Add a smoke test for security realms #68881
Conversation
This changes adds a new QA test that runs a smoke test on a node that has been configured with one realm of each type. Not all of the realms work, because some of them would depend on external fixtures (LDAP, SAML, etc) and this particularly test suite is intended to be as stable as possible and have no external dependencies. The primary purpose of this test is to catch any issues that prevent a node from starting with particular realms configurd (e.g. security manager or classpath issues). We don't depend on external fixtures becaused we want this to be a smoke test that clearly indicates when a (seemingly unrelated) change in Elasticsearch has unintended consequences on realms. The use of external dependencies would increase the number of things that could go wrong and move this from a smoke test to a potentially noisy integration test.
tvernum
added
>test
|
Pinging @elastic/es-security (Team:Security) |
|
For verification purposes here is a gradle scan where this test passes (because the bug is fixed). If I cherry pick this test on top of the last commit before the LDAP bug was fixed (683368c), then we get this gradle scan that has the expected classloading failure. |
ywangd
left a comment
ywangd
left a comment
There was a problem hiding this comment.
LGTM.
Just to be paranoid, we could test the reserved realm as well.
|
|
||
| assertUsername(authenticate, USERNAME); | ||
| assertRealm(authenticate, "pki", "pki4"); | ||
| assertRoles(authenticate, new String[0]); |
There was a problem hiding this comment.
The new String[0] argument is redundant since the method takes varargs. Or did you intentionally add it for more clarity?
There was a problem hiding this comment.
It is for clarity. I find
assertRoles(authenticate);
a bit weird. Technically it does the same thing, but it doesn't read well.
The method normally reads like:
- Assert the the authentication response has roles
foo
With the empty array it reads
- Assert the the authentication response has roles empty
But with no argument at all it reads
- Assert the the authentication response has roles ...
| protected void createRole(String name, Collection<String> clusterPrivileges) throws IOException { | ||
| final RestHighLevelClient client = getHighLevelAdminClient(); | ||
| final Role role = Role.builder().name(name).clusterPrivileges(clusterPrivileges).build(); | ||
| client.security().putRole(new PutRoleRequest(role, null), RequestOptions.DEFAULT); |
There was a problem hiding this comment.
Nit: I'd also use RefreshPolicy.WAIT_UNTIL for PutRoleRequest even though it is not necessary for existing use cases. The performance gain with null is trivial and it feels more future proof to use WAIT_UNTIL or even IMMEDIATE.
| } else if (clientCertificatePath != null) { | ||
| throw new IllegalStateException("Client certificates are currently only support when using a custom CA"); |
There was a problem hiding this comment.
Why do we have this restriction? Is it just so we don't need to bother writing code for this branch (no test would be setup like this anyway)?
There was a problem hiding this comment.
I didn't want to write yet another block of code if no one was going to use it (and therefore it had a good chance of not actually working).
But I also didn't want to leave it in a state where someone would try and use it (e.g. a truststore and a client cert in PEM) and then have to debug why their code didn't do what they thought it should do.
It is also FIPS worthy! |
jkakavas
left a comment
jkakavas
left a comment
There was a problem hiding this comment.
LGTM. I guess there can still be things that we miss ( i.e. because a class can be loaded in the process of authenticating to an external system and not realm initialization - but hopefully realm integ tests can catch these? ) but I fully agree with the idea of having this smoke test be stripped of all external dependencies.
| throw new RuntimeException("Error setting up ssl", e); | ||
| } | ||
| } else if (clientCertificatePath != null) { | ||
| throw new IllegalStateException("Client certificates are currently only support when using a custom CA"); |
There was a problem hiding this comment.
| throw new IllegalStateException("Client certificates are currently only support when using a custom CA"); | |
| throw new IllegalStateException("Client certificates are currently only supported when using a custom CA"); |
There was a problem hiding this comment.
