[Response Ops][Alerting] Migrate installation of context-specific component templates, index templates and concrete write index to framework for alerts-as-data #151792
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ymao1
force-pushed
the
alerting/faad-resources-component
branch
2 times, most recently
from
c24a423 to
9ea206c
Compare
ymao1
commented
Feb 27, 2023
| @@ -0,0 +1,20 @@ | |||
| /* | |||
There was a problem hiding this comment.
Moved from x-pack/plugins/rule_registry/common/assets/field_maps/experimental_rule_field_map.ts
ymao1
commented
Feb 27, 2023
x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts
Show resolved
Hide resolved
…mework install context specific resources
ymao1
force-pushed
the
alerting/faad-resources-component
branch
from
22a7324 to
cc24f4d
Compare
ymao1
changed the title
ymao1
changed the title
ymao1
commented
Feb 27, 2023
x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
Outdated
Show resolved
Hide resolved
ymao1
commented
Feb 27, 2023
| if (!isEqual(fieldMap, registeredFieldMap)) { | ||
| throw new Error(`${context} has already been registered with a different mapping`); | ||
| const registeredOptions = this.registeredContexts.get(context); | ||
| if (!isEqual(opts, registeredOptions)) { |
There was a problem hiding this comment.
Testing equality of all options to catch the possibility of rule types registering with the same context but different useEcs or useLegacyAlerts flags.
ymao1
commented
Feb 27, 2023
| @@ -326,6 +361,14 @@ export class AlertsService implements IAlertsService { | |||
| ) { | |||
| this.options.logger.info(`Installing index template ${indexPatterns.template}`); | |||
|
|
|||
| const indexMetadata: Metadata = { | |||
There was a problem hiding this comment.
Added this to align with metadata that rule registry is outputting
ymao1
commented
Feb 27, 2023
| /** | ||
| * Optional secondary alias to use. This alias should not include the namespace. | ||
| */ | ||
| secondaryAlias?: string; |
There was a problem hiding this comment.
Added to allow detection alerts to specify siem.signals alias
ymao1
added
Feature:Alerting
Team:ResponseOps
mikecote
reviewed
Mar 2, 2023
x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
Outdated
Show resolved
Hide resolved
| @@ -16,6 +16,7 @@ import { | |||
| DEFAULT_ALERTS_ILM_POLICY, | |||
There was a problem hiding this comment.
I'm not sure if this is a concern given we can do a diff down the line but:
question: do we have something in place to prevent registrationContext from differentiating to what is provided to the rule type via alerts object? (thinking in case a new rule type is in the works somewhere or soemthing.. until we remove the need for registrationContext)
There was a problem hiding this comment.
If a new rule type is added to the rule registry without also being registered with the framework and the framework handles the installation the context specific resources, any run of the rule type that generates an alert will throw an error on execution. I believe this should be caught during development but if we want an additional check, I think we could add a check to the initializeIndex function in the rule registry RuleDataService that verifies any context registered with the rule data service is also registered in the framework.
There was a problem hiding this comment.
I think adding the function within the rule registry's initializeIndex or doing a manual check when switching the framework alerts feature flag will be ok. If it's trivial to do the manual check, maybe we just do that when validating the feature flag PR?
