Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Saved-objects as data #94502

Open
kobelb opened this issue Mar 11, 2021 · 6 comments
Open

Saved-objects as data #94502

kobelb opened this issue Mar 11, 2021 · 6 comments
Labels
Feature:Saved Objects Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc unified-security-painpoint Highlights issues that are painpoints as a result of the lack of a unified security model

Comments

@kobelb
Copy link
Contributor

kobelb commented Mar 11, 2021

Starting in 8.0 with the formal implementation of system-indices, it will no longer be possible to use applications like Discover, Visualize, Canvas, Maps, Machine Learning, etc. to analyze saved-objects. While it's technically possible to create visualizations, etc. against any of Kibana's system indices prior to 8.0, it is not supported. Kibana's system indices, and the documents that are stored in these indices, are an implementation detail of Kibana. As such, these indices and the documents that are stored in them are subject to breaking changes in minors. Additionally, Kibana enforces its own entity model and role-based access control. Accessing Kibana's system indices using Elasticsearch APIs side-steps all of these protections.

Saved-Objects as data

However, this is a rather unfortunate situation because applications like Discover, Visualize, Lens etc. offer incredibly powerful tools for free-form analysis. This has become a recurring sticking point when discussing how to architect certain features because this free-form analysis is so compelling.

While we've found some interesting short-term solutions, like the one that we're using for Alerts as data, it doesn't fulfill all of our needs. An ideal solution would allow us to perform free-form analysis using tools like Discover, Visualize, Lens, etc. against saved-objects while respecting Kibana's entity model and role-based access control.

@mikecote
Copy link
Contributor

mikecote commented Mar 25, 2021

The @elastic/kibana-alerting-services will eventually have to provide a platform solution while respecting our RBAC model and based itself on the alerts as data story (#93728). If we were to use saved objects for this approach, below are some mentions I've seen brought up when discussing the schema (#93728).

  • Ability to have an ECS schema ([RAC] Alerts as Data Schema Definition #93728 (comment))
    • If this remains true, we would need to ensure the public contract of this saved object can work with such a structure. (ex: building visualizations on event.kind instead of attributes.event.kind)
  • Support for ILM (thread: [RAC] Alerts as Data Schema Definition #93728 (comment))
    • There is an expectation of using ILM to delete old alert documents
  • Index per rule type
  • Migrations (thread: [RAC] Alerts as Data Schema Definition #93728 (comment))
    • We'll need to create a new index for each release version that includes the latest mappings. The current assumption is additive mappings. The discussions around storing workflow fields make me re-think this.
    • I'm not sure what the saved object migrations should do with existing documents. The existing documents are left in older indices and queried via index patterns across all these indices in the current implementation. It is assumed these indices will have a large (potentially huge) number of documents.

If we do create an index per saved object type, one thought would be to swap attributes for saved_object and allow custom fields at the root while storing saved object specifics within a nested object.

Example:

Before After
type saved_object.type
namespcae saved_object.namespace
rerefences saved_object.references
attributes.ruleType ruleType
attributes.params params
mappings before
{
  "type": { "type": "keyword" },
  "namespace": { "type": "keyword" },
  "references": {
    "type": "nested",
    "properties": {
      "type": { "type": "keyword" },
      "id": { "type": "keyword" },
      "name": { "type": "keyword" }
    }
  },
  "attributes": {
    "properties": {
      "ruleType": { "type": "keyword" },
      "params": {
        "properties": {
          "foo": { "type": "keyword" }
        }
      }
    }
  }
}
mappings after
{
  "saved_object": {
    "type": { "type": "keyword" },
    "namespace": { "type": "keyword" },
    "references": {
      "type": "nested",
      "properties": {
        "type": { "type": "keyword" },
        "id": { "type": "keyword" },
        "name": { "type": "keyword" }
      }
    },
  },
  "ruleType": { "type": "keyword" },
  "params": {
    "properties": {
      "foo": { "type": "keyword" }
    }
  }
}

This allows saved object properties to be stored at the root (ex: ECS fields) while still having a place to store saved object specific fields.

@mikecote mikecote added the Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc label Mar 25, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-core (Team:Core)

@oatkiller
Copy link
Contributor

Heya @kobelb. I've got a question/suggestion that's unlikely to be practical, but your answer will help me to get some extra context on the issue. You said

As such, these indices and the documents that are stored in them are subject to breaking changes in minors. Additionally, Kibana enforces its own entity model and role-based access control.

What if we totally broke those expectations and instead did this:

  • SavedObjects must maintain backwards compatibility during minors
  • All role-based access control must be modeled in Elasticsearch

Would that help to solve the issue? What would be the costs/downsides of such an approach? Thanks for humoring me.

@pgayvallet
Copy link
Contributor

pgayvallet commented Jun 15, 2021

SavedObjects must maintain backwards compatibility during minors

After 8.0, there will no longer be minor/major distinctions, at least regarding breaking changes, meaning that if we do want to declare that the SO model/schema (and other Kibana system indices) is no longer an implement detail, we'll be forced to wait an undetermined amount of time before being able to effectively change it. Not saying this is not necessarily an option, but we need to be aware of that.

All role-based access control must be modeled in Elasticsearch

@elastic/kibana-security would be the best to answer that, but from my understanding, if this is an option we definitely want to dig, we're pretty far from it right now. Also, RBAC is not the only 'filtering' performed for SO queries, we also got spaces for instance, and we're also performing some additional validation (on aggregations for example) due to some ES api/options being too permissive.

Overall, I think the best approach currently to answer 'SO as data' would be the Kibana Persistence ToolKit we presented during GAH: #102177

@pgayvallet
Copy link
Contributor

@kobelb is this still something, or can we potentially close this?

@kobelb
Copy link
Contributor Author

kobelb commented Jul 8, 2024

@kobelb is this still something, or can we potentially close this?

I think we should leave this one open, solely because I've heard it mentioned recently regarding alerting rules in regard to RAG.

@legrego legrego added the unified-security-painpoint Highlights issues that are painpoints as a result of the lack of a unified security model label Jul 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Saved Objects Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc unified-security-painpoint Highlights issues that are painpoints as a result of the lack of a unified security model
Projects
None yet
Development

No branches or pull requests

7 participants