[alerting event log] change SO references in event log entries to single from nested #55640
Comments
Pinging @elastic/kibana-alerting-services (Team:Alerting Services)
A couple of random thoughts I had on this.
I'm not sure we need to encode the space in the string - thinking we don't right now anyway. Even with "shared saved objects", I don't think that we're considering that an alert in one space could run an action in another space. The alert or action could be shared, but they would need to be visible in whatever space the alert/action is created/run. So that boils down to OTOH, SO itself separates
Added the
A note regarding this issue that came up while working on #62015: when we query for the events that relate to a specific Saved Object, we only verify that the user has permissions for that SO, but events can currently reference more SOs, which we don't verify - if we decide to keep the ability to reference multiple SOs then we should address that hole.
I'm going to close this issue. After discussing with @pmuellr, we couldn't come up with a use case that would require a structure to only have a single saved object. In regards to linking events and such, this can be deferred to a future time as it would only require additional attributes to the mappings.
Currently the saved object reference mapping for event log entries is nested, allowing multiple saved objects to be associated with a log entry. This seems like it could get complicated though. We probably want to change this to just allow a single reference to a saved object.
Part of the thinking in using a nested property was to handle the case of tracking hierarchical references. E.g., an alert runs, schedules actions to run, and the actions are run. It would be nice to associate the event log entry with the action being run, with both the action and alert. It seems like there are probably other ways of handling this; e.g., writing two event log entries that can be used to make the association; or perhaps we could have a "parent" saved object reference and treat the existing one as the "primary" reference. In such cases, traversing the chain would be slower (multiple ES calls), but it's likely this might only be needed for ad hoc exploratory purposes anyway.
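The authorization gap raised in the comment about #62015, and the nested reference mapping described in the issue text, can be shown with a small in-memory model. This is an added example, not Kibana code; the interfaces, function names and the `canRead` callback are assumptions made for illustration, and the sample events are constructed.

```typescript
// Added illustration; field and function names are assumptions, not Kibana's API.
interface SavedObjectRef { type: string; id: string }
interface EventLogEntry { action: string; savedObjects: SavedObjectRef[] }

// Stand-in for a per-user authorization check on one saved object.
type CanRead = (ref: SavedObjectRef) => boolean;

const sameRef = (a: SavedObjectRef, b: SavedObjectRef): boolean =>
  a.type === b.type && a.id === b.id;

// Behaviour described in the comment: authorize only the queried object,
// then return every matching event with all of its references intact.
function findEventsQueriedOnly(
  events: EventLogEntry[], target: SavedObjectRef, canRead: CanRead
): EventLogEntry[] {
  if (!canRead(target)) throw new Error('forbidden');
  return events.filter((e) => e.savedObjects.some((r) => sameRef(r, target)));
}

// One way to close the gap: check every reference on each returned event
// and drop the ones the caller cannot read. Dropping the whole event
// instead is the stricter alternative.
function findEventsAllRefsChecked(
  events: EventLogEntry[], target: SavedObjectRef, canRead: CanRead
): EventLogEntry[] {
  return findEventsQueriedOnly(events, target, canRead).map((e) => ({
    ...e,
    savedObjects: e.savedObjects.filter((r) => canRead(r)),
  }));
}

// Constructed sample data: one event references both an action and an alert.
const sampleEvents: EventLogEntry[] = [
  { action: 'execute', savedObjects: [
    { type: 'action', id: 'a1' }, { type: 'alert', id: 'al1' } ] },
  { action: 'execute', savedObjects: [{ type: 'alert', id: 'al2' }] },
];

// Constructed user: may read action a1 only.
const userCanRead: CanRead = (r) => r.type === 'action' && r.id === 'a1';
```

With a single-reference mapping, the check on the queried object would already cover everything an event exposes; with nested references, each additional reference needs its own check.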