2.0 License Testing #29696

Closed
19 of 20 tasks
elasticmachine opened this issue Feb 10, 2017 · 7 comments
Labels
:Security/License License functionality for commercial features >test Issues or PRs that are addressing/adding tests v2.0.0

Comments

@elasticmachine
Collaborator

Original comment by @rasroh:

License 2.0

  • Trial License Test: Install ES 2.0 + license 2.0 + shield 2.0 trial license. Advance system clock. See license expires as expected.
  • When the trial license is installed, all the features should be enabled for all plugins (test for watcher, shield, marvel) and should work seamlessly and should be valid until the trial expires.
  • Test the unlicensed behavior of each product, the behavior when adding a Basic, Gold and Platinum License on top of an expired built-in Trial license.

Upgrade:

  • Install Trial ES 1.0 + license 1.0 + Shield 1.0 - upgrade to ES 2.0, License 2.0 + shield 2.0 - trial license should work without any issues. Logs should be clean.
  • Generate signed license for 1.0 and upgrade to 2.0 License.

For signed licenses

  • Generate signed license (license generator tool - for different types of license: basic, gold, platinum)
  • Apply the license to the cluster
  • Verify by GET _license - signed license is applied - check the uid.
  • To expire the signed license - advance the system clock and make the signed license expire. Once expired, verify the behavior of each product.
  • Change the subscription type from basic > gold > platinum in the generated License.json - see the features enabled/disabled. (Note: Every time you change the license.json we should re-generate the license and reapply.)
  • Test adding a 1.x license to a 2.0 cluster and check the behavior.

Isolation Plugin Tests

License + Watcher:

  • While the built-in trial license is active, test to make sure that all features of watcher are enabled.
  • When trial license expires - validate that the watches will still be triggered but no actions will be performed.
  • When trial license expires - validate that you will not be able to get existing watches or add new ones. (PUT / GET watch APIs are disabled)
  • When trial license expires - validate that you still will be able to delete watches.
  • When trial license expires - validate that watches continue to work and write to watch history.

License + Watcher + Shield:

Unlicensed behavior:

  • When under a trial license - ES + Shield + Watcher > configure the monitor_watcher (to access watcher stats and get API) and manage_watcher roles (to get access to all watcher APIs) in the roles.yml file, verify the APIs.
  • Add the watcher administrator user; once added, this user will be able to call all the watcher APIs and by that manage all watches - validate this behavior.
  • If Shield is enabled, you need cluster admin privileges to install the license. You can do this update at run time without shutting down the nodes. Validate this behavior.
  • Cluster health, cluster stats and indices stats operations are blocked when trial license expires.

We also need to test each plugin in isolation, and each of the plugins with Shield. Marvel + Shield (with SSL), Watcher + Shield. For these combinations, we should verify that they work as intended while licensed and properly configured, as well as test their behavior when unlicensed.

@elasticmachine
Collaborator Author

Original comment by @skearns64:

@rasroh -

the licensing tests should include testing the unlicensed behavior of each product, the behavior when adding a Basic, Gold and Platinum License on top of an expired built-in Trial license.

Advance system clock - check expiry date of the signed license by generating a new json again

I don't know what you mean by generating a new json again?

Every time you change the license.json we should re-generate the license and reapply.

I'm not sure what this means?

For licensing, we also want to test adding a 1.x license to a 2.0 cluster.

When the 30 day trial period is installed, test to make sure that all features of watcher are enabled.

What do you mean by when the 30 day trial period is installed...? perhaps "While the built-in trial license is active..."

For Watcher, we want to verify that we can delete watches when the license is expired, or a Basic license is in-place (this is a change in behavior from 1.x).

We also need to test each plugin in isolation, and each of the plugins with Shield. Marvel + Shield (with SSL), Watcher + Shield. For these combinations, we should verify that they work as intended while licensed and properly configured, as well as test their behavior when unlicensed.

@elasticmachine
Collaborator Author

Original comment by @uboness:

Test the unlicensed behavior of each product, the behavior when adding a Basic, Gold and Platinum License on top of an expired built-in Trial license.

There are two things to check - 1) what happens when the license expiration date is reached (that's when you're officially entering the "grace period" mode... lasts 7 days), 2) what happens when the grace period ends (7 days after expiration date).

Each plugin defines its own behaviour for expiration & grace period:

LINK REDACTED
LINK REDACTED
LINK REDACTED

@elasticmachine
Collaborator Author

Original comment by @rasroh:

basic license

on license installation, return ack messages:

  • Security will be disabled
  • SSL will be disabled on node restart
  • once license installed, Shield will behave as if disabled (except SSL)

Basic to Gold License:

On license installation, return ack messages:

  • Field & Document level security will be disabled
    {"acknowledged":false,"license_status":"valid","acknowledge":{"message":"This license update requires acknowledgement. To acknowledge the license, please read the following messages and update the license again, this time with the \"acknowledge=true\" parameter:","shield":["Field and document level access control will be disabled","Custom realms will be ignored"]}}
  • Plugged in custom realms will be ignored
  • All other Shield features work

trial / platinum licenses

  • everything works
    Tested audits, RBAC (esusers realm), cluster health API, cluster stats API

on license expiry

  • Expiration messages are logged every 10 minutes

-[2015-11-30 08:44:52,194][ERROR][shield.action ] [rashmi-node1] blocking [indices:monitor/stats] operation due to expired license. Cluster health, cluster stats and indices stats operations are blocked on shield license expiration. All data operations (read and write) continue to work. If you have a new license, please update it. Otherwise, please reach out to your support contact

  • There will be a 7 days grace period where everything continues to work
    • As a quick check - checked the cluster health and stats APIs - this continues to work.
  • When the grace period expires, the health & stats APIs will stop working
curl -u es_admin -XGET 'http://localhost:9200/_cluster/health?pretty=true'
Enter host password for user 'es_admin':
{
  "error" : {
    "root_cause" : [ {
      "type" : "security_exception",
      "reason" : "current license is non-compliant for [shield]",
      "license.expired.feature" : "shield"
    } ],
    "type" : "security_exception",
    "reason" : "current license is non-compliant for [shield]",
    "license.expired.feature" : "shield"
  },
  "status" : 401
}
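
An added example, not part of the original comments or of the Elasticsearch code base: a small Python checker that a test harness could use to recognise the two responses quoted in the comment above (the acknowledgement prompt and the expired-license 401) and to compute the license phase from the 7-day grace period described in the thread. The function names `license_phase` and `classify_response` are hypothetical, and the sample bodies are trimmed copies of the quoted output.

```python
import json
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)  # grace period length stated in the thread


def license_phase(expiry, now):
    """Phase at `now`: active, grace (the 7 days from expiry), or expired."""
    if now < expiry:
        return "active"
    return "grace" if now < expiry + GRACE else "expired"


def classify_response(body):
    """Classify a JSON body returned by a license update or a cluster API call."""
    doc = json.loads(body)
    err = doc.get("error")
    if isinstance(err, dict) and "license.expired.feature" in err:
        # Health/stats call rejected because the grace period has ended.
        return {"kind": "blocked_by_license",
                "feature": err["license.expired.feature"],
                "status": doc.get("status")}
    if doc.get("acknowledged") is False and "acknowledge" in doc:
        # Every key except "message" is a plugin name mapped to its warnings.
        ack = doc["acknowledge"]
        warnings = {k: v for k, v in ack.items() if k != "message"}
        return {"kind": "needs_acknowledge", "warnings": warnings}
    return {"kind": "ok"}


# Sample inputs: the two responses quoted above, with the long message text trimmed.
ACK_BODY = ('{"acknowledged":false,"license_status":"valid","acknowledge":'
            '{"message":"...","shield":["Field and document level access control '
            'will be disabled","Custom realms will be ignored"]}}')
EXPIRED_BODY = ('{"error":{"type":"security_exception","reason":"current license '
                'is non-compliant for [shield]","license.expired.feature":"shield"},'
                '"status":401}')

if __name__ == "__main__":
    print(classify_response(ACK_BODY))
    print(classify_response(EXPIRED_BODY))
    expiry = datetime(2015, 11, 30, tzinfo=timezone.utc)  # constructed date
    print(license_phase(expiry, expiry + timedelta(days=3)))
```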

@elasticmachine
Collaborator Author

Original comment by @rasroh:

Backward compatibility tests:

  • 1.x auto-generated and signed licenses propagate properly to 2.0 license plugin. (trial, gold, basic, platinum)
  • License backward compatibility tests:
    Install Trial ES 1.0 + license 1.0 + Shield 1.0 - upgrade to ES 2.0, License 2.0 + shield 2.0 - trial license should work without any issues. Logs should be clean.
  • Repeated above tests for basic, gold, platinum.
  • Verified for 2.0: at any given point of time, there is a single active license for all the features (not the case for 1.x).
  • If a cluster has 1.x licenses, the license with the latest issue date that is not yet expired will be chosen by 2.0. The selected license feature should be ignored and used as if it was feature agnostic. (ref LINK REDACTED)

@elasticmachine
Collaborator Author

Original comment by @rasroh:

Closing since 2.0 has been released

@elasticmachine
Collaborator Author

Original comment by @rasroh:

  • We need to support the actual licenses that we issued in the field.
    When you apply 1.x License file with multiple licenses, License plugin must accept multiple licenses to take the best one. Currently it only supports a single license in 1.x license file.

@elasticmachine elasticmachine added :Security/License License functionality for commercial features >test Issues or PRs that are addressing/adding tests v2.0.0 labels Apr 25, 2018
@polyfractal
Contributor

Think this was accidentally re-opened. Closing.


3 participants