[Security Solution] add package_policy_id to .fleet-policies inputs #137355
Conversation
joeypoon
added
release_note:skip
| const policies = await agentPolicyService.getByIDsAsMap(soClient, agentPolicyIds); | ||
| const fullPolicies = await Promise.all( | ||
| agentPolicyIds.map((agentPolicyId) => | ||
| // TODO: make this a bulk |
There was a problem hiding this comment.
making this a bulk seemed a bit more involved so wanted to get some thoughts on logic so far and whether this would even be needed.
There was a problem hiding this comment.
Taking a bit deeper look at getFullAgentPolicy, using it this way will fetch a few objects that will be re-used across agent policies (outputs, settings, upgrade download source uri), so we could save some round trips to ES in doing these fetches once and re-using them here.
This will likely only be a problem for users that have many thousands of agent policies, which we do have some users who use that many.
That said, this migration is a one time event for users upgrading from <8.5 so I don't want to spend a whole of time refactoring this if we can avoid it. @kpollich what do you think about deferring on optimizing this?
There was a problem hiding this comment.
I'm +1 on deferring those optimizations here with the caveat that we capture essentially what @joshdover has said above in a code comment replacing the current TODO
| refresh: 'wait_for', | ||
| }); | ||
|
|
||
| // TODO: make this a bulk |
There was a problem hiding this comment.
| } | ||
| }) | ||
| ); | ||
| await agentPolicyService.deployPolicies(soClient, outdatedAgentPolicyIds); |
There was a problem hiding this comment.
this change wasn't really necessary but since I took the time to make deployPolicies, I figured it was a quick change 🤷♂️ .
x-pack/plugins/fleet/server/services/setup/upgrade_agent_policy_schema_version.ts
Show resolved
Hide resolved
joeypoon
force-pushed
the
feature/package-policy-id
branch
from
3892256 to
2a77c2f
Compare
|
Pinging @elastic/fleet (Team:Fleet) |
| }, [] as FleetServerPolicy[]); | ||
|
|
||
| const fleetServerPoliciesBulkBody = fleetServerPolicies.flatMap((fleetServerPolicy) => [ | ||
| { index: { _id: uuid() } }, |
There was a problem hiding this comment.
Since this migration could potentially be executed more than once by different Kibana nodes, I think we should use a deterministic ID here to avoid creating duplicate documents in .fleet-policies.
In other places in Kibana, we've used uuid.v5() with an appropriate seed for this. IMO the policy_id and revision_idx fields should be sufficient, something like this:
import uuidv5 from 'uuid/v5';
// ...
{ index: { _id: uuidv5(`${fleetServerPolicy.policy_id}:${fleetServerPolicy.revision_idx}`, uuidv5.DNS) } }We'll then need to handle the error on the esClient.bulk correctly (and maybe log a debug message?)
There was a problem hiding this comment.
makes sense, I'll get this updated.
There was a problem hiding this comment.
Awesome work so far, @joeypoon - I've just left a few comments here and there. I'll review further in depth when @joshdover's requested changes are made.
| soClient: SavedObjectsClientContract, | ||
| ids: string[], | ||
| options: { fields?: string[] } = {} | ||
| ): Promise<{ [id: string]: AgentPolicy }> { |
There was a problem hiding this comment.
I think this function could likely be shortened or possibly replaced by keyBy from Lodash, especially since we only consume this public method in one place. The service methods don't need to be overly concerned with the structure of the results if callers can use transformation utilities directly.
x-pack/plugins/fleet/server/services/setup/upgrade_agent_policy_schema_version.ts
Show resolved
Hide resolved
x-pack/plugins/fleet/server/services/setup/upgrade_agent_policy_schema_version.ts
Show resolved
Hide resolved
| const policies = await agentPolicyService.getByIDsAsMap(soClient, agentPolicyIds); | ||
| const fullPolicies = await Promise.all( | ||
| agentPolicyIds.map((agentPolicyId) => | ||
| // TODO: make this a bulk |
There was a problem hiding this comment.
| // TODO: make this a bulk | |
| // There are some potential performance concerns around using `getFullAgentPolicy` in this context, e.g. | |
| // re-fetching outputs, settings, and upgrade download source URI data for each policy. This could potentially | |
| // be a bottleneck in environments with several thousand agent policies being deployed here. |
joeypoon
force-pushed
the
feature/package-policy-id
branch
from
1050a35 to
cc71d01
Compare
|
@elasticmachine merge upstream |
|
|
||
| import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common/constants'; | ||
|
|
||
| import { lt } from 'semver'; |
There was a problem hiding this comment.
(nit) Can we group this dependency with the other "external package" imports above - e.g. below p-map?
| if (!policy) { | ||
| return acc; | ||
| } |
There was a problem hiding this comment.
Thanks for using a guard clause here - much appreciated 👍
| return [...acc, value]; | ||
| }, [] as BulkResponseItem[]); | ||
|
|
||
| logger.debug(`deployPolicies failed to index: ${JSON.stringify(erroredDocuments)}`); |
There was a problem hiding this comment.
Hmm, super nitpicky here, but could we avoid having the method name in this debug log and lean towards "plain english" logging output? e.g.
logger.debug(`Failed to index documents during policy deployment: ${JSON.stringify(erroredDocuments)}`)
joeypoon
force-pushed
the
feature/package-policy-id
branch
from
b5323fa to
a3a9992
Compare
…-ref HEAD~1..HEAD --fix'
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Saved Objects .kibana field count
History
To update your PR or re-run it, just comment with: |
Summary
Add migration for enriching
.fleet-policies.inputswithpackage_policy_idas discussed in https://github.com/elastic/security-team/issues/3918#issuecomment-1176815273.Checklist
For maintainers