Added layer for creating and updating the workflow #831
Signed-off-by: Stevan Buzejic <[email protected]>
Signed-off-by: Stevan Buzejic <[email protected]>
@@ -299,6 +299,312 @@ | |||
} | |||
} | |||
}, | |||
"workflow": { |
The schema version at the top needs to be incremented.
} | ||
} | ||
}, | ||
"triggers": { |
This is not in the workflow object. ref: https://github.com/opensearch-project/common-utils/pull/380/files#diff-bba54255f406156efae1c6e081dd845fa7cd3444b381314a2fb58064cdb0e76d
This also seems like we are storing all the monitor information here and if we create monitors based on the workflows, this doesn't make sense to duplicate the data.
Yes I agree. It should be removed.
core/build.gradle
Outdated
@@ -15,7 +15,7 @@ dependencies { | |||
implementation "com.cronutils:cron-utils:9.1.6" | |||
api "org.opensearch.client:opensearch-rest-client:${opensearch_version}" | |||
implementation 'com.google.googlejavaformat:google-java-format:1.10.0' | |||
api "org.opensearch:common-utils:${common_utils_version}" | |||
api files("/home/stevan/git/opensearch/repo/common-utils/build/libs/common-utils-2.7.0.0-SNAPSHOT.jar") |
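Review bot: The api files("/home/stevan/...") line swaps the version-managed coordinate org.opensearch:common-utils:${common_utils_version} for an absolute path on one developer's machine, so the build fails on every other checkout and in CI, and whatever jar happens to sit at that path is linked in instead of an artifact resolved from the repository. Restore the api "org.opensearch:common-utils:${common_utils_version}" line and record the dependency on the common-utils change in the PR description instead.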
Please remove this from the PR. You can keep this locally for testing.
A-ha ok cool - will do. Added in order to be "visible" that we need to merge the common-util first. Tnx
} | ||
} | ||
|
||
suspend fun validateRequest(request: IndexWorkflowRequest) { |
Should there be another check to make sure there is only 1 input since that is what is being supported here?
Makes sense!
Can you share the integ test runs in here to add confidence on things working?
I think I added - it's just reduced view because of its size. Here is the integ-test file
Signed-off-by: Stevan Buzejic <[email protected]>
|
||
val user = readUserFromThreadContext(client) | ||
|
||
if (!validateUserBackendRoles(user, actionListener)) { |
can we also validate if the user has EXECUTE permission on the delegate monitors?
} | ||
|
||
if (user == null) { | ||
// Security is disabled, add empty user to Monitor. user is null for older versions. |
plz write a workflow relevant comment instead
transformedRequest.rbacRoles != null | ||
) { | ||
if (transformedRequest.rbacRoles?.stream()?.anyMatch { !user.backendRoles.contains(it) } == true) { | ||
log.debug( |
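Review bot: The role check in the if condition, transformedRequest.rbacRoles?.stream()?.anyMatch { !user.backendRoles.contains(it) } == true, goes through a Java stream where the Kotlin collection API reads more directly. transformedRequest.rbacRoles?.any { it !in user.backendRoles } == true behaves the same and drops the extra safe call on stream().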
this is an error log, not debug
// Retry mapping of monitor | ||
onCreateMappingsResponse(true) | ||
} | ||
} else { |
Add error log:
log.error("Failed to create workflow", e)
plz add error log with such messages at every failure/exception
plz add error logs at every exception with descriptive message
// Retry mapping of monitor | ||
onCreateMappingsResponse(true) | ||
} | ||
} else { |
plz add error log with such messages at every failure/exception
prepareWorkflowIndexing() | ||
IndexUtils.scheduledJobIndexUpdated() | ||
} else { | ||
log.info("Create $SCHEDULED_JOBS_INDEX mappings call not acknowledged.") |
this is an error log
onUpdateMappingsResponse(response) | ||
} | ||
|
||
override fun onFailure(t: Exception) { |
Add error log
indexResponse.primaryTerm, request.workflow | ||
) | ||
) | ||
} catch (t: Exception) { |
add error log
Sorry, didn't understand you correctly :) will attach the test results
Signed-off-by: Stevan Buzejic <[email protected]>
actionListener.onResponse( | ||
IndexWorkflowResponse( | ||
indexResponse.id, indexResponse.version, indexResponse.seqNo, | ||
indexResponse.primaryTerm, request.workflow |
can we set workflow id in workflow object
Signed-off-by: Stevan Buzejic <[email protected]>
private suspend fun getDelegateMonitors( | ||
monitorIds: MutableList<String> | ||
): List<Monitor> { |
We don't check if the user has access to these monitors. We need to also check for the backend roles. Lastly, we need to ensure the users have access to the indices in the monitors for when it tries to execute those monitors.
"monitor_id": { | ||
"type": "keyword" | ||
}, | ||
"chained_findings": { |
this should be chained_monitor_findings, right?
Ah... Good catch! Hm... But wrong param naming went on common-util feature branch -> I renamed the property but forgot to rename the property used in a builder:
https://github.com/opensearch-project/common-utils/blob/feature/composite-monitors/src/main/kotlin/org/opensearch/commons/alerting/model/Delegate.kt#L77
So we have inconsistency now in property naming and mapping. What do you suggest? Should I do a change on common-util first and then change the mappings here or? Tnx
Yea, let's get both updated. Since these are going into the feature branch, we can do both at the same time.
Signed-off-by: Stevan Buzejic <[email protected]>
request.workflow = request.workflow | ||
.copy(user = User(user.name, currentWorkflow.user!!.backendRoles, user.roles, user.customAttNames)) | ||
} | ||
log.debug("Update monitor backend roles to: ${request.workflow.user?.backendRoles}") |
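Review bot: In the .copy(user = User(user.name, currentWorkflow.user!!.backendRoles, ...)) line, the !! turns a stored workflow without a user into a NullPointerException in the middle of the update. Handle the null case explicitly before the copy, for example by failing the request through the listener with a descriptive message, so the update path reports a clear error rather than an unhandled exception.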
nitpick: change this to "Update workflow" instead of "Update monitor"
Signed-off-by: Stevan Buzejic <[email protected]>
@@ -418,7 +418,7 @@ | |||
"monitor_id": { | |||
"type": "keyword" | |||
}, | |||
"chained_findings": { | |||
"chained_monitor_findings": { |
do we need to fix this in common utils for the model also ?
I see the PR https://github.com/opensearch-project/common-utils/pull/390/files
thank you
…t#831)
* Renamed chainedFindings to chainedMonitorFindings
* Removed unnecessary mappings from workflow definition
* Improved logging when saving the workflows
* Added a workflow id in response
* Added role check and index access once the workflow is being created
* Updated mappings for the workflow
---------
Signed-off-by: Stevan Buzejic <[email protected]>
* Added layer for creating and updating the workflow (#831)
* Renamed chainedFindings to chainedMonitorFindings
* Removed unnecessary mappings from workflow definition
* Improved logging when saving the workflows
* Added a workflow id in response
* Added role check and index access once the workflow is being created
* Updated mappings for the workflow
--------- Signed-off-by: Stevan Buzejic <[email protected]>
* Fixed xContent dependencies due to OSCore changes (#839) Signed-off-by: Angie Zhang <[email protected]>
* Dependency fix (#846) Signed-off-by: Stevan Buzejic <[email protected]>
* Refactored workflowIndexing validation - removed coroutine and contex… (#857)
* Refactored workflowIndexing validation - removed coroutine and context client context lost Signed-off-by: Stevan Buzejic <[email protected]>
* refactored getting the workflows Signed-off-by: Stevan Buzejic <[email protected]>
* Changed the logic according to secure test findings Signed-off-by: Stevan Buzejic <[email protected]>
* [Backport 2.x] Notification security fix (#861) (#863)
* Notification security fix (#852)
* added injecting whole user object in threadContext before calling notification APIs so that backend roles are available to notification plugin
* compile fix
* refactored user_info injection to use InjectSecurity
* ktlint fix
--------- (cherry picked from commit e0b7a5a)
* remove unneeded import
--------- Signed-off-by: Ashish Agrawal <[email protected]> Co-authored-by: opensearch-trigger-bot[bot] <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Co-authored-by: Petar Dzepina <[email protected]> Co-authored-by: Ashish Agrawal <[email protected]>
* Stashed user together with its roles Signed-off-by: Stevan Buzejic <[email protected]>
--------- Signed-off-by: Stevan Buzejic <[email protected]> Signed-off-by: Ashish Agrawal <[email protected]> Co-authored-by: opensearch-trigger-bot[bot] <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Co-authored-by: Petar Dzepina <[email protected]> Co-authored-by: Ashish Agrawal <[email protected]>
* Added workflow execution logic (#850)
* Added workflow execution logic Signed-off-by: Stevan Buzejic <[email protected]>
* Adjusted code according to comments Signed-off-by: Stevan Buzejic <[email protected]>
* Updated version of the findings json Signed-off-by: Stevan Buzejic <[email protected]>
* Updating the workflow metadata in the case of updating flag set to false while the metadata already exists Signed-off-by: Stevan Buzejic <[email protected]>
* Added logging for workflow metadata update Signed-off-by: Stevan Buzejic <[email protected]>
* Added Rest Execute Workflow action Signed-off-by: Stevan Buzejic <[email protected]>
* Extended workflow context with workflowMetadataId. Adjusted the doc level monitor findings Signed-off-by: Stevan Buzejic <[email protected]>
* Updated conditions for unstashing the context when indexing and deleting the workflow Signed-off-by: Stevan Buzejic <[email protected]>
--------- Signed-off-by: Stevan Buzejic <[email protected]>
* Added fix when executing the workflow and when chained findings index… (#890) Signed-off-by: Stevan Buzejic <[email protected]>
* Fixed deleting monitor workflow metadata (#882)
* Fixed deleting monitor metadata and workflow metadata. Signed-off-by: Stevan Buzejic <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]>
* fix monitor metadata error from conflict resolution Signed-off-by: Surya Sashank Nistala <[email protected]>
* remove unused import Signed-off-by: Surya Sashank Nistala <[email protected]>
* remove rest execute workflow action Signed-off-by: Surya Sashank Nistala <[email protected]>
* increment schema version for findings mapping json Signed-off-by: Surya Sashank Nistala <[email protected]>
--------- Signed-off-by: Stevan Buzejic <[email protected]> Signed-off-by: Angie Zhang <[email protected]> Signed-off-by: Ashish Agrawal <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]> Co-authored-by: Stevan Buzejic <[email protected]> Co-authored-by: Angie Zhang <[email protected]> Co-authored-by: opensearch-trigger-bot[bot] <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Co-authored-by: Petar Dzepina <[email protected]> Co-authored-by: Ashish Agrawal <[email protected]>
Issue #, if available:
#834
Description of changes:
Added transport layer for creating/updating of the workflows and appropriate integration tests
CheckList:
[ ] Commits are signed per the DCO using --signoff
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.