[Response Ops][Alerting] Backfill Rule Runs (#177622)

This is the feature branch that contains the following commits. Each individual PR contains a summary and verification instructions. - [Schedule backfill API](#176185) - [Backfill task runner](#177640) - [Get/Find/Delete backfill API](#179975) - [API key invalidation update](#180749) --------- Co-authored-by: kibanamachine <[email protected]>
elastic · Apr 25, 2024 · ee1552f · ee1552f
1 parent 19b0543
commit ee1552f
Show file tree

Hide file tree

Showing 234 changed files with 17,272 additions and 1,136 deletions.
diff --git a/docs/user/security/audit-logging.asciidoc b/docs/user/security/audit-logging.asciidoc
@@ -86,6 +86,10 @@ Refer to the corresponding {es} logs for potential write errors.
 | `unknown` | User is creating a rule.
 | `failure` | User is not authorized to create a rule.
 
+.2+| `ad_hoc_run_create`
+| `unknown` | User is creating an ad hoc run.
+| `failure` | User is not authorized to create an ad hoc run.
+
 .2+| `space_create`
 | `unknown` | User is creating a space.
 | `failure` | User is not authorized to create a space.
@@ -253,6 +257,10 @@ Refer to the corresponding {es} logs for potential write errors.
 | `unknown` | User is deleting a rule.
 | `failure` | User is not authorized to delete a rule.
 
+.2+| `ad_hoc_run_delete`
+| `unknown` | User is deleting an ad hoc run.
+| `failure` | User is not authorized to delete an ad hoc run.
+
 .2+| `space_delete`
 | `unknown` | User is deleting a space.
 | `failure` | User is not authorized to delete a space.
@@ -320,6 +328,18 @@ Refer to the corresponding {es} logs for potential write errors.
 | `success` | User has accessed a rule as part of a search operation.
 | `failure` | User is not authorized to search for rules.
 
+.2+| `rule_schedule_backfill`
+| `success` | User has accessed a rule as part of a backfill schedule operation.
+| `failure` | User is not authorized to access rule for backfill scheduling.
+
+.2+| `ad_hoc_run_get`
+| `success` | User has accessed an ad hoc run.
+| `failure` | User is not authorized to access ad hoc run.
+
+.2+| `ad_hoc_run_find`
+| `success` | User has accessed an ad hoc run as part of a search operation.
+| `failure` | User is not authorized to search for ad hoc runs.
+
 .2+| `space_get`
 | `success` | User has accessed a space.
 | `failure` | User is not authorized to access a space.

diff --git a/packages/core/saved-objects/core-saved-objects-base-server-internal/src/constants.ts b/packages/core/saved-objects/core-saved-objects-base-server-internal/src/constants.ts
@@ -130,6 +130,7 @@ export const DEFAULT_INDEX_TYPES_MAP: IndexTypesMap = {
 export const HASH_TO_VERSION_MAP = {
   'action_task_params|3d1b76c39bfb2cc8296b024d73854724': '10.0.0',
   'action|0be88ebcc8560a075b6898236a202eb1': '10.0.0',
+  'ad_hoc_run_params|6aa8806a2e27d3be492a1da0d7721845': '10.0.0',
   'alert|96a5a144778243a9f4fece0e71c2197f': '10.0.0',
   'api_key_pending_invalidation|16f515278a295f6245149ad7c5ddedb7': '10.0.0',
   'apm-custom-dashboards|561810b957ac3c09fcfc08f32f168e97': '10.0.0',

diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts
@@ -20,6 +20,7 @@ import {
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
+  ALERT_RULE_EXECUTION_TIMESTAMP,
   ALERT_RULE_EXECUTION_UUID,
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
@@ -118,6 +119,11 @@ export const alertFieldMap = {
     array: false,
     required: true,
   },
+  [ALERT_RULE_EXECUTION_TIMESTAMP]: {
+    type: 'date',
+    array: false,
+    required: false,
+  },
   [ALERT_RULE_EXECUTION_UUID]: {
     type: 'keyword',
     array: false,

diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts
@@ -94,6 +94,7 @@ const AlertOptional = rt.partial({
   'kibana.alert.last_detected': schemaDate,
   'kibana.alert.maintenance_window_ids': schemaStringArray,
   'kibana.alert.reason': schemaString,
+  'kibana.alert.rule.execution.timestamp': schemaDate,
   'kibana.alert.rule.execution.uuid': schemaString,
   'kibana.alert.rule.parameters': schemaUnknown,
   'kibana.alert.rule.tags': schemaStringArray,

diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts
@@ -159,6 +159,7 @@ const SecurityAlertOptional = rt.partial({
   'kibana.alert.rule.created_by': schemaString,
   'kibana.alert.rule.description': schemaString,
   'kibana.alert.rule.enabled': schemaString,
+  'kibana.alert.rule.execution.timestamp': schemaDate,
   'kibana.alert.rule.execution.uuid': schemaString,
   'kibana.alert.rule.from': schemaString,
   'kibana.alert.rule.immutable': schemaStringArray,

