[FTR] enable roles management testing for Observability project #196514
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dmlemeshko
commented
Oct 16, 2024
| @@ -53,6 +53,8 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) { | |||
| if (roleAuthc) { | |||
| await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc); | |||
| } | |||
| // delete custom role | |||
| await samlAuth.deleteCustomRole(); | |||
There was a problem hiding this comment.
we need to delete role, because platform security tests validate security roles UI and roles list.
dmlemeshko
commented
Oct 16, 2024
Comment on lines
+76
to
+78
| // TODO: 'Add data' and 'Project Settings' should be hidden | ||
| // await testSubjects.missingOrFail('~nav-item-id-observabilityOnboarding'); | ||
| // await testSubjects.missingOrFail('~nav-item-id-project_settings_project_nav'); |
There was a problem hiding this comment.
I believe both Add Data and Project Settings should be hidden when role has no access to it.
dmlemeshko
added
release_note:skip
| ); | ||
|
|
||
| // Return true if the value is explicitly set to 'true', otherwise false | ||
| return roleManagementArg?.split('=')[1] === 'true' || false; |
There was a problem hiding this comment.
Why is true a string literal, but false is a boolean?
There was a problem hiding this comment.
I get that coercion will make true become a boolean, but that's if coercion is used.
There was a problem hiding this comment.
we are looking for the exact --xpack.security.roleManagementEnabled=true match in Kibana server arguments to understand if roles management was explicitly enabled. I believe Kibana won't start if you try to pass this flag with something other than true or false
There was a problem hiding this comment.
I mean only 'true' is expected to enable the functionality, so I set flag to false for any other case (including argument is completely missing)
There was a problem hiding this comment.
So the return type of boolean, is only actually a boolean when it's false.
So if it's the string literal 'true' and not a boolean true, it seems like the return type should be false || 'true', and not boolean right?
I guess I'm used to seeing a boolean return type with all return calls being an actual boolean, not a string literal depending on type coercion.
Perhaps it's just a nit at this point.
There was a problem hiding this comment.
I don't think you can start Kibana with --xpack.security.roleManagementEnabled='true', schema validation won't allow it. I don't try validate the cases for Kibana server, I believe FTR won't even start if literal 'true' or 'false' will be in arguments
There was a problem hiding this comment.
I was right, there is no way to face literal 'true' in place:
proc [kibana] [2024-10-16T14:13:30.865+02:00][INFO ][root] Kibana is shutting down {"service":{"node":{"roles":["background_tasks","ui"]}}}
proc [kibana] [2024-10-16T14:13:30.884+02:00][FATAL][root] Reason: [config validation of [xpack.security].roleManagementEnabled]: expected value of type [boolean] but got [string]
proc [kibana] Error: [config validation of [xpack.security].roleManagementEnabled]: expected value of type [boolean] but got [string]
proc [kibana] at ObjectType.validate (type.ts:171:13)
proc [kibana] at ConfigService.validateAtPath (config_service.ts:334:19)
proc [kibana] at config_service.ts:354:28
proc [kibana] at /Users/dmle/github/kibana/node_modules/rxjs/src/internal/operators/map.ts:58:33
proc [kibana] at OperatorSubscriber._this._next (/Users/dmle/github/kibana/node_modules/rxjs/src/internal/operators/OperatorSubscriber.ts:70:13)
| await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc); | ||
| await samlAuth.deleteCustomRole(); |
There was a problem hiding this comment.
So now the devs have to make two extra calls to finish?
Possible to make this a single call?
There was a problem hiding this comment.
I don't think we need to combine it.
There is nothing new in the workflow: API key and Kibana role are 2 different entities and we already handle "cleaning" in stateful separately. In theory API key is still valid after role deletion and can be used on its own.
But now I realised it makes sense to delete cached cookie for custom role whenever setCustomRole or deleteCustomRole is called. Cookies are cached per role on the first call to speedup test execution, but as custom role is re-created we need to regenerate cookie as well. I will test it (maybe cookie will remains valid with new privileges in place) and address in the new PR
There was a problem hiding this comment.
small fix dbdcd59
tl; dr; generated cookie remains valid after role is re-created after deletion or its privileges were updated. I don't think we need a logic to drop it from cache at the moment
The change I did: we need to make sure descriptors is not null aka contains some valid privileges.
| .set(INTERNAL_REQUEST_HEADERS) | ||
| .set(adminCookieHeader); | ||
|
|
||
| expect(status).to.be(204); |
There was a problem hiding this comment.
If the status is not a 204, is it still possible that it was indeed deleted?
