Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CI] EsqlAsyncSecurityIT testInsufficientPrivilege failing #109806

Closed
DaveCTurner opened this issue Jun 17, 2024 · 5 comments · Fixed by #110305
Closed

[CI] EsqlAsyncSecurityIT testInsufficientPrivilege failing #109806

DaveCTurner opened this issue Jun 17, 2024 · 5 comments · Fixed by #110305
Assignees
@nik9000
Labels
:Analytics/ES|QL AKA ESQL low-risk An open issue or test failure that is a low risk to future releases Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) >test-failure Triaged test failures from CI

Comments

@DaveCTurner
Copy link
Contributor

Build scan:
https://gradle-enterprise.elastic.co/s/7q4i7hkcgs3pw/tests/:x-pack:plugin:esql:qa:security:javaRestTest/org.elasticsearch.xpack.esql.EsqlAsyncSecurityIT/testInsufficientPrivilege

Reproduction line:

./gradlew ':x-pack:plugin:esql:qa:security:javaRestTest' --tests "org.elasticsearch.xpack.esql.EsqlAsyncSecurityIT.testInsufficientPrivilege" -Dtests.seed=6BE610F4610E7615 -Dtests.locale=ar-SA -Dtests.timezone=Australia/Lord_Howe -Druntime.java=17 -Dtests.fips.enabled=true

Applicable branches:
main

Reproduces locally?:
Didn't try

Failure history:
Failure dashboard for org.elasticsearch.xpack.esql.EsqlAsyncSecurityIT#testInsufficientPrivilege

Failure excerpt:

java.lang.AssertionError: 
Expected: a string containing "unauthorized for user [test-admin] run as [metadata1_read2] with effective roles [metadata1_read2] on indices [index-user1], this action is granted by the index privileges [read,all]"
     but: was "method [GET], host [http:https://127.0.0.1:38777], URI [_query/async/FlpMUS1pSkhMVE0teDdGQnhNenphb1EbNXlJcVVhN01SU1c2OVJMT1Q4SEdNdzo1NjI0?wait_for_completion_timeout=60s], status line [HTTP/1.1 404 Not Found]
{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index [.async-search]","resource.type":"index_or_alias","resource.id":".async-search","index_uuid":"_na_","index":".async-search"}],"type":"index_not_found_exception","reason":"no such index [.async-search]","resource.type":"index_or_alias","resource.id":".async-search","index_uuid":"_na_","index":".async-search"},"status":404}"

  at __randomizedtesting.SeedInfo.seed([6BE610F4610E7615:7E9C3F3EA2F6C740]:0)
  at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:18)
  at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:6)
  at org.elasticsearch.test.ESTestCase.assertThat(ESTestCase.java:2275)
  at org.elasticsearch.xpack.esql.EsqlSecurityIT.testInsufficientPrivilege(EsqlSecurityIT.java:145)
  at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(NativeMethodAccessorImpl.java:-2)
  at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
  at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:568)
  at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1758)
  at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:946)
  at com.carrotsearch.randomizedtesting.RandomizedRunner$9.evaluate(RandomizedRunner.java:982)
  at com.carrotsearch.randomizedtesting.RandomizedRunner$10.evaluate(RandomizedRunner.java:996)
  at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
  at org.junit.rules.RunRules.evaluate(RunRules.java:20)
  at org.apache.lucene.tests.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:48)
  at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
  at org.apache.lucene.tests.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:45)
  at org.apache.lucene.tests.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:60)
  at org.apache.lucene.tests.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:44)
  at org.junit.rules.RunRules.evaluate(RunRules.java:20)
  at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
  at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:390)
  at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:843)
  at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:490)
  at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:955)
  at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:840)
  at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:891)
  at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:902)
  at org.elasticsearch.test.cluster.local.DefaultLocalElasticsearchCluster$1.evaluate(DefaultLocalElasticsearchCluster.java:47)
  at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
  at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
  at org.apache.lucene.tests.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:38)
  at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
  at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
  at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
  at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
  at org.apache.lucene.tests.util.TestRuleAssertionsRequired$1.evaluate(TestRuleAssertionsRequired.java:53)
  at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
  at org.apache.lucene.tests.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:44)
  at org.apache.lucene.tests.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:60)
  at org.apache.lucene.tests.util.TestRuleIgnoreTestSuites$1.evaluate(TestRuleIgnoreTestSuites.java:47)
  at org.junit.rules.RunRules.evaluate(RunRules.java:20)
  at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
  at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:390)
  at com.carrotsearch.randomizedtesting.ThreadLeakControl.lambda$forkTimeoutingTask$0(ThreadLeakControl.java:850)
  at java.lang.Thread.run(Thread.java:833)
@DaveCTurner DaveCTurner added :Analytics/ES|QL AKA ESQL >test-failure Triaged test failures from CI labels Jun 17, 2024
DaveCTurner added a commit that referenced this issue Jun 17, 2024
@DaveCTurner
AwaitsFix: #109806
1153c5b
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-analytical-engine (Team:Analytics)

