Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add user to .fleet-actions mapping #95935

Merged
merged 3 commits into from
Mar 31, 2021
Merged

Add user to .fleet-actions mapping #95935

merged 3 commits into from
Mar 31, 2021

Conversation

aleksmaus
Copy link
Member

Summary

Add user field mapping to .fleet-actions index mappings. The format conforms to ECS
https://www.elastic.co/guide/en/ecs/current/ecs-user.html
but doesn't include all the fields.

This allows to assign the user data to the action that can be filtered/searched and rendered in UI as needed.

What do you think?

@aleksmaus aleksmaus requested a review from a team as a code owner March 31, 2021 13:47
@botelastic botelastic bot added the Team:Fleet Team label for Observability Data Collection Fleet team label Mar 31, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@aleksmaus aleksmaus added auto-backport Deprecated - use backport:version if exact versions are needed v7.13.0 v8.0.0 release_note:skip Skip the PR/issue when compiling release notes labels Mar 31, 2021
nchaulet
nchaulet approved these changes Mar 31, 2021
View reviewed changes
Copy link
Member

@nchaulet nchaulet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

pzl
pzl approved these changes Mar 31, 2021
View reviewed changes
Copy link
Member

@pzl pzl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

ruflin
ruflin reviewed Mar 31, 2021
View reviewed changes
Copy link
Member

@ruflin ruflin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not super keen on adding too much metadata to each action event. I wonder if perhaps we could it in a different way that we only add user.id and reference to a user table? Where is user.id coming from? Is this an Elasticsearch user?

@scunningham Would be good to get your take on this one.

@aleksmaus We need to make sure these changes will also make it into the system indices.

x-pack/plugins/fleet/server/services/fleet_server/elasticsearch/fleet_actions.json Outdated
"email" : {
"type" : "keyword"
},
"full_name" : {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need the text parts of ECS? Will we run text queries on these?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This conforms to ECS definition of the fields.
Can add user.id only for sure.
Thought the extra user fields make the actions easier to render on UI without cross referencing between the indices.
Denormalization of the data seems pretty usual with nosql dbs

@aleksmaus
Copy link
Member Author

Where is user.id coming from? Is this an Elasticsearch user?

Thought the user info from .security index would be utilized here, for example the content of the user record:

      {
        "_index" : ".security-7",
        "_id" : "user-aleksmaus",
        "_score" : 1.0,
        "_source" : {
          "username" : "aleksmaus",
          "password" : "$2a$10$SZfmVRiP3WYjobZYHXwLSe1Yjmsjp4W4X05r1jEx2y1fWkWSsBapW",
          "roles" : [
            "superuser"
          ],
          "full_name" : "Aleksandr Maus",
          "email" : "[email protected]",
          "metadata" : null,
          "enabled" : true,
          "type" : "user"
        }
      }
      
      ```

@aleksmaus
Copy link
Member Author

aleksmaus commented Mar 31, 2021
edited
Loading

Thinking of the cases where you want to render a list of actions with the corresponding user and possibly email link on UI.
Also if the user is deleted we still have the original user info with the action.

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@aleksmaus aleksmaus merged commit 524ce98 into elastic:master Mar 31, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Mar 31, 2021
@aleksmaus @kibanamachine
Add user to .fleet-actions mapping (elastic#95935)
066c9a4 
* Add user to .fleet-actions mapping

* Leave only user.id, remove the rest of added fields

* Flatten to user_id
@kibanamachine kibanamachine mentioned this pull request Mar 31, 2021
Merged
@kibanamachine
Copy link
Contributor

💚 Backport successful

7.x / #95968

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Mar 31, 2021
@kibanamachine @aleksmaus
Add user to .fleet-actions mapping (#95935) (#95968)
141c818 
* Add user to .fleet-actions mapping

* Leave only user.id, remove the rest of added fields

* Flatten to user_id

Co-authored-by: Aleksandr Maus <[email protected]>
This was referenced Apr 1, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ruflin ruflin ruflin left review comments

@nchaulet nchaulet nchaulet approved these changes

@pzl pzl pzl approved these changes

@scunningham scunningham scunningham approved these changes

@lykkin lykkin Awaiting requested review from lykkin

@patrykkopycinski patrykkopycinski Awaiting requested review from patrykkopycinski

Assignees
No one assigned
Labels
auto-backport Deprecated - use backport:version if exact versions are needed release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v7.13.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@aleksmaus @elasticmachine @kibanamachine @ruflin @scunningham @pzl @nchaulet