x-pack/filebeat/input/entityanalytics/provider/activedirectory: don't publish unmodified updates #41179
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
efd6
added
Filebeat
botelastic
bot
added
needs_team
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
|
|
mergify
bot
added
the
backport-8.x
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
efd6
force-pushed
the
non-mod-entities
branch
from
73f01b5
to
e87a06f
Compare
To avoid redundant work.
No, it should be added with an update. I will reassess. |
|
/test |
chrisberkhout
requested changes
Oct 15, 2024
There was a problem hiding this comment.
As discussed elsewhere, the way forward here may be to:
- do all the additions from incremental changes
- do the deletes only on full sync
Redundant additions could be skipped during full sync but I think it's better to do them anyway, as a way to periodically recover from missed updates.
| p.logger.Errorw("Error running incremental update", "error", err) | ||
| p.metrics.updateError.Inc() | ||
| } | ||
| p.metrics.updateTotal.Inc() | ||
| p.metrics.updateProcessingTime.Update(time.Since(start).Nanoseconds()) | ||
| updateTimer.Reset(p.cfg.UpdateInterval) | ||
| p.logger.Debugf("Next update expected at: %v", time.Now().Add(p.cfg.UpdateInterval)) | ||
| last = start |
There was a problem hiding this comment.
If time was used I think it would be better to get it from state.whenChanged in order to minimize issues from disagreements between client and server time (specifically, when the server doesn't provide all data up to the time of a request).
There was a problem hiding this comment.
It's a little more subtle than that, but I think I have got what you want in my next change.
|
@chrisberkhout PTAL Requires careful review. |
x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go
Outdated
Show resolved
Hide resolved
chrisberkhout
requested changes
Oct 17, 2024
x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go
Outdated
Show resolved
Hide resolved
x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go
Show resolved
Hide resolved
| @@ -350,7 +351,7 @@ func (p *jamfInput) runFullSync(inputCtx v2.Context, store *kvstore.Store, clien | |||
| // runIncrementalUpdate will run an incremental update. The process is similar | |||
| // to full synchronization, except only users which have changed (newly | |||
| // discovered, modified, or deleted) will be published. | |||
There was a problem hiding this comment.
only users which have changed (newly discovered, modified, or deleted) will be published
I don't see deletes being handled anywhere.
In doFetchComputers it will always fetch everything and return whatever is new or modified compared to the store (unless its a fullSync, in which case it returns nothing).
I don't see any mention of deletes in the GET /api/preview/computers documentation.
efd6
force-pushed
the
non-mod-entities
branch
2 times, most recently
from
ddd9e66
to
9e7674c
Compare
efd6
changed the title
|
This pull request is now in conflicts. Could you fix it? 🙏 |
…: don't publish unmodified updates
This leaves a small window when it is possible to send redundant data, but it is simpler and safer than tightening the bounds.
Only mark users as deleted on the basis of full sync since this is the only time that we can know that a user is absent. Also remove users from the store on close if they have been marked as deleted.
efd6
force-pushed
the
non-mod-entities
branch
from
9e7674c
to
3709f8a
Compare
chrisberkhout
approved these changes
Oct 22, 2024
There was a problem hiding this comment.
Looks good 👍
There's a duplicate line in the changelog.
Also the PR description and changelog could say more clearly what the changed behavior is:
- I think "don't publish unmodified updates" is only happening in that the timestamp handling is improved. It's not actually skipping publication of things received from the server but already known (because the incremental sync doesn't get them and the full sync should to do a full publish anyway).
- The other, more important change is that the old version was deleting anything that didn't appear in the new incremental sync response, and now it will only do the deletions during the full sync and only of things that the server actually doesn't have anymore.
