Fix cluster default initialization #1

Signed-off-by: Andrey Pleskach <[email protected]>

build.gradle

@@ -617,7 +617,8 @@ dependencies {
     testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.1'
 
     //OpenSAML
-    implementation 'net.shibboleth.utilities:java-support:8.4.0'
+    implementation "net.shibboleth.utilities:java-support:8.4.0"
+    runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.15"
     implementation "com.onelogin:java-saml:${one_login_java_saml}"
     implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
     implementation "org.opensaml:opensaml-core:${open_saml_version}"
@@ -643,7 +644,6 @@ dependencies {
     runtimeOnly 'com.google.j2objc:j2objc-annotations:2.8'
     compileOnly 'com.google.code.findbugs:jsr305:3.0.2'
     runtimeOnly 'org.lz4:lz4-java:1.8.0'
-    runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.25'
     runtimeOnly 'org.slf4j:slf4j-api:1.7.36'
     runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
     runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.5'
@@ -704,12 +704,12 @@ dependencies {
         exclude(group:'org.springframework', module: 'spring-jcl' )
     }
     testRuntimeOnly 'org.scala-lang:scala-library:2.13.13'
-    testRuntimeOnly 'com.yammer.metrics:metrics-core:2.2.0'
     testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.5'
     testRuntimeOnly('org.apache.zookeeper:zookeeper:3.9.1') {
         exclude(group:'ch.qos.logback', module: 'logback-classic' )
         exclude(group:'ch.qos.logback', module: 'logback-core' )
     }
+    testRuntimeOnly 'com.yammer.metrics:metrics-core:2.2.0'
     testRuntimeOnly "org.apache.kafka:kafka-metadata:${kafka_version}"
     testRuntimeOnly "org.apache.kafka:kafka-storage:${kafka_version}"
 

src/integrationTest/java/org/opensearch/security/AbstractDefaultConfigurationTests.java

@@ -0,0 +1,98 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.io.IOException;
+import java.nio.file.Path;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.apache.commons.io.FileUtils;
+import org.awaitility.Awaitility;
+import org.junit.AfterClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.security.state.SecurityMetadata;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.aMapWithSize;
+import static org.hamcrest.Matchers.allOf;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasKey;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public abstract class AbstractDefaultConfigurationTests {
+    public final static Path configurationFolder = ConfigurationFiles.createConfigurationDirectory();
+    public static final String ADMIN_USER_NAME = "admin";
+    public static final String DEFAULT_PASSWORD = "secret";
+    public static final String NEW_USER = "new-user";
+    public static final String LIMITED_USER = "limited-user";
+
+    private final LocalCluster cluster;
+
+    protected AbstractDefaultConfigurationTests(LocalCluster cluster) {
+        this.cluster = cluster;
+    }
+
+    @AfterClass
+    public static void cleanConfigurationDirectory() throws IOException {
+        FileUtils.deleteDirectory(configurationFolder.toFile());
+    }
+
+    @Test
+    public void shouldLoadDefaultConfiguration() throws IOException {
+        try (TestRestClient client = cluster.getRestClient(NEW_USER, DEFAULT_PASSWORD)) {
+            Awaitility.waitAtMost(10, TimeUnit.SECONDS)
+                .await("Load default configuration")
+                .until(() -> client.getAuthInfo().getStatusCode(), equalTo(200));
+        }
+
+        try (TestRestClient client = cluster.getRestClient(ADMIN_USER_NAME, DEFAULT_PASSWORD)) {
+            client.confirmCorrectCredentials(ADMIN_USER_NAME);
+            TestRestClient.HttpResponse response = client.get("_plugins/_security/api/internalusers");
+            response.assertStatusCode(200);
+            Map<String, Object> users = response.getBodyAs(Map.class);
+            assertThat(users, allOf(aMapWithSize(3), hasKey(ADMIN_USER_NAME), hasKey(NEW_USER), hasKey(LIMITED_USER)));
+            assertClusterState(client);
+        }
+    }
+
+    void assertClusterState(final TestRestClient client) {
+        if (cluster.node().settings().getAsBoolean("plugins.security.allow_default_init_securityindex.use_cluster_state", false)) {
+            final TestRestClient.HttpResponse response = client.get("_cluster/state");
+            response.assertStatusCode(200);
+            final var clusterState = response.getBodyAs(Map.class);
+            assertTrue(response.getBody(), clusterState.containsKey(SecurityMetadata.TYPE));
+            @SuppressWarnings("unchecked")
+            final var securityClusterState = (Map<String, Object>) clusterState.get(SecurityMetadata.TYPE);
+            @SuppressWarnings("unchecked")
+            final var securityConfiguration = (Map<String, Object>) ((Map<?, ?>) clusterState.get(SecurityMetadata.TYPE)).get(
+                "configuration"
+            );
+            assertTrue(response.getBody(), securityClusterState.containsKey("created"));
+            assertNotNull(response.getBody(), securityClusterState.get("created"));
+
+            for (final var k : securityConfiguration.keySet()) {
+                @SuppressWarnings("unchecked")
+                final var sc = (Map<String, Object>) securityConfiguration.get(k);
+                assertTrue(response.getBody(), sc.containsKey("hash"));
+                assertTrue(response.getBody(), sc.containsKey("last_modified"));
+            }
+        }
+    }
+
+}