There was a problem hiding this comment.
Interesting point.
I guess both create and delete operations are tested within security plugin testing scope. 204 status is successful request by design, so I don't think we need an extra ES query to validate Kibana APIs did their job.
There was a problem hiding this comment.
btw I checked that it is deleted via UI, but I think we are good to rely on status code only
There was a problem hiding this comment.
Indeed, I was just wondering if that null assignment within the map symbol below could be a problem if the 204 check fails, but the item was actually deleted, then the map would be out of date and could be a difficult bug to track down.
But if you think it's a non-issue, I'm good with it.
There was a problem hiding this comment.
Aha, I didn't relate it to the supportedRoleDescriptors not being updated. You are right, we should re-set it for the following test file that might use custom roles as well. Let me have a look
There was a problem hiding this comment.
Moved before actual delete call bcfc49f
…m:dmlemeshko/kibana into ftr/support-custom-roles-for-oblt-project
jbudz
reviewed
Oct 16, 2024
| @@ -34,8 +34,18 @@ const getDefaultServerlessRole = (projectType: string) => { | |||
| } | |||
| }; | |||
|
|
|||
| const isRoleManagementExplicitlyEnabled = (args: string[]): boolean => { | |||
| const roleManagementArg = args.find((arg) => | |||
| arg.startsWith('--xpack.security.roleManagementEnabled=') | |||
There was a problem hiding this comment.
It may simplify things to pull in the getopts package for parsing these. I see --serverless is parsed similarly elsewhere, so don't see a need to change it now, but making a note in case we refactor later.
jbudz
approved these changes
Oct 16, 2024
mohamedhamed-ahmed
approved these changes
Oct 16, 2024
💚 Build Succeeded
Metrics [docs]
History
cc @dmlemeshko |
|
Starting backport for target branches: 8.16 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 18, 2024
…tic#196514) ## Summary This PR makes changes in FTR `saml_auth` service to allow creating custom role for Oblt serverless project, when roles management is explicitly enabled with `--xpack.security.roleManagementEnabled=true` in Kibana server arguments. I also added [role_management/custom_role_access.ts ](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts) as a test example. Currently roles management is enabled in `x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts` and after this PR is merged, more tests with custom roles can be added for Oblt project. How to run tests: ``` node scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts ``` (cherry picked from commit 16c965f)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 18, 2024
#196514) (#196862) # Backport This will backport the following commits from `main` to `8.16`: - [[FTR] enable roles management testing for Observability project (#196514)](#196514) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Dzmitry Lemechko","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-18T12:17:13Z","message":"[FTR] enable roles management testing for Observability project (#196514)\n\n## Summary\r\n\r\nThis PR makes changes in FTR `saml_auth` service to allow creating\r\ncustom role for Oblt serverless project, when roles management is\r\nexplicitly enabled with `--xpack.security.roleManagementEnabled=true` in\r\nKibana server arguments.\r\n\r\nI also added [role_management/custom_role_access.ts\r\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\r\nas a test example. Currently roles management is enabled in\r\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\r\nand after this PR is merged, more tests with custom roles can be added\r\nfor Oblt project.\r\n\r\nHow to run tests:\r\n\r\n```\r\nnode scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\r\n```","sha":"16c965f853f17565e2da996b1f2ab21e9e33a003","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","v8.16.0","backport:version"],"title":"[FTR] enable roles management testing for Observability project","number":196514,"url":"https://github.com/elastic/kibana/pull/196514","mergeCommit":{"message":"[FTR] enable roles management testing for Observability project (#196514)\n\n## Summary\r\n\r\nThis PR makes changes in FTR `saml_auth` service to allow creating\r\ncustom role for Oblt serverless project, when roles management is\r\nexplicitly enabled with `--xpack.security.roleManagementEnabled=true` in\r\nKibana server arguments.\r\n\r\nI also added [role_management/custom_role_access.ts\r\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\r\nas a test example. Currently roles management is enabled in\r\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\r\nand after this PR is merged, more tests with custom roles can be added\r\nfor Oblt project.