[ES Query] Make rule created in Discover visible in Observability #171364
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Zacqary
added
release_note:enhancement
Team:ResponseOps
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
…com/Zacqary/kibana into 170497-discover-esquery-scopeselect
|
Pinging @elastic/response-ops (Team:ResponseOps) |
Zacqary
added
the
Team:obs-ux-management
|
Pinging @elastic/obs-ux-management-team (Team:obs-ux-management) |
Zacqary
added
the
Feature:Alerting/RulesManagement
…com/Zacqary/kibana into 170497-discover-esquery-scopeselect
…uery-scopeselect # Conflicts: # src/plugins/discover/tsconfig.json
Zacqary
commented
Nov 22, 2023
src/plugins/discover/public/application/main/components/top_nav/open_alerts_popover.tsx
Show resolved
Hide resolved
XavierM
reviewed
Nov 30, 2023
x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form.tsx
Outdated
Show resolved
Hide resolved
XavierM
reviewed
Nov 30, 2023
x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form.tsx
Outdated
Show resolved
Hide resolved
XavierM
requested changes
Nov 30, 2023
There was a problem hiding this comment.
@Zacqary I tested your PR and realized that it was removing some functionality that has been implemented. We need to add more functional testing so we do not reproduce the effect that everything is good until someone test it.
I think we can make discover rule work like the new o11y threshold and es query by just doing that https://gist.github.com/XavierM/a87f9ef5f4df7b1b6a0cb29f37922cf3.
In stateful, the user we will have to pick between logs, infrastructure and stackAlerts like we do in the rule management page. However, when we are in server-less, it will default it to observability and for the other project like search and security, it will default it to stackAlerts without any user interaction.
XavierM
reviewed
Nov 30, 2023
x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_add.test.tsx
Show resolved
Hide resolved
XavierM
reviewed
Dec 1, 2023
| @@ -75,4 +75,12 @@ function registerNavigation(alerting: AlertingSetup) { | |||
| return; | |||
| } | |||
| ); | |||
| alerting.registerNavigation( | |||
There was a problem hiding this comment.
You can thank the failing tests for this one
XavierM
reviewed
Dec 1, 2023
| @@ -115,8 +123,8 @@ export const RuleFormConsumerSelection = (props: RuleFormConsumerSelectionProps) | |||
| }, [consumers]); | |||
|
|
|||
| useEffect(() => { | |||
| // At initialization we set to NULL to know that nobody selected anything | |||
| onChange(null); | |||
| // At initialization, select the first value | |||
There was a problem hiding this comment.
Since initialSelectedConsumer?: RuleCreationValidConsumer | null; can be undefined or null. Do you think it will be a good idea to do something like that to make sure that STACK_ALERTS_FEATURE_ID is selected if a dev forget to initialize the value
useEffect(() => {
// At initialization, select the first value
if (!validatedSelectedConsumer) {
if(consumers.includes(STACK_ALERTS_FEATURE_ID) {
onChange(STACK_ALERTS_FEATURE_ID);
return;
}
onChange(consumers[0] as RuleCreationValidConsumer);
}
// eslint-disable-next-line react-hooks/exhaustive-deps
}, []);There was a problem hiding this comment.
Sure, that makes sense
XavierM
approved these changes
Dec 1, 2023
There was a problem hiding this comment.
@Zacqary I tested this different scenario and it works like a charm.
I created es-query and o11y custom threshold in all the different project in server-less and for observability project we used the new observability feature id as consumer and for search/security project, we are using stackAlerts.
For the stateful, everything work as expected. My es-query rule from discover will default to logs and same when I created this rule from o11y rule management and if I created from the stack management, then we are using stackAlerts. Then, I created a role where I am excluding logs feature. At this point, we will default to Metrics/Infrastructure as it should be and keep it as stackAlerts for stack rule management page.
marshallmain
approved these changes
Dec 1, 2023
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
References to deprecated APIs
History
To update your PR or re-run it, just comment with: |
davismcphee
approved these changes
Dec 1, 2023
There was a problem hiding this comment.
Discover changes LGTM 👍
I tested creating a rule with the default selection in Discover in stateful both as a user with and without o11y privileges:
- The dropdown was visible for the user with management and o11y privileges, and the rule appeared in both management and o11y.
- The dropdown was not visible for the user with only management privileges, and the rule only appeared in management.
The only thing that surprised me was that when I created a rule in Discover as the user with both privileges, and left the dropdown selection as the logs default, the rule wasn't visible in management by the user who only had management privileges. This is a change I wasn't expecting, but I assume it's working as intended and users will now have to select "Stack Rules" in order for the rule to show up in management for those who don't have o11y privileges?
