Commit Graph

129 Commits

Author SHA1 Message Date
lcawl 1efee66d16 [DOCS] Creates redirects for role management APIs page 2018-08-17 21:55:18 -07:00
Zachary Tong 899e94a29b [Docs] Tweaks and fixes to rollup docs
- Missing links to new IndexCaps API
- Incorrect security permissions on IndexCaps API
- GetJobs API must supply a job (or `_all`), omitting throws error
- Link to search/agg limitations from RollupSearch API
- Tweak URLs in quick reference
- Formatting of overview page
2018-08-17 13:37:11 -04:00
Lisa Cawley c5de9ec79d
[DOCS] Splits the roles API documentation into multiple pages (#32794) 2018-08-17 09:18:08 -07:00
Dimitris Athanasiou 4d2144a2a0
[ML][DOCS] Refer to rules feature as custom rules (#32785) 2018-08-13 14:51:13 +01:00
Zachary Tong fc9fb64ad5
[Rollup] Improve ID scheme for rollup documents (#32558)
Previously, we were using a simple CRC32 for the IDs of rollup documents.
This is a very poor choice however, since 32bit IDs leads to collisions
between documents very quickly.

This commit moves Rollups over to a 128bit ID.  The ID is a concatenation
of all the keys in the document (similar to the rolling CRC before),
hashed with 128bit Murmur3, then base64 encoded.  Finally, the job
ID and a delimiter (`$`) are prepended to the ID.

This gurantees that there are 128bits per-job.  128bits should
essentially remove all chances of collisions, and the prepended
job ID means that _if_ there is a collision, it stays "within"
the job.

BWC notes:

We can only upgrade the ID scheme after we know there has been a good
checkpoint during indexing.  We don't rely on a STARTED/STOPPED
status since we can't guarantee that resulted from a real checkpoint,
or other state.  So we only upgrade the ID after we have reached
a checkpoint state during an active index run, and only after the
checkpoint has been confirmed.

Once a job has been upgraded and checkpointed, the version increments
and the new ID is used in the future.  All new jobs use the
new ID from the start
2018-08-03 11:13:25 -04:00
Dimitris Athanasiou c5140170f7
[ML] Improve error for functions with limited rule condition support (#32548)
Closes #32545
2018-08-01 18:15:46 +01:00
Dimitris Athanasiou b88b3d81c8 [ML][DOCS] Fix typo applied_to => applies_to 2018-07-31 17:00:55 +01:00
lcawl 67a884ec88 [DOCS] Fixes formatting of scope object in job resource 2018-07-26 12:28:26 -07:00
lcawl 6832aa6797 [DOCS] Adds link from bucket_span property to common time units 2018-07-25 08:31:52 -07:00
Dimitris Athanasiou 9a7a649755
[ML][DOCS] Add documentation for detector rules and filters (#32013) 2018-07-25 16:10:32 +01:00
Tim Vernum 387c3c7f1d Introduce Application Privileges with support for Kibana RBAC (#32309)
This commit introduces "Application Privileges" to the X-Pack security
model.

Application Privileges are managed within Elasticsearch, and can be
tested with the _has_privileges API, but do not grant access to any
actions or resources within Elasticsearch. Their purpose is to allow
applications outside of Elasticsearch to represent and store their own
privileges model within Elasticsearch roles.

Access to manage application privileges is handled in a new way that
grants permission to specific application names only. This lays the
foundation for more OLS on cluster privileges, which is implemented by
allowing a cluster permission to inspect not just the action being
executed, but also the request to which the action is applied.
To support this, a "conditional cluster privilege" is introduced, which
is like the existing cluster privilege, except that it has a Predicate
over the request as well as over the action name.

Specifically, this adds
- GET/PUT/DELETE actions for defining application level privileges
- application privileges in role definitions
- application privileges in the has_privileges API
- changes to the cluster permission class to support checking of request
  objects
- a new "global" element on role definition to provide cluster object
  level security (only for manage application privileges)
- changes to `kibana_user`, `kibana_dashboard_only_user` and
  `kibana_system` roles to use and manage application privileges

Closes #29820
Closes #31559
2018-07-24 10:34:46 -06:00
David Kyle 177750719d [DOCS] Rollup Caps API incorrectly mentions GET Jobs API (#32280) 2018-07-24 10:23:13 +01:00
Zachary Tong 791b9b147c
[Rollup] Add new capabilities endpoint for concrete rollup indices (#30401)
This introduces a new GetRollupIndexCaps API which allows the user to retrieve rollup capabilities of a specific rollup index (or index pattern). This is distinct from the existing RollupCaps endpoint.

