Research approach for RAC when making rules and connectors share-capable #107161
Comments
mikecote
added
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Is it already possible to reference rules and connectors using the new SO ids (which don't include namespace)? Since alerts-as-data documents are not released yet (so these are not existing objects which would require some sort of migration), what we could do is we could use the new SO ids when writing alerts, so there’s nothing to break and migrate in the future (data-wise). We would need to be able to:
|
Unfortunately this is not possible. We plan to use However, that uses SHA1 hashing, there is no way to invert that. Edited response below for clarity If you have a regular ES document that needs to store a link to a saved object, I see two options. Option 1 (preferable)
Option 2 If for some reason Option 1 is not tenable, you could predict what the new saved object ID will be, and start recording both the old (current) Note: just to be 100% clear, it is not necessary to do this if you have one saved object linked to another saved object. If this is the case, you just need to store one saved object ID in the other saved object's root-level |
|
@banderror Is it possible to use the |
Thanks @jportner , I think some of the confusion comes from a lack of familiarity across the domains in question. We're not talking about SOs here, just ES documents, but these could end up being huge indices, potentially millions of documents in ES by the time a customer upgrades from 7.16.x to 8.x. Option 2 could work for alerts-as-data I think, right @banderror ? |
|
Sorry for missing your replies @jportner @chrisronline @gmmorris is right, we're talking about slightly different things here. RAC "alerts as data" documents are not Saved Objects, they are regular ES documents stored in separate indices. There can be potentially millions of them. They will contain fields like ( We will have exactly the same problem with RAC "evaluation" documents (same concept, same schema, different indices, not released yet). And we will have similar problem with documents stored in
So, unfortunately no, because they are not SOs.
Yes, absolutely, I agree with that. We should avoid data migration, and instead prepare our code and RAC documents for this change beforehand. I tried to propose a way to handle that (#107161 (comment)), maybe articulated not very clearly... What I meant is what Gidi formulated better than me:
Right now (ideally before 7.15 FF), we'd need an API exposed from Kibana Core that would return:
We shouldn't need to fetch those SOs to use this API. Do we have such an API or is it possible to create and expose it?
I think so, sounds good to me. I was thinking to store only new ("predicted") SO ids in It's important to check the details though within the RAC group. |
|
Brilliant, thanks @banderror
You'll need both I think as the new IDs won't kick in until 8.0 |
|
We're looking into this problem in Event Log though and I think we'll solve it by querying for both the new and the old IDs when querying the Event Log. |
OK, there have been a couple of other use cases for such a Core API, I think it's quite reasonable and I can have a PR up for it today. For the API you'll need three inputs:
I'll reply here when I have a PR up. |
|
I like the idea of storing both, with the legacy one clearly indicated as legacy in its field name(s) It would be fantastic if whatever we are using to get the current ID to store could also just return both IDs so we can index both of them, and not worry too much about making a separate call for this. But having an API to give us the new ID based on these criteria is a huge step in the right direction, so thank you for moving on that. |
|
The original issue regarding sharing saved objects describes an "alias" document that maps an old ID to a new ID. Is that still going to be built as part of the SO ID migration? It seems like a very important feature to be able to convert back and forth between old and new SO IDs. If so, we could use that in 8.0+ to find the old ID given a new ID and build queries that search for both. We'd probably also want to store an additional version number on the alert next SO ID is legacy or 8.0+. |
Yes, there is a "legacy-url-alias" saved object type ("alias" for short). Each time an object is converted, if its ID changes, a new alias will be created that contains the old ID with a pointer to the new ID.
We really, really don't want consumers relying on the old object IDs anymore. And we really don't want to support aliases long-term. There is a significant amount of technical debt that we have introduced to convert these saved object types and add/support aliases, and we want to eventually be able to pay it down. Legacy URL aliases are only intended to be used internally by the |
PR: #107767 |
|
thanks for the quick turn around @jportner :elasticheart: |
Related to #100067
In 8.0, we plan to run a migration that removes the namespace from the saved-object serialized ID. To do so, new rule and connector IDs will be generated. With this issue, we should research the impacts this will have on the RAC "alerts as data" when documents reference old rule or connector IDs, draft a proposal and work / discuss with the @elastic/kibana-security if we need anything further from them to support this.
This work is related to #100666 so we should be able to share/discuss options and workflows together.
The text was updated successfully, but these errors were encountered: