[Alerting] Rules are storing actions using predefined connectors in references array #109247

Closed
ymao1 opened this issue Aug 19, 2021 · 3 comments · Fixed by #109437
Labels
estimate:medium Medium Estimated Level of Effort Feature:Actions Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

ymao1 commented Aug 19, 2021

Currently, when rules are created/updated, the connector IDs for their associated actions are extracted and stored in the SO references array. This is being done regardless of whether the connector is predefined or not. With the upcoming changes to make rules and connectors share-capable, all the IDs in the references array for SOs in a non-default space will be re-generated. This means the IDs for pre-defined connectors will be updated, even though they should not be, and the link between rule action and predefined connector will be lost.

Example Rule prior to migration:

{
    "_index" : ".kibana_7.14.1_001",
    "_id" : "yo:alert:139523f0-0069-11ec-aa21-059e5fd523e6",
    "_score" : 0.0,
    "_source" : {
        "alert" : {
            ...other rule stuff
            "actions" : [
              {
                "actionTypeId" : ".server-log",
                "params" : {
                  "level" : "info",
                  "message" : "PRECONFIGURED"
                },
                "actionRef" : "action_0",
                "group" : "small"
              },
              {
                "actionTypeId" : ".server-log",
                "params" : {
                  "level" : "info",
                  "message" : "NOT PRECONFIGURED"
                },
                "actionRef" : "action_1",
                "group" : "small"
              }
            ],
        },
        "type" : "alert",
        "references" : [
            {
              "id" : "preconfigured-server-log",
              "name" : "action_0",
              "type" : "action"
            },
            {
              "id" : "0c8a5080-0069-11ec-aa21-059e5fd523e6",
              "name" : "action_1",
              "type" : "action"
            }
        ],
      }
  }

and after migration to share-capable:

{
    "_index" : ".kibana_8.0.0_001",
    "_id" : "alert:6b75b1f9-90a0-58ed-884b-72ba8134a8a2",
    "_score" : 0.0,
    "_source" : {
        "alert" : {
            ...other rule stuff
            "actions" : [
              {
                "actionTypeId" : ".server-log",
                "params" : {
                  "level" : "info",
                  "message" : "PRECONFIGURED"
                },
                "actionRef" : "action_0",
                "group" : "small"
              },
              {
                "actionTypeId" : ".server-log",
                "params" : {
                  "level" : "info",
                  "message" : "NOT PRECONFIGURED"
                },
                "actionRef" : "action_1",
                "group" : "small"
              }
            ],
        },
        "type" : "alert",
        "references" : [
            {
              "id" : "a3334f61-dd79-5ecd-9788-76a9a69dfd99",
              "name" : "action_0",
              "type" : "action"
            },
            {
              "id" : "4521fe6b-1929-56c6-9ce7-a1a8d13bfb27",
              "name" : "action_1",
              "type" : "action"
            }
        ],
      }
  }

Note that the ID for reference entry action_0 has changed from preconfigured-server-log to a3334f61-dd79-5ecd-9788-76a9a69dfd99. When this rule tries to execute actions post-migration, it will fail with a saved object not found error when trying to retrieve the connector for a3334f61-dd79-5ecd-9788-76a9a69dfd99.

@ymao1 ymao1 added Feature:Alerting Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Aug 19, 2021
@elasticmachine

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

ymao1 commented Aug 19, 2021

We will need to update the create/update behavior in the rules client to not store pre-defined connector IDs in the references array and also write a migration to fix previous rules.

@ymao1 ymao1 added the estimate:medium Medium Estimated Level of Effort label Aug 19, 2021
@ymao1 ymao1 self-assigned this Aug 19, 2021
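
The migration half of the fix described in the comment above, with the matching read path, as an added example that is not part of the issue or Kibana's own code. The `preconfigured:` marker, the type names and the function names are assumptions of this example, and the sample rule is constructed from the document shown in the issue.

```typescript
// Added example: types and helper names are illustrative, not Kibana's own.
interface Reference { id: string; name: string; type: string }
interface RuleAction { actionRef: string; actionTypeId: string; group: string }
interface RuleDoc { actions: RuleAction[]; references: Reference[] }
type IsPreconfigured = (connectorId: string) => boolean;

// Assumed marker for connector IDs kept inline instead of in `references`.
const PRECONFIGURED_PREFIX = 'preconfigured:';

// Migration for rules written before the fix. It has to run while the
// references still hold the original, recognisable connector IDs.
function migrateRule(doc: RuleDoc, isPreconfigured: IsPreconfigured): RuleDoc {
  const inlined = new Map<string, string>(); // reference name -> connector ID
  const references = doc.references.filter((ref) => {
    if (ref.type !== 'action' || !isPreconfigured(ref.id)) return true;
    inlined.set(ref.name, ref.id);
    return false;
  });
  const actions = doc.actions.map((action) => {
    const id = inlined.get(action.actionRef);
    return id === undefined ? action : { ...action, actionRef: PRECONFIGURED_PREFIX + id };
  });
  return { actions, references };
}

// Read path at execution time: inline IDs never touch the references array.
function resolveConnectorId(action: RuleAction, references: Reference[]): string {
  if (action.actionRef.startsWith(PRECONFIGURED_PREFIX)) {
    return action.actionRef.slice(PRECONFIGURED_PREFIX.length);
  }
  const ref = references.find((r) => r.type === 'action' && r.name === action.actionRef);
  if (!ref) throw new Error(`Action reference "${action.actionRef}" not found`);
  return ref.id;
}

// Constructed sample, shaped like the pre-migration rule in this issue.
const sampleRule: RuleDoc = {
  actions: [
    { actionRef: 'action_0', actionTypeId: '.server-log', group: 'small' },
    { actionRef: 'action_1', actionTypeId: '.server-log', group: 'small' },
  ],
  references: [
    { id: 'preconfigured-server-log', name: 'action_0', type: 'action' },
    { id: '0c8a5080-0069-11ec-aa21-059e5fd523e6', name: 'action_1', type: 'action' },
  ],
};
```

After `migrateRule`, regenerating every ID in `references` only affects `action_1`; the preconfigured connector resolves from the action itself. A create/update path would write the same marker rather than a reference entry.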

ymao1 commented Aug 20, 2021

One side effect of removing preconfigured connectors from being stored in the references array is that when connectors are retrieved using GET /api/actions/connectors, there is an aggregation that is performed to determine how many rules are using each connector. This aggregation is performed against the references array:

async function injectExtraFindData(
  defaultKibanaIndex: string,
  scopedClusterClient: IScopedClusterClient,
  actionResults: ActionResult[]
): Promise<FindActionResult[]> {
  const aggs: Record<string, estypes.AggregationsAggregationContainer> = {};
  for (const actionResult of actionResults) {
    aggs[actionResult.id] = {
      filter: {
        bool: {
          must: {
            nested: {
              path: 'references',
              query: {
                bool: {
                  filter: {
                    bool: {
                      must: [
                        {
                          term: {
                            'references.id': actionResult.id,
                          },
                        },
                        {
                          term: {
                            'references.type': 'action',
                          },
                        },
                      ],
                    },
                  },
                },
              },
            },
          },
        },
      },
    };
  }
  const { body: aggregationResult } = await scopedClusterClient.asInternalUser.search({
    index: defaultKibanaIndex,
    body: {
      aggs,
      size: 0,
      query: {
        match_all: {},
      },
    },
  });
  return actionResults.map((actionResult) => ({
    ...actionResult,
    // @ts-expect-error aggregation type is not specified
    referencedByCount: aggregationResult.aggregations[actionResult.id].doc_count,
  }));
}

If we're not storing preconfigured connector IDs in the references array, their referencedByCount value will always be 0. What I can't find is anywhere this value is used.

@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022