Backport: Make user.group a nesting of the group field set (#308) (…

…#355) Cherry-pick of PR #308 to 1.0 branch. Original message: Breaking change. Field set name "group" was being used as a leaf field at `user.group`. It had different semantics as the field set: it was a keyword field, instead of being a nesting of the field set. This goes against a driving principle of ECS, and has been corrected. We removed the `user.group` `keyword` field (introduced in #204), and made the `group` field set nestable at `user.group`.
elastic · Mar 5, 2019 · ff9428a · ff9428a
1 parent 05b364e
commit ff9428a
Show file tree

Hide file tree

Showing 9 changed files with 2,072 additions and 23 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,8 +6,15 @@ All notable changes to this project will be documented in this file based on the
 
 ### Breaking changes
 
+* Remove the `user.group` `keyword` field, introduced in #204. Instead,
+  the `group` field set can be nested at `user.group`. #308
+
 ### Bugfixes
 
+* Field set name "group" was being used as a leaf field at `user.group`, instead
+ of being a nesting of the field set. This goes against a driving principle of ECS,
+ and has been corrected. #308
+
 ### Added
 
 ### Improvements

diff --git a/README.md b/README.md
@@ -271,6 +271,10 @@ Note also that the `geo` fields are not expected to be used directly at the top
 The group fields are meant to represent groups that are relevant to the event.
 
 
+The `group` fields are expected to be nested at: `user.group`.
+
+Note also that the `group` fields may be used directly at the top level.
+
 | Field  | Description  | Level  | Type  | Example  |
 |---|---|---|---|---|
 | <a name="group.id"></a>group.id | Unique identifier for the group on the system/platform. | extended | keyword |  |
@@ -501,7 +505,6 @@ Note also that the `user` fields may be used directly at the top level.
 | <a name="user.full_name"></a>user.full_name | User's full name, if available. | extended | keyword | `Albert Einstein` |
 | <a name="user.email"></a>user.email | User email address. | extended | keyword |  |
 | <a name="user.hash"></a>user.hash | Unique user hash to correlate information for a user in anonymized form.<br/>Useful if `user.id` or `user.name` contain confidential information and cannot be used. | extended | keyword |  |
-| <a name="user.group"></a>user.group | Group the user is a part of. This field can contain a list of groups, if necessary. | extended | keyword |  |
 
 
 ## <a name="user_agent"></a> User agent fields

diff --git a/code/go/ecs/user.go b/code/go/ecs/user.go
diff --git a/fields.yml b/fields.yml
@@ -768,10 +768,16 @@
     - name: group
       title: Group
       group: 2
+      type: group
       description: >
         The group fields are meant to represent groups that are relevant to the
         event.
-      type: group
+    
+      reusable:
+        top_level: true
+        expected:
+          - user
+
       fields:
 
         - name: id
@@ -1667,13 +1673,6 @@
             Useful if `user.id` or `user.name` contain confidential information and
             cannot be used.
 
-        - name: group
-          level: extended
-          type: keyword
-          description: >
-            Group the user is a part of. This field can contain a list of groups, if
-            necessary.
-    
     - name: user_agent
       title: User agent
       group: 2

diff --git a/schema.csv b/schema.csv
@@ -168,7 +168,6 @@ url.scheme,keyword,extended,https
 url.username,keyword,extended,
 user.email,keyword,extended,
 user.full_name,keyword,extended,Albert Einstein
-user.group,keyword,extended,
 user.hash,keyword,extended,
 user.id,keyword,core,
 user.name,keyword,core,albert