Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CI] CliSecurityIT testDescribeDocumentExcluded failed with missing audit log #48117

Closed
droberts195 opened this issue Oct 16, 2019 · 13 comments · Fixed by #48581
Closed

[CI] CliSecurityIT testDescribeDocumentExcluded failed with missing audit log #48117

droberts195 opened this issue Oct 16, 2019 · 13 comments · Fixed by #48581
Assignees
@matriv
Labels
:Analytics/SQL SQL querying >test-failure Triaged test failures from CI

Comments

@droberts195
Copy link
Contributor

Many tests in the CliSecurityIT suite failed in https://gradle-enterprise.elastic.co/s/3fgucfb5u5uki

However, all of them apart from 1 say:

Previous test had an audit-related failure. All subsequent audit related assertions are bogus because we can't guarantee that we fully cleaned up after the last test.

The root cause failure appears to be CliSecurityIT.testDescribeDocumentExcluded:

  1> [2019-10-16T02:52:08,327][INFO ][o.e.x.s.q.c.EmbeddedCli  ] [[Thread-49]] cli exited with code [0]
  1> [2019-10-16T02:52:18,688][WARN ][o.e.x.s.q.s.CliSecurityIT] [testDescribeWorksAsFullAccess] Failed to find an audit log. Skipping remaining tests in this class after this the missing auditlogs could turn up later.
  1> [2019-10-16T02:52:18,921][INFO ][o.e.x.s.q.s.CliSecurityIT] [testDescribeWorksAsFullAccess] after test
  2> REPRODUCE WITH: ./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.CliSecurityIT.testDescribeWorksAsFullAccess" -Dtests.seed=416A789C31C5E8C1 -Dtests.security.manager=true -Dtests.locale=bs-Cyrl-BA -Dtests.timezone=America/Guadeloupe -Dcompiler.java=12 -Druntime.java=11
  2> java.lang.AssertionError: Not all logs matched. Unmatched logs:
    {node.id=Xxg8JBmdT0qBIqPgG5J9Ww, origin.type=local_node, user.name=_system, type=audit, user.realm=__fallback, request.id=T1yUUxPoT5a3Y6a641CLmA, event.action=access_denied, indices=[.enrich-*], request.name=GetIndexRequest, origin.address=127.0.0.1:33817, event.type=transport, action=indices:admin/get, timestamp=2019-10-16T06:52:07,688+0000, user.roles=[_system]}

That's from https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+multijob-unix-compatibility/os=debian-9&&immutable/329/consoleText

The REPRO command is:

./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.CliSecurityIT.testDescribeWorksAsFullAccess" \
  -Dtests.seed=416A789C31C5E8C1 \
  -Dtests.security.manager=true \
  -Dtests.locale=bs-Cyrl-BA \
  -Dtests.timezone=America/Guadeloupe \
  -Dcompiler.java=12 \
  -Druntime.java=11

This did not reproduce locally for me.
@droberts195 droberts195 added >test-failure Triaged test failures from CI :Analytics/SQL SQL querying labels Oct 16, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-search (:Search/SQL)

@matriv matriv self-assigned this Oct 16, 2019
@droberts195
Copy link
Contributor Author

droberts195 commented Oct 16, 2019
edited
Loading

A similar thing just happened in https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+multijob-unix-compatibility/os=fedora-29&&immutable/331/consoleText, but with the first failure in CliSecurityIT.testDescribeWorksAsAdmin:

org.elasticsearch.xpack.sql.qa.security.CliSecurityIT > testDescribeWorksAsAdmin FAILED
    java.lang.AssertionError: Not all logs matched. Unmatched logs:
    {node.id=BJdMYjtfSFuMQ2iRWRU7ZQ, origin.type=local_node, user.name=_system, type=audit, user.realm=__fallback, request.id=0jizkzmWSMu_hiIUMokTow, event.action=access_denied, indices=[.enrich-*], request.name=GetIndexRequest, origin.address=127.0.0.1:38837, event.type=transport, action=indices:admin/get, timestamp=2019-10-16T14:47:41,446+0000, user.roles=[_system]}
REPRODUCE WITH: ./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.CliSecurityIT.testDescribeWorksAsAdmin" -Dtests.seed=175A48A4015214B5 -Dtests.security.manager=true -Dtests.locale=mr -Dtests.timezone=Pacific/Auckland -Dcompiler.java=12 -Druntime.java=11

