Add a rollover policy to the setup plugin

[f-galland]

Description

This PR is meant as a proof of concept that a rollover policy can be set up from a plugin, outside the Index Management plugin itself.
It does so by writing a policy json to the .opendistro-ism-config much like the Index Management plugin itself would do.

Issues Resolved

wazuh/wazuh-indexer#591

[f-galland]

Policy Document

The setup plugin has been modified to index a document to the .opendistro-ism-config index which look as follows:

{
  "policy": {
    "policy_id": "wazuh_rollover_policy",
    "description": "Example rollover policy.",
    "last_updated_time": 1738947466825,
    "schema_version": 21,
    "error_notification": null,
    "default_state": "rollover",
    "states": [
      {
        "name": "rollover",
        "actions": [
          {
            "retry": {
              "count": 3,
              "backoff": "exponential",
              "delay": "1m"
            },
            "rollover": {
              "min_doc_count": 1,
              "copy_alias": false
            }
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": [
          "test-index-*"
        ],
        "priority": 100,
        "last_updated_time": 1738947466825
      }
    ],
    "user": {
      "name": "admin",
      "backend_roles": [
        "admin"
      ],
      "roles": [
        "own_index",
        "all_access"
      ],
      "custom_attribute_names": [],
      "user_requested_tenant": null
    }
  }
}

[f-galland]

Index Management index template

During testing we found out that our plugin was quicker to load than the Index Management one, so a template must be set up for the .opendistro-ism-config index before creation.

We took the mappings from it from here:

• https://github.com/opensearch-project/index-management/blob/2.18.0.0/src/main/resources/mappings/opendistro-ism-config.json

[f-galland]

Trigger the job

An index needs to be written, which matches the index pattern the policy expects, while also being set up as the write index for the rollover alias:

curl -XPUT http://localhost:9200/test-index-0000 -H 'Content-Type: application/json' -d '{"aliases":{"test-alias":{"is_write_index":true}}}'

[f-galland]

Check that indices are being rotated

In order to speed up execution of the rollover policy, the following command can be issued:

curl -XPUT http://localhost:9200/_cluster/settings?pretty=true -H'Content-Type: application/json' -d '{"persistent": {"plugins.index_state_management.job_interval":1}}'

Now we can index new commands pointing towards our index alias:

curl -XPOST http://localhost:9200/test-alias/_doc -H 'Content-Type: application/json' -d '{"field":"value"}'

[f-galland]

Check the policy is reckoned

We can now check whether the ISM plugin is recognizing our policy and will apply it to the right index

$ curl 'http://localhost:9200/_plugins/_ism/explain?pretty'
{
  "test-index-0000" : {
    "index.plugins.index_state_management.policy_id" : "wazuh_rollover_policy",
    "index.opendistro.index_state_management.policy_id" : "wazuh_rollover_policy",
    "index" : "test-index-0000",
    "index_uuid" : "v6dYvuxlS9mJ3DE_78-IyA",
    "policy_id" : "wazuh_rollover_policy",
    "enabled" : true
  },
  "total_managed_indices" : 1
}

[mcasas993]

When changing the OpenSearch version from 2.18.0 to 2.19.1 the solution stops working.

At first the template was not configured in .opendistro-ism-config and generated problems with the mapping. Configuring the mapping directly in the .opendistro-ism-config index creation solves that problem. Although when the mapping started working the wazuh-command index and the wazuh-alerts index stopped being managed by the previously created policy.

I think probably the problem is associated with the cluster reload process and this logs:

