[RAM] add the must/must_not/should in the alert search strategy #179775
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
XavierM
added
bug
|
Pinging @elastic/response-ops (Team:ResponseOps) |
maryam-saeidi
approved these changes
Apr 2, 2024
| strategy: 'privateRuleRegistryAlertsSearchStrategy', | ||
| space: 'default', | ||
| }); | ||
| expect(result.rawResponse.hits.total).to.eql(0); |
There was a problem hiding this comment.
nit: Maybe we can have a test to ensure should or must query is applied correctly and the number of retrieved items is what we expect. (something other than zero.)
There was a problem hiding this comment.
When the must and filter will be together. ES will return no hits!
There was a problem hiding this comment.
here the explanation between the difference attribute ine the query -> https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-bool-query.html
and here a good example taht I found
The should clause of the bool query is for optional search criteria. Let's say you are looking for hotels and would prefer for the hotel to have a swimming pool, but you would also like to see hotels without a swimming pool in the search results, then the query for swimming pool would be in the should clause. Elasticsearch will give the documents that match more should queries a higher score, so those documents will be ranked higher in the search results.
When you only have a should clause (as in your first query), then at least one of the should clauses must match for a document to be considered a hit.
When you combine a should clause with a filter than all should clauses are optional, so even documents that only match the filter will be returned. You can change that behavior by [setting minimum_should_match 573](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-minimum-should-match.html) on the bool query. You could set that for example to 1 to make it mandatory for at least one should clause to match
💚 Build Succeeded
Metrics [docs]
To update your PR or re-run it, just comment with: |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Apr 3, 2024
…tic#179775) ## Summary We realized that the filter from the search bar is NOT using `must`, `must_not` and `should` in the elastic search `query`. When we created our search strategy for alerts, we only supported the `filter` parameter to make sure, we won't by pass our rbac filter on top of the alerts. We think that we can open this different parameters now after few testing. We created API test integration to validate that we won't broken our RBAC filter with these new params + I did few test in the dev tools like ``` PUT /my-index { "settings": { "number_of_shards": 1 }, "mappings": { "properties": { "pet": { "type": "text" } } } } POST my-index/_doc/ { "pet": "cat" } POST my-index/_doc/ { "pet": "dog" } POST my-index/_doc/ { "pet": "bird" } ``` Then, we did few tests like ``` ### MUST query POST test/_search { "query": { "bool": { "filter": [ { "terms": { "pet": [ "cat" ] } } ], "must": [ { "terms": { "pet": [ "bird" ] } } ] } } } ### Response { "took": 0, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 0, "relation": "eq" }, "max_score": null, "hits": [] } } ``` ``` ### MUST_NOT query PUT /test { "settings": { "number_of_shards": 1 }, "mappings": { "properties": { "pet": { "type": "text" } } } } POST test/_search { "query": { "bool": { "filter": [ { "terms": { "pet": [ "cat" ] } } ], "must_not": [ { "terms": { "pet": [ "cat" ] } } ] } } } ### Response { "took": 0, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 0, "relation": "eq" }, "max_score": null, "hits": [] } } ``` ``` ### SHOULD query POST test/_search { "query": { "bool": { "filter": [ { "terms": { "pet": [ "cat" ] } } ], "should": [ { "terms": { "pet": [ "bird" ] } } ] } } } ### Response { "took": 0, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 1, "relation": "eq" }, "max_score": 0, "hits": [ { "_index": "test", "_id": "1", "_score": 0, "_source": { "pet": "cat" } } ] } } ``` ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 538a10b)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Apr 3, 2024
