From b10c1e42763dbb4169677af2b5f5240b30e3fc1b Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 22 Jan 2019 20:43:49 -0500 Subject: [PATCH 1/4] Make `user.group` a nesting of the `group` field set, not a keyword. --- README.md | 5 ++++- code/go/ecs/user.go | 4 ---- fields.yml | 15 +++++++-------- schema.csv | 1 - schema.json | 10 ---------- schemas/group.yml | 8 +++++++- schemas/user.yml | 7 ------- template.json | 4 ---- 8 files changed, 18 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index db2ef4bfe7..c0c2414dc1 100644 --- a/README.md +++ b/README.md @@ -271,6 +271,10 @@ Note also that the `geo` fields are not expected to be used directly at the top The group fields are meant to represent groups that are relevant to the event. +The `group` fields are expected to be nested at: `user.group`. + +Note also that the `group` fields may be used directly at the top level. + | Field | Description | Level | Type | Example | |---|---|---|---|---| | group.id | Unique identifier for the group on the system/platform. | extended | keyword | | @@ -501,7 +505,6 @@ Note also that the `user` fields may be used directly at the top level. | user.full_name | User's full name, if available. | extended | keyword | `Albert Einstein` | | user.email | User email address. | extended | keyword | | | user.hash | Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used. | extended | keyword | | -| user.group | Group the user is a part of. This field can contain a list of groups, if necessary. | extended | keyword | | ## User agent fields diff --git a/code/go/ecs/user.go b/code/go/ecs/user.go index f43f0687c4..7759266993 100644 --- a/code/go/ecs/user.go +++ b/code/go/ecs/user.go @@ -39,8 +39,4 @@ type User struct { // Useful if `user.id` or `user.name` contain confidential information and // cannot be used. Hash string `ecs:"hash"` - - // Group the user is a part of. This field can contain a list of groups, if - // necessary. - Group string `ecs:"group"` } diff --git a/fields.yml b/fields.yml index 68c9184f5b..e8efcc38a7 100644 --- a/fields.yml +++ b/fields.yml @@ -770,10 +770,16 @@ - name: group title: Group group: 2 + type: group description: > The group fields are meant to represent groups that are relevant to the event. - type: group + + reusable: + top_level: true + expected: + - user + fields: - name: id @@ -1669,13 +1675,6 @@ Useful if `user.id` or `user.name` contain confidential information and cannot be used. - - name: group - level: extended - type: keyword - description: > - Group the user is a part of. This field can contain a list of groups, if - necessary. - - name: user_agent title: User agent group: 2 diff --git a/schema.csv b/schema.csv index 35a6c9c1c2..d869fc33e1 100644 --- a/schema.csv +++ b/schema.csv @@ -168,7 +168,6 @@ url.scheme,keyword,extended,https url.username,keyword,extended, user.email,keyword,extended, user.full_name,keyword,extended,Albert Einstein -user.group,keyword,extended, user.hash,keyword,extended, user.id,keyword,core, user.name,keyword,core,albert diff --git a/schema.json b/schema.json index 96f14a5c24..05923e6664 100644 --- a/schema.json +++ b/schema.json @@ -1917,16 +1917,6 @@ "required": false, "type": "keyword" }, - "user.group": { - "description": "Group the user is a part of. This field can contain a list of groups, if necessary.", - "example": "", - "footnote": "", - "group": 2, - "level": "extended", - "name": "user.group", - "required": false, - "type": "keyword" - }, "user.hash": { "description": "Unique user hash to correlate information for a user in anonymized form.\nUseful if `user.id` or `user.name` contain confidential information and cannot be used.", "example": "", diff --git a/schemas/group.yml b/schemas/group.yml index e0effddbd9..b9394f4772 100644 --- a/schemas/group.yml +++ b/schemas/group.yml @@ -2,10 +2,16 @@ - name: group title: Group group: 2 + type: group description: > The group fields are meant to represent groups that are relevant to the event. - type: group + + reusable: + top_level: true + expected: + - user + fields: - name: id diff --git a/schemas/user.yml b/schemas/user.yml index 8598a41e0d..8f66e183e6 100644 --- a/schemas/user.yml +++ b/schemas/user.yml @@ -52,10 +52,3 @@ Useful if `user.id` or `user.name` contain confidential information and cannot be used. - - - name: group - level: extended - type: keyword - description: > - Group the user is a part of. This field can contain a list of groups, if - necessary. diff --git a/template.json b/template.json index 687b063982..cb173afd26 100644 --- a/template.json +++ b/template.json @@ -788,10 +788,6 @@ "ignore_above": 1024, "type": "keyword" }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, "hash": { "ignore_above": 1024, "type": "keyword" From 89289d97c77bfd5ccb58adf3e85c2022eec5bcf5 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 22 Jan 2019 20:57:20 -0500 Subject: [PATCH 2/4] Changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c4bead62c..652942dac8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,9 @@ All notable changes to this project will be documented in this file based on the ### Breaking changes +* Remove the `user.group` `keyword` field, introduced in #204. Instead, + the `group` field set can be nested at `user.group` #308 + ### Bugfixes ### Added From 98839512c72221786d7d87f015be28f737250e18 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 23 Jan 2019 09:10:14 -0500 Subject: [PATCH 3/4] Changelog bugfix as well --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 652942dac8..d789fa66ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,9 @@ All notable changes to this project will be documented in this file based on the ### Bugfixes +* Remove the `user.group` `keyword` field, introduced in #204. Instead, + the `group` field set can be nested at `user.group` #308 + ### Added ### Improvements From 4e034698713ff568698b9499bd9e57dca0f13eb2 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Wed, 23 Jan 2019 13:28:48 -0500 Subject: [PATCH 4/4] Changelog tweak for bugfix. Hopefully not too chatty... --- CHANGELOG.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d789fa66ab..e060dadde6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,12 +7,13 @@ All notable changes to this project will be documented in this file based on the ### Breaking changes * Remove the `user.group` `keyword` field, introduced in #204. Instead, - the `group` field set can be nested at `user.group` #308 + the `group` field set can be nested at `user.group`. #308 ### Bugfixes -* Remove the `user.group` `keyword` field, introduced in #204. Instead, - the `group` field set can be nested at `user.group` #308 +* Field set name "group" was being used as a leaf field at `user.group`, instead + of being a nesting of the field set. This goes against a driving principle of ECS, + and has been corrected. #308 ### Added