METRON-939 Elasticsearch ES5 with Xshield client support

[wardbekker]

Contributor Comments

This is a work-in-progress fix for Elasticsearch ES5 with Xshield client support. I'm opening a pull request to work through the remaining issues with the team. To be clear, the aim is discussion only for now, not for actually pulling in the code. @jasper-k verified the patch is working against a ES5.x Xpack enabled cluster.

Open issues in this pull request:

• To have Storm and Elasticsearch 5.x client happily working together it's needed to have a Storm version that is compiled with log4j-core en log4j-api versions 2.8. This is already merged in the Storm sourcecode (see https://issues.apache.org/jira/browse/STORM-2326), however this fix is not shipping with HDP2.5.x. This fix is shipping withing the HDP 2.6 release.
• While the metron-elasticsearch unit and integration tests are working, the ElasticsearchDataPrunerTest from metron-datamanagement are not. It can't seem to initialize ElasticSearch classes (e.g. java.lang.NoClassDefFoundError: Could not initialize class org.elasticsearch.common.ParseField). It seems to be related with this issue: transport client fails in uber jar - no shortHash elastic/elasticsearch#21627 . I could use some help with resolving this.
• The ES server used in the integration test is not using Xpack authentication. I could not find any public reference on creating an x-pack authentication enabled server via their SDK . Xpack authentication is confirmed to work for the Storm Writer bolt, but no integration test can be added until this issue is resolved.
• I've updated the index template for yaf as used in the integration tests to be ES5.x compatible. Other index templates need the same treatment
• ES & Kibana Mpacks are not updated.

[cestella]

Can we parameterize this?

[cestella]

sorry, nvm, I retract. This is in the integration test component.

[cestella]

Thanks for the contribution!

[cestella]

This path should be relative.

[cestella]

Probably want to throw back up a Runtime Exception

[cestella]

We either want to throw up the exception or at least log it with a logger, rather than stdout.

[wardbekker]

Thanks for the review @cestella I've pushed a commit fixing the reported issues. (Again, not for merging)

[wardbekker]

hey @cestella, @simonellistonball, see updated contributor notes. It's not ready for a official pull request, but this gives a good idea on the impact on the code for a working ES5.x implementation.

[JonZeolla]

@wardbekker Can you please merge master and deconflict?

[wardbekker]

@JonZeolla done.

[simonellistonball]

Seems like this is failing on some un-related temporary test failures. Can we get Travis kicked, and see what's left to do on this?

[justinleet]

As a note, this ticket is slightly impacted by the metaalerts backend ticket (#734). The alerts field in the various templates should be removed and the search queries for meta alerts updated according to https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-sort.html#_ignoring_unmapped_fields, in order to allow for searches against metaalerts without having to have an alert field in each template.

[nickwallen]

This functionality was completed in #840. As mentioned in #840 this inspired much of that work. Is there anything else needed from this PR? If not, can you close this PR @wardbekker ?

Thanks

[wardbekker]

agreed @nickwallen