Skip to content

[Failure Store] Test API keys and skip_unavailable with RCS1 #125782

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 38 commits into from
Apr 9, 2025
Merged

[Failure Store] Test API keys and skip_unavailable with RCS1 #125782

merged 38 commits into from
Apr 9, 2025

Conversation

slobodanadamovic
Copy link
Contributor

@slobodanadamovic slobodanadamovic commented Mar 27, 2025
edited
Loading

Adjust existing RCS1 tests to randomize using API keys for authorization
and skip_unavailable setting.

Followup on #125252

slobodanadamovic and others added 30 commits March 19, 2025 06:49
@slobodanadamovic
Prevent usage of :: selectors for remote cluster requests
2bc0e99
@slobodanadamovic
fail only if ::failures selector is used
fc2271c
@slobodanadamovic
cleanup and extend existing rest IT
ba976a9
@slobodanadamovic
Merge branch 'main' into sa-prevent-using-selectors-for-ccs-ccr
f6c96e2
@slobodanadamovic
test ccs with rcs1
5bc46b5
@slobodanadamovic
nit
e92ffde
@slobodanadamovic
remove remote_indices - not relevant for RCS1 test case
29de669
@slobodanadamovic
test CCS with RCS2
eaf9a01
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into sa-preve…
41da2e6 
…nt-using-selectors-for-ccs-ccr
@slobodanadamovic
cleanup tests, handle edge cases with ccs_minimize_roundtrips
4e366ed
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into sa-preve…
542aa54 
…nt-using-selectors-for-ccs-ccr
@slobodanadamovic
more test users
816d919
@slobodanadamovic
fix assertion
7dc89d4
@slobodanadamovic
test direct access to backing failure index for other users
26e8ae3
@slobodanadamovic
fix assertion
9c3d0d7
@slobodanadamovic
fix another assertion
e8a4b96
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into sa-preve…
6c8eee8 
…nt-using-selectors-for-ccs-ccr
@slobodanadamovic
bring back selector validation inline
6d5293f
@slobodanadamovic
refactor to reuse selector validation
fd1a0e5
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into sa-preve…
c88a35f 
…nt-using-selectors-for-ccs-ccr
@slobodanadamovic
more tests
1bd03a6
@slobodanadamovic
more tests 2
0dd4053
@slobodanadamovic
more test coverage
f085835
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into sa-preve…
446f8b6 
…nt-using-selectors-for-ccs-ccr
@elasticsearchmachine
[CI] Auto commit changes from spotless
62664ac
@slobodanadamovic
prevent using ::data selector as well
0fe3ec5
@slobodanadamovic
Merge branch 'main' into sa-prevent-using-selectors-for-ccs-ccr
ae8cc1a
@slobodanadamovic
consolidate error messages and exceptions thrown
4baa39a
@slobodanadamovic
fix failing test
5811200
@slobodanadamovic
Merge branch 'main' into sa-prevent-using-selectors-for-ccs-ccr
bc0a5b5
@slobodanadamovic slobodanadamovic added >test Issues or PRs that are addressing/adding tests :Security/Security Security issues without another label Team:Security Meta label for security team auto-backport Automatically create backport pull requests when merged v8.19.0 v9.1.0 labels Mar 27, 2025
@slobodanadamovic slobodanadamovic self-assigned this Mar 27, 2025
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into sa-test-…
d7aa1dc 
…ccs-with-api-keys

# Conflicts:
#	x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/AbstractRemoteClusterSecurityFailureStoreRestIT.java
#	x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1FailureStoreRestIT.java
slobodanadamovic
slobodanadamovic commented Mar 28, 2025
View reviewed changes
.../java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1FailureStoreRestIT.java
public void testRCS1CrossClusterSearch() throws Exception {
final boolean rcs1Security = true;
final boolean isProxyMode = randomBoolean();
final boolean skipUnavailable = false; // we want to get actual failures and not skip and get empty results
final boolean skipUnavailable = randomBoolean();
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressing this suggestion: https://github.com/elastic/elasticsearch/pull/125252/files#r2010058827

The result does come empty, but it also contains failure reason per remote cluster. Which is what I'm asserting on.

slobodanadamovic
slobodanadamovic commented Mar 28, 2025
View reviewed changes
.../java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1FailureStoreRestIT.java
assertOK(client().performRequest(indexDocRequest));
}

private static void setupUserAndRoleOnQueryCluster() throws IOException {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes are mostly refactorings in order to reuse the role definitions when creating API keys.

slobodanadamovic
slobodanadamovic commented Mar 28, 2025
View reviewed changes
.../java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1FailureStoreRestIT.java
"names": ["local_index"],
"privileges": ["read"]
},
{
Copy link
Contributor Author

@slobodanadamovic slobodanadamovic Mar 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The roles on query cluster now include index privileges which were previously only defined on fulfilling cluster. This is needed, because API keys are created on query cluster for each user. Without this, API keys would be useless as they would not have any privilege to access, because their roles are limited-by owning user's privileges.

@slobodanadamovic slobodanadamovic requested review from Copilot and n1v0lg and removed request for Copilot March 28, 2025 09:23
@slobodanadamovic slobodanadamovic marked this pull request as ready for review March 28, 2025 09:23
Copilot

This comment was marked as off-topic.

Sign in to view

@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

n1v0lg
n1v0lg approved these changes Apr 9, 2025
View reviewed changes
Copy link
Contributor

@n1v0lg n1v0lg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@slobodanadamovic slobodanadamovic merged commit d12eb8d into elastic:main Apr 9, 2025
22 checks passed
slobodanadamovic added a commit to slobodanadamovic/elasticsearch that referenced this pull request Apr 9, 2025
@slobodanadamovic
[Failure Store] Test API keys and skip_unavailable with RCS1 (elastic…
0086860 
…#125782)

Adjust existing RCS1 tests to randomize using API keys for authorization
and `skip_unavailable` setting.

Followup on elastic#125252
@slobodanadamovic slobodanadamovic mentioned this pull request Apr 9, 2025
Merged
@elasticsearchmachine
Copy link
Collaborator

💚 Backport successful

Status Branch Result
8.x

elasticsearchmachine pushed a commit that referenced this pull request Apr 9, 2025
@slobodanadamovic
[Failure Store] Test API keys and skip_unavailable with RCS1 (#125782) (
2e385d3 
#126555)

Adjust existing RCS1 tests to randomize using API keys for authorization
and `skip_unavailable` setting.

Followup on #125252
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@n1v0lg n1v0lg n1v0lg approved these changes

Assignees

@slobodanadamovic slobodanadamovic

Labels
auto-backport Automatically create backport pull requests when merged :Security/Security Security issues without another label Team:Security Meta label for security team >test Issues or PRs that are addressing/adding tests v8.19.0 v9.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@slobodanadamovic @elasticsearchmachine @n1v0lg