src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterTests.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.util.List;
+import java.util.Map;
+
+import org.junit.ClassRule;
+
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+public class DefaultConfigurationMultiNodeClusterTests extends AbstractDefaultConfigurationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+        .nodeSettings(
+            Map.of(
+                "plugins.security.allow_default_init_securityindex",
+                true,
+                "plugins.security.restapi.roles_enabled",
+                List.of("user_admin__all_access")
+            )
+        )
+        .defaultConfigurationInitDirectory(configurationFolder.toString())
+        .loadConfigurationIntoIndex(false)
+        .build();
+
+    public DefaultConfigurationMultiNodeClusterTests() {
+        super(cluster);
+    }
+}

src/integrationTest/java/org/opensearch/security/DefaultConfigurationMultiNodeClusterUseClusterStateTests.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.util.List;
+import java.util.Map;
+
+import org.junit.ClassRule;
+
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+public class DefaultConfigurationMultiNodeClusterUseClusterStateTests extends AbstractDefaultConfigurationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
+        .nodeSettings(
+            Map.of(
+                "plugins.security.allow_default_init_securityindex",
+                true,
+                "plugins.security.allow_default_init_securityindex.use_cluster_state",
+                true,
+                "plugins.security.restapi.roles_enabled",
+                List.of("user_admin__all_access")
+            )
+        )
+        .defaultConfigurationInitDirectory(configurationFolder.toString())
+        .loadConfigurationIntoIndex(false)
+        .build();
+
+    public DefaultConfigurationMultiNodeClusterUseClusterStateTests() {
+        super(cluster);
+    }
+
+}

src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterTests.java

@@ -0,0 +1,44 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
+package org.opensearch.security;
+
+import java.util.List;
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class DefaultConfigurationSingleNodeClusterTests extends AbstractDefaultConfigurationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .nodeSettings(
+            Map.of(
+                "plugins.security.allow_default_init_securityindex",
+                true,
+                "plugins.security.restapi.roles_enabled",
+                List.of("user_admin__all_access")
+            )
+        )
+        .defaultConfigurationInitDirectory(configurationFolder.toString())
+        .loadConfigurationIntoIndex(false)
+        .build();
+
+    public DefaultConfigurationSingleNodeClusterTests() {
+        super(cluster);
+    }
+
+}

src/integrationTest/java/org/opensearch/security/DefaultConfigurationSingleNodeClusterUseClusterStateTests.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ */
+package org.opensearch.security;
+
+import java.util.List;
+import java.util.Map;
+
+import org.junit.ClassRule;
+
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+
+public class DefaultConfigurationSingleNodeClusterUseClusterStateTests extends AbstractDefaultConfigurationTests {
+
+    @ClassRule
+    public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+        .nodeSettings(
+            Map.of(
+                "plugins.security.allow_default_init_securityindex",
+                true,
+                "plugins.security.allow_default_init_securityindex.use_cluster_state",
+                true,
+                "plugins.security.restapi.roles_enabled",
+                List.of("user_admin__all_access")
+            )
+        )
+        .defaultConfigurationInitDirectory(configurationFolder.toString())
+        .loadConfigurationIntoIndex(false)
+        .build();
+
+    public DefaultConfigurationSingleNodeClusterUseClusterStateTests() {
+        super(cluster);
+    }
+
+}

src/integrationTest/java/org/opensearch/security/SecurityConfigurationBootstrapTests.java

@@ -124,6 +124,7 @@ public void shouldStillLoadSecurityConfigDuringBootstrapAndActiveConfigUpdateReq
                     .put("action_groups.yml", CType.ACTIONGROUPS)
                     .put("config.yml", CType.CONFIG)
                     .put("roles.yml", CType.ROLES)
+                    .put("roles_mapping.yml", CType.ROLESMAPPING)
                     .put("tenants.yml", CType.TENANTS)
                     .build();
 
@@ -146,7 +147,7 @@ public void shouldStillLoadSecurityConfigDuringBootstrapAndActiveConfigUpdateReq
                     // After the configuration has been loaded, the rest clients should be able to connect successfully
                     cluster.triggerConfigurationReloadForCTypes(
                         internalNodeClient,
-                        List.of(CType.ACTIONGROUPS, CType.CONFIG, CType.ROLES, CType.TENANTS),
+                        List.of(CType.ACTIONGROUPS, CType.CONFIG, CType.ROLES, CType.ROLESMAPPING, CType.TENANTS),
                         true
                     );
                     try (final TestRestClient freshClient = cluster.getRestClient(USER_ADMIN)) {