Allow test clusters to run with TLS #8900
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
I'm having trouble seeing how the value 'http.protocal' is used, shouldn't there be a change ~line 575 so the WaitForHttpResource object uses the correct protocol?
buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchCluster.java
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Yeah, we need to take the value from the settings and use it where you mentioned. The issue is it is not clear how we can configure the tests on the fly and actually change that value. There is a lot of circular logic between the OpenSearchCluster and OpenSearchNode files and most of the values appear hard-coded. The settings that are passed are all about the file structure, which is not what we want. I will have to ask someone more familiar with this test setup because I cannot find a way to actually pass a value on execution.
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Compatibility status: Checks if related components are compatible with change 7ffcd65

Incompatible components: [https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/security-analytics.git]

Skipped components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]
Code looks good. So, how do I use this?
Hi @dblock, that is a good question haha. I am adding some notes to using it in the Security repo, but basically it is used with this process: opensearch-project/security#3056 (comment). In short, with this change, you can go into the security repo and grab the code changes that will shortly be merged when I fix them all. The working branch is here: https://github.com/scrawfor99/security/tree/testClusterChanges. Then you will run the BWC tests
This lets you specify security information when running our BWC tests so we can then confirm when the tests operate with Security and establish secure connections between the nodes.
Can we add this (and any missing) info to https://github.com/opensearch-project/OpenSearch/blob/main/TESTING.md#testing-backwards-compatibility
The backport to
To backport manually, run these commands in your terminal:

```bash
# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-8900-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 6a5b464c71964800507d389cfb0ae2d358175857
# Push it to GitHub
git push --set-upstream origin backport/backport-8900-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x
```

Then, create a pull request where the
Sorry for the late review. Your changes broke some of my tests in another repo and I started investigation.
getFirstNode().getCredentials().get(0).get("username"), | ||
getFirstNode().getCredentials().get(0).get("password"), | ||
nodes.size() | ||
); | ||
wait.setUsername(getFirstNode().getCredentials().get(0).get("username")); | ||
wait.setPassword(getFirstNode().getCredentials().get(0).get("password")); |
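Review bot: `getFirstNode().getCredentials().get(0)` is dereferenced four times in these lines with no visible check that the credentials list is non-empty, so a cluster configured without credentials would fail on `get(0)`. Read the entry once into a local, guard the empty case, and reuse it for both the argument list and `wait.setUsername`/`wait.setPassword`. If the first two arguments end up inside the URL string, the password will also appear wherever that URL is logged, so passing it only through the setters is preferable.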
Why do you set credentials twice here?
One constructs the URL, one configures the object.
wait.setUsername(credentials.get(0).get("useradd")); | ||
wait.setPassword(credentials.get(0).get("-p")); |
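Review bot: the lookup keys `"useradd"` and `"-p"` in these two lines read like command-line flags and differ from the `"username"`/`"password"` keys passed to the same setters elsewhere in this change, so a credentials entry written with one pair of keys will not be found under the other. Use a single pair of keys throughout, or add a comment naming the caller that produces the `useradd`/`-p` form.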
Why `useradd` and `-p` and not `username` and `password`?
This was support for the previous testing
What repo? Do you have an issue you can link?
@scrawfor99
@scrawfor99 updated link for Yury's PR: opensearch-project/sql#1986
* Basic idea Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Make configurable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Update change log Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Have to ask around Signed-off-by: Stephen Crawford <steecraw@amazon.com> * add http protocol configuration Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix failure Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Update settings Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix config Signed-off-by: Stephen Crawford <steecraw@amazon.com> * retry integ Signed-off-by: Stephen Crawford <steecraw@amazon.com> * retry integ Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix failure to find Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix assigment Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix npe Signed-off-by: Stephen Crawford <steecraw@amazon.com> * set default Signed-off-by: Stephen Crawford <steecraw@amazon.com> * set default Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * prevent empty string Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap optional use Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap back run setup Signed-off-by: Stephen Crawford <steecraw@amazon.com> * try stream fix Signed-off-by: Stephen Crawford <steecraw@amazon.com> * store Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove config mentioons Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix failure Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Readd setting to config Signed-off-by: Stephen Crawford <steecraw@amazon.com> * readd overridable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Add 
setting to env Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * trigger retry Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Buildable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * update cert passing Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove log Signed-off-by: Stephen Crawford <steecraw@amazon.com> * buildable no logs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove uneeded configs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Pass old creds Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix bad logs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Reta's requests Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap to boolean Signed-off-by: Stephen Crawford <steecraw@amazon.com> * trigger retry Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Make bool Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix npe Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * failed with string logic Signed-off-by: Stephen Crawford <steecraw@amazon.com> --------- Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
* Basic idea Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Make configurable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Update change log Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Have to ask around Signed-off-by: Stephen Crawford <steecraw@amazon.com> * add http protocol configuration Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix failure Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Update settings Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix config Signed-off-by: Stephen Crawford <steecraw@amazon.com> * retry integ Signed-off-by: Stephen Crawford <steecraw@amazon.com> * retry integ Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix failure to find Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix assigment Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix npe Signed-off-by: Stephen Crawford <steecraw@amazon.com> * set default Signed-off-by: Stephen Crawford <steecraw@amazon.com> * set default Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * prevent empty string Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap optional use Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap back run setup Signed-off-by: Stephen Crawford <steecraw@amazon.com> * try stream fix Signed-off-by: Stephen Crawford <steecraw@amazon.com> * store Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove config mentioons Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix failure Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Readd setting to config Signed-off-by: Stephen Crawford <steecraw@amazon.com> * readd overridable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Add 
setting to env Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * trigger retry Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Buildable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * update cert passing Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove log Signed-off-by: Stephen Crawford <steecraw@amazon.com> * buildable no logs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove uneeded configs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Pass old creds Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix bad logs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Reta's requests Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap to boolean Signed-off-by: Stephen Crawford <steecraw@amazon.com> * trigger retry Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Make bool Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix npe Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * failed with string logic Signed-off-by: Stephen Crawford <steecraw@amazon.com> --------- Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Gagan Juneja <gjjuneja@amazon.com>
* Basic idea Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Make configurable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Update change log Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Have to ask around Signed-off-by: Stephen Crawford <steecraw@amazon.com> * add http protocol configuration Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix failure Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Update settings Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix config Signed-off-by: Stephen Crawford <steecraw@amazon.com> * retry integ Signed-off-by: Stephen Crawford <steecraw@amazon.com> * retry integ Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Fix failure to find Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix assigment Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix npe Signed-off-by: Stephen Crawford <steecraw@amazon.com> * set default Signed-off-by: Stephen Crawford <steecraw@amazon.com> * set default Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * prevent empty string Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap optional use Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap back run setup Signed-off-by: Stephen Crawford <steecraw@amazon.com> * try stream fix Signed-off-by: Stephen Crawford <steecraw@amazon.com> * store Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove config mentioons Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix failure Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Readd setting to config Signed-off-by: Stephen Crawford <steecraw@amazon.com> * readd overridable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Add 
setting to env Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * trigger retry Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Buildable Signed-off-by: Stephen Crawford <steecraw@amazon.com> * update cert passing Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove log Signed-off-by: Stephen Crawford <steecraw@amazon.com> * buildable no logs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * remove uneeded configs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Pass old creds Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix bad logs Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Reta's requests Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Swap to boolean Signed-off-by: Stephen Crawford <steecraw@amazon.com> * trigger retry Signed-off-by: Stephen Crawford <steecraw@amazon.com> * Make bool Signed-off-by: Stephen Crawford <steecraw@amazon.com> * fix npe Signed-off-by: Stephen Crawford <steecraw@amazon.com> * spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com> * failed with string logic Signed-off-by: Stephen Crawford <steecraw@amazon.com> --------- Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Kiran Reddy <kkreddy@amazon.com>
### Description

Opening up a PR to describe the issues faced with BWC tests with the security plugin installed and solicit feedback. I plan to forward port this change to main, but first wanted to show this working for 2.9 -> 2.10 tests (as of the time of this writing).

Thanks to the work that @scrawfor99 did in [core](opensearch-project/OpenSearch#8900) to supply security settings to testClusters to be able to run the initial wait for cluster yellow checks with a URL that includes the right protocol (`https` when security is enabled) along with a username and password to authenticate the request.

I ran into 4 hurdles to get this to run:

1. Initially the cluster didn't form. After a lot of frustration, I ended up finding that by supplying `network.bind_host` and `network.publish_host` to both 127.0.0.1 it resolved the issue. These could probably be combined into a single `network.host`, but I chose to keep them separated.
2. I had issue testing changes to the gradle build-tools after making changes locally. This was the most frustrating hurdle, but ultimately the solution was to change the [`opensearch.version` setting in `bwc-test/build.gradle`](https://github.com/opensearch-project/security/blob/2.x/bwc-test/build.gradle#L47) to `2.10.0-SNAPSHOT`. This value is specifically used as the version of the gradle build-tools that the [BWC tests use](https://github.com/opensearch-project/security/blob/main/bwc-test/build.gradle#L58). The changes I made locally didn't reflect because I was publishing to maven local from the 2.x branch (currently 2.10) and it was looking for 2.9.0-SNAPSHOT artifacts. After updating the value it found my maven local snapshots. For this artifact you can produce maven local snapshots using `./gradlew :build-tools:publishToMavenLocal` from the respective branch in the core repo.
3. After the waitForYellow checks were able to run successfully, the REST Client in the SecurityBackwardsCompatibilityIT was also having problems connecting to the cluster because it didn't recognize the certificates of the server. I ended up using the overly trustworthy route where there is no SSL verification for the REST Client used in this test. I borrowed this implementation from [k-NN's ODFERestTestCase](https://github.com/opensearch-project/k-NN/blob/2.x/src/testFixtures/java/org/opensearch/knn/ODFERestTestCase.java#L118-L141) which is widely used in the plugin ecosystem. There is an open issue to abstract this class into common-utils. More work can be done here to ensure the rest-high-level-client runs with a truststore with the root certificate.
4. The last hurdle I faced was a WarningFailureException where the REST Client could not deserialize the cluster health response because of a warning that was returned with the response about the request including system indices. According to this [comment](opensearch-project/OpenSearch#1108 (comment)), this may only be enabled in snapshots. To fix this, I set preserve cluster to true which [bypasses the method](https://github.com/opensearch-project/OpenSearch/blob/main/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java#L364) where the error was thrown.

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

### Issues Resolved

#3056

### Check List

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
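
Hurdle 3 above disables certificate verification for the test REST client and names a truststore holding the root certificate as the stricter option. The class below is an added example, not code from this PR or from the OpenSearch project: it runs the same wait-for-yellow check over `https` with basic authentication while trusting only a supplied root CA. The CA file argument, the `OPENSEARCH_USER`/`OPENSEARCH_PASSWORD` environment variable names and the `127.0.0.1:9200` address are assumptions.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SecureClusterHealthCheck {

    // The scheme follows a boolean: https when security is enabled, http otherwise.
    // Credentials are deliberately kept out of the URL so they cannot leak through logged URLs.
    static URI healthUri(boolean securityEnabled, String host, int port) {
        String scheme = securityEnabled ? "https" : "http";
        return URI.create(scheme + "://" + host + ":" + port
            + "/_cluster/health?wait_for_status=yellow&timeout=60s");
    }

    // Build an SSLContext whose only trust anchor is the given PEM root CA.
    // Certificate chain validation stays on, unlike a trust-all strategy.
    static SSLContext contextTrusting(Path rootCaPem) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start from an empty in-memory store
        try (InputStream in = Files.newInputStream(rootCaPem)) {
            X509Certificate ca = (X509Certificate) CertificateFactory
                .getInstance("X.509").generateCertificate(in);
            trustStore.setCertificateEntry("test-root-ca", ca);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // HTTP basic authentication header value for the given user.
    static String basicAuthHeader(String user, String password) {
        String pair = user + ":" + password;
        return "Basic " + Base64.getEncoder()
            .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            // Offline mode: show which URL each setting produces.
            System.out.println("security off: " + healthUri(false, "127.0.0.1", 9200));
            System.out.println("security on:  " + healthUri(true, "127.0.0.1", 9200));
            System.out.println("usage: java SecureClusterHealthCheck <root-ca.pem>");
            return;
        }
        // Assumed variable names; read from the environment rather than hard-coding.
        String user = System.getenv("OPENSEARCH_USER");
        String password = System.getenv("OPENSEARCH_PASSWORD");
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            throw new IllegalStateException("set OPENSEARCH_USER and OPENSEARCH_PASSWORD");
        }

        // Hostname verification is left at the client's default, so the node
        // certificate must list 127.0.0.1 as a subject alternative name.
        HttpClient client = HttpClient.newBuilder()
            .sslContext(contextTrusting(Path.of(args[0])))
            .connectTimeout(Duration.ofSeconds(10))
            .build();
        HttpRequest request = HttpRequest.newBuilder(healthUri(true, "127.0.0.1", 9200))
            .header("Authorization", basicAuthHeader(user, password))
            .timeout(Duration.ofSeconds(70))
            .GET()
            .build();

        HttpResponse<String> response =
            client.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException(
                "cluster did not reach yellow: HTTP " + response.statusCode());
        }
        System.out.println(response.body());
    }
}
```

A TLS handshake failure here means the node certificate does not chain to the supplied root, which is the condition a trust-all client would hide.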
Opening up a PR to describe the issues faced with BWC tests with the security plugin installed and solicit feedback. I plan to forward port this change to main, but first wanted to show this working for 2.9 -> 2.10 tests (as of the time of this writing).

Thanks to the work that @scrawfor99 did in [core](opensearch-project/OpenSearch#8900) to supply security settings to testClusters to be able to run the initial wait for cluster yellow checks with a URL that includes the right protocol (`https` when security is enabled) along with a username and password to authenticate the request.

I ran into 4 hurdles to get this to run:

1. Initially the cluster didn't form. After a lot of frustration, I ended up finding that by supplying `network.bind_host` and `network.publish_host` to both 127.0.0.1 it resolved the issue. These could probably be combined into a single `network.host`, but I chose to keep them separated.
2. I had issue testing changes to the gradle build-tools after making changes locally. This was the most frustrating hurdle, but ultimately the solution was to change the [`opensearch.version` setting in `bwc-test/build.gradle`](https://github.com/opensearch-project/security/blob/2.x/bwc-test/build.gradle#L47) to `2.10.0-SNAPSHOT`. This value is specifically used as the version of the gradle build-tools that the [BWC tests use](https://github.com/opensearch-project/security/blob/main/bwc-test/build.gradle#L58). The changes I made locally didn't reflect because I was publishing to maven local from the 2.x branch (currently 2.10) and it was looking for 2.9.0-SNAPSHOT artifacts. After updating the value it found my maven local snapshots. For this artifact you can produce maven local snapshots using `./gradlew :build-tools:publishToMavenLocal` from the respective branch in the core repo.
3. After the waitForYellow checks were able to run successfully, the REST Client in the SecurityBackwardsCompatibilityIT was also having problems connecting to the cluster because it didn't recognize the certificates of the server. I ended up using the overly trustworthy route where there is no SSL verification for the REST Client used in this test. I borrowed this implementation from [k-NN's ODFERestTestCase](https://github.com/opensearch-project/k-NN/blob/2.x/src/testFixtures/java/org/opensearch/knn/ODFERestTestCase.java#L118-L141) which is widely used in the plugin ecosystem. There is an open issue to abstract this class into common-utils. More work can be done here to ensure the rest-high-level-client runs with a truststore with the root certificate.
4. The last hurdle I faced was a WarningFailureException where the REST Client could not deserialize the cluster health response because of a warning that was returned with the response about the request including system indices. According to this [comment](opensearch-project/OpenSearch#1108 (comment)), this may only be enabled in snapshots. To fix this, I set preserve cluster to true which [bypasses the method](https://github.com/opensearch-project/OpenSearch/blob/main/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java#L364) where the error was thrown.

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

opensearch-project#3056

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
### Description

Opening up a PR to describe the issues faced with BWC tests with the security plugin installed and solicit feedback.

Thanks to the work that @scrawfor99 did in [core](opensearch-project/OpenSearch#8900) to supply security settings to testClusters to be able to run the initial wait for cluster yellow checks with a URL that includes the right protocol (`https` when security is enabled) along with a username and password to authenticate the request.

I ran into 4 hurdles to get this to run:

1. Initially the cluster didn't form. After a lot of frustration, I ended up finding that by supplying `network.bind_host` and `network.publish_host` to both 127.0.0.1 it resolved the issue. These could probably be combined into a single `network.host`, but I chose to keep them separated.
2. I had issue testing changes to the gradle build-tools after making changes locally. This was the most frustrating hurdle, but ultimately the solution was to change the [`opensearch.version` setting in `bwc-test/build.gradle`](https://github.com/opensearch-project/security/blob/2.x/bwc-test/build.gradle#L47) to `2.10.0-SNAPSHOT`. This value is specifically used as the version of the gradle build-tools that the [BWC tests use](https://github.com/opensearch-project/security/blob/main/bwc-test/build.gradle#L58). The changes I made locally didn't reflect because I was publishing to maven local from the 2.x branch (currently 2.10) and it was looking for 2.9.0-SNAPSHOT artifacts. After updating the value it found my maven local snapshots. For this artifact you can produce maven local snapshots using `./gradlew :build-tools:publishToMavenLocal` from the respective branch in the core repo.
3. After the waitForYellow checks were able to run successfully, the REST Client in the SecurityBackwardsCompatibilityIT was also having problems connecting to the cluster because it didn't recognize the certificates of the server. I ended up using the overly trustworthy route where there is no SSL verification for the REST Client used in this test. I borrowed this implementation from [k-NN's ODFERestTestCase](https://github.com/opensearch-project/k-NN/blob/2.x/src/testFixtures/java/org/opensearch/knn/ODFERestTestCase.java#L118-L141) which is widely used in the plugin ecosystem. There is an open issue to abstract this class into common-utils. More work can be done here to ensure the rest-high-level-client runs with a truststore with the root certificate.
4. The last hurdle I faced was a WarningFailureException where the REST Client could not deserialize the cluster health response because of a warning that was returned with the response about the request including system indices. According to this [comment](opensearch-project/OpenSearch#1108 (comment)), this may only be enabled in snapshots. To fix this, I set preserve cluster to true which [bypasses the method](https://github.com/opensearch-project/OpenSearch/blob/main/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java#L364) where the error was thrown.

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Enhancement

### Issues Resolved

#3056

### Check List

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>
* Basic idea Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Make configurable Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Update change log Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Have to ask around Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* add http protocol configuration Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Fix failure Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Update settings Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Fix config Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* retry integ Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* retry integ Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Fix failure to find Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* fix assignment Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* fix npe Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* set default Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* set default Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* prevent empty string Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Swap optional use Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Swap back run setup Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* try stream fix Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* store Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* remove config mentions Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* fix failure Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Readd setting to config Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* readd overridable Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Add setting to env Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* trigger retry Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Buildable Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* update cert passing Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* remove log Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* buildable no logs Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* remove unneeded configs Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Pass old creds Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* fix bad logs Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Reta's requests Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Swap to boolean Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* trigger retry Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* Make bool Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* fix npe Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* spotless Signed-off-by: Stephen Crawford <steecraw@amazon.com>
* failed with string logic Signed-off-by: Stephen Crawford <steecraw@amazon.com>

---------

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Kaushal Kumar <ravi.kaushal97@gmail.com>
Description
Allow configuration of test clusters to run with TLS.
I copied the change patterns from this PR: https://github.com/opensearch-project/OpenSearch/pull/1051/files. Thank you @VachaShah for the help. From there this is the linked issue about figuring out how to exercise the changes in these files directly: #1086. Seems unaddressed, so hopefully this will not be a blocker.
Related Issues
opensearch-project/security#3056
Check List
New functionality includes testing.
All tests pass
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.