[Security Solution] Rule find requests failing due to migration error #198647

xcrzx · 2024-11-01T09:48:43Z

Summary

Requests to /kbn/internal/alerting/rules/_find fail when called with the fields param. This occurs when documents created under the first rule model version are read after another rule model version is added. Migration fails as a result of the attempt to migrate a partial document due to the fields parameter in the find API.

Steps to Reproduce

Create rules under the first rule model version.
Introduce the second rule model version. Here's the second model version introduced by ResponseOps: https://github.com/elastic/kibana/pull/190019/files#diff-12c3ecfb676c8d71cfbd3ca6e4ce29223604dfa58d35a3a108ee6399da34f8da
Attempt a find API call with specified fields (e.g., this call used on the rules management table).
Observe 500 Server Error due to failed migration

Root Cause

The fields parameter in the find API limits document fields read from ES:

kibana/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/apis/find.ts

Line 188 in 343e43d

_source: includedFields(allowedTypes, fields),
Migration helpers expect a full document, leading to failure if partial data is provided:

kibana/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/apis/helpers/migration.ts

Line 71 in 343e43d

return this.migrator.migrateDocument(doc, { allowDowngrade: true }) as SavedObject<T>;
The error message is: Failed to migrate document to the latest version.: [name]: expected value of type [string] but got [undefined]

Proposed Solution

To mitigate the problem short-term we can remove the fields param from the find request
Consider either disabling migration on partial reads or enforcing a full read before migration.
Another potential approach is modifying the find API to include all required fields when performing migrations.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2024-11-01T09:48:46Z

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine · 2024-11-01T09:48:46Z

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine · 2024-11-01T09:48:46Z

Pinging @elastic/security-solution (Team: SecuritySolution)

xcrzx · 2024-11-01T11:46:54Z

Lowering the impact as the error is only reproducible during down migrations, not up.

Will be fixed on the Core side: #198655

xcrzx added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. and removed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. labels Nov 1, 2024

xcrzx closed this as completed Nov 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security Solution] Rule find requests failing due to migration error #198647

[Security Solution] Rule find requests failing due to migration error #198647

xcrzx commented Nov 1, 2024

elasticmachine commented Nov 1, 2024

elasticmachine commented Nov 1, 2024

elasticmachine commented Nov 1, 2024

xcrzx commented Nov 1, 2024 •

edited

Loading

[Security Solution] Rule find requests failing due to migration error #198647

[Security Solution] Rule find requests failing due to migration error #198647

Comments

xcrzx commented Nov 1, 2024

Summary

Steps to Reproduce

Root Cause

Proposed Solution

elasticmachine commented Nov 1, 2024

elasticmachine commented Nov 1, 2024

elasticmachine commented Nov 1, 2024

xcrzx commented Nov 1, 2024 • edited Loading

xcrzx commented Nov 1, 2024 •

edited

Loading