[RAC] [RBAC] working find route for alerts as data client #107982
Conversation
…ts aggs, copied from what saved objects aggs types are allowed
…sts need to be worked through more
…d api when rule registry feature flag is enabled
…lerts aggs table, adds integration tests
…ty hits when querying alert index the user is not authorized to query, so I added an extra check to determine if the user is querying the appropriate index and if they are authorized to even execute queries against the provided index
dhurley14
added
auto-backport
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
dhurley14
added
release_note:feature
|
Alerts trends graph and count table are working perfectly with the new API! Thank you for updating the API call. 👏 |
|
Somehow I got into a state where the alerts table refreshed, but the histogram didn't... is that expected?
|
| aggs, | ||
| _source, | ||
| // eslint-disable-next-line @typescript-eslint/naming-convention | ||
| track_total_hits, |
There was a problem hiding this comment.
Nit: Probably should prefer track_total_hits: trackTotalHits here, instead of the eslint exception?
…elds, uses recursive validation with io-ts at the find route level, adds tests for when nested aggs are present and tests for when nested aggs have scripts field
…r with track total hits, make extra params optional so we are not adding undefined everywhere in the code
| export type PutIndexTemplateRequest = estypes.IndicesPutIndexTemplateRequest & { | ||
| body?: { composed_of?: string[] }; | ||
| }; |
There was a problem hiding this comment.
Can be deleted, estypes.IndicesPutIndexTemplateRequest contains composed_of:
export interface IndicesPutIndexTemplateRequest extends RequestBase {
name: Name
body?: {
index_patterns?: Indices
composed_of?: Name[]
template?: IndicesPutIndexTemplateIndexTemplateMapping
data_stream?: EmptyObject
priority?: integer
version?: VersionNumber
_meta?: Metadata
}
}There was a problem hiding this comment.
ah good catch. I copied some of these types from elsewhere in kibana so didn't look too deeply at the types but I will update this. Thanks!
| if (alerts == null) { | ||
| return response.notFound({ | ||
| body: { message: `alerts with query and index ${index} not found` }, | ||
| }); | ||
| } |
There was a problem hiding this comment.
What's the use case for 404, could it be 200 with an empty array if nothing is found? Less cases for handling on the client side imho.
There was a problem hiding this comment.
If the alerts have an empty hits array we will respond with that (200 + the Elasticsearch response), but if for some reason the response from Elasticsearch is null (either because of an error or something else) then I figured a 404 is better than throwing a 500.
There was a problem hiding this comment.
But yes in general when we execute a search and no hits are found (but we receive a 200 from Elasticsearch) we will respond with exactly that, an empty array.
| public async find<Params extends AlertTypeParams = never>({ | ||
| query, | ||
| aggs, | ||
| _source, | ||
| // eslint-disable-next-line @typescript-eslint/naming-convention | ||
| track_total_hits, | ||
| size, | ||
| index, | ||
| }: { | ||
| query?: object | undefined; | ||
| aggs?: object | undefined; | ||
| index: string | undefined; | ||
| track_total_hits?: boolean | undefined; | ||
| _source?: string[] | undefined; | ||
| size?: number | undefined; | ||
| }) { |
There was a problem hiding this comment.
How does this find() method compare to RuleDataClient.getReader().search(), when should we use which one, etc? Do we even need RuleDataClient.getReader() in the current form?
…re aggs.terms.missing field could be a string or a number
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @dhurley14 |
…7982) Addition of a find api to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page.
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
…109034) Addition of a find api to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page. Co-authored-by: Devin W. Hurley <devin.hurley@elastic.co>
Summary
Addition of a
findapi to the alerts client to authorize requests using RBAC, updates alerts histograms to use new API on alerts page, updates new alerts aggs data table on alerts page, and updates alerts histogram on overview page.To test (no need for any rule registry env vars to be turned on)
*:*Pages without data...
Overview page - no data
Alerts page - no data
Pages with data...
Overview page with data
Alerts page with data
Checklist
Delete any items that are not applicable to this PR.
For maintainers