[RAC] [RBAC] Adds bulk update route to rule registry and bulk update function to alerts client

[dhurley14]

Summary

Adds a bulk update route (POST /internal/rac/alerts/bulk_update) to the rule registry and bulkUpdate function to the alerts as data client.

To be used here: #107141

To test...

1. Download apm server https://www.elastic.co/downloads/apm
2. Create a sample application to send data to APM

// index.js
const apm = require('elastic-apm-node').start({
serviceName: 'demoapp',
  serverUrl: 'http://localhost:8200',
  // Set the service environment
  environment: 'production'
});

const express = require('express');
const app = express();
app.get('/', (req, res) => {
  throw Error('HELLO WORLD!!');
});

app.listen(3000, () => console.log('server running on 3000'));

3. start elasticsearch, start kibana, start apm server (./apm-server -e) then start simple express server above
4. create an apm error count rule (should generate alerts in .alerts-observability-apm
5. execute x-pack/plugins/rule_registry/server/scripts/bulk_update_observability_alert_by_query.sh
6. Should resolve with a 200

Checklist

Delete any items that are not applicable to this PR.

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/apm-ui (Team:apm)

[dhurley14]

@elasticmachine merge upstream

[cauemarcondes]

LGTM

[dhurley14]

@elasticmachine merge upstream

[ymao1]

Alerting changes LGTM with a small suggestion.

[ymao1]

If you are changing the name to getAuthorizationFilter (which makes sense to me), I would make the parameter operation non-optional and not default to ReadOperations.Find. Maybe maintain backwards compatibility by creating a getFindAuthorizationFilter fn that calls this fn and passes in ReadOperations.Find?

[dhurley14]

Awesome will do! Thanks for the review @ymao1

[yctercero]

I know there's been a lot of discussion around what statuses can be. Haven't followed, but might want to double check that these are indeed the terms we're going with and maybe create the type for it to be shared?

[dhurley14]

The alerts as data spreadsheet defines it as Must be one of {open, acknowledged, closed}. so I'll create an exported common type (maybe in the rule registry package where the technical terms are defined) and update that to include acknowledged

good catch!

[yctercero]

LGTM! Left some nits, but looks great. Thanks for all the work here!

[yctercero]

Is this supposed to be:

Suggested change

	this.logger.error(`error in fetchAlertAuthzAlertOperateAlert ${exc}`);
	this.logger.error(`error in fetchAlertAuditOperate ${exc}`);

[yctercero]

Do we want to pull this out? Think we're using it in a couple places.

[yctercero]

Should we add a to do to remind us that we have to follow up to remove us off of _source?

[yctercero]

Should we update these to match so we no longer use OWNER and instead CONSUMER?

[dhurley14]

renaming this field should happen in another PR, but yes we do want to change OWNER to CONSUMER.

[michaelolo24]

fyi: #107857

[jportner]

For audit logging, we have two basic types of operations, write (update, delete, create) and read (get, find).

For the saved objects client, today we have these four paths:

Read operations success path:

1. Check authorization
2. Fetch object
3. Add audit event success
4. Return result

Read operations failure path:

1. Check authorization
2. Add audit event failure
3. Return 403 error

Write operation success path:

1. Check authorization
2. Add audit event w/ outcome "unknown"
3. Create/update/delete object
4. Return result

Write operation failure path:

1. Check authorization
2. Add audit event w/ outcome "unknown"
3. Create/update/delete object
4. Return result

For consistency, I'd like for the alerts client to hew to these paths as much as possible.

---

It appears this PR is drafty/unfinished, which is fine, but it's very hard to review without unit tests in place. I went ahead and made a best effort at a first pass, but I'd like to ask that you add unit tests for the different positive/negative audit event scenarios. I would be happy to re-review at that point.

[jportner]

Optional nit: Jest provides specific functions to deal with these situations, e.g.,

expect(auditLogger.log).toHaveBeenCalledTimes(2);
expect(auditLogger.log).toHaveBeenNthCalledWith(
  1,
  {...}
);
expect(auditLogger.log).toHaveBeenNthCalledWith(
  2,
  {...}
);

[dhurley14]

Thanks! Fixed here: ba1857e

[jportner]

get should never have outcome: 'unknown'; we know the outcome (we fetched the object and returned it to the user, this is a 'success' outcome).

[dhurley14]

Ah! Yes thank you. Good catch.

Fixed here: 36838ab

[jportner]

You have a test case for a get() that results in a successful audit event; what about an audit error when the user is unauthorized?

[dhurley14]

Yes I think I actually removed the test case because with the get we were relying on a search executed with the authorization filter from the alerting framework to only give us back the data we were authorized to view, so there would be no authorization failure because we never attempted to access it in the first place.

I changed this so we are not solely rely on the authorization filter. We also call into ensureAuthorized on each search result (+ utilizing the authorization filter) so adding in an audit failure test makes sense again.

Fixed here: 36838ab

[jportner]

Sorry I think I fat-fingered this and didn't submit my entire review at once!
I think a couple minor things need to be changed and hopefully a few more test cases added but otherwise this is looking great. Thanks for all of the changes so far!

[jportner]

You have a test case for an update() that results in a successful audit event; what about an audit error when the user is unauthorized?

[dhurley14]

Yup very true. Added an audit failure test here: 36838ab

[jportner]

As mentioned in my other comment on the unit test: the outcome should only be 'unknown' if the action is an update.
If outcome is omitted and error is not present, the audit event is written as a a successful event (outcome: 'success')

Suggested change

	outcome: 'unknown',
	...(operation === WriteOperations.Update ? { outcome: 'unknown' } : {}),

[dhurley14]

Fixed here: 36838ab

[jportner]

You don't need to pass operation in if this is not a write operation:

Suggested change

	...(operation === WriteOperations.Update ? { outcome: 'unknown' } : { operation }),
	...(operation === WriteOperations.Update ? { outcome: 'unknown' } : {}),

[dhurley14]

Cleaned this up here: 36838ab

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 04044f5
• Storybooks Preview
• Documentation Changes

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
observability	511.2KB	511.8KB	+617.0B
securitySolution	6.5MB	6.5MB	+617.0B
timelines	273.1KB	273.7KB	+617.0B
total			+1.8KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
infra	149.5KB	150.1KB	+617.0B
uptime	35.1KB	35.7KB	+617.0B
total			+1.2KB

Unknown metric groups

API count

id	before	after	diff
alerting	243	247	+4

API count missing comments

id	before	after	diff
alerting	235	239	+4

References to deprecated APIs

id	before	after	diff
alerting	23	26	+3

History

• 💔 Build #143661 failed 8dd966f
• 💚 Build #143363 succeeded 77f9413
• 💔 Build #143336 failed f5cc9a0
• 💚 Build #143245 succeeded a5a267d
• 💔 Build #143239 failed 4dc9a29

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dhurley14

[jportner]

Great stuff, thanks again for being so responsive to feedback!

[kibanamachine]

💚 Backport successful

Status	Branch	Result
✅	7.x

This backport PR will be merged automatically after passing CI.