NativeRealmIntegTests fail on master and 7.x #79361

Closed
przemekwitek opened this issue Oct 18, 2021 · 1 comment · Fixed by #79415

@przemekwitek
Contributor

Build scan:

https://gradle-enterprise.elastic.co/s/voymlnrgccyq2

Repro line:

REPRODUCE WITH: ./gradlew ':x-pack:plugin:security:internalClusterTest' --tests "org.elasticsearch.xpack.security.authc.esnative.NativeRealmIntegTests.testAddUserAndRoleThenAuth" \
  -Dtests.seed=C99E649FE167748C \
  -Dtests.locale=ms \
  -Dtests.timezone=America/Shiprock \
  -Druntime.java=11


Reproduces locally?:

No

Applicable branches:

master, 7.x

Failure history:

6 failures this year but 3 new ones (today).

Failure excerpt:

13:48:14 org.elasticsearch.xpack.security.authc.esnative.NativeRealmIntegTests > testAddUserAndRoleThenAuth FAILED
13:48:14     java.lang.NullPointerException
13:48:14         at __randomizedtesting.SeedInfo.seed([C99E649FE167748C:919ACE55FC4DCE80]:0)
13:48:14         at org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.getFieldAndDocumentLevelSecurityUsage(IndicesAccessControl.java:72)
13:48:14         at org.elasticsearch.xpack.security.authz.interceptor.DlsFlsLicenseRequestInterceptor.intercept(DlsFlsLicenseRequestInterceptor.java:58)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:479)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:475)
13:48:14         at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:75)
13:48:14         at org.elasticsearch.xpack.security.authz.interceptor.UpdateRequestInterceptor.intercept(UpdateRequestInterceptor.java:27)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:479)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:475)
13:48:14         at org.elasticsearch.xpack.security.authz.interceptor.ResizeRequestInterceptor.intercept(ResizeRequestInterceptor.java:78)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService.runRequestInterceptors(AuthorizationService.java:474)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService.handleIndexActionAuthorizationResult(AuthorizationService.java:464)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorizeAction$11(AuthorizationService.java:395)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:781)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:756)
13:48:14         at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
13:48:14         at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$authorizeIndexAction$3(RBACEngine.java:327)
13:48:14         at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134)
13:48:14         at org.elasticsearch.common.util.concurrent.ListenableFuture.notifyListenerDirectly(ListenableFuture.java:113)
13:48:14         at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:55)
13:48:14         at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:41)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService$CachingAsyncSupplier.getAsync(AuthorizationService.java:828)
13:48:14         at org.elasticsearch.xpack.security.authz.RBACEngine.authorizeIndexAction(RBACEngine.java:318)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService.authorizeAction(AuthorizationService.java:393)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService.maybeAuthorizeRunAs(AuthorizationService.java:326)
13:48:14         at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorize$1(AuthorizationService.java:227)
13:48:14         at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134)
13:48:14         at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
13:48:14         at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$resolveAuthorizationInfo$1(RBACEngine.java:128)
13:48:14         at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134)
13:48:14         at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.lambda$buildThenMaybeCacheRole$14(CompositeRolesStore.java:362)
13:48:14         at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134)
13:48:14         at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.buildRoleFromDescriptors(CompositeRolesStore.java:509)
13:48:14         at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.buildThenMaybeCacheRole(CompositeRolesStore.java:342)
13:48:14         at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.lambda$roles$3(CompositeRolesStore.java:201)
13:48:14         at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134)
13:48:14         at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.lambda$loadRoleDescriptorsAsync$18(CompositeRolesStore.java:412)
13:48:14         at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134)
13:48:14         at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
13:48:14         at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:127)
13:48:14         at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.lambda$loadRoleDescriptorsAsync$21(CompositeRolesStore.java:432)
13:48:14         at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134)
13:48:14         at org.elasticsearch.xpack.security.authz.store.NativeRolesStore.lambda$getRoleDescriptors$5(NativeRolesStore.java:156)
13:48:14         at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134)
13:48:14         at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
13:48:14         at org.elasticsearch.client.node.NodeClient.lambda$executeLocally$0(NodeClient.java:103)
13:48:14         at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:169)
13:48:14         at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:163)
13:48:14         at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
13:48:14         at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$2(SecurityActionFilter.java:146)
13:48:14         at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:217)
13:48:14         at org.elasticsearch.action.get.TransportMultiGetAction$1.finishHim(TransportMultiGetAction.java:123)
13:48:14         at org.elasticsearch.action.get.TransportMultiGetAction$1.onResponse(TransportMultiGetAction.java:106)
13:48:14         at org.elasticsearch.action.get.TransportMultiGetAction$1.onResponse(TransportMultiGetAction.java:98)
13:48:14         at org.elasticsearch.client.node.NodeClient.lambda$executeLocally$0(NodeClient.java:103)
13:48:14         at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:169)
13:48:14         at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:163)
13:48:14         at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31)
13:48:14         at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$2(SecurityActionFilter.java:146)
13:48:14         at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:217)
13:48:14         at org.elasticsearch.action.support.single.shard.TransportSingleShardAction$AsyncSingleAction$2.handleResponse(TransportSingleShardAction.java:240)
@przemekwitek przemekwitek added the >test-failure Triaged test failures from CI label Oct 18, 2021
@tvernum
Contributor

tvernum commented Oct 19, 2021

@ywangd
This looks like it could have come about as a result of your recent changes

13:48:14         at org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.getFieldAndDocumentLevelSecurityUsage(IndicesAccessControl.java:72)
13:48:14         at org.elasticsearch.xpack.security.authz.interceptor.DlsFlsLicenseRequestInterceptor.intercept(DlsFlsLicenseRequestInterceptor.java:58)

@ywangd ywangd self-assigned this Oct 19, 2021
ywangd added a commit to ywangd/elasticsearch that referenced this issue Oct 19, 2021
This PR ensures that AllowAllIndicesAccessControl is able to behave well
for all superclass's methods. Previously it throws NPE when it is asked
about Fls/Dls usage because it has a null index permissions map as a
placeholder. In this PR, we also get rid of the null and also mandate
non-null in the constructor of IndicesAccessControl.

In addition, whether a role has DLS/FLS and whether an
AllowAllIndicesAccessControl should be used for short circuit is
determined more consistently. In both places, whether a group has total
access to all indices is used as part of the criteria. Previously it is
possible that the role reports it has DLS/FLS while the
indicesAccessControl does not have it. This could happen when one of
the groups has DLS/FLS but another group has total access to all indices.
In this case, the code now correctly reports no DLS/FLS in both places.

Resolves: elastic#79361
ywangd added a commit that referenced this issue Oct 19, 2021
elasticsearchmachine pushed a commit that referenced this issue Oct 19, 2021
…9427)

* More robust and consistent allowAll indicesAccessControl (#79415)


* fix for 7.x quirks
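
The failure mode and fix described in the commit message, as an added Java sketch that is not Elasticsearch code: a short-circuit "allow all" subclass that hands its superclass a non-null empty map, plus one shared total-access predicate so the role-level and access-control-level DLS/FLS answers cannot diverge. All class, method and index names are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Added sketch; every class and method name here is hypothetical, not Elasticsearch's.
public class AllowAllSketch {
    // Base access-control object: index name -> "is restricted by DLS/FLS".
    static class AccessControl {
        private final Map<String, Boolean> restricted;
        AccessControl(Map<String, Boolean> restricted) {
            // Fail at construction instead of deep inside an authorization callback.
            this.restricted = Objects.requireNonNull(restricted, "restricted map");
        }
        boolean usesDlsOrFls() { return restricted.containsValue(true); }
    }

    // Short-circuit object: empty map, and an explicit answer for the inherited query.
    static class AllowAll extends AccessControl {
        AllowAll() { super(Map.of()); }
        @Override boolean usesDlsOrFls() { return false; }
    }

    // One index group of a role.
    static class Group {
        final boolean totalAccess, dlsFls;
        Group(boolean totalAccess, boolean dlsFls) { this.totalAccess = totalAccess; this.dlsFls = dlsFls; }
    }

    // Single predicate shared by both decisions below, so they cannot disagree.
    static boolean anyTotalAccess(List<Group> groups) {
        return groups.stream().anyMatch(g -> g.totalAccess);
    }
    static boolean roleHasDlsFls(List<Group> groups) {
        return !anyTotalAccess(groups) && groups.stream().anyMatch(g -> g.dlsFls);
    }
    static AccessControl accessControlFor(List<Group> groups) {
        if (anyTotalAccess(groups)) return new AllowAll();
        return new AccessControl(Map.of("logs-*", roleHasDlsFls(groups))); // constructed index name
    }

    public static void main(String[] args) {
        // Constructed input: one group restricted by DLS/FLS, another with total access.
        List<Group> groups = List.of(new Group(false, true), new Group(true, false));
        System.out.println("role reports DLS/FLS: " + roleHasDlsFls(groups));
        System.out.println("access control reports DLS/FLS: " + accessControlFor(groups).usesDlsOrFls());
        try { new AccessControl(null); }
        catch (NullPointerException e) { System.out.println("null map rejected: " + e.getMessage()); }
    }
}
```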