I also tested in an o11y project and a search project -- the dropdown was visible in neither, I was able to create a rule in Discover in both, and the rule was visible in each project's available rule page.
mgiota
approved these changes
Dec 4, 2023
@mgiota By default, Discover is not visible in Serverless, but if you select a data view in |
2 tasks
cnasikas
added a commit
that referenced
this pull request
Sep 30, 2024
…sumers (#192321) ## Summary Alerts use its own RBAC model. The RBAC relies on a property called `consumer`. The consumer is tight coupled with the feature ID. It denotes the user's access to the rule and the alerts. For example, a user with access to the "Logs" feature has access only to alerts and rules with the `consumer` set as `logs`. Users can create an ES Query rule from Discover. When the feature was [implemented](#124534) (v8.3.0) the consumer was set to `discover`. Then it [changed](#166032) (v8.11.0) to `stackAlerts` (visible only on the stack management page) and then [to](#171364) (v8.12.0) `alerts` so it can be visible in Observability. Users who created rules that generated alerts with the `discover` consumer cannot see the alerts generated by the rule when they upgrade Kibana to 8.11+ even as superusers. This PR fixes the issues around the `discover` consumer. I added the following alert document to the `data.json.gz` to test for alerts with `discover` consumer. ``` { "type": "doc", "value": { "id": "1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97", "index": ".internal.alerts-stack.alerts-default-000001", "source": { "@timestamp": "2021-10-19T14:00:38.749Z", "event.action": "active", "event.kind": "signal", "kibana.alert.duration.us": 1370302000, "kibana.alert.evaluation.threshold": -1, "kibana.alert.evaluation.value": 80, "kibana.alert.instance.id": "query matched", "kibana.alert.reason": "Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.", "kibana.alert.rule.category": "Elasticsearch query", "kibana.alert.rule.consumer": "discover", "kibana.alert.rule.name": "EsQuery discover", "kibana.alert.rule.producer": "stackAlerts", "kibana.alert.rule.rule_type_id": ".es-query", "kibana.alert.rule.uuid": "25c14920-faa7-4a9a-830c-ce32c8211237", "kibana.alert.start": "2021-10-19T15:00:41.555Z", "kibana.alert.status": "active", "kibana.alert.time_range": { "gte": "2021-10-19T15:00:41.555Z" }, "kibana.alert.uuid": "23237979-75bf-4b68-a210-ce5056b93356", "kibana.alert.workflow_status": "open", "kibana.space_ids": [ "default" ], "kibana.version": "8.0.0", "tags": [] } } } ``` ## Testing 1. Create a rule with the consumer as `discover`. See #184595 for instructions. 2. Go to the rule details page. 3. Verify that you do not get any error toaster and you can see the alerts. Fixes: #184595 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release notes Fix an issue with rules not being accessible created from Discover before 8.11.0. --------- Co-authored-by: Elastic Machine <[email protected]>
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Sep 30, 2024
…sumers (elastic#192321) ## Summary Alerts use its own RBAC model. The RBAC relies on a property called `consumer`. The consumer is tight coupled with the feature ID. It denotes the user's access to the rule and the alerts. For example, a user with access to the "Logs" feature has access only to alerts and rules with the `consumer` set as `logs`. Users can create an ES Query rule from Discover. When the feature was [implemented](elastic#124534) (v8.3.0) the consumer was set to `discover`. Then it [changed](elastic#166032) (v8.11.0) to `stackAlerts` (visible only on the stack management page) and then [to](elastic#171364) (v8.12.0) `alerts` so it can be visible in Observability. Users who created rules that generated alerts with the `discover` consumer cannot see the alerts generated by the rule when they upgrade Kibana to 8.11+ even as superusers. This PR fixes the issues around the `discover` consumer. I added the following alert document to the `data.json.gz` to test for alerts with `discover` consumer. ``` { "type": "doc", "value": { "id": "1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97", "index": ".internal.alerts-stack.alerts-default-000001", "source": { "@timestamp": "2021-10-19T14:00:38.749Z", "event.action": "active", "event.kind": "signal", "kibana.alert.duration.us": 1370302000, "kibana.alert.evaluation.threshold": -1, "kibana.alert.evaluation.value": 80, "kibana.alert.instance.id": "query matched", "kibana.alert.reason": "Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.", "kibana.alert.rule.category": "Elasticsearch query", "kibana.alert.rule.consumer": "discover", "kibana.alert.rule.name": "EsQuery discover", "kibana.alert.rule.producer": "stackAlerts", "kibana.alert.rule.rule_type_id": ".es-query", "kibana.alert.rule.uuid": "25c14920-faa7-4a9a-830c-ce32c8211237", "kibana.alert.start": "2021-10-19T15:00:41.555Z", "kibana.alert.status": "active", "kibana.alert.time_range": { "gte": "2021-10-19T15:00:41.555Z" }, "kibana.alert.uuid": "23237979-75bf-4b68-a210-ce5056b93356", "kibana.alert.workflow_status": "open", "kibana.space_ids": [ "default" ], "kibana.version": "8.0.0", "tags": [] } } } ``` ## Testing 1. Create a rule with the consumer as `discover`. See elastic#184595 for instructions. 2. Go to the rule details page. 3. Verify that you do not get any error toaster and you can see the alerts. Fixes: elastic#184595 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release notes Fix an issue with rules not being accessible created from Discover before 8.11.0. --------- Co-authored-by: Elastic Machine <[email protected]> (cherry picked from commit 396931f)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Sep 30, 2024
