[RAC] Make sure index names comply with design architecture #102089

dgieselaar · 2021-06-14T16:03:39Z

📝 Summary

Index names

For RAC, the index names should take the following format:

.alerts-{registrationContext}.{datasetSuffix}-{namespace}-000001

datasetSuffix will be alert for the mutable/changeable alert document, which is what we are focusing in on for now. It will likely be event for the other document, but that is still largely TBD. namespace is user defined, so it can/should be ignored by the component and index templates. It will be a value stored on the rule.

The methods/logic in the rule data service should reflect these names. Other asset names should be re-evaluated as well.

Field names

The fields introduced as part of the alert-as-data effort, which are not covered by ECS, should be prefixed with kibana.alert in order to avoid collisions with ECS fields.

✔️ Acceptance criteria

Alerts are written to the indices whose names adhere to the specified patterns.
The rule data client for writing alerts accepts a namespace value that it uses for writing alerts, which uses "default" for this value by default.
The "technical" fields are prefixed with kibana.alert instead of kibana.rac.alert.

The text was updated successfully, but these errors were encountered:

jasonrhodes · 2021-06-16T03:28:48Z

I clarified a little. Thanks for the ticket, we definitely need to incorporate these.

weltenwort · 2021-06-16T10:20:05Z

The -000001 suggests this is an ILM-controlled index. Do the shared component templates ensure that?

elasticmachine · 2021-06-29T18:53:01Z

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine · 2021-06-29T18:53:37Z

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

gmmorris · 2021-06-30T17:07:15Z

Haha there's been some Team label juggling over here.
I believe this will be implemented by Security Solution, so adding them back.

weltenwort · 2021-07-01T10:31:39Z

Currently every plugin registering assets (such as index templates) needs to ensure they're specifying the correct names, so it's hard to assign this to a specific team. Maybe a validation in the rule_registry could provide a safety net?

weltenwort · 2021-07-20T13:15:52Z

ℹ️ As discussed I updated the description and ACs to include aligning the field name prefix.

paulb-elastic · 2021-08-02T11:42:54Z

@jasonrhodes has there been any movement on the names of the indices?

…ing implementation (#108115) **Addresses:** #106421, #106428, #102089, #106433 ## Summary This PR focuses on consolidation of indexing implementations in `rule_registry` (#101016). It addresses some of the sub-tasks of the parent ticket. - [x] Encapsulate index bootstrapping logic in a new improved API exposed by `RuleDataService`. - [x] Enforce allowed values for the `datasetSuffix` on the API level. - [x] Migrate plugins using the existing `RuleDataService` API to the improved one. - [x] Make sure index names comply with design architecture. - #102089 - [x] Improve the API of `RuleDataClient`. - [x] Enhance index bootstrapping: support custom ILM policy per index (`{registrationContext}.{datasetSuffix}`). - [x] Enhance index bootstrapping: create index template per namespace and support rollovers properly - based on #107700 - [x] Enhance index bootstrapping: support secondary aliases - based on #107700 - [x] Remove `EventLogService` implementation - #106433 This will be addressed in follow-up PRs: - [ ] Enhance index bootstrapping: implement suggestions for backwards compatibility (naming scheme for alias and backing indices; versioning). - [ ] Enhance index bootstrapping: implement upgrades of existing index templates. - [ ] Make index bootstrapping logic more robust. This _is partially addressed_ in this PR, but more improvements are needed. - [ ] Change the way index prefix works. - [ ] Add support for optional TS schema (static typing). - [ ] Update `README` in `rule_registry`. ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

…ing implementation (elastic#108115) **Addresses:** elastic#106421, elastic#106428, elastic#102089, elastic#106433 ## Summary This PR focuses on consolidation of indexing implementations in `rule_registry` (elastic#101016). It addresses some of the sub-tasks of the parent ticket. - [x] Encapsulate index bootstrapping logic in a new improved API exposed by `RuleDataService`. - [x] Enforce allowed values for the `datasetSuffix` on the API level. - [x] Migrate plugins using the existing `RuleDataService` API to the improved one. - [x] Make sure index names comply with design architecture. - elastic#102089 - [x] Improve the API of `RuleDataClient`. - [x] Enhance index bootstrapping: support custom ILM policy per index (`{registrationContext}.{datasetSuffix}`). - [x] Enhance index bootstrapping: create index template per namespace and support rollovers properly - based on elastic#107700 - [x] Enhance index bootstrapping: support secondary aliases - based on elastic#107700 - [x] Remove `EventLogService` implementation - elastic#106433 This will be addressed in follow-up PRs: - [ ] Enhance index bootstrapping: implement suggestions for backwards compatibility (naming scheme for alias and backing indices; versioning). - [ ] Enhance index bootstrapping: implement upgrades of existing index templates. - [ ] Make index bootstrapping logic more robust. This _is partially addressed_ in this PR, but more improvements are needed. - [ ] Change the way index prefix works. - [ ] Add support for optional TS schema (static typing). - [ ] Update `README` in `rule_registry`. ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