org.elasticsearch.xpack.sql.qa.security.CliSecurityIT > testDescribeWithNoAccess FAILED
    java.lang.AssertionError: Previous test had an audit-related failure. All subsequent audit related assertions are bogus because we can't guarantee that we fully cleaned up after the last test.
REPRODUCE WITH: ./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.CliSecurityIT.testDescribeWithNoAccess" -Dtests.seed=175A48A4015214B5 -Dtests.security.manager=true -Dtests.locale=mr -Dtests.timezone=Pacific/Auckland -Dcompiler.java=12 -Druntime.java=11

org.elasticsearch.xpack.sql.qa.security.CliSecurityIT > testQueryStringSingleFieldGrantedWrongRequested FAILED
    java.lang.AssertionError: Previous test had an audit-related failure. All subsequent audit related assertions are bogus because we can't guarantee that we fully cleaned up after the last test.
REPRODUCE WITH: ./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.CliSecurityIT.testQueryStringSingleFieldGrantedWrongRequested" -Dtests.seed=175A48A4015214B5 -Dtests.security.manager=true -Dtests.locale=mr -Dtests.timezone=Pacific/Auckland -Dcompiler.java=12 -Druntime.java=11

org.elasticsearch.xpack.sql.qa.security.CliSecurityIT > testShowTablesWithNoAccess FAILED
    java.lang.AssertionError: Previous test had an audit-related failure. All subsequent audit related assertions are bogus because we can't guarantee that we fully cleaned up after the last test.
REPRODUCE WITH: ./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.CliSecurityIT.testShowTablesWithNoAccess" -Dtests.seed=175A48A4015214B5 -Dtests.security.manager=true -Dtests.locale=mr -Dtests.timezone=Pacific/Auckland -Dcompiler.java=12 -Druntime.java=11

org.elasticsearch.xpack.sql.qa.security.CliSecurityIT > testQuerySingleFieldExcepted FAILED
    java.lang.AssertionError: Previous test had an audit-related failure. All subsequent audit related assertions are bogus because we can't guarantee that we fully cleaned up after the last test.
REPRODUCE WITH: ./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.CliSecurityIT.testQuerySingleFieldExcepted" -Dtests.seed=175A48A4015214B5 -Dtests.security.manager=true -Dtests.locale=mr -Dtests.timezone=Pacific/Auckland -Dcompiler.java=12 -Druntime.java=11

Also in https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+multijob-unix-compatibility/os=opensuse-42-3&&immutable/331/consoleText, but with the first failure in JdbcSecurityIT.testShowTablesWorksAsFullAccess:

org.elasticsearch.xpack.sql.qa.security.JdbcSecurityIT > testShowTablesWorksAsFullAccess FAILED
    java.lang.AssertionError: Not all logs matched. Unmatched logs:
    {node.id=r2dkCn6YQxuQmWolA1lplw, origin.type=local_node, user.name=_system, type=audit, user.realm=__fallback, request.id=jDTBCEbSTE2TNDw05C2XYA, event.action=access_denied, indices=[.enrich-*], request.name=GetIndexRequest, origin.address=127.0.0.1:43094, event.type=transport, action=indices:admin/get, timestamp=2019-10-16T14:48:20,977+0000, user.roles=[_system]}
REPRODUCE WITH: ./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.JdbcSecurityIT.testShowTablesWorksAsFullAccess" -Dtests.seed=7E72C9E408941EA4 -Dtests.security.manager=true -Dtests.locale=hi-IN -Dtests.timezone=Australia/Lindeman -Dcompiler.java=12 -Druntime.java=11

org.elasticsearch.xpack.sql.qa.security.JdbcSecurityIT > testScrollWithSingleFieldExcepted FAILED
    java.lang.AssertionError: Previous test had an audit-related failure. All subsequent audit related assertions are bogus because we can't guarantee that we fully cleaned up after the last test.
REPRODUCE WITH: ./gradlew ':x-pack:plugin:sql:qa:security:with-ssl:integTestRunner' --tests "org.elasticsearch.xpack.sql.qa.security.JdbcSecurityIT.testScrollWithSingleFieldExcepted" -Dtests.seed=7E72C9E408941EA4 -Dtests.security.manager=true -Dtests.locale=hi-IN -Dtests.timezone=Australia/Lindeman -Dcompiler.java=12 -Druntime.java=11

So it seems that to silence this class of failure the entirety of both CliSecurityIT and JdbcSecurityIT would need to be muted. What do you think @matriv?

