Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle expired tokens in cluster migration tests #89422

Merged
merged 29 commits into from
Aug 23, 2022
Merged

Handle expired tokens in cluster migration tests #89422

merged 29 commits into from
Aug 23, 2022

Conversation

n1v0lg
Copy link
Contributor

@n1v0lg n1v0lg commented Aug 17, 2022
edited
Loading

This PR addresses a failure around token BWC during cluster upgrade
tests: the tests assert that tokens created in a cluster before (or
during) an upgrade are still valid in the mixed or upgraded clusters.
Our cluster upgrade test suites are long running however such that
tokens created in the old (or mixed) cluster may be expired by the time
we test their validity. The maximum lifetime of tokens is configured
via a setting which has a max value of 1h. This PR extends the lifetime
of all tokens by writing to the .security-tokens index directly, for
each test where this is necessary. This (hacky) solution allows us to
robustly exercise the target path of the test (validating that a token
is valid and authenticates correctly) while keeping the fix confined to
test code (as opposed to solving this via a system property).

Closes #77350

@n1v0lg n1v0lg added >test Issues or PRs that are addressing/adding tests :Security/Security Security issues without another label labels Aug 17, 2022
@n1v0lg n1v0lg self-assigned this Aug 17, 2022
n1v0lg
n1v0lg commented Aug 22, 2022
View reviewed changes
.../rolling-upgrade/src/test/java/org/elasticsearch/upgrades/TokenBackwardsCompatibilityIT.java
assertEquals(false, bulkResponseMap.get("errors"));
}

private void refreshSecurityTokensIndex() throws IOException {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be overkill but I want to avoid weird flakiness here -- it would take forever to debug for someone looking at this in the future.

@n1v0lg
Copy link
Contributor Author

n1v0lg commented Aug 22, 2022

@elasticsearchmachine update branch plz

@n1v0lg
Copy link
Contributor Author

n1v0lg commented Aug 22, 2022

@elasticsearchmachine run elasticsearch-ci/part-2

@n1v0lg n1v0lg marked this pull request as ready for review August 22, 2022 11:53
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Aug 22, 2022
jakelandis
jakelandis approved these changes Aug 22, 2022
View reviewed changes
Copy link
Contributor

@jakelandis jakelandis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

albertzaharovits
albertzaharovits approved these changes Aug 23, 2022
View reviewed changes
Copy link
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@n1v0lg n1v0lg merged commit af4421d into elastic:main Aug 23, 2022
@n1v0lg n1v0lg deleted the fix/token-expiration-in-migrations-tests branch August 23, 2022 11:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@albertzaharovits albertzaharovits albertzaharovits approved these changes

@jakelandis jakelandis jakelandis approved these changes

Assignees

@n1v0lg n1v0lg

Labels
:Security/Security Security issues without another label Team:Security Meta label for security team >test Issues or PRs that are addressing/adding tests v8.5.0
Projects
None yet
Milestone
No milestone
4 participants
@n1v0lg @elasticsearchmachine @jakelandis @albertzaharovits