Add EC2 credential test for repository-s3 #31918
Pinging @elastic/es-distributed
Note: there is a big difference between just a |
Thanks for taking this up! I left some comments on the Gradle part.
@@ -137,7 +137,7 @@ class ClusterConfiguration { | |||
this.project = project | |||
} | |||
|
|||
Map<String, String> systemProperties = new HashMap<>() | |||
Map<String, Object> systemProperties = new HashMap<>() |
The difference is easy to overlook, maybe it would be good to have a comment explaining why `Object` is needed.
We might be able to have `Map<String, GString>` to make the intention cleaner.
💯
@@ -412,6 +413,31 @@ class ClusterFormationTasks { | |||
return parentTask | |||
} | |||
|
|||
/** Configure ES JAVA OPTS - adds system properties, assertion flags, remote debug etc */ | |||
static Task configureESJavaOpts(String parent, Project project, Task setup, NodeInfo node) { |
I don't think we need a separate task for it, especially that the result is only stored in memory.
I would add this to the `doFirst` we already run on the `start` task.
We can just set ES_JAVA_OPTS before the start task, or concatenate it if already set.
The build scripts could also set this. None of them currently do, but we should either concatenate to it if set, or fail if it's set if we don't want to support it. I'm not saying we shouldn't, just speculating on what the initial intent could have been.
@atorok do you mean to put it to
elasticsearch/buildSrc/src/main/groovy/org/elasticsearch/gradle/test/ClusterFormationTasks.groovy
Line 651 in db90905
project.logger.info("Starting node in ${node.clusterName} distribution: ${node.config.distribution}")
exactly
esJavaOpts = String.join(" ", "-ea", "-esa", esJavaOpts) | ||
} | ||
env = ['ES_JAVA_OPTS': esJavaOpts] | ||
env = [:] |
this can be removed, the map is already initialized.
nope, map is `null`, here is the output if I drop this line:
Cannot invoke method put() on null object
My bad, this class initializes in the constructor, this is ok as it is.
@atorok thanks for your comments - I did the relevant amendments.
This is nice. I can't comment on the changes to gradle (except to say that I'm a little surprised they're as big as they are) and I asked for a handful of other changes to the fixture.
plugins/repository-s3/build.gradle
Outdated
@@ -288,7 +288,9 @@ Map<String, Object> expansions = [ | |||
'permanent_bucket': s3PermanentBucket, | |||
'permanent_base_path': s3PermanentBasePath, | |||
'temporary_bucket': s3TemporaryBucket, | |||
'temporary_base_path': s3TemporaryBasePath | |||
'temporary_base_path': s3TemporaryBasePath, | |||
'ec2_bucket': s3TemporaryBucket, |
Did you mean for this to be the same as the entry for `temporary_bucket`, and similarly for `ec2_base_path`? I think they should be different.
@@ -70,17 +72,24 @@ private AmazonS3Fixture(final String workingDir, final String permanentBucketNam | |||
|
|||
@Override | |||
protected Response handle(final Request request) throws IOException { | |||
final RequestHandler handler = handlers.retrieve(request.getMethod() + " " + request.getPath(), request.getParameters()); | |||
final String nonAuthorizedPath = "* " + request.getMethod() + " " + request.getPath(); |
I'm not a big fan of the `*` vs `A` thing, at least not as literals. Could you introduce constants so these things have more descriptive names?
if (handler != null) { | ||
final String authorization = request.getHeader("Authorization"); | ||
final String permittedBucket; | ||
if (authorization.contains("s3_integration_test_permanent_access_key")) { | ||
if (authorization != null && authorization.contains("s3_integration_test_permanent_access_key")) { |
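Review bot: `authorization.contains("s3_integration_test_permanent_access_key")` in the added line is a substring test over the whole header value, so any header that carries that text anywhere selects the permanent bucket, and an access key that is a prefix of another key would satisfy both branches. Suggest extracting the access key id from the header's `Credential=` field once and comparing it with `equals`; that also removes the need to repeat the `authorization != null` guard in each branch.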
Could we handle the `authorisation == null` case first to avoid these null checks proliferating? It's also helpful to distinguish no authorisation header vs a bad one, which this would achieve.
if (sessionToken.equals("securitycredentials42_TKN") == false) { | ||
return newError(request.getId(), RestStatus.FORBIDDEN, "AccessDenied", "Bad session token", ""); | ||
} | ||
permittedBucket = temporaryBucketName; |
As commented above, I think this should have its own bucket.
@@ -89,6 +98,15 @@ protected Response handle(final Request request) throws IOException { | |||
return newError(request.getId(), RestStatus.FORBIDDEN, "AccessDenied", "Bad session token", ""); | |||
} | |||
permittedBucket = temporaryBucketName; | |||
} else if (authorization != null && authorization.contains("securitycredentials42_KEYID")) { |
Could we extract `securitycredentials42` out as a named constant so it's clear why it is what it is?
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html | ||
handlers.insert("* GET /latest/meta-data/iam/security-credentials/{credentials}", (request) -> { | ||
final String credentials = request.getParam("credentials"); | ||
return credentialResponseFunction.apply(credentials); |
On deeper thought, this seems unduly lenient: it should only return credentials for the role that `GET /latest/meta-data/iam/security-credentials/` returned, and should return 404 otherwise.
Also I think `credentialResponseFunction` can be inlined, it's only used in one place.
Also also we could prevent cheating slightly more by inventing random credentials when the service starts up, rather than synthesising them from the role name.
I extracted it for doing the ECS part as well - it has to return similar JSON,
for randomization ... I'm a bit confused here in terms of how to reproduce it in case of failure
@DaveCTurner s3 perm/temp authorization tokens have to be randomized as well - should we?
I think we cannot (yet) do this with auth tokens received externally because they need to be passed to the test suite as well as this fixture, so we've had to settle on just using the same (long) string in both places. It would indeed be nicer if there were no magic strings in the fixture at all.
For deterministic testing, maybe you can pass a seed in from Gradle somehow? Or just hard-code them, it's not that important. I'd rather they weren't synthesised as they are now.
it sounds like it is better to provide some kind of properties file that contains tokens, paths etc - esp. keeping in mind coming ECS test
Sure, good plan.
…s3fixture clean up
thanks @DaveCTurner for quick review - I did changes - could you pls have another look?
Gradle LGTM
I did another pass, and asked for a couple of changes. Not sure I like the heavy use of environment variables, but have asked for a second opinion.
// | ||
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html | ||
handlers.insert(NON_AUTH + " GET /latest/meta-data/iam/security-credentials/", (request) -> { | ||
final String response = ec2Key; |
Why `ec2Key` here? This should be the instance profile name, and can reasonably be a fixed value...
agree - it is not required to be `ec2Key` (I noticed that in following PR #31864) - but in fact it requires some instance profile name (it is not required to be fixed as it is 2 step process - to call `/latest/meta-data/iam/security-credentials/` to get the instance profile name and `/latest/meta-data/iam/security-credentials/{instance_profile_name}`)
// GET | ||
// | ||
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html | ||
handlers.insert(NON_AUTH + " GET /latest/meta-data/iam/security-credentials/{credentials}", (request) -> { |
... so that this doesn't need the `{credentials}` parameter in the URL ...
if (ec2Key.equals(credentials) == false) { | ||
return new Response(RestStatus.NOT_FOUND.getStatus(), new HashMap<>(), "unknown credentials".getBytes(UTF_8)); | ||
} | ||
return credentialResponseFunction.apply(credentials, ec2Key, ec2Token); |
... and this doesn't need to know it either.
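The two-step metadata lookup and the review suggestions in this thread (a fixed profile name, 404 for any other role, credentials generated from a seed, a missing Authorization header handled first), as an added sketch that is not code from this PR or from Elasticsearch. The class `Ec2MetadataStub`, its `Reply` type, the profile name and the sample header are hypothetical.

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Random;

/** Added sketch (not the PR's AmazonS3Fixture): two-step EC2 metadata credential lookup. */
public class Ec2MetadataStub {
    static final String BASE = "/latest/meta-data/iam/security-credentials/";
    static final String PROFILE_NAME = "example-instance-profile"; // hypothetical fixed name

    /** Status/body pair standing in for the fixture's Response type. */
    static final class Reply {
        final int status;
        final String body;
        Reply(int status, String body) { this.status = status; this.body = body; }
    }

    final String accessKey;
    final String secretKey;
    final String sessionToken;

    /** Test-only values from a seeded java.util.Random: the seed reproduces a failing run. */
    Ec2MetadataStub(long seed) {
        Random random = new Random(seed);
        accessKey = randomAlnum(random, 20);
        secretKey = randomAlnum(random, 40);
        sessionToken = randomAlnum(random, 64);
    }

    private static String randomAlnum(Random random, int length) {
        final String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(alphabet.charAt(random.nextInt(alphabet.length())));
        }
        return sb.toString();
    }

    /** Unauthenticated endpoints: step 1 lists the profile, step 2 returns its credentials. */
    Reply metadata(String method, String path) {
        if (!"GET".equals(method) || !path.startsWith(BASE)) {
            return new Reply(404, "not found");
        }
        String name = path.substring(BASE.length());
        if (name.isEmpty()) {
            return new Reply(200, PROFILE_NAME);
        }
        if (!PROFILE_NAME.equals(name)) {
            return new Reply(404, "unknown credentials"); // only the advertised profile resolves
        }
        String expiration = Instant.now().plus(1, ChronoUnit.HOURS).toString();
        // All values are alphanumeric or ISO-8601 by construction, so no JSON escaping is needed.
        return new Reply(200, "{\"AccessKeyId\": \"" + accessKey + "\","
            + "\"SecretAccessKey\": \"" + secretKey + "\","
            + "\"Token\": \"" + sessionToken + "\","
            + "\"Expiration\": \"" + expiration + "\"}");
    }

    /** S3 side: a missing header, an unknown key and a bad token are reported separately. */
    Reply authorize(String authorization, String token) {
        if (authorization == null) {
            return new Reply(403, "no Authorization header");
        }
        int start = authorization.indexOf("Credential=");
        int end = start < 0 ? -1 : authorization.indexOf('/', start);
        if (end < 0 || !accessKey.equals(authorization.substring(start + "Credential=".length(), end))) {
            return new Reply(403, "unknown access key");
        }
        if (!sessionToken.equals(token)) {
            return new Reply(403, "bad session token");
        }
        return new Reply(200, "ok");
    }

    public static void main(String[] args) {
        Ec2MetadataStub a = new Ec2MetadataStub(42L);
        Ec2MetadataStub b = new Ec2MetadataStub(42L);
        // Constructed SigV4-style header; date, region and signature are placeholders.
        String header = "AWS4-HMAC-SHA256 Credential=" + a.accessKey
            + "/20180101/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=0000";
        System.out.println(a.metadata("GET", BASE).body);
        System.out.println(a.metadata("GET", BASE + PROFILE_NAME).status);
        System.out.println(a.metadata("GET", BASE + "some-other-role").status);
        System.out.println(a.accessKey.equals(b.accessKey));
        System.out.println(a.authorize(header, a.sessionToken).body);
        System.out.println(a.authorize(header, "wrong").body);
        System.out.println(a.authorize(null, null).body);
    }
}
```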
plugins/repository-s3/build.gradle
Outdated
env 'S3FIXTURE_TEMPORARY_SESSION_TOKEN', "${s3TemporarySessionToken}" | ||
env 'S3FIXTURE_EC2_BUCKET_NAME', "${s3EC2Bucket}" | ||
env 'S3FIXTURE_EC2_KEY', "${s3EC2AccessKey}" | ||
env 'S3FIXTURE_EC2_TOKEN', "${s3EC2Token}" |
Not so sure about this, compared with your proposal of configuring the fixture using a file. @tlrx what do you think?
Reason I changed to env variables - I faced some issues on creating a property file - again due to different stages of configuring / running - property file is not visible to fixture
throw new IllegalArgumentException( | ||
"AmazonS3Fixture <working directory> <bucket for permanent creds> <bucket for temporary creds>"); | ||
if (args == null || args.length != 1) { | ||
throw new IllegalArgumentException("AmazonS3Fixture <basedir"); |
Could this remain as `<working directory>`? Trailing `>` was lost too.
final PathTrie<RequestHandler> handlers = new PathTrie<>(RestUtils.REST_DECODER); | ||
|
||
// HEAD Object | ||
// | ||
// https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectHEAD.html | ||
objectsPaths("HEAD /{bucket}").forEach(path -> | ||
objectsPaths(AUTH + " HEAD /{bucket}").forEach(path -> |
Nit: how about putting the space into `AUTH`/`NONAUTH` rather than including it in all these strings?
return Objects.requireNonNull(System.getenv(varName), "env variable '" + varName + "' is missing"); | ||
} | ||
|
||
private static String nonAuthPath(Request request) { |
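Review bot: the `Objects.requireNonNull(System.getenv(varName), ...)` return at the top of this hunk rejects only an unset variable, so a variable that is set but empty is accepted as a valid value, and a configuration mistake surfaces as a NullPointerException. Suggest checking for null or empty and throwing IllegalArgumentException with the same "env variable ... is missing" message.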
👍
// | ||
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html | ||
handlers.insert(nonAuthPath(HttpGet.METHOD_NAME, "/latest/meta-data/iam/security-credentials/"), (request) -> { | ||
final String response = ec2ProfileName; |
I really think this should be a hard-coded value and not passed in from the environment. I don't think we gain much by accepting it from outside, and I envisage it being the sort of thing I have to look up each time I come across it. The `BUCKET_NAME`/`KEY`/`TOKEN` inputs are clearer (despite that the `KEY` and `TOKEN` used here could be generated internally if we could do so deterministically).
this.ec2BucketName = envVar("S3FIXTURE_EC2_BUCKET_NAME"); | ||
this.ec2ProfileName = envVar("S3FIXTURE_EC2_PROFILE_NAME"); | ||
this.ec2Key = envVar("S3FIXTURE_EC2_KEY"); | ||
this.ec2Token = envVar("S3FIXTURE_EC2_TOKEN"); |
This nearly feels worthy of abstraction over the various sets of credentials, and I think that'll definitely be worth doing when the ECS-style credentials are added. Optional now, but worth thinking about.
agree 💯
Yes, I much prefer the file-based config. There's a bit of refactoring still to do - see comments.
|
||
private final Bucket permanentBucket; | ||
private final Bucket temporaryBucket; | ||
private final Bucket ec2Bucket; |
The first two of these fields are unused. I think that's right, and we should remove them and also `ec2Bucket`, by generating the key and token and then passing them into the bucket's constructor.
} | ||
final Collection<Bucket> values = buckets.values(); | ||
String permittedBucket = null; | ||
for (final Bucket bucket : values) { |
I suspect it's now neater to turn this logic around - find the appropriate `Bucket` using `request.getParam("bucket")` and let the `Bucket` check the authorisation, look up the handler, and do the necessary.
I'd like to agree with you here - but we do have a corner case that does not require `bucket` parameter at all
// https://docs.aws.amazon.com/AmazonS3/latest/API/multiobjectdeleteapi.html
handlers.insert(authPath(HttpPost.METHOD_NAME, "/")
We discussed this on Slack and concluded that this is an unimportant special case in which it's painful to check the authorization correctly but, moreover, we can just ignore the auth checks on this API without losing anything significant. Arguably this could just use a `nonAuthPath`. I think get this special case out of the way first and then neaten up the rest and move it into `Bucket`.
final String response = "{" | ||
+ "\"AccessKeyId\": \"" + key + "\"," | ||
+ "\"Expiration\": \"" + DateUtils.formatISO8601Date(expiration) + "\"," | ||
+ "\"RoleArn\": \"" + profileName + "_ROLE" + "\"," |
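Review bot: the response body started at `final String response = "{"` is assembled by concatenating `key`, the formatted expiration and `profileName` between escaped quotes with no JSON escaping, so a value containing `"` or `\` produces malformed JSON for the client that parses it. Suggest building the document with a JSON builder, or validating where these values are read that they are plain alphanumerics.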
It should now be possible to make up the `RoleArn` and `SecretAccessKey` using the seeded RNG rather than by concatenating strings like this. They can reasonably be different each call.
this(properties, buckets, prefix, false, random); | ||
} | ||
|
||
private Bucket(final Properties properties, |
I think it'd be clearer to simply inline these overloads and spell out all the parameters at the call sites. We only make three of these objects, so four overloads of the constructor seems excessive :)
Also if `Bucket` were not `static` then you wouldn't need to pass `buckets` in.
makes sense
test this please
Couple more things following discussion yesterday.
} | ||
final Collection<Bucket> values = buckets.values(); | ||
String permittedBucket = null; | ||
for (final Bucket bucket : values) { |
We discussed this on Slack and concluded that this is an unimportant special case in which it's painful to check the authorization correctly but, moreover, we can just ignore the auth checks on this API without losing anything significant. Arguably this could just use a `nonAuthPath`. I think get this special case out of the way first and then neaten up the rest and move it into `Bucket`.
new Bucket("s3Fixture.temporary", true, null); | ||
final Bucket ec2Bucket = new Bucket("s3Fixture.ec2", false, random); | ||
|
||
this.handlers = defaultHandlers(buckets, ec2Bucket.name); |
I was kind of thinking about creating the access key and token here and then passing them to `Bucket()` and `defaultHandlers()`, avoiding the null-or-`Random` parameter to `Bucket`, but that's ugly for other reasons. How about passing the bucket into `defaultHandlers` rather than passing its name and then looking it up again later?
I thought we agreed to keep original way of auth check due to that edge case - I do see a profit of turn multipart delete into non-auth and do auth check there on demand
LGTM. Thanks for the extra iterations, this is great.
@@ -348,7 +344,12 @@ public static void main(final String[] args) throws Exception { | |||
|
|||
boolean found = false; | |||
for (Bucket bucket : buckets.values()) { | |||
if (bucket.objects.remove(objectName) != null) { | |||
if (bucket.objects.containsKey(objectName)) { | |||
final Response authResponse = authenticateBucket(request, bucket); |
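Review bot: `authenticateBucket(request, bucket)` is reached only inside `if (bucket.objects.containsKey(objectName))`, so in the lines shown a request that names no existing object is never authenticated, and whether the caller is checked at all depends on whether the object exists. If that is the intended relaxation for this API, a short comment above the loop saying so would keep a later reader from treating it as an oversight.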
Ooh nice.
thanks @DaveCTurner for review and comments 👍
Relates to #26913 (cherry picked from commit 8235b25)
* 6.x: Fix rollup on date fields that don't support epoch_millis (#31890) Revert "Introduce a Hashing Processor (#31087)" (#32179) [test] use randomized runner in packaging tests (#32109) Painless: Fix caching bug and clean up addPainlessClass. (#32142) Fix BwC Tests looking for UUID Pre 6.4 (#32158) (#32169) Call setReferences() on custom referring tokenfilters in _analyze (#32157) Add more contexts to painless execute api (#30511) Add EC2 credential test for repository-s3 (#31918) Fix CP for namingConventions when gradle home has spaces (#31914) Convert Version to Java - clusterformation part1 (#32009) Fix Java 11 javadoc compile problem Improve docs for search preferences (#32098) Configurable password hashing algorithm/cost(#31234) (#32092) [DOCS] Update TLS on Docker for 6.3 ESIndexLevelReplicationTestCase doesn't support replicated failures but it's good to know what they are Switch distribution to new style Requests (#30595) Build: Skip jar tests if jar disabled Build: Move shadow customizations into common code (#32014) Painless: Add PainlessClassBuilder (#32141) Fix accidental duplication of bwc test for script behavior Handle missing values in painless (#30975) (#31903) Build: Make additional test deps of check (#32015) Painless: Fix Bug with Duplicate PainlessClasses (#32110) Adjust translog after versionType removed in 7.0 (#32020) Disable C2 from using AVX-512 on JDK 10 (#32138) [Rollup] Add new capabilities endpoint for concrete rollup indices (#32111) Mute :qa:mixed-cluster indices.stats/10_index/Index - all’ [ML] Wait for aliases in multi-node tests (#32086) Ensure to release translog snapshot in primary-replica resync (#32045) Docs: Fix missing example script quote (#32010) Add Index UUID to `/_stats` Response (#31871) (#32113) [ML] Move analyzer dependencies out of categorization config (#32123) [ML][DOCS] Add missing 6.3.0 release notes (#32099) Updates the build to gradle 4.9 (#32087) Update monitoring template version to 6040099 (#32088) Fix 
put mappings java API documentation (#31955) Add exclusion option to `keep_types` token filter (#32012)
* master: Painless: Simplify Naming in Lookup Package (#32177) Handle missing values in painless (#32207) add support for write index resolution when creating/updating documents (#31520) ECS Task IAM profile credentials ignored in repository-s3 plugin (#31864) Remove indication of future multi-homing support (#32187) Rest test - allow for snapshots to take 0 milliseconds Make x-pack-core generate a pom file Rest HL client: Add put watch action (#32026) Build: Remove pom generation for plugin zip files (#32180) Fix comments causing errors with Java 11 Fix rollup on date fields that don't support epoch_millis (#31890) Detect and prevent configuration that triggers a Gradle bug (#31912) [test] port linux package packaging tests (#31943) Revert "Introduce a Hashing Processor (#31087)" (#32178) Remove empty @return from JavaDoc Adjust SSLDriver behavior for JDK11 changes (#32145) [test] use randomized runner in packaging tests (#32109) Add support for field aliases. (#32172) Painless: Fix caching bug and clean up addPainlessClass. 
(#32142) Call setReferences() on custom referring tokenfilters in _analyze (#32157) Fix BwC Tests looking for UUID Pre 6.4 (#32158) Improve docs for search preferences (#32159) use before instead of onOrBefore Add more contexts to painless execute api (#30511) Add EC2 credential test for repository-s3 (#31918) A replica can be promoted and started in one cluster state update (#32042) Fix Java 11 javadoc compile problem Fix CP for namingConventions when gradle home has spaces (#31914) Fix `range` queries on `_type` field for singe type indices (#31756) [DOCS] Update TLS on Docker for 6.3 (#32114) ESIndexLevelReplicationTestCase doesn't support replicated failures but it's good to know what they are Remove versionType from translog (#31945) Switch distribution to new style Requests (#30595) Build: Skip jar tests if jar disabled Painless: Add PainlessClassBuilder (#32141) Build: Make additional test deps of check (#32015) Disable C2 from using AVX-512 on JDK 10 (#32138) Build: Move shadow customizations into common code (#32014) Painless: Fix Bug with Duplicate PainlessClasses (#32110) Remove empty @param from Javadoc Re-disable packaging tests on suse boxes Docs: Fix missing example script quote (#32010) [ML] Wait for aliases in multi-node tests (#32086) [ML] Move analyzer dependencies out of categorization config (#32123) Ensure to release translog snapshot in primary-replica resync (#32045) Handle TokenizerFactory TODOs (#32063) Relax TermVectors API to work with textual fields other than TextFieldType (#31915) Updates the build to gradle 4.9 (#32087) Mute :qa:mixed-cluster indices.stats/10_index/Index - all’ Check that client methods match API defined in the REST spec (#31825) Enable testing in FIPS140 JVM (#31666) Fix put mappings java API documentation (#31955) Add exclusion option to `keep_types` token filter (#32012) [Test] Modify assert statement for ssl handshake (#32072)
Relates elastic#31918 / Closes infra/issues/6085
* 6.x: Security: revert to old way of merging automata (#32254) Fix a test bug in RangeQueryBuilderTests introduced in the field aliases backport. Introduce Application Privileges with support for Kibana RBAC (#32309) Undo a debugging change that snuck in during the field aliases merge. [test] port linux package packaging tests (#31943) Painless: Update More Methods to New Naming Scheme (#32305) Tribe: Add error with secure settings copied to tribe (#32298) Add V_6_3_3 version constant Add ERR to ranking evaluation documentation (#32314) [DOCS] Added link to 6.3.2 RNs [DOCS] Updates 6.3.2 release notes with PRs from ml-cpp repo (#32334) [Kerberos] Add Kerberos authentication support (#32263) [ML] Extract persistent task methods from MlMetadata (#32319) Backport - Add Snapshots Status API to High Level Rest Client (#32295) Make release notes ignore the `>test-failure` label. (#31309) [DOCS] Adds release highlights for search for 6.4 (#32095) Allow Integ Tests to run in a FIPS-140 JVM (#32316) Add support for field aliases to 6.x. 
(#32184) Register ERR metric with NamedXContentRegistry (#32320) fixes broken build for third-party-tests (#32315) Relates #31918 / Closes infra/issues/6085 [DOCS] Rollup Caps API incorrectly mentions GET Jobs API (#32280) Rest HL client: Add put watch action (#32026) (#32191) Add WeightedAvg metric aggregation (#31037) Consistent encoder names (#29492) Switch monitoring to new style Requests (#32255) specify subdirs of lib, bin, modules in package (#32253) Rename ranking evaluation `quality_level` to `metric_score` (#32168) Add new permission for JDK11 to load JAAS libraries (#32132) Switch x-pack:core to new style Requests (#32252) Watcher: Store username on watch execution (#31873) Silence SSL reload test that fails on JDK 11 Painless: Clean up add methods in PainlessLookup (#32258) CCE when re-throwing "shard not available" exception in TransportShardMultiGetAction (#32185) Fail shard if IndexShard#storeStats runs into an IOException (#32241) Fix `range` queries on `_type` field for singe type indices (#31756) (#32161) AwaitsFix RecoveryIT#testHistoryUUIDIsGenerated Add new fields to monitoring template for Beats state (#32085) (#32273) [TEST] improve REST high-level client naming conventions check (#32244) Check that client methods match API defined in the REST spec (#31825)
Add EC2 credential test for repository-s3
Relates to #26913