Completed release candidate testing build 2611/3015 #1800

Closed
Tracked by #1642 ...
peternied opened this issue Apr 27, 2022 · 9 comments

peternied commented Apr 27, 2022

Run through all of the test scenarios to validate the security plugin functionality

Configuration files

  1. Before starting the cluster, add a role to roles.yml and a tenant to tenants.yml.
  2. Start the cluster.
  3. Open Dashboards and log in.
  4. Security / Roles / Verify that the role exists.
  5. Tenants / Verify that the tenant exists.

Create users

  1. Open Dashboards and log in as admin.
  2. Security / Internal User Database / Add a new internal user.
  3. Provide a username and password.
  4. Provide a backend role and a user attribute. [No backend role]
  5. Submit.
  6. Verify that the user is created.

Create role

  1. Open Dashboards and log in as admin.
  2. If you haven’t added any data, add the sample flight data.
  3. Security / Roles / Add a new role.
  4. Cluster Permissions / Add Permissions: Action Groups / read., indices:data/read/search*
  5. Index Permissions / Add index permission / opensearch_dashboards_sample_data_flights*
  6. Add Permissions: Action Groups / read., indices:data/read/search*
  7. For Document Level Security Query, enter: {"match": {"FlightDelay": true}}
  8. For Anonymize fields, enter: FlightNum
  9. Tenant Permissions / Add tenant permissions / Add tenant pattern / Specify the tenant that you created earlier
  10. Permissions / Add Field / kibana_all_read
  11. Save Role Definition.
  12. Verify that the role is created.

Map Role

  1. Open Dashboards and log in as admin.
  2. Security / Role Mappings / kibana_user
  3. Add User / Specify the user you created earlier / Submit
  4. Add a new role mapping / Choose the role you created earlier
  5. Add User / Specify the user you created earlier / Submit.

Create Index Pattern

  1. Change the tenant of the admin to newly created tenant
  2. Add the index pattern by clicking discover tab
  3. Discover / Add an index pattern: opensearch_dashboards_sample_data_flights
  4. Next step / timestamp / Create index pattern
  5. Move to Dashboards Basics to verify that the mappings worked and the roles are working as expected.

Dashboards Basics

  1. Open Dashboards in an Incognito window and log in as the user you created earlier.
  2. Explore on my own
  3. DevTools:

    GET opensearch_dashboards_sample_data_flights/_search
    {
      "query": {
        "match_all": {}
      }
    }

  4. Verify that you have fewer than 10,000 hits. When I wrote this, I had 3,280 hits, all of which had “FlightDelay”: true (expected).
  5. Verify that FlightNum is anonymized.

Multi-tenancy

  1. Create Dashboard with admin and new tenant.
  2. Check if new Dashboard is visible to the new user

Running with dev-tool requests

For creating tenant, user, role and role mapping

PUT _plugins/_security/api/tenants/security-test-tenant
{
  "description": "A tenant for security testing."
}
PUT _plugins/_security/api/internalusers/test-01
{
  "password": "abcd1234"
}
PUT _plugins/_security/api/roles/security-test-role
{
  "cluster_permissions" : [
    "read"
  ],
  "index_permissions" : [
    {
      "index_patterns" : [
        "opensearch_dashboards_sample_data_flights*"
      ],
      "dls" : """ {"match": {"FlightDelay": true}}""",
      "fls" : [ ],
      "masked_fields" : [
        "FlightNum"
      ],
      "allowed_actions" : [
        "read"
      ]
    }
  ],
  "tenant_permissions" : [
    {
      "tenant_patterns" : [
        "security-test-tenant"
      ],
      "allowed_actions" : [
        "kibana_all_read"
      ]
    }
  ]
}
PUT _plugins/_security/api/rolesmapping/security-test-role
{
  "users" : [ "test-01" ]
}

peternied changed the title from "Completed release candidate testing build #TBD." to "Completed release candidate testing build 3015" on Apr 27, 2022

peternied commented Apr 27, 2022

Used the following binaries for testing:

Configuration files

  1. Before starting the cluster, add a role to roles.yml and a tenant to tenants.yml.
  2. Start the cluster.
  3. Open Kibana and log in.
  4. Security / Roles / Verify that the role exists.
  5. Tenants / Verify that the tenant exists.

Added to roles.yml:

petern_role:
  reserved: true
  index_permissions:
    - index_patterns:
        - 'bob'

Added to tenants.yml:

petern_test_tenant:
  reserved: false
  description: "Test tenant for testing"

Used ./opensearch-tar-install.sh to start the cluster

OpenSearch Cluster is operational ✅

% curl -k "https://admin:admin@localhost:9200/_cat/health?v"
epoch      timestamp cluster    status node.total node.data discovered_cluster_manager shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1651083177 18:12:57  opensearch yellow          1         1                       true      3   3    0    0        1             0                  -                 75.0%

OpenSearch Dashboard is operational ✅

Navigated to `http://localhost:5601`, signed in with `admin` `admin` permissions, was navigated to http://localhost:5601/app/home#/

Look for the role that was created in the yml ✅

* Opened `Security` from the side menu navigated to http://localhost:5601/app/security-dashboards-plugin#/app/security-dashboards-plugin/getstarted
* Clicked `Role` on the side bar, navigated to http://localhost:5601/app/security-dashboards-plugin#/roles
* Role `petern_role` was present

Look for the tenant that was created in the yml ✅

* Clicked `Tenants` on the side bar, navigated to http://localhost:5601/app/security-dashboards-plugin#/tenants
* Role `petern_test_tenant` was present

✅ Configuration works as expected

peternied commented

Create users

  1. Open Dashboards and log in as admin.
  2. Security / Internal User Database / Add a new internal user.
  3. Provide a username and password.
  4. Provide a backend role and a user attribute. [No backend role]
  5. Submit.
  6. Verify that the user is created.

As an admin user, created the user on http://localhost:5601/app/security-dashboards-plugin#/users
Created an Incognito browser window and signed in as the newly created user, landed on the welcome permissions

✅ Create users works as expected

peternied commented

Create role

  1. Open Dashboards and log in as admin.
  2. If you haven’t added any data, add the sample flight data.
  3. Security / Roles / Add a new role.
  4. Cluster Permissions / Add Permissions: Action Groups / read., indices:data/read/search*
  5. Index Permissions / Add index permission / opensearch_dashboards_sample_data_flights*
  6. Add Permissions: Action Groups / read., indices:data/read/search*
  7. For Document Level Security Query, enter: {"match": {"FlightDelay": true}}
  8. For Anonymize fields, enter: FlightNum
  9. Tenant Permissions / Add tenant permissions / Add tenant pattern / Specify the tenant that you created earlier
  10. Permissions / Add Field / kibana_all_read
  11. Save Role Definition.
  12. Verify that the role is created.

Navigated to http://localhost:5601/app/opensearch_dashboards_overview#/

✅ Create role works as expected

peternied commented

Map Role

  1. Open Dashboards and log in as admin.
  2. Security / Role Mappings / kibana_user
  3. Add User / Specify the user you created earlier / Submit
  4. Add a new role mapping / Choose the role you created earlier
  5. Add User / Specify the user you created earlier / Submit.

Go to http://localhost:5601/app/security-dashboards-plugin#/roles/view/New_role
Click mapped users
Click map user
Add a user petern
Click Map

✅ Map Role works as expected

peternied commented

Create Index Pattern

  1. Change the tenant of the admin to newly created tenant
  2. Add the index pattern by clicking discover tab
  3. Discover / Add an index pattern: opensearch_dashboards_sample_data_flights
  4. Next step / timestamp / Create index pattern
  5. Move to Dashboards Basics to verify that the mappings worked and the roles are working as expected.

Switched to petern_test_tenant as the admin user
Needed to get sample data via http://localhost:5601/app/home#/tutorial_directory

✅ Create Index Pattern works as expected

peternied commented

Dashboards Basics

  1. Open Dashboards in an Incognito window and log in as the user you created earlier.
  2. Explore on my own
  3. DevTools:

    GET opensearch_dashboards_sample_data_flights/_search
    {
      "query": {
        "match_all": {}
      }
    }

  4. Verify that you have fewer than 10,000 hits. When I wrote this, I had 3,280 hits, all of which had “FlightDelay”: true (expected).
  5. Verify that FlightNum is anonymized.

Number of hits that match:

GET opensearch_dashboards_sample_data_flights/_search?filter_path=hits.total.value
{
  "query": {
    "match_all": {}
  }
}

Response ✅

{
  "hits" : {
    "total" : {
      "value" : 3280
    }
  }
}

Looking at the FlightNum field:

GET opensearch_dashboards_sample_data_flights/_search?filter_path=hits.hits._source.FlightNum
{
  "query": {
    "match_all": {}
  }
}

Response ✅

{
  "hits" : {
    "hits" : [
      {
        "_source" : {
          "FlightNum" : "cb9a6abeadc566b9114e35dcc7ed0bb4fff1c11d76c2ee87e63ecfc7cc1fd1cf"
        }
      },
      {
        "_source" : {
          "FlightNum" : "0852d2f9b310ae589cd9d13bf4c1ce69a2c74f3d0e111065851104c4073443bd"
        }
      },
      {
        "_source" : {
          "FlightNum" : "a90608f7ce7796041affed20144472e360c0124f322d55350de8ad8e9271ea89"
        }
      },
      {
        "_source" : {
          "FlightNum" : "fd96089bf3dda2afaec2924c18fb20f5165b55bf6e854aad9b1db830af546f6f"
        }
      },
      {
        "_source" : {
          "FlightNum" : "fd5a23f895b93476854afe46f531e27912e721c2fdbc0103f17d6b13592b4e9c"
        }
      },
      {
        "_source" : {
          "FlightNum" : "eadafce25028ad5abc215360b4c296e808d931d5c193e8820153b7798fbbb43d"
        }
      },
      {
        "_source" : {
          "FlightNum" : "c37377380e2bf54ee38b6fb835666c5cf490c2982757f7a7ae84a682716a7768"
        }
      },
      {
        "_source" : {
          "FlightNum" : "9dfe98c49654c5f98612c8791ee0b6789ed44f911f2c485e86ae13625b0d6d85"
        }
      },
      {
        "_source" : {
          "FlightNum" : "18f08d4175b9e26e1b1d972c17998635d4d2544f7f49604952e52c4be280c8e0"
        }
      },
      {
        "_source" : {
          "FlightNum" : "38f19a0b4d20e0620c133c1b479efae9cb4e46c228e49f443066799feb153906"
        }
      }
    ]
  }
}

✅ Dashboards Basics works as expected
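
The Dashboards Basics checks above (hit count under 10,000, every hit has `FlightDelay` true, `FlightNum` anonymized) can be automated against a saved `_search` response. This is an added example, not part of the original issue or the security plugin's code; the function name, the sample responses and the 64-hex pattern for a masked value (taken from the shape of the response shown above) are assumptions.

```python
import re

# Assumption: a masked value is 64 lowercase hex characters, the shape seen in
# the response above; adjust if the cluster uses a different masking hash.
MASKED = re.compile(r"[0-9a-f]{64}")

def audit_search_response(resp, dls_field="FlightDelay", masked_field="FlightNum"):
    """Return findings for a _search response; an empty list means the checks held."""
    findings = []
    total = resp.get("hits", {}).get("total", {}).get("value")
    if total is not None and total >= 10000:
        findings.append(f"hits.total.value={total}: DLS filter does not appear to apply")
    hits = resp.get("hits", {}).get("hits", [])
    if not hits:
        # Zero hits proves nothing: the user may just lack read access.
        findings.append("no hits returned; cannot confirm DLS or masking")
    for hit in hits:
        doc_id, src = hit.get("_id", "?"), hit.get("_source", {})
        if src.get(dls_field) is not True:
            findings.append(f"{doc_id}: {dls_field}={src.get(dls_field)!r} passed the DLS query")
        value = src.get(masked_field)
        if not (isinstance(value, str) and MASKED.fullmatch(value)):
            findings.append(f"{doc_id}: {masked_field}={value!r} is not masked")
    return findings

# Constructed sample responses (not captured from a real cluster).
GOOD = {"hits": {"total": {"value": 3280}, "hits": [
    {"_id": "doc-1", "_source": {"FlightDelay": True, "FlightNum": "ab" * 32}},
    {"_id": "doc-2", "_source": {"FlightDelay": True, "FlightNum": "0f" * 32}},
]}}
BAD = {"hits": {"total": {"value": 10000}, "hits": [
    {"_id": "doc-1", "_source": {"FlightDelay": True, "FlightNum": "ab" * 32}},
    {"_id": "doc-3", "_source": {"FlightDelay": False, "FlightNum": "EXAMPLE1"}},
]}}

if __name__ == "__main__":
    for name, resp in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_search_response(resp) or "ok")
```

Run the unfiltered `match_all` query as the restricted user and pass the parsed JSON to `audit_search_response`; a response narrowed with `filter_path` to `FlightNum` alone would report every hit as missing `FlightDelay`.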

peternied commented

Multi-tenancy

  1. Create Dashboard with admin and new tenant.
  2. Check if new Dashboard is visible to the new user
  • Created new tenant as an admin
  • User petern cannot see the tenant via the switch tenant UX

✅ Multi-tenancy works as expected

peternied commented

Running security api with dev-tool requests

For creating tenant, user, role and role mapping

As an admin user making the following calls:

Create tenant

Request

PUT _plugins/_security/api/tenants/security-test-tenant
{
  "description": "A tenant for security testing."
}

Response ✅

{
  "status" : "CREATED",
  "message" : "'security-test-tenant' created."
}

Create User

Request:

PUT _plugins/_security/api/internalusers/test-01
{
  "password": "abcd1234"
}

Response ✅

{
  "status" : "CREATED",
  "message" : "'test-01' created."
}

Create role

Request

PUT _plugins/_security/api/roles/security-test-role
{
  "cluster_permissions" : [
    "read"
  ],
  "index_permissions" : [
    {
      "index_patterns" : [
        "opensearch_dashboards_sample_data_flights*"
      ],
      "dls" : """ {"match": {"FlightDelay": true}}""",
      "fls" : [ ],
      "masked_fields" : [
        "FlightNum"
      ],
      "allowed_actions" : [
        "read"
      ]
    }
  ],
  "tenant_permissions" : [
    {
      "tenant_patterns" : [
        "security-test-tenant"
      ],
      "allowed_actions" : [
        "kibana_all_read"
      ]
    }
  ]
}

Response ✅

{
  "status" : "CREATED",
  "message" : "'security-test-role' created."
}

Create role mapping

Request

PUT _plugins/_security/api/rolesmapping/security-test-role
{
  "users" : [ "test-01" ]
}

Response ✅

{
  "status" : "CREATED",
  "message" : "'security-test-role' created."
}

✅ Running security api with dev-tool requests works as expected


peternied commented Apr 27, 2022

All results are working as expected.

peternied changed the title from "Completed release candidate testing build 3015" to "Completed release candidate testing build 2611/3015" on Apr 27, 2022