-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RAC] Rule registry index bootstrapping: implement suggestions for backwards compatibility #109293
Closed
2 tasks done
Tracked by
#101016
Labels
bug
Fixes for quality problems that affect the customer experience
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Theme: rac
label obsolete
v7.15.0
v7.16.0
v8.0.0
Comments
41 tasks
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
7 tasks
banderror
added a commit
that referenced
this issue
Aug 25, 2021
**Ticket:** #109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Aug 25, 2021
…c#109276) **Ticket:** elastic#109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Aug 25, 2021
…c#109276) **Ticket:** elastic#109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine
added a commit
that referenced
this issue
Aug 25, 2021
… (#110125) **Ticket:** #109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
kibanamachine
added a commit
that referenced
this issue
Aug 25, 2021
… (#110126) **Ticket:** #109293 🚨 **This PR is critical for Observability 7.15** 🚨 ## Summary This PR fixes the indexing implementation in `rule_registry`. It implements the suggestions for backwards compatibility described in the ticket: - changes the naming scheme and introduces the concept of "backing indices", so that names of the concrete ("backing") indices != names of their aliases - adds versioning based on the current Kibana version TODO: - [x] Change index naming (implement the concept of backing indices) - [x] Include Kibana version into the index template metadata - [x] Include Kibana version into the document fields - [x] Remove `version` from `IndexOptions` (parameters provided by solutions/plugins when initializing alerts-as-data indices) - [x] Fix CI ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Closed this one. Brandon's concerns regarding the index upgrade/rollover logic (#109276 (comment)) will be addressed as part of the parent ticket (#101016) which will be updated accordingly. |
This was referenced Aug 31, 2021
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
bug
Fixes for quality problems that affect the customer experience
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Theme: rac
label obsolete
v7.15.0
v7.16.0
v8.0.0
Parent ticket: #101016
Summary
We need to fix the indexing implementation in
rule_registry
plugin in such a way so it can provide backwards compatibility for alerts-as-data indices in the future. Alerts-as-data schema can evolve, and we might need to introduce breaking changes into it. These breaking changes should be handled in one way or another, for example by:Background of the problem
The current Alerts as Data implementation uses the same (well, similar) method that Fleet does for upgrading packages for "migrating" the alerts data indices. However, the approach that Fleet packages use for upgrading indices isn't appropriate to use for Alerts as Data because we want to maintain backward compatibility for all alerts data and the Fleet package upgrade approach doesn't provide backward compatibility and it's only focused on allowing data to be ingested in the new format. Additionally, the index-naming scheme without an index alias doesn't leave us with the option of using a reindex operation in the future.
Issues:
.alerts-{registrationContext}.{datasetSuffix}-{namespace}-{leftPaddedIncrementingNumber}
. This will likely result in users creating Dashboards, Visualization, etc. against index patterns like the following:.alerts-security.alerts-*
,.alerts-*
. If we discover that we need to reindex the data and perform a migration, it will require us to create a new index and copy all of the data from the original indices into the new indices while performing a transformation. If we were to add a version to the index-naming pattern to designate that we have a new version, there's a high risk that the index-patterns that users have been using will match both the old and the new indices. For example, if we were to add the version right after.alerts-
in the index-name, this would result in us having a.alerts-security.alerts-default-000001
index and a.alerts-v2-security.alerts.default-000001
index, and the.alerts-*
index-pattern would match both.Solution for 7.15
We need to separate naming schemes for index aliases and concrete indices. This will allow us to implement reindexing in the future.
Aliases will be used for reading and writing data:
Concrete indices will have a different naming scheme:
How this enables reindexing: after reindexing a new (target) index will be created; we will be able to add the alias to it, and remove the alias from the old (source) index.
Also, we need to use versioning for index templates and documents being written into those indices. This will help us apply field aliases, runtime fields etc to the old indices when we need it.
Our decisions previously discussed:
.internal.alerts-security.alerts-default-000001-r8.0.0
.internal.alerts
000002
r8.0.0
, not included by default, only included into a target index name after reindexing_meta.kibana.version
=7.16.0
_meta
andmappings._meta
kibana.version
=7.16.0
Sub-tasks
.internal.alerts
prefix.Brandon's concerns regarding the index upgrade/rollover logic (#109276 (comment)) will be addressed as part of the parent ticket (#101016).
The text was updated successfully, but these errors were encountered: