Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CI] FullClusterRestartIT testWatcherWithApiKey {cluster=UPGRADED} failing #119396

Closed
elasticsearchmachine opened this issue Dec 31, 2024 · 5 comments
Assignees
Labels
needs:risk Requires assignment of a risk label (low, medium, blocker) :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team >test-failure Triaged test failures from CI

Comments

@elasticsearchmachine
Copy link
Collaborator

elasticsearchmachine commented Dec 31, 2024

Build Scans:

Reproduction Line:

./gradlew ":x-pack:qa:full-cluster-restart:v8.17.1#bwcTest" -Dtests.class="org.elasticsearch.xpack.restart.FullClusterRestartIT" -Dtests.method="testWatcherWithApiKey {cluster=UPGRADED}" -Dtests.seed=DA2966653E6F6196 -Dtests.bwc=true -Dtests.locale=mai-Deva-IN -Dtests.timezone=America/Guayaquil -Druntime.java=23

Applicable branches:
8.x

Reproduces locally?:
N/A

Failure History:
See dashboard

Failure Message:

java.lang.AssertionError: version increased: [true], executed: [false]
Expected: is <true>
     but: was <false>

Issue Reasons:

  • [8.x] 2 consecutive failures in step 7.5.2_bwc
  • [8.x] 5 failures in test testWatcherWithApiKey {cluster=UPGRADED} (0.7% fail rate in 744 executions)
  • [8.x] 2 failures in step 7.5.2_bwc (100.0% fail rate in 2 executions)
  • [8.x] 3 failures in pipeline elasticsearch-periodic (30.0% fail rate in 10 executions)

Note:
This issue was created using new test triage automation. Please report issues or feedback to es-delivery.

@elasticsearchmachine elasticsearchmachine added :Delivery/Build Build or test infrastructure >test-failure Triaged test failures from CI Team:Delivery Meta label for Delivery team needs:risk Requires assignment of a risk label (low, medium, blocker) labels Dec 31, 2024
@elasticsearchmachine
Copy link
Collaborator Author

Pinging @elastic/es-delivery (Team:Delivery)

@mark-vieira
Copy link
Contributor

Same as #119259

@mark-vieira mark-vieira reopened this Jan 2, 2025
@mark-vieira mark-vieira added :Data Management/Watcher and removed :Delivery/Build Build or test infrastructure labels Jan 2, 2025
@elasticsearchmachine elasticsearchmachine added Team:Data Management Meta label for data/management team and removed Team:Delivery Meta label for Delivery team labels Jan 2, 2025
@elasticsearchmachine
Copy link
Collaborator Author

Pinging @elastic/es-data-management (Team:Data Management)

@elasticsearchmachine
Copy link
Collaborator Author

This has been muted on branch 8.x

Mute Reasons:

  • [8.x] 2 consecutive failures in step 7.5.2_bwc
  • [8.x] 5 failures in test testWatcherWithApiKey {cluster=UPGRADED} (0.7% fail rate in 744 executions)
  • [8.x] 2 failures in step 7.5.2_bwc (100.0% fail rate in 2 executions)
  • [8.x] 3 failures in pipeline elasticsearch-periodic (30.0% fail rate in 10 executions)

Build Scans:

elasticsearchmachine added a commit that referenced this issue Jan 3, 2025
@lukewhiting lukewhiting added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) and removed :Data Management/Watcher labels Jan 7, 2025
@elasticsearchmachine elasticsearchmachine added Team:Security Meta label for security team and removed Team:Data Management Meta label for data/management team labels Jan 7, 2025
@elasticsearchmachine
Copy link
Collaborator Author

Pinging @elastic/es-security (Team:Security)

@n1v0lg n1v0lg self-assigned this Jan 7, 2025
elasticsearchmachine pushed a commit that referenced this issue Jan 10, 2025
This PR addresses an issue where legacy API keys fail consistency checks
because they include synthetic role names. 

We removed synthetic role names with
#56005. We added
consistency checks sometime later to enforce no role names, with
#93894 in `8.8.0`. 

Rather than relaxing our consistency checks, this PR tweaks
de-serialization logic to strip out role names when appropriate. This
has the advantage that we maintain the invariant the consistency check
is meant to enforce.

Note that this does not manifest in production: outside of RCS 2.0, we
only execute consistency checks with assertions enabled. For RCS 2.0, an
API key would require `remote_indices` privileges to ever be sent cross
cluster and go through consistency checks. These were introduced after
we've stopped including role names in API keys so it's not a real issue
either.

Closes: #119259 Closes:
#119435 Closes:
#119434 Closes:
#119433  Closes:
#119424 Closes:
#119423 Closes:
#119422 Closes:
#119396 Closes:
#119395 Closes:
#119394 Closes:
#119393
@n1v0lg n1v0lg closed this as completed Jan 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs:risk Requires assignment of a risk label (low, medium, blocker) :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team >test-failure Triaged test failures from CI
Projects
None yet
Development

No branches or pull requests

4 participants