Test PR to run security integ tests #1179

Closed

@cwperks cwperks commented Jul 18, 2024

Description

Testing a small change to see how it affects security CI checks

Issues Resolved

[List any issues this PR will resolve]

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

cwperks commented Jul 18, 2024

FYI: The security plugin's main branch targets JDK 21 only. For the main branch, you can remove 11 and 17 from the matrix.

cwperks commented Jul 18, 2024

Looks like this fixed the CI check.

Make sure that your plugin wraps all instances of interactions with a system index in:

try (StoredContext ctx = threadContext.stashContext()) {
    // Interact with system index here
}

This change is going into 2.16 and it looks like it broke the tests here.

The reason why this was working <= 2.15 is because security was only considering this list of system indices and the SAP Threat intel index was not tracked in that list.

From 2.16 onwards, all system indices registered via SystemIndexPlugin.getSystemIndexDescriptor will also get system index protection from the security plugin by default.

System indices have special protections which block regular users from performing actions like writing and deleting. Read operations are also blanked out to not reveal data from system indices for regular users (regular meaning anything other than admin cert).

In 2.15 and below, the Threat intel index was being treated as a normal index and operations were being authorized to the index as a normal index. If your security tests are running as admin this issue would not have been caught since admin can do all actions on all regular indices.
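
An added example, not part of the original comment or of either plugin's code: one way to route every write to a plugin's system index through a single helper that applies the `stashContext()` wrapper described above and also restores the caller's context before the asynchronous callback runs. The class name `SystemIndexWriter` and the index name are hypothetical, and the import paths assume OpenSearch 2.x.

```java
import java.util.Map;

import org.opensearch.action.index.IndexRequest;
import org.opensearch.action.index.IndexResponse;
import org.opensearch.client.Client;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.core.action.ActionListener;

/** Hypothetical helper: the only class in the plugin that writes to its system index. */
public class SystemIndexWriter {

    // Placeholder name; use the index your plugin registers as a system index.
    private static final String SYSTEM_INDEX = ".example-plugin-system-index";

    private final Client client;

    public SystemIndexWriter(Client client) {
        this.client = client;
    }

    /**
     * Indexes one document into the system index.
     * Inside the try block the request is no longer evaluated as the calling
     * user, so check the caller's permissions before reaching this method.
     */
    public void save(String id, Map<String, Object> doc, ActionListener<IndexResponse> listener) {
        ThreadContext threadContext = client.threadPool().getThreadContext();
        try (ThreadContext.StoredContext ctx = threadContext.stashContext()) {
            IndexRequest request = new IndexRequest(SYSTEM_INDEX).id(id).source(doc);
            // client.index() returns immediately; the response arrives later on
            // another thread. runBefore() restores the caller's original context
            // there, so the listener does not keep running with the stashed one.
            client.index(request, ActionListener.runBefore(listener, ctx::restore));
        } catch (Exception e) {
            // Report synchronous failures (for example, request validation)
            // through the same listener the caller is already waiting on.
            listener.onFailure(e);
        }
    }
}
```

Keeping the wrapper in one helper makes it easy to audit which code paths reach the system index with the user's context stashed.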