@elasticsearchmachine elasticsearchmachine added Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) needs:risk Requires assignment of a risk label (low, medium, blocker) labels Jun 17, 2024
DaveCTurner added a commit that referenced this issue Jun 19, 2024
@DaveCTurner
AwaitsFix: #109806
b1fadd8
@wchaparro wchaparro added low-risk An open issue or test failure that is a low risk to future releases and removed needs:risk Requires assignment of a risk label (low, medium, blocker) labels Jun 21, 2024
@nik9000 nik9000 self-assigned this Jun 25, 2024
@nik9000
Copy link
Member

nik9000 commented Jun 27, 2024

Gradle says:

[2024-06-16T14:51:12,102][INFO ][o.e.x.e.EsqlAsyncSecurityIT] [testInsufficientPrivilege] REQUEST=Request{method='POST', endpoint='_query/async', entity=[Content-Type: application/json; charset=UTF-8,Content-Length: 231,Chunked: false], options=RequestOptions{headers=es-security-runas-user: metadata1_read2}}
[2024-06-16T14:51:12,103][INFO ][o.e.x.e.EsqlAsyncSecurityIT] [testInsufficientPrivilege] REQUEST body={query=FROM index-user1,index-user2 | STATS sum=sum(value) | limit 10000000, keep_on_completion=true, wait_for_completion_timeout=913nanos, pragma={enrich_max_workers=5, data_partitioning=segment, page_size=1}}
[2024-06-16T14:51:12,115][INFO ][o.e.x.e.EsqlAsyncSecurityIT] [testInsufficientPrivilege] RESPONSE=Response{requestLine=POST _query/async HTTP/1.1, host=http:https://127.0.0.1:38777, response=HTTP/1.1 200 OK}
[2024-06-16T14:51:12,115][INFO ][o.e.x.e.EsqlAsyncSecurityIT] [testInsufficientPrivilege] REQUEST=Request{method='GET', endpoint='_query/async/FlpMUS1pSkhMVE0teDdGQnhNenphb1EbNXlJcVVhN01SU1c2OVJMT1Q4SEdNdzo1NjI0?wait_for_completion_timeout=60s', options=RequestOptions{headers=es-security-runas-user: metadata1_read2}}

@nik9000
Copy link
Member

nik9000 commented Jun 27, 2024

It looks to me like the request in question timed out waiting for the planning of the index to finish but then retried fast enough that the .async_search index had yet to be created. That, or it isn't allowed to access it. I'm not sure which one is more likely.

And I can't reproduce locally.

@nik9000
Copy link
Member

nik9000 commented Jun 27, 2024

Looks to only fail a couple of % of the time. Going to run it in a loop with iters

@nik9000
Copy link
Member

nik9000 commented Jun 27, 2024

Ha! Reproduced:

    {"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index [.async-search]","resource.type":"index_or_alias","resource.id":".async-search","index_uuid":"_na_","index":".async-search"}],"type":"index_not_found_exception","reason":"no such index [.async-search]","resource.type":"index_or_alias","resource.id":".async-search","index_uuid":"_na_","index":".async-search"},"status":404}"

nik9000 added a commit to nik9000/elasticsearch that referenced this issue Jun 29, 2024
@nik9000
ESQL: Reenable test
c1764ab 
We have a security test that fails one every thousand or so runs because
it runs an async esql action and *sometimes* it requests the async
result and the index does not yet exist. This retries. I think there's
probably a better solution, but for now I'm going to fix the test and
open an issue to track that.

Closes elastic#109806
This was referenced Jun 29, 2024
Open
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nik9000 nik9000

Labels
:Analytics/ES|QL AKA ESQL low-risk An open issue or test failure that is a low risk to future releases Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) >test-failure Triaged test failures from CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ESQL: Reenable test nik9000/elasticsearch
4 participants
@nik9000 @DaveCTurner @wchaparro @elasticsearchmachine