\r\n\r\nHow to run tests:\r\n\r\n```\r\nnode scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\r\n```","sha":"16c965f853f17565e2da996b1f2ab21e9e33a003"}},"sourceBranch":"main","suggestedTargetBranches":["8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196514","number":196514,"mergeCommit":{"message":"[FTR] enable roles management testing for Observability project (#196514)\n\n## Summary\r\n\r\nThis PR makes changes in FTR `saml_auth` service to allow creating\r\ncustom role for Oblt serverless project, when roles management is\r\nexplicitly enabled with `--xpack.security.roleManagementEnabled=true` in\r\nKibana server arguments.\r\n\r\nI also added [role_management/custom_role_access.ts\r\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\r\nas a test example. Currently roles management is enabled in\r\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\r\nand after this PR is merged, more tests with custom roles can be added\r\nfor Oblt project.\r\n\r\nHow to run tests:\r\n\r\n```\r\nnode scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\r\n```","sha":"16c965f853f17565e2da996b1f2ab21e9e33a003"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Dzmitry Lemechko <[email protected]>
|
@dmlemeshko there's a version gap with this backport. Can you check if this should also be backported to 8.x/8.17? |
pheyos
added
v8.17.0
backport:version
|
Starting backport for target branches: 8.16, 8.x |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 25, 2024
…tic#196514) ## Summary This PR makes changes in FTR `saml_auth` service to allow creating custom role for Oblt serverless project, when roles management is explicitly enabled with `--xpack.security.roleManagementEnabled=true` in Kibana server arguments. I also added [role_management/custom_role_access.ts ](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts) as a test example. Currently roles management is enabled in `x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts` and after this PR is merged, more tests with custom roles can be added for Oblt project. How to run tests: ``` node scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts ``` (cherry picked from commit 16c965f)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 25, 2024
…#196514) (#197845) # Backport This will backport the following commits from `main` to `8.x`: - [[FTR] enable roles management testing for Observability project (#196514)](#196514) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Dzmitry Lemechko","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-18T12:17:13Z","message":"[FTR] enable roles management testing for Observability project (#196514)\n\n## Summary\r\n\r\nThis PR makes changes in FTR `saml_auth` service to allow creating\r\ncustom role for Oblt serverless project, when roles management is\r\nexplicitly enabled with `--xpack.security.roleManagementEnabled=true` in\r\nKibana server arguments.\r\n\r\nI also added [role_management/custom_role_access.ts\r\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\r\nas a test example. Currently roles management is enabled in\r\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\r\nand after this PR is merged, more tests with custom roles can be added\r\nfor Oblt project.\r\n\r\nHow to run tests:\r\n\r\n```\r\nnode scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\r\n```","sha":"16c965f853f17565e2da996b1f2ab21e9e33a003","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","v8.16.0","backport:version","v8.17.0"],"title":"[FTR] enable roles management testing for Observability project","number":196514,"url":"https://github.com/elastic/kibana/pull/196514","mergeCommit":{"message":"[FTR] enable roles management testing for Observability project (#196514)\n\n## Summary\r\n\r\nThis PR makes changes in FTR `saml_auth` service to allow creating\r\ncustom role for Oblt serverless project, when roles management is\r\nexplicitly enabled with `--xpack.security.roleManagementEnabled=true` in\r\nKibana server arguments.\r\n\r\nI also added [role_management/custom_role_access.ts\r\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\r\nas a test example. Currently roles management is enabled in\r\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\r\nand after this PR is merged, more tests with custom roles can be added\r\nfor Oblt project.\r\n\r\nHow to run tests:\r\n\r\n```\r\nnode scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\r\n```","sha":"16c965f853f17565e2da996b1f2ab21e9e33a003"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196514","number":196514,"mergeCommit":{"message":"[FTR] enable roles management testing for Observability project (#196514)\n\n## Summary\r\n\r\nThis PR makes changes in FTR `saml_auth` service to allow creating\r\ncustom role for Oblt serverless project, when roles management is\r\nexplicitly enabled with `--xpack.security.roleManagementEnabled=true` in\r\nKibana server arguments.\r\n\r\nI also added [role_management/custom_role_access.ts\r\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\r\nas a test example. Currently roles management is enabled in\r\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\r\nand after this PR is merged, more tests with custom roles can be added\r\nfor Oblt project.