OpenSearch/qa/sql/security/build.gradle

integTestCluster {
  // Setup auditing so we can use it in some tests
  setting 'xpack.security.audit.enabled', 'true'
  setting 'xpack.security.audit.outputs', '[logfile, index]'
  // Only log the events we need so we don't have as much to sort through
  setting 'xpack.security.audit.index.events.include', '[access_denied, access_granted]'
  // Try and speed up audit logging without overwelming it
  setting 'xpack.security.audit.index.flush_interval', '250ms'
  setting 'xpack.security.audit.index.settings.index.number_of_shards', '1'
  setting 'xpack.security.audit.index.settings.index.refresh_interval', '250ms'
  // Setup roles used by tests
  extraConfigFile 'x-pack/roles.yml', 'roles.yml'
  /* Setup the one admin user that we run the tests as.
   * Tests use "run as" to get different users. */
  setupCommand 'setupUser#test_admin',
               'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'
  // Override the wait condition to work properly with security
  waitCondition = { node, ant ->
    File tmpFile = new File(node.cwd, 'wait.success')
    ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
            dest: tmpFile.toString(),
            username: 'test_admin',
            password: 'x-pack-test-password',
            ignoreerrors: true,
            retries: 10)
    return tmpFile.exists()
  }
}

run {
  // Enabled audit logging so we can test it
  setting 'xpack.security.audit.enabled', 'true'
  setting 'xpack.security.audit.outputs', '[logfile, index]'
  // Only log the events we need so we don't have as much to sort through
  setting 'xpack.security.audit.index.events.include', '[access_denied, access_granted]'
  // Try and speed up the logging process without overwelming it
  setting 'xpack.security.audit.index.flush_interval', '250ms'
  setting 'xpack.security.audit.index.settings.index.number_of_shards', '1'
  setting 'xpack.security.audit.index.settings.index.refresh_interval', '250ms'
  // Setup roles used by tests
  extraConfigFile 'x-pack/roles.yml', 'roles.yml'
  /* Setup the one admin user that we run the tests as.
   * Tests use "run as" to get different users. */
  setupCommand 'setupUser#test_admin',
               'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'
  // Override the wait condition to work properly with security
  waitCondition = { node, ant ->
    File tmpFile = new File(node.cwd, 'wait.success')
    ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
            dest: tmpFile.toString(),
            username: 'test_admin',
            password: 'x-pack-test-password',
            ignoreerrors: true,
            retries: 10)
    return tmpFile.exists()
  }
}
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`integTestCluster {`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Setup auditing so we can use it in some tests`
Audit logging for SQL (elastic/x-pack-elasticsearch#2210) Adapts audit logging to actions that delay getting index access control until the action is started. The audit log will contain an entry for the action itself starting without any associated indices because the indices are not yet known. The audit log will also contain an entry for every time the action resolved security for a set of indices. Since sql resolves indices one at a time it will contain an entry per index. All of this customization is entirely in the security code. The only SQL change in this PR is to add audit logging support to the integration test. Original commit: elastic/x-pack-elasticsearch@539bb3c2a844c48caf337a152438854ac6882057 2017-08-15 14:19:28 -04:00			`setting 'xpack.security.audit.enabled', 'true'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`setting 'xpack.security.audit.outputs', '[logfile, index]'`
Audit logging for SQL (elastic/x-pack-elasticsearch#2210) Adapts audit logging to actions that delay getting index access control until the action is started. The audit log will contain an entry for the action itself starting without any associated indices because the indices are not yet known. The audit log will also contain an entry for every time the action resolved security for a set of indices. Since sql resolves indices one at a time it will contain an entry per index. All of this customization is entirely in the security code. The only SQL change in this PR is to add audit logging support to the integration test. Original commit: elastic/x-pack-elasticsearch@539bb3c2a844c48caf337a152438854ac6882057 2017-08-15 14:19:28 -04:00			`// Only log the events we need so we don't have as much to sort through`
			`setting 'xpack.security.audit.index.events.include', '[access_denied, access_granted]'`
			`// Try and speed up audit logging without overwelming it`
			`setting 'xpack.security.audit.index.flush_interval', '250ms'`
			`setting 'xpack.security.audit.index.settings.index.number_of_shards', '1'`
			`setting 'xpack.security.audit.index.settings.index.refresh_interval', '250ms'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Setup roles used by tests`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`extraConfigFile 'x-pack/roles.yml', 'roles.yml'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`/* Setup the one admin user that we run the tests as.`
			`* Tests use "run as" to get different users. */`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`setupCommand 'setupUser#test_admin',`
			`'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Override the wait condition to work properly with security`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`waitCondition = { node, ant ->`
			`File tmpFile = new File(node.cwd, 'wait.success')`
			`ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",`
			`dest: tmpFile.toString(),`
			`username: 'test_admin',`
			`password: 'x-pack-test-password',`
			`ignoreerrors: true,`
			`retries: 10)`
			`return tmpFile.exists()`
			`}`
			`}`

Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`run {`
Audit logging for SQL (elastic/x-pack-elasticsearch#2210) Adapts audit logging to actions that delay getting index access control until the action is started. The audit log will contain an entry for the action itself starting without any associated indices because the indices are not yet known. The audit log will also contain an entry for every time the action resolved security for a set of indices. Since sql resolves indices one at a time it will contain an entry per index. All of this customization is entirely in the security code. The only SQL change in this PR is to add audit logging support to the integration test. Original commit: elastic/x-pack-elasticsearch@539bb3c2a844c48caf337a152438854ac6882057 2017-08-15 14:19:28 -04:00			`// Enabled audit logging so we can test it`
			`setting 'xpack.security.audit.enabled', 'true'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`setting 'xpack.security.audit.outputs', '[logfile, index]'`
Audit logging for SQL (elastic/x-pack-elasticsearch#2210) Adapts audit logging to actions that delay getting index access control until the action is started. The audit log will contain an entry for the action itself starting without any associated indices because the indices are not yet known. The audit log will also contain an entry for every time the action resolved security for a set of indices. Since sql resolves indices one at a time it will contain an entry per index. All of this customization is entirely in the security code. The only SQL change in this PR is to add audit logging support to the integration test. Original commit: elastic/x-pack-elasticsearch@539bb3c2a844c48caf337a152438854ac6882057 2017-08-15 14:19:28 -04:00			`// Only log the events we need so we don't have as much to sort through`
			`setting 'xpack.security.audit.index.events.include', '[access_denied, access_granted]'`
			`// Try and speed up the logging process without overwelming it`
			`setting 'xpack.security.audit.index.flush_interval', '250ms'`
			`setting 'xpack.security.audit.index.settings.index.number_of_shards', '1'`
			`setting 'xpack.security.audit.index.settings.index.refresh_interval', '250ms'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Setup roles used by tests`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`extraConfigFile 'x-pack/roles.yml', 'roles.yml'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`/* Setup the one admin user that we run the tests as.`
			`* Tests use "run as" to get different users. */`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`setupCommand 'setupUser#test_admin',`
			`'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'`
Shuffle SQL's integration tests some (elastic/x-pack-elasticsearch#2403) This shuffles all of SQL's QA tests into the `qa/sql` directory, moving some shared resources into the new `qa:sql` project. It also rigs up testing of the rest SQL interface in all the sql qa configurations: without security, with security, and against multiple nodes. I've had to make some modifications to how we handle the audit log because it has gotten pretty slow. If these modifications turn out to not be fast enough then I'll change the test to querying the log files and drop the audit log index entirely but the index seems to be holding out for now. Original commit: elastic/x-pack-elasticsearch@ff3b5a74c1d6fc08fa5186f97d52579a66860802 2017-08-30 17:22:46 -04:00			`// Override the wait condition to work properly with security`
Sql security take 1 (elastic/x-pack-elasticsearch#2106) Add some basic security testing/integration. The good news: 1. Basic security now works. Users without access to an index can't run sql queries against it. Without this change they could. 2. Document level security works! At least so far as I can tell. The work left to do: 1. Field level security doesn't work properly. I mean, it kind of works in that the field's values don't leak but it just looks like they all have null values. 2. We will need to test scrolling. 3. I've only added tests for the rest sql action. I'll need to add tests for jdbc and the CLI as well. 4. I've only added tests for `SELECT` and have ignored stuff like `DESCRIBE` and `SHOW TABLES`. Original commit: elastic/x-pack-elasticsearch@b9909bbda01d625e7f58d77dc967b160c9d9c7a0 2017-07-27 17:40:14 -04:00			`waitCondition = { node, ant ->`
			`File tmpFile = new File(node.cwd, 'wait.success')`
			`ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",`
			`dest: tmpFile.toString(),`
			`username: 'test_admin',`
			`password: 'x-pack-test-password',`
			`ignoreerrors: true,`
			`retries: 10)`
			`return tmpFile.exists()`
			`}`
			`}`