-
Notifications
You must be signed in to change notification settings - Fork 24.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ML] Make semantic search an indices action (#90887)
Users do not require an ml privilege to call _semantic_search
- Loading branch information
Showing
12 changed files
with
383 additions
and
25 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apply plugin: 'elasticsearch.internal-yaml-rest-test' | ||
|
||
dependencies { | ||
yamlRestTestImplementation(testArtifact(project(xpackModule('core')))) | ||
yamlRestTestImplementation(testArtifact(project(':x-pack:plugin'))) | ||
} | ||
|
||
// bring in machine learning rest test suite | ||
restResources { | ||
restApi { | ||
include '_common', 'cluster', 'nodes', 'indices', 'index', 'search', 'get', 'bulk', 'ml', 'semantic_search' | ||
} | ||
} | ||
|
||
testClusters.configureEach { | ||
testDistribution = 'DEFAULT' | ||
rolesFile file('roles.yml') | ||
user username: "x_pack_rest_user", password: "x-pack-test-password" | ||
user username: "read_index_no_ml", password: "read_index_no_ml_password", role: "all_data" | ||
user username: "no_read_index_no_ml", password: "no_read_index_no_ml_password", role: "unrelated_index_only" | ||
setting 'xpack.license.self_generated.type', 'trial' | ||
setting 'xpack.security.enabled', 'true' | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
all_data: | ||
cluster: | ||
# This is always required because the REST client uses it to find the version of | ||
# Elasticsearch it's talking to | ||
- cluster:monitor/main | ||
indices: | ||
# User | ||
- names: [ 'embedded_text', 'unrelated' ] | ||
privileges: | ||
- create_index | ||
- indices:admin/refresh | ||
- read | ||
- write | ||
- view_index_metadata | ||
|
||
unrelated_index_only: | ||
cluster: | ||
# This is always required because the REST client uses it to find the version of | ||
# Elasticsearch it's talking to | ||
- cluster:monitor/main | ||
indices: | ||
# | ||
- names: [ 'unrelated' ] | ||
privileges: | ||
- create_index | ||
- indices:admin/refresh | ||
- read | ||
- write | ||
- view_index_metadata |
56 changes: 56 additions & 0 deletions
56
...rc/yamlRestTest/java/org/elasticsearch/smoketest/AbstractSemanticSearchPermissionsIT.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
package org.elasticsearch.smoketest; | ||
|
||
import com.carrotsearch.randomizedtesting.annotations.Name; | ||
|
||
import org.elasticsearch.common.settings.SecureString; | ||
import org.elasticsearch.common.settings.Settings; | ||
import org.elasticsearch.common.util.concurrent.ThreadContext; | ||
import org.elasticsearch.test.SecuritySettingsSourceField; | ||
import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; | ||
import org.elasticsearch.xpack.test.rest.AbstractXPackRestTest; | ||
|
||
import java.util.Collections; | ||
import java.util.Map; | ||
|
||
public abstract class AbstractSemanticSearchPermissionsIT extends AbstractXPackRestTest { | ||
|
||
private static final String TEST_ADMIN_USERNAME = "x_pack_rest_user"; | ||
|
||
public AbstractSemanticSearchPermissionsIT(@Name("yaml") ClientYamlTestCandidate testCandidate) { | ||
super(testCandidate); | ||
} | ||
|
||
protected abstract String[] getCredentials(); | ||
|
||
@Override | ||
protected Settings restClientSettings() { | ||
String[] creds = getCredentials(); | ||
String token = basicAuthHeaderValue(creds[0], new SecureString(creds[1].toCharArray())); | ||
return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build(); | ||
} | ||
|
||
@Override | ||
protected Settings restAdminSettings() { | ||
String token = basicAuthHeaderValue(TEST_ADMIN_USERNAME, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING); | ||
return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build(); | ||
} | ||
|
||
@Override | ||
protected Map<String, String> getApiCallHeaders() { | ||
return Collections.singletonMap( | ||
"Authorization", | ||
basicAuthHeaderValue(TEST_ADMIN_USERNAME, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING) | ||
); | ||
} | ||
|
||
@Override | ||
protected boolean isMachineLearningTest() { | ||
return true; | ||
} | ||
} |
58 changes: 58 additions & 0 deletions
58
.../src/yamlRestTest/java/org/elasticsearch/smoketest/SemanticSearchNoReadPermissionsIT.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
package org.elasticsearch.smoketest; | ||
|
||
import com.carrotsearch.randomizedtesting.annotations.Name; | ||
|
||
import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; | ||
import org.elasticsearch.test.rest.yaml.section.DoSection; | ||
import org.elasticsearch.test.rest.yaml.section.ExecutableSection; | ||
|
||
import java.io.IOException; | ||
|
||
import static org.hamcrest.Matchers.containsString; | ||
|
||
public class SemanticSearchNoReadPermissionsIT extends AbstractSemanticSearchPermissionsIT { | ||
|
||
private static final String USERNAME = "no_read_index_no_ml"; | ||
|
||
private final ClientYamlTestCandidate testCandidate; | ||
|
||
public SemanticSearchNoReadPermissionsIT(@Name("yaml") ClientYamlTestCandidate testCandidate) { | ||
super(testCandidate); | ||
this.testCandidate = testCandidate; | ||
} | ||
|
||
@Override | ||
protected String[] getCredentials() { | ||
return new String[] { USERNAME, "no_read_index_no_ml_password" }; | ||
} | ||
|
||
@Override | ||
public void test() throws IOException { | ||
try { | ||
// Cannot use expectThrows here because blacklisted tests will throw an | ||
// InternalAssumptionViolatedException rather than an AssertionError | ||
super.test(); | ||
|
||
for (ExecutableSection section : testCandidate.getTestSection().getExecutableSections()) { | ||
if (section instanceof DoSection doSection) { | ||
String apiName = doSection.getApiCallSection().getApi(); | ||
fail("call to semantic_search endpoint [" + apiName + "] should have failed because of missing role"); | ||
} | ||
} | ||
} catch (AssertionError ae) { | ||
if (ae.getMessage().startsWith("call to")) { | ||
// rethrow the fail() from the try section above | ||
throw ae; | ||
} | ||
assertThat(ae.getMessage(), containsString("security_exception")); | ||
assertThat(ae.getMessage(), containsString("returned [403 Forbidden]")); | ||
assertThat(ae.getMessage(), containsString("is unauthorized for user [" + USERNAME + "]")); | ||
} | ||
} | ||
} |
23 changes: 23 additions & 0 deletions
23
...ts/src/yamlRestTest/java/org/elasticsearch/smoketest/SemanticSearchReadPermissionsIT.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
package org.elasticsearch.smoketest; | ||
|
||
import com.carrotsearch.randomizedtesting.annotations.Name; | ||
|
||
import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; | ||
|
||
public class SemanticSearchReadPermissionsIT extends AbstractSemanticSearchPermissionsIT { | ||
|
||
public SemanticSearchReadPermissionsIT(@Name("yaml") ClientYamlTestCandidate testCandidate) { | ||
super(testCandidate); | ||
} | ||
|
||
@Override | ||
protected String[] getCredentials() { | ||
return new String[] { "read_index_no_ml", "read_index_no_ml_password" }; | ||
} | ||
} |
Oops, something went wrong.