-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Discover] Extend Elasticsearch query rule with search source based data fetching #124534
Conversation
x-pack/plugins/stack_alerts/public/alert_types/es_query/constans.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/stack_alerts/public/alert_types/es_query/index_threshold_expression.tsx
Outdated
Show resolved
Hide resolved
…elastic-query-rule # Conflicts: # x-pack/plugins/stack_alerts/server/alert_types/es_query/alert_type.ts
x-pack/plugins/stack_alerts/public/alert_types/es_query/search_source_threshold_expression.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/stack_alerts/public/alert_types/es_query/search_source_threshold_expression.tsx
Outdated
Show resolved
Hide resolved
This comment was marked as resolved.
This comment was marked as resolved.
@elasticmachine merge upstream |
FIxed. |
…elastic-query-rule # Conflicts: # src/plugins/discover/public/plugin.tsx
@elasticmachine merge upstream |
@elasticmachine merge upstream |
💛 Build succeeded, but was flakyTest Failures
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
References to deprecated APIs
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
I agree it behaves correctly, but it still leads to a confusing user experience. Once this is added to RFC for future consideration, I'm ok with this to ship. |
Friendly reminder: Looks like this PR hasn’t been backported yet. |
…sumers (#192321) ## Summary Alerts use its own RBAC model. The RBAC relies on a property called `consumer`. The consumer is tight coupled with the feature ID. It denotes the user's access to the rule and the alerts. For example, a user with access to the "Logs" feature has access only to alerts and rules with the `consumer` set as `logs`. Users can create an ES Query rule from Discover. When the feature was [implemented](#124534) (v8.3.0) the consumer was set to `discover`. Then it [changed](#166032) (v8.11.0) to `stackAlerts` (visible only on the stack management page) and then [to](#171364) (v8.12.0) `alerts` so it can be visible in Observability. Users who created rules that generated alerts with the `discover` consumer cannot see the alerts generated by the rule when they upgrade Kibana to 8.11+ even as superusers. This PR fixes the issues around the `discover` consumer. I added the following alert document to the `data.json.gz` to test for alerts with `discover` consumer. ``` { "type": "doc", "value": { "id": "1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97", "index": ".internal.alerts-stack.alerts-default-000001", "source": { "@timestamp": "2021-10-19T14:00:38.749Z", "event.action": "active", "event.kind": "signal", "kibana.alert.duration.us": 1370302000, "kibana.alert.evaluation.threshold": -1, "kibana.alert.evaluation.value": 80, "kibana.alert.instance.id": "query matched", "kibana.alert.reason": "Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.", "kibana.alert.rule.category": "Elasticsearch query", "kibana.alert.rule.consumer": "discover", "kibana.alert.rule.name": "EsQuery discover", "kibana.alert.rule.producer": "stackAlerts", "kibana.alert.rule.rule_type_id": ".es-query", "kibana.alert.rule.uuid": "25c14920-faa7-4a9a-830c-ce32c8211237", "kibana.alert.start": "2021-10-19T15:00:41.555Z", "kibana.alert.status": "active", "kibana.alert.time_range": { "gte": "2021-10-19T15:00:41.555Z" }, "kibana.alert.uuid": "23237979-75bf-4b68-a210-ce5056b93356", "kibana.alert.workflow_status": "open", "kibana.space_ids": [ "default" ], "kibana.version": "8.0.0", "tags": [] } } } ``` ## Testing 1. Create a rule with the consumer as `discover`. See #184595 for instructions. 2. Go to the rule details page. 3. Verify that you do not get any error toaster and you can see the alerts. Fixes: #184595 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release notes Fix an issue with rules not being accessible created from Discover before 8.11.0. --------- Co-authored-by: Elastic Machine <[email protected]>
…sumers (elastic#192321) ## Summary Alerts use its own RBAC model. The RBAC relies on a property called `consumer`. The consumer is tight coupled with the feature ID. It denotes the user's access to the rule and the alerts. For example, a user with access to the "Logs" feature has access only to alerts and rules with the `consumer` set as `logs`. Users can create an ES Query rule from Discover. When the feature was [implemented](elastic#124534) (v8.3.0) the consumer was set to `discover`. Then it [changed](elastic#166032) (v8.11.0) to `stackAlerts` (visible only on the stack management page) and then [to](elastic#171364) (v8.12.0) `alerts` so it can be visible in Observability. Users who created rules that generated alerts with the `discover` consumer cannot see the alerts generated by the rule when they upgrade Kibana to 8.11+ even as superusers. This PR fixes the issues around the `discover` consumer. I added