Description
Opened on Feb 10, 2021
Describe the feature:
7.11.0 introduces a privilege check to ensure the rule has read privileges to the index patterns provided, and another check which determines whether any index patterns are missing the @timestamp field, or the provided timestamp override field, from their mappings (the field the rule sorts on).
Describe a specific use case for the feature:
With the introduction of these 'sanity checks', some users might benefit from being able to control whether these checks are performed. There might be instances where a rule complains that old concrete indices are missing a timestamp field, but the customer doesn't care to see the rule in a 'partial failure' state because this is already known; the check could then be skipped to improve the user experience.
Another instance might be related to the _has_privileges API responding with missing read privileges when the index patterns provided use cross-cluster search (see here), giving the user a false negative that the rule lacks read permissions to the index patterns provided when in actuality it does.
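To make the two checks and the requested opt-out concrete, here is an added illustration that is not Kibana's own code: it evaluates a simplified `_has_privileges`-style response and a simplified `field_caps`-style response for a rule's index patterns, with a per-check skip flag, and the constructed sample reproduces both the cross-cluster false negative and an old index lacking `@timestamp`. The response shapes and the `ruleWarnings` function are assumptions for this example.

```typescript
// Added illustration of the two 7.11 sanity checks with per-check opt-outs.
// Not Kibana's code; response shapes are simplified assumptions modelled on
// the _has_privileges and field_caps APIs (field_caps called without
// include_unmapped, so a field mapped nowhere simply has no entry).
type PrivilegesResponse = { index: Record<string, Record<string, boolean>> };
type FieldCaps = { indices: string[]; fields: Record<string, Record<string, { indices?: string[] }>> };
type CheckOptions = { skipPrivilegeCheck?: boolean; skipTimestampCheck?: boolean };

function missingReadPrivileges(patterns: string[], resp: PrivilegesResponse): string[] {
  // A pattern is flagged unless the response explicitly grants read on it.
  return patterns.filter((p) => resp.index[p]?.read !== true);
}

function indicesMissingField(field: string, caps: FieldCaps): string[] {
  const byType = caps.fields[field];
  if (!byType) return [...caps.indices];
  const covered = new Set<string>();
  for (const info of Object.values(byType)) {
    // field_caps omits `indices` when every index maps the field with that type.
    for (const idx of info.indices ?? caps.indices) covered.add(idx);
  }
  return caps.indices.filter((idx) => !covered.has(idx));
}

function ruleWarnings(patterns: string[], privs: PrivilegesResponse, caps: FieldCaps,
                      timestampOverride?: string, opts: CheckOptions = {}): string[] {
  const warnings: string[] = [];
  if (!opts.skipPrivilegeCheck) {
    const missing = missingReadPrivileges(patterns, privs);
    if (missing.length) warnings.push(`missing read privileges on: ${missing.join(", ")}`);
  }
  if (!opts.skipTimestampCheck) {
    const field = timestampOverride ?? "@timestamp";
    const missing = indicesMissingField(field, caps);
    if (missing.length) warnings.push(`indices missing ${field}: ${missing.join(", ")}`);
  }
  return warnings;
}

// Constructed sample: a cross-cluster pattern the API reports as unreadable
// (the false negative described above) and one old concrete index without
// @timestamp. Both checks fire; skipping them clears the warnings.
const samplePatterns = ["logs-*", "remote:logs-*"];
const samplePrivs: PrivilegesResponse = { index: { "logs-*": { read: true }, "remote:logs-*": { read: false } } };
const sampleCaps: FieldCaps = {
  indices: ["logs-000001", "logs-old"],
  fields: { "@timestamp": { date: { indices: ["logs-000001"] } } },
};
const withChecks = ruleWarnings(samplePatterns, samplePrivs, sampleCaps);
const withoutChecks = ruleWarnings(samplePatterns, samplePrivs, sampleCaps, undefined,
  { skipPrivilegeCheck: true, skipTimestampCheck: true });
```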