Extended detector use-cases to consider the workflow #394
Conversation
Signed-off-by: Stevan Buzejic <[email protected]>
| @@ -51,6 +51,8 @@ public class Detector implements Writeable, ToXContentObject { | |||
| public static final String ENABLED_TIME_FIELD = "enabled_time"; | |||
| public static final String ALERTING_MONITOR_ID = "monitor_id"; | |||
|
|
|||
| public static final String ALERTING_WORKFLOW_ID = "workflow_ids"; | |||
There was a problem hiding this comment.
NIT: shouldnt we have single workflow id?
Any motivations for list?
There was a problem hiding this comment.
Hope we are not exposing workflow id in response serialized to user
There was a problem hiding this comment.
I added list because I though it's more generic solution - which will allow us (if we are going consider that scenario in one moment) to add multiple workflows without taking care about the detectors created in the period once we had only one workflow (and creating special case branches in the code with some if-else logic).
Does this makes sense? If not, I will remove it
There was a problem hiding this comment.
what happens
- User creates detector in 2.6
- upgrades cluster to version where workflows are introduced
- updates detector rules? Will new workflow be created and the monitors be disabled? or will we not create workflows for existing detectors.
- let's closely check the udpate scenario
| case ALERTING_WORKFLOW_ID: | ||
| XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_ARRAY, xcp.currentToken(), xcp); | ||
| while (xcp.nextToken() != XContentParser.Token.END_ARRAY) { | ||
| String workflowId = xcp.text(); |
| errorStatusSupplier.trySet(response.getStatus()); | ||
| return true; | ||
| // If detector doesn't have the workflows it means that older version of the plugin is used | ||
| if (detector.isWorkflowSupported()) { |
There was a problem hiding this comment.
debug log "deleting workflow before deleting detector
| workflowService.deleteWorkflow(detector.getWorkflowIds().get(0), | ||
| new ActionListener<>() { | ||
| @Override | ||
| public void onResponse(DeleteWorkflowResponse deleteWorkflowResponse) { |
There was a problem hiding this comment.
debug log "workflow deleted. deleting monitors before detector deletion"
| } | ||
| return false; | ||
| }).count() > 0) { | ||
| onFailures(new OpenSearchStatusException("Monitor associated with detected could not be deleted", errorStatusSupplier.get())); |
There was a problem hiding this comment.
It is not removed - it's extracted to monitor service. Check it out here
| log.error("Detector not being deleted because monitor [{}] could not be deleted. Status [{}]", response.getId(), response.getStatus()); | ||
| errorStatusSupplier.trySet(response.getStatus()); | ||
| return true; | ||
| // If detector doesn't have the workflows it means that older version of the plugin is used |
There was a problem hiding this comment.
we can use step listener instead of repeating logic
first step is deleting workflow. if workflow doesnt exist listener can return success response or soemthing like that.
much more cleaner and understandable that way
| if (numberOfUnprocessedResponses == 0) { | ||
| workflowService.upsertWorkflow( | ||
| monitorResponses.stream().map(IndexMonitorResponse::getId).collect(Collectors.toList()), | ||
| null, |
There was a problem hiding this comment.
which field is being set as null?
|
|
||
| @Override | ||
| public void onFailure(Exception e) { | ||
| listener.onFailure(e); |
There was a problem hiding this comment.
delete monitors if we fail to create workflow?
There was a problem hiding this comment.
we are deleting the monitors in workflowService.upsertWorkflow if upserts fails
There was a problem hiding this comment.
Can the same monitor be referred to other workflow?
There was a problem hiding this comment.
@getsaurabh02 Yes - one monitor can be part of delegate list of two different workflows
|
|
||
| @Override | ||
| public void onFailure(Exception e) { | ||
| listener.onFailure(e); |
There was a problem hiding this comment.
add error logs everywhere log.error("message", e)
|
|
||
| @Override | ||
| public void onFailure(Exception e) { | ||
| listener.onFailure(e); |
| @@ -1141,7 +1230,30 @@ public void onResponse(IndexResponse response) { | |||
|
|
|||
| @Override | |||
| public void onFailure(Exception e) { | |||
| onFailures(e); | |||
| // Revert the workflow and monitors created in previous steps | |||
| workflowService.deleteWorkflow(request.getDetector().getWorkflowIds().get(0), | |||
There was a problem hiding this comment.
what if workflow never gets created
There was a problem hiding this comment.
how will we delete monitors then
There was a problem hiding this comment.
