Unit tests for index and cluster privileges

[albertzaharovits]

Lately, see #50489 (comment) and #50643 we've learned that we miss unit test cases for index and cluster privileges. Right now we test them in the integ tests , IndexPrivilegeTests and ClusterPrivilegeTests, but we need to test which actions a privilege grants without having to start a cluster node and create a role and an user; these tests are more suited for a mix of privileges/roles to test the full authorization mechanism.

I think we need a new class of tests, modeled after the AuthorizationServiceTests, where we can pick on every privilege and every index (and cluster) action.

[elasticmachine]

Pinging @elastic/es-security (:Security/Authorization)

[amirhmd]

hi @albertzaharovits is this ready to pick up?

[albertzaharovits]

Hi @amirhmd , yes, I have assigned it to you.

Upon looking closer, I think it's better to base the new privileges unit tests upon the IndicesPermission class instead of AuthorizationService. You can follow as an example the IndicesPermissionTests. I've changed my mind because the AuthorizationService deals with actions as well as the requests (and the index names contained in those requests) that trigger those actions; it's at a higher level than what a test suite for actions and privileges is concerned about.

I would start by creating a test for a certain cluster privilege (eg monitor) and then run the IndicesPermission#authorize through a list of action names. You can get a list of action names by looking at subclasses of ActionType, eg DeleteDatafeedAction#NAME. It's not yet clear to me how best to construct this list, we'll need to experiment a bit.
But, given that actions can spawn sub-actions, which have a related name, but which are not described anywhere in the action definition (they are a consequence of how the action is coded) we would still need integration tests to assure a privilege is enough to successfully run certain actions. Yet this is not a privilege test, it is an action test, and writing these privilege unit tests would allow us to learn which actions require further integration tests.

[amirhmd]

Thanks @albertzaharovits for the explanation. will ping you if I have a question.