…ing implementation (#108115) (#108638) **Addresses:** #106421, #106428, #102089, #106433 ## Summary This PR focuses on consolidation of indexing implementations in `rule_registry` (#101016). It addresses some of the sub-tasks of the parent ticket. - [x] Encapsulate index bootstrapping logic in a new improved API exposed by `RuleDataService`. - [x] Enforce allowed values for the `datasetSuffix` on the API level. - [x] Migrate plugins using the existing `RuleDataService` API to the improved one. - [x] Make sure index names comply with design architecture. - #102089 - [x] Improve the API of `RuleDataClient`. - [x] Enhance index bootstrapping: support custom ILM policy per index (`{registrationContext}.{datasetSuffix}`). - [x] Enhance index bootstrapping: create index template per namespace and support rollovers properly - based on #107700 - [x] Enhance index bootstrapping: support secondary aliases - based on #107700 - [x] Remove `EventLogService` implementation - #106433 This will be addressed in follow-up PRs: - [ ] Enhance index bootstrapping: implement suggestions for backwards compatibility (naming scheme for alias and backing indices; versioning). - [ ] Enhance index bootstrapping: implement upgrades of existing index templates. - [ ] Make index bootstrapping logic more robust. This _is partially addressed_ in this PR, but more improvements are needed. - [ ] Change the way index prefix works. - [ ] Add support for optional TS schema (static typing). - [ ] Update `README` in `rule_registry`. ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>

banderror · 2021-08-16T08:53:52Z

@weltenwort @jasonrhodes this should be resolved after merging #108115
All the ACs should be ✅

weltenwort · 2021-08-16T10:36:40Z

Looks like the might be additional places where these indices are mentioned and must be adjusted, such as

kibana/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts

Lines 32 to 39 in c2d5d1b

    
           export const mapConsumerToIndexName: Record<AlertConsumers, string | string[]> = { 
        
             apm: '.alerts-observability-apm', 
        
             logs: '.alerts-observability.logs', 
        
             infrastructure: '.alerts-observability.metrics', 
        
             observability: '.alerts-observability', 
        
             siem: ['.alerts-security.alerts', '.siem-signals'], 
        
             synthetics: '.alerts-observability-synthetics', 
        
           };

banderror · 2021-08-16T14:39:24Z

The Uptime index naming is being fixed in #108200

banderror · 2021-08-17T11:43:38Z

I hope I addressed the rest in #108872
@weltenwort could you please help with adding proper team labels and pinging the teams?

…atures to index names (#109567) **Ticket:** #102089 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR introduces changes that fix the usage of alerts-as-data index naming in RBAC. It builds on top of #109346 and replaces #108872. TODO: - [x] Address #109346 (review) - [x] Make changes to `AlertsClient.getAuthorizedAlertsIndices()` so it starts using `RuleDataService` to get index names by feature ids. - [x] Delete the hardcoded `mapConsumerToIndexName` where we had incorrect index names. - [x] Close #108872 ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

…atures to index names (elastic#109567) **Ticket:** elastic#102089 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR introduces changes that fix the usage of alerts-as-data index naming in RBAC. It builds on top of elastic#109346 and replaces elastic#108872. TODO: - [x] Address elastic#109346 (review) - [x] Make changes to `AlertsClient.getAuthorizedAlertsIndices()` so it starts using `RuleDataService` to get index names by feature ids. - [x] Delete the hardcoded `mapConsumerToIndexName` where we had incorrect index names. - [x] Close elastic#108872 ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

