Implement a SAML role(s) selector to aid developers in testing Serverless Kibana with different user privileges #166340

Closed
azasypkin opened this issue Sep 13, 2023 · 2 comments
Assignees
Labels
chore DX Issues related to Developer Experience Feature:Security/Authentication Platform Security - Authentication Feature:Security/Authorization Platform Security - Authorization Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@azasypkin (Member)

Summary

While developing Kibana for the Serverless offering, developers should be able to easily switch between users with different roles and privileges to test their applications. Currently, this process is quite cumbersome, as Serverless Elasticsearch doesn't support the native realm, preventing developers from quickly adding custom native users and roles.
Also, in Serverless, users are required to use the SAML realm for authentication, which differs significantly from the native realm. Therefore, it's important to test functionality in an environment as close to production as possible.

It is possible to configure both Serverless Elasticsearch and Serverless Kibana with a "fake" SAML realm locally today (we already have file-based roles that can be mapped to SAML users). With this setup, SAML users can be created on-the-fly with any roles developers need. However, there is currently no user-friendly UI to simplify switching between roles. We should consider implementing a special local-only Serverless Login Selector to address this, similar to the local-only Serverless top-bar used to switch between project types.

@azasypkin azasypkin added chore Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Security/Authentication Platform Security - Authentication Feature:Security/Authorization Platform Security - Authorization labels Sep 13, 2023
@elasticmachine (Contributor)

Pinging @elastic/kibana-security (Team:Security)

@azasypkin azasypkin added the DX Issues related to Developer Experience label Sep 13, 2023
@thomheymann thomheymann self-assigned this Oct 25, 2023
thomheymann added a commit that referenced this issue Nov 15, 2023
Related to [#166340](#166340)

## Summary

Add mock identity provider and utils to test serverless user roles.

## Screenshot

### 1. Login selector

<img width="767" alt="Screenshot 2023-11-08 at 15 18 18" src="https://github.com/elastic/kibana/assets/190132/82b4a29f-65b4-45d2-bed3-6d9f74043c48">

### 2. Single sign on screen

<img width="437" alt="Screenshot 2023-11-09 at 12 30 46" src="https://github.com/elastic/kibana/assets/190132/3d5b6f26-5409-4169-a627-bcf6d09836d9">

### 3. User profile page

<img width="1041" alt="Screenshot 2023-11-08 at 17 36 22" src="https://github.com/elastic/kibana/assets/190132/50bd4a5a-f9a8-4643-9384-9a352701b011">

## Testing

SAML is only supported by ES when running in SSL mode.

1. To test the mock identity provider, run a serverless project in SSL mode using:

```bash
yarn es serverless --ssl
yarn start --serverless=es --ssl
```

2. Then access Kibana and log in using "Continue as Test User".

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Aleh Zasypkin <[email protected]>
Co-authored-by: Dzmitry Lemechko <[email protected]>
MadameSheema added a commit that referenced this issue Dec 13, 2023
…ing (#172655)

Relates to:
* #166340
* #170852
* #170417
* #172678

## Summary

In this PR we are using the code implemented on #170417 and #172678 to allow SAML and role testing inside Cypress.

* We are creating a Cypress task to use the above-developed code and be able to retrieve a session cookie given a role.
* We updated the login task to know how we should perform the login depending on whether we are in Serverless (MKI or serverless FTR) or ESS.
* In the parallel serverless script:
  * We are updating the `BASE_ENV_URL` variable to use the proper QA environment (pending to be done in follow-up PRs, to extract this value so it is not hardcoded cc @dkirchan )
  * We are adding the `IS_SERVERLESS` environment variable needed for the logic on the login task. This change required updating the `es_archiver` file so it continues to work as expected.
  * We have added the `TEST_CLOUD_HOST_NAME` environment variable needed for the code we are reusing to retrieve the session cookie for MKI.
* We have updated the Security Solution quality gate script to set the `role_users.json` file needed by the code we are reusing to get the different session cookies on MKI.
* We have adjusted the tests because the username now follows the pattern `test <role>` (@dmlemeshko is it possible to have as username just the role? Is this something that can impact other tests and teams?)
* We have [skipped](#173168) a test that got unstable after the changes.

## How to test it in your machine

### Serverless FTR

1. Navigate to `x-pack/test/security_solution_cypress`
2. Execute `yarn cypress:open:qa:serverless`
3. Click on `E2E testing`
4. Click on any test to execute it


### Serverless MKI

Set up a valid Elastic Cloud API key for the QA environment:

1. Navigate to the QA environment.
2. Click on the `User menu button` located on the top right of the header.
3. Click on `Organization`.
4. Click on the `API keys` tab.
5. Click on the `Create API key` button.
6. Add a name, set an expiration date, and assign an organization owner role.
7. Click on `Create API key`.
8. Save the value of the key.

Store the saved key on `~/.elastic/cloud.json` using the following
format:

```json
{
  "api_key": {
    "qa": "<API_KEY>"
  }
}
```

Store the email and password of the account you used to log in to the QA environment at the root directory of your Kibana project in `.ftr/role_users.json`, using the following format:

```json
{
  "admin": {
    "email": "<email>",
    "password": "<password>"
  }
}
```

If you want to execute a test with a role different from the default one, make sure you have created the user under your organization and that it is added to the above JSON following the format:

```json
{
  "admin": {
    "email": "<email>",
    "password": "<password>"
  },
  "<roleName>": {
    "email": "<email>",
    "password": "<password>"
  }
}
```

1. Navigate to `x-pack/test/security_solution_cypress`
2. Execute `yarn cypress:open:qa:serverless`
3. Click on `E2E testing`
4. Click on any test to execute it

---------

Co-authored-by: kibanamachine <[email protected]>
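The following TypeScript is an added illustration of the decisions the commit message above describes for the Cypress login task; it is not Kibana's or the Security Solution Cypress suite's own code. It takes the two file formats from the message (`~/.elastic/cloud.json` and `.ftr/role_users.json`) as inline constructed strings, picks a login path from `IS_SERVERLESS` and `TEST_CLOUD_HOST_NAME`, and resolves the credentials for a requested role, refusing to continue when the template placeholders (`<email>`, `<API_KEY>`) were never filled in or the role was never added. The rule that `TEST_CLOUD_HOST_NAME` distinguishes an MKI run from a local serverless FTR run is an assumption, as are the function names and the sample values.

```typescript
// Added example, not Kibana's own code. Models the login-task decisions
// described in the commit message: choose a login path from environment
// variables and resolve per-role credentials from the role_users.json format.
// Assumption: MKI runs are the ones carrying TEST_CLOUD_HOST_NAME.

type RoleUser = { email: string; password: string };
type RoleUsers = Record<string, RoleUser>;
type LoginMode = 'ess' | 'serverless-ftr' | 'serverless-mki';

// Values such as "<email>" or "<API_KEY>" copied verbatim from the doc template.
const PLACEHOLDER = /^<[^>]*>$/;

function loginMode(env: Record<string, string | undefined>): LoginMode {
  if (env.IS_SERVERLESS !== 'true') {
    return 'ess';
  }
  // Assumption: a local serverless FTR run does not set TEST_CLOUD_HOST_NAME.
  return env.TEST_CLOUD_HOST_NAME ? 'serverless-mki' : 'serverless-ftr';
}

// Parse and validate role_users.json: every entry needs a real email and
// password, and the default "admin" role must be present.
function parseRoleUsers(json: string): RoleUsers {
  const raw: unknown = JSON.parse(json);
  if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
    throw new Error('role_users.json must be a JSON object keyed by role name');
  }
  const users: RoleUsers = {};
  for (const [role, value] of Object.entries(raw as Record<string, unknown>)) {
    const entry = value as Partial<RoleUser> | null;
    if (!entry || typeof entry.email !== 'string' || typeof entry.password !== 'string') {
      throw new Error(`role "${role}" needs string "email" and "password" fields`);
    }
    if (!entry.password || PLACEHOLDER.test(entry.email) || PLACEHOLDER.test(entry.password)) {
      throw new Error(`role "${role}" still has placeholder or empty credentials`);
    }
    users[role] = { email: entry.email, password: entry.password };
  }
  if (!users.admin) {
    throw new Error('role_users.json must define the default "admin" role');
  }
  return users;
}

// Pick the credentials for the requested role. The error names the configured
// roles only; it never echoes a password.
function resolveRoleUser(users: RoleUsers, role: string): RoleUser {
  const user = users[role];
  if (!user) {
    throw new Error(`no credentials for role "${role}"; configured roles: ${Object.keys(users).join(', ')}`);
  }
  return user;
}

// Read the Cloud API key for one environment ("qa" in the commit message)
// from the ~/.elastic/cloud.json format.
function cloudApiKey(json: string, envName: string): string {
  const raw = JSON.parse(json) as { api_key?: Record<string, unknown> };
  const key = raw.api_key?.[envName];
  if (typeof key !== 'string' || key.length === 0 || PLACEHOLDER.test(key)) {
    throw new Error(`cloud.json has no usable api_key.${envName}`);
  }
  return key;
}

// Constructed sample inputs (not real credentials).
const SAMPLE_ROLE_USERS = JSON.stringify({
  admin: { email: 'admin@example.test', password: 'admin-pass-constructed' },
  viewer: { email: 'viewer@example.test', password: 'viewer-pass-constructed' },
});
const SAMPLE_CLOUD = JSON.stringify({ api_key: { qa: 'constructed-qa-key' } });

// Walk the whole decision once: which login path, and which account logs in.
function runSample(role: string, env: Record<string, string | undefined>): [LoginMode, string] {
  const mode = loginMode(env);
  const user = resolveRoleUser(parseRoleUsers(SAMPLE_ROLE_USERS), role);
  if (mode === 'serverless-mki') {
    cloudApiKey(SAMPLE_CLOUD, 'qa'); // a real task would present this to the Cloud API
  }
  return [mode, user.email];
}

console.log(runSample('viewer', { IS_SERVERLESS: 'true', TEST_CLOUD_HOST_NAME: 'qa.example.test' }));
```

Failing fast on an unfilled template matters more here than it looks: a test run that silently falls back to the `admin` entry would pass checks that the lower-privileged role should have failed, which is the opposite of what role testing is for.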
@legrego legrego assigned azasypkin and unassigned thomheymann Jan 9, 2024
@legrego legrego closed this as completed Jan 13, 2024
@legrego (Member)

legrego commented Jan 13, 2024

Resolved via #172257
