[athena] changes to make athena part of a default deployment

[ryandeivert]

to: @austinbyers or @chunyong-lin
cc: @airbnb/streamalert-maintainers, @jacknagz
size: large
resolves #N/A

NOTE: this is a replacement for #592. All new updates will be made here.

Background

• In order to support some upcoming features, StreamAlert must always have alerts sent to S3 to allow for Athena querying. Therefore, the Athena partition refresh function is no longer optional and should be created upon StreamAlert initialization.

Changes

• Updating cli to handle deploying athena on init
  • This removes some now unnecessary manage.py athena subcommands like init, create-db, etc.
  • Athena database creation is now handled via Terraform.
• The athena AWS resources are now name-spaced to the user-specified prefix as to not conflict if multiple deploys exist in one AWS account.
• Updating athena terraform generate code and updating default local config for athena.
• Three additional options related to the athena function are now configurable by the user (within the athena_partition_refresh_config in lambda.json:
  • database_name: the name of the Athena database to use. (default is: <prefix>_streamalert)
  • results_bucket : the S3 bucket to use for Athena query results and metastore storage (default is: <prefix>.streamalert.athena-results)
  • queue_name: the name of the sqs queue to use for bucket notifications (default is: <prefix>_streamalert_athena_data_bucket_notifications)

Other Changes

• Preliminary doc updates to go with changes. Another wave will follow.
• Syncing carbon black logs schema updates

Testing

• Updating some unit tests for changes.
• Deployed in test account end-to-end and tested to make sure alerts searchable in S3.

[austinbyers]

I'm not an expert on the Athena changes, but the code LGTM!

[coveralls]

Coverage decreased (-0.04%) to 95.66% when pulling 0003e5a on ryandeivert-athena-default-output into 8ad15c4 on release-2.0.0.

[austinbyers]

results_bucket.startswith('s3://')

[jacknagz]

I'm excited for this change!! A couple more clarifying comments

[jacknagz]

This method is still needs the constraint on options.type == data, since it won't work for the alerts table

[jacknagz]

I might be missing something, but is there an added benefit of passing in table_type as an arg if it's in options.type?

[ryandeivert]

the idea was this would allow for a more generic function with a better interface by accepting a string for the table_type.

the only property of options that was accessed within this function was type, which means if any caller wanted to use this function it essentially has to create a namedtuple first that would have a type property corresponding to the table type. it's fine to keep as is, just makes using it more difficult

[jacknagz]

I was under the impression we were revisiting table creation on every deploy per the last PR convo, is that not the case?

[jacknagz]

(not related to this line)

Any reason to delete the generate_athena method? It could still be useful for current users who don't have an Athena config

[austinbyers]

@jacknagz We don't auto-generate any other part of the config (e.g. Lambda template code for the alert processor or alert merger), and I think we should be consistent. So either we should auto-generate all of it or none of it, and IMO it would be over-engineering to auto-generate every part of the config an upgrading user might not have (because they'll likely need to change the config anyway). With documentation, users can just update their config manually. So my vote is to get rid of the generate_athena method

#simplify 💣

[ryandeivert]

@austinbyers and @jacknagz maybe we need to discuss this because I'm not sure what the best approach is. my initial impression was to nix it as well (as seen in my commit history). let's chat today

[ryandeivert]

@jacknagz & @austinbyers I should clarify that this PR is a direct mirror of #592 and your feedback there was not addressed yet. This PR was simply to go against the release branch instead of master. Your comments lead me to believe you thought I had addressed previous PR feedback in this PR, which is not the case. Sorry for the misunderstanding!!

needs rebase

[ryandeivert]

hey @austinbyers and @jacknagz PTAL. I've updated the branch and addressed the feedback from previous comments

EDIT: just fixed a pylint error and pushed a commit

[austinbyers]

Thanks @ryandeivert! I read the whole thing over again and found a few small things now that I have a better understanding of the codebase :)

[austinbyers]

This key is no longer necessary

[austinbyers]

Since 2.0 will not be backwards compatible, do we need this legacy support? If all it does is update the conf/lambda.json, I would say nix it (it's not hard to manually add)
EDIT: see also my response to Jack below

[ryandeivert]

thanks @austinbyers, that was my impression as well

[austinbyers]

@jacknagz We don't auto-generate any other part of the config (e.g. Lambda template code for the alert processor or alert merger), and I think we should be consistent. So either we should auto-generate all of it or none of it, and IMO it would be over-engineering to auto-generate every part of the config an upgrading user might not have (because they'll likely need to change the config anyway). With documentation, users can just update their config manually. So my vote is to get rid of the generate_athena method

#simplify 💣

[austinbyers]

We don't really need this comment

[austinbyers]

This is no longer used in the config , let's also remove it from the test.
EDIT: I just found it in the config too! But are we using it? If so, we should probably remove it since it's no longer optional

[ryandeivert]

yes good catch - I'll remove :)

[chunyong-lin]

Thanks for the refactoring! 👏 Few comments from me.

[chunyong-lin]

The val will be a set, should we go through each element in the set? Also, for the case that column_foo= will be passed the validation. Maybe we can do
if len(val.split('=')) != 2:

[ryandeivert]

hey @chunyong-lin - val will actually not be a set, but will be each individual item within the set.

Good suggestion though - I can add an additional check to make sure the right about of equals-separated-values is provided

[ryandeivert]

Made the change!

[chunyong-lin]

Does it make sense to rename this method to _add_required_athena_args? I first impression when see default word and it gives me impression that there is default value, it is not required to set it. Actually, the all the args are required here, and users must provide values for these args.
But I might interpreter this differently from others.

[ryandeivert]

I can rename but chose this since the arguments are the 'defaults' related to the actual argparsers that we're constructing here (not the 'defaults' the user will have to provide). Also, you'll notice that not ever argument that is added within the function is in fact 'required' - see the 'debug' param.

[chunyong-lin]

Is data or alert is implemented? In docs/source/athena-setup.rst line 37, it sounds that it is alert is implemented.

[ryandeivert]

Good catch! But this is just for 'rebuilding' part, not simply supporting the alerts

[chunyong-lin]

You may just use if not results_bucket_name:. The empty string is treated as false anyway.

[ryandeivert]

Oh good catch on this - I missed updating this one :)

[chunyong-lin]

Same as above, optional to use if not queue_name:

[jacknagz]

A couple final comments

[jacknagz]

This is a pretty long Queue name, can we shorten it? The max length is 80 chars.

[ryandeivert]

Yeah we can - I was just mimicking what our queue name is internally

[jacknagz]

What's the benefit of removing the instantiation here and doing it in each subcommand's method?

[ryandeivert]

This allows any caller using these functions to not have to worry about created an athena client that needs to be passed it.

Example here:

streamalert/stream_alert_cli/terraform/handler.py

Line 121 in 8d653cb

create_table(None, alerts_bucket, 'alerts', config)

Also, not every subcommand needs this (ie: init)

[jacknagz]

is this missing the results_bucket?

[jacknagz]

also database_name?

[ryandeivert]

those options are only needed if the user wants to override the defaults that we use. I can add the defaults here but have some concerns. Mainly, I worry that our config is growing unnecessarily large with superfluous options that the vast majority of users wouldn't need to worry about. What are your thoughts? Have it here or omit it and just document the options config settings well?

[austinbyers]

We'll have a larger discussion on the interaction between the CLI and the config at another time. Thanks for this change!

👍 🚀

[chunyong-lin]

LGTM. Thanks for the change.