No longer use generated IDs for X-Opaque-ID / requestId
#123197
Conversation
pgayvallet
added
v7.17.0
v8.0.0
v8.1.0
release_note:skip
| @@ -166,7 +166,7 @@ export class AuditService { | |||
| session_id: sessionId, | |||
| ...event.kibana, | |||
| }, | |||
| trace: { id: request.id }, | |||
| trace: { id: request.opaqueId }, | |||
There was a problem hiding this comment.
@elastic/kibana-security request.id was renamed to request.opaqueId, but is now optional, as we're no longer generating a value when not provided by the client / when the configuration forbid its usage.
Is this change fine, or should we fallback to request.uuid when request.opaqueId is empty?
There was a problem hiding this comment.
JFYI: Kibana sets tracing fields starting from #118466 The value from meta override them (sorry, I need to update the test suite name 😅 )
maybe audit logging should rely on the
trace field supplied by the Kibana server and not overwrite them?
There was a problem hiding this comment.
#118466 was merged on 8.1 only, and not backported though, right?
There was a problem hiding this comment.
yes, it wasn't. because it's not a bug fix
There was a problem hiding this comment.
@elastic/kibana-security
request.idwas renamed torequest.opaqueId, but is now optional, as we're no longer generating a value when not provided by the client / when the configuration forbid its usage.Is this change fine, or should we fallback to
request.uuidwhenrequest.opaqueIdis empty?
I responded to the linked issue in #120124 (comment).
I'm not on board with this change in general as it hamstrings auditing functionality. If we have to go through with this though, we at least need the ability to correlate audit records within the Kibana audit log which originate from the same request. In that case it would be better to fall back to request.uuid.
| if (!this.enabled) return; | ||
| // requestId may not be present in the case of FakeRequest | ||
| // requestId may not be present if unspecified by the client or in the case of FakeRequest | ||
| const requestId = this.requestIdStore.getStore()?.requestId ?? 'unknownId'; | ||
| const executionContext = this.contextStore.getStore()?.toString(); | ||
| const executionContextStr = executionContext ? `;kibana:${executionContext}` : ''; |
There was a problem hiding this comment.
(This is correlated with the change in src/core/server/elasticsearch/client/cluster_client.ts)
ATM we kinda have an inconsistency between when EC is enabled or not, as when EC is enabled, the x-opaque-id value will be coming from EC.getAsHeader, and when it's not, the value is generated within ClusterClient.getScopedHeaders
ATM (with the PR's current change), the value matrix looks like:
| EC enabled | request.opaqueId present | EC present | x-opaque-id sent to ES |
|---|---|---|---|
| true | true | true | '${opaqueId};kibana:${executionContext}' |
| true | true | false | '${opaqueId}' |
| true | false | true | 'unknownId;kibana:${executionContext}' |
| true | false | false | 'unknownId' |
| false | true | true | N/A |
| false | true | false | '${opaqueId}' |
| false | false | true | N/A |
| false | false | false | undefined |
I got a few questions here:
- is this
unknownIddefault value foropaqueIdacceptable?- X-Opaque-ID contains UUID causing ES deduplication to fail #120124 (comment) suggest potentially using
kibanaas the default value, but then, in case of populated execution context, the value would look likekibana;kibana:${executionContext}. Are we fine with this format? Do we just want to usekibana:${executionContext}in that case instead?
- X-Opaque-ID contains UUID causing ES deduplication to fail #120124 (comment) suggest potentially using
- When EC is disabled, the header is populated by
ClusterClient.getScopedHeaders. ATM whenrequest.opaqueIdis not present, we're not sending anyx-opaque-idheader to ES. Do we want to change that to sendkibana(or any constant value we agreed on from the previous point) instead? - (follow-up of next point) Should we decide to have the EC service the single source of truth for the
x-opaque-idheader and havegetAsHeaderalways return a value even when disabled- this would require the
requestIdStoreto always be populated even when EC is disabled, which could be a performance issue as the whole purpose of allowing to disable the EC was for performances reasons
- this would require the
@mshustov @lukeelmers what do you think about this?
