use roles.yml from kbn/es for security solution tests #201228
Conversation
dmlemeshko
added
release_note:skip
There was a problem hiding this comment.
Hey @dmlemeshko ,
although our team initially created this module, we are no longer using it for Elastic Defend flows. Looking around at the files in the directory, looks like the following teams might be using it:
- Security Solution Cloud Security Posture team
- Security Solution cases team
- Maybe OSQuery - @tomsonpl or @szwarckonrad maybe you can check?
Thank you, Paul. |
There was a problem hiding this comment.
Thank you for addressing this. I believe this change will not affect the current osquery Cypress tests, but to be safe, let’s run them before merging. Unless @tomsonpl sees any reason not to.
|
Good idea @szwarckonrad, let's wait for the test results and 🚢 🇮🇹 :) |
| ADMIN = 'admin', // default Cloud role | ||
| SUPERUSER = 'system_indices_superuser', // this role is used to clean up the environment only and should | ||
| // not be used in any tests |
There was a problem hiding this comment.
@tomsonpl @szwarckonrad This should fix the failures.
admin is Cloud default role, available both in serverless and ess deployments. It is a role that org owner got assigned and completely valid one to use in tests. But obviously the goal is to test features with minimal required role and admin is the last in the list.
system_indices_superuser is temporary solution while some Security solution teams didn't fix their tests, e.g. cloud security posture API tests depend on it. This role does not exist on MKI and tests using it might fail on MKI. We have a plan to remove it asap, but for now it has to stay to unblock testing in Kibana CI.
Summary
I recently discovered that some Cypress tests has its own realm default roles in
x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.ymland I think it might be easy to support a single roles file shared across multiple test configs/frameworks and track changes update from controller.