-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RAC][Rule Registry] Implement versioning and backing indices #109276
[RAC][Rule Registry] Implement versioning and backing indices #109276
Conversation
cdd14cf
to
e7a8b2b
Compare
e2fad72
to
e8427ec
Compare
a11a013
to
5cf15e9
Compare
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Uptime changes LGTM and the existing CI concerns don't seem to overlap.
5b29455
to
aefd13e
Compare
@kobelb thank you for the approval and your feedback 👍 I'm not 100% sure that we need to completely remove the upgrade/rollover logic from 7.15, but I share your general concerns about it, and in particular with regards to its "compatibility" with the backwards compatibility ideas ("further investigation is required to determine how this approach will work with the backward compatibility layer that we've proposed adding"). I agree that we should have to think and work on that more, we just synced within the team and we'll schedule a meeting for that. |
Thanks, @banderror, please feel free to pull me into these meetings.
Do we have any mitigations put in place to prevent us from accidentally introducing incompatible mappings and preventing the rollover? |
💚 Build SucceededMetrics [docs]Public APIs missing comments
Async chunks
History
To update your PR or re-run it, just comment with: cc @banderror |
@kobelb that's a difficult question, let me try to answer. Right now we don't have any; if we change our component templates in the code (either one of the common ones like "technical mappings", or one of the solution-specific ones) in an incompatible manner, the logic will do the rollover.
Imho the problem is when we don't do the rollover when we should. Do you see a case when the problem is in doing the rollover when we shouldn't? |
I will go ahead and merge this PR. Thanks everyone, that was a great feedback 👍 We will definitely need to address Brandon's concerns in 7.15, I'm just not sure how exactly right now.
|
…c#109276) **Ticket:** elastic#109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
…c#109276) **Ticket:** elastic#109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
… (#110125) **Ticket:** #109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
… (#110126) **Ticket:** #109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
For visibility, here's a summary of the topics and decisions from the meeting with @kobelb about removing index upgrade logic. The bullets are ordered from "most immediate tasks" to "longer term goals":
Other open questions:
Thanks to @marshallmain for putting this summary together. |
Thanks for the summary. I wonder if the plan to not update mappings in place is at all compatible with mutating the alert documents. How can we reliably update the documents in old indices if they don't have the most recent mappings. Maybe we should consider a "hybrid" approach in which an "update" means we write a document to the current write index (which we can assume to have the most recent mapping) and we delete the document from the index it was previously in? That would be almost like a reindex-on-write approach. The main risk I see is that we don't have a transaction to make this operation atomic, so we might have intermittently missing or duplicate alert docs. 🤔 What do you think? |
@weltenwort I think so, because it's a temporary measure that will be in place between 7.15.0 and most likely 7.15.x. Please check these for more info and let me know if you still think that there can be issues with this feature flag: |
Interesting. Sounds like a reasonable thing to do in Observability because old alerts can be recovered, and it doesn't make a lot of sense to keep them in old indices. And you're saying you need to update the |
@weltenwort We would have the ability to update mappings in place by applying runtime fields and aliases, but I think generally we wouldn't be applying this update to the write index alone. Instead these updated mappings would be applied as kind of a pseudo-migration, where we want to make all existing indices forwards-compatible with e.g. field renames or reformatting field values. Even if we update the write index mapping in place, we'd still have the issue with older non-write indices not having the most recent mappings. So it may make sense to just update all the existing index mappings in place with backwards compatibility updates and separate that logic from the logic of "making a write index with the correct new mappings". Even if we do update-on-write, any application logic will still have to handle the possibility of a document having outdated mappings indefinitely so I don't think updating on write would solve our issue. I think in the case where we add a new field mapping, application logic will just have to define what to do in the case where the field is missing - or if the field is absolutely critical for all alerts (even old ones) to have, then we'd have to add it with a runtime field or a proper migration on startup. |
Also, updating a document will always cause it to be reindexed in its current index so we could allow new regular field mappings to be added to old indices in addition to runtime fields and aliases and that would be a simple way of implementing update-on-write. |
Yes, that was my comment during the PR review as well. I agree with your analysis. But the discovery of #110519 got me thinking about other ways to reduce the risk of future update conflicts. Moving the updated documents to the most recent write index would mean we need to make the old indices backwards-compatible only for reading but not for writing. Not sure how much of an advantage it would be, but I wanted to put the idea out there. |
Ticket: #109293
🚨 This PR is critical for Observability 7.15 🚨
Summary
This PR fixes the indexing implementation in
rule_registry
. It implements the suggestions for backwards compatibility described in the ticket:TODO:
version
fromIndexOptions
(parameters provided by solutions/plugins when initializing alerts-as-data indices)Checklist