- Multiple jobs can be stored in multiple indices and point to a single target data index pattern (logstash-*). The existing API finds capabilities/config of all jobs matching that data index pattern.
- One rollup index can hold data from multiple jobs, targeting multiple data index patterns. This new API finds the capabilities based on the concrete rollup indices.
2018-07-16 17:20:50 -04:00
Michael Basnight 637cac9061
Watcher: Store username on watch execution (#31873)
There is currently no way to see what user executed a watch. This commit
adds the decrypted username to each execution in the watch history, in a
new field "user".

Closes #31772
2018-07-16 14:20:16 -05:00
Michael Basnight e85bb734cf
Docs: add security delete role to api call table (#31907) 2018-07-10 11:17:21 -05:00
Hendrik Muhs e9f8442bee
[ML] Return statistics about forecasts as part of the jobsstats and usage API (#31647)
This change adds stats about forecasts, to the jobstats api as well as xpack/_usage. The following 
information is collected:

_xpack/ml/anomaly_detectors/{jobid|_all}/_stats:

 -  total number of forecasts
 -  memory statistics (mean/min/max)
 -  runtime statistics
 -  record statistics
 -  counts by status

_xpack/usage

 -  collected by job status as well as overall (_all):
     -  total number of forecasts
     -  number of jobs that have at least 1 forecast
     -  memory, runtime, record statistics
     -  counts by status

Fixes #31395
2018-07-04 08:15:45 +02:00
Lisa Cawley 438591566f
[DOCS] Add code snippet testing in more ML APIs (#31339) 2018-06-21 11:32:11 -07:00
Lisa Cawley 68ec958873
[DOCS] Move migration APIs to docs (#31473) 2018-06-21 08:19:23 -07:00
Lisa Cawley f012de0f00
[DOCS] Move licensing APIs to docs (#31445) 2018-06-20 08:17:11 -07:00
Lisa Cawley 8fd1f5fbed
[DOCS] Moves the info API to docs (#31121) 2018-06-19 10:33:57 -07:00
Lisa Cawley cfb470429e
[DOCS] Add code snippet testing for more ML APIs (#31404) 2018-06-19 08:49:32 -07:00
Lisa Cawley ea92864eb1
[DOCS] Adds testing for security APIs (#31345) 2018-06-18 08:48:23 -07:00
Tim Brooks 605dbbeabd
Remove trial status info from start trial doc (#31365)
This is related to #31325. There is currently information about the
get-trial-status api on the start-trial api documentation page. It also
has the incorrect route for that api. This commit removes that
information as the start-trial page properly links to a page providing
documenation about get-trial-status.
2018-06-15 12:39:25 -06:00
lcawl 509729f9c1 [DOCS] Shortens ML API intros 2018-06-13 13:43:15 -07:00
Zachary Tong d4262de83a
[Docs] All Rollup docs experimental, agg limitations, clarify DeleteJob (#31299)
- All rollup pages should be marked as experimental instead of just
the top page
- While the job config docs state which aggregations are allowed, adding
a section which specifically details this in one place is more convenient
for the user
- Add a clarification that the DeleteJob API does not delete the rollup
data, just the rollup job.
2018-06-13 15:42:20 -04:00
lcawl 7c05f69c39 [DOCS] Creates rest-api folder in docs 2018-06-05 16:43:55 -07:00
David Roberts 50c34b2a9b
[ML] Reverse engineer Grok patterns from categorization results (#30125)
This change adds a grok_pattern field to the GET categories API
output in ML. It's calculated using the regex and examples in the
categorization result, and applying a list of candidate Grok
patterns to the bits in between the tokens that are considered to
define the category.

This can currently be considered a prototype, as the Grok patterns
it produces are not optimal. However, enough people have said it
would be useful for it to be worthwhile exposing it as experimental
functionality for interested parties to try out.
2018-05-15 09:02:38 +01:00
Tim Brooks 592481e4ed
Require acknowledgement to start_trial license (#30135)
This is related to #30134. It modifies the start_trial action to require
an acknowledgement parameter in the rest request to actually start the
trial license. There are backwards compatibility issues as prior ES
versions did not support this parameter. To handle this, it is assumed
that a request coming from a node prior to 6.3 is acknowledged. And
attempts to write a non-acknowledged request to a prior to 6.3 node will
throw an exception.

Additionally this PR adds messages about the trial license the user is
generating.
2018-04-26 21:42:44 -04:00
Ryan Ernst 2efd22454a Migrate x-pack-elasticsearch source to elasticsearch 2018-04-20 15:29:54 -07:00