[Security Solution] [Detections] Remove allow_no_indices to prevent error being thrown in response of field capabilities #89927
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dhurley14
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
dhurley14
added
the
Feature:Detection Rules
dhurley14
changed the title
marshallmain
reviewed
Feb 1, 2021
x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
Outdated
Show resolved
Hide resolved
rylnd
approved these changes
Feb 2, 2021
There was a problem hiding this comment.
It looks like there are still some failing integration tests that were relying on the previous rule behavior. Related to this, it would be nice to have an integration test that explicitly captures this new behavior: the rule will fail with an error if no source indices exist.
LGTM once CI is happy 👍
|
@elasticmachine merge upstream |
marshallmain
approved these changes
Feb 2, 2021
…ices property then write error status with index patterns provided to rule
…e should fail and when one index pattern does exist but another does not, the rule should succeed
dhurley14
force-pushed
the
fix-privileges-indices-error
branch
from
c60f8e9
to
e41de31
Compare
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Feb 2, 2021
…rror being thrown in response of field capabilities (elastic#89927) * remove allow_no_indices param, adds a check if response has empty indices property then write error status with index patterns provided to rule * fix tests * fix tests and update with comments * update integration tests * adds integration test for when an index pattern doesn't exist the rule should fail and when one index pattern does exist but another does not, the rule should succeed
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Feb 2, 2021
…rror being thrown in response of field capabilities (elastic#89927) * remove allow_no_indices param, adds a check if response has empty indices property then write error status with index patterns provided to rule * fix tests * fix tests and update with comments * update integration tests * adds integration test for when an index pattern doesn't exist the rule should fail and when one index pattern does exist but another does not, the rule should succeed
phillipb
added a commit
to phillipb/kibana
that referenced
this pull request
Feb 2, 2021
…-ml-jobs * 'master' of github.com:elastic/kibana: (254 commits) [Security Solution] [Detections] Remove allow_no_indices to prevent error being thrown in response of field capabilities (elastic#89927) Skip test for cloud (elastic#89450) [Fleet] Fix duplicate data streams being shown in UI (elastic#89812) Bump package dependencies (elastic#90034) [App Search] DRY helper for encoding/decoding routes that can have special characters in params (elastic#89811) TypeScript project references for Observability plugin (elastic#89320) [SearchSource] Combine sort and parent fields when serializing (elastic#89808) Made imports static (elastic#89935) [ml] migrate file_data_visualizer/import route to file_upload plugin (elastic#89640) [Discover] Adapt default column behavior (elastic#89826) Round start and end values (elastic#89030) Rename getProxyAgents to getCustomAgents (elastic#89813) [Form lib] UseField `onError` listener (elastic#89895) [APM] use latency sum instead of avg for impact (elastic#89990) migrate more core-owned plugins to tsproject ref (elastic#89975) [Logs UI] Load <LogStream> entries via async searches (elastic#86899) [APM] Abort browser requests when appropriate (elastic#89557) [Alerting] Allow user to select existing connector of same type when fixing broken connector (elastic#89062) [Data Table] Use shared CSV export mechanism (elastic#89702) chore(NA): improve logic check when installing Bazel tools (elastic#89634) ...
dhurley14
added a commit
that referenced
this pull request
Feb 2, 2021
…vent error being thrown in response of field capabilities (#89927) (#90072) * remove allow_no_indices param, adds a check if response has empty indices property then write error status with index patterns provided to rule * fix tests * fix tests and update with comments * update integration tests * adds integration test for when an index pattern doesn't exist the rule should fail and when one index pattern does exist but another does not, the rule should succeed
dhurley14
added a commit
that referenced
this pull request
Feb 2, 2021
…event error being thrown in response of field capabilities (#89927) (#90073) * remove allow_no_indices param, adds a check if response has empty indices property then write error status with index patterns provided to rule * fix tests * fix tests and update with comments * update integration tests * adds integration test for when an index pattern doesn't exist the rule should fail and when one index pattern does exist but another does not, the rule should succeed
rylnd
reviewed
Feb 4, 2021
| @@ -46,11 +47,13 @@ export default ({ getService }: FtrProviderContext) => { | |||
| describe('creating rules', () => { | |||
| beforeEach(async () => { | |||
| await createSignalsIndex(supertest); | |||
| await esArchiver.load('auditbeat/hosts'); | |||
There was a problem hiding this comment.
For posterity: these indices were added so that the rule would not fail on the initial permissions check due to a lack of indices.
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Removes
allow_no_indicesparam. Specifying this option meant that our field_capabilities check was throwing an error if the rule included an index pattern that did not exist. This would be most typical in e.g. a prepackaged rule using the default index patterns.If we pass the field capabilities api an index pattern that does not match any indices in Elasticsearch, that index pattern is not returned as a part of the response with indices that have that field "unmapped". This adds a check if the response from field capabilities api has empty
indicesproperty then write error status with index patterns provided to rule. This essentially tells the user there are no concrete indices matching any of the provided index patterns.Checklist
Delete any items that are not applicable to this PR.
For maintainers