Open LeeDr opened 5 years ago
Pinging @elastic/kibana-qa
Notes from meeting with @spalger @dmlemeshko @wayneseymour:
Keep using elastic superuser within FTR for everything like esArchiver or kibanaServer calls.
Each test calls a testUser(<named set of privileges>) service to switch the privileges of the testRole to a named set of privs. For example indexMgmt, which has read and view_index_metadata access to the logstash-* index. This testUser call should probably be before the navigateToApp call.
Change common_page method(s) to login as testUser, which has testRole.
The initial implementation of this could add testUser('superuser') for every test and then other PRs could reduce the privs on a case-by-case basis.
Still need to run the OSS tests with security enabled as another task.
UPDATE: After spending some time thinking about the cost to implement this across all tests, and weighing that against another option which is to just use one non-superuser for all OSS tests and a different non-superuser for all x-pack tests (each with the union of privileges needed by those tests), it seems much much much easier to just use a "power" user (or "kibana_user") and still get a significant reduction in risk compared to running all tests as a superuser.
One of the paths to look at is packages\kbn-test\src\functional_tests\lib\auth.js and another place to look is packages\kbn-test\src\kbn\users.js
sounds like the KISS principle to me. Simple is clean.
https://github.com/elastic/kibana/pull/52431 addresses much of this issue.
Describe the feature: We should run all CI tests with security enabled and with a user who has the minimal documented privileges to allow them to be successful.
Describe a specific use case for the feature: For example, Management Index Pattern tests should be run with a user with the kibana_user role and a role that gives them only read and view_index_metadata privileges on logstash-*. The x-pack tests already do run with security enabled but they currently all run as the elastic superuser.
The OSS tests currently run against an OSS Kibana/Elasticsearch server pair. I guess we should keep that but then also run them against a default distribution Kibana/Elasticsearch server pair.
Of course Kibana should be configured to use the kibana_server role user also and not the elastic superuser.
@dmlemeshko had what I think is a great idea for this. Instead of creating multiple users and logging out and back in as a different user between tests, just log in as one dynamic user and change the roles between tests using the Elasticsearch js client. I think the way we navigate with the timestamp in the url, and the refresh, that the changed role would take effect without a new login. For some features like visualize, this could just be done once in the before method in the index.js.
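The testUser(<named set of privileges>) service from the meeting notes and the single dynamic-user idea above, sketched as an added example (not code from the Kibana issue or repository). The role name ftr_test_role, the isLeastPrivilege guard and the in-memory fake client are assumptions for illustration; only the indexMgmt set (read and view_index_metadata on logstash-*) comes from the thread, and the putRole call assumes the v7-style { name, body } shape of @elastic/elasticsearch.

```javascript
// Added example, not from the Kibana issue or repo: one shared test role is
// re-pointed at a named privilege set via the Elasticsearch security API
// instead of logging out and back in as a different user between tests.
// TEST_ROLE, isLeastPrivilege() and fakeClient() are illustrative assumptions.
const TEST_ROLE = 'ftr_test_role'; // hypothetical name of the single dynamic role

// Each named set is the body of PUT _security/role/<TEST_ROLE>.
// indexMgmt is the set described in the thread.
const PRIVILEGE_SETS = {
  indexMgmt: {
    cluster: [],
    indices: [{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata'] }],
  },
};

// Guard against a set quietly regressing to superuser-like scope:
// no 'all' cluster/index privilege and no bare '*' index pattern.
function isLeastPrivilege(def) {
  if (def.cluster.includes('all')) return false;
  return def.indices.every(
    (idx) => !idx.privileges.includes('all') && !idx.names.includes('*')
  );
}

function roleDefinition(setName) {
  const def = PRIVILEGE_SETS[setName];
  if (!def) throw new Error(`unknown privilege set: ${setName}`);
  if (!isLeastPrivilege(def)) throw new Error(`privilege set ${setName} is too broad`);
  return def;
}

// Switch TEST_ROLE to the named set. `client` is an Elasticsearch JS client
// (or any object exposing security.putRole with the same call shape).
async function testUser(client, setName) {
  const body = roleDefinition(setName);
  await client.security.putRole({ name: TEST_ROLE, body });
  return { role: TEST_ROLE, privilegeSet: setName };
}

// Constructed in-memory stand-in for the client so the example runs offline.
function fakeClient() {
  const roles = {};
  return {
    roles,
    security: {
      async putRole({ name, body }) { roles[name] = body; return { role: { name } }; },
    },
  };
}
```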