[APM] Annotations API

[dgieselaar]

Closes #58320.

I've scoped this down a bit to make sure we get this in for 7.8. Mainly, I'm focused on enabling deployment annotations for APM. I'm deviating from the original issue in a couple of places:

• No public search API. There isn't really a public use case right now (that I know of), and users could always fall back to searching the index directly.
• annotation.content and annotation.tags have moved to the ECS fields message and tags
• The index is not created on startup, as the kibana_system user does not have the appropriate permissions. Instead, the index is created on-the-fly when an annotation is indexed, with the credentials of the user that has triggered the request. This has the added benefit of not creating an index when the user doesn't plan on using annotations.

Rough outline

• Adds a server plugin for Observability.
• This plugin exposes a factory function that will return an annotations client when annotations are enabled (and by default they are).
• The annotations client takes care of searching, creating and deleting annotations.
• The Observability server plugin exposes three (untagged) API endpoints, for creating an annotation, and searching or deleting by id. These endpoints can be accessed from outside of Kibana via API keys or basic auth.
• When an annotation is created, the index is created on the fly with the requesting user's privileges.
• Searching for annotations will currently only return the first page, and size is configurable. No pagination is possible.
• The APM server plugin adds an optional dependency on the Observability server plugin, and adds another endpoint POST /api/apm/services/{serviceName}/annotation that will use the annotations client to create an annotation. It will prefill/override certain fields, like annotation.type, tags and service.name.
• When the APM App requests annotations, two requests will run in parallel: one that will get the derived deployment annotations, as we have today, and another to get the persisted annotations. If there are any persisted annotations, it will only show those.

[dgieselaar]

this deletes a document, not an index, so I've added the correct type.

[dgieselaar]

This is what we previously had (derived annotations), moved to separate file.

[dgieselaar]

I might change this to something that will start both requests, but return as soon as the stored annotations are resolved. The aggregation to get the derived annotations can be quite costly.

[dgieselaar]

done

[dgieselaar]

Users can easily work around this by writing to the index directly, but I wanted to keep things consistent with the agent config APIs. Thoughts?

[sorenlouv]

Thoughts around the security model? I think this is good. Now at least it's possible to lock down the index and only give api access.

[sorenlouv]

... oh, you can pass in tags.. yeah not sure I understand that part.

[dgieselaar]

you mean tags on an annotation? or tags on the route?

[sorenlouv]

Disregard the above comments. tags for annotations make sense 👍

[dgieselaar]

This needs some work I think. Open to suggestions to make it better.

[sorenlouv]

Perhaps extract everything related to the API into a create_anotations_api.ts so it's clear that bootstrap_annotations.ts creates the API and a returns a client as well.

[dgieselaar]

moved it into register_annotation_apis (named it as such to distinguish it from create_annotations_client)

[dgieselaar]

this file was moved from apm to observability.

[dgieselaar]

Right now this is just a thin wrapper around _search. I've added it because we are planning on querying multiple sources in the near future (for instance, the event log). I was talking to @sqren about this and we wonder if we should even have it, or expect consumers of annotations to query the index directly. Having validation when indexing documents is definitely valuable but do we need a (limiting) abstraction around searching as well?

[sorenlouv]

I think it's better to remove it until there is a need.

[dgieselaar]

removed, APM now talks to ES directly to get the stored annotations

[cauemarcondes]

Can't you do it like this?

Suggested change

	let annotationsClient: ScopedAnnotationsClient | undefined;
	const annotationsClient = await context.plugins.observability?.getScopedAnnotationsClient(
	request
	);

[dgieselaar]

Changed, thanks!

[andrewvc]

I'm very excited about annotations! I haven't had a chance to do a deep dive into the code, but I do have some security related questions:

Is this space aware at all? Have we discussed the security considerations for annotations made in one space being viewable in another? Were saved objects ruled out here?

Is it correct that we will need to update our security docs to include index creation permissions for Kibana observability users?

[dgieselaar]

@andrewvc It's not space-aware at this point. Saved objects were considered, but if I remember correctly, ECS compatibility and ILM possibilities were some of the reasons why we decided to go with a custom index. Another one could be ease of querying.

Indeed documentation should be updated, I'll make sure to sync with @bmorelli25 about what needs to be updated where.

[sorenlouv]

I know this was not introduced in this PR but...
it seems wrong to fetch annotations data here. The responsibility of ChartsSyncContext was simply to keep the hover state in sync between multiple charts.

What about pulling the annotations fetching out to a separate hook and call it where needed? I suspect it's only two places:

• kibana/x-pack/plugins/apm/public/components/shared/charts/TransactionCharts/TransactionLineChart/index.tsx

  Line 45 in 7002fa8

  const syncedChartsProps = useChartsSync();

• kibana/x-pack/plugins/apm/public/components/shared/charts/MetricsChart/index.tsx

  Line 40 in 7002fa8

  const syncedChartProps = useChartsSync();

[dgieselaar]

I've thought about this for a bit but I'm not sold. To me, ChartsSyncContext is just a place where we store state common to all charts. I'm not sure if splitting this up would improve things, sounds easy to forget. Do you have any specific concerns, other than responsibility?