diff --git a/packages/kbn-check-mappings-update-cli/current_fields.json b/packages/kbn-check-mappings-update-cli/current_fields.json
@@ -4,6 +4,15 @@
     "name"
   ],
   "action_task_params": [],
+  "ad_hoc_run_params": [
+    "apiKeyId",
+    "createdAt",
+    "end",
+    "rule",
+    "rule.alertTypeId",
+    "rule.consumer",
+    "start"
+  ],
   "alert": [
     "actions",
     "actions.actionRef",

diff --git a/packages/kbn-check-mappings-update-cli/current_mappings.json b/packages/kbn-check-mappings-update-cli/current_mappings.json
@@ -19,6 +19,33 @@
     "dynamic": false,
     "properties": {}
   },
+  "ad_hoc_run_params": {
+    "dynamic": false,
+    "properties": {
+      "apiKeyId": {
+        "type": "keyword"
+      },
+      "createdAt": {
+        "type": "date"
+      },
+      "end": {
+        "type": "date"
+      },
+      "rule": {
+        "properties": {
+          "alertTypeId": {
+            "type": "keyword"
+          },
+          "consumer": {
+            "type": "keyword"
+          }
+        }
+      },
+      "start": {
+        "type": "date"
+      }
+    }
+  },
   "alert": {
     "dynamic": false,
     "properties": {

diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts
@@ -82,6 +82,9 @@ const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
 // kibana.alert.rule.consumer - consumer for rule that generated this alert
 const ALERT_RULE_CONSUMER = `${ALERT_RULE_NAMESPACE}.consumer` as const;
 
+// kibana.alert.rule.execution.timestamp - timestamp of the rule execution that generated this alert
+const ALERT_RULE_EXECUTION_TIMESTAMP = `${ALERT_RULE_NAMESPACE}.execution.timestamp` as const;
+
 // kibana.alert.rule.execution.uuid - unique ID for the rule execution that generated this alert
 const ALERT_RULE_EXECUTION_UUID = `${ALERT_RULE_NAMESPACE}.execution.uuid` as const;
 
@@ -129,6 +132,7 @@ const fields = {
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
+  ALERT_RULE_EXECUTION_TIMESTAMP,
   ALERT_RULE_EXECUTION_UUID,
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
@@ -170,6 +174,7 @@ export {
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
+  ALERT_RULE_EXECUTION_TIMESTAMP,
   ALERT_RULE_EXECUTION_UUID,
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,

diff --git a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
@@ -57,6 +57,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
       Object {
         "action": "cc93fe2c0c76e57c2568c63170e05daea897c136",
         "action_task_params": "96e27e7f4e8273ffcd87060221e2b75e81912dd5",
+        "ad_hoc_run_params": "d4e3c5c794151d0a4f5c71e886b2aa638da73ad2",
         "alert": "3a67d3f1db80af36bd57aaea47ecfef87e43c58f",
         "api_key_pending_invalidation": "1399e87ca37b3d3a65d269c924eda70726cfe886",
         "apm-custom-dashboards": "b67128f78160c288bd7efe25b2da6e2afd5e82fc",

diff --git a/src/core/server/integration_tests/saved_objects/migrations/group3/type_registrations.test.ts b/src/core/server/integration_tests/saved_objects/migrations/group3/type_registrations.test.ts
@@ -13,6 +13,7 @@ import { createRoot } from '@kbn/core-test-helpers-kbn-server';
 const previouslyRegisteredTypes = [
   'action',
   'action_task_params',
+  'ad_hoc_run_params',
   'alert',
   'api_key_pending_invalidation',
   'apm-custom-dashboards',

diff --git a/src/core/server/integration_tests/saved_objects/migrations/group5/dot_kibana_split.test.ts b/src/core/server/integration_tests/saved_objects/migrations/group5/dot_kibana_split.test.ts
@@ -179,6 +179,7 @@ describe('split .kibana index into multiple system indices', () => {
           ".kibana": Array [
             "action",
             "action_task_params",
+            "ad_hoc_run_params",
             "alert",
             "api_key_pending_invalidation",
             "apm-custom-dashboards",

diff --git a/x-pack/plugins/alerting/README.md b/x-pack/plugins/alerting/README.md
@@ -692,6 +692,8 @@ When a user is granted the `read` role in the Alerting Framework, they will be a
 - `getAlertSummary`
 - `getExecutionLog`
 - `find`
+- `findBackfill`
+- `getBackfill`
 
 When a user is granted the `all` role in the Alerting Framework, they will be able to execute all of the `read` privileged api calls, but in addition they'll be granted the following calls:
 
@@ -705,6 +707,8 @@ When a user is granted the `all` role in the Alerting Framework, they will be ab
 - `unmuteAll`
 - `muteAlert`
 - `unmuteAlert`
+- `scheduleBackfill`
+- `deleteBackfill`
 