There was a problem hiding this comment.
Are we fine with this format? Do we just want to use kibana:${executionContext} in that case instead?
Worth noting, ES doesn't parse x-opaque-id value, so we can use any format. I used kibana static value to simplify parsing when an incoming request contains x-opaque-id. If you find it easier to use kibana;${executionContext}, we can change the format.
ATM when request.opaqueId is not present, we're not sending any x-opaque-id header to ES. Do we want to change that to send kibana (or any constant value we agreed on from the previous point) instead?
@pgomulka what is better for the depreciation service of Elasticsearch?
Should we decide to have the EC service the single source of truth for the x-opaque-id header and have getAsHeader always return a value even when disabled
I didn't put this logic in the EC service to have a proper separation of concerns. The fact we put execution_context in x-opaque-id header of outbound requests is an implementation detail. When the buggage header is available, we will use it for context propagation. Having said that, I'd rather keep this logic on the elasticsearch service level. But we can refactor it a bit.
There was a problem hiding this comment.
ATM when request.opaqueId is not present, we're not sending any x-opaque-id header to ES. Do we want to change that to send kibana (or any constant value we agreed on from the previous point) instead?
@pgomulka what is better for the depreciation service of Elasticsearch?
either way is good. As long as it is constant (or from a finite set). If Kibana wants to send a constant x-opaque-id-from-kibana it would help identifying its requests
There was a problem hiding this comment.
I used kibana static value to simplify parsing when an incoming request contains x-opaque-id. If you find it easier to use kibana;${executionContext}, we can change the format.
Let's not overcomplicate the PR for no good reasons. The current format is good enough to address #120124, let's not change it for now. We'll reevaluate when we'll use the baggage header anyway.
| if (!this.enabled) return; | ||
| // requestId may not be present in the case of FakeRequest | ||
| // requestId may not be present if unspecified by the client or in the case of FakeRequest | ||
| const requestId = this.requestIdStore.getStore()?.requestId ?? 'unknownId'; | ||
| const executionContext = this.contextStore.getStore()?.toString(); | ||
| const executionContextStr = executionContext ? `;kibana:${executionContext}` : ''; |
There was a problem hiding this comment.
Are we fine with this format? Do we just want to use kibana:${executionContext} in that case instead?
Worth noting, ES doesn't parse x-opaque-id value, so we can use any format. I used kibana static value to simplify parsing when an incoming request contains x-opaque-id. If you find it easier to use kibana;${executionContext}, we can change the format.
ATM when request.opaqueId is not present, we're not sending any x-opaque-id header to ES. Do we want to change that to send kibana (or any constant value we agreed on from the previous point) instead?
@pgomulka what is better for the depreciation service of Elasticsearch?
Should we decide to have the EC service the single source of truth for the x-opaque-id header and have getAsHeader always return a value even when disabled
I didn't put this logic in the EC service to have a proper separation of concerns. The fact we put execution_context in x-opaque-id header of outbound requests is an implementation detail. When the buggage header is available, we will use it for context propagation. Having said that, I'd rather keep this logic on the elasticsearch service level. But we can refactor it a bit.
| @@ -166,7 +166,7 @@ export class AuditService { | |||
| session_id: sessionId, | |||
| ...event.kibana, | |||
| }, | |||
| trace: { id: request.id }, | |||
| trace: { id: request.opaqueId }, | |||
There was a problem hiding this comment.
JFYI: Kibana sets tracing fields starting from #118466 The value from meta override them (sorry, I need to update the test suite name 😅 )
maybe audit logging should rely on the
trace field supplied by the Kibana server and not overwrite them?
pgayvallet
added
Feature:elasticsearch
and removed
v8.0.0
v7.17.0
bug
💛 Build succeeded, but was flakyTest Failures
Metrics [docs]Public APIs missing comments
History
To update your PR or re-run it, just comment with: |
|
Closing as stale PR |
Summary
Fix #123737
KibanaRequest.idtoopaqueIdKibanaRequest.opaqueIdwhen thex-opaque-idheader is not provided by the clientChecklist