[APM] Run API tests as restricted user#70050
Conversation
Run API tests as a user that has the apm_user role and the kibana_admin role. These are (roughly) the minimum requirements for using APM.
|
Pinging @elastic/apm-ui (Team:apm) |
sorenlouv
left a comment
There was a problem hiding this comment.
awesome!! Thanks for doing this.
This will help us so much - next steps: apm dataset and api tests for all the endpoints!
|
@sqren made some changes, instead of having one apm_user that can do everything, we now run tests with two users, one with |
| case ApmUser.APM_WRITE_USER: | ||
| await security.role.create(ApmUser.APM_WRITE_USER, { | ||
| elasticsearch: { | ||
| cluster: [], | ||
| indices: [ | ||
| { | ||
| names: ['observability-annotations'], | ||
| privileges: [ | ||
| 'read', | ||
| 'view_index_metadata', | ||
| 'index', | ||
| 'manage', | ||
| 'create_index', | ||
| 'create_doc', | ||
| ], | ||
| }, | ||
| ], | ||
| }, | ||
| kibana: [ | ||
| { | ||
| base: [], | ||
| feature: { | ||
| apm: ['all'], | ||
| }, | ||
| spaces: ['*'], | ||
| }, | ||
| ], | ||
| }); | ||
|
|
||
| await security.user.create(ApmUser.APM_WRITE_USER, { | ||
| full_name: ApmUser.APM_WRITE_USER, | ||
| password: APM_TEST_PASSWORD, | ||
| roles: ['apm_user', ApmUser.APM_WRITE_USER], | ||
| }); |
There was a problem hiding this comment.
Perhaps it would be more clear to have separate functions: createApmReadUser, createApmReadWriteUser.
There was a problem hiding this comment.
I will make it more declarative. I need to add another user, one that is permitted to index annotations.
| ], | ||
| }); | ||
|
|
||
| await security.user.create(ApmUser.APM_WRITE_USER, { |
There was a problem hiding this comment.
Do you think it could be confusing with identical names for the user and role?
There was a problem hiding this comment.
Hmm, I don't think so. Do you see a scenario in our test where they could be confused?
| elasticsearch: { | ||
| cluster: [], | ||
| indices: [ | ||
| { names: ['observability-annotations'], privileges: ['read', 'view_index_metadata'] }, |
There was a problem hiding this comment.
Wasn't the plan to make this part of the apm_user?
There was a problem hiding this comment.
Yes, but didn't want to block on the ES PR. If the ES PR gets merged first, I will update this before merging.
💚 Build SucceededBuild metrics
History
To update your PR or re-run it, just comment with: |
Run API tests as a user that has the apm_user role and the kibana_admin role. These are (roughly) the minimum requirements for using APM.