x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts
Show resolved
Hide resolved
x-pack/plugins/alerting/server/alerts_service/create_resource_installation_helper.ts
Outdated
Show resolved
Hide resolved
mikecote
approved these changes
Mar 6, 2023
|
@elasticmachine merge upstream |
kdelemme
approved these changes
Mar 6, 2023
dominiqueclarke
approved these changes
Mar 6, 2023
marshallmain
approved these changes
Mar 6, 2023
crespocarlos
approved these changes
Mar 7, 2023
andrew-goldstein
approved these changes
Mar 7, 2023
dgieselaar
approved these changes
Mar 8, 2023
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @ymao1 |
bmorelli25
pushed a commit
to bmorelli25/kibana
that referenced
this pull request
Mar 10, 2023
…ponent templates, index templates and concrete write index to framework for alerts-as-data (elastic#151792) Resolves elastic#151697 ## Summary In a previous [PR](elastic#145581) we started installing a context-specific component templates, index templates and concrete write indices for framework alerts as data when the `xpack.alerting.enableFrameworkAlerts` config flag is set to true. In that PR we used a different naming pattern than what is used by the rule registry for those resources. In this PR, we are aligning the naming of these resources with the rule registry and installing these resources on alerting plugin setup when `enableFrameworkAlerts: true`. If the flag is set to false, the rule registry will continue to handle this resource installation. In this PR we are doing the following: * Registering all rules currently registered with the rule registry with the alerting framework. This registration allows the alerting framework to build context specific component templates. Because this PR only addresses resource installation, rules will continue to be registered with the rule registry. * When `enableFrameworkAlerts: true`: * The framework installs the context specific component template with the following naming convention: `.alerts-{context}.alerts-mappings`. This matches what the rule registry currently installs so the transition should be seamless * The framework installs the context specific index template for the `default` space with the following name: `.alerts-{context}.alerts-default-index-template`. Space awareness will be addressed in a followup PR. This matches the current rule registry naming.This index template will reference (1) ECS component template (if `useEcs: true`), (2) context-specific component template, (3) legacy alert component template and (4) framework component template where the legacy alert component template + framework component template = technical component template (from the rule registry). * The framework creates or updates the concrete write index for the `default` space with the naming convention: `.internal.alerts-{context}.alerts-default-000001`. Space awareness will be addressed in a followup PR. This matches the current rule registry naming. * The installation of the index template & write index differs from the rule registry in that it occurs on alerting plugin start vs the first rule run. * We modified the rule registry resource installer to skip installation of these resources when `enableFrameworkAlerts: true`. In addition, it will wait for the alerting resource installation promise so if a rule runs before its resources are fully initialized, it will wait for initialization to complete before writing. ## To Verify The following rule registry contexts are affected: `observability.apm` `observability.logs` `observability.metrics` `observability.slo` `observability.uptime` `security` For each context, we should verify the following: `Note that if your rule context references the ECS mappings, there may be differences in those mappings between main and this branch depending on whether you're running main with enableFrameworkAlerts true or false. These differences are explained in the summary of this prior PR: elastic#150384 but essentially we're aligning with the latest ECS fields. In the instructions, I suggest running main with enableFrameworkAlerts: true to minimize the differences caused by ECS changes` **While running `main` with `enableFrameworkAlerts: true`:** 1. Get the context specific component template `GET _component_template/.alerts-{context}.alerts-mappings` 2. Create rule for this context that creates an alert and then 3. Get the index template `GET _index_template/.alerts-{context}.alerts-default-index-template` 4. Get the index mapping for the concrete index: `GET .internal.alerts-{context}.alerts-default-000001/_mapping` **While running this branch with `xpack.alerting.enableFrameworkAlerts: true` (with a fresh ES instance):** 5. Get the context specific component template `GET _component_template/.alerts-{context}.alerts-mappings` 6. Get the index template `GET _index_template/.alerts-{context}.alerts-default-index-template` 7. Get the index mapping for the concrete index: `GET .internal.alerts-{context}.alerts-default-000001/_mapping` Note that you should not have to create a rule that generates alerts before seeing these resources installed. **Compare the component templates** Compare 1 and 5. The difference should be: * component template from this branch should have `_meta.managed: true`. This is a flag indicating to the user that these templates are system managed and should not be manually modified. **Compare the index templates** Compare 3 and 6. The differences should be: * index template from this branch should have `managed: true` in the `_meta` fields * index template from this branch should not have a `priority` field. This will be addressed in a followup PR * index template from this branch should be composed of `.alerts-legacy-alert-mappings` and `.alerts-framework-mappings` instead of `.alerts-technical-mappings` but under the hood, these mappings are equivalent. **Compare the index mappings** Compare 4 and 7. The difference should be: * index mappings from this branch should have `_meta.managed: true`. ### Verify that installed resources templates work as expected 1. Run this branch on a fresh ES install with `xpack.alerting.enableFrameworkAlerts: true`. 2. Create a rule in your context that generates alerts. 3. Verify that there are no errors during rule execution. 4. Verify that the alerts show up in your alerts table as expected. 