[FTR] unify custom role name with Scout #217882
azasypkin
left a comment
LGTM from the security/consumer perspective, thanks! 🎖️
| checkRoleIsSupported(role: string): void { | ||
| if (!supportedRoles.includes(role)) { | ||
| throw new Error( |
question: If a developer sees this error message, how are they supposed to resolve it? If it's resolvable, we can hint at a solution in the error message (the same question for any other error message).
There was a problem hiding this comment.
Noted. I will add text with possible actions.
| async createM2mApiKeyWithRoleScope(role: string): Promise<RoleCredentials> { | ||
| this.checkRoleIsSupported(role); | ||
| if (role === CUSTOM_ROLE && !isCustomRoleEnabled) { |
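Review bot: The `role === CUSTOM_ROLE && !isCustomRoleEnabled` guard sits only in `createM2mApiKeyWithRoleScope`, after `this.checkRoleIsSupported(role)`, so any other caller of `checkRoleIsSupported` would not get the disabled-custom-role restriction, and which error is raised first here depends on the contents of `supportedRoles`. Consider moving the guard into `checkRoleIsSupported` so there is a single validation path, and renaming the flag so it is clear that it gates use of the custom role in this run rather than the existence of the role.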
nit: the name of this flag and error message are a bit confusing. Is it supposed to check that the legacy/deprecated/static/fixed "customRole" custom role is enabled? Right now it feels like it's checking whether any custom role support is enabled or not. But it can just be me, so feel free to ignore.
Also, maybe this check should happen before this.checkRoleIsSupported(role);?
There was a problem hiding this comment.
isCustomRoleEnabled is an FTR internal flag to restrict custom role usage in Oblt serverless projects, unless it is explicitly enabled with a server argument in the config file. I agree, moving the check to checkRoleIsSupported makes sense.
| role === CUSTOM_ROLE | ||
| ? `Before creating API key for '${CUSTOM_ROLE}', use 'samlAuth.setCustomRole' to set the role privileges` | ||
| : `Cannot create API key for non-existent role "${role}"` | ||
| : `Cannot create API key for role "${role}", role descriptor not found` |
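Review bot: The messages in this ternary quote the role name inconsistently, `'${CUSTOM_ROLE}'` in single quotes and `"${role}"` in double quotes, and "role descriptor not found" does not say where the descriptor was looked up. Pick one quoting style and name the lookup location in the message so the failure can be acted on from the log alone.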
question: not found, not found where? (re: my question about making error messages more actionable and helpful) 🙂
| ({ log, config, esClient, kbnClient }, use, workerInfo) => { | ||
| let customRoleHash = ''; | ||
| const customRoleName = `custom_role_worker_${workerInfo.parallelIndex}`; | ||
| /** |
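Review bot: In `custom_role_worker_${workerInfo.parallelIndex}`, if `workerInfo` is Playwright's `WorkerInfo`, `parallelIndex` starts at 0, so the first worker resolves to `custom_role_worker_0`, while the `user_roles.json` example in the PR summary starts at `custom_role_worker_1`. Either add 1 to the index or document that the entries are zero-based, so that a missing credentials entry is not discovered only at login time.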
Thanks for adding a comment 🎖️
…hko/kibana into unify-ftr-custom-role-with-scout
…s/services/saml_auth/saml_auth_provider.ts Co-authored-by: Cesare de Cal <cesare.decal@elastic.co>
…hko/kibana into unify-ftr-custom-role-with-scout
…hko/kibana into unify-ftr-custom-role-with-scout
LGTM. Dima and I confirmed that FTR handles both of these cases correctly:
- ✅ The custom role already exists in the Kibana project → FTR updates the role descriptors.
- ✅ The custom role doesn't exist in the Kibana project → FTR creates the role and sets its role descriptors.
In both cases:
- The custom role is deleted in the after block of the test suite. (Note: Scout behaves slightly differently—it doesn't delete the role at the end of the test and only updates the descriptors if they’ve changed. This may change in the future.)
- We observed that the Elastic Cloud user keeps the custom role assignment (as expected), even after the role itself is deleted from the project. The role assignment persists across test runs.
ElenaStoeva
left a comment
Data streams test changes lgtm.
💔 Build Failed
szwarckonrad
left a comment
SecSol change LGTM.
CC @janmonschke since you authored the modified lines
Starting backport for target branches: 8.x, 9.0 https://github.com/elastic/kibana/actions/runs/14451761445
## Summary
In QAF, David added the possibility to spin up an MKI project with a custom role
set and ready to use.
Originally, FTR was using the reserved name `'customRole'` for the internal
Kibana role to be mapped with the native custom role in the project.
Both Scout and FTR use `kbn/test` to simulate SAML authentication, but
the new framework will allow running the tests in parallel. That said, we
need to support multiple custom role credentials (one pair per worker)
and for simplicity we decided to use the same keys:
To run your tests locally against MKI, you need to add a new Cloud user
entry in `user_roles.json`:
```
"custom_role_worker_1": { "username": ..., "password": ... }, // FTR requires only the first entry
"custom_role_worker_2": { "username": ..., "password": ... },
...
```
The test change is minimal:
<img width="559" alt="image"
src="https://github.com/user-attachments/assets/572103a3-13b2-4e6c-b9d2-5e55b03ac51c"
/>
---------
Co-authored-by: Cesare de Cal <cesare.decal@elastic.co>
(cherry picked from commit c4a97e5)
💔 Some backports could not be created
# Backport
This will backport the following commits from `main` to `9.0`:
- [[FTR] unify custom role name with Scout (#217882)](#217882)
Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
(cherry picked from commit c4a97e5)
# Conflicts:
# x-pack/test/spaces_api_integration/deployment_agnostic/services/role_scoped_supertest.ts
💚 All backports created successfully
# Backport
This will backport the following commits from `main` to `8.x`:
- [[FTR] unify custom role name with Scout (#217882)](#217882)
