Update security/authz YAML tests for severless
These YAML rest tests made assumptions about the behaviour of the
Elasticsearch cluster that are not always true on Serverless ES.

The primary changes are:
1. Always set at least 1 replica because in serverless these
   correspond to search shards. Some tests previously set 0 replicas
   for simplicity/performance but this is no longer viable.
2. Don't assume that a user with write access can refresh a bulk. This
   is not the case in Serverless - refreshing a bulk requires explicit
   refresh privileges.
tvernum committed Aug 31, 2023
1 parent 291ecc5 commit 6f68213
Showing 9 changed files with 104 additions and 53 deletions.
Expand Up @@ -37,7 +37,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand All @@ -50,7 +50,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand All @@ -62,7 +62,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand All @@ -75,7 +75,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand Down Expand Up @@ -235,7 +235,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "only_read", "_id": "13"}}'
- '{"name": "doc13"}'
Expand All @@ -246,6 +245,10 @@ teardown:
- match: { items.0.index.error.type: "security_exception" }
- match: { items.1.index.status: 201 }

- do: # superuser
indices.refresh:
index: only_index

- do: # superuser
search:
rest_total_hits_as_int: true
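Review bot: The superuser refresh added after the mixed bulk names only `only_index`, although that bulk also targets `only_read`, the item expected to fail with `security_exception`. The response matches already assert the rejection, but if the search that follows (it continues past the visible lines) is also meant to prove the rejected document was never stored, an unrefreshed `only_read` would let that check pass even if the write had gone through. Refreshing every index the preceding request touched, e.g. `index: only_read,only_index`, keeps the negative assertion meaningful. The same pattern is worth checking in the other files: a refresh of `only_delete` alone after bulk deletes that also address `everything`, and a refresh of `write_index_1` alone after a bulk that was also rejected on `can_read_1`.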
Expand Up @@ -37,7 +37,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand All @@ -50,7 +50,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand All @@ -62,7 +62,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand All @@ -75,7 +75,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand Down Expand Up @@ -138,7 +138,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
delete:
refresh: true
index: only_delete
id: "3"

Expand All @@ -152,15 +151,13 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"delete": {"_index": "only_delete", "_id": "4"}}'
- '{"delete": {"_index": "everything" , "_id": "9"}}'

- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body: # The rest test won't send streaming content unless it has multiple bodies, so we send the same delete twice
- '{"delete": {"_index": "only_delete", "_id": "5"}}'
- '{"delete": {"_index": "only_delete", "_id": "5"}}'
Expand All @@ -177,6 +174,10 @@ teardown:
_index: everything
_id: "10"

- do: # superuser
indices.refresh:
index: only_delete

- do: # superuser
search:
rest_total_hits_as_int: true
Expand All @@ -197,22 +198,19 @@ teardown:
catch: forbidden
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
delete:
refresh: true
index: only_read
id: "1"

- do:
catch: forbidden
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
delete:
refresh: true
index: only_index
id: "2"

- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"delete": {"_index": "only_read" , "_id": "1"}}'
- '{"delete": {"_index": "only_index", "_id": "2"}}'
Expand All @@ -226,7 +224,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body: # The rest test won't send streaming content unless it has multiple bodies, so we send the same delete twice
- '{"delete": {"_index": "only_read" , "_id": "1"}}'
- '{"delete": {"_index": "only_read" , "_id": "1"}}'
Expand All @@ -240,7 +237,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body: # The rest test won't send streaming content unless it has multiple bodies, so we send the same delete twice
- '{"delete": {"_index": "only_index", "_id": "2"}}'
- '{"delete": {"_index": "only_index", "_id": "2"}}'
Expand All @@ -251,6 +247,10 @@ teardown:
- match: { items.1.delete.status: 403 }
- match: { items.1.delete.error.type: "security_exception" }

- do: # superuser
indices.refresh:
index: only_read,only_index

- do: # superuser
search:
rest_total_hits_as_int: true
Expand All @@ -270,7 +270,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"delete": {"_index": "only_read" , "_id": "1"}}'
- '{"delete": {"_index": "only_delete", "_id": "6"}}'
Expand All @@ -279,6 +278,10 @@ teardown:
- match: { items.0.delete.error.type: "security_exception" }
- match: { items.1.delete.status: 200 }

- do: # superuser
indices.refresh:
index: only_read,only_delete

- do: # superuser
search:
rest_total_hits_as_int: true
Expand All @@ -298,7 +301,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index" : {"_index": "only_delete", "_id": "11"}}'
- '{"name" : "doc11"}'
Expand All @@ -314,6 +316,10 @@ teardown:
- match: { items.3.delete.status: 403 }
- match: { items.3.delete.error.type: "security_exception" }

- do: # superuser
indices.refresh:
index: only_delete,only_index

- do: # superuser
search:
rest_total_hits_as_int: true
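Review bot: Nothing at the new `indices.refresh` steps records why the refresh moved out of the test_user requests, so a later edit could put `refresh: true` back on a `bulk` or `delete` and break these tests only on Serverless. A short comment on the first such step would capture it, for example `# refresh as superuser: test_user has write but not refresh privileges on Serverless`. It may also be worth stating there that these tests no longer exercise a write-only user passing `refresh` on a stateful cluster, in case that behaviour is not asserted elsewhere.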
Expand Up @@ -35,7 +35,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand All @@ -48,7 +48,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand All @@ -61,7 +61,7 @@ setup:
settings:
index:
number_of_shards: 1
number_of_replicas: 0
number_of_replicas: 1
mappings:
properties:
name:
Expand Down Expand Up @@ -147,7 +147,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "can_write_1", "_id": "3"}}'
- '{"name": "doc3"}'
Expand All @@ -157,7 +156,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "can_write_1", "_id": "5"}}'
- '{"name": "doc5"}'
Expand All @@ -167,7 +165,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "can_write_1", "_id": "7"}}'
- '{"name": "doc7"}'
Expand All @@ -176,6 +173,10 @@ teardown:
- '{"index": {"_index": "can_write_3", "_id": "9"}}'
- '{"name": "doc9"}'

- do: # superuser
indices.refresh:
index: write_index_*

- do: # superuser
search:
rest_total_hits_as_int: true
Expand All @@ -194,7 +195,6 @@ teardown:
catch: forbidden
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
create:
refresh: true
id: "7"
index: can_read_1
body: >
Expand All @@ -206,7 +206,6 @@ teardown:
catch: forbidden
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
create:
refresh: true
id: "8"
index: can_read_2
body: >
Expand All @@ -217,7 +216,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "can_read_1", "_id": "9"}}'
- '{"name": "doc9"}'
Expand All @@ -232,7 +230,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "can_read_1", "_id": "11"}}'
- '{"name": "doc11"}'
Expand All @@ -244,6 +241,10 @@ teardown:
- match: { items.1.index.status: 403 }
- match: { items.1.index.error.type: "security_exception" }

- do: # superuser
indices.refresh:
index: read_index

- do: # superuser
search:
rest_total_hits_as_int: true
Expand All @@ -255,7 +256,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "can_read_1", "_id": "13"}}'
- '{"name": "doc13"}'
Expand All @@ -266,6 +266,10 @@ teardown:
- match: { items.0.index.error.type: "security_exception" }
- match: { items.1.index.status: 201 }

- do: # superuser
indices.refresh:
index: write_index_1

- do: # superuser
search:
rest_total_hits_as_int: true
Expand All @@ -276,7 +280,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "can_read_1", "_id": "15"}}'
- '{"name": "doc15"}'
Expand All @@ -297,6 +300,10 @@ teardown:
- match: { items.3.index.status: 201 }
- match: { items.4.index.status: 201 }

- do: # superuser
indices.refresh:
index: write_index_*

- do: # superuser
search:
rest_total_hits_as_int: true
Expand Down Expand Up @@ -336,7 +343,6 @@ teardown:
- do:
headers: { Authorization: "Basic dGVzdF91c2VyOngtcGFjay10ZXN0LXBhc3N3b3Jk" } # test_user
bulk:
refresh: true
body:
- '{"index": {"_index": "can_read_1", "_id": "20"}}'
- '{"name": "doc20"}'
Expand All @@ -363,6 +369,10 @@ teardown:
- match: { items.5.update.status: 200 }
- match: { items.6.delete.status: 200 }

- do: # superuser
indices.refresh:
index: write_index_*

- do: # superuser
search:
rest_total_hits_as_int: true
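Review bot: The refresh steps in this file name `write_index_*`, `read_index` and `write_index_1`, while every request in the visible hunks addresses `can_write_*` or `can_read_*`; presumably those are aliases declared in the setup section, which lies outside the hunks. A one-line comment at the first refresh, such as `# refresh the concrete indices behind the can_* aliases`, would tell a reader that the superuser step bypasses the alias names the authorization checks are written against, and which aliases each pattern is expected to cover.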
Expand Up @@ -164,7 +164,7 @@ teardown:

- match:
$body: |
/^(yellow \s+
/^((yellow|green) \s+
close \s+
index_to_monitor \s+
([a-zA-Z0-9=/_+]|[\\\-]){22} \s+