Initial EQL rest API implementation

[aleksmaus]

It's my first PR, need a bit of feedback on the code shape and direction.
Specifically had to poke through RBACEngine.java and “mark” the request with CompositeIndicesRequest interface, not sure if this is the right approach.

[aleksmaus]

was not sure if there is a better approach instead of this ^

[imotov]

I am not sure we need this here. I don't see a scenario when we are going to resolve the index name based on the content of the request itself.

[aleksmaus]

Removing this change, replacing with more suitable solution after discussion with Igor.

[aleksmaus]

A possible fix for equals as a separate commit here, can remove if not appropriate or should be it's own separate PR.
Sharing the same SearchHit structures in the eql resful API implementation, and the equality checks would fail without this change in place.
Following the same thing that was done a line below with highlightFields accessors.

[imotov]

It might be a bit cleaner to make this a separate PR to master and 7.x and then merge it in. In any case, I think this requires a modification to SearchHitTests that would trigger the issue that you are trying to fix here.

[aleksmaus]

Sounds good, will update this PR once this change goes through the master.

[aleksmaus]

This file change is removed now from PR.

[aleksmaus]

• Removed the SearchHit.java change. It will go through master branch.
• Updated the unit test for now to always create SearchHit with fields.
• Squashed and force pushed.

[aleksmaus]

Pulled the latest master to feature/eql and rebased my PR against it, cause of build failures due to java version
21:07:03 Caused by: org.gradle.api.GradleException: JAVA13_HOME required to run task: 21:07:03 task ':distribution:bwc:minor:buildBwcOssLinuxTar'

master branch was on Java 13 already

[elasticmachine]

Pinging @elastic/es-search (:Search/EQL)

[imotov]

Should we also add a rest client and add some rest level tests to make sure it works end-to-end?

[imotov]

We can probably replace it with Collections.singletonList() here and below since we don't anticipate more actions here.

[aleksmaus]

Thought there was a possibility of one more "translate" action down the road.

[imotov]

Since we rely on the fact that index, timestampField, eventTypeField, etc cannot be null and fetchSize cannot be negative, we should validate that it's indeed the case. We could also make serialization more forgiving and avoid serializing the same default values on every request.

[aleksmaus]

Will add validation code

[imotov]

I am not sure we need this here. I don't see a scenario when we are going to resolve the index name based on the content of the request itself.

[imotov]

In most cases, if the index name is not specified on the URL we search all indices or use index specified inside the request. In this case I don't think we will ever search all indices and I don't see any provisions from specifying the index name inside the request. So, I think we can remove this version.

[aleksmaus]

Yeah, there was like going back-n-forth on this, so included both versions. Will remove the latter.

[imotov]

I would move this file into a separate trivial PR.

[aleksmaus]

Will revert this file change from this PR.

[aleksmaus]

@elasticmachine run elasticsearch-ci/1

[imotov]

LGTM. Thanks!