Authoring Searchlight Plugins

At a bare minimum, a plugin must consist of an elasticsearch mapping, and a method by which it can provide data to be indexed. Many plugins also require a way to receive updates in order to keep the index up to date. For Openstack resources, typically the service API is used for initial indexing and notifications are received via oslo.messaging.

This documentation will use as an example the Neutron network plugin as a reasonably complete and complex example.

Getting some data

The very first thing you should do is figure out exactly what you’re trying to index. When I’ve developed plugins I’ve found it helpful to generate test data both for initial indexing and for notifications.

Initial indexing

In the case of neutron networks, the initial data will come from neutronclient. Some browsing of the API documentation reveals that the call I want is list_networks:

import json
import os

from keystoneclient.auth.identity import v2
from keystoneclient import session
from neutronclient.v2_0 import client as nc_20

def get_session():
    username = os.environ['OS_USERNAME']
    password = os.environ['OS_PASSWORD']
    auth_url = os.environ['OS_AUTH_URL']
    tenant_name = os.environ['OS_TENANT_NAME']
    auth = v2.Password(**locals())
    return session.Session(auth=auth)

nc = nc_20.Client(session=get_session())
networks = nc.list_networks()

print(json.dumps(networks, indent=4, sort_keys=True))

This outputs:

    "networks": [
            "admin_state_up": true,
            "availability_zone_hints": [],
            "availability_zones": [
            "created_at": "2016-04-08T16:44:17",
            "description": "",
            "id": "4d73d257-35d5-4f4e-bc71-f7f629f21904",
            "ipv4_address_scope": null,
            "ipv6_address_scope": null,
            "is_default": true,
            "mtu": 1450,
            "name": "public",
            "port_security_enabled": true,
            "provider:network_type": "vxlan",
            "provider:physical_network": null,
            "provider:segmentation_id": 1053,
            "router:external": true,
            "shared": false,
            "status": "ACTIVE",
            "subnets": [
            "tags": [],
            "tenant_id": "fa1537e9bda9405891d004ef9c08d0d1",
            "updated_at": "2016-04-08T16:44:17"

Since that’s the output from neutron client, that’s what should go in searchlight/tests/functional/data/load/networks.json, though you might also want more examples to test different things.


Openstack documents some of the notifications sent by some services. It’s also possible to eavesdrop on notifications sent by running services. Taking neutron as an example (though all services are slightly different), we can make it output notifications by editing /etc/neutron/neutron.conf and adding under the [oslo_messaging_notifications] section:

driver = messagingv2

There are then two ways to configure the service to send notifications that Searchlight can receive. The recommended method is to use notification pools, touched on in the messaging documentation.

Notification pools

A notification messaging pool allows additional listeners to receive messages on an existing topic. By default, Openstack services send notification messages to an oslo.messaging ‘topic’ named notifications. To view these notifications while still allowing searchlight-listener or Ceilometer’s agent to continue to receive them, you may use the utility script in test-scripts/

. ~/devstack/openrc admin admin
# If your rabbitmq user/pass are not the same as for devstack, you
./test-scripts/ neutron test-notifications

Adding a separate topic

In the same config file (/etc/neutron/neutron.conf) the following line (again, under the [DEFAULT] section) will cause neutron to output notifications to a topic named searchlight_indexer:

notification_topics = searchlight_indexer


searchlight-listener also listens on the searchlight_indexer topic, so if you have searchlight-listener running, it will receive and process some or all of the notifications you’re trying to look at. Thus, you should either stop the searchlight-listener or add another topic (comma-separated) for the specific notifications you want to see. For example:

notification_topics = searchlight_indexer,my_test_topic

After restarting the q-svc service notifications will be output to the message bus (rabbitmq by default). They can be viewed in any RMQ management tool; there is also a utility script in test-scripts/ that will listen for notifications:

. ~/devstack/openrc admin admin
# If your rabbitmq user/pass are not the same as for devstack, you
./test-scripts/ neutron


If you added a custom topic as described above, you’ll need to edit to use your custom topic:

# Change this line
topic = 'searchlight_indexer'
# to
topic = 'my_test_topic'

Using the results

Issuing various commands (neutron net-create, neutron net-update, neutron net-delete) will cause to receive notifications. Usually the notifications with event_type ending .end are the ones of most interest (many fields omitted for brevity):

{"event_type": "network.update.end",
 "payload": {
   "network": {
     "status": "ACTIVE",
     "router:external": false,
     "subnets": ["9b6094de-18cb-46e1-8d51-e303ff844c86",
     "updated_at": "2016-05-03T19:05:38",
     "tenant_id": "34518c16d95e40a19b1a95c1916d8335",
     "id": "abf3a939-4daf-4d05-8395-3ec735aa89fc", "name": "private"}
  "publisher_id": "network.devstack",
  "ctxt": {
    "read_only": false,
    "domain": null,
    "project_name": "demo",
    "user_id": "c714917a458e428fa5dc9b1b8aa0d4d6"
  "metadata": {
    "timestamp": "2016-05-03 19:05:38.258273",
    "message_id": "ec9ac6a1-aa17-4ee3-aa6e-ab48c1fb81a8"

The entire message can go into searchlight/tests/functional/data/events/network.json. The payload (in addition to the API response) will inform the mapping that should be applied for a given plugin.

