-index-aliases (kibanamachine)
bffab2a Merge branch 'master' into signals-index-aliases (marshallmain)
fb5e0da Add back create_index to test list (marshallmain)
3e72cd0 Add missing markdown to readme (marshallmain)
1532ae9 Revert change to delete_index_route (marshallmain)
d61a8f7 Merge branch 'master' into signals-index-aliases (kibanamachine)
bc1ee67 Merge branch 'master' into signals-index-aliases (kibanamachine)
packages/kbn-securitysolution-es-utils/src/get_bootstrap_index_exists/index.ts (37 additions & 0 deletions)
@@ -0,0 +1,37 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
* in compliance with, at your election, the Elastic License 2.0 or the Server | ||
* Side Public License, v 1. | ||
*/ | ||
|
||
import type { ElasticsearchClient } from '../elasticsearch_client'; | ||
|
||
/** | ||
* This function is similar to getIndexExists, but is limited to searching indices that match | ||
* the index pattern used as concrete backing indices (e.g. .siem-signals-default-000001). | ||
* This allows us to separate the indices that are actually .siem-signals indices from | ||
* alerts as data indices that only share the .siem-signals alias. | ||
* | ||
* @param esClient Elasticsearch client to use to make the request | ||
* @param index Index alias name to check for existence | ||
*/ | ||
export const getBootstrapIndexExists = async ( | ||
esClient: ElasticsearchClient, | ||
index: string | ||
): Promise<boolean> => { | ||
try { | ||
const { body } = await esClient.indices.getAlias({ | ||
index: `${index}-*`, | ||
name: index, | ||
}); | ||
return Object.keys(body).length > 0; | ||
} catch (err) { | ||
if (err.body != null && err.body.status === 404) { | ||
return false; | ||
} else { | ||
throw err.body ? err.body : err; | ||
} | ||
} | ||
}; |
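Review bot: the docstring on getBootstrapIndexExists should state the privilege this call needs and which client is expected to make it. As the review discussion on this PR notes, indices.getAlias against the concrete backing indices requires view_index_metadata or manage on those indices, which detection engine users do not necessarily hold, so callers are expected to pass the internal user's client; nothing in this file says so, and a user-scoped client would get a 403 that the catch block rethrows as err.body rather than mapping to false. One sentence in the @param esClient description ("must be the internal user's client") would make that contract explicit. The comment should also say that `${index}-*` is wider than the `-000001` example it gives: any index whose name starts with `${index}-` and carries the alias is treated as a legacy backing index.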
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_index.ts (89 additions & 0 deletions)
@@ -0,0 +1,89 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import expect from '@kbn/expect'; | ||
import { | ||
DEFAULT_ALERTS_INDEX, | ||
DETECTION_ENGINE_INDEX_URL, | ||
} from '../../../../plugins/security_solution/common/constants'; | ||
|
||
import { FtrProviderContext } from '../../common/ftr_provider_context'; | ||
import { deleteSignalsIndex } from '../../utils'; | ||
|
||
// eslint-disable-next-line import/no-default-export | ||
export default ({ getService }: FtrProviderContext) => { | ||
const supertest = getService('supertest'); | ||
const esArchiver = getService('esArchiver'); | ||
const es = getService('es'); | ||
|
||
describe('create_index', () => { | ||
afterEach(async () => { | ||
await deleteSignalsIndex(supertest); | ||
}); | ||
|
||
describe('elastic admin', () => { | ||
describe('with another index that shares index alias', () => { | ||
before(async () => { | ||
await esArchiver.load('x-pack/test/functional/es_archives/signals/index_alias_clash'); | ||
}); | ||
|
||
after(async () => { | ||
await esArchiver.unload('x-pack/test/functional/es_archives/signals/index_alias_clash'); | ||
}); | ||
|
||
it.skip('should report that signals index does not exist', async () => { | ||
const { body } = await supertest.get(DETECTION_ENGINE_INDEX_URL).send().expect(404); | ||
expect(body).to.eql({ message: 'index for this space does not exist', status_code: 404 }); | ||
}); | ||
|
||
it('should return 200 for create_index', async () => { | ||
const { body } = await supertest | ||
.post(DETECTION_ENGINE_INDEX_URL) | ||
.set('kbn-xsrf', 'true') | ||
.send() | ||
.expect(200); | ||
expect(body).to.eql({ acknowledged: true }); | ||
}); | ||
}); | ||
|
||
describe('with an outdated signals index', () => { | ||
beforeEach(async () => { | ||
await esArchiver.load('x-pack/test/functional/es_archives/endpoint/resolver/signals'); | ||
}); | ||
|
||
afterEach(async () => { | ||
await esArchiver.unload('x-pack/test/functional/es_archives/endpoint/resolver/signals'); | ||
}); | ||
|
||
it('should report that signals index is outdated', async () => { | ||
const { body } = await supertest.get(DETECTION_ENGINE_INDEX_URL).send().expect(200); | ||
expect(body).to.eql({ | ||
index_mapping_outdated: true, | ||
name: `${DEFAULT_ALERTS_INDEX}-default`, | ||
}); | ||
}); | ||
|
||
it('should return 200 for create_index and add field aliases', async () => { | ||
const { body } = await supertest | ||
.post(DETECTION_ENGINE_INDEX_URL) | ||
.set('kbn-xsrf', 'true') | ||
.send() | ||
.expect(200); | ||
expect(body).to.eql({ acknowledged: true }); | ||
|
||
const mappings = await es.indices.get({ | ||
index: '.siem-signals-default-000001', | ||
}); | ||
// Make sure that aliases_version has been updated on the existing index | ||
expect(mappings['.siem-signals-default-000001'].mappings?._meta?.aliases_version).to.eql( | ||
1 | ||
); | ||
}); | ||
}); | ||
}); | ||
}); | ||
}; |
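Review bot: the it.skip on 'should report that signals index does not exist' gives no reason for being disabled; add a comment saying why it is skipped and what would re-enable it, otherwise the only test that exercises the alias-clash archive against GET is silently dropped and that describe block proves nothing beyond POST returning 200. In 'should return 200 for create_index and add field aliases' the assertion checks only mappings._meta.aliases_version === 1; since the test is named for the field aliases being added, also assert that an alias field is present under mappings.properties of .siem-signals-default-000001, so a regression that bumps the version without writing the aliases is caught.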
x-pack/test/functional/es_archives/signals/index_alias_clash/data.json (11 additions & 0 deletions)
@@ -0,0 +1,11 @@ | ||
{ | ||
"type": "doc", | ||
"value": { | ||
"id": "1", | ||
"index": "signal_name_clash", | ||
"source": { | ||
"@timestamp": "2020-10-28T05:08:53.000Z" | ||
}, | ||
"type": "_doc" | ||
} | ||
} |
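Review bot: the document's "index" is signal_name_clash, while the index declared by the companion mappings.json for this archive is index_alias_clash; as written the doc lands in an index that mappings.json never declares and that carries no alias, and index_alias_clash, the one that actually holds the .siem-signals-default alias, stays empty. The test still passes because getBootstrapIndexExists only looks at aliases, but if the intent is to have a document in the clashing index, change "index": "signal_name_clash" to "index": "index_alias_clash".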
x-pack/test/functional/es_archives/signals/index_alias_clash/mappings.json (24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
{ | ||
"type": "index", | ||
"value": { | ||
"aliases": { | ||
".siem-signals-default": { | ||
"is_write_index": false | ||
} | ||
}, | ||
"index": "index_alias_clash", | ||
"mappings": { | ||
"properties": { | ||
"@timestamp": { | ||
"type": "date" | ||
} | ||
} | ||
}, | ||
"settings": { | ||
"index": { | ||
"number_of_replicas": "1", | ||
"number_of_shards": "1" | ||
} | ||
} | ||
} | ||
} |
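Review bot: "is_write_index": false is the right setting for an index that merely shares the .siem-signals-default alias, but nothing records that this archive exists to simulate such a clash; JSON cannot carry a comment, so add a README next to data.json/mappings.json or a one-line comment in create_index.ts where the archive is loaded. Minor: "number_of_replicas": "1" is more than a fixture needs and leaves the index yellow on a single-node test cluster; "0" is enough here.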
getBootstrapIndexExists requires either view_index_metadata or manage privileges for the concrete backing indices, which is not technically a required permission for detection engine users. To avoid potential permissions issues the internal user is used here, with the theory being that any user who has the Kibana application privilege to use this Security Solution API at all is authorized to know if the .siem-signals index exists - so this isn't a data leakage.
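The comment above explains why the bootstrap check is scoped to the concrete backing indices and run as the internal user. The TypeScript below is an added example, not Kibana code: it models Elasticsearch's get-alias call in memory (the Cluster map, getAlias, esError and the canViewMetadata flag standing in for the view_index_metadata/manage check are all assumptions of the example) and runs a pattern-scoped check beside an alias-only check over constructed index sets, including the 404 path the PR's catch block maps to "does not exist" and the privilege-failure path it rethrows.

```typescript
// Added example, not Kibana code: an in-memory model of Elasticsearch's
// GET /<index>/_alias/<name> call, used to show why the legacy signals-index
// check must be scoped to the backing-index pattern `${alias}-*` instead of
// asking whether the alias resolves at all.

// Constructed cluster model (assumption): index name -> aliases on that index.
export type Cluster = Record<string, string[]>;

// Error shape matching what the PR's catch block inspects (err.body.status).
export interface EsClientError {
  body: { status: number; error: string };
}

function esError(status: number, error: string): EsClientError {
  return { body: { status, error } };
}

function isEsClientError(err: unknown): err is EsClientError {
  return typeof err === 'object' && err !== null && 'body' in err;
}

// Turn an index expression such as ".siem-signals-default-*" into a RegExp;
// only `*` is a wildcard, every other character is matched literally.
export function indexPatternToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Emulated get-alias call (assumption of this example). Returns
// { indexName: { aliases: { name: {} } } } for every index matching `index`
// that carries alias `name`, throws a 404-shaped error when none does, and
// throws a 403-shaped error when the caller lacks view_index_metadata/manage
// on the indices (canViewMetadata stands in for that privilege check).
function getAlias(
  cluster: Cluster,
  index: string,
  name: string,
  canViewMetadata: boolean
): Record<string, { aliases: Record<string, object> }> {
  if (!canViewMetadata) {
    throw esError(403, 'security_exception: missing view_index_metadata/manage');
  }
  const re = indexPatternToRegExp(index);
  const body: Record<string, { aliases: Record<string, object> }> = {};
  for (const idx of Object.keys(cluster)) {
    if (re.test(idx) && cluster[idx].indexOf(name) !== -1) {
      body[idx] = { aliases: { [name]: {} } };
    }
  }
  if (Object.keys(body).length === 0) {
    throw esError(404, `alias [${name}] missing`);
  }
  return body;
}

// Shared error handling mirroring the PR: 404 means "does not exist",
// anything else (including a privilege failure) is rethrown as the body.
function aliasLookup(cluster: Cluster, index: string, name: string, canView: boolean): boolean {
  try {
    return Object.keys(getAlias(cluster, index, name, canView)).length > 0;
  } catch (err) {
    if (isEsClientError(err) && err.body.status === 404) {
      return false;
    }
    throw isEsClientError(err) ? err.body : err;
  }
}

// Alias-only check: true if *any* index answers to the alias. It cannot tell a
// legacy .siem-signals backing index from an index that merely shares the alias.
export function aliasExistsAnywhere(cluster: Cluster, alias: string, canView = true): boolean {
  return aliasLookup(cluster, '*', alias, canView);
}

// Pattern-scoped check in the spirit of the PR's getBootstrapIndexExists: only
// indices named `${alias}-*` count, so a clash index with another name is ignored.
export function getBootstrapIndexExists(cluster: Cluster, alias: string, canView = true): boolean {
  return aliasLookup(cluster, `${alias}-*`, alias, canView);
}

export const ALIAS = '.siem-signals-default';

// Constructed fixtures, not real cluster state.
// Only an index that shares the alias, like the PR's index_alias_clash archive.
export const clashOnly: Cluster = {
  index_alias_clash: [ALIAS],
};
// A legacy backing index exists next to the clash index.
export const legacyAndClash: Cluster = {
  [`${ALIAS}-000001`]: [ALIAS],
  index_alias_clash: [ALIAS],
};
```

With clashOnly the alias-only check reports true while the pattern-scoped check reports false, which is exactly the distinction that decides whether field aliases get applied; with an empty cluster the emulated 404 is mapped to false, and with canView set to false the 403 body is rethrown rather than swallowed, so a caller using a user-scoped client sees the permission problem instead of a silent "does not exist".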