Then it's an error in program flow - if the workflow is not created (because of the error) the detector won't be created.
| } | ||
| @Override | ||
| public void onFailure(Exception e) { | ||
| listener.onFailure(e); |
There was a problem hiding this comment.
error logs for e and e.suppressedExceptions
There was a problem hiding this comment.
I thought to add something like this:
log.error("Error deleting monitors", e);
When you say e.suppressedExceptions you mean we should also do
log.error("Error deleting monitors", e.getSuppressed()); or?
| import org.opensearch.commons.alerting.action.DeleteMonitorResponse; | ||
| import org.opensearch.rest.RestStatus; | ||
|
|
||
| public class MonitorService { |
There was a problem hiding this comment.
java doc to explain this is an Alerting commons interface
| import org.opensearch.rest.RestRequest.Method; | ||
| import org.opensearch.securityanalytics.model.Detector; | ||
|
|
||
| public class WorkflowService { |
There was a problem hiding this comment.
java doc to explain this is an Alerting commons interface
| @@ -88,6 +88,9 @@ | |||
| } | |||
| } | |||
| }, | |||
| "workflow_ids": { | |||
There was a problem hiding this comment.
Makes sense to be keyword
Check it out here |
Signed-off-by: Stevan Buzejic <[email protected]>
…ed loggings Signed-off-by: Stevan Buzejic <[email protected]>
|
@stevanbz
|
Yeah sure. Makes sense. Will add the flag. Just one correction re the item 4. |
… enable_workflow_usage. Added integration test that verify that the workflow is not created during update Signed-off-by: Stevan Buzejic <[email protected]>
| @@ -546,7 +707,7 @@ private IndexMonitorRequest createBucketLevelMonitorRequest( | |||
| triggers.add(bucketLevelTrigger1); | |||
There was a problem hiding this comment.
i still do not see the bucket level triggers passed to the workflow. will it be part of a future pr?
There was a problem hiding this comment.
Will address this in a quick follow up PR
| verifyWorkflow(detectorMap, monitorIds, 2); | ||
| } | ||
|
|
||
| public void testCreateDetector_verifyWorkflowExecutionBucketLevelDocLevelMonitors_success() throws IOException { |
There was a problem hiding this comment.
can this test case be create a detector with an aggregation sigma rule with a detector trigger that generates a finding but not an alert?
can we add another test case to create a detector with an aggregation sigma rule with a detector trigger that generates a finding & also an alert?
There was a problem hiding this comment.
Will address this in a quick follow up PR
Enables workflow creation - all the monitors related with the given detector will be part of the detector Enables workflow update during detector update Deletes the workflow during the detector deletion Adds additional field to a detector Signed-off-by: Stevan Buzejic <[email protected]>
Enables workflow creation - all the monitors related with the given detector will be part of the detector Enables workflow update during detector update Deletes the workflow during the detector deletion Adds additional field to a detector Signed-off-by: Stevan Buzejic <[email protected]>
Enables workflow creation - all the monitors related with the given detector will be part of the detector Enables workflow update during detector update Deletes the workflow during the detector deletion Adds additional field to a detector Signed-off-by: Stevan Buzejic <[email protected]>
Enables workflow creation - all the monitors related with the given detector will be part of the detector Enables workflow update during detector update Deletes the workflow during the detector deletion Adds additional field to a detector Signed-off-by: Stevan Buzejic <[email protected]>
* Using alerting workflows in detectors (#394) Enables workflow creation - all the monitors related with the given detector will be part of the detector Enables workflow update during detector update Deletes the workflow during the detector deletion Adds additional field to a detector Signed-off-by: Stevan Buzejic <[email protected]> * disable delegate monitors as workflow is synced to detector enabled/disabled flag Signed-off-by: Surya Sashank Nistala <[email protected]> * fix test Signed-off-by: Surya Sashank Nistala <[email protected]> --------- Signed-off-by: Stevan Buzejic <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]> Signed-off-by: Subhobrata Dey <[email protected]> Co-authored-by: Stevan Buzejic <[email protected]> Co-authored-by: Subhobrata Dey <[email protected]>
Enables workflow creation - all the monitors related with the given detector will be part of the detector Enables workflow update during detector update Deletes the workflow during the detector deletion Adds additional field to a detector Signed-off-by: Stevan Buzejic <[email protected]>
…oject#394 (opensearch-project#396) Signed-off-by: Jovan Cvetkovic <[email protected]>
Description
This PR contains the changes related with workflow.
This PR considers if the current detectors are supporting the workflow or not
Issues Resolved
[List any issues this PR will resolve]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.