[index patterns] Add pattern validation method to index patterns fetcher #90170
Conversation
stephmilovic
added
Feature:Data Views
| ) | ||
| ); | ||
| return result.reduce( | ||
| (acc: string[], { body: indexLookup }, patternListIndex) => |
There was a problem hiding this comment.
are we sure this is exactly what elasticsearch would do if we would request fieldcaps for a comma seperated list of patterns ?
| const fieldCapsResponse = await getFieldCapabilities( | ||
| this.elasticsearchClient, | ||
| pattern, | ||
| patternListActive.length > 0 ? patternListActive : patternList, |
There was a problem hiding this comment.
if none of the patterns are active, pass the original list to get an error:
There was a problem hiding this comment.
Would be good to add this as a comment to the code. It definitely makes sense but its not obvious why this is being done.
| async validatePatternListActive(patternList: string[]) { | ||
| const result = await Promise.all( | ||
| patternList.map((pattern) => | ||
| this.elasticsearchClient.count({ |
There was a problem hiding this comment.
I changed from the _resolve/indexapi to the count api as read only users got 403'd on the resolve. count works well: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-count.html
There was a problem hiding this comment.
Its annoying that the resolve endpoint works this way but this is a good choice.
There was a problem hiding this comment.
yes it is annoying. i would not have caught it if it weren't for that ML test!
There was a problem hiding this comment.
I also tried ElasticsearchClient.indices.exists and it appears read-only users get 403'd on those indices methods as well. I'm not sure if this has been taken into account for testing anywhere that uses the getFieldsForTimePattern which eventually calls ElasticsearchClient.indices.getAlias: https://github.com/elastic/kibana/blob/master/src/plugins/data/server/index_patterns/fetcher/lib/es_api.ts#L42
There was a problem hiding this comment.
That code needs to be removed, time pattern index patterns were dropped in 7.x.
src/plugins/data/server/index_patterns/fetcher/index_patterns_fetcher.ts
Outdated
Show resolved
Hide resolved
| const fieldCapsResponse = await getFieldCapabilities( | ||
| this.elasticsearchClient, | ||
| pattern, | ||
| patternListActive.length > 0 ? patternListActive : patternList, |
There was a problem hiding this comment.
Would be good to add this as a comment to the code. It definitely makes sense but its not obvious why this is being done.
| async validatePatternListActive(patternList: string[]) { | ||
| const result = await Promise.all( | ||
| patternList.map((pattern) => | ||
| this.elasticsearchClient.count({ |
There was a problem hiding this comment.
Its annoying that the resolve endpoint works this way but this is a good choice.
| }) | ||
| ) | ||
| .map((p) => | ||
| p.catch((e) => { |
There was a problem hiding this comment.
the count api will return count: 0 for a pattern like nothingbeat-* but will throw the index_not_found_exception on non-wildcard, like nothingbeat-exact
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
Summary
The
IndexPatternsFetcher.getFieldsForWildcardmethod cannot handle an index pattern that contains patterns that do not match indices. The Security Solutions team needs to define a pattern list that will work whether or not the user has the matching indices for each pattern on the list.For example, given the pattern
auditbeat-*,fakebeat-*:Adding a validation check in
IndexPatternsFetcher.getFieldsForWildcardfor each pattern and only querying patterns that match indices fixes the issue:Checklist
For maintainers