-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add messages to distributed query results #6352
Add messages to distributed query results #6352
Conversation
@chrisbroome Nice! Kolide's SaaS Product, K2 provides error messages today, by correlating status logs with the distributed results. This PR will be much nicer because we can deliver the messages simultaneously with the other information. The key thing that we needed to have in our UX that wasn't obvious at first, was not only do we want to show execution error messages, but also warning messages for queries that succeed. As an example, consider a user who is remote querying Here is how we show that status in our app today. I would want those warning messages included in the result output. Is that possible to do? |
Hmm... I'll have to take a look at the C++ |
All the warnings that appear are currently only LOG messages. They never get returned to calling APIs via Relevant code: https://github.com/osquery/osquery/blob/master/osquery/sql/virtual_table.cpp#L958-L969 That said, I agree that we need these warnings to be in the distributed query results. We probably need some feedback from regular contributors as to what can be done about that. |
bca8bb5
to
c660f20
Compare
@chrisbroome Can you talk about the motivation for including the query SQL along with the results? I am 100% on board with returning the error messages. Been wanting this for a long time and never really looked into it. |
@zwass The sql statement isn't 100% necessary. But there are a couple of benefits of having it in the distributed write result:
|
f50e3c4
to
f002e38
Compare
Do we need more discussion about this item? |
My gut sense is that this is an important addition, but isn't something we need to block on. Is there somewhere to leave a TODO, or an obvious place to fix that? |
f002e38
to
c3937b1
Compare
We talked about this again in office hours today. There are still some concerns about including the sql -- among them is that it greatly increases the amount of network traffic and storage bytes. Do you think you could split the statuses from the statements, so we can merge the former and keep discussing the latter? |
Sure I can do that! |
c3937b1
to
86d5516
Compare
Updated the PR to not include the SQL statements. For some reason the LGTM c/c++ build step is failing. I don't understand why. |
The LGTM step can be ignored, it's a WIP and it's not required :). |
Currently the distributed write API sends back status codes that indicate whether or not a particular query was successful. However, in the event that a query was not successful, we have no other information as to what the failure was. This PR solves the issue by adding a new top-level field to the distributed write results:
messages
: A map of queryID -> error message for queries that fail. Successful queries will have an empty string for the message.Also another top-level key was added for the original sql query statement corresponding to the distributed write request:
statements
: A map of queryID -> sql statement.Together, these fields help TLS distributed api implementors to inform clients about why an error happened - as opposed to just letting them know that some error happened.