fix: explicitly enable native role mappings for Mock IDP (#184017)

## Summary The most recent versions of the Serverless Elasticsearch disable native role mappings by default and this conflicts with the Mock IDP package/plugin that we use for local development and tests. To unblock ES snapshot promotion I explicitly enable native role mappings for Mock IDP only, but eventually we should consider switching to a file-based role mapping (`config/operator/settings.json`, I didn't manage to make it work in a reasonable amount of time). ```bash $ cat config/operator/settings.json { "metadata": { "version": "%s", "compatibility": "8.4.0" }, "state": { "role_mappings": { "mock-idp-mapping": { "enabled": true, "role_templates": [ { "format": "json", "template": "{\"source\":\"{{#tojson}}groups{{/tojson}}\"}" } ], "rules": { "all": [ { "field": { "realm.name": "cloud-saml-kibana" } } ] } } } } } ``` /cc @albertzaharovits
elastic · May 22, 2024 · b0c0e4d · b0c0e4d
1 parent cc5a2bd
commit b0c0e4d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/packages/kbn-es/src/utils/docker.test.ts b/packages/kbn-es/src/utils/docker.test.ts
@@ -438,7 +438,6 @@ describe('resolveEsArgs()', () => {
       kibanaUrl: 'https://localhost:5601/',
     });
 
-    expect(esArgs).toHaveLength(26);
     expect(esArgs).toMatchInlineSnapshot(`
       Array [
         "--env",
@@ -448,6 +447,8 @@ describe('resolveEsArgs()', () => {
         "--env",
         "xpack.security.http.ssl.verification_mode=certificate",
         "--env",
+        "xpack.security.authc.native_role_mappings.enabled=true",
+        "--env",
         "xpack.security.authc.realms.saml.cloud-saml-kibana.order=0",
         "--env",
         "xpack.security.authc.realms.saml.cloud-saml-kibana.idp.metadata.path=/usr/share/elasticsearch/config/secrets/idp_metadata.xml",
@@ -477,7 +478,6 @@ describe('resolveEsArgs()', () => {
       kibanaUrl: 'https://localhost:5601/',
     });
 
-    expect(esArgs).toHaveLength(8);
     expect(esArgs).toMatchInlineSnapshot(`
       Array [
         "--env",

diff --git a/packages/kbn-es/src/utils/docker.ts b/packages/kbn-es/src/utils/docker.ts
@@ -486,6 +486,10 @@ export function resolveEsArgs(
   ) {
     const trimTrailingSlash = (url: string) => (url.endsWith('/') ? url.slice(0, -1) : url);
 
+    // The mock IDP setup requires a custom role mapping, but since native role mappings are disabled by default in
+    // Serverless, we have to re-enable them explicitly here.
+    esArgs.set('xpack.security.authc.native_role_mappings.enabled', 'true');
+
     esArgs.set(`xpack.security.authc.realms.saml.${MOCK_IDP_REALM_NAME}.order`, '0');
     esArgs.set(
       `xpack.security.authc.realms.saml.${MOCK_IDP_REALM_NAME}.idp.metadata.path`,