-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Response Ops][Actions] Keep track of action execution source and show in connector exec log #152030
Conversation
…ce type in action task params. Writing source to event log
@@ -45,6 +45,10 @@ | |||
"relatedSavedObjects": { | |||
"enabled": false, | |||
"type": "object" | |||
}, | |||
"source": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding source
field but not indexing it because we don't need to query on it. Also not adding a migration because this is not a required field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you really need to add it explicitly to the mappings then?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought we had dynamic: strict
for saved object mappings so we had to identify all the fields even if we didn't need to map them? If that's not the case, I am happy to remove!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're using dynamic:strict
at the root level, but you can add dynamic: false
at the top level of your type's mapping to override it. I thought it was already the case for response ops types tbh.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like that is the case for the cases
SO type but not for action
, action_task_params
or alert
SO types. Is that the preferred method? I can add it to action_task_params
in this PR and create a separate PR for the other SO types if so
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think check w/ @XavierM - he's been working on fine-tuning the mappings for dynamic false; he probably has a feel whether we should do these adhoc or wait and do them all at once.
We did recently just add a dynamic: false
to an "inner" struct in the rule SO, and I posted some comments on it. https://github.com/elastic/kibana/pull/148038/files#r1091213922
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
he probably has a feel whether we should do these adhoc or wait and do them all at once
Doing it in another PR works for me, as long as we make sure this new field is in the radar of the other PR/PR author.
I'll approve to unblock and will let you figure out how/when you want to do the field removal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed with Xavier and I will add dynamic:false
to the action_task_params
mappings in this PR, he will make note of the new source field in his PR: #152857 which will also set dynamic:false for the other Response Ops SO types.
@@ -9,6 +9,5 @@ export const EVENT_LOG_PROVIDER = 'actions'; | |||
export const EVENT_LOG_ACTIONS = { | |||
execute: 'execute', | |||
executeStart: 'execute-start', | |||
executeViaHttp: 'execute-via-http', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typically different event log actions means a different document is written out (we write out separate docs for execute
and execute-start
. In this case, it doesn't seem to make sense to write out a different doc for execute-via-http
and it made more sense to store the source in the execute
doc. This value was unused anyway, so I removed it.
…to actions/execution-source
Pinging @elastic/response-ops (Team:ResponseOps) |
@lcawl What do you think would be more user friendly text to show in the UI instead of |
I think that depends on who we think will make use of this information. If it's for debugging purposes only and is hidden by default, then it's less important to clarify their meanings. If, however, we want users to make sense of them, IMO we can keep the keywords but add a legend to explain their meanings (i.e. akin to what you've put in the PR summary). This legend/explanation could exist in a tooltip or popover on that column. If you choose to go that route, I can help with the text. |
Thanks @lcawl! With that feedback, I will leave it as is but lowercase the word so it doesn't sound like it's shouting at you. |
2d6b8a4
to
91209de
Compare
@elasticmachine merge upstream |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - testing all the source styles works as expected in the UI and event log.
I didn't see an obvious FT for the notification source; if we can add one easily, would be nice to have here, otherwise create an issue to add one?
@@ -7,19 +7,17 @@ | |||
|
|||
import { v4 as uuidv4 } from 'uuid'; | |||
import { pick } from 'lodash'; | |||
import { pipe } from 'fp-ts/lib/pipeable'; | |||
import { map, fromNullable, getOrElse } from 'fp-ts/lib/Option'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you :-)
@@ -95,6 +96,7 @@ export default function ({ getService }: FtrProviderContext) { | |||
outcome: 'success', | |||
message: `action executed: test.index-record:${createdAction.id}: My action`, | |||
startMessage: `action started: test.index-record:${createdAction.id}: My action`, | |||
source: ActionExecutionSourceType.HTTP_REQUEST, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't seem like we have explicit tests for notification? I imagine there must be a cases FT to test changing assignees that presumably would check to make sure the notification was attempted. That we could add an event log check to. If not, feels like we should open an issue to add one, unless it's super-simple to do in this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I looked up the PR for notifications and there's a comment in the description that there were no integration tests: #144391
I did not add integration tests due to the complexity of simulating an email server. I added unit test coverage. If integration test coverage is needed we can add the tests on another PR.
I can create a followup issue for it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ya, please do, and reference that PR. I think we have a fairly simple way of simulating an email server, maybe it's not appropriate for this behavior though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created issue here: #152950
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
…to actions/execution-source
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
Async chunks
Public APIs missing exports
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @ymao1 |
…w in connector exec log (elastic#152030) Resolves elastic#143984 ## Summary This PR persists an execution source field to the action event log `execute` document which indicates the source of the action. Currently, we have 3 sources of action execution: * `http_request` - these are executions triggered from the `_execute` route in the actions API. This is used by the test connector functionality in the UI but could also be used directly via curl command. We do not differentiate between the two. * `notification` - these are executions triggered by the notifications service. currently, this only occurs when a case is assigned to a user. * `saved_object` - these are executions triggered by another saved object, like the `alert` saved object. Cases also triggers action execution in `x-pack/plugins/cases/server/client/cases/push.ts`. The source will be saved as the type of the saved object that triggered the action After persisting the source, we also updated the connector exec log to show the source in a new column (hidden by default). <img width="1710" alt="Screenshot 2023-03-01 at 4 12 35 PM" src="https://user-images.githubusercontent.com/13104637/222266192-2877ad2b-0309-408e-ad44-ec37ef597afb.png"> ## To Verify 1. Create a connector and run it via the Test Connector tab 2. Create a rule that will fire an action using the connector and let it run 3. Create a case an assign it to a user (other than yourself) 4. Go to the connector exec log view, add the "Source" column and see that it is populated. You can also inspect the event log docs for `provider: "actions"` and see that `kibana.action.execution.source` is populated. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Resolves #143984
Summary
This PR persists an execution source field to the action event log
execute
document which indicates the source of the action. Currently, we have 3 sources of action execution:http_request
- these are executions triggered from the_execute
route in the actions API. This is used by the test connector functionality in the UI but could also be used directly via curl command. We do not differentiate between the two.notification
- these are executions triggered by the notifications service. currently, this only occurs when a case is assigned to a user.saved_object
- these are executions triggered by another saved object, like thealert
saved object. Cases also triggers action execution inx-pack/plugins/cases/server/client/cases/push.ts
. The source will be saved as the type of the saved object that triggered the actionAfter persisting the source, we also updated the connector exec log to show the source in a new column (hidden by default).
To Verify
provider: "actions"
and see thatkibana.action.execution.source
is populated.