This ended up being the only comment, I wouldn't necessarily respin all CI checks just to change this now.
| assertThat("License must exist", map.containsKey("license"), equalTo(true)); | ||
| @SuppressWarnings("unchecked") | ||
| final Map<String, ?> license = (Map<String, ?>) map.get("license"); | ||
| @SuppressWarnings("unchecked") final Map<String, ?> license = (Map<String, ?>) map.get("license"); |
There was a problem hiding this comment.
Is this the IDE doing autoformatting or our spotless plugin being applied on changes? Keeping the diff to reflect actual changes helps a lot in reviewing ( "hide whitespace changes" is not enough.. )
Writing this mostly as a mental note so that we can discuss it at some point
There was a problem hiding this comment.
This was IDE. I'm not sure what the official style guide is - I didn't even notice the change this time.
|
@elasticmachine update branch |
This changes adds a new QA test that runs a smoke test on a node that has been configured with one realm of each type. Not all of the realms work, because some of them would depend on external fixtures (LDAP, SAML, etc) and this particularly test suite is intended to be as stable as possible and have no external dependencies. The primary purpose of this test is to catch any issues that prevent a node from starting with particular realms configurd (e.g. security manager or classpath issues). We don't depend on external fixtures becaused we want this to be a smoke test that clearly indicates when a (seemingly unrelated) change in Elasticsearch has unintended consequences on realms. The use of external dependencies would increase the number of things that could go wrong and move this from a smoke test to a potentially noisy integration test. Backport of: elastic#68881
This changes adds a new QA test that runs a smoke test on a node that has been configured with one realm of each type. Not all of the realms work, because some of them would depend on external fixtures (LDAP, SAML, etc) and this particularly test suite is intended to be as stable as possible and have no external dependencies. The primary purpose of this test is to catch any issues that prevent a node from starting with particular realms configurd (e.g. security manager or classpath issues). We don't depend on external fixtures becaused we want this to be a smoke test that clearly indicates when a (seemingly unrelated) change in Elasticsearch has unintended consequences on realms. The use of external dependencies would increase the number of things that could go wrong and move this from a smoke test to a potentially noisy integration test. Backport of: elastic#68881
This changes adds a new QA test that runs a smoke test on a node that has been configured with one realm of each type. Not all of the realms work, because some of them would depend on external fixtures (LDAP, SAML, etc) and this particularly test suite is intended to be as stable as possible and have no external dependencies. The primary purpose of this test is to catch any issues that prevent a node from starting with particular realms configurd (e.g. security manager or classpath issues). We don't depend on external fixtures becaused we want this to be a smoke test that clearly indicates when a (seemingly unrelated) change in Elasticsearch has unintended consequences on realms. The use of external dependencies would increase the number of things that could go wrong and move this from a smoke test to a potentially noisy integration test. Backport of: #68881
This changes adds a new QA test that runs a smoke test on a node that has been configured with one realm of each type. Not all of the realms work, because some of them would depend on external fixtures (LDAP, SAML, etc) and this particularly test suite is intended to be as stable as possible and have no external dependencies. The primary purpose of this test is to catch any issues that prevent a node from starting with particular realms configurd (e.g. security manager or classpath issues). We don't depend on external fixtures becaused we want this to be a smoke test that clearly indicates when a (seemingly unrelated) change in Elasticsearch has unintended consequences on realms. The use of external dependencies would increase the number of things that could go wrong and move this from a smoke test to a potentially noisy integration test. Backport of: #68881
6 participants
This changes adds a new QA test that runs a smoke test on a node that
has been configured with one realm of each type.
Not all of the realms work, because some of them would depend on
external fixtures (LDAP, SAML, etc) and this particularly test suite
is intended to be as stable as possible and have no external
dependencies.
The primary purpose of this test is to catch any issues that prevent
a node from starting with particular realms configured (e.g. security
manager or classpath issues). We don't depend on external fixtures
because we want this to be a smoke test that clearly indicates when a
(seemingly unrelated) change in Elasticsearch has unintended
consequences on realms. The use of external dependencies would
increase the number of things that could go wrong and move this from a
smoke test to a potentially noisy integration test.
Relates: #68838, #68872