diff --git a/plugin/src/test/resources/rest-api-spec/test/monitoring/bulk/20_privileges.yaml b/plugin/src/test/resources/rest-api-spec/test/monitoring/bulk/20_privileges.yaml
new file mode 100644
index 00000000000..b28ceb4de03
--- /dev/null
+++ b/plugin/src/test/resources/rest-api-spec/test/monitoring/bulk/20_privileges.yaml
@@ -0,0 +1,140 @@
+---
+setup:
+ - skip:
+ features: headers
+ - do:
+ cluster.health:
+ wait_for_status: yellow
+
+ # Creates a role and a user "Logstash Agent" who can use
+ # the Monitoring Bulk API and read the monitoring indices.
+ - do:
+ xpack.security.put_role:
+ name: "logstash_agent_role"
+ body: >
+ {
+ "cluster": ["cluster:admin/xpack/monitoring/bulk"],
+ "indices": [
+ {
+ "privileges": ["read"],
+ "names": ".monitoring-*"
+ }
+ ]
+ }
+ - do:
+ xpack.security.put_user:
+ username: "logstash_agent"
+ body: >
+ {
+ "password": "s3krit",
+ "roles" : [ "logstash_agent_role" ]
+ }
+
+ # Creates a role and a user "Unknown Agent" who can only
+ # read the monitoring indices.
+ - do:
+ xpack.security.put_role:
+ name: "unkown_agent_role"
+ body: >
+ {
+ "cluster": ["monitor"],
+ "indices": [
+ {
+ "privileges": ["read"],
+ "names": ".monitoring-*"
+ }
+ ]
+ }
+ - do:
+ xpack.security.put_user:
+ username: "unknown_agent"
+ body: >
+ {
+ "password": "s3krit",
+ "roles" : [ "unkown_agent_role" ]
+ }
+
+---
+teardown:
+ - do:
+ xpack.security.delete_user:
+ username: "logstash_agent"
+ ignore: 404
+ - do:
+ xpack.security.delete_role:
+ name: "logstash_agent_role"
+ ignore: 404
+ - do:
+ xpack.security.delete_user:
+ username: "unknown_agent"
+ ignore: 404
+ - do:
+ xpack.security.delete_role:
+ name: "unkown_agent_role"
+ ignore: 404
+
+---
+"Monitoring Bulk API":
+ - skip:
+ features: catch_unauthorized
+
+ - do:
+ headers:
+ # Authorization: logstash_agent
+ Authorization: "Basic bG9nc3Rhc2hfYWdlbnQ6czNrcml0"
+ xpack.monitoring.bulk:
+ system_id: "logstash"
+ system_api_version: "2"
+ interval: "10s"
+ body:
+ - index:
+ _type: logstash_metric
+ - metric:
+ queue: 10
+ - index:
+ _index: _data
+ _type: logstash_info
+ - info:
+ license: basic
+ - is_false: errors
+
+ - do:
+ indices.refresh: {}
+
+ - do:
+ search:
+ index: .monitoring-logstash-*
+ type: logstash_metric
+ - match: { hits.total: 1 }
+
+ - do:
+ search:
+ index: .monitoring-data-*
+ type: logstash_info
+ - match: { hits.total: 1 }
+
+ - do:
+ catch: forbidden
+ headers:
+ # Authorization: unknown_agent
+ Authorization: "Basic dW5rbm93bl9hZ2VudDpzM2tyaXQ="
+ xpack.monitoring.bulk:
+ system_id: "logstash"
+ system_api_version: "2"
+ interval: "10s"
+ body:
+ - index:
+ _type: logstash_metric
+ - metric:
+ queue: 10
+ - match: { "error.type": "security_exception" }
+ - match: { "error.reason": "action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [unknown_agent]" }
+
+ - do:
+ indices.refresh: {}
+
+ - do:
+ search:
+ index: .monitoring-logstash-*
+ type: logstash_metric
+ - match: { hits.total: 1 }
diff --git a/qa/smoke-test-monitoring-with-security/build.gradle b/qa/smoke-test-monitoring-with-security/build.gradle
deleted file mode 100644
index 8b16dbc7665..00000000000
--- a/qa/smoke-test-monitoring-with-security/build.gradle
+++ /dev/null
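Review bot: The negative case in "Monitoring Bulk API" only proves that a user holding `read` on `.monitoring-*` is rejected, so it would not catch a regression where index-level write access alone is enough to reach `cluster:admin/xpack/monitoring/bulk`. The `monitoring_without_bulk` role in the roles.yml that this commit deletes carried `write`, `read` and `manage`; keeping that shape in the second `put_role` body, `"privileges": ["read", "write", "manage"],`, would preserve the stronger check that the cluster privilege is the gate. The role name is spelled `unkown_agent_role` in setup and teardown; it is consistent, so the test still works, but `unknown_agent_role` would match the user name. The `search` and `indices.refresh` steps carry no `Authorization` header, so they presumably run with the runner's default credentials and the `read` grant in both roles is never exercised; a short comment saying so would keep readers from assuming otherwise.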
@@ -1,50 +0,0 @@
-subprojects {
- apply plugin: 'elasticsearch.standalone-rest-test'
- apply plugin: 'elasticsearch.rest-test'
-
- dependencies {
- testCompile project(path: ':x-pack-elasticsearch:plugin', configuration: 'runtime')
- }
-
- // bring in monitoring rest test suite
- task copyMonitoringRestTests(type: Copy) {
- into project.sourceSets.test.output.resourcesDir
- from project(':x-pack-elasticsearch:plugin').sourceSets.test.resources.srcDirs
- include 'rest-api-spec/test/monitoring/**'
- }
-
- integTest {
- dependsOn copyMonitoringRestTests
- }
-
- integTestCluster {
- systemProperty 'es.logger.level', 'TRACE'
- plugin ':x-pack-elasticsearch:plugin'
- setting 'xpack.monitoring.collection.interval', '3s'
- extraConfigFile 'x-pack/roles.yml', '../roles.yml'
- setupCommand 'setupTestAdminUser',
- 'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'superuser'
- setupCommand 'setupMonitoredSystemUser',
- 'bin/x-pack/users', 'useradd', 'monitoring_system', '-p', 'changeme', '-r', 'monitoring_system,monitoring_without_bulk'
- setupCommand 'setupPowerlessUser',
- 'bin/x-pack/users', 'useradd', 'not_monitoring_system', '-p', 'changeme', '-r', 'monitoring_without_bulk'
-
- waitCondition = { node, ant ->
- File tmpFile = new File(node.cwd, 'wait.success')
- ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
- dest: tmpFile.toString(),
- username: 'test_admin',
- password: 'changeme',
- ignoreerrors: true,
- retries: 10)
- return tmpFile.exists()
- }
- }
-}
-
-/**
- * Allow {@code integTest} to be invoked on this project to run both Monitoring+Security smoke tests.
- */
-task integTest {
- dependsOn subprojects.integTest
-}
diff --git a/qa/smoke-test-monitoring-with-security/insufficient-rights/build.gradle b/qa/smoke-test-monitoring-with-security/insufficient-rights/build.gradle
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/qa/smoke-test-monitoring-with-security/insufficient-rights/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT.java b/qa/smoke-test-monitoring-with-security/insufficient-rights/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT.java
deleted file mode 100644
index ba8cd0790b5..00000000000
--- a/qa/smoke-test-monitoring-with-security/insufficient-rights/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.smoketest;
-
-import com.carrotsearch.randomizedtesting.annotations.Name;
-import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
-
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate;
-import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase;
-import org.elasticsearch.xpack.security.authc.support.SecuredString;
-
-import java.io.IOException;
-
-import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
-import static org.hamcrest.Matchers.containsString;
-
-public class SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase {
-
- public SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) {
- super(testCandidate);
- }
-
- @ParametersFactory
- public static Iterable parameters() throws IOException {
- return ESClientYamlSuiteTestCase.createParameters();
- }
-
- @Override
- protected Settings restClientSettings() {
- String token = basicAuthHeaderValue("not_monitoring_system", new SecuredString("changeme".toCharArray()));
- return Settings.builder()
- .put(ThreadContext.PREFIX + ".Authorization", token)
- .build();
- }
-
- @Override
- protected Settings restAdminSettings() {
- String token = basicAuthHeaderValue("test_admin", new SecuredString("changeme".toCharArray()));
- return Settings.builder()
- .put(ThreadContext.PREFIX + ".Authorization", token)
- .build();
- }
-
- @Override
- public void test() throws IOException {
- try {
- super.test();
- fail("should have failed because of missing role");
- } catch(AssertionError ae) {
- assertThat(ae.getMessage(), containsString("action [cluster:admin/xpack/monitoring/bulk]"));
- assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
- assertThat(ae.getMessage(), containsString("is unauthorized for user [not_monitoring_system]"));
- }
- }
-
-}
diff --git a/qa/smoke-test-monitoring-with-security/roles.yml b/qa/smoke-test-monitoring-with-security/roles.yml
deleted file mode 100644
index e317cb01295..00000000000
--- a/qa/smoke-test-monitoring-with-security/roles.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-monitoring_system:
- cluster: [ 'cluster:admin/xpack/monitoring/bulk' ]
-
-monitoring_without_bulk:
- cluster: [ 'monitor' ]
- indices:
- - names: '.monitoring-*'
- privileges:
- - write
- - read
- - manage
diff --git a/qa/smoke-test-monitoring-with-security/sufficient-rights/build.gradle b/qa/smoke-test-monitoring-with-security/sufficient-rights/build.gradle
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/qa/smoke-test-monitoring-with-security/sufficient-rights/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT.java b/qa/smoke-test-monitoring-with-security/sufficient-rights/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT.java
deleted file mode 100644
index 2024f9d1da2..00000000000
--- a/qa/smoke-test-monitoring-with-security/sufficient-rights/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.smoketest;
-
-import com.carrotsearch.randomizedtesting.annotations.Name;
-import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
-
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate;
-import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase;
-import org.elasticsearch.xpack.security.authc.support.SecuredString;
-
-import java.io.IOException;
-
-import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
-
-public class SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase {
-
- public SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) {
- super(testCandidate);
- }
-
- @ParametersFactory
- public static Iterable parameters() throws IOException {
- return ESClientYamlSuiteTestCase.createParameters();
- }
-
- @Override
- protected Settings restClientSettings() {
- String token = basicAuthHeaderValue("monitoring_system", new SecuredString("changeme".toCharArray()));
- return Settings.builder()
- .put(ThreadContext.PREFIX + ".Authorization", token)
- .build();
- }
-
- @Override
- protected Settings restAdminSettings() {
- String token = basicAuthHeaderValue("test_admin", new SecuredString("changeme".toCharArray()));
- return Settings.builder()
- .put(ThreadContext.PREFIX + ".Authorization", token)
- .build();
- }
-}