nickwallen opened a new pull request #1482: METRON-2216 Upgrade Core Enrichments for HBase 2.0.2
URL: https://github.com/apache/metron/pull/1482
 
 
   This change upgrades the core Enrichment components to work with HBase 
2.0.2.  This PR is for the `feature/METRON-2088-support-HDP-3.1` feature branch.
   
   ## Changes
   
   1. Leverages `EnrichmentLookup` as an abstraction
   
   1. Creates the `EnrichmentLookup` interface so that different 
implementations can be swapped in for testing where needed.  For example, a 
`FakeEnrichmentLookup` allows the Enrichment integration test to function where 
we are not able to run a live HBase instance.
   
   1. Updated Streaming Enrichments to use an `HBaseClient`.
   
   1. Updated the Stellar `ENRICHMENT_GET` for HBase 2.0.2.
   
   1. Updated the Stellar `ENRICHMENT_EXISTS` for HBase 2.0.2.
   
   1. Updated the legacy HBase adapters for HBase 2.0.2.
   
   
   ## Acceptance Testing
   
   ### Basics
   
     Verify data is flowing through the system, from parsing to indexing
   
     1. Open Ambari and navigate to the Metron service 
http://node1:8080/#/main/services/METRON/summary
   
     1. Open the Alerts UI
   
     1. Verify alerts show up in the main UI - click the search icon (you may 
need to wait a moment for them to appear)
   
     1. Head back to Ambari and select the Kibana service 
http://node1:8080/#/main/services/KIBANA/summary
   
     1. Open the Kibana dashboard via the "Metron UI" option in the quick links
   
     1. Verify the dashboard is populating
   
   
   ### Enrichment Stellar Functions in Storm
   
     1. Follow [instructions similar to these](https://cwiki.apache.org/confluence/display/METRON/2016/04/28/Metron+Tutorial+-+Fundamentals+Part+2%3A+Creating+a+New+Enrichment) to load the user data.
   
     1. Create a simple file called `user.csv`.
         ```
         jdoe,192.168.138.2
         ```
       
     1. Create a file called `user-extractor.json`.
         ```
         {
           "config": {
             "columns": {
               "user": 0,
               "ip": 1
             },
             "indicator_column": "ip",
             "separator": ",",
             "type": "user"
           },
           "extractor": "CSV"
         }
         ```
   
     1. Import the data.
         ```
         $METRON_HOME/bin/flatfile_loader.sh -i ./user.csv -t enrichment -c t -e ./user-extractor.json
         ```
   
     1. Enrich the Bro telemetry using the "user" data.  Similar to 
[here](https://cwiki.apache.org/confluence/display/METRON/2016/06/16/Metron+Tutorial+-+Fundamentals+Part+6%3A+Streaming+Enrichment).
   
     1. Validate that the enrichment loaded successfully.
         ```
         [root@node1 0.7.2]# source /etc/default/metron
         [root@node1 0.7.2]# $METRON_HOME/bin/stellar -z $ZOOKEEPER
         
         [Stellar]>>> ip_dst_addr := "192.168.138.2"
         192.168.138.2
         
         [Stellar]>>> ENRICHMENT_GET('user', ip_dst_addr, 'enrichment', 't')
         {ip=192.168.138.2, user=jdoe}
         ```
   
     1. Use the User data to enrich the telemetry.  Run the following commands 
in the REPL.
         ```
         [Stellar]>>> bro := SHELL_EDIT()
         {
          "enrichment" : {
            "fieldMap": {
              "stellar" : {
                "config" : {
                  "users" : "ENRICHMENT_GET('user', ip_dst_addr, 'enrichment', 't')"
                }
              }
            }
          },
          "threatIntel": {
            "fieldMap": {},
            "fieldToTypeMap": {}
          }
         }
         [Stellar]>>> CONFIG_PUT("ENRICHMENT", bro, "bro")
         ```
   
     1. Wait for the new configuration to be picked up by the running topology.
   
     1. Review the telemetry indexing into Elasticsearch.  Look for records 
where the `ip_dst_addr` is `192.168.138.2`. Ensure that some of the messages 
have a field called `alexa` created from this enrichment.
         ```
         {
           "_index": "bro_index_2019.08.13.20",
           "_type": "bro_doc",
           "_id": "AWyMxSJFg1bv3MpSt284",
           ...
           "_source": {          
             "ip_dst_addr": "192.168.138.2",
             "ip_src_addr": "192.168.138.158",
             "timestamp": 1565729823979,
             "source:type": "bro",
             "guid": "6778beb4-569d-478f-b1c9-8faaf475ac2f"
             ...
             "users:user": "jdoe",
             "users:ip": "192.168.138.2",
             ...
           },
           ...
         }
         ```
   
   ### Legacy HBase Adapter
   
   We are going to perform the same enrichment, but instead using the legacy 
HBase Adapter.
   
     1. Use the User data to enrich the telemetry.  Run the following commands 
in the REPL.
         ```
         [Stellar]>>> bro := SHELL_EDIT()
         {
           "enrichment": {
             "fieldMap": {
               "hbaseEnrichment": [
                 "ip_dst_addr"
               ]
             },
             "config": {
               "typeToColumnFamily": {
                 "users": "cf"
               }
             }
           },
           "threatIntel": {}
         }
         [Stellar]>>> CONFIG_PUT("ENRICHMENT", bro, "bro")
         ```
       
     1. Wait for the new configuration to be picked up by the running topology.
   
     1. Review the telemetry indexing into Elasticsearch.  Look for records 
where the `ip_dst_addr` is `192.168.138.2`. Ensure that some of the messages 
have a field called `alexa` created from this enrichment.
         ```
         {
           "_index": "bro_index_2019.08.13.20",
           "_type": "bro_doc",
           "_id": "AWyMxSJFg1bv3MpSt284",
           ...
           "_source": {          
             "ip_dst_addr": "192.168.138.2",
             "ip_src_addr": "192.168.138.158",
             "timestamp": 1565729823979,
             "source:type": "bro",
             "guid": "6778beb4-569d-478f-b1c9-8faaf475ac2f"
             ...
             "users:user": "jdoe",
             "users:ip": "192.168.138.2",
             ...
           },
           ...
         }
         ```    
   
   ## Pull Request Checklist
   
   - [x] Is there a JIRA ticket associated with this PR? If not one needs to be 
created at [Metron 
Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
   - [x] Does your PR title start with METRON-XXXX where XXXX is the JIRA 
number you are trying to resolve? Pay particular attention to the hyphen "-" 
character.
   - [x] Has your PR been rebased against the latest commit within the target 
branch (typically master)?
   - [x] Have you included steps to reproduce the behavior or problem that is 
being changed or addressed?
   - [x] Have you included steps or a guide to how the change may be verified 
and tested manually?
   - [x] Have you ensured that the full suite of tests and checks have been 
executed in the root metron folder via:
   - [x] Have you written or updated unit tests and/or integration tests to verify your changes?
   - [x] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] Have you verified the basic functionality of the build by building and 
running locally with Vagrant full-dev environment or the equivalent?
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
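The acceptance-test procedure above (CSV extractor config, `flatfile_loader.sh`, `ENRICHMENT_GET`, then the Stellar `fieldMap` producing `users:user` and `users:ip`), as an added example that is not part of the PR or of Metron's Java code base: a stand-alone Python model of that flow with an in-memory lookup in the role the PR describes for `FakeEnrichmentLookup`. The `EnrichmentLookup` method shapes, `EnrichmentKey`, `put`, `load_csv` and `enrich` are this example's own assumptions; the CSV line and the two JSON configs are constructed copies of the page's values; the HBase table and column family arguments of the real `ENRICHMENT_GET` are accepted in the expression but not modelled. The legacy `hbaseEnrichment` adapter path is not modelled.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, Optional, Protocol

# Constructed copies of the inputs from the acceptance test above.
USER_CSV = "jdoe,192.168.138.2\n"
USER_EXTRACTOR = {
    "config": {"columns": {"user": 0, "ip": 1}, "indicator_column": "ip",
               "separator": ",", "type": "user"},
    "extractor": "CSV",
}
BRO_ENRICHMENT_CONFIG = {
    "enrichment": {"fieldMap": {"stellar": {"config": {
        "users": "ENRICHMENT_GET('user', ip_dst_addr, 'enrichment', 't')"}}}},
    "threatIntel": {"fieldMap": {}, "fieldToTypeMap": {}},
}


@dataclass(frozen=True)
class EnrichmentKey:
    """Row key: enrichment type plus indicator value."""
    type: str
    indicator: str


class EnrichmentLookup(Protocol):
    """Read side of the lookup abstraction (this example's own shape, not Metron's)."""
    def get(self, key: EnrichmentKey) -> Optional[Dict[str, str]]: ...
    def exists(self, key: EnrichmentKey) -> bool: ...


class FakeEnrichmentLookup:
    """In-memory stand-in for the HBase-backed lookup, usable where HBase is not."""
    def __init__(self) -> None:
        self._rows: Dict[EnrichmentKey, Dict[str, str]] = {}

    def put(self, key: EnrichmentKey, value: Dict[str, str]) -> None:
        self._rows[key] = dict(value)

    def get(self, key: EnrichmentKey) -> Optional[Dict[str, str]]:
        return self._rows.get(key)

    def exists(self, key: EnrichmentKey) -> bool:
        return key in self._rows


def load_csv(extractor: dict, text: str, lookup: FakeEnrichmentLookup) -> int:
    """What flatfile_loader.sh does with the CSV extractor: name the columns per
    the config and key each row by the indicator column. Returns rows loaded."""
    cfg = extractor["config"]
    loaded = 0
    for row in csv.reader(io.StringIO(text), delimiter=cfg["separator"]):
        if not row:
            continue
        value = {name: row[idx].strip() for name, idx in cfg["columns"].items()}
        lookup.put(EnrichmentKey(cfg["type"], value[cfg["indicator_column"]]), value)
        loaded += 1
    return loaded


def enrichment_get(lookup: EnrichmentLookup, etype: str, indicator: str) -> Dict[str, str]:
    """ENRICHMENT_GET: the stored row, or an empty map when nothing matches.
    The table and column family arguments of the real function are not modelled."""
    return dict(lookup.get(EnrichmentKey(etype, indicator)) or {})


# Only this exact call shape is accepted. Enrichment configs are pushed to
# ZooKeeper and evaluated inside the topology, so an unknown expression is
# rejected rather than interpreted.
_GET_CALL = re.compile(
    r"^ENRICHMENT_GET\('([^']+)',\s*([A-Za-z_]\w*),\s*'[^']+',\s*'[^']+'\)$")


def enrich(message: Dict[str, object], config: dict, lookup: EnrichmentLookup) -> Dict[str, object]:
    """Apply the stellar fieldMap: each result is flattened into the message as
    '<name>:<column>' keys, which is how it appears in the indexed document."""
    out = dict(message)
    stellar = config["enrichment"]["fieldMap"].get("stellar", {}).get("config", {})
    for name, expr in stellar.items():
        match = _GET_CALL.match(expr.strip())
        if match is None:
            raise ValueError(f"unsupported enrichment expression: {expr!r}")
        etype, field = match.groups()
        if field not in message:
            continue  # no indicator on this message, so nothing to look up
        for column, value in enrichment_get(lookup, etype, str(message[field])).items():
            out[f"{name}:{column}"] = value
    return out


if __name__ == "__main__":
    store = FakeEnrichmentLookup()
    load_csv(USER_EXTRACTOR, USER_CSV, store)
    bro = {"ip_dst_addr": "192.168.138.2", "ip_src_addr": "192.168.138.158", "source:type": "bro"}
    print(enrich(bro, BRO_ENRICHMENT_CONFIG, store))
```

Running the block loads the one-row CSV into the fake lookup and prints the Bro message with `users:user` and `users:ip` added, the same two fields the acceptance test checks for in Elasticsearch; a message whose `ip_dst_addr` has no row, or that lacks the field entirely, passes through unchanged.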