[sorenlouv]

This should be the default so should not matter

[dgieselaar]

The default is 10000 rather than false. See the responses for not setting it and setting it to false:

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [ ]
  }
}

vs

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "max_score" : null,
    "hits" : [ ]
  }
}

I'll remove it though, it won't make any significant difference in terms of performance.

[sorenlouv]

ah, didn't think about that. Good point 👍

[sorenlouv]

I think this would be a lot simpler to read:

[
    { term: { [PROCESSOR_EVENT]: 'transaction' } },
    { term: { [SERVICE_NAME]: serviceName } },
    { term: { [SERVICE_VERSION]: version } }
]

(I ❤️ boring, repetitive code )

[dgieselaar]

I've now also added slightly more complicated handling of the environment filter. I'll simplify this to two concats, LMK what you think.

[sorenlouv]

Do you mind flipping this around. Putting the short branch first makes it possible to understand the full picture immediately and dedent the second branch

  if (versions.length === 0) {
    return { annotations: [] };
  }

I secretly call the other approach "cliffhanger-code" because I feel like I have to cheat when I jump to the bottom to figure out the ending :p

[sorenlouv]

Not needed (afaik)

[sorenlouv]

Perhaps add a comment here that explains what a derived annotation is (compared to a normal annotation)

[dgieselaar]

done

[sorenlouv]

don't we normally call this timestamp? or timestamp.us to indicate the precision?

[dgieselaar]

changed to @timestamp

[sorenlouv]

It's quite hard to read - perhaps extract mappings

[dgieselaar]

done

[sorenlouv]

Faking an ES response like this feels wrong.

[dgieselaar]

removed (along with the search method)

[sorenlouv]

Could it have unintended consequences to update the mappings every time an annotation is created ?

[dgieselaar]

I'll add a indices.exists call before.

[sorenlouv]

I think splitting it into two lines will make it look more familiar to most people.

Suggested change

	this.initContext.logger.get('annotations').warn(err);
	const logger = this.initContext.logger.get('annotations');
	logger.warn(err);

[dgieselaar]

done

[sorenlouv]

nit:

Suggested change

	return annotationsApiPromise
	? (await annotationsApiPromise).getScopedAnnotationsClient(...args)
	: undefined;
	const api = await annotationsApiPromise;
	return api?.getScopedAnnotationsClient(...args);

[dgieselaar]

done

[sorenlouv]

Thorough test 👍 I bet it made you think twice about the API design :)

[Kerry350]

LGTM 👍

Left one minor comment, needn’t hold up merging though.

[Kerry350]

Super minor nit: I think it’d be nice to keep imports from other plugins to a minimum, or from a location that denotes sharing. Could this type be added to the Observability plugin directly? Or exported from the apm plugin in one of the locations that denotes it’s part of the shared / public contract?

[sorenlouv]

Moving PromiseReturnType to the observability plugin sounds like a good idea 👍

[skh]

👍 from Ingest Management, looking forward to learning more about annotations!

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: dd6348c

History

• 💚 Build #45438 succeeded e941a37
• 💔 Build #45433 failed 983222b
• 💚 Build #44778 succeeded 292bf95
• 💚 Build #44358 succeeded 15301b2
• 💔 Build #44339 failed 232c1922b547928e4e5af17f6561a52cd02985f8

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[andrewvc]

@dgieselaar What is the access control story we want to tell? It seems odd that we would let people segment their data completely with RBAC and spaces but annotations would cross those boundaries.

The additional index maxes sense, but something here feels weird from an administrative standpoint. If I were an operator trying to reason about my indices this one feels like the odd one out. If this is the best option that makes sense, but having just reworked our security docs this adds a whole new dimension of complexity that worries me.

[dgieselaar]

@andrewvc I think we can make this space-aware in the future by storing the index name in a saved object, both for reading and writing. The APM app is not space aware so I figure we'd start out simple. Do you have any concerns around merging this in for 7.7 (it will be marked as Beta), and figuring out access control later?

[sorenlouv]

@dgieselaar How hard would it be to make this space-aware for 7.8? I can live without it for now but I just want to make sure this doesn't force us do migration or other things to preserve backwards compatibility when we do add spaces and RBAC

[dgieselaar]

@sqren I don't think it would be particularly hard in terms of implementation. index, which is now a sync getter, would need to become an async operation where it reads from the (user's?) saved objects repository. But, it would probably need some UI, and functional tests, and I don't feel comfortable making a change like that this close to FF. I would prefer us to document any migration scenarios if we should need them.

[dgieselaar]

@andrewvc I've created an issue to track the access control issue. I'll merge this in now given the time constraints (apologies 😃)

[andrewvc]

I don't think any of the concerns I've raised need to block this PR, but we revisit the decisions here at some point to inform a more ergonomic way of defining privileges in the future.