File structure

Plugins live in searchlight/elasticsearch/plugins. We have tended to create a subpackage named after the service (neutron) and within it a module named after the resource type ( Notification handlers can be in a file specific to each resource type but can also be in a single file together (existing ones use contains a class named NetworkIndex that implements the base class IndexBase found in searchlight.elasticsearch.plugins.base.


If there are plugins for multiple resources within the same Openstack service (for example, Glance images and meta definitions) those plugins can exist in the same subpackage (‘glance’) in different modules, each implementing an IndexBase.

Enabling plugins

Searchlight plugins are loaded by Stevedore. In order for a plugin to be enabled for indexing and searching, it’s necessary to add an entry to the entry_points list in Searchlight’s configuration in setup.cfg. The name should be the plugin resource name (typically the name used to represent it in Heat):

searchlight.index_backend =
    os_neutron_net = searchlight.elasticsearch.plugins.neutron.networks:NetworkIndex


After modifying entrypoints, you’ll need to reinstall the searchlight package to register them (you may need to activate your virtual environment; see Installing Searchlight):

python develop

Writing some code

At this point you’re probably about ready to start filling in the code. My usual approach is to create the unit test file first, and copy some of the more boilerplate functionality from one of the other plugins.

You can run an individual test file with:

tox -epy34 searchlight.tests.unit.<your test module>

This has the advantage of running just your tests and executing them very quickly. It can be easier to start from a full set of failing unit tests and build up the actual code from there. Functional tests I’ve tended to add later. Again, you can run an individual functional test file:

tox -epy34 searchlight.tests.functional.<your test module>

Required plugin functions

This section describes some of the functionality from IndexBase you will need to override.

Document type

As a convention, plugins define their document type (which will map to an ElasticSearch document type) as the resource name Heat uses to identify it:

def get_document_type(self):
    return "OS::Neutron::Net"

Retrieving object for initial indexing

Plugins must implement get_objects which in many cases will go to the API of the service it’s indexing. It should return an iterable that will be passed to a function (also required) named serialize, which in turn must return a dictionary suitable for Elasticsearch to index. In the example for Neutron networks, this would be a call to list_networks on an instance of neutronclient:

def get_objects(self):
    """Generator that lists all networks owned by all tenants."""
    # Neutronclient handles pagination itself; list_networks is a generator
    neutron_client = openstack_clients.get_neutronclient()
    for network in neutron_client.list_networks()['networks']:
        yield network


get_mapping is also required. It must return a dictionary that tells Elasticsearch how to map documents for the plugin (see the documentation for mapping).

At a minimum a plugin should define an id field and an updated_at field because consumers will generally rely on those being present; a name field is highly advisable. If the resource doesn”t contain these values your serialize function can map to them. In particular, if your resource does not have a native id value, you must override get_document_id_field so that the indexing code can retrieve the correct value when indexing.

It is worth understanding how Elasticsearch indexes various field types, particularly strings. String fields are typically broken down into tokens to allow searching:

"The quick brown fox" -> ["The", "quick", "brown", "fox"]

This works well for full-text type documents but less well, for example, for UUIDS:

"aaab-bbbb-55555555" -> ["aaab", "bbbb", "55555555"]

In the second example, a search for the full UUID will not match. As a result, we tend to mark these kinds of fields as not_analyzed as with the example to follow.

Where field types are not specified, Elasticsearch will make a best guess from the first document that’s indexed.