CHANGELOG.next.asciidoc
Outdated
| @@ -164,6 +164,8 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] | |||
| - Fixed failed job handling and removed false-positive error logs in the GCS input. {pull}41142[41142] | |||
| - Bump github.com/elastic/go-sfdc dependency used by x-pack/filebeat/input/salesforce. {pull}41192[41192] | |||
| - Log bad handshake details when websocket connection fails {pull}41300[41300] | |||
| - Don't send redundant documents for non-modified entities in the Jamf and Active Directory entityanalytics input. {pull}41179[41179] | |||
There was a problem hiding this comment.
Suggested change
| - Don't send redundant documents for non-modified entities in the Jamf and Active Directory entityanalytics input. {pull}41179[41179] |
mergify bot
pushed a commit
that referenced
this pull request
Oct 22, 2024
…ve modification time and deletion logic (#41179) This improves the update time stamps of modified events by using the documents' whenChanged fields in the case of returned documents, and the current time when a document is identified as having been deleted. The latest of these is used to determine the time filter for the next Active Directory query. Documents are marked as deleted only when they are found to not exist in full sync collection, and are removed from the state store when they are identified as deleted. The change in behaviour to not use updates to identify corrects behaviour that would cause older but not deleted entities to be deleted from the index. (cherry picked from commit 6b54074) # Conflicts: # x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go
mergify bot
pushed a commit
that referenced
this pull request
Oct 22, 2024
…ve modification time and deletion logic (#41179) This improves the update time stamps of modified events by using the documents' whenChanged fields in the case of returned documents, and the current time when a document is identified as having been deleted. The latest of these is used to determine the time filter for the next Active Directory query. Documents are marked as deleted only when they are found to not exist in full sync collection, and are removed from the state store when they are identified as deleted. The change in behaviour to not use updates to identify corrects behaviour that would cause older but not deleted entities to be deleted from the index. (cherry picked from commit 6b54074)
This was referenced Oct 22, 2024
efd6
added a commit
that referenced
this pull request
Oct 23, 2024
…/activedirectory: don't publish unmodified updates (#41386) * x-pack/filebeat/input/entityanalytics/provider/activedirectory: improve modification time and deletion logic (#41179) This improves the update time stamps of modified events by using the documents' whenChanged fields in the case of returned documents, and the current time when a document is identified as having been deleted. The latest of these is used to determine the time filter for the next Active Directory query. Documents are marked as deleted only when they are found to not exist in full sync collection, and are removed from the state store when they are identified as deleted. The change in behaviour to not use updates to identify corrects behaviour that would cause older but not deleted entities to be deleted from the index. (cherry picked from commit 6b54074) * remove irrelevant changelog entry --------- Co-authored-by: Dan Kortschak <[email protected]>
efd6
added a commit
that referenced
this pull request
Oct 23, 2024
…ve modification time and deletion logic (#41179) This improves the update time stamps of modified events by using the documents' whenChanged fields in the case of returned documents, and the current time when a document is identified as having been deleted. The latest of these is used to determine the time filter for the next Active Directory query. Documents are marked as deleted only when they are found to not exist in full sync collection, and are removed from the state store when they are identified as deleted. The change in behaviour to not use updates to identify corrects behaviour that would cause older but not deleted entities to be deleted from the index. (cherry picked from commit 6b54074) # Conflicts: # x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go
efd6
added a commit
that referenced
this pull request
Oct 23, 2024
…r/activedirectory: improve modification time and deletion logic (#41385) * x-pack/filebeat/input/entityanalytics/provider/activedirectory: improve modification time and deletion logic (#41179) This improves the update time stamps of modified events by using the documents' whenChanged fields in the case of returned documents, and the current time when a document is identified as having been deleted. The latest of these is used to determine the time filter for the next Active Directory query. Documents are marked as deleted only when they are found to not exist in full sync collection, and are removed from the state store when they are identified as deleted. The change in behaviour to not use updates to identify corrects behaviour that would cause older but not deleted entities to be deleted from the index. (cherry picked from commit 6b54074) # Conflicts: # x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go * fix cherry pick failures --------- Co-authored-by: Dan Kortschak <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
See title.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Disruptive User Impact
Author's Checklist
How to test this PR locally
Related issues
Use cases
Screenshots
Logs