Saved Object Mapping for Entity Source Sync Configuration #219680
CAWilson94 merged 69 commits into elastic:main from
Conversation
🎉 Snyk checks have passed. No issues have been found so far.
✅ security/snyk check is complete. No issues have been found.
✅ license/snyk check is complete. No issues have been found.
Pull Request Overview
This PR introduces a new saved object mapping for monitoring entity source configurations to support privileged user monitoring. It defines the saved object mapping schema with key fields and implements a descriptor client to manage these objects while also adding an OpenAPI-generated Zod schema for API type validation.
- Defined mappings for the new saved object type with fields such as type, name, managed, and matchers.
- Implemented a descriptor client for initializing, updating, and querying the monitoring entity source object.
- Added a generated API file for validating the monitoring entity source descriptor.
Reviewed Changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/saved_object/monitoring_entity_source_type.ts | Created a new saved object type with mappings and a model version update. |
| x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/saved_object/monitoring_entity_source.ts | Added a descriptor client for managing the monitoring entity source object. |
| x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/privilege_monitoring/monitoring_entity_source/monitoring_entity_source.gen.ts | Generated Zod schema for type validation of the monitoring entity source descriptor. |
Files not reviewed (1)
- x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/privilege_monitoring/monitoring_entity_source/monitoring_entity_source.schema.yaml: Language not supported
…s; wired in get and create SO via routes and data client; added to context factory and types in secsol
Pull Request Overview
This PR introduces a new saved object mapping and supporting infrastructure (data client and routes) for Monitoring Entity Source Sync Configuration to support Privileged User Monitoring.
- Adds saved object schema, client, and API routes
- Integrates the new data client into the request context and registers it with the existing privilege monitoring routes
- Provides OpenAPI schema and generated types for the configuration
Reviewed Changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| x-pack/solutions/security/plugins/security_solution/server/types.ts | Added import and context method for the new data client |
| x-pack/solutions/security/plugins/security_solution/server/saved_objects.ts | Registered a new saved object type mapping |
| x-pack/solutions/security/plugins/security_solution/server/request_context_factory.ts | Added memoized method to instantiate the new data client |
| x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/saved_object/monitoring_entity_source_type.ts | Defined the saved object mapping for the monitoring entity source |
| x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/saved_object/monitoring_entity_source.ts | Implemented the saved object client for monitoring entity source operations |
| x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/routes/monitoring_entity_source_sync.ts | Added POST and GET API routes for sync configuration |
| x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/monitoring_entity_source_sync_data_client.ts | Provided the data client that wraps saved object operations |
| x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/privilege_monitoring/monitoring_entity_source/monitoring_entity_source.gen.ts | Introduced auto-generated OpenAPI schema and types |
Files not reviewed (1)
- x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/privilege_monitoring/monitoring_entity_source/monitoring_entity_source.schema.yaml: Language not supported
Comments suppressed due to low confidence (1)
x-pack/solutions/security/plugins/security_solution/server/request_context_factory.ts:268
- Consider renaming this function to 'getMonitoringEntitySourceSyncDataClient' to match the naming of the underlying class and reflect the intended naming conventions mentioned in the PR.
getMonitoringEntitySourceDataClient: memoize(() => {
…e to move blockers while debugging joi issues
… src/core/server/integration_tests/ci_checks'
Flaky Test Runner Stats
🟠 Some tests failed. - kibana-flaky-test-suite-runner#8315
[❌] x-pack/test_serverless/functional/test_suites/observability/config.ts: 69/100 tests passed.
… src/core/server/integration_tests/ci_checks'
| "type": "object" | ||
| }, | ||
| "indexPattern": { | ||
| "index": false, |
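Review bot: `"index": false` on `indexPattern` is a one-way choice for this saved object type, because Elasticsearch cannot switch `index` back on for an existing field; making `indexPattern` queryable later would mean adding a new field plus a model version migration. Drop the `"index": false` and either declare the field as a plain `keyword` (if it will be queried) or leave it out of the mappings and rely on `dynamic: false` in the parent object (if it only needs to be stored).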
Using `index: false` is discouraged. Refer to https://docs.elastic.dev/kibana-dev-docs/tutorials/saved-objects to know more:
> Never use `enabled: false` or `index: false` in your mappings. Elasticsearch does not support toggling these mapping options, so if your plugin ever needs to query the data, you will not be able to do so. Since these fields cannot be queried, they would require migrating to a new field and making associated code changes. Instead, use `dynamic: false` which provides the same flexibility while maintaining the future ability to query fields if necessary.
Thanks!
I was trying to change these to using dynamic: false but I am unsure of this use case --
```json
"properties": {
  "fields": {
    "index": false,
    "type": "keyword"
  },
  "values": {
    "index": false,
    "type": "keyword"
  }
},
"type": "object"
},
```
My aim here is to make both matchers.find and matchers.values required and non-searchable. To achieve this, can I change this to something like this, where I rely on the top level - the child attributes should be non-searchable from there?
```json
"properties": {
  "dynamic": false,
  "fields": {
    "type": "keyword"
  },
  "values": {
    "type": "keyword"
  }
},
"type": "object"
},
```
ok I think I have my answer from the docs, this should be good according to the example below:
> export const dashboardVisualization: SavedObjectsType = {
> name: 'dashboard_visualization',
> ...
> mappings: {
> properties: {
> dynamic: false, // ✅ Do this instead
> metadata: {
> // dynamic: false gets inherited from above
> properties: {
> // `created_by` can now be stored but won't be queryable
> }
> },
> // `description` can now be stored but won't be queryable
> }
> }
> };
@hop-dev I have updated to dynamic now :D but quick reference for the mappings - properties I was a bit blocked with. Time to merge? 🥳
hop-dev left a comment
🚀 Just the dynamic: true question to resolve and let's get this merged!
| }, | ||
| indexPattern: { | ||
| type: 'keyword', | ||
| dynamic: false, |
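Review bot: `dynamic: false` on `indexPattern` is invalid here because `dynamic` is an object-level mapping parameter and `indexPattern` is a `keyword` leaf field; Elasticsearch rejects the whole mapping at index creation (the CI error quoted below: unknown parameter [dynamic] on mapper [indexPattern] of type [keyword]). Remove the `dynamic: false,` line, and if the field does not need to be queried, remove the `indexPattern` property entirely and rely on `dynamic: false` in the parent object.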
CI is failing with the following error:
info [o.e.c.m.MetadataCreateIndexService] [node-01] failed on parsing mappings on index creation [.kibana_security_solution_9.1.0_001] org.elasticsearch.index.mapper.MapperParsingException: Failed to parse mapping: unknown parameter [dynamic] on mapper [indexPattern] of type [keyword]
AFAIK, dynamic: false is only compatible with objects, not final fields. Since the parent object already has dynamic: false, I'd recommend that you don't declare the field indexPattern if you don't need to index it for now.
You can always add it later if needed.
The same recommendation applies to the other fields that used to have index: false. If you don't plan on using them to query/aggregate, just don't declare them in the mappings (and make sure that dynamic: false is in the parent object).
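To make the two mapping rules from this review checkable before CI does it, here is an added example (not Kibana's code) of a small lint over a saved-object mapping definition: it flags `index: false` / `enabled: false` anywhere, and `dynamic` on a leaf field such as `keyword`. The "before" and "after" mappings are constructed to mirror the snippets in this thread.

```typescript
// Added example, not Kibana's code: lint a saved-object mapping for the two review findings.
type MappingProperty = {
  type?: string;
  index?: boolean;
  enabled?: boolean;
  dynamic?: boolean | 'strict';
  properties?: Record<string, MappingProperty>;
};
type MappingDefinition = { dynamic?: boolean | 'strict'; properties: Record<string, MappingProperty> };
// `dynamic` is only meaningful on object-like mappers; on a leaf type such as
// keyword Elasticsearch rejects the whole mapping at index creation.
const OBJECT_TYPES = new Set(['object', 'nested']);

function lintMappings(def: MappingDefinition): string[] {
  const problems: string[] = [];
  const walk = (props: Record<string, MappingProperty>, path: string): void => {
    for (const [name, prop] of Object.entries(props)) {
      const here = path ? `${path}.${name}` : name;
      // index:false / enabled:false cannot be toggled back on an existing field
      if (prop.index === false) problems.push(`${here}: index:false cannot be reverted; rely on dynamic:false in the parent`);
      if (prop.enabled === false) problems.push(`${here}: enabled:false cannot be reverted; rely on dynamic:false in the parent`);
      const isObject = prop.type === undefined || OBJECT_TYPES.has(prop.type);
      if (prop.dynamic !== undefined && !isObject) problems.push(`${here}: unknown parameter [dynamic] on mapper of type [${prop.type}]`);
      if (prop.properties) walk(prop.properties, here);
    }
  };
  walk(def.properties, '');
  return problems;
}

// "Before": the shapes the reviewer and CI rejected (constructed to mirror the thread).
const rejectedMapping: MappingDefinition = {
  dynamic: false,
  properties: {
    type: { type: 'keyword' },
    name: { type: 'keyword' },
    managed: { type: 'boolean' },
    indexPattern: { type: 'keyword', dynamic: false },
    matchers: {
      type: 'object',
      properties: { fields: { type: 'keyword', index: false }, values: { type: 'keyword', index: false } },
    },
  },
};
// "After": only queried fields are declared; indexPattern and matchers are still stored,
// just not indexed, because the parent object is dynamic:false.
const correctedMapping: MappingDefinition = {
  dynamic: false,
  properties: { type: { type: 'keyword' }, name: { type: 'keyword' }, managed: { type: 'boolean' } },
};
```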
Thanks for explaining that, that makes more sense knowing we can leave it out if we aren't searching on it.
afharo left a comment
SO changes LGTM. Thanks for iterating and bearing with me.
💔 Build Failed
cc @CAWilson94
… src/core/server/integration_tests/ci_checks'
💛 Build succeeded, but was flaky
cc @CAWilson94
…9680)

## Summary

This PR introduces a new Saved Object mapping for Monitoring Entity Source Configurations to support Privileged User Monitoring.

### ✅ Implemented

* Saved object mapping schema aligned with the [current spec](https://docs.google.com/document/d/1-c6A82p2CCjYz8Mb6tL6R7BXXemQ4mpWZliKqki0SWo/edit?tab=t.0#heading=h.4axxr154e1lc)
* DescriptorClient to handle saved object methods
* OpenAPI schema and generated types
* Implemented Data Client - SO operations exposed via GET and POST API
* Created route and registered with privmonRoutes
* Data Client Unit Testing
* Rename typename of "monitoring_entity_source-sync" -> "entity-analytics-monitoring-entity-source"

[Figma](https://www.figma.com/board/yBr1pBDGu4JqNxb5ZrULtk/MonEntitySourceSyncTask?node-id=0-1&p=f&t=4hQaGsdvOpghi4QS-0) - currently working in the pink box

## Testing Steps:

1. privilegeMonitoringEnabled: true - set this flag
2. From Dev tools - create a saved object via POST (below) and view this saved object via GET (also below):

```
POST kbn:/api/entity_analytics/monitoring/entity_source
{
  "type": "some-type-here",
  "name": "name-here",
  "managed": false,
  "indexPattern": "logs-*",
  "enabled": true,
  "integrationName": "Okta",
  "matchers": [
    {
      "fields": ["user.role"],
      "values": ["admin"]
    }
  ],
  "filter": {}
}
```

**Expected output:**

```
{
  "type": "some-type-here",
  "name": "name-here",
  "managed": false,
  "indexPattern": "logs-*",
  "enabled": true,
  "integrationName": "Okta",
  "matchers": [
    {
      "fields": [
        "user.role"
      ],
      "values": [
        "admin"
      ]
    }
  ],
  "filter": {}
}
```

GET Example

```
GET kbn:/api/entity_analytics/monitoring/entity_source
```

Output for get, expected to be the same as that for POST.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>