#179775) (#179929) # Backport This will backport the following commits from `main` to `8.13`: - [[RAM] add the must/must_not/should in the alert search strategy (#179775)](#179775) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Xavier Mouligneau","email":"xavier.mouligneau@elastic.co"},"sourceCommit":{"committedDate":"2024-04-03T13:08:51Z","message":"[RAM] add the must/must_not/should in the alert search strategy (#179775)\n\n## Summary\r\n\r\nWe realized that the filter from the search bar is NOT using `must`,\r\n`must_not` and `should` in the elastic search `query`. When we created\r\nour search strategy for alerts, we only supported the `filter` parameter\r\nto make sure, we won't by pass our rbac filter on top of the alerts. We\r\nthink that we can open this different parameters now after few testing.\r\n\r\nWe created API test integration to validate that we won't broken our\r\nRBAC filter with these new params + I did few test in the dev tools like\r\n```\r\nPUT /my-index\r\n{\r\n \"settings\": {\r\n \"number_of_shards\": 1\r\n },\r\n \"mappings\": {\r\n \"properties\": {\r\n \"pet\": { \"type\": \"text\" }\r\n }\r\n }\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"cat\"\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"dog\"\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"bird\"\r\n}\r\n```\r\n\r\nThen, we did few tests like\r\n```\r\n### MUST query\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"must\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"bird\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 0,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": null,\r\n \"hits\": []\r\n }\r\n}\r\n```\r\n\r\n```\r\n### MUST_NOT query\r\nPUT /test\r\n{\r\n \"settings\": {\r\n \"number_of_shards\": 1\r\n },\r\n \"mappings\": {\r\n \"properties\": {\r\n \"pet\": { \"type\": \"text\" }\r\n }\r\n }\r\n}\r\n\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"must_not\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 0,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": null,\r\n \"hits\": []\r\n }\r\n}\r\n```\r\n\r\n\r\n```\r\n### SHOULD query\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"should\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"bird\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 1,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": 0,\r\n \"hits\": [\r\n {\r\n \"_index\": \"test\",\r\n \"_id\": \"1\",\r\n \"_score\": 0,\r\n \"_source\": {\r\n \"pet\": \"cat\"\r\n }\r\n }\r\n ]\r\n }\r\n}\r\n```\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"538a10b85de66ccf08371ba89c01cf9e7495f7ba","branchLabelMapping":{"^v8.14.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:ResponseOps","v8.14.0","v8.13.1"],"title":"[RAM] add the must/must_not/should in the alert search strategy","number":179775,"url":"https://github.com/elastic/kibana/pull/179775","mergeCommit":{"message":"[RAM] add the must/must_not/should in the alert search strategy (#179775)\n\n## Summary\r\n\r\nWe realized that the filter from the search bar is NOT using `must`,\r\n`must_not` and `should` in the elastic search `query`. When we created\r\nour search strategy for alerts, we only supported the `filter` parameter\r\nto make sure, we won't by pass our rbac filter on top of the alerts. We\r\nthink that we can open this different parameters now after few testing.\r\n\r\nWe created API test integration to validate that we won't broken our\r\nRBAC filter with these new params + I did few test in the dev tools like\r\n```\r\nPUT /my-index\r\n{\r\n \"settings\": {\r\n \"number_of_shards\": 1\r\n },\r\n \"mappings\": {\r\n \"properties\": {\r\n \"pet\": { \"type\": \"text\" }\r\n }\r\n }\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"cat\"\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"dog\"\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"bird\"\r\n}\r\n```\r\n\r\nThen, we did few tests like\r\n```\r\n### MUST query\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"must\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"bird\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 0,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": null,\r\n \"hits\": []\r\n }\r\n}\r\n```\r\n\r\n```\r\n### MUST_NOT query\r\nPUT /test\r\n{\r\n \"settings\": {\r\n \"number_of_shards\": 1\r\n },\r\n \"mappings\": {\r\n \"properties\": {\r\n \"pet\": { \"type\": \"text\" }\r\n }\r\n }\r\n}\r\n\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"must_not\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 0,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": null,\r\n \"hits\": []\r\n }\r\n}\r\n```\r\n\r\n\r\n```\r\n### SHOULD query\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"should\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"bird\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 1,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": 0,\r\n \"hits\": [\r\n {\r\n \"_index\": \"test\",\r\n \"_id\": \"1\",\r\n \"_score\": 0,\r\n \"_source\": {\r\n \"pet\": \"cat\"\r\n }\r\n }\r\n ]\r\n }\r\n}\r\n```\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"538a10b85de66ccf08371ba89c01cf9e7495f7ba"}},"sourceBranch":"main","suggestedTargetBranches":["8.13"],"targetPullRequestStates":[{"branch":"main","label":"v8.14.0","branchLabelMappingKey":"^v8.14.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/179775","number":179775,"mergeCommit":{"message":"[RAM] add the must/must_not/should in the alert search strategy (#179775)\n\n## Summary\r\n\r\nWe realized that the filter from the search bar is NOT using `must`,\r\n`must_not` and `should` in the elastic search `query`. When we created\r\nour search strategy for alerts, we only supported the `filter` parameter\r\nto make sure, we won't by pass our rbac filter on top of the alerts. We\r\nthink that we can open this different parameters now after few testing.\r\n\r\nWe created API test integration to validate that we won't broken our\r\nRBAC filter with these new params + I did few test in the dev tools like\r\n```\r\nPUT /my-index\r\n{\r\n \"settings\": {\r\n \"number_of_shards\": 1\r\n },\r\n \"mappings\": {\r\n \"properties\": {\r\n \"pet\": { \"type\": \"text\" }\r\n }\r\n }\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"cat\"\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"dog\"\r\n}\r\n\r\nPOST my-index/_doc/\r\n{\r\n \"pet\": \"bird\"\r\n}\r\n```\r\n\r\nThen, we did few tests like\r\n```\r\n### MUST query\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"must\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"bird\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 0,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": null,\r\n \"hits\": []\r\n }\r\n}\r\n```\r\n\r\n```\r\n### MUST_NOT query\r\nPUT /test\r\n{\r\n \"settings\": {\r\n \"number_of_shards\": 1\r\n },\r\n \"mappings\": {\r\n \"properties\": {\r\n \"pet\": { \"type\": \"text\" }\r\n }\r\n }\r\n}\r\n\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"must_not\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 0,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": null,\r\n \"hits\": []\r\n }\r\n}\r\n```\r\n\r\n\r\n```\r\n### SHOULD query\r\nPOST test/_search\r\n{\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"cat\"\r\n ]\r\n }\r\n }\r\n ],\r\n \"should\": [\r\n {\r\n \"terms\": {\r\n \"pet\": [\r\n \"bird\"\r\n ]\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n\r\n### Response\r\n{\r\n \"took\": 0,\r\n \"timed_out\": false,\r\n \"_shards\": {\r\n \"total\": 1,\r\n \"successful\": 1,\r\n \"skipped\": 0,\r\n \"failed\": 0\r\n },\r\n \"hits\": {\r\n \"total\": {\r\n \"value\": 1,\r\n \"relation\": \"eq\"\r\n },\r\n \"max_score\": 0,\r\n \"hits\": [\r\n {\r\n \"_index\": \"test\",\r\n \"_id\": \"1\",\r\n \"_score\": 0,\r\n \"_source\": {\r\n \"pet\": \"cat\"\r\n }\r\n }\r\n ]\r\n }\r\n}\r\n```\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"538a10b85de66ccf08371ba89c01cf9e7495f7ba"}},{"branch":"8.13","label":"v8.13.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
We realized that the filter from the search bar is NOT using
must,must_notandshouldin the elastic searchquery. When we created our search strategy for alerts, we only supported thefilterparameter to make sure, we won't by pass our rbac filter on top of the alerts. We think that we can open this different parameters now after few testing.We created API test integration to validate that we won't broken our RBAC filter with these new params + I did few test in the dev tools like
Then, we did few tests like
Checklist