[FTR] support custom native roles in serverless tests #194677
dmlemeshko merged 28 commits into elastic:main
| ...(role === CUSTOM_ROLE | ||
| ? { kibana_role_descriptors: roleDescriptors } | ||
| : { role_descriptors: roleDescriptors }), |
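Review bot: the ternary on `role === CUSTOM_ROLE` switches the request body key between `kibana_role_descriptors` and `role_descriptors` with no comment saying why the custom role needs a different key. Add a one-line comment above the spread stating the reason, so a later cleanup does not collapse the two branches into one.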
I was getting a 400 status code while trying to send a payload with role_descriptors for the custom role. I searched in the Kibana repo for some code examples and found schema validation for kibana_role_description: https://github.com/elastic/kibana/blob/main/x-pack/packages/security/plugin_types_server/src/authentication/api_keys/api_keys.ts#L29-L36
Would be good if @jeramysoucy or @azasypkin can confirm I'm doing it correctly.
…ko/kibana into ftr/support-custom-native-roles
| // skipped, see https://github.com/elastic/kibana/issues/194933 | ||
| describe.skip('disabled', () => { |
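Review bot: the comment above `describe.skip('disabled', ...)` gives only an issue URL. State in a few words why the suite is skipped and what has to change before it is re-enabled, so the skip is not left behind once the linked issue is closed.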
@elastic/kibana-security This suite is failing because APIs are no longer disabled. I opened #194933 to track test migration from feature flag config to the regular one.
jeramysoucy left a comment
Looks great, Dima! Just left some informational comments.
| // custom native roles are enabled only for search and security projects | ||
| ...(options.serverlessProject !== 'oblt' | ||
| ? ['--xpack.security.roleManagementEnabled=true'] | ||
| : []), |
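Review bot: the condition `options.serverlessProject !== 'oblt'` turns on `--xpack.security.roleManagementEnabled=true` for every project type other than 'oblt', while the comment above it says only search and security projects. An explicit allow-list of those two project types would match the comment and keep the flag off for any project type added later.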
Just leaving myself a note that this (an equivalent in functional and agnostic test configs) can be removed once #195584 is merged.
| // skipped, see https://github.com/elastic/kibana/issues/194933 | ||
| describe.skip('disabled', () => { |
| }); | ||
|
|
||
| it('should login successfully', async () => { | ||
| await pageObjects.svlCommonPage.loginWithCustomRole(); |
Nit: are the following two test cases dependent on this one? Could move login to the before block, or duplicate in the following cases.
good point, I will update it.
💛 Build succeeded, but was flaky
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11294823185
💔 All backports failed
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
## Summary
This PR updates FTR services to support authentication with a custom
native role. A few notes:
- for compatibility with MKI we reserve **"customRole"** as a custom
role name used in tests
- test user is **automatically assigned** to this role, but before login
in browser/ generating cookie header or API key in each test suite
**role privileges must be updated according to the test scenario**
How to test:
I added a new test file for Search project:
`x-pack/test_serverless/functional/test_suites/search/custom_role_access.ts`
It can be run locally with:
```
node scripts/functional_tests --config=x-pack/test_serverless/functional/test_suites/search/config.ts --grep "With custom role"
```
FTR UI test example:
```ts
// First set privileges for custom role
await samlAuth.setCustomRole({
  elasticsearch: {
    indices: [{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata'] }],
  },
  kibana: [
    {
      feature: {
        discover: ['read'],
      },
      spaces: ['*'],
    },
  ],
});
// Then you can login in browser as a user with newly defined privileges
await pageObjects.svlCommonPage.loginWithCustomRole();
```
FTR api_integration test example:
```ts
// First set privileges for custom role
await samlAuth.setCustomRole({
  elasticsearch: {
    indices: [{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata'] }],
  },
  kibana: [
    {
      feature: {
        discover: ['read'],
      },
      spaces: ['*'],
    },
  ],
});
// Then you can generate an API key with newly defined privileges
const roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
// Don't forget to invalidate the API key in the end
await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);
```
(cherry picked from commit f00ac7a)
# Conflicts:
# packages/kbn-ftr-common-functional-services/services/saml_auth/serverless/auth_provider.ts
# packages/kbn-ftr-common-functional-services/services/saml_auth/stateful/auth_provider.ts
# x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts
# x-pack/test_serverless/functional/config.base.ts
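The set-privileges, create-key, invalidate sequence from the api_integration example above, wrapped so the key is invalidated even when the test body throws. This is an added example, not code from the PR or from Kibana; `withCustomRoleApiKey`, the `SamlAuthLike` interface and the in-memory fake are hypothetical, and the method signatures are assumed from the calls shown on this page.

```typescript
// Added example, not Kibana code. The three method names come from this page;
// their TypeScript signatures are assumptions.
interface CustomRoleDescriptor {
  elasticsearch: { indices: Array<{ names: string[]; privileges: string[] }> };
  kibana: Array<{ feature: Record<string, string[]>; spaces: string[] }>;
}

interface SamlAuthLike<K> {
  setCustomRole(descriptor: CustomRoleDescriptor): Promise<void>;
  createM2mApiKeyWithRoleScope(role: string): Promise<K>;
  invalidateM2mApiKeyWithRoleScope(roleAuthc: K): Promise<void>;
}

// Hypothetical helper: define the role, create a key, run the body, and
// invalidate the key even if the body throws.
async function withCustomRoleApiKey<K, T>(
  samlAuth: SamlAuthLike<K>,
  descriptor: CustomRoleDescriptor,
  body: (roleAuthc: K) => Promise<T>
): Promise<T> {
  // Privileges must be set before the key is generated.
  await samlAuth.setCustomRole(descriptor);
  const roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
  try {
    return await body(roleAuthc);
  } finally {
    await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);
  }
}

// Constructed in-memory stand-in for the FTR service so the block runs offline.
interface FakeKey { id: string }

function makeFakeSamlAuth() {
  const calls: string[] = [];
  const liveKeys: string[] = [];
  const samlAuth: SamlAuthLike<FakeKey> = {
    async setCustomRole() {
      calls.push('setCustomRole');
    },
    async createM2mApiKeyWithRoleScope(role) {
      calls.push('create:' + role);
      const key = { id: 'key-' + (liveKeys.length + 1) };
      liveKeys.push(key.id);
      return key;
    },
    async invalidateM2mApiKeyWithRoleScope(roleAuthc) {
      calls.push('invalidate:' + roleAuthc.id);
      const i = liveKeys.indexOf(roleAuthc.id);
      if (i >= 0) liveKeys.splice(i, 1);
    },
  };
  return { samlAuth, calls, liveKeys };
}

// Descriptor values copied from the example on this page.
const discoverReadOnly: CustomRoleDescriptor = {
  elasticsearch: {
    indices: [{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata'] }],
  },
  kibana: [{ feature: { discover: ['read'] }, spaces: ['*'] }],
};

// A test body that fails: the error must propagate and no key may stay live.
async function demoFailingSuite() {
  const { samlAuth, calls, liveKeys } = makeFakeSamlAuth();
  let error = '';
  try {
    await withCustomRoleApiKey(samlAuth, discoverReadOnly, async () => {
      throw new Error('assertion failed in test body');
    });
  } catch (e) {
    error = (e as Error).message;
  }
  return { calls, liveKeys, error };
}

demoFailingSuite().then((r) => console.log(r.calls.join(' -> '), '| live keys:', r.liveKeys.length));
```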
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.
…#196351)
# Backport
This will backport the following commits from `main` to `8.x`:
- [[FTR] support custom native roles in serverless tests (#194677)](#194677)
…ests (#206129)
## Summary
Solves: elastic/security-team#11464
In this PR we are adding the capability to use custom roles for serverless Cypress tests. To do so, we are leveraging the solution proposed in: #194677, meaning that currently we have the same restrictions, therefore, custom roles cannot be used yet in MKI environments.
### Creating a Custom Role
To create a custom role, use the Cypress task `createServerlessCustomRole`. This task requires two parameters:
- **`roleDescriptor`**: Defines the permissions and access for the role.
- **`roleName`**: A unique name for the custom role.
Example:
```typescript
const roleDescriptor = {
  elasticsearch: {
    cluster: ['monitor'],
    indices: [{ names: ['*'], privileges: ['read'] }],
  },
  kibana: [
    {
      base: ['all'],
      feature: {},
      spaces: ['*'],
    },
  ],
};

cy.task('createServerlessCustomRole', { roleDescriptor, roleName: 'customRole' });
```
### Using a Custom Role
Once the custom role is created, you can log in to the application using your regular `login` method and passing the name of the role.
```typescript
login('customRole');
```
### Deleting a Custom Role
After your tests, always delete the custom role to ensure a clean environment. Use the `deleteServerlessCustomRole` task and provide the name of the role as the parameter.
```typescript
cy.task('deleteServerlessCustomRole', 'customRole');
```
### Full workflow
Here’s the complete workflow for creating, using, and deleting a custom role:
```typescript
const roleDescriptor = {
  elasticsearch: {
    cluster: ['monitor'],
    indices: [{ names: ['*'], privileges: ['read'] }],
  },
  kibana: [
    {
      base: ['all'],
      feature: {},
      spaces: ['*'],
    },
  ],
};

before(() => {
  cy.task('createServerlessCustomRole', { roleDescriptor, roleName: 'customRole' });
});

beforeEach(() => {
  login('customRole');
});

after(() => {
  cy.task('deleteServerlessCustomRole', 'customRole');
});
```
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…ress tests (#206129) (#206451)
# Backport
This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Supports custom roles in serverless for Cypress tests (#206129)](#206129)
Co-authored-by: Gloria Hornero <gloria.hornero@elastic.co>