[Meta] FTR configurable test users for xpack #60815

Closed
68 tasks done
rashmivkulkarni opened this issue Mar 20, 2020 · 5 comments
Labels
automation Meta Team:QA Team label for QA Team

Comments

@rashmivkulkarni
Contributor

rashmivkulkarni commented Mar 20, 2020

fixes: #26937
Reference for OSS tests: #52431
Objective:
We should run all CI tests with security enabled and with a user who has the minimal documented privileges to allow them to be successful.

Describe a specific use case for the feature:
The x-pack tests already do run with security enabled but the test_user has the superuser role.

This issue tries to eliminate the usage of superuser role in the tests and instead use the right set of roles and privileges required to run the tests.

Here I have listed the xpack apps which currently run as superuser. Each of the tests in these apps needs to be run as a test_user with the right set of roles and privileges.
These tests exclude feature controls tests.

As an example, the xpack tests under api_keys and dashboard_view_mode.js have been modified to run as a test_user with the right set of roles and privileges.

Please Note: This requires contribution from all teams.




cc @elastic/kibana-qa

@rashmivkulkarni rashmivkulkarni added Team:QA Team label for QA Team Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! automation labels Mar 20, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@elasticmachine
Contributor

Pinging @elastic/kibana-qa (Team:QA)

@legrego
Member

legrego commented Mar 23, 2020

Thanks for this @Rasroh! #52431 was a great step forward in making sure we're running with the minimal set of documented Elasticsearch Privileges, but we should also keep Kibana Privileges in mind when designing these tests going forward.

#52431 specifies a set of roles with specific cluster/index privileges, but from what I can tell, each test still runs with the kibana_admin/kibana_user role applied. This means that all tests will be run with full read/write access to Kibana, which goes against the stated objective above of

We should run all CI tests with security enabled and with a user who has the minimal documented privileges to allow them to be successful.

For example, to test that the dashboard application works correctly for read/write access, you would want a user with a role similar to the following:

{
  "name": "test_dashboard_user_role",
  "elasticsearch": {
    "cluster": [],
    "indices": [{
      "names": ["kibana-sample-data-*"],
      "privileges": ["read", "view_index_metadata"]
    }],
    "run_as": []
  },
  "kibana": [{
    "spaces": ["*"],
    "feature": {
      "dashboard": ["all"]
    }
  }]
}
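
One way to enforce the stated objective in CI, as an added example that is not part of the original thread or of Kibana's code: an audit that flags a test user still holding superuser, kibana_admin or kibana_user, or a custom role with wildcard grants. The function names, the rule set and the second sample role are assumptions made for illustration.

```javascript
// Added example, not Kibana code. The rules below are assumptions drawn from this thread.
const BROAD_ROLES = new Set(["superuser", "kibana_admin", "kibana_user"]);

// Flag grants in one role definition (shape as in the comment above) that exceed least privilege.
function auditRole(role) {
  const out = [];
  const es = role.elasticsearch || {};
  if ((es.cluster || []).includes("all")) out.push(`${role.name}: cluster privilege "all"`);
  for (const idx of es.indices || []) {
    const names = idx.names || [];
    if (names.includes("*")) out.push(`${role.name}: index pattern "*" matches every index`);
    if ((idx.privileges || []).includes("all")) out.push(`${role.name}: index privilege "all" on ${names.join(",")}`);
  }
  if ((es.run_as || []).length > 0) out.push(`${role.name}: run_as is set`);
  for (const entry of role.kibana || []) {
    if ((entry.base || []).length > 0) out.push(`${role.name}: Kibana base privilege spans every feature`);
  }
  return out;
}

// Audit a test user: broad built-in roles, plus each custom role assigned to it.
function auditTestUser(user, roleDefs) {
  const out = [];
  for (const name of user.roles) {
    if (BROAD_ROLES.has(name)) out.push(`${user.username}: broad built-in role "${name}"`);
    else if (roleDefs[name]) out.push(...auditRole(roleDefs[name]));
    else out.push(`${user.username}: role "${name}" has no definition to audit`);
  }
  return out;
}

// Sample data: the first role is the one from the comment; the second is constructed.
const SAMPLE_ROLES = {
  test_dashboard_user_role: {
    name: "test_dashboard_user_role",
    elasticsearch: { cluster: [], indices: [{ names: ["kibana-sample-data-*"], privileges: ["read", "view_index_metadata"] }], run_as: [] },
    kibana: [{ spaces: ["*"], feature: { dashboard: ["all"] } }],
  },
  constructed_broad_role: {
    name: "constructed_broad_role",
    elasticsearch: { cluster: ["all"], indices: [{ names: ["*"], privileges: ["all"] }], run_as: [] },
    kibana: [{ spaces: ["*"], base: ["all"], feature: {} }],
  },
};

console.log(auditTestUser({ username: "test_user", roles: ["test_dashboard_user_role"] }, SAMPLE_ROLES));
console.log(auditTestUser({ username: "test_user", roles: ["superuser", "constructed_broad_role"] }, SAMPLE_ROLES));
```

An empty result means the user passed every rule; a CI step could fail the run on any non-empty result.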

@rashmivkulkarni
Contributor Author

Good suggestion, Larry. As we do new tests, we shall make it more granular like the example shared above. For the older tests, it needs to be dealt with as a separate PR.

@cuff-links
Contributor

All of the existing items have been completed. If there's any follow-up work, please open a new meta issue.
