Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Load FLS suggestions on-demand #98681

Merged
merged 10 commits into from May 5, 2021
Merged

Load FLS suggestions on-demand #98681

merged 10 commits into from May 5, 2021

Conversation

legrego
Copy link
Member

@legrego legrego commented Apr 28, 2021
edited

Summary

Improves the loading of field-level security ("FLS") suggestions on the role management page:

Fields suggestions are no longer eagerly loaded

Previously, the role management page would load all FLS suggestions on page load. This caused a lot of unnecessary overhead, and has resulted in a number of failure conditions over the past couple of years.

With this change, FLS suggestions are loaded "just in time":

  1. When the FLS fields are brought into focus
  2. When the selected indices have changed, and FLS is enabled
  3. When FLS changes from disabled -> enabled

As with the previous implementation, the suggestions are cached on the client, so that we do not unnecessarily tax the cluster or Kibana's server.

The field mapping response has been filtered to only include the necessary fields from Elasticsearch

The response from Elasticsearch's Get Field Mappings API is quite verbose. If we are trying to retrieve field names for a large number of indices, or for indices with a large number of fields, then this can put undue strain on the cluster or Kibana server. We have seen OOM errors on the Kibana side in the past as a result of this.

It turns out that we only need a small subset of the response in order to retrieve the available fields. Luckily, ES has a common filter_path query parameter that we can use to prevent including unneeded fields in the response.

In my local testing, this dramatically reduced the number of bytes sent over the wire, which is both faster to send, and faster to parse/process in Node.js.

My test had an initial payload of ~1.2MB, while the filtered payload was merely 260KB - this is roughly a 76% payload reduction!

Resolves #47378

@legrego legrego added release_note:fix Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.13.1 v7.14.0 v8.0.0 labels Apr 29, 2021
@legrego legrego marked this pull request as ready for review April 29, 2021 13:59
@legrego legrego requested a review from a team as a code owner April 29, 2021 13:59
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego
Copy link
Member Author

legrego commented May 3, 2021

@elasticmachine merge upstream

@legrego
Copy link
Member Author

legrego commented May 3, 2021

@elasticmachine merge upstream

azasypkin
azasypkin reviewed May 4, 2021
View reviewed changes
Copy link
Member

@azasypkin azasypkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks and works perfectly except for one weird thing: for some reason, I cannot select fields with the mouse clicks anymore, only with the keyboard (for Chromium and Firefox). I tried to re-bootstrap, but it didn't help. Do you see the same, or I just messed up with my environment somehow?

x-pack/test/api_integration/apis/security/index_fields.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/public/management/roles/indices_api_client.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/public/management/roles/indices_api_client.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/public/management/roles/indices_api_client.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/server/routes/indices/get_fields.ts
@@ -25,6 +25,7 @@ export function defineGetFieldsRoutes({ router }: RouteDefinitionParams) {
fields: '*',
allow_no_indices: false,
include_defaults: true,
filter_path: '*.mappings.*.mapping.*.type',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great find! 🏅

x-pack/plugins/security/public/management/roles/edit_role/privileges/es/index_privileges.tsx Show resolved Hide resolved
...ck/plugins/security/public/management/roles/edit_role/privileges/es/index_privilege_form.tsx
// This is distinct from the field within `this.state`.
// We want to make sure that only one request for fields is in-flight at a time,
// and relying on state for this is error prone.
private isFieldListLoading: boolean = false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: just for my own education, would you mind explaining a bit when storing this flag only is state leads to errors?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

React can decide to batch/defer state updates, so calling this.setState() doesn't guarantee that your state will be updated within a specific period of time. Having this private field outside of state works around this by giving us a synchronously updating field that always reflects reality.

watson
watson reviewed May 4, 2021
View reviewed changes
Copy link
Member

@watson watson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to backport this to 7.13.1. It seems more like a feature than a bug fix to me

...ck/plugins/security/public/management/roles/edit_role/privileges/es/index_privilege_form.tsx Show resolved Hide resolved
@legrego
Copy link
Member Author

legrego commented May 4, 2021

Do we need to backport this to 7.13.1. It seems more like a feature than a bug fix to me

Not a strict requirement. We originally marked this as an enhancement, but recently decided to mark it as a bug due to the rather nasty side effects the current implementation has (OOM on the Kibana server, ES cluster instability, etc.).

Happy to wait for 7.14 if we're not comfortable with this scope of work being backported.

@watson
Copy link
Member

watson commented May 4, 2021

[...] but recently decided to mark it as a bug due to the rather nasty side effects the current implementation has (OOM on the Kibana server, ES cluster instability, etc.).

Sounds reasonable - Just wanted to hear if it was intentional

@legrego
Copy link
Member Author

legrego commented May 4, 2021

Looks and works perfectly except for one weird thing: for some reason, I cannot select fields with the mouse clicks anymore, only with the keyboard (for Chromium and Firefox). I tried to re-bootstrap, but it didn't help. Do you see the same, or I just messed up with my environment somehow?

@azasypkin great catch! It looks like the onFocus callbacks I registered on the comboboxes were to blame. I removed them, and instead reverted to loading FLS suggestions on page load instead. This is less than ideal, but I'm hoping the other mitigations we've put in place will resolve the issues we've seen in the past.

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
security 764.3KB 764.9KB +600.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@legrego legrego requested a review from azasypkin May 4, 2021 20:52
azasypkin
azasypkin approved these changes May 5, 2021
View reviewed changes
Copy link
Member

@azasypkin azasypkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@legrego legrego added auto-backport Deprecated: Automatically backport this PR after it's merged and removed v7.13.1 labels May 5, 2021
@legrego legrego requested a review from watson May 5, 2021 14:05
@legrego legrego merged commit 656206c into elastic:master May 5, 2021
@legrego legrego deleted the legrego/issue47378 branch May 5, 2021 14:22
@kibanamachine kibanamachine mentioned this pull request May 5, 2021
Merged
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request May 5, 2021
@legrego @kibanamachine
Load FLS suggestions on-demand (elastic#98681)
46dc3ed 
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request May 5, 2021
@kibanamachine @legrego
Load FLS suggestions on-demand (#98681) (#99349)
dca374c 
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
@legrego legrego mentioned this pull request Aug 16, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@watson watson watson approved these changes

@azasypkin azasypkin azasypkin approved these changes

Assignees
No one assigned
Labels
auto-backport Deprecated: Automatically backport this PR after it's merged release_note:fix Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.14.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Role Management UI should not eagerly load field suggestions for FLS
5 participants
@legrego @elasticmachine @watson @kibanamachine @azasypkin