the following alert document to the `data.json.gz` to test for alerts with `discover` consumer. ``` { "type": "doc", "value": { "id": "1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97", "index": ".internal.alerts-stack.alerts-default-000001", "source": { "@timestamp": "2021-10-19T14:00:38.749Z", "event.action": "active", "event.kind": "signal", "kibana.alert.duration.us": 1370302000, "kibana.alert.evaluation.threshold": -1, "kibana.alert.evaluation.value": 80, "kibana.alert.instance.id": "query matched", "kibana.alert.reason": "Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.", "kibana.alert.rule.category": "Elasticsearch query", "kibana.alert.rule.consumer": "discover", "kibana.alert.rule.name": "EsQuery discover", "kibana.alert.rule.producer": "stackAlerts", "kibana.alert.rule.rule_type_id": ".es-query", "kibana.alert.rule.uuid": "25c14920-faa7-4a9a-830c-ce32c8211237", "kibana.alert.start": "2021-10-19T15:00:41.555Z", "kibana.alert.status": "active", "kibana.alert.time_range": { "gte": "2021-10-19T15:00:41.555Z" }, "kibana.alert.uuid": "23237979-75bf-4b68-a210-ce5056b93356", "kibana.alert.workflow_status": "open", "kibana.space_ids": [ "default" ], "kibana.version": "8.0.0", "tags": [] } } } ``` ## Testing 1. Create a rule with the consumer as `discover`. See elastic#184595 for instructions. 2. Go to the rule details page. 3. Verify that you do not get any error toaster and you can see the alerts. Fixes: elastic#184595 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release notes Fix an issue with rules not being accessible created from Discover before 8.11.0. --------- Co-authored-by: Elastic Machine <[email protected]> (cherry picked from commit 396931f)
…sumers (elastic#192321) ## Summary Alerts use its own RBAC model. The RBAC relies on a property called `consumer`. The consumer is tight coupled with the feature ID. It denotes the user's access to the rule and the alerts. For example, a user with access to the "Logs" feature has access only to alerts and rules with the `consumer` set as `logs`. Users can create an ES Query rule from Discover. When the feature was [implemented](elastic#124534) (v8.3.0) the consumer was set to `discover`. Then it [changed](elastic#166032) (v8.11.0) to `stackAlerts` (visible only on the stack management page) and then [to](elastic#171364) (v8.12.0) `alerts` so it can be visible in Observability. Users who created rules that generated alerts with the `discover` consumer cannot see the alerts generated by the rule when they upgrade Kibana to 8.11+ even as superusers. This PR fixes the issues around the `discover` consumer. I added the following alert document to the `data.json.gz` to test for alerts with `discover` consumer. ``` { "type": "doc", "value": { "id": "1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97", "index": ".internal.alerts-stack.alerts-default-000001", "source": { "@timestamp": "2021-10-19T14:00:38.749Z", "event.action": "active", "event.kind": "signal", "kibana.alert.duration.us": 1370302000, "kibana.alert.evaluation.threshold": -1, "kibana.alert.evaluation.value": 80, "kibana.alert.instance.id": "query matched", "kibana.alert.reason": "Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.", "kibana.alert.rule.category": "Elasticsearch query", "kibana.alert.rule.consumer": "discover", "kibana.alert.rule.name": "EsQuery discover", "kibana.alert.rule.producer": "stackAlerts", "kibana.alert.rule.rule_type_id": ".es-query", "kibana.alert.rule.uuid": "25c14920-faa7-4a9a-830c-ce32c8211237", "kibana.alert.start": "2021-10-19T15:00:41.555Z", "kibana.alert.status": "active", "kibana.alert.time_range": { "gte": "2021-10-19T15:00:41.555Z" }, "kibana.alert.uuid": "23237979-75bf-4b68-a210-ce5056b93356", "kibana.alert.workflow_status": "open", "kibana.space_ids": [ "default" ], "kibana.version": "8.0.0", "tags": [] } } } ``` ## Testing 1. Create a rule with the consumer as `discover`. See elastic#184595 for instructions. 2. Go to the rule details page. 3. Verify that you do not get any error toaster and you can see the alerts. Fixes: elastic#184595 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release notes Fix an issue with rules not being accessible created from Discover before 8.11.0. --------- Co-authored-by: Elastic Machine <[email protected]> (cherry picked from commit 396931f)
…over` as consumers (#192321) (#194440) # Backport This will backport the following commits from `main` to `8.15`: - [[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)](#192321) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Christos Nasikas","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-30T14:11:00Z","message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Feature:Alerting","Team:ResponseOps","v9.0.0","Feature:Alerting/RulesFramework","backport:prev-major","v8.16.0","v8.15.3"],"title":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers","number":192321,"url":"https://github.com/elastic/kibana/pull/192321","mergeCommit":{"message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.15"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192321","number":192321,"mergeCommit":{"message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Christos Nasikas <[email protected]>
