diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/risk_score_data_client.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/risk_score_data_client.ts index 2ae05e4c86227..981e89c8d8ec5 100644 --- a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/risk_score_data_client.ts +++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/risk_score_data_client.ts @@ -120,30 +120,10 @@ export class RiskScoreDataClient { const oldComponentTemplateExists = await esClient.cluster.existsComponentTemplate({ name: mappingComponentName, }); - // If present then copy the contents to a new component template with the namespace in the name if (oldComponentTemplateExists) { - const oldComponentTemplateResponse = await esClient.cluster.getComponentTemplate( - { - name: mappingComponentName, - }, - { ignore: [404] } - ); - const oldComponentTemplate = oldComponentTemplateResponse?.component_templates[0]; - const newComponentTemplateName = nameSpaceAwareMappingsComponentName(namespace); - await esClient.cluster.putComponentTemplate({ - name: newComponentTemplateName, - body: oldComponentTemplate.component_template, - }); + await this.updateComponentTemplateNamewithNamespace(namespace); } - // Delete the component template without the namespace in the name - await esClient.cluster.deleteComponentTemplate( - { - name: mappingComponentName, - }, - { ignore: [404] } - ); - // Update the new component template with the required data await Promise.all([ createOrUpdateComponentTemplate({ @@ -188,6 +168,14 @@ export class RiskScoreDataClient { }, }); + // Delete the component template without the namespace in the name + await esClient.cluster.deleteComponentTemplate( + { + name: mappingComponentName, + }, + { ignore: [404] } + ); + await createDataStream({ logger: this.options.logger, esClient, @@ -327,4 +315,20 @@ export class RiskScoreDataClient { { logger: this.options.logger } ); } + + private async updateComponentTemplateNamewithNamespace(namespace: string): Promise { + const esClient = this.options.esClient; + const oldComponentTemplateResponse = await esClient.cluster.getComponentTemplate( + { + name: mappingComponentName, + }, + { ignore: [404] } + ); + const oldComponentTemplate = oldComponentTemplateResponse?.component_templates[0]; + const newComponentTemplateName = nameSpaceAwareMappingsComponentName(namespace); + await esClient.cluster.putComponentTemplate({ + name: newComponentTemplateName, + body: oldComponentTemplate.component_template, + }); + } } diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/init_and_status_apis.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/init_and_status_apis.ts index 49112ad5d1a79..84d384e825da0 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/init_and_status_apis.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/init_and_status_apis.ts @@ -540,7 +540,87 @@ export default ({ getService }: FtrProviderContext) => { ); }); - describe('remove legacy risk score transform', function () { + it('should update the existing component template and index template without any errors', async () => { + const componentTemplateName = '.risk-score-mappings'; + const indexTemplateName = '.risk-score.risk-score-default-index-template'; + const newComponentTemplateName = '.risk-score-mappings-default'; + + // Call API to put the component template and index template + + await es.cluster.putComponentTemplate({ + name: componentTemplateName, + body: { + template: { + settings: { + number_of_shards: 1, + }, + mappings: { + properties: { + timestamp: { + type: 'date', + }, + user: { + properties: { + id: { + type: 'keyword', + }, + name: { + type: 'text', + }, + }, + }, + }, + }, + }, + version: 1, + }, + }); + + // Call an API to put the index template + + await es.indices.putIndexTemplate({ + name: indexTemplateName, + body: { + index_patterns: [indexTemplateName], + composed_of: [componentTemplateName], + template: { + settings: { + number_of_shards: 1, + }, + mappings: { + properties: { + timestamp: { + type: 'date', + }, + user: { + properties: { + id: { + type: 'keyword', + }, + name: { + type: 'text', + }, + }, + }, + }, + }, + }, + }, + }); + + const response = await riskEngineRoutes.init(); + expect(response.status).to.eql(200); + expect(response.body.result.errors).to.eql([]); + + const response2 = await es.cluster.getComponentTemplate({ + name: newComponentTemplateName, + }); + expect(response2.component_templates.length).to.eql(1); + expect(response2.component_templates[0].name).to.eql(newComponentTemplateName); + }); + + // Failing: See https://github.com/elastic/kibana/issues/191637 + describe.skip('remove legacy risk score transform', function () { this.tags('skipFIPS'); it('should remove legacy risk score transform if it exists', async () => { await installLegacyRiskScore({ supertest });