Skip to content

[RORDEV_2109] reproduction#104

Open
coutoPL wants to merge 2 commits into
masterfrom
support/RORDEV-2109
Open

[RORDEV_2109] reproduction#104
coutoPL wants to merge 2 commits into
masterfrom
support/RORDEV-2109

Conversation

@coutoPL

@coutoPL coutoPL commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Running

cd ror-demo-cluster && ./clean.sh && ./run.sh

You can change ROR and ES/KBN versions in the .env-showcase file.

Summary by CodeRabbit

  • New Features

    • Added a remote Elasticsearch cluster setup for cross-cluster search testing.
    • Included a helper script to initialize remote test indices and verify search behavior.
    • Expanded seeded test data with additional index patterns for remote search scenarios.
  • Bug Fixes

    • Updated demo access rules to use explicit credentials-based policies.
    • Adjusted startup timing so initialization waits only for the main search cluster.
    • Enabled remote search access with a permissive rule set for test workflows.
  • Chores

    • Updated showcase versions and binary download settings to the latest release set.

@coderabbitai

This comment was marked as spam.

coderabbitai[bot]

This comment was marked as off-topic.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ror-demo-cluster/conf/es/readonlyrest.yml`:