…ver` as consumers (#192321) (#194441) # Backport This will backport the following commits from `main` to `8.x`: - [[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)](#192321) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Christos Nasikas","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-30T14:11:00Z","message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Feature:Alerting","Team:ResponseOps","v9.0.0","Feature:Alerting/RulesFramework","backport:prev-major","v8.16.0","v8.15.3"],"title":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers","number":192321,"url":"https://github.com/elastic/kibana/pull/192321","mergeCommit":{"message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.15"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192321","number":192321,"mergeCommit":{"message":"[ResponseOps][Alerts] Fix authorization issues with `discover` as consumers (#192321)\n\n## Summary\r\n\r\nAlerts use its own RBAC model. The RBAC relies on a property called\r\n`consumer`. The consumer is tight coupled with the feature ID. It\r\ndenotes the user's access to the rule and the alerts. For example, a\r\nuser with access to the \"Logs\" feature has access only to alerts and\r\nrules with the `consumer` set as `logs`. Users can create an ES Query\r\nrule from Discover. When the feature was\r\n[implemented](#124534) (v8.3.0)\r\nthe consumer was set to `discover`. Then it\r\n[changed](#166032) (v8.11.0) to\r\n`stackAlerts` (visible only on the stack management page) and then\r\n[to](#171364) (v8.12.0) `alerts`\r\nso it can be visible in Observability. Users who created rules that\r\ngenerated alerts with the `discover` consumer cannot see the alerts\r\ngenerated by the rule when they upgrade Kibana to 8.11+ even as\r\nsuperusers. This PR fixes the issues around the `discover` consumer.\r\n\r\nI added the following alert document to the `data.json.gz` to test for\r\nalerts with `discover` consumer.\r\n\r\n```\r\n{\r\n \"type\": \"doc\",\r\n \"value\": {\r\n \"id\": \"1b75bfe9-d2f5-47e9-bac6-b082dd9c9e97\",\r\n \"index\": \".internal.alerts-stack.alerts-default-000001\",\r\n \"source\": {\r\n \"@timestamp\": \"2021-10-19T14:00:38.749Z\",\r\n \"event.action\": \"active\",\r\n \"event.kind\": \"signal\",\r\n \"kibana.alert.duration.us\": 1370302000,\r\n \"kibana.alert.evaluation.threshold\": -1,\r\n \"kibana.alert.evaluation.value\": 80,\r\n \"kibana.alert.instance.id\": \"query matched\",\r\n \"kibana.alert.reason\": \"Document count is 80 in the last 100d in .kibana_alerting_cases index. Alert when greater than -1.\",\r\n \"kibana.alert.rule.category\": \"Elasticsearch query\",\r\n \"kibana.alert.rule.consumer\": \"discover\",\r\n \"kibana.alert.rule.name\": \"EsQuery discover\",\r\n \"kibana.alert.rule.producer\": \"stackAlerts\",\r\n \"kibana.alert.rule.rule_type_id\": \".es-query\",\r\n \"kibana.alert.rule.uuid\": \"25c14920-faa7-4a9a-830c-ce32c8211237\",\r\n \"kibana.alert.start\": \"2021-10-19T15:00:41.555Z\",\r\n \"kibana.alert.status\": \"active\",\r\n \"kibana.alert.time_range\": {\r\n \"gte\": \"2021-10-19T15:00:41.555Z\"\r\n },\r\n \"kibana.alert.uuid\": \"23237979-75bf-4b68-a210-ce5056b93356\",\r\n \"kibana.alert.workflow_status\": \"open\",\r\n \"kibana.space_ids\": [\r\n \"default\"\r\n ],\r\n \"kibana.version\": \"8.0.0\",\r\n \"tags\": []\r\n }\r\n }\r\n}\r\n```\r\n\r\n## Testing\r\n\r\n1. Create a rule with the consumer as `discover`. See\r\nhttps://github.com//issues/184595 for instructions.\r\n2. Go to the rule details page.\r\n3. Verify that you do not get any error toaster and you can see the\r\nalerts.\r\n\r\nFixes: https://github.com/elastic/kibana/issues/184595\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [x] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n## Release notes\r\nFix an issue with rules not being accessible created from Discover\r\nbefore 8.11.0.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"396931f5056600e633dba64dab81a66096d05f72"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Christos Nasikas <[email protected]>
Summary
Closes #117532
This PR extends Elasticsearch query rule to enable the creation of an alert rule in Discover via
Search source
. See all details in the linked issue.Test
Alerts
in top nav menuAlert creation sidebar
Tool tip with explanation about missed time field in data view
Toast info notification about possible difference to the documents that triggered alert when user follows link provided by rule connector
Checklist
Delete any items that are not applicable to this PR.