Stop relying on index template for session index #134900
Conversation
legrego
added
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
x-pack/plugins/security/server/session_management/session_index.ts
Outdated
Show resolved
Hide resolved
| /** | ||
| * Creates the session index if it doesn't already exist. | ||
| */ | ||
| private async ensureSessionIndexExists() { |
There was a problem hiding this comment.
note This was extracted from the initialize function above so that it can be reused in the create function.
| @@ -213,17 +209,30 @@ export class SessionIndex { | |||
| 'Attempted to create a new session while session index is initializing.' | |||
| ); | |||
| await this.indexInitialization; | |||
| } else { | |||
| await this.ensureSessionIndexExists(); | |||
There was a problem hiding this comment.
I don't love the extra round-trip that this incurs, but I don't see a way around it given the design of ES's APIs.
|
@azasypkin this is ready for the next round of reviews |
There was a problem hiding this comment.
Looks and works great! Thanks for adding tests to verify all aspects of a new functionality.
No need to change anything is this PR, just wondering if it'd make sense to (eventually) use index alias for the rest of the session operations as well (get, update, invalidate)?
| 'Attempted to create a new session, but session index or alias was missing.' | ||
| ); | ||
| await this.ensureSessionIndexExists(); | ||
| ({ body, statusCode } = await this.writeNewSessionDocument(sessionValue, { |
There was a problem hiding this comment.
nit: statusCode isn't used here
| ({ body, statusCode } = await this.writeNewSessionDocument(sessionValue, { | |
| ({ body } = await this.writeNewSessionDocument(sessionValue, { |
There was a problem hiding this comment.
Looks like you unintentionally returned unused statusCode back 🙂
There was a problem hiding this comment.
Looks like you unintentionally returned unused
statusCodeback 🙂
This is actually required to avoid an eslint error, because both body and statusCode are part of the same let block above. If I remove statusCode here, it complains that statusCode isn't a const above. I could either fix this by reintroducing the unused statusCode reference here, or break up the destructured assignment above into multiple lines. Reintroducing statusCode here felt less bad to me, but I don't feel strongly about this if you would prefer that I change it around.
There was a problem hiding this comment.
This is actually required to avoid an eslint error, because both body and statusCode are part of the same let block above. If I remove statusCode here, it complains that statusCode isn't a const above.
Ahh, I see now, thanks for clarifying! Please, keep it as is then.
| // Prior to https://github.com/elastic/kibana/pull/134900, sessions would be written directly against the session index. | ||
| // Now, we write sessions against a new session index alias. This call ensures that the alias exists, and is attached to the index. | ||
| // This operation is safe to repeat, even if the alias already exists. This seems safer than retrieving the index details, and inspecting | ||
| // it to see if the alias already exists. |
There was a problem hiding this comment.
note: thank you for adding comment! I agree using putAlias feels safer.
x-pack/plugins/security/server/session_management/session_index.test.ts
Outdated
Show resolved
Hide resolved
I was wondering the same thing. If we were writing this from scratch today, would we opt to do this? If so, then I'm happy to attempt these changes as part of this PR. If it turns out to be a lot of work, then I can open a followup issue for one of us to tackle in the future. I can't think of a good reason not to do this, other than "unknown unknowns". |
Co-authored-by: Aleh Zasypkin <[email protected]>
…-session-index-template
I'd say yes.
Sounds good to me, thank you! |
| ignore404: true, | ||
| }); | ||
|
|
||
| if (statusCode === 404) { |
There was a problem hiding this comment.
question: do we handle 404 for updates just to account for a case when the alias is missing, but the index exists? I mean if index doesn't exist then the session we're trying to update doesn't exist either...
There was a problem hiding this comment.
Yes my intention here was to handle the case where we have an index without an alias
There was a problem hiding this comment.
Got it, thanks. We usually retrieve session (via alias now) before we update it, but there is still a possibility for the race condition and handling 404 in update wouldn't hurt anyway 👍
| 'Attempted to create a new session, but session index or alias was missing.' | ||
| ); | ||
| await this.ensureSessionIndexExists(); | ||
| ({ body, statusCode } = await this.writeNewSessionDocument(sessionValue, { |
There was a problem hiding this comment.
Looks like you unintentionally returned unused statusCode back 🙂
| ignore404: true, | ||
| }); | ||
|
|
||
| if (statusCode === 404) { |
There was a problem hiding this comment.
Got it, thanks. We usually retrieve session (via alias now) before we update it, but there is still a possibility for the race condition and handling 404 in update wouldn't hurt anyway 👍
AHHH How did I miss those? 😢 |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
Summary
Resolves #134897
This moves the index settings and mappings into the session index directly, rather than defining them on an index template. This also removes the index template if it already exists.