Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RAC][Rule Registry] Fix bug where namespaces with dashes could cause conflicts #107991

Merged
merged 4 commits into from
Aug 17, 2021

Conversation

marshallmain
Copy link
Contributor

@marshallmain marshallmain commented Aug 10, 2021

Summary

Related to #107704

If one namespace is a prefix of another namespace followed by a dash, then the -* at the end of an index pattern would cause the pattern to match both namespace's indices. For example, spaces named managers and managers-usa would conflict because in the index creation logic if managers-usa creates an index first then this would cause createWriteTargetIfNeeded to find indices that match .alerts-...-managers-* and not create any index for the managers namespace. This PR fixes that issue by fetching indices for a specific alias and also filtering by the index pattern, only creating a new write index if no existing indices are found.

Checklist

Delete any items that are not applicable to this PR.

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk Probability Severity Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space. Low High Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. High Low Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled. Medium High Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

@marshallmain marshallmain added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.15.0 labels Aug 10, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

Copy link
Member

@weltenwort weltenwort left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The nesting depth of the trys and ifs is reaching a concerning level, but it looks correct to me. This is one of the instances when using a flat promise chain might pay off.

Copy link
Contributor

@dhurley14 dhurley14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great to see some unit / integration tests codifying the proposed fix here.

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Copy link
Contributor

@banderror banderror left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great 👍

We could probably refactor createWriteTargetIfNeeded a bit, but this can be done later (I'll make sure to do some cleanup work after all the important issues are addressed).

The comments are incredibly helpful 🙏

I agree with @dhurley14 that we need to start covering indexing logic with tests, I'd try to start working on tests in 7.15 as a separate task if we have enough time and free hands.

What I did: review the changes.
What I didn't do: checkout and test locally.

Comment on lines +244 to +254
try {
// When a new namespace is created we expect getAlias to return a 404 error,
// we'll catch it below and continue on. A non-404 error is a real problem so we throw.

// It's critical that we specify *both* the index pattern and alias in this request. The alias prevents the
// request from finding other namespaces that could match the -* part of the index pattern
// (see https://github.com/elastic/kibana/issues/107704). The index pattern prevents the request from
// finding legacy .siem-signals indices that we add the alias to for backwards compatibility reasons. Together,
// the index pattern and alias should ensure that we retrieve only the "new" backing indices for this
// particular alias.
const { body: aliases } = await clusterClient.indices.getAlias({
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are awesome comments in the code 👍 👍

@banderror banderror added the Theme: rac label obsolete label Aug 17, 2021
@marshallmain marshallmain merged commit edfb981 into elastic:master Aug 17, 2021
marshallmain added a commit to marshallmain/kibana that referenced this pull request Aug 17, 2021
… conflicts (elastic#107991)

* Fix bug where namespaces with dashes could cause conflicts

* Missing word in comment

* Apply logic changes to consolidated RuleData implementation
marshallmain added a commit that referenced this pull request Aug 18, 2021
… conflicts (#107991) (#109005)

* Fix bug where namespaces with dashes could cause conflicts

* Missing word in comment

* Apply logic changes to consolidated RuleData implementation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete v7.15.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants