def elastic_service(service_account: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Install Elasticsearch with TLS and X-Pack security, yield its settings, then remove it.

    The service is (re)installed with transport encryption and
    ``xpack_security_enabled`` switched on, a trial license is started, and
    passwords are generated through ``config.setup_passwords``. The "elastic"
    password is then written back into the service configuration as the health
    check password.

    Args:
        service_account: Mapping that provides the ``"name"`` and ``"secret"``
            entries passed to the service as its service account settings.

    Yields:
        A shallow copy of the install options extended with ``"package_name"``
        and ``"passwords"``. The ``"passwords"`` entry holds the generated
        credentials, so keep the yielded mapping out of logs and assertion
        messages.
    """
    pkg = config.PACKAGE_NAME
    svc = config.SERVICE_NAME
    task_count = config.DEFAULT_TASK_COUNT

    service_section = {
        "name": svc,
        "service_account": service_account["name"],
        "service_account_secret": service_account["secret"],
        "security": {"transport_encryption": {"enabled": True}},
    }
    install_options = {
        "service": service_section,
        "elasticsearch": {"xpack_security_enabled": True},
    }

    try:
        # Start from a clean slate in case an earlier run left the service behind.
        sdk_install.uninstall(pkg, svc)
        sdk_install.install(
            pkg,
            service_name=svc,
            expected_running_tasks=task_count,
            additional_options=install_options,
            timeout_seconds=30 * 60,  # 30 minutes
        )

        # The trial license is started before the passwords are generated.
        config.start_trial_license(svc, https=True)

        # From here on, requests to Elasticsearch need basic HTTP credentials.
        generated = config.setup_passwords(svc, https=True)

        # Give the health check the credentials it now needs.
        health_credentials = {"elasticsearch": {"health_user_password": generated["elastic"]}}
        sdk_service.update_configuration(pkg, svc, health_credentials, task_count)

        fixture_value = dict(install_options)
        fixture_value["package_name"] = pkg
        fixture_value["passwords"] = generated
        yield fixture_value
    finally:
        # Runs whether setup, the consuming test, or neither failed.
        sdk_install.uninstall(pkg, svc)
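def test_security_toggle_with_kibana(default_populated_index: None) -> None:
    """Toggle X-Pack security on and off and check that data and Kibana survive.

    Steps, in order:
      1. With security off, confirm commercial APIs are disabled and the
         license is "basic", write document 1, and install/check/uninstall
         Kibana.
      2. Enable security, start a trial license, generate passwords, confirm
         the "trial" license and commercial APIs using basic HTTP credentials,
         write document 2, and install/check/uninstall Kibana with
         credentials.
      3. Disable security again and read both documents back *without*
         credentials, then restore the "serial" update strategy.

    Step 3 also demonstrates that turning security off removes the
    authentication requirement for documents that were indexed while it was
    on.

    Relies on names defined outside this function (``service_name``,
    ``package_name``, ``index_name``, ``index_type``, ``kibana_package_name``,
    ``kibana_service_name``, ``kibana_timeout``,
    ``current_expected_task_count``).
    """
    http_user = config.DEFAULT_ELASTICSEARCH_USER

    # Verify that commercial APIs are disabled by default in Elasticsearch.
    config.verify_commercial_api_status(False, service_name=service_name)

    # Write some data with security disabled, enable security, and afterwards verify that we can
    # still read what we wrote.
    document_security_disabled_id = 1
    document_security_disabled_fields = {"name": "Elasticsearch", "role": "search engine"}
    config.create_document(
        index_name,
        index_type,
        document_security_disabled_id,
        document_security_disabled_fields,
        service_name=service_name,
    )

    # Verify that basic license is enabled by default.
    config.verify_xpack_license("basic", service_name=service_name)

    # Install Kibana.
    # NOTE(review): Elasticsearch is addressed over plain "http://". The same URL is reused
    # below once security is enabled, so the basic HTTP credentials given to Kibana are
    # presumably sent unencrypted. Confirm this test only runs on an isolated cluster.
    elasticsearch_url = "http://" + sdk_hosts.vip_host(service_name, "coordinator", 9200)
    sdk_install.install(
        kibana_package_name,
        kibana_service_name,
        0,
        {"kibana": {"elasticsearch_url": elasticsearch_url}},
        timeout_seconds=kibana_timeout,
        wait_for_deployment=False,
        insert_strict_options=False,
    )

    # Verify that it works.
    config.check_kibana_adminrouter_integration("service/{}/app/kibana".format(kibana_package_name))

    # Uninstall it. The service name must be the one used for the install above
    # (kibana_service_name), otherwise the instance is left running whenever the service name
    # differs from the package name.
    sdk_install.uninstall(kibana_package_name, kibana_service_name)

    # Enable Elasticsearch security.
    sdk_service.update_configuration(
        package_name,
        service_name,
        {
            "elasticsearch": {"xpack_security_enabled": True},
            "service": {"update_strategy": "parallel"},
        },
        current_expected_task_count,
    )

    # This should still be disabled.
    config.verify_commercial_api_status(False, service_name=service_name)

    # Start trial license.
    config.start_trial_license(service_name=service_name)

    # Set up passwords. Basic HTTP credentials will have to be used in HTTP requests to
    # Elasticsearch from now on.
    passwords = config.setup_passwords(service_name)

    # Verify trial license is working.
    config.verify_xpack_license(
        "trial", service_name=service_name, http_user=http_user, http_password=passwords["elastic"]
    )
    config.verify_commercial_api_status(
        True, service_name=service_name, http_user=http_user, http_password=passwords["elastic"]
    )

    # Write some data with security enabled, disable security, and afterwards verify that we can
    # still read what we wrote.
    document_security_enabled_id = 2
    document_security_enabled_fields = {"name": "X-Pack", "role": "commercial plugin"}
    config.create_document(
        index_name,
        index_type,
        document_security_enabled_id,
        document_security_enabled_fields,
        service_name=service_name,
        http_user=http_user,
        http_password=passwords["elastic"],
    )

    # Install Kibana with security enabled. This install registers the service under
    # kibana_package_name, and the uninstall below uses the same name.
    sdk_install.install(
        kibana_package_name,
        kibana_package_name,
        0,
        {
            "kibana": {
                "elasticsearch_url": elasticsearch_url,
                "elasticsearch_xpack_security_enabled": True,
                "user": config.DEFAULT_KIBANA_USER,
                "password": passwords["kibana"],
            }
        },
        timeout_seconds=kibana_timeout,
        wait_for_deployment=False,
        insert_strict_options=False,
    )

    # Verify that it works. Notice that with security enabled, one has to access
    # /service/kibana/login instead of /service/kibana.
    config.check_kibana_adminrouter_integration("service/{}/login".format(kibana_package_name))

    # Uninstall it.
    sdk_install.uninstall(kibana_package_name, kibana_package_name)

    # Disable Elastic security.
    sdk_service.update_configuration(
        package_name,
        service_name,
        {
            "elasticsearch": {"xpack_security_enabled": False},
            "service": {"update_strategy": "parallel"},
        },
        current_expected_task_count,
    )

    # Verify we can read what was written before toggling security, without basic HTTP credentials.
    document_security_disabled = config.get_document(
        index_name, index_type, document_security_disabled_id, service_name=service_name
    )
    assert (
        document_security_disabled["_source"]["name"] == document_security_disabled_fields["name"]
    )

    # Verify we can read what was written when security was enabled, without basic HTTP credentials.
    document_security_enabled = config.get_document(
        index_name, index_type, document_security_enabled_id, service_name=service_name
    )
    assert document_security_enabled["_source"]["name"] == document_security_enabled_fields["name"]

    # Set update_strategy back to serial.
    sdk_service.update_configuration(
        package_name,
        service_name,
        {"service": {"update_strategy": "serial"}},
        current_expected_task_count,
    )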
def test_security_toggle_with_kibana(default_populated_index):
    """Check that documents and Kibana keep working while X-Pack security is toggled.

    One document is written with security off and one with security on (using
    basic HTTP credentials). Kibana is installed, checked and uninstalled in
    both states. Security is then switched off again and both documents are
    read back without credentials, which also shows that disabling security
    lifts the authentication requirement for data indexed while it was on.

    Relies on ``foldered_name`` and ``current_expected_task_count`` being
    defined outside this function.
    """
    index = config.DEFAULT_INDEX_NAME
    doc_type = config.DEFAULT_INDEX_TYPE
    kibana = config.KIBANA_PACKAGE_NAME
    es_user = config.DEFAULT_ELASTICSEARCH_USER

    def _security_options(enabled):
        # Security is toggled under the "parallel" update strategy.
        return {
            "elasticsearch": {"xpack_security_enabled": enabled},
            "service": {"update_strategy": "parallel"},
        }

    # --- Phase 1: security disabled -------------------------------------------------------
    # Commercial APIs are expected to be off by default.
    config.verify_commercial_api_status(False, service_name=foldered_name)

    plain_doc_id = 1
    plain_doc_fields = {"name": "Elasticsearch", "role": "search engine"}
    config.create_document(
        index, doc_type, plain_doc_id, plain_doc_fields, service_name=foldered_name
    )

    # The default license is expected to be "basic".
    config.verify_xpack_license("basic", service_name=foldered_name)

    # Kibana without security: install, check the adminrouter route, remove.
    elasticsearch_url = "http://" + sdk_hosts.vip_host(foldered_name, "coordinator", 9200)
    unsecured_kibana_options = {"kibana": {"elasticsearch_url": elasticsearch_url}}
    sdk_install.install(
        kibana,
        kibana,
        0,
        unsecured_kibana_options,
        timeout_seconds=config.KIBANA_DEFAULT_TIMEOUT,
        wait_for_deployment=False,
        insert_strict_options=False,
    )
    config.check_kibana_adminrouter_integration("service/{}/".format(kibana))
    sdk_install.uninstall(kibana, kibana)

    # --- Phase 2: security enabled --------------------------------------------------------
    sdk_service.update_configuration(
        config.PACKAGE_NAME, foldered_name, _security_options(True), current_expected_task_count
    )

    # Enabling security alone must not enable the commercial APIs.
    config.verify_commercial_api_status(False, service_name=foldered_name)

    config.start_trial_license(service_name=foldered_name)

    # Once passwords exist, every Elasticsearch request needs basic HTTP credentials.
    passwords = config.setup_passwords(foldered_name)
    es_auth = {"http_user": es_user, "http_password": passwords["elastic"]}

    # The trial license should now be active and the commercial APIs available.
    config.verify_xpack_license("trial", service_name=foldered_name, **es_auth)
    config.verify_commercial_api_status(True, service_name=foldered_name, **es_auth)

    secured_doc_id = 2
    secured_doc_fields = {"name": "X-Pack", "role": "commercial plugin"}
    config.create_document(
        index, doc_type, secured_doc_id, secured_doc_fields, service_name=foldered_name, **es_auth
    )

    # Kibana with security: same URL as before, plus the Kibana user's credentials.
    secured_kibana_options = {
        "kibana": {
            "elasticsearch_url": elasticsearch_url,
            "elasticsearch_xpack_security_enabled": True,
            "user": config.DEFAULT_KIBANA_USER,
            "password": passwords["kibana"],
        }
    }
    sdk_install.install(
        kibana,
        kibana,
        0,
        secured_kibana_options,
        timeout_seconds=config.KIBANA_DEFAULT_TIMEOUT,
        wait_for_deployment=False,
        insert_strict_options=False,
    )
    # With security enabled the entry point is /service/kibana/login rather than
    # /service/kibana.
    config.check_kibana_adminrouter_integration("service/{}/login".format(kibana))
    sdk_install.uninstall(kibana, kibana)

    # --- Phase 3: security disabled again -------------------------------------------------
    sdk_service.update_configuration(
        config.PACKAGE_NAME, foldered_name, _security_options(False), current_expected_task_count
    )

    # Both documents must be readable without basic HTTP credentials: first the one written
    # before security was switched on ...
    fetched_plain = config.get_document(index, doc_type, plain_doc_id, service_name=foldered_name)
    assert fetched_plain["_source"]["name"] == plain_doc_fields["name"]

    # ... then the one written while security was on.
    fetched_secured = config.get_document(
        index, doc_type, secured_doc_id, service_name=foldered_name
    )
    assert fetched_secured["_source"]["name"] == secured_doc_fields["name"]

    # Restore the serial update strategy.
    serial_strategy = {"service": {"update_strategy": "serial"}}
    sdk_service.update_configuration(
        config.PACKAGE_NAME, foldered_name, serial_strategy, current_expected_task_count
    )