Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[APM] Run API tests as restricted user #70050

Merged
merged 6 commits into from
Jun 29, 2020
Merged

[APM] Run API tests as restricted user #70050

merged 6 commits into from
Jun 29, 2020

Conversation

dgieselaar
Copy link
Member

Run API tests as a user that has the apm_user role and the kibana_admin role. These are (roughly) the minimum requirements for using APM.

@dgieselaar
[APM] Run API tests as restricted user
c56debf 
Run API tests as a user that has the apm_user role and the kibana_admin role. These are (roughly) the minimum requirements for using APM.
@dgieselaar dgieselaar added Team:APM All issues that need APM UI Team support release_note:skip Skip the PR/issue when compiling release notes v7.9.0 labels Jun 26, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/apm-ui (Team:apm)

sorenlouv
sorenlouv approved these changes Jun 26, 2020
View reviewed changes
Copy link
Member

@sorenlouv sorenlouv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome!! Thanks for doing this.
This will help us so much - next steps: apm dataset and api tests for all the endpoints!

@dgieselaar
Copy link
Member Author

@sqren made some changes, instead of having one apm_user that can do everything, we now run tests with two users, one with read privileges to APM and one with all.

sorenlouv
sorenlouv reviewed Jun 28, 2020
View reviewed changes
x-pack/test/apm_api_integration/common/authentication.ts Outdated
Comment on lines 44 to 77
case ApmUser.APM_WRITE_USER:
await security.role.create(ApmUser.APM_WRITE_USER, {
elasticsearch: {
cluster: [],
indices: [
{
names: ['observability-annotations'],
privileges: [
'read',
'view_index_metadata',
'index',
'manage',
'create_index',
'create_doc',
],
},
],
},
kibana: [
{
base: [],
feature: {
apm: ['all'],
},
spaces: ['*'],
},
],
});

await security.user.create(ApmUser.APM_WRITE_USER, {
full_name: ApmUser.APM_WRITE_USER,
password: APM_TEST_PASSWORD,
roles: ['apm_user', ApmUser.APM_WRITE_USER],
});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps it would be more clear to have separate functions: createApmReadUser, createApmReadWriteUser.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will make it more declarative. I need to add another user, one that is permitted to index annotations.

sorenlouv
sorenlouv reviewed Jun 28, 2020
View reviewed changes
x-pack/test/apm_api_integration/common/authentication.ts Outdated
],
});

await security.user.create(ApmUser.APM_WRITE_USER, {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it could be confusing with identical names for the user and role?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I don't think so. Do you see a scenario in our test where they could be confused?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, probably fine 👍

sorenlouv
sorenlouv reviewed Jun 28, 2020
View reviewed changes
x-pack/test/apm_api_integration/common/authentication.ts Outdated
elasticsearch: {
cluster: [],
indices: [
{ names: ['observability-annotations'], privileges: ['read', 'view_index_metadata'] },
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wasn't the plan to make this part of the apm_user?

Copy link
Member Author

@dgieselaar dgieselaar Jun 29, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but didn't want to block on the ES PR. If the ES PR gets merged first, I will update this before merging.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@dgieselaar dgieselaar requested a review from a team as a code owner June 29, 2020 11:34
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Build metrics

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@smith smith mentioned this pull request Jun 29, 2020
Merged
@dgieselaar dgieselaar merged commit dbdc3cd into elastic:master Jun 29, 2020
@dgieselaar dgieselaar deleted the tests-as-apm-user branch June 29, 2020 14:17
@dgieselaar dgieselaar mentioned this pull request Jun 29, 2020
Merged
dgieselaar added a commit to dgieselaar/kibana that referenced this pull request Jun 29, 2020
@dgieselaar
[APM] Run API tests as restricted user (elastic#70050)
2926a71
dgieselaar added a commit that referenced this pull request Jun 29, 2020
@dgieselaar
[7.x] [APM] Run API tests as restricted user (#70050) (#70204)
3e48426
Bamieh pushed a commit to Bamieh/kibana that referenced this pull request Jul 1, 2020
@dgieselaar @Bamieh
[APM] Run API tests as restricted user (elastic#70050)
a0ce968
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sorenlouv sorenlouv sorenlouv approved these changes

Assignees
No one assigned
Labels
release_note:skip Skip the PR/issue when compiling release notes Team:APM All issues that need APM UI Team support v7.9.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dgieselaar @elasticmachine @kibanamachine @sorenlouv