elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Obs AI Assistant] Serverless tests should use cookie based auth instead of api keys for internal routes #192711

Open neptunian opened 1 month ago

neptunian commented 1 month ago

The current recommendation in serverless tests is to use SAML role-based testing. The only way to test roles is to use API keys. However, only public routes should use API keys in the header. Internal routes do not use API keys and instead we should be using a cookie to check for authentication. It's currently possible to get a cookie for a built-in role (admin, editor, viewer), using svlManager, however it does not support custom users.

From appex-qa team: With SAML simulation in local env, we create roles when we start Kibana. We tell Elasticsearch what roles are in place and just grant admin, editor and viewer its own. Plan is to add a possibility to create a custom role and locally it will be assigned to the new user (no ETA, but probably within a month). But currently, for consistency with MKI (we can't generate new users in Elastic Cloud), we are not able to do so.

Change all our serverless API integration internal routes to use cookie authentication instead of API key headers, which should only be used for public routes. Also look into adding users to the observabilityAIAssistantAPIClient service, as we do in stateful, using cookie auth.

PR that makes getting the cookie easier for the built in users/roles https://github.com/elastic/kibana/pull/192727
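An added example, not code from the Kibana repository or from the issue's authors, that makes the route/credential distinction above concrete: a small TypeScript helper that extracts the session cookie from a Set-Cookie header and then builds request headers per route class, refusing to send an API key to an internal route. It assumes internal routes live under `/internal/` and public routes under `/api/`, that the Kibana session cookie is named `sid`, and that internal routes also want the `kbn-xsrf` and `x-elastic-internal-origin` headers; the Set-Cookie values in the usage below are constructed.

```typescript
// Added example (not Kibana's own test code): choose the auth mechanism per
// route class in a serverless API integration test.
//
// Assumptions, stated here because the issue does not spell them out:
//  - internal routes live under /internal/, public routes under /api/
//  - the session cookie returned after the SAML flow is named `sid`
//  - internal routes also want `kbn-xsrf` (any non-empty value) and, in
//    serverless, `x-elastic-internal-origin`

type Creds =
  | { kind: 'cookie'; cookie: string }   // "sid=<value>" as sent in a Cookie header
  | { kind: 'apiKey'; apiKey: string };  // base64("id:key"), as used by Authorization

const isInternalRoute = (path: string): boolean => path.startsWith('/internal/');

/** Pull the `sid=<value>` pair out of one or more Set-Cookie header values. */
function extractSidCookie(setCookie: string | string[]): string {
  const values = Array.isArray(setCookie) ? setCookie : [setCookie];
  for (const v of values) {
    // Keep only the name=value pair; drop Path/HttpOnly/Secure/SameSite attributes.
    const semi = v.indexOf(';');
    const pair = (semi === -1 ? v : v.slice(0, semi)).trim();
    if (pair.startsWith('sid=')) return pair;
  }
  throw new Error('no sid cookie in Set-Cookie');
}

/**
 * Build auth headers for a request. Internal routes must carry the session
 * cookie; an API key there is exactly the mistake the issue asks to remove.
 * Public routes accept either credential type.
 */
function authHeaders(path: string, creds: Creds): Record<string, string> {
  if (creds.kind === 'cookie') {
    const headers: Record<string, string> = {
      cookie: creds.cookie,
      'kbn-xsrf': 'true',
    };
    if (isInternalRoute(path)) headers['x-elastic-internal-origin'] = 'Kibana';
    return headers;
  }
  if (isInternalRoute(path)) {
    throw new Error(`internal route ${path} must use cookie auth, not an API key`);
  }
  return { authorization: `ApiKey ${creds.apiKey}` };
}

// Constructed sample: what a SAML callback might return (values are made up).
const sampleSetCookie = [
  'other=1; Path=/',
  'sid=Fe26.2**constructedSessionValue; Path=/; HttpOnly; Secure; SameSite=Lax',
];

const sid = extractSidCookie(sampleSetCookie);
const internalHeaders = authHeaders('/internal/observability_ai_assistant/chat', {
  kind: 'cookie',
  cookie: sid,
});
const publicHeaders = authHeaders('/api/status', { kind: 'apiKey', apiKey: 'Y29uc3RydWN0ZWQ=' });
console.log(internalHeaders, publicHeaders);
```

The refusal in `authHeaders` is the useful part for a test suite: wiring it into the shared API client turns "an internal route was exercised with an API key" into a failing test rather than a silently passing one.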

dmlemeshko commented 1 month ago

It's currently possible to get a cookie for a built-in role (admin, editor, viewer), using svlManager, however it does not support custom users or roles.

AFAIK custom SAML roles won't be supported by Oblt serverless project, so either it is no longer the case or there is no need to cover such a test scenario. In theory you might want to have 2 users of the same default role (e.g. Editor) and we probably can make it work on both Kibana CI and MKI.