Some notes (expressed below as comments starting with #):

  # This allows indexing of fields not specified in the mapping doc
  "dynamic": true,
  "properties": {

    # not_analyzed is important for id fields; it prevents Elasticsearch
    # tokenizing the field, allowing for exact matches
    "id": {"type": "string", "index": "not_analyzed"},

    # This allows name to be tokenized for searching, but Searchlight will
    # attempt to use the 'raw' (untokenized) field for sorting which gives
    # more consistent results
    "name": {
      "type": "string",
      "fields": {
        "raw": {"type": "string", "index": "not_analyzed"}

If you are mapping a field which is a reference id to other plugin type, you should add a _meta mapping for that field. This will enable Searchlight(SL) to provide more information to CLI/UI. The reference id and the plugin resource type can be used by CLI/UI to issue a GET request to fetch more information from SL. See below for an example on nova server plugin mapping:

def get_mapping(self):
  return {
      'dynamic': True,
      'properties': {
          'id': {'type': 'string', 'index': 'not_analyzed'},
          'name': {
              'type': 'string',
              'fields': {
                  'raw': {'type': 'string', 'index': 'not_analyzed'}
          'image': {
              'type': 'nested',
              'properties': {
                  'id': {'type': 'string', 'index': 'not_analyzed'}
      "_meta": {
          "": {
              "resource_type": resource_types.GLANCE_IMAGE


Parent plugin id field(when available) is automatically linked to the parent resource type.

Doc values

For many field types Searchlight will alter the mapping to change the format in which field data is stored. Prior to Elasticsearch 2.x field values by default were stored in ‘fielddata’ format, which could result in high memory usage under some sort and aggregation operations. An alternative format, called doc_values trades slightly increased disk usage for better memory efficiency. In Elasticsearch 2.x doc_values is the default, and Searchlight uses this option as the default regardless of Elasticsearch version. For more information see the Elasticsearch documentation.

Generally this default will be fine. However, there are several ways in which the default can be overridden:

  • Globally in plugin configuration; in searchlight.conf:

    mapping_use_doc_values = false
  • For an individual plugin in searchlight.conf:

    mapping_use_doc_values = false
  • For a plugin’s entire mapping; in code, override the mapping_use_doc_values property (and thus ignoring any configuration property):

    def mapping_use_doc_values(self):
        return False
  • For individual fields in a mapping, by setting doc_values to False:

      "properties": {
        "some_field": {"type": "date", "doc_values": False}

Access control

Plugins must define how they are access controlled. Typically this is a restriction matching the user’s project/tenant:

def _get_rbac_field_filters(self, request_context):
    return [
        {'term': {'tenant_id': request_context.owner}}

Any filters listed will be applied to queries against the plugin’s document type. A document will match the RBAC filters if any of the clauses match. Administrative users can specify all_projects in searches to bypass these filters. This default behavior can be overridden for a plugin by setting the allow_admin_ignore_rbac property to False on the plugin (currently only in code). all_projects will be ignore for that plugin.


Related to access control is policy. Most services control API access with policy files that define rules enforced with oslo.policy. Searchlight has its own policy file that configures access to its own API and resources, but it also supports reading other services’ policy files. In the future this will be expanded to define RBAC rules, but at present external policy files are only used to determine whether a resource should be available to a user.

To support this in your plugin, you must define two properties. The first is service_type which must correspond to the service ‘type’ as seen in the keystone catalog (e.g. nova’s service ‘type’ is ‘compute’). The second property is resource_allowed_policy_target which identifies the rule name in the service’s policy files. If either of these properties are ‘None’ no rule will be enforced.

For example:

def resource_allowed_policy_target(self):
    return 'os_compute_api:servers:index'

def service_type(self):
    return 'compute'

See Service policy controls for configuration information.


Any fields defined in the mapping document are eligible to be identified as facets, which allows a UI to let users search on specific fields. Many plugins define facets_excluded which exclude specified fields. Many also define facets_with_options which should return fields with low cardinality where it makes sense to return valid options for those fields.

Protected fields

admin_only_fields determines fields which only administrators should be able to see or search. For instance, this will mark any fields beginning with provider: as well as any defined in the plugin configuration:

def admin_only_fields(self):
    from_conf = super(NetworkIndex, self).admin_only_fields
    return ['provider:*'] + from_conf

These fields end up getting indexed in separate admin-only documents.

Parent/child relationships

In some cases there is a strong ownership implied between plugins. In these cases the child plugin can define parent_plugin_type and get_parent_id_field (which determines a field on the child that refers to its parent). See the Neutron Port plugin for an example.

Remember that Elasticsearch is not a relational database and it doesn’t do joins, per se, but this linkage does allow running queries referencing children (or parents).

Pipeline architecture

Notification handlers can emit enriched resource data into pipeline, configured publishers could use these data to notify external systems. To use this feature, each event handler should return one or a sequence of pipeline items. These items will be passed to subscribed publshers:

def create_or_update(self, event_type, payload, timestamp):
    network_id = payload['network']['id']
    LOG.debug("Updating network information for %s", network_id)

    network = serialize_network(payload['network'])
    version = self.get_version(network, timestamp)

    self.index_helper.save_document(network, version=version)
    return pipeline.IndexItem(self.index_helper.plugin,