…atures to index names (#109567) (#110068) **Ticket:** #102089 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR introduces changes that fix the usage of alerts-as-data index naming in RBAC. It builds on top of #109346 and replaces #108872. TODO: - [x] Address #109346 (review) - [x] Make changes to `AlertsClient.getAuthorizedAlertsIndices()` so it starts using `RuleDataService` to get index names by feature ids. - [x] Delete the hardcoded `mapConsumerToIndexName` where we had incorrect index names. - [x] Close #108872 ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>

…atures to index names (#109567) (#110067) **Ticket:** #102089 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR introduces changes that fix the usage of alerts-as-data index naming in RBAC. It builds on top of #109346 and replaces #108872. TODO: - [x] Address #109346 (review) - [x] Make changes to `AlertsClient.getAuthorizedAlertsIndices()` so it starts using `RuleDataService` to get index names by feature ids. - [x] Delete the hardcoded `mapConsumerToIndexName` where we had incorrect index names. - [x] Close #108872 ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>

banderror · 2021-08-25T17:04:14Z

#109567 is merged and backported.
@weltenwort I hope we can close this, finally 🙂

weltenwort · 2021-08-31T09:16:15Z

Yes, thank you!

dgieselaar added the Theme: rac label obsolete label Jun 14, 2021

botelastic bot added the needs-team Issues missing a team label label Jun 14, 2021

jportner added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Jun 29, 2021

botelastic bot removed the needs-team Issues missing a team label label Jun 29, 2021

jportner added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) and removed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Jun 29, 2021

gmmorris added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Jun 30, 2021

jasonrhodes self-assigned this Jul 7, 2021

jasonrhodes added the refined Issue refined, ready to work on label Jul 12, 2021

weltenwort mentioned this issue Jul 13, 2021

[Logs UI] Register log threshold rule as lifecycle rule #104341

Merged

weltenwort mentioned this issue Jul 20, 2021

[Logs UI] Index reason in log threshold executor #106291

Merged

banderror mentioned this issue Jul 21, 2021

[RAC][Meta] Consolidate the two indexing implementations in rule_registry plugin #101016

Open

41 tasks

banderror mentioned this issue Aug 10, 2021

[RAC][Rule Registry] Improve RuleDataService API and index bootstrapping implementation #108115

Merged

17 tasks

banderror mentioned this issue Aug 17, 2021

[RAC] Update RBAC mapping of features to index names to comply with the index naming scheme #108872

Closed

1 task

banderror mentioned this issue Aug 21, 2021

[RAC] Fix index names used by RBAC, delete hardcoded map of Kibana features to index names #109567

Merged

5 tasks

weltenwort closed this as completed Aug 31, 2021

kobelb added the needs-team Issues missing a team label label Jan 31, 2022

botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[RAC] Make sure index names comply with design architecture #102089

[RAC] Make sure index names comply with design architecture #102089

dgieselaar commented Jun 14, 2021 •

edited by weltenwort

Loading

jasonrhodes commented Jun 16, 2021

weltenwort commented Jun 16, 2021

elasticmachine commented Jun 29, 2021

elasticmachine commented Jun 29, 2021

gmmorris commented Jun 30, 2021

weltenwort commented Jul 1, 2021

weltenwort commented Jul 20, 2021

paulb-elastic commented Aug 2, 2021

banderror commented Aug 16, 2021

weltenwort commented Aug 16, 2021

banderror commented Aug 16, 2021

banderror commented Aug 17, 2021

banderror commented Aug 25, 2021

weltenwort commented Aug 31, 2021

[RAC] Make sure index names comply with design architecture #102089

[RAC] Make sure index names comply with design architecture #102089

Comments

dgieselaar commented Jun 14, 2021 • edited by weltenwort Loading

📝 Summary

Index names

Field names

✔️ Acceptance criteria

jasonrhodes commented Jun 16, 2021

weltenwort commented Jun 16, 2021

elasticmachine commented Jun 29, 2021

elasticmachine commented Jun 29, 2021

gmmorris commented Jun 30, 2021

weltenwort commented Jul 1, 2021

weltenwort commented Jul 20, 2021

paulb-elastic commented Aug 2, 2021

banderror commented Aug 16, 2021

weltenwort commented Aug 16, 2021

banderror commented Aug 16, 2021

banderror commented Aug 17, 2021

banderror commented Aug 25, 2021

weltenwort commented Aug 31, 2021

dgieselaar commented Jun 14, 2021 •

edited by weltenwort

Loading