…sumers (elastic#192321) ## Summary Alerts use its own RBAC model. The RBAC relies on a property called `consumer`. The consumer is tight coupled with the feature ID. It denotes the user's access to the rule and the alerts. For example, a user with access to the "Logs" feature has access only to alerts and rules with the `consumer` set as `logs`. Users can create an ES Query rule from Discover. When the feature was [implemented](elastic#124534) (v8.3.0) the consumer was set to `discover`. Then it [changed](elastic#166032) (v8.11.0) to `stackAlerts` (visible only on the stack management page) and then [to](elastic#171364) (v8.12.0) `alerts` so it can be visible in Observability. Users who created rules that generated alerts with the `discover` consumer cannot see the alerts generated by the rule when they upgrade Kibana to 8.11+ even as superusers. This PR fixes the issues around the `discover` consumer. I added the following alert document to the `data.json.gz` to test for alerts with `discover` consumer. ``` { "type": "doc", "value": { "id": "1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97", "index": ".internal.alerts-stack.alerts-default-000001", "source": { "@timestamp": "2021-10-19T14:00:38.749Z", "event.action": "active", "event.kind": "signal", "kibana.alert.duration.us": 1370302000, "kibana.alert.evaluation.threshold": -1, "kibana.alert.evaluation.value": 80, "kibana.alert.instance.id": "query matched", "kibana.alert.reason": "Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.", "kibana.alert.rule.category": "Elasticsearch query", "kibana.alert.rule.consumer": "discover", "kibana.alert.rule.name": "EsQuery discover", "kibana.alert.rule.producer": "stackAlerts", "kibana.alert.rule.rule_type_id": ".es-query", "kibana.alert.rule.uuid": "25c14920-faa7-4a9a-830c-ce32c8211237", "kibana.alert.start": "2021-10-19T15:00:41.555Z", "kibana.alert.status": "active", "kibana.alert.time_range": { "gte": "2021-10-19T15:00:41.555Z" }, "kibana.alert.uuid": "23237979-75bf-4b68-a210-ce5056b93356", "kibana.alert.workflow_status": "open", "kibana.space_ids": [ "default" ], "kibana.version": "8.0.0", "tags": [] } } } ``` ## Testing 1. Create a rule with the consumer as `discover`. See elastic#184595 for instructions. 2. Go to the rule details page. 3. Verify that you do not get any error toaster and you can see the alerts. Fixes: elastic#184595 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release notes Fix an issue with rules not being accessible created from Discover before 8.11.0. --------- Co-authored-by: Elastic Machine <[email protected]> (cherry picked from commit 396931f)
kibanamachine
added a commit
that referenced
this pull request
Sep 30, 2024
…over` as consumers (#192321) (#194440) # Backport This will backport the following commits from `main` to `8.15`: - [[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)](#192321) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Christos Nasikas","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-30T14:11:00Z","message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Feature:Alerting","Team:ResponseOps","v9.0.0","Feature:Alerting/RulesFramework","backport:prev-major","v8.16.0","v8.15.3"],"title":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers","number":192321,"url":"https://github.com/elastic/kibana/pull/192321","mergeCommit":{"message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.15"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192321","number":192321,"mergeCommit":{"message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Christos Nasikas <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Sep 30, 2024
…ver` as consumers (#192321) (#194441) # Backport This will backport the following commits from `main` to `8.x`: - [[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)](#192321) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Christos Nasikas","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-30T14:11:00Z","message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Feature:Alerting","Team:ResponseOps","v9.0.0","Feature:Alerting/RulesFramework","backport:prev-major","v8.16.0","v8.15.3"],"title":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers","number":192321,"url":"https://github.com/elastic/kibana/pull/192321","mergeCommit":{"message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.15"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192321","number":192321,"mergeCommit":{"message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Christos Nasikas <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Closes #170497
Adds scope dropdown to ES Query rules created from Discovery. If Logs or Metrics are selected, rules created here will be visible in Observability.
Also makes
Logsthe default consumer when creating a rule from either Discovery and Observability.Checklist