[Test] Relax assertion of denial message for service account#80389
[Test] Relax assertion of denial message for service account#80389ywangd merged 3 commits intoelastic:8.0from
Conversation
The error message for access denial now explicitly spells out service account instead of generic "user" when a service account issues the request. Relates: elastic#79809
|
Pinging @elastic/es-security (Team:Security) |
|
Does this need to go into 8.0 or just 7.16? |
| - match: { "error.type": "security_exception" } | ||
| - match: | ||
| error.reason: "action [cluster:admin/xpack/security/user/delete] is unauthorized for user [elastic/fleet-server], this action is granted by the cluster privileges [manage_security,all]" | ||
| error.reason: "/action.\\[cluster:admin/xpack/security/user/delete\\].is.unauthorized.for.*\\[elastic/fleet-server\\].*this.action.is.granted.by.the.cluster.privileges.*/" |
There was a problem hiding this comment.
I don't understand why the regex needs a . in place of a space. Can you explain?
There was a problem hiding this comment.
The match regex assertion is compiled with the COMMENTS option that ignores whitespaces and permits comments (#).
We can also assert whitespace with \\ , e.g. this\\ action\\ is\\ granted\\ by\\ the\\ cluster\\ privileges. But I think escapes looks ugly and it's not all that important. Many existing yaml tests just use ..
For now probably 7.16 is fine since 8.0 is not used for v7RestCompat for 8.1. But I think it's better to update both 8.0 and 7.16 since it is a tiny change and future-proof in case we need restCompat from 8.0 to future versions. |
…#80389) Relax the assertion for error message so that v7RestCompat test does not break on non-bwc'able changes. Relates: elastic#79809
Relax the assertion for error message so that v7RestCompat test does not break on non-bwc'able changes.
Relates: #79809