-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[APM] Run API tests as restricted user #70050
Changes from 4 commits
c56debf
6839537
483e135
dd913ec
81e78a4
1025dbf
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { PromiseReturnType } from '../../../plugins/apm/typings/common'; | ||
import { SecurityServiceProvider } from '../../../../test/common/services/security'; | ||
|
||
type SecurityService = PromiseReturnType<typeof SecurityServiceProvider>; | ||
|
||
export enum ApmUser { | ||
APM_READ_USER = 'apm_read_user', | ||
APM_WRITE_USER = 'apm_write_user', | ||
} | ||
|
||
export async function createApmUser(security: SecurityService, apmUser: ApmUser) { | ||
switch (apmUser) { | ||
case ApmUser.APM_READ_USER: | ||
await security.role.create(ApmUser.APM_READ_USER, { | ||
elasticsearch: { | ||
cluster: [], | ||
indices: [ | ||
{ names: ['observability-annotations'], privileges: ['read', 'view_index_metadata'] }, | ||
], | ||
}, | ||
kibana: [ | ||
{ | ||
base: [], | ||
feature: { | ||
apm: ['read'], | ||
}, | ||
spaces: ['*'], | ||
}, | ||
], | ||
}); | ||
await security.user.create(ApmUser.APM_READ_USER, { | ||
full_name: ApmUser.APM_READ_USER, | ||
password: APM_TEST_PASSWORD, | ||
roles: ['apm_user', ApmUser.APM_READ_USER], | ||
}); | ||
break; | ||
|
||
case ApmUser.APM_WRITE_USER: | ||
await security.role.create(ApmUser.APM_WRITE_USER, { | ||
elasticsearch: { | ||
cluster: [], | ||
indices: [ | ||
{ | ||
names: ['observability-annotations'], | ||
privileges: [ | ||
'read', | ||
'view_index_metadata', | ||
'index', | ||
'manage', | ||
'create_index', | ||
'create_doc', | ||
], | ||
}, | ||
], | ||
}, | ||
kibana: [ | ||
{ | ||
base: [], | ||
feature: { | ||
apm: ['all'], | ||
}, | ||
spaces: ['*'], | ||
}, | ||
], | ||
}); | ||
|
||
await security.user.create(ApmUser.APM_WRITE_USER, { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do you think it could be confusing with identical names for the user and role? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hmm, I don't think so. Do you see a scenario in our test where they could be confused? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No, probably fine 👍 |
||
full_name: ApmUser.APM_WRITE_USER, | ||
password: APM_TEST_PASSWORD, | ||
roles: ['apm_user', ApmUser.APM_WRITE_USER], | ||
}); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Perhaps it would be more clear to have separate functions: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I will make it more declarative. I need to add another user, one that is permitted to index annotations. |
||
|
||
break; | ||
} | ||
} | ||
|
||
export const APM_TEST_PASSWORD = 'changeme'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wasn't the plan to make this part of the
apm_user
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but didn't want to block on the ES PR. If the ES PR gets merged first, I will update this before merging.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