-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove username/password #1006
Remove username/password #1006
Conversation
Remove using basic auth as credentials when contacting ES. Will only be able to use service tokens.
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
Some of the integation tests are failing as they seem to do things beyond just using the
|
@ruflin, is the service account expected to be able to do all the interactions that are currently part of the integration tests/ |
It is not necessarily the case the fleet-server service token has all the permissions for the integration tests as these also do some additional setup. But looking at the error above, it is about setting up template and likely comes from here: https://github.com/elastic/fleet-server/blob/master/internal/pkg/testing/esutil/template.go#L52 In the early days of fleet-server, fleet-server did the setup during testing but this is now all shipped with Elasticsearch. @aleksmaus Is this part still needed? Is this to ensure that Elasticsearch has the template as expected? Assuming we need more permissions, it would good to make all these checks with a different Elasticsearch client and not directly the one from fleet-server so username / password is only used during tests and not exposed to users. |
@ruflin many integration tests created artificial indices, easier to setup and guarantee that the tests from different packages do not step on each other in case if they are run in parallel. We probably could generate a different token with wider permissions for integration testing only as a short term solution, not ideal but it will unblock this effort. We probably should rewrite the integration tests to use the .fleet-* indices (need a proper setup/cleanup), probably add some new tests for the new .fleet system indices APIs. Make sure that the tests from different packages are not run in parallel (-p 1) if we have such a problem. |
@aleksmaus, I've tried to change one of the integration test to use an index prefixed with
|
As the templates are by now always shipped in Elasticsearch I think we can start to assume these are always there. @aleksmaus Agree that we should revamp the tests quite a bit. Would be great if you could take it on. Do you need an issue for it? @jlind23 (FYI) @michel-laterman As a quick workaround, is it possible to use a different ES client for the template actions in the tests with a username / password? |
@michel-laterman use whatever workaround is needed to unblock this PR for now. Could disable the test(s) short term as long as you verified that the fleet-server works as expected with the agents/fleet. In some tests like this one, it tests just some basic functionality (bulker) that should work on any index and we probably can use whatever credentials or test indices to test it, doesn't have to be .fleet- index. On the other hand it would be good to test with the actual .fleet-* indices since the calls to these indices are going through the elasticsearch fleet plugin, so we can catch any potential breakage earlier. @ruflin I created a tracker issue (#1020) and will work on revamping the integration tests so we don't have to use workarounds. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 LGTM
* Remove username/password Remove using basic auth as credentials when contacting ES. Will only be able to use service tokens. * fix most tests * Skip broken tests (cherry picked from commit d435007)
* Remove username/password Remove using basic auth as credentials when contacting ES. Will only be able to use service tokens. * fix most tests * Skip broken tests (cherry picked from commit d435007) Co-authored-by: Michel Laterman <[email protected]>
one of the issues that came up during changing of the integration tests, thought it's worth to mention.
|
btw the current code utilizes refreshes, grep for so not sure how it works now with the service token if it was tested |
Looks like migration is broken as well.
The token doesn't have refresh permissions. |
Seems like @aleksmaus fixed this in an Elasticsearch PR for 8.0 but what about 7.x? |
added labels for v7.16.3 and v7.17 to elastisearch PR, will see if it backports automagically or would have to do it manually. |
What is the problem this PR solves?
Remove using basic auth as credentials when contacting ES. Will only be
able to use service tokens.
PR to remove the attributes in elastic-agent: elastic/beats#29458
How does this PR solve the problem?
// Explain HOW you solved the problem in your code. It is possible that during PR reviews this changes and then this section should be updated.
Checklist
I have added an entry inCHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Related issues