honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-03-09 14:34:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/x-pack/qa/kerberos-tests/build.gradle
Yogesh Gaikwad 615aa85f4e
[Kerberos] Use canonical host name (#32588) 
The Apache Http components support for Spnego scheme
uses canonical name by default.
Also when resolving host name, on centos by default
there are other aliases so adding them to the
DelegationPermission.

Closes#32498
2018-08-06 23:51:43 +10:00

143 lines
5.8 KiB
Groovy
Raw Blame History

import java.nio.file.Path
import java.nio.file.Paths
import java.nio.file.Files
apply plugin: 'elasticsearch.vagrantsupport'
apply plugin: 'elasticsearch.standalone-rest-test'
apply plugin: 'elasticsearch.rest-test'
dependencies {
testCompile project(path: xpackModule('core'), configuration: 'shadow')
testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
}
// MIT Kerberos Vagrant Testing Fixture
String box = "krb5kdc"
Map<String,String> vagrantEnvVars = [
'VAGRANT_CWD' : "${project(':test:fixtures:krb5kdc-fixture').projectDir}",
'VAGRANT_VAGRANTFILE' : 'Vagrantfile',
'VAGRANT_PROJECT_DIR' : "${project(':test:fixtures:krb5kdc-fixture').projectDir}"
]
task krb5kdcUpdate(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
command 'box'
subcommand 'update'
boxName box
environmentVars vagrantEnvVars
dependsOn "vagrantCheckVersion", "virtualboxCheckVersion"
}
task krb5kdcFixture(type: org.elasticsearch.gradle.test.VagrantFixture) {
command 'up'
args '--provision', '--provider', 'virtualbox'
boxName box
environmentVars vagrantEnvVars
dependsOn krb5kdcUpdate
}
// lazily resolve to avoid any slowdowns from DNS lookups prior to when we need this value
Object httpPrincipal = new Object() {
@Override
String toString() {
InetAddress resolvedAddress = InetAddress.getByName('127.0.0.1')
return "HTTP/" + resolvedAddress.getCanonicalHostName()
}
}
String realm = "BUILD.ELASTIC.CO"
task 'addPrincipal#peppa'(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
command 'ssh'
args '--command', "sudo bash /vagrant/src/main/resources/provision/addprinc.sh peppa "
boxName box
environmentVars vagrantEnvVars
dependsOn krb5kdcFixture
}
task 'addPrincipal#george'(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
command 'ssh'
args '--command', "sudo bash /vagrant/src/main/resources/provision/addprinc.sh george dino"
boxName box
environmentVars vagrantEnvVars
dependsOn krb5kdcFixture
}
task 'addPrincipal#HTTP'(type: org.elasticsearch.gradle.vagrant.VagrantCommandTask) {
command 'ssh'
args '--command', "sudo bash /vagrant/src/main/resources/provision/addprinc.sh $httpPrincipal"
boxName box
environmentVars vagrantEnvVars
dependsOn krb5kdcFixture
}
task krb5AddPrincipals { dependsOn krb5kdcFixture, 'addPrincipal#peppa', 'addPrincipal#george', 'addPrincipal#HTTP' }
def generatedResources = "$buildDir/generated-resources/keytabs"
task copyKeytabToGeneratedResources(type: Copy) {
Path peppaKeytab = project(':test:fixtures:krb5kdc-fixture').buildDir.toPath().resolve("keytabs").resolve("peppa.keytab").toAbsolutePath()
from peppaKeytab;
into generatedResources
dependsOn krb5AddPrincipals
}
integTestCluster {
// force localhost IPv4 otherwise it is a chicken and egg problem where we need the keytab for the hostname when starting the cluster
// but do not know the exact address that is first in the http ports file
setting 'http.host', '127.0.0.1'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.authc.realms.file.type', 'file'
setting 'xpack.security.authc.realms.file.order', '0'
setting 'xpack.ml.enabled', 'false'
setting 'xpack.security.audit.enabled', 'true'
// Kerberos realm
setting 'xpack.security.authc.realms.kerberos.type', 'kerberos'
setting 'xpack.security.authc.realms.kerberos.order', '1'
setting 'xpack.security.authc.realms.kerberos.keytab.path', 'es.keytab'
setting 'xpack.security.authc.realms.kerberos.krb.debug', 'true'
setting 'xpack.security.authc.realms.kerberos.remove_realm_name', 'false'
Path krb5conf = project(':test:fixtures:krb5kdc-fixture').buildDir.toPath().resolve("conf").resolve("krb5.conf").toAbsolutePath()
String jvmArgsStr = " -Djava.security.krb5.conf=${krb5conf}" + " -Dsun.security.krb5.debug=true"
jvmArgs jvmArgsStr
Path esKeytab = project(':test:fixtures:krb5kdc-fixture').buildDir.toPath().resolve("keytabs")
.resolve("$httpPrincipal".replace('/', '_') + ".keytab").toAbsolutePath()
extraConfigFile("es.keytab", "${esKeytab}")
setupCommand 'setupTestAdmin',
'bin/elasticsearch-users', 'useradd', "test_admin", '-p', 'x-pack-test-password', '-r', "superuser"
waitCondition = { node, ant ->
File tmpFile = new File(node.cwd, 'wait.success')
ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
dest: tmpFile.toString(),
username: 'test_admin',
password: 'x-pack-test-password',
ignoreerrors: true,
retries: 10)
return tmpFile.exists()
}
}
integTestRunner {
Path peppaKeytab = Paths.get("${project.buildDir}", "generated-resources", "keytabs", "peppa.keytab")
systemProperty 'test.userkt', "peppa@${realm}"
systemProperty 'test.userkt.keytab', "${peppaKeytab}"
systemProperty 'test.userpwd', "george@${realm}"
systemProperty 'test.userpwd.password', "dino"
systemProperty 'tests.security.manager', 'true'
Path krb5conf = project(':test:fixtures:krb5kdc-fixture').buildDir.toPath().resolve("conf").resolve("krb5.conf").toAbsolutePath()
List jvmargs = ["-Djava.security.krb5.conf=${krb5conf}","-Dsun.security.krb5.debug=true"]
jvmArgs jvmargs
}
if (project.rootProject.vagrantSupported == false) {
integTest.enabled = false
} else {
project.sourceSets.test.output.dir(generatedResources)
integTestCluster.dependsOn krb5AddPrincipals, krb5kdcFixture, copyKeytabToGeneratedResources
integTest.finalizedBy project(':test:fixtures:krb5kdc-fixture').halt
}
Reference in New Issue View Git Blame Copy Permalink