feat(security,serverless): enable UIAM mode by default#260546
feat(security,serverless): enable UIAM mode by default#260546azasypkin merged 3 commits intoelastic:mainfrom
Conversation
6248c55 to
2ae720e
Compare
| '--env', | ||
| `quarkus.log.category."co.elastic.cloud.uiam".level=${env.UIAM_APP_LOGGING_LEVEL}`, | ||
| '--env', | ||
| `quarkus.log.category."co.elastic.cloud.uiam.app.authentication.ClientCertificateExtractor".level=${env.UIAM_LOGGING_LEVEL}`, |
There was a problem hiding this comment.
note: it's a way too noisy.
ae068f9 to
4b76ad5
Compare
4b76ad5 to
2f2bde2
Compare
| const customRolesFileName = process.env.ROLES_FILENAME_OVERRIDE; | ||
| const cloudUsersFilePath = resolve(REPO_ROOT, '.ftr', customRolesFileName ?? 'role_users.json'); | ||
|
|
||
| const kbnServerOptions = getopts(config.get('kbnTestServer.serverArgs'), { |
There was a problem hiding this comment.
note: Replicates what we do for Scout.
| @@ -47,7 +47,7 @@ export default createTestConfig({ | |||
| // useful for testing (also enabled in MKI QA) | |||
| '--coreApp.allowDynamicConfigOverrides=true', | |||
| `--xpack.securitySolutionServerless.cloudSecurityUsageReportingTaskInterval=5s`, | |||
| `--xpack.securitySolutionServerless.usageApi.url=http://localhost:8081`, | |||
| `--xpack.securitySolutionServerless.usageApi.url=http://localhost:8089`, | |||
There was a problem hiding this comment.
note: 8081 conflicts with UIAM containers that occupy 8081, 8082, and 8443.
| @@ -17,7 +18,7 @@ export const setupMockServer = () => { | |||
| }; | |||
|
|
|||
| const autoOpsHandler = http.post( | |||
| '/monitoring/serverless/v1/projects/fakeprojectid/metrics', | |||
| `/monitoring/serverless/v1/projects/${MOCK_IDP_UIAM_PROJECT_ID}/metrics`, | |||
There was a problem hiding this comment.
note: we use project ID that follows the proper project ID format.
| @@ -19,7 +19,7 @@ export default createTestConfig({ | |||
| `--xpack.task_manager.unsafe.exclude_task_types=${JSON.stringify(['Fleet-Metrics-Task'])}`, | |||
| '--coreApp.allowDynamicConfigOverrides=true', | |||
| `--xpack.securitySolutionServerless.cloudSecurityUsageReportingTaskInterval=5s`, | |||
| `--xpack.securitySolutionServerless.usageApi.url=http://localhost:8081`, | |||
| `--xpack.securitySolutionServerless.usageApi.url=http://localhost:8089`, | |||
There was a problem hiding this comment.
note: 8081 conflicts with UIAM containers that occupy 8081, 8082, and 8443.
| @@ -25,7 +25,7 @@ export default createTestConfig({ | |||
| // useful for testing (also enabled in MKI QA) | |||
| '--coreApp.allowDynamicConfigOverrides=true', | |||
| `--xpack.securitySolutionServerless.cloudSecurityUsageReportingTaskInterval=5s`, | |||
| `--xpack.securitySolutionServerless.usageApi.url=http://localhost:8081`, | |||
| `--xpack.securitySolutionServerless.usageApi.url=http://localhost:8089`, | |||
There was a problem hiding this comment.
note: 8081 conflicts with UIAM containers that occupy 8081, 8082, and 8443.
| @@ -51,7 +51,7 @@ export default function (providerContext: FtrProviderContext) { | |||
| let roleAuthc: RoleCredentials; | |||
| let internalRequestHeader: { 'x-elastic-internal-origin': string; 'kbn-xsrf': string }; | |||
| before(async () => { | |||
| mockUsageApiServer = mockUsageApiApp.listen(8081); // Start the usage api mock server on port 8081 | |||
| mockUsageApiServer = mockUsageApiApp.listen(8089); // Start the usage api mock server on port 8089 | |||
There was a problem hiding this comment.
note: 8081 conflicts with UIAM containers that occupy 8081, 8082, and 8443.
There was a problem hiding this comment.
You can now switch from { tag: tags.serverless.observability.complete } to { tag: tags.serverless.all } if you want to.
| ? { | ||
| uiam: kbnServerOptions['xpack.security.uiam.enabled'] ?? false, | ||
| projectType: kbnServerOptions.serverless as ServerlessProjectType, | ||
| organizationId: kbnServerOptions['xpack.cloud.organization_id']!, |
There was a problem hiding this comment.
question: how important to have OrgId defined in tests and should we consider default value?
There was a problem hiding this comment.
It is required by the UIAM session token, so it must be defined in ECS and is optional for non-Cloud users in ECH.
should we consider default value?
I'm setting it in the base config for both Serverless Scout and API integration tests, or do you think it should be defined elsewhere?
| ? 'ci:ZXMwMTo5MjIwJDo5MjIwJGtpYmFuYTo5MjIw' | ||
| : 'local-dev:ZG9ja2VyLmludGVybmFsOjkyMjAkaG9zdDo5MjIwJGtpYmFuYTo5MjIw' |
There was a problem hiding this comment.
question: I'm not sure what package suits best, but could we move it to a single place and imports as const in kbn/scout and default FTR configs?
I recently decoupled few packages from kbn/test and we don't want Scout to depend on kbn/test, so if there is no good spot I'm ok with duplication.
There was a problem hiding this comment.
I'm not sure what package suits best, but could we move it to a single place and imports as const in kbn/scout and default FTR configs?
Yeah, it's a good idea, maybe I'll just move it to src/platform/packages/private/kbn-mock-idp-utils/src/constants.ts where we have the rest of the similar consts.
dmlemeshko
left a comment
There was a problem hiding this comment.
Scout/FTR config changes LGTM
ersin-erdal
left a comment
There was a problem hiding this comment.
ResponseOps changes LGTM
mattkime
left a comment
There was a problem hiding this comment.
code owner changes lgtm
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
History
|
## Summary Now that UIAM powers all our environments by default, it's time to enable UIAM mode by default for local dev and CI setups (all Serverless tets). For a couple of months, I'm still keeping the `--no-uiam` flags for both Kibana and Elasticsearch as an escape hatch for developers in case things go awry. While the risk of such an event is low, local/CI UIAM involves two additional containers, so it's better to be safe.
…)" This reverts commit 17ac072.
Summary
Now that UIAM powers all our environments by default, it's time to enable UIAM mode by default for local dev and CI setups (all Serverless tets).
For a couple of months, I'm still keeping the
--no-uiamflags for both Kibana and Elasticsearch as an escape hatch for developers in case things go awry. While the risk of such an event is low, local/CI UIAM involves two additional containers, so it's better to be safe.