5. (For detection rules only): Run this branch with `xpack.alerting.enableFrameworkAlerts: true` and verify rules in a non-default space continue to create resources on first rule run and run as expected. 6. (For detection rules only): Run this branch with `xpack.alerting.enableFrameworkAlerts: true` and verify rule preview continue to work as expected ### Verify that installed resources templates work with existing rule registry resources. 1. Run `main` or a previous version and create a rule in your context that generates alerts. 2. Using the same ES data, switch to this branch with `xpack.alerting.enableFrameworkAlerts: false` and verify Kibana starts with no rule registry errors and the rule continues to run as expected. 3. Using the same ES data, switch to this branch with `xpack.alerting.enableFrameworkAlerts: true` and verify Kibana starts with no alerting or rule registry errors and the rule continues to run as expected. 4. Verify the alerts show up on the alerts table as expected. 5. (For detection rules only): Run this branch with `xpack.alerting.enableFrameworkAlerts: true` and verify rules in a non-default space continue to create resources on first rule run and run as expected. 6. (For detection rules only): Run this branch with `xpack.alerting.enableFrameworkAlerts: true` and verify rule preview continue to work as expected --------- Co-authored-by: Kibana Machine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #151697
Summary
In a previous PR we started installing a context-specific component templates, index templates and concrete write indices for framework alerts as data when the
xpack.alerting.enableFrameworkAlertsconfig flag is set to true. In that PR we used a different naming pattern than what is used by the rule registry for those resources. In this PR, we are aligning the naming of these resources with the rule registry and installing these resources on alerting plugin setup whenenableFrameworkAlerts: true. If the flag is set to false, the rule registry will continue to handle this resource installation.In this PR we are doing the following:
enableFrameworkAlerts: true:.alerts-{context}.alerts-mappings. This matches what the rule registry currently installs so the transition should be seamlessdefaultspace with the following name:.alerts-{context}.alerts-default-index-template. Space awareness will be addressed in a followup PR. This matches the current rule registry naming.This index template will reference(1) ECS component template (if
useEcs: true),(2) context-specific component template,
(3) legacy alert component template and
(4) framework component template
where the legacy alert component template + framework component template = technical component template (from the rule registry).
defaultspace with the naming convention:.internal.alerts-{context}.alerts-default-000001. Space awareness will be addressed in a followup PR. This matches the current rule registry naming.enableFrameworkAlerts: true. In addition, it will wait for the alerting resource installation promise so if a rule runs before its resources are fully initialized, it will wait for initialization to complete before writing.To Verify
The following rule registry contexts are affected:
observability.apmobservability.logsobservability.metricsobservability.sloobservability.uptimesecurityFor each context, we should verify the following:
Note that if your rule context references the ECS mappings, there may be differences in those mappings between main and this branch depending on whether you're running main with enableFrameworkAlerts true or false. These differences are explained in the summary of this prior PR: https://github.com/elastic/kibana/pull/150384 but essentially we're aligning with the latest ECS fields. In the instructions, I suggest running main with enableFrameworkAlerts: true to minimize the differences caused by ECS changesWhile running
mainwithenableFrameworkAlerts: true:GET _component_template/.alerts-{context}.alerts-mappingsGET _index_template/.alerts-{context}.alerts-default-index-templateGET .internal.alerts-{context}.alerts-default-000001/_mappingWhile running this branch with
xpack.alerting.enableFrameworkAlerts: true(with a fresh ES instance):5. Get the context specific component template
GET _component_template/.alerts-{context}.alerts-mappings6. Get the index template
GET _index_template/.alerts-{context}.alerts-default-index-template7. Get the index mapping for the concrete index:
GET .internal.alerts-{context}.alerts-default-000001/_mappingNote that you should not have to create a rule that generates alerts before seeing these resources installed.
Compare the component templates
Compare 1 and 5. The difference should be:
_meta.managed: true. This is a flag indicating to the user that these templates are system managed and should not be manually modified.Compare the index templates
Compare 3 and 6. The differences should be:
managed: truein the_metafieldspriorityfield. This will be addressed in a followup PR.alerts-legacy-alert-mappingsand.alerts-framework-mappingsinstead of.alerts-technical-mappingsbut under the hood, these mappings are equivalent.Compare the index mappings
Compare 4 and 7. The difference should be:
_meta.managed: true.Verify that installed resources templates work as expected
xpack.alerting.enableFrameworkAlerts: true.xpack.alerting.enableFrameworkAlerts: trueand verify rules in a non-default space continue to create resources on first rule run and run as expected.xpack.alerting.enableFrameworkAlerts: trueand verify rule preview continue to work as expectedVerify that installed resources templates work with existing rule registry resources.
mainor a previous version and create a rule in your context that generates alerts.xpack.alerting.enableFrameworkAlerts: falseand verify Kibana starts with no rule registry errors and the rule continues to run as expected.xpack.alerting.enableFrameworkAlerts: trueand verify Kibana starts with no alerting or rule registry errors and the rule continues to run as expected.xpack.alerting.enableFrameworkAlerts: trueand verify rules in a non-default space continue to create resources on first rule run and run as expected.xpack.alerting.enableFrameworkAlerts: trueand verify rule preview continue to work as expected