This repository has been archived by the owner on Aug 2, 2022. It is now read-only.
Check empty user object for the AD monitor #304
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When security is disabled, the user in the alerting config index is empty (not null). This caused AD monitor to add a backend role filter when querying anomaly results. Since backend roles don't exist when security is disabled, AD monitor gets empty hits and always returns false during trigger evaluation. The issue basically disables AD monitor for non-fgac domain. This PR fixes the issue by checking the emptiness of a user: if its name is empty, don't add the backend role filter while querying. Testing done: 1. added a unit test to verify the backend role filter is not generated when a user is empty. 2. Manually verified AD monitors can find anomalies after the fix.
Codecov Report
@@ Coverage Diff @@
## master #304 +/- ##
=========================================
Coverage 80.34% 80.34%
Complexity 196 196
=========================================
Files 151 151
Lines 5169 5169
Branches 674 674
=========================================
Hits 4153 4153
- Misses 658 659 +1
+ Partials 358 357 -1
Continue to review full report at Codecov.
|
lezzago
approved these changes
Nov 25, 2020
ylwu-amzn
approved these changes
Nov 25, 2020
tlfeng
pushed a commit
that referenced
this pull request
Feb 6, 2021
When security is disabled, the user in the alerting config index is empty (not null). This caused AD monitor to add a backend role filter when querying anomaly results. Since backend roles don't exist when security is disabled, AD monitor gets empty hits and always returns false during trigger evaluation. The issue basically disables AD monitor for non-fgac domain. This PR fixes the issue by checking the emptiness of a user: if its name is empty, don't add the backend role filter while querying. Testing done: 1. added a unit test to verify the backend role filter is not generated when a user is empty. 2. Manually verified AD monitors can find anomalies after the fix.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
When security is disabled, the user in the alerting config index is empty (not null). This caused AD monitor to add a backend role filter when querying anomaly results. Since backend roles don't exist when security is disabled, AD monitor gets empty hits and always returns false during trigger evaluation. The issue basically disables AD monitor for non-fgac domain.
This PR fixes the issue by checking the emptiness of a user: if its name is empty, don't add the backend role filter while querying.
Testing done:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.