-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Saved-objects as data #94502
Comments
The @elastic/kibana-alerting-services will eventually have to provide a platform solution while respecting our RBAC model and based itself on the alerts as data story (#93728). If we were to use saved objects for this approach, below are some mentions I've seen brought up when discussing the schema (#93728).
If we do create an index per saved object type, one thought would be to swap Example:
mappings before
mappings after
This allows saved object properties to be stored at the root (ex: ECS fields) while still having a place to store saved object specific fields. |
Pinging @elastic/kibana-core (Team:Core) |
Heya @kobelb. I've got a question/suggestion that's unlikely to be practical, but your answer will help me to get some extra context on the issue. You said
What if we totally broke those expectations and instead did this:
Would that help to solve the issue? What would be the costs/downsides of such an approach? Thanks for humoring me. |
After
@elastic/kibana-security would be the best to answer that, but from my understanding, if this is an option we definitely want to dig, we're pretty far from it right now. Also, RBAC is not the only 'filtering' performed for SO queries, we also got Overall, I think the best approach currently to answer 'SO as data' would be the Kibana Persistence ToolKit we presented during GAH: #102177 |
@kobelb is this still something, or can we potentially close this? |
I think we should leave this one open, solely because I've heard it mentioned recently regarding alerting rules in regard to RAG. |
Starting in 8.0 with the formal implementation of system-indices, it will no longer be possible to use applications like Discover, Visualize, Canvas, Maps, Machine Learning, etc. to analyze saved-objects. While it's technically possible to create visualizations, etc. against any of Kibana's system indices prior to 8.0, it is not supported. Kibana's system indices, and the documents that are stored in these indices, are an implementation detail of Kibana. As such, these indices and the documents that are stored in them are subject to breaking changes in minors. Additionally, Kibana enforces its own entity model and role-based access control. Accessing Kibana's system indices using Elasticsearch APIs side-steps all of these protections.
However, this is a rather unfortunate situation because applications like Discover, Visualize, Lens etc. offer incredibly powerful tools for free-form analysis. This has become a recurring sticking point when discussing how to architect certain features because this free-form analysis is so compelling.
While we've found some interesting short-term solutions, like the one that we're using for Alerts as data, it doesn't fulfill all of our needs. An ideal solution would allow us to perform free-form analysis using tools like Discover, Visualize, Lens, etc. against saved-objects while respecting Kibana's entity model and role-based access control.
The text was updated successfully, but these errors were encountered: