Skip to content

Commit

Permalink
add DLS test
Browse files Browse the repository at this point in the history
  • Loading branch information
jakelandis committed Apr 11, 2024
1 parent 79fa902 commit a893be9
Showing 1 changed file with 101 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,11 @@ public class RemoteClusterSecurityEsqlIT extends AbstractRemoteClusterSecurityTe
{
"search": [
{
"names": ["index*", "not_found_index", "employees*"]
"names": ["index*", "not_found_index", "employees", "employees"]
},
{
"names": ["employees3"],
"query": {"term" : {"department" : "engineering"}}
}
]
}""");
Expand Down Expand Up @@ -208,6 +212,9 @@ public void populateData() throws Exception {
Request createIndex2 = new Request("PUT", "employees2");
createIndex2.setJsonEntity(employeesMapping);
assertOK(performRequestAgainstFulfillingCluster(createIndex2));
Request createIndex3 = new Request("PUT", "employees3");
createIndex3.setJsonEntity(employeesMapping);
assertOK(performRequestAgainstFulfillingCluster(createIndex3));
Request bulkRequest = new Request("POST", "/_bulk?refresh=true");
bulkRequest.setJsonEntity(Strings.format("""
{ "index": { "_index": "employees" } }
Expand All @@ -224,7 +231,14 @@ public void populateData() throws Exception {
{ "emp_id": "11", "department" : "engineering" }
{ "index": { "_index": "employees2" } }
{ "emp_id": "13", "department" : "sales" }
{ "index": { "_index": "employees2" } }
{ "index": { "_index": "employees3" } }
{ "emp_id": "21", "department" : "engineering" }
{ "index": { "_index": "employees3" } }
{ "emp_id": "23", "department" : "sales" }
{ "index": { "_index": "employees3" } }
{ "emp_id": "25", "department" : "engineering" }
{ "index": { "_index": "employees3" } }
{ "emp_id": "27", "department" : "sales" }
"""));
assertOK(performRequestAgainstFulfillingCluster(bulkRequest));

Expand All @@ -238,6 +252,9 @@ public void populateData() throws Exception {
createIndex2 = new Request("PUT", "employees2");
createIndex2.setJsonEntity(employeesMapping);
assertOK(adminClient().performRequest(createIndex2));
createIndex3 = new Request("PUT", "employees3");
createIndex3.setJsonEntity(employeesMapping);
assertOK(adminClient().performRequest(createIndex3));
bulkRequest = new Request("POST", "/_bulk?refresh=true");
bulkRequest.setJsonEntity(Strings.format("""
{ "index": { "_index": "employees" } }
Expand All @@ -252,6 +269,10 @@ public void populateData() throws Exception {
{ "emp_id": "10", "department" : "management"}
{ "index": { "_index": "employees2"} }
{ "emp_id": "12", "department" : "engineering"}
{ "index": { "_index": "employees3"} }
{ "emp_id": "20", "department" : "management"}
{ "index": { "_index": "employees3"} }
{ "emp_id": "22", "department" : "engineering"}
"""));
assertOK(client().performRequest(bulkRequest));

Expand Down Expand Up @@ -289,6 +310,7 @@ public void wipeData() throws Exception {
CheckedConsumer<RestClient, IOException> wipe = client -> {
performRequestWithAdminUser(client, new Request("DELETE", "/employees"));
performRequestWithAdminUser(client, new Request("DELETE", "/employees2"));
performRequestWithAdminUser(client, new Request("DELETE", "/employees3"));
performRequestWithAdminUser(client, new Request("DELETE", "/_enrich/policy/countries"));
};
wipe.accept(fulfillingClusterClient);
Expand Down Expand Up @@ -360,6 +382,83 @@ public void testCrossClusterQuery() throws Exception {
assertRemoteOnlyAgainst2IndexResults(response);
}

@SuppressWarnings("unchecked")
public void testCrossClusterQueryWithRemoteDLS() throws Exception {
configureRemoteCluster();
populateData();

// ensure user has access to the employees3 index
final var putRoleRequest = new Request("PUT", "/_security/role/" + REMOTE_SEARCH_ROLE);
putRoleRequest.setJsonEntity("""
{
"indices": [{"names": [""], "privileges": ["read_cross_cluster"]}],
"remote_indices": [
{
"names": ["employees*"],
"privileges": ["read"],
"clusters": ["my_remote_cluster"]
}
]
}""");
Response response = adminClient().performRequest(putRoleRequest);
assertOK(response);

response = performRequestWithRemoteSearchUser(esqlRequest("""
FROM my_remote_cluster:employees3
| SORT emp_id ASC
| LIMIT 10
| KEEP emp_id, department"""));
assertOK(response);

Map<String, Object> responseAsMap = entityAsMap(response);
List<?> columns = (List<?>) responseAsMap.get("columns");
List<?> values = (List<?>) responseAsMap.get("values");
assertEquals(2, columns.size());
assertEquals(2, values.size());
List<String> flatList = values.stream()
.flatMap(innerList -> innerList instanceof List ? ((List<String>) innerList).stream() : Stream.empty())
.collect(Collectors.toList());
// the APIKey has DLS set to : "query": {"term" : {"department" : "engineering"}}
assertThat(flatList, containsInAnyOrder("21", "25", "engineering", "engineering"));

// add DLS to the remote indices in the role to restrict access to only emp_id = 21
putRoleRequest.setJsonEntity("""
{
"indices": [{"names": [""], "privileges": ["read_cross_cluster"]}],
"remote_indices": [
{
"names": ["employees*"],
"privileges": ["read"],
"clusters": ["my_remote_cluster"],
"query": {"term" : {"emp_id" : "21"}}
}
]
}""");
response = adminClient().performRequest(putRoleRequest);
assertOK(response);

response = performRequestWithRemoteSearchUser(esqlRequest("""
FROM my_remote_cluster:employees3
| SORT emp_id ASC
| LIMIT 2
| KEEP emp_id, department"""));
assertOK(response);

responseAsMap = entityAsMap(response);
columns = (List<?>) responseAsMap.get("columns");
values = (List<?>) responseAsMap.get("values");
assertEquals(2, columns.size());
assertEquals(1, values.size());
flatList = values.stream()
.flatMap(innerList -> innerList instanceof List ? ((List<String>) innerList).stream() : Stream.empty())
.collect(Collectors.toList());
// the APIKey has DLS set to : "query": {"term" : {"department" : "engineering"}}
// AND this role has DLS set to: "query": {"term" : {"emp_id" : "21"}}
assertThat(flatList, containsInAnyOrder("21", "engineering"));
}

@SuppressWarnings("unchecked")
@AwaitsFix(bugUrl = "this trips ThreadPool.assertCurrentThreadPool(ThreadPool.Names.SEARCH_COORDINATION)")
// comment out those assertions in EsqlIndexResolver and TransportFieldCapabilitiesAction to see this test pass
Expand Down

0 comments on commit a893be9

Please sign in to comment.