[2025-03-13T11:45:26,172][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Performing ISM template migration.
[2025-03-13T11:45:26,173][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Doing ISM template migration 1 time.
[2025-03-13T11:45:26,174][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Use 2025-03-13T13:44:26.162Z as migrating ISM template last_updated_time
[2025-03-13T11:45:26,174][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] ISM templates: {}
[2025-03-13T11:45:26,175][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Policies to update: []
[2025-03-13T11:45:26,179][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Failure experienced when migrating ISM Template and update ISM policies: {}
[2025-03-13T11:45:26,189][DEBUG][o.o.c.c.Coordinator      ] [integTest-0] initialized PublicationContext using class: class org.opensearch.cluster.coordination.PublicationTransportHandler$PublicationContext
[2025-03-13T11:45:26,190][DEBUG][o.o.c.c.C.CoordinatorPublication] [integTest-0] publishing version 44 to [PublicationTarget{discoveryNode={integTest-0}{Id2z15qKTuqYX8kKx1ZwwA}{sQ_WrKBKSQWN9zVIOEHYSg}{127.0.0.1}{127.0.0.1:9300}{dimr}{testattr=test, shard_indexing_pressure_enabled=true}, state=NOT_STARTED, ackIsPending=true}]
[2025-03-13T11:45:26,190][DEBUG][o.o.c.c.PublicationTransportHandler] [integTest-0] received diff cluster state version [44] with uuid [9p89_bUYQXiX5cFna-Ny4w], diff size [200]
[2025-03-13T11:45:26,191][DEBUG][o.o.c.c.Coordinator      ] [integTest-0] handlePublishRequest: handling version [44] from [{integTest-0}{Id2z15qKTuqYX8kKx1ZwwA}{sQ_WrKBKSQWN9zVIOEHYSg}{127.0.0.1}{127.0.0.1:9300}{dimr}{testattr=test, shard_indexing_pressure_enabled=true}]
[2025-03-13T11:45:26,218][INFO ][o.o.c.s.ClusterSettings  ] [integTest-0] updating [plugins.index_state_management.template_migration.control] from [0] to [-1]
[2025-03-13T11:45:26,220][DEBUG][o.o.c.c.C.CoordinatorPublication] [integTest-0] publication ended successfully: Publication{term=1, version=44}
[2025-03-13T11:45:26,222][WARN ][o.o.c.r.a.AllocationService] [integTest-0] Falling back to single shard assignment since batch mode disable or multiple custom allocators set
[2025-03-13T11:45:26,225][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Successfully update template migration setting
[2025-03-13T11:46:26,165][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Performing move cluster state metadata.
[2025-03-13T11:46:26,165][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Doing metadata migration 2 time.
[2025-03-13T11:46:26,165][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Corrupt managed indices with outdated index uuid in metadata: []
[2025-03-13T11:47:26,166][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Performing move cluster state metadata.
[2025-03-13T11:47:26,167][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Doing metadata migration 3 time.
[2025-03-13T11:47:26,167][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Corrupt managed indices with outdated index uuid in metadata: []
[2025-03-13T11:48:26,167][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Performing move cluster state metadata.
[2025-03-13T11:48:26,167][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Doing metadata migration 4 time.
[2025-03-13T11:48:26,167][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Corrupt managed indices with outdated index uuid in metadata: []
[2025-03-13T11:48:26,168][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Move Metadata succeed, set finish flag to true. Indices failed to get indexed: {}
[2025-03-13T11:48:26,175][DEBUG][o.o.c.c.Coordinator      ] [integTest-0] initialized PublicationContext using class: class org.opensearch.cluster.coordination.PublicationTransportHandler$PublicationContext
[2025-03-13T11:48:26,176][DEBUG][o.o.c.c.C.CoordinatorPublication] [integTest-0] publishing version 45 to [PublicationTarget{discoveryNode={integTest-0}{Id2z15qKTuqYX8kKx1ZwwA}{sQ_WrKBKSQWN9zVIOEHYSg}{127.0.0.1}{127.0.0.1:9300}{dimr}{testattr=test, shard_indexing_pressure_enabled=true}, state=NOT_STARTED, ackIsPending=true}]
[2025-03-13T11:48:26,177][DEBUG][o.o.c.c.PublicationTransportHandler] [integTest-0] received diff cluster state version [45] with uuid [eV6iMtDJSNyld5tQuIiJyw], diff size [219]
[2025-03-13T11:48:26,178][DEBUG][o.o.c.c.Coordinator      ] [integTest-0] handlePublishRequest: handling version [45] from [{integTest-0}{Id2z15qKTuqYX8kKx1ZwwA}{sQ_WrKBKSQWN9zVIOEHYSg}{127.0.0.1}{127.0.0.1:9300}{dimr}{testattr=test, shard_indexing_pressure_enabled=true}]
[2025-03-13T11:48:26,205][INFO ][o.o.c.s.ClusterSettings  ] [integTest-0] updating [plugins.index_state_management.metadata_migration.status] from [0] to [1]
[2025-03-13T11:48:26,205][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Canceling metadata moving job because of cluster setting update.
[2025-03-13T11:48:26,206][DEBUG][o.o.c.c.C.CoordinatorPublication] [integTest-0] publication ended successfully: Publication{term=1, version=45}
[2025-03-13T11:48:26,207][WARN ][o.o.c.r.a.AllocationService] [integTest-0] Falling back to single shard assignment since batch mode disable or multiple custom allocators set
[2025-03-13T11:48:26,208][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Successfully metadata template migration setting to 1
[2025-03-13T11:49:26,028][INFO ][o.o.j.s.JobSweeper       ] [integTest-0] Running full sweep
[2025-03-13T11:49:26,167][INFO ][o.o.i.i.PluginVersionSweepCoordinator] [integTest-0] Canceling sweep ism plugin version job