Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Test queryable built-in role synchronization #118964

Conversation

slobodanadamovic
Copy link
Contributor

@slobodanadamovic slobodanadamovic commented Dec 18, 2024

Adds more tests for built-in roles synchronization, and fixes a bug where synchronizationInProgress hasn't been reset properly.

Resolves #118806

@slobodanadamovic slobodanadamovic self-assigned this Dec 18, 2024
@slobodanadamovic slobodanadamovic added >test Issues or PRs that are addressing/adding tests :Security/Security Security issues without another label Team:Security Meta label for security team and removed v9.0.0 labels Dec 18, 2024
final Map<String, String> indexedRolesDigests = readIndexedBuiltInRolesDigests(clusterService.state());
if (roles.rolesDigest().equals(indexedRolesDigests)) {
logger.debug("Security index already contains the latest built-in roles indexed, skipping synchronization");
return;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bug fix where this method would return without calling synchronizationInProgress.set(false);.

@slobodanadamovic slobodanadamovic added v9.0.0 v8.18.0 auto-backport Automatically create backport pull requests when merged labels Dec 18, 2024
@slobodanadamovic slobodanadamovic marked this pull request as ready for review December 18, 2024 23:36
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

Copy link
Contributor

@n1v0lg n1v0lg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Good catch! A few comments but no need for a re-review

}, QueryableBuiltInRolesSynchronizer::handleException)));
}
} finally {
final Map<String, String> indexedRolesDigests = readIndexedBuiltInRolesDigests(clusterService.state());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this is getting to be a lot but I wonder if we want a try-catch around this whole block after all -- readIndexedBuiltInRolesDigests can technically throw and so can executor.execute.

I spent a bit of time thinking of how to refactor this to avoid four separate calls to synchronizationInProgress.set(false) but nothing straight-forward comes to mind.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Absolutely, I'll wrap it with try-catch block. I don't see other option.

@@ -452,6 +453,14 @@ static class MarkRolesAsSyncedTask implements ClusterStateTaskListener {
this.newRoleDigests = newRoleDigests;
}

public Map<String, String> getExpectedRoleDigests() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't think this is used anywheres


private DiscoveryNodes mixedVersionNodes() {
VersionInformation oldVersion = new VersionInformation(
VersionUtils.randomCompatibleVersion(random(), VersionUtils.getPreviousVersion()),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TIL VersionUtils.getPreviousVersion().isCompatible(Version.CURRENT) is true so we'll get failures for testMixedVersionsCluster -- so I think we want randomVersionBetween here instead

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch!

any()
);
verify(clusterService, times(2)).state();
verifyNoMoreInteractions(nativeRolesStore, featureService, taskQueue, reservedRolesProvider, threadPool, clusterService);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might also make synchronizationInProgress pkg-private (or a getter to it) and assert on it here: assertThat(synchronizer.synchronizationInProgress.get(), equalTo(false));

@slobodanadamovic slobodanadamovic added the auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) label Dec 19, 2024
@elasticsearchmachine elasticsearchmachine merged commit 845021d into elastic:main Dec 19, 2024
21 checks passed
@slobodanadamovic slobodanadamovic deleted the sa-testing-queryable-built-in-roles branch December 19, 2024 23:46
@elasticsearchmachine
Copy link
Collaborator

💔 Backport failed

Status Branch Result
8.x Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 118964

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Automatically create backport pull requests when merged auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport pending :Security/Security Security issues without another label Team:Security Meta label for security team >test Issues or PRs that are addressing/adding tests v8.18.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[CI] QueryableReservedRolesIT testDeletingAndCreatingSecurityIndexTriggersSynchronization failing
3 participants