elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[POC] Serverless API integration test helper - create API key as admin #184948

Open jeramysoucy opened 1 month ago

jeramysoucy commented 1 month ago

Description

To support moving away from using basic authentication when testing API endpoints in serverless, we created an FTR helper for creating an API key for a specific role by name (SvlUserManagerProvider.createApiKeyForRole). The helper authenticates as a user with the named role and creates an API key. However, it turns out that many roles are unable to create an API key, but are expected to be able to access some subset of APIs.

To keep the helper easy to use and understand, we are going to create a POC that explores the idea of using an admin account to create the role-specific API key. In order to do this, we will need to read the permissions granted to the named role from the project-specific roles.yml file (which I think we can do with readRolesFromResource). These permissions will be used in the role descriptor, combined with a default of no privileges for each category.

This will allow maintainers of API tests to test all of their API endpoints with specific roles, and not have to worry about the underlying method of authentication, or whether a role grants the privilege to create an API key.

Further thoughts

Ideally, we will rename our FTR authentication helpers more explicitly, to imply the appropriate use case. e.g...

cc @azasypkin @pheyos
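An added example (not code from the Kibana repository or its FTR helpers) of what the admin-minted, role-scoped key described above amounts to: the role's permissions are looked up in a roles.yml-style map (assumed already parsed into an object) and turned into the role descriptor for the Elasticsearch create API key request, with every category the role does not mention defaulting to no privileges. The function names and the sample roles are constructed for illustration.

```typescript
// Added example, not Kibana's own FTR code. Builds the body for
// POST /_security/api_key so an admin can mint a key scoped to a named
// role. Categories the role definition omits are filled with explicit
// empty lists, so the key never gains more than the role grants.

interface IndexPrivilege { names: string[]; privileges: string[] }
interface AppPrivilege { application: string; privileges: string[]; resources: string[] }
interface RoleDefinition {
  cluster?: string[];
  indices?: IndexPrivilege[];
  applications?: AppPrivilege[];
  run_as?: string[];
}
type RolesFile = Record<string, RoleDefinition>;

// Constructed sample standing in for a parsed project roles.yml.
const sampleRoles: RolesFile = {
  viewer: {
    applications: [{ application: 'kibana-.kibana', privileges: ['read'], resources: ['*'] }],
  },
  editor: {
    cluster: ['monitor'],
    indices: [{ names: ['logs-*'], privileges: ['read', 'view_index_metadata'] }],
    applications: [{ application: 'kibana-.kibana', privileges: ['all'], resources: ['*'] }],
  },
};

// Role descriptor with "no privileges" defaults for each category.
function buildRoleDescriptor(roleName: string, roles: RolesFile): Required<RoleDefinition> {
  const role = roles[roleName];
  if (!role) throw new Error(`role "${roleName}" not found in roles file`);
  return {
    cluster: role.cluster ?? [],
    indices: role.indices ?? [],
    applications: role.applications ?? [],
    run_as: role.run_as ?? [],
  };
}

// Request body an admin caller would send to the create API key API.
function buildCreateApiKeyRequest(roleName: string, roles: RolesFile) {
  return {
    name: `ftr-${roleName}`,
    role_descriptors: { [roleName]: buildRoleDescriptor(roleName, roles) },
    metadata: { created_by: 'ftr', role: roleName },
  };
}
```

Because the key is minted by the admin rather than by a user holding the role, the test never depends on whether the role itself is allowed to create API keys.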

elasticmachine commented 1 month ago

Pinging @elastic/kibana-security (Team:Security)

tsullivan commented 1 week ago

@jeramysoucy This issue came across my radar as I've been asking questions about how to re-enable a certain test for Reporting: https://github.com/elastic/kibana/issues/186558.

The background is: I have an API integration test in the stateful area that I wish to carry into serverless. The test involves 2 users: UserA and UserB.

Will it be possible to create a test like this for serverless?

jeramysoucy commented 4 days ago

> I have an API integration test in the stateful area that I wish to carry into serverless. The test involves 2 users: UserA and UserB.
>
> UserA creates a report.
> UserB attempts to delete the report but is given a 404 response.
>
> Will it be possible to create a test like this for serverless?
>
> I have tried creating two sets of API Key credentials using SvlUserManagerProvider.createApiKeyForRole multiple times (ApiKeyA, ApiKeyB). That didn't work: Kibana seems to treat requests from ApiKeyA and ApiKeyB as belonging to the same user. I have tried creating an API Key for an admin account and an API Key for a non-admin account, but that didn't work as right now only admin is available.

@tsullivan Let me make sure I first understand correctly. You want to create an API integration test that confirms that only the creator of a report can see/delete that report. Is that accurate?

I don't think this is currently possible in serverless, as API keys are created on the fly for a specific role, and not for/by a specific user.

tsullivan commented 3 days ago

@jeramysoucy you understand correctly. Thank you for the clarification!

jeramysoucy commented 22 hours ago

@tsullivan No problem. How do we assign ownership of a report when it is generated via API with API key auth? I assume we have to use the API key owner as the report owner.