diff --git a/elasticsearch/qa/smoke-test-monitoring-with-shield/build.gradle b/elasticsearch/qa/smoke-test-monitoring-with-shield/build.gradle index 1eb840cb977..85715ca77ce 100644 --- a/elasticsearch/qa/smoke-test-monitoring-with-shield/build.gradle +++ b/elasticsearch/qa/smoke-test-monitoring-with-shield/build.gradle @@ -15,6 +15,7 @@ integTest { dependsOn copyMonitoringRestTests cluster { + systemProperty 'es.logger.level', 'TRACE' plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') setting 'xpack.monitoring.agent.interval', '3s' extraConfigFile 'x-pack/roles.yml', 'roles.yml' diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java index 9baf301bba2..7a7f5500731 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java @@ -131,4 +131,20 @@ public class ReservedRealmTests extends ESTestCase { assertThat(ReservedRealm.users(), containsInAnyOrder((User) XPackUser.INSTANCE, KibanaUser.INSTANCE)); } + + public void testFailedAuthentication() { + final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore); + // maybe cache a successful auth + if (randomBoolean()) { + User user = reservedRealm.authenticate(new UsernamePasswordToken(XPackUser.NAME, new SecuredString("changeme".toCharArray()))); + assertThat(user, sameInstance(XPackUser.INSTANCE)); + } + + try { + reservedRealm.authenticate(new UsernamePasswordToken(XPackUser.NAME, new SecuredString("foobar".toCharArray()))); + fail("authentication should throw an exception otherwise we may allow others to impersonate reserved users..."); + } catch (ElasticsearchSecurityException e) { + assertThat(e.getMessage(), containsString("failed to authenticate")); + } + } }