in x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/crossclusteraccess/CrossClusterAccessHeadersForCcsRestIT.java [507:784]
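/**
 * Role descriptors assigned to the API key in the "with role descriptors" variant of
 * {@link #testApiKeyCrossClusterAccessHeadersSentSingleRemote()}. The same document is used
 * both on creation (nested under {@code role_descriptors}) and on update (sent as-is), so it is
 * defined once to keep the two code paths from drifting apart.
 */
private static final String SINGLE_REMOTE_API_KEY_ROLE_DESCRIPTORS_JSON = """
    {
      "role-a": {
        "index": [
          {
            "names": ["index-a*"],
            "privileges": ["all"]
          }
        ],
        "remote_indices": [
          {
            "names": ["index-a*"],
            "privileges": ["all"],
            "clusters": ["my_remote_cluster*"]
          }
        ],
        "remote_cluster": [
          {
            "privileges": ["monitor_enrich"],
            "clusters": ["my_remote_cluster*"]
          }
        ]
      },
      "role-b": {
        "index": [
          {
            "names": ["index-b*"],
            "privileges": ["all"]
          }
        ],
        "remote_indices": [
          {
            "names": ["index-b*"],
            "privileges": ["all"],
            "clusters": ["my_remote_cluster_b"]
          }
        ],
        "remote_cluster": [
          {
            "privileges": ["monitor_enrich"],
            "clusters": ["my_remote_cluster_b"]
          }
        ]
      }
    }
    """;

/**
 * Verifies the role descriptors carried in the cross-cluster access headers when a CCS request is
 * authenticated with an API key against a single remote cluster.
 * <p>
 * The key is created either with or without its own role descriptors (chosen at random), the
 * headers are checked, the key is then updated to the opposite configuration and the headers are
 * checked again. In both cases the expected intersection always contains the "limited by" role
 * (presumably the key owner's role, restricted to {@code read}/{@code read_cross_cluster} on
 * {@code index-a}); when the key carries its own descriptors the intersection additionally contains
 * the key's base role. That is the property under test: a remote cluster only ever sees the
 * intersection of the key's privileges and its owner's, so a key cannot widen access on the remote
 * beyond what the owner holds.
 *
 * @throws Exception if any REST call or assertion helper fails
 */
public void testApiKeyCrossClusterAccessHeadersSentSingleRemote() throws Exception {
    final boolean createApiKeyWithRoleDescriptors = randomBoolean();
    final Tuple<String, String> apiKeyTuple; // id, encoded
    if (createApiKeyWithRoleDescriptors) {
        apiKeyTuple = createOrGrantApiKey("""
            {
              "name": "my-api-key",
              "role_descriptors": %s
            }
            """.formatted(SINGLE_REMOTE_API_KEY_ROLE_DESCRIPTORS_JSON));
    } else {
        apiKeyTuple = createOrGrantApiKey("""
            {
              "name": "my-api-key"
            }
            """);
    }
    final String apiKeyId = apiKeyTuple.v1();
    final String apiKeyEncoded = apiKeyTuple.v2();

    // First check: headers as sent for the key in its initial configuration.
    testCcsWithApiKeyCrossClusterAccessAuthenticationAgainstSingleCluster(
        CLUSTER_A + "_1",
        apiKeyEncoded,
        expectedSingleRemoteRoleDescriptorsIntersection(createApiKeyWithRoleDescriptors)
    );

    // Update the API key to the opposite configuration:
    // if it was created with role descriptors, remove them, and vice versa.
    final boolean updateApiKeyWithRoleDescriptors = createApiKeyWithRoleDescriptors == false;
    if (updateApiKeyWithRoleDescriptors) {
        updateOrBulkUpdateApiKey(apiKeyId, SINGLE_REMOTE_API_KEY_ROLE_DESCRIPTORS_JSON);
    } else {
        updateOrBulkUpdateApiKey(apiKeyId, """
            { }
            """);
    }

    // Second check: headers must reflect the updated key, against a different remote alias.
    testCcsWithApiKeyCrossClusterAccessAuthenticationAgainstSingleCluster(
        CLUSTER_A + "_2",
        apiKeyEncoded,
        expectedSingleRemoteRoleDescriptorsIntersection(updateApiKeyWithRoleDescriptors)
    );
}

/**
 * Builds the {@link RoleDescriptorsIntersection} expected in the cross-cluster access headers for
 * the single-remote API key scenario.
 *
 * @param apiKeyHasRoleDescriptors whether the API key currently carries its own role descriptors
 * @return the "limited by" role alone when the key has no descriptors, otherwise the key's base role
 *         followed by the "limited by" role
 */
private static RoleDescriptorsIntersection expectedSingleRemoteRoleDescriptorsIntersection(boolean apiKeyHasRoleDescriptors) {
    // Limited-by role: restricted to read-only cross-cluster access on index-a.
    final RoleDescriptor limitedByRole = expectedRemoteUserRoleDescriptor(
        RoleDescriptor.IndicesPrivileges.builder().indices("index-a").privileges("read", "read_cross_cluster").build()
    );
    if (apiKeyHasRoleDescriptors == false) {
        return new RoleDescriptorsIntersection(List.of(Set.of(limitedByRole)));
    }
    // Base API key role: only the descriptor whose "clusters" pattern matches this remote is expected
    // (role-b targets a different alias and is presumably filtered out; this matches the original expectations).
    final RoleDescriptor apiKeyBaseRole = expectedRemoteUserRoleDescriptor(
        RoleDescriptor.IndicesPrivileges.builder().indices("index-a*").privileges("all").build()
    );
    return new RoleDescriptorsIntersection(List.of(Set.of(apiKeyBaseRole), Set.of(limitedByRole)));
}

/**
 * Creates the {@link RoleDescriptor} the remote cluster is expected to receive: the fixed remote-user
 * role name, the {@code monitor_enrich} cluster privilege and exactly one indices-privileges entry.
 *
 * @param indicesPrivileges the single indices-privileges entry of the descriptor
 * @return the expected role descriptor, with every other field unset
 */
private static RoleDescriptor expectedRemoteUserRoleDescriptor(RoleDescriptor.IndicesPrivileges indicesPrivileges) {
    return new RoleDescriptor(
        Role.REMOTE_USER_ROLE_NAME,
        new String[] { "monitor_enrich" },
        new RoleDescriptor.IndicesPrivileges[] { indicesPrivileges },
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null,
        null
    );
}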