@mark-vieira
Copy link
Contributor

mark-vieira commented Oct 17, 2019
edited
Loading

There are a number of these builds that fail with assertion errors in basically the entire CliSecurityIT suite. There doesn't seem to be a consistent pattern in terms of job configuration or platform.

https://gradle-enterprise.elastic.co/s/h5t5objanvhpk/tests/failed
https://gradle-enterprise.elastic.co/s/6tzhbqmzbfpaq/tests/failed
https://gradle-enterprise.elastic.co/s/6fxzvikol63cu/tests/failed
https://gradle-enterprise.elastic.co/s/677gidbftg3hy/tests/failed
https://gradle-enterprise.elastic.co/s/dtjepark7fozu/tests/failed
https://gradle-enterprise.elastic.co/s/4pmzwlh5zshgq/tests/failed
https://gradle-enterprise.elastic.co/s/5hg5j2537sdnm/tests/failed
https://gradle-enterprise.elastic.co/s/qljxa73qplxbo/tests/failed

@astefan
Copy link
Contributor

astefan commented Oct 17, 2019

It seems that all these failures have to do with an audit log that involves the newly added enrich processor index... and the timing seems to match as well.

@mark-vieira
Copy link
Contributor

@elastic/es-core-features ☝️thoughts?

alpar-t added a commit that referenced this issue Oct 18, 2019
@alpar-t
Mute CliSecurityIT
a340795 
tracking in #48117
@alpar-t
Copy link
Contributor

alpar-t commented Oct 18, 2019

this led to even more failures, I muted the suite in a340795

@mark-vieira
Copy link
Contributor

this led to even more failures, I muted the suite in a340795

This is failing in 7.x as well. Should we mute there too?

@astefan
Copy link
Contributor

astefan commented Oct 18, 2019

#48098 might be related

alpar-t added a commit that referenced this issue Oct 21, 2019
@alpar-t
Mute CliSecurityIT
fe265f0 
tracking in #48117
@alpar-t
Copy link
Contributor

alpar-t commented Oct 21, 2019

Muted in 7.x too fe265f0

@iverase
Copy link
Contributor

iverase commented Oct 21, 2019

I am muting 7.5 as well

@iverase iverase mentioned this issue Oct 21, 2019
Merged
iverase added a commit that referenced this issue Oct 21, 2019
@iverase
Mute CliSecurityIT (#48285)
0744cde 
tracking in #48117
@astefan
Copy link
Contributor

astefan commented Oct 21, 2019

@jbaiera could #48098 be the fix for these failures here? What happens with sql tests in this specific issue is that some unexpected audit log entry resembling {node.id=r2dkCn6YQxuQmWolA1lplw, origin.type=local_node, user.name=_system, type=audit, user.realm=__fallback, request.id=jDTBCEbSTE2TNDw05C2XYA, event.action=access_denied, indices=[.enrich-*], request.name=GetIndexRequest, origin.address=127.0.0.1:43094, event.type=transport, action=indices:admin/get, timestamp=2019-10-16T14:48:20,977+0000, user.roles=[_system]} is messing up the expectation. These seem to have been showing up first almost a week ago.

@jbaiera
Copy link
Member

jbaiera commented Oct 25, 2019

I think the reason for that log line was that the background maintenance task for enrich was failing when running with security. The authentication failure was making it to the audit log. Now that it's fixed, the log message should be gone

matriv added a commit to matriv/elasticsearch that referenced this issue Oct 28, 2019
@matriv
SQL: [Tests] Renable CliSecurityIT
cc4d562 
Seems that the issue has been fixed with: elastic#48098

Closes: elastic#48117
@matriv matriv mentioned this issue Oct 28, 2019
Merged
matriv added a commit that referenced this issue Oct 28, 2019
@matriv
SQL: [Tests] Renable CliSecurityIT (#48581)
4703623 
Seems that the issue has been fixed with: #48098

Closes: #48117
matriv added a commit that referenced this issue Oct 28, 2019
@matriv
SQL: [Tests] Renable CliSecurityIT (#48581)
124f6d0 
Seems that the issue has been fixed with: #48098

Closes: #48117
(cherry picked from commit 4703623)
matriv added a commit that referenced this issue Oct 28, 2019
@matriv
SQL: [Tests] Renable CliSecurityIT (#48581)
1051342 
Seems that the issue has been fixed with: #48098

Closes: #48117
(cherry picked from commit 4703623)
@matriv
Copy link
Contributor

matriv commented Oct 28, 2019

Re-enabled:
master : 4703623
7.x : 124f6d0
7.5 : 1051342

Many thanks @jbaiera and @astefan for chasing this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@matriv matriv

Labels
:Analytics/SQL SQL querying >test-failure Triaged test failures from CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

SQL: [Tests] Renable CliSecurityIT matriv/elasticsearch
8 participants
@jbaiera @astefan @alpar-t @mark-vieira @matriv @droberts195 @elasticmachine @iverase