\r\n\r\nHow to run tests:\r\n\r\n```\r\nnode scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\r\n```","sha":"16c965f853f17565e2da996b1f2ab21e9e33a003"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/196862","number":196862,"state":"MERGED","mergeCommit":{"sha":"e42cc1f8a4246b4aa34191429b272174ed9f852b","message":"[8.16] [FTR] enable roles management testing for Observability project (#196514) (#196862)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.16`:\n- [[FTR] enable roles management testing for Observability project\n(#196514)](https://github.com/elastic/kibana/pull/196514)\n\n<!--- Backport version: 9.4.3 -->\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sqren/backport)\n\n<!--BACKPORT [{\"author\":{\"name\":\"Dzmitry\nLemechko\",\"email\":\"[email protected]\"},\"sourceCommit\":{\"committedDate\":\"2024-10-18T12:17:13Z\",\"message\":\"[FTR]\nenable roles management testing for Observability project\n(#196514)\\n\\n## Summary\\r\\n\\r\\nThis PR makes changes in FTR `saml_auth`\nservice to allow creating\\r\\ncustom role for Oblt serverless project,\nwhen roles management is\\r\\nexplicitly enabled with\n`--xpack.security.roleManagementEnabled=true` in\\r\\nKibana server\narguments.\\r\\n\\r\\nI also added\n[role_management/custom_role_access.ts\\r\\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\\r\\nas\na test example. Currently roles management is enabled\nin\\r\\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\\r\\nand\nafter this PR is merged, more tests with custom roles can be\nadded\\r\\nfor Oblt project.\\r\\n\\r\\nHow to run tests:\\r\\n\\r\\n```\\r\\nnode\nscripts/functional_tests --config\nx-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\\r\\n```\",\"sha\":\"16c965f853f17565e2da996b1f2ab21e9e33a003\",\"branchLabelMapping\":{\"^v9.0.0$\":\"main\",\"^v8.17.0$\":\"8.x\",\"^v(\\\\d+).(\\\\d+).\\\\d+$\":\"$1.$2\"}},\"sourcePullRequest\":{\"labels\":[\"release_note:skip\",\"v9.0.0\",\"v8.16.0\",\"backport:version\"],\"title\":\"[FTR]\nenable roles management testing for Observability\nproject\",\"number\":196514,\"url\":\"https://github.com/elastic/kibana/pull/196514\",\"mergeCommit\":{\"message\":\"[FTR]\nenable roles management testing for Observability project\n(#196514)\\n\\n## Summary\\r\\n\\r\\nThis PR makes changes in FTR `saml_auth`\nservice to allow creating\\r\\ncustom role for Oblt serverless project,\nwhen roles management is\\r\\nexplicitly enabled with\n`--xpack.security.roleManagementEnabled=true` in\\r\\nKibana server\narguments.\\r\\n\\r\\nI also added\n[role_management/custom_role_access.ts\\r\\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\\r\\nas\na test example. Currently roles management is enabled\nin\\r\\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\\r\\nand\nafter this PR is merged, more tests with custom roles can be\nadded\\r\\nfor Oblt project.\\r\\n\\r\\nHow to run tests:\\r\\n\\r\\n```\\r\\nnode\nscripts/functional_tests --config\nx-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\\r\\n```\",\"sha\":\"16c965f853f17565e2da996b1f2ab21e9e33a003\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[\"8.16\"],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v9.0.0\",\"branchLabelMappingKey\":\"^v9.0.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/196514\",\"number\":196514,\"mergeCommit\":{\"message\":\"[FTR]\nenable roles management testing for Observability project\n(#196514)\\n\\n## Summary\\r\\n\\r\\nThis PR makes changes in FTR `saml_auth`\nservice to allow creating\\r\\ncustom role for Oblt serverless project,\nwhen roles management is\\r\\nexplicitly enabled with\n`--xpack.security.roleManagementEnabled=true` in\\r\\nKibana server\narguments.\\r\\n\\r\\nI also added\n[role_management/custom_role_access.ts\\r\\n](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts)\\r\\nas\na test example. Currently roles management is enabled\nin\\r\\n`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`\\r\\nand\nafter this PR is merged, more tests with custom roles can be\nadded\\r\\nfor Oblt project.\\r\\n\\r\\nHow to run tests:\\r\\n\\r\\n```\\r\\nnode\nscripts/functional_tests --config\nx-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts\\r\\n```\",\"sha\":\"16c965f853f17565e2da996b1f2ab21e9e33a003\"}},{\"branch\":\"8.16\",\"label\":\"v8.16.0\",\"branchLabelMappingKey\":\"^v(\\\\d+).(\\\\d+).\\\\d+$\",\"isSourceBranch\":false,\"state\":\"NOT_CREATED\"}]}]\nBACKPORT-->\n\nCo-authored-by: Dzmitry Lemechko <[email protected]>"}},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Dzmitry Lemechko <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR makes changes in FTR
saml_authservice to allow creating custom role for Oblt serverless project, when roles management is explicitly enabled with--xpack.security.roleManagementEnabled=truein Kibana server arguments.I also added role_management/custom_role_access.ts as a test example. Currently roles management is enabled in
x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.tsand after this PR is merged, more tests with custom roles can be added for Oblt project.How to run tests: