[Test] Add Monitoring Bulk API REST tests with privileges (elastic/x-pack-elasticsearch#968)

This commit removes the smoke-test-monitoring-with-security project
and replaces it with a REST test.

Original commit: elastic/x-pack-elasticsearch@f1665815c2

plugin/src/test/resources/rest-api-spec/test/monitoring/bulk/20_privileges.yaml

@@ -0,0 +1,140 @@
+---
+setup:
+  - skip:
+      features: headers
+  - do:
+      cluster.health:
+        wait_for_status: yellow
+
+  # Creates a role and a user "Logstash Agent" who can use
+  # the Monitoring Bulk API and read the monitoring indices.
+  - do:
+      xpack.security.put_role:
+        name: "logstash_agent_role"
+        body:  >
+            {
+              "cluster": ["cluster:admin/xpack/monitoring/bulk"],
+              "indices": [
+                {
+                  "privileges": ["read"],
+                  "names": ".monitoring-*"
+                }
+              ]
+            }
+  - do:
+      xpack.security.put_user:
+        username: "logstash_agent"
+        body:  >
+          {
+            "password": "s3krit",
+            "roles" : [ "logstash_agent_role" ]
+          }
+
+  # Creates a role and a user "Unknown Agent" who can only
+  # read the monitoring indices.
+  - do:
+      xpack.security.put_role:
+        name: "unkown_agent_role"
+        body:  >
+            {
+              "cluster": ["monitor"],
+              "indices": [
+                {
+                  "privileges": ["read"],
+                  "names": ".monitoring-*"
+                }
+              ]
+            }
+  - do:
+      xpack.security.put_user:
+        username: "unknown_agent"
+        body:  >
+          {
+            "password": "s3krit",
+            "roles" : [ "unkown_agent_role" ]
+          }
+
+---
+teardown:
+  - do:
+      xpack.security.delete_user:
+        username: "logstash_agent"
+        ignore: 404
+  - do:
+      xpack.security.delete_role:
+        name: "logstash_agent_role"
+        ignore: 404
+  - do:
+      xpack.security.delete_user:
+        username: "unknown_agent"
+        ignore: 404
+  - do:
+      xpack.security.delete_role:
+        name: "unkown_agent_role"
+        ignore: 404
+
+---
+"Monitoring Bulk API":
+  - skip:
+      features: catch_unauthorized
+
+  - do:
+      headers:
+        # Authorization: logstash_agent
+        Authorization: "Basic bG9nc3Rhc2hfYWdlbnQ6czNrcml0"
+      xpack.monitoring.bulk:
+        system_id:          "logstash"
+        system_api_version: "2"
+        interval:           "10s"
+        body:
+          - index:
+              _type:  logstash_metric
+          - metric:
+              queue:  10
+          - index:
+              _index: _data
+              _type:  logstash_info
+          - info:
+              license: basic
+  - is_false: errors
+
+  - do:
+      indices.refresh: {}
+
+  - do:
+      search:
+        index: .monitoring-logstash-*
+        type:  logstash_metric
+  - match: { hits.total: 1 }
+
+  - do:
+      search:
+        index: .monitoring-data-*
+        type:  logstash_info
+  - match: { hits.total: 1 }
+
+  - do:
+      catch: forbidden
+      headers:
+        # Authorization: unknown_agent
+        Authorization: "Basic dW5rbm93bl9hZ2VudDpzM2tyaXQ="
+      xpack.monitoring.bulk:
+        system_id:          "logstash"
+        system_api_version: "2"
+        interval:           "10s"
+        body:
+          - index:
+              _type:  logstash_metric
+          - metric:
+              queue:  10
+  - match: { "error.type": "security_exception" }
+  - match: { "error.reason": "action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [unknown_agent]" }
+
+  - do:
+      indices.refresh: {}
+
+  - do:
+      search:
+        index: .monitoring-logstash-*
+        type:  logstash_metric
+  - match: { hits.total: 1 }

qa/smoke-test-monitoring-with-security/build.gradle

@@ -1,50 +0,0 @@
-subprojects {
-  apply plugin: 'elasticsearch.standalone-rest-test'
-  apply plugin: 'elasticsearch.rest-test'
-
-  dependencies {
-    testCompile project(path: ':x-pack-elasticsearch:plugin', configuration: 'runtime')
-  }
-
-  // bring in monitoring rest test suite
-  task copyMonitoringRestTests(type: Copy) {
-    into project.sourceSets.test.output.resourcesDir
-    from project(':x-pack-elasticsearch:plugin').sourceSets.test.resources.srcDirs
-    include 'rest-api-spec/test/monitoring/**'
-  }
-
-  integTest {
-    dependsOn copyMonitoringRestTests
-  }
-
-  integTestCluster {
-    systemProperty 'es.logger.level', 'TRACE'
-    plugin ':x-pack-elasticsearch:plugin'
-    setting 'xpack.monitoring.collection.interval', '3s'
-    extraConfigFile 'x-pack/roles.yml', '../roles.yml'
-    setupCommand 'setupTestAdminUser',
-                 'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'superuser'
-    setupCommand 'setupMonitoredSystemUser',
-                 'bin/x-pack/users', 'useradd', 'monitoring_system', '-p', 'changeme', '-r', 'monitoring_system,monitoring_without_bulk'
-    setupCommand 'setupPowerlessUser',
-                 'bin/x-pack/users', 'useradd', 'not_monitoring_system', '-p', 'changeme', '-r', 'monitoring_without_bulk'
-
-    waitCondition = { node, ant ->
-      File tmpFile = new File(node.cwd, 'wait.success')
-      ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
-              dest: tmpFile.toString(),
-              username: 'test_admin',
-              password: 'changeme',
-              ignoreerrors: true,
-              retries: 10)
-      return tmpFile.exists()
-    }
-  }
-}
-
-/**
- * Allow {@code integTest} to be invoked on this project to run both Monitoring+Security smoke tests.
- */
-task integTest {
-  dependsOn subprojects.integTest
-}

qa/smoke-test-monitoring-with-security/insufficient-rights/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT.java

@@ -1,61 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.smoketest;
-
-import com.carrotsearch.randomizedtesting.annotations.Name;
-import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
-
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate;
-import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase;
-import org.elasticsearch.xpack.security.authc.support.SecuredString;
-
-import java.io.IOException;
-
-import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
-import static org.hamcrest.Matchers.containsString;
-
-public class SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase {
-
-    public SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) {
-        super(testCandidate);
-    }
-
-    @ParametersFactory
-    public static Iterable<Object[]> parameters() throws IOException {
-        return ESClientYamlSuiteTestCase.createParameters();
-    }
-
-    @Override
-    protected Settings restClientSettings() {
-        String token = basicAuthHeaderValue("not_monitoring_system", new SecuredString("changeme".toCharArray()));
-        return Settings.builder()
-                .put(ThreadContext.PREFIX + ".Authorization", token)
-                .build();
-    }
-
-    @Override
-    protected Settings restAdminSettings() {
-        String token = basicAuthHeaderValue("test_admin", new SecuredString("changeme".toCharArray()));
-        return Settings.builder()
-                .put(ThreadContext.PREFIX + ".Authorization", token)
-                .build();
-    }
-
-    @Override
-    public void test() throws IOException {
-        try {
-            super.test();
-            fail("should have failed because of missing role");
-        } catch(AssertionError ae) {
-            assertThat(ae.getMessage(), containsString("action [cluster:admin/xpack/monitoring/bulk]"));
-            assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
-            assertThat(ae.getMessage(), containsString("is unauthorized for user [not_monitoring_system]"));
-        }
-    }
-
-}

qa/smoke-test-monitoring-with-security/roles.yml

@@ -1,11 +0,0 @@
-monitoring_system:
-  cluster: [ 'cluster:admin/xpack/monitoring/bulk' ]
-
-monitoring_without_bulk:
-  cluster: [ 'monitor' ]
-  indices:
-    - names: '.monitoring-*'
-      privileges:
-        - write
-        - read
-        - manage

qa/smoke-test-monitoring-with-security/sufficient-rights/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT.java

@@ -1,47 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.smoketest;
-
-import com.carrotsearch.randomizedtesting.annotations.Name;
-import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
-
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate;
-import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase;
-import org.elasticsearch.xpack.security.authc.support.SecuredString;
-
-import java.io.IOException;
-
-import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
-
-public class SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase {
-
-    public SmokeTestMonitoringWithSecurityClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) {
-        super(testCandidate);
-    }
-
-    @ParametersFactory
-    public static Iterable<Object[]> parameters() throws IOException {
-        return ESClientYamlSuiteTestCase.createParameters();
-    }
-
-    @Override
-    protected Settings restClientSettings() {
-        String token = basicAuthHeaderValue("monitoring_system", new SecuredString("changeme".toCharArray()));
-        return Settings.builder()
-                .put(ThreadContext.PREFIX + ".Authorization", token)
-                .build();
-    }
-
-    @Override
-    protected Settings restAdminSettings() {
-        String token = basicAuthHeaderValue("test_admin", new SecuredString("changeme".toCharArray()));
-        return Settings.builder()
-                .put(ThreadContext.PREFIX + ".Authorization", token)
-                .build();
-    }
-}