Implement a SAML role(s) selector to aid developers in testing Serverless Kibana with different user privileges #166340
Assignees
Labels
chore
DX
Issues related to Developer Experience
Feature:Security/Authentication
Platform Security - Authentication
Feature:Security/Authorization
Platform Security - Authorization
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Comments
azasypkin
added
chore
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
thomheymann
added a commit
that referenced
this issue
Nov 15, 2023
Related to [#166340](#166340) ## Summary Add mock identity provider and utils to test serverless user roles. ## Screenshot ### 1. Login selector <img width="767" alt="Screenshot 2023-11-08 at 15 18 18" src="https://github.com/elastic/kibana/assets/190132/82b4a29f-65b4-45d2-bed3-6d9f74043c48"> ### 2. Single sign on screen <img width="437" alt="Screenshot 2023-11-09 at 12 30 46" src="https://github.com/elastic/kibana/assets/190132/3d5b6f26-5409-4169-a627-bcf6d09836d9"> ### 3. User profile page <img width="1041" alt="Screenshot 2023-11-08 at 17 36 22" src="https://github.com/elastic/kibana/assets/190132/50bd4a5a-f9a8-4643-9384-9a352701b011"> ## Testing SAML is only supported by ES when running in SSL mode. 1. To test the mock identity provider run a serverless project in SSL mode using: ```bash yarn es serverless --ssl yarn start --serverless=es --ssl ``` 2. Then access Kibana and login in using "Continue as Test User". --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Aleh Zasypkin <[email protected]> Co-authored-by: Dzmitry Lemechko <[email protected]>
MadameSheema
added a commit
that referenced
this issue
Dec 13, 2023
…ing (#172655) Relates to: * #166340 * #170852 * #170417 * #172678 ## Summary In this PR we are using the code implemented on #170417 and #172678 to allow SAML and role testing inside Cypress. * We are creating a Cypress task to use the above-developed code and be able to retrieve a session cookie given a role. * We updated the login task to know how we should perform the login depending if we are in Serverless (MKI or serverless FTR) or ESS * In the parallel serverless script: * We are updating the `BASE_ENV_URL` variable to use the proper QA environment (pending to be done in follow-up PRs, to extract this value so it is not hardcoded cc @dkirchan ) * We are adding the `IS_SERVERLESS` environment variable needed for the logic on the login task. This changed implied to update the `es_archiver` file to continue work as expected. * We have added the `TEST_CLOUD_HOST_NAME` environment variable needed for the code we are reusing to retrieve the session cookie for MKI. * We have updated the Security Solution quality gate script to set the `role_users.json` file needed by the code we are reusing to get the different session cookies on MKI * We have adjusted the tests because the username now follows the pattern `test <role>` (@dmlemeshko is it possible to have as username just the role? Is this something that can impact other tests and teams?) * We have [skipped](#173168) a test that got unstable after the changes. ## How to test it in your machine ### Serverless FTR 1. Navigate to `x-pack/test/security_solution_cypress` 2. Execute `yarn cypress:open:qa:serverless` 3. Click on `E2E testing` 4. Click on any test to execute it ### Serverless MKI Setup a valid Elastic Cloud API key for QA environment: 1. Navigate to QA environment. 2. Click on the `User menu button` located on the top right of the header. 3. Click on `Organization`. 5. Click on the `API keys` tab. 6. Click on `Create API key` button. 7. Add a name, set an expiration date, assign an organization owner role. 8. Click on `Create API key` 9. Save the value of the key Store the saved key on `~/.elastic/cloud.json` using the following format: ```json { "api_key": { "qa": "<API_KEY>" } } ``` Store the email and password of the account you used to login in the QA Environment at the root directory of your Kibana project on `.ftr/role_users.json`, using the following format: ```json { "admin": { "email": "<email>", "password": "<password>" } } ``` If you want to execute a test with a role different from the default one, make sure you have created the user under your organization and is added to the above json following the format: ```json { "admin": { "email": "<email>", "password": "<password>" }, "<roleName>": { "email": "<email>", "password": "<password>" } } ``` 1. Navigate to `x-pack/test/security_solution_cypress` 2. Execute `yarn cypress:open:qa:serverless` 3. Click on `E2E testing` 4. Click on any test to execute it --------- Co-authored-by: kibanamachine <[email protected]>
|
Resolved via #172257 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
While developing Kibana for the Serverless offering, developers should be able to easily switch between users with different roles and privileges to test their applications. Currently, this process is quite cumbersome, as Serverless Elasticsearch doesn't support the native realm, preventing developers from quickly adding custom native users and roles.
Also, in Serverless, users are required to use the SAML realm for authentication, which differs significantly from the native realm. Therefore, it's important to test functionality in an environment as close to production as possible.
It is possible to configure both Serverless Elasticsearch and Serverless Kibana with a "fake" SAML realm locally today (we already have file-based roles that can be mapped to SAML users). With this setup, SAML users can be created on-the-fly with any roles developers need. However, there is currently no user-friendly UI to simplify switching between roles. We should consider implementing a special local-only Serverless Login Selector to address this, similar to the local-only Serverless top-bar used to switch between project types.
The text was updated successfully, but these errors were encountered: