OpenSearch/qa/sql/security/build.gradle

dependencies {
  testCompile(project(path: ':x-pack-elasticsearch:plugin', configuration: 'runtime')) {
    transitive = false
  }
}

integTestCluster {
  // Setup auditing so we can use it in some tests
  setting 'xpack.security.audit.enabled', 'true'
  setting 'xpack.security.audit.outputs', 'logfile'
  // Setup roles used by tests
  extraConfigFile 'x-pack/roles.yml', 'roles.yml'
  /* Setup the one admin user that we run the tests as.
   * Tests use "run as" to get different users. */
  setupCommand 'setupUser#test_admin',
               'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'
  // Override the wait condition to work properly with security
  waitCondition = { node, ant ->
    File tmpFile = new File(node.cwd, 'wait.success')
    ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
            dest: tmpFile.toString(),
            username: 'test_admin',
            password: 'x-pack-test-password',
            ignoreerrors: true,
            retries: 10)
    return tmpFile.exists()
  }
}

integTestRunner {
  systemProperty 'tests.audit.logfile',
      "${ -> integTest.nodes[0].homeDir}/logs/${ -> integTest.nodes[0].clusterName }_access.log"
}

run {
  // Setup auditing so we can use it in some tests
  setting 'xpack.security.audit.enabled', 'true'
  setting 'xpack.security.audit.outputs', 'logfile'
  // Setup roles used by tests
  extraConfigFile 'x-pack/roles.yml', 'roles.yml'
  /* Setup the one admin user that we run the tests as.
   * Tests use "run as" to get different users. */
  setupCommand 'setupUser#test_admin',
               'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'
  // Override the wait condition to work properly with security
  waitCondition = { node, ant ->
    File tmpFile = new File(node.cwd, 'wait.success')
    ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
            dest: tmpFile.toString(),
            username: 'test_admin',
            password: 'x-pack-test-password',
            ignoreerrors: true,
            retries: 10)
    return tmpFile.exists()
  }
}
Move all sql integration tests into qa (elastic/x-pack-elasticsearch#2432) Builds on elastic/x-pack-elasticsearch#2403 to move all of sql's integration testing into qa modules with different running server configurations. The big advantage of this is that it allows us to test the cli and jdbc with security present. Creating a project that depends on both cli and jdbc and the server has some prickly jar hell issues because cli and jdbc package their dependencies in the jar. This works around it in a few days: 1. Include only a single copy of the JDBC dependencies with careful gradle work. 2. Do not include the CLI on the classpath at all and instead run it externally. I say "run it externally" rather than "fork it" because Elasticsearch tests aren't allowed to fork other processes. This is forbidden by seccomp on linux and seatbelt on osx and cannot be explicitly requested like additional security manager settings. So instead of forking the CLI process directly the tests interact with a test fixture that isn't bound by Elasticsearch's rules and can fork it. This forking of the CLI has a nice side effect: it forces us to make sure that things like security and connection strings other than `localhost:9200` work. The old test could and did work around missing features like that. The new tests cannot so I added the ability to set the connection string. Configuring usernames and passwords was also not supported but I did not add support for that, only created the failing test and marked it as `@AwaitsFix`. Original commit: elastic/x-pack-elasticsearch@560c6815e3e03306270a2affd758763f34613891 2017-09-21 09:58:52 -04:00			`dependencies {`
			`testCompile(project(path: ':x-pack-elasticsearch:plugin', configuration: 'runtime')) {`
			`transitive = false`
			`}`
			`}`

Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`integTestCluster {`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Setup auditing so we can use it in some tests`
Audit logging for SQL (elastic/x-pack-elasticsearch#2210) Adapts audit logging to actions that delay getting index access control until the action is started. The audit log will contain an entry for the action itself starting without any associated indices because the indices are not yet known. The audit log will also contain an entry for every time the action resolved security for a set of indices. Since sql resolves indices one at a time it will contain an entry per index. All of this customization is entirely in the security code. The only SQL change in this PR is to add audit logging support to the integration test. Original commit: elastic/x-pack-elasticsearch@539bb3c2a844c48caf337a152438854ac6882057 2017-08-15 14:19:28 -04:00			`setting 'xpack.security.audit.enabled', 'true'`
Switch sql audit tests from index to the log file (elastic/x-pack-elasticsearch#2753) This is way faster because we don't have to wait for the audit events from previous test runs to drain into the index. And we don't have to wait for the index's refresh cycle. We have to parse the log lines which is a bit more brittle but it feels worth it at this point. Original commit: elastic/x-pack-elasticsearch@4b1758fc329e7661c81922acd60e5fec9575d962 2017-10-14 08:27:51 -04:00			`setting 'xpack.security.audit.outputs', 'logfile'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Setup roles used by tests`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`extraConfigFile 'x-pack/roles.yml', 'roles.yml'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`/* Setup the one admin user that we run the tests as.`
			`* Tests use "run as" to get different users. */`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`setupCommand 'setupUser#test_admin',`
			`'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Override the wait condition to work properly with security`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`waitCondition = { node, ant ->`
			`File tmpFile = new File(node.cwd, 'wait.success')`
			`ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",`
			`dest: tmpFile.toString(),`
			`username: 'test_admin',`
			`password: 'x-pack-test-password',`
			`ignoreerrors: true,`
			`retries: 10)`
			`return tmpFile.exists()`
			`}`
			`}`

Switch sql audit tests from index to the log file (elastic/x-pack-elasticsearch#2753) This is way faster because we don't have to wait for the audit events from previous test runs to drain into the index. And we don't have to wait for the index's refresh cycle. We have to parse the log lines which is a bit more brittle but it feels worth it at this point. Original commit: elastic/x-pack-elasticsearch@4b1758fc329e7661c81922acd60e5fec9575d962 2017-10-14 08:27:51 -04:00			`integTestRunner {`
			`systemProperty 'tests.audit.logfile',`
			`"${ -> integTest.nodes[0].homeDir}/logs/${ -> integTest.nodes[0].clusterName }_access.log"`
			`}`

Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`run {`
Fix SQL security build's run config Now it is the same as the integTest config agian. I should have done this in elastic/x-pack-elasticsearch#2753 but I forgot. Original commit: elastic/x-pack-elasticsearch@bbbb8b1dc7ca6a4cbabfe95085f3007769fbe3ae 2017-10-19 13:14:30 -04:00			`// Setup auditing so we can use it in some tests`
Audit logging for SQL (elastic/x-pack-elasticsearch#2210) Adapts audit logging to actions that delay getting index access control until the action is started. The audit log will contain an entry for the action itself starting without any associated indices because the indices are not yet known. The audit log will also contain an entry for every time the action resolved security for a set of indices. Since sql resolves indices one at a time it will contain an entry per index. All of this customization is entirely in the security code. The only SQL change in this PR is to add audit logging support to the integration test. Original commit: elastic/x-pack-elasticsearch@539bb3c2a844c48caf337a152438854ac6882057 2017-08-15 14:19:28 -04:00			`setting 'xpack.security.audit.enabled', 'true'`
Fix SQL security build's run config Now it is the same as the integTest config agian. I should have done this in elastic/x-pack-elasticsearch#2753 but I forgot. Original commit: elastic/x-pack-elasticsearch@bbbb8b1dc7ca6a4cbabfe95085f3007769fbe3ae 2017-10-19 13:14:30 -04:00			`setting 'xpack.security.audit.outputs', 'logfile'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Setup roles used by tests`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`extraConfigFile 'x-pack/roles.yml', 'roles.yml'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`/* Setup the one admin user that we run the tests as.`
			`* Tests use "run as" to get different users. */`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`setupCommand 'setupUser#test_admin',`
			`'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Override the wait condition to work properly with security`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`waitCondition = { node, ant ->`
			`File tmpFile = new File(node.cwd, 'wait.success')`
			`ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",`
			`dest: tmpFile.toString(),`
			`username: 'test_admin',`
			`password: 'x-pack-test-password',`
			`ignoreerrors: true,`
			`retries: 10)`
			`return tmpFile.exists()`
			`}`
			`}`