run all CI tests with security enabled and minimal privileged roles #26937
Comments
Pinging @elastic/kibana-qa
Notes from meeting with @spalger @dmlemeshko @wayneseymour:
UPDATE: After spending some time thinking about the cost to implement this across all tests, and weighing that against another option which is to just use one non-superuser for all OSS tests and a different non-superuser for all x-pack tests (each with the union of privileges needed by those tests), it seems much much much easier to just use a "power" user (or "kibana_user") and still gets a significant reduction in risk compared to running all tests as a superuser. One of the paths to look at is `packages\kbn-test\src\functional_tests\lib\auth.js`
Sounds like the KISS principle to me. Simple is clean.
#52431 addresses much of this issue.
Describe the feature: We should run all CI tests with security enabled and with a user who has the minimal documented privileges to allow them to be successful.

Describe a specific use case for the feature:
For example, Management Index Pattern tests should be run with a user with the `kibana_user` role and a role that gives them only `read` and `view_index_metadata` privileges on `logstash-*`.

The x-pack tests already do run with security enabled but they currently all run as the elastic superuser.

The OSS tests currently run against an OSS Kibana/Elasticsearch server pair. I guess we should keep that but then also run them against a default distribution Kibana/Elasticsearch server pair.

Of course Kibana should be configured to use the `kibana_server` role user also and not the elastic superuser.
@dmlemeshko had what I think is a great idea for this. Instead of creating multiple users and logging out and back in as a different user between tests, just log in as one `dynamic` user and change the roles between tests using the Elasticsearch js client. I think the way we navigate with the timestamp in the url, and the refresh, that the changed role would take effect without a new login. For some features like visualize, this could just be done once in the before method in the index.js.
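The setup the issue body describes, written out as an added example (this is not code from the Kibana repository or from anyone in the thread): one "dynamic" test user whose roles are swapped between tests through the Elasticsearch security REST API (`PUT /_security/role/<name>`, `PUT /_security/user/<name>`), with the role restricted to `read` and `view_index_metadata` on `logstash-*` as in the Management Index Pattern case, plus a guard that refuses to run a test as `superuser`. The HTTP transport is injected, and an in-memory fake of the two endpoints stands in for Elasticsearch so the example runs offline; the user, role and password names (`test_dynamic`, `logstash_reader`, `changeme`) are constructed for the example.

```javascript
// Added example, not Kibana's own test harness. Role/user names below are constructed.
// Real endpoints used by the transport: PUT/GET /_security/role/<name>, /_security/user/<name>.

// Role document for the Management Index Pattern case from the issue:
// only `read` and `view_index_metadata` on `logstash-*`, no cluster privileges.
function logstashReaderRole() {
  return {
    cluster: [],
    indices: [{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata'] }],
  };
}

// The single user every test logs in as; only its `roles` list changes between tests.
// `password` is only required when the user is first created, so it is optional here.
function dynamicUser(roles, password) {
  const doc = { roles, full_name: 'functional test user (constructed)' };
  if (password !== undefined) doc.password = password;
  return doc;
}

// Guard: a functional-test role set must never include `superuser`.
function assertNotSuperuser(roles) {
  if (roles.includes('superuser')) {
    throw new Error('functional tests must not run as superuser; got roles: ' + roles.join(','));
  }
  return true;
}

// Thin wrapper over the security API; `transport(method, path, body)` is injected.
class SecurityClient {
  constructor(transport) { this.transport = transport; }
  putRole(name, role) { return this.transport('PUT', `/_security/role/${encodeURIComponent(name)}`, role); }
  putUser(name, user) { return this.transport('PUT', `/_security/user/${encodeURIComponent(name)}`, user); }
  getUser(name) { return this.transport('GET', `/_security/user/${encodeURIComponent(name)}`); }
}

// Run `testFn` while the dynamic user holds exactly `roles`; restore the previous roles afterwards,
// even if the test throws, so one test's privileges never leak into the next.
async function withRoles(client, username, roles, testFn) {
  assertNotSuperuser(roles);
  const before = await client.getUser(username);
  const previousRoles = before && before[username] ? before[username].roles : [];
  await client.putUser(username, dynamicUser(roles));
  try {
    return await testFn();
  } finally {
    await client.putUser(username, dynamicUser(previousRoles));
  }
}

// In-memory fake of the two security endpoints so the example runs without a cluster.
function makeFakeTransport() {
  const store = { roles: {}, users: {} };
  const transport = async (method, path, body) => {
    const m = path.match(/^\/_security\/(role|user)\/([^/]+)$/);
    if (!m) throw new Error('unexpected path ' + path);
    const [, kind, name] = m;
    const table = kind === 'role' ? store.roles : store.users;
    if (method === 'PUT') {
      // Like the real API, an update without `password` keeps the existing one.
      table[name] = Object.assign({}, table[name], body);
      return { created: true };
    }
    if (method === 'GET') return table[name] ? { [name]: table[name] } : {};
    throw new Error('unexpected method ' + method);
  };
  return { transport, store };
}

// End to end: create the role, give the dynamic user kibana_user + that role for one test,
// and report the roles held during the test and after it.
async function demo() {
  const { transport, store } = makeFakeTransport();
  const client = new SecurityClient(transport);
  await client.putRole('logstash_reader', logstashReaderRole());
  await client.putUser('test_dynamic', dynamicUser(['kibana_user'], 'changeme'));
  const rolesDuringTest = await withRoles(client, 'test_dynamic', ['kibana_user', 'logstash_reader'],
    async () => store.users.test_dynamic.roles.slice());
  return {
    rolesDuringTest,
    rolesAfter: store.users.test_dynamic.roles,
    role: store.roles.logstash_reader,
  };
}
```

To use this against a real cluster, replace `makeFakeTransport` with a function that sends the request (with the CI admin credentials) to the Elasticsearch URL; `withRoles` itself does not change. The role swap only affects authorization for requests made after it, which is why the issue body notes that a page refresh is enough and a fresh login is not needed.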