 Finally, all users, whether they're granted any role or not, are privileged to call the following:
 

diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
@@ -261,6 +261,9 @@ describe('mappingFromFieldMap', () => {
                     },
                     execution: {
                       properties: {
+                        timestamp: {
+                          type: 'date',
+                        },
                         uuid: {
                           type: 'keyword',
                         },

diff --git a/x-pack/plugins/alerting/common/constants/ad_hoc_run_status.ts b/x-pack/plugins/alerting/common/constants/ad_hoc_run_status.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const adHocRunStatus = {
+  COMPLETE: 'complete',
+  PENDING: 'pending',
+  RUNNING: 'running',
+  ERROR: 'error',
+  TIMEOUT: 'timeout',
+} as const;
+export type AdHocRunStatus = typeof adHocRunStatus[keyof typeof adHocRunStatus];
diff --git a/x-pack/plugins/alerting/common/constants/backfill.ts b/x-pack/plugins/alerting/common/constants/backfill.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const MAX_SCHEDULE_BACKFILL_BULK_SIZE = 100;
diff --git a/x-pack/plugins/alerting/common/constants/index.ts b/x-pack/plugins/alerting/common/constants/index.ts
@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type { AdHocRunStatus } from './ad_hoc_run_status';
+export { adHocRunStatus } from './ad_hoc_run_status';
+export { MAX_SCHEDULE_BACKFILL_BULK_SIZE } from './backfill';
+export { PLUGIN } from './plugin';
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/delete/index.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/delete/index.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { deleteParamsSchema } from './schemas/latest';
+export type { DeleteBackfillRequestParams } from './types/latest';
+
+export { deleteParamsSchema as deleteParamsSchemaV1 } from './schemas/v1';
+export type { DeleteBackfillRequestParams as DeleteBackfillRequestParamsV1 } from './types/v1';
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/delete/schemas/latest.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/delete/schemas/latest.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './v1';
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/delete/schemas/v1.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/delete/schemas/v1.ts
@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { schema } from '@kbn/config-schema';
+
+export const deleteParamsSchema = schema.object({
+  id: schema.string(),
+});
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/delete/types/latest.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/delete/types/latest.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './v1';
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/delete/types/v1.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/delete/types/v1.ts
@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { TypeOf } from '@kbn/config-schema';
+import { deleteParamsSchemaV1 } from '..';
+
+export type DeleteBackfillRequestParams = TypeOf<typeof deleteParamsSchemaV1>;
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/find/index.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/find/index.ts
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { findQuerySchema, findResponseSchema } from './schemas/latest';
+export type {
+  FindBackfillRequestQuery,
+  FindBackfillResponseBody,
+  FindBackfillResponse,
+} from './types/latest';
+
+export {
+  findQuerySchema as findQuerySchemaV1,
+  findResponseSchema as findResponseSchemaV1,
+} from './schemas/v1';
+export type {
+  FindBackfillRequestQuery as FindBackfillRequestQueryV1,
+  FindBackfillResponseBody as FindBackfillResponseBodyV1,
+  FindBackfillResponse as FindBackfillResponseV1,
+} from './types/v1';
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/find/schemas/latest.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/find/schemas/latest.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './v1';
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/find/schemas/v1.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/find/schemas/v1.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { schema } from '@kbn/config-schema';
+import { backfillResponseSchemaV1 } from '../../../response';
+
+export const findQuerySchema = schema.object(
+  {
+    end: schema.maybe(schema.string()),
+    page: schema.number({ defaultValue: 1, min: 1 }),
+    per_page: schema.number({ defaultValue: 10, min: 0 }),
+    rule_ids: schema.maybe(schema.string()),
+    start: schema.maybe(schema.string()),
+    sort_field: schema.maybe(schema.oneOf([schema.literal('createdAt'), schema.literal('start')])),
+    sort_order: schema.maybe(schema.oneOf([schema.literal('asc'), schema.literal('desc')])),
+  },
+  {
+    validate({ start, end }) {
+      if (start) {
+        const parsedStart = Date.parse(start);
+        if (isNaN(parsedStart)) {
+          return `[start]: query start must be valid date`;
+        }
+      }
+      if (end) {
+        const parsedEnd = Date.parse(end);
+        if (isNaN(parsedEnd)) {
+          return `[end]: query end must be valid date`;
+        }
+      }
+    },
+  }
+);
+
+export const findResponseSchema = schema.object({
+  page: schema.number(),
+  per_page: schema.number(),
+  total: schema.number(),
+  data: schema.arrayOf(backfillResponseSchemaV1),
+});
diff --git a/x-pack/plugins/alerting/common/routes/backfill/apis/find/types/latest.ts b/x-pack/plugins/alerting/common/routes/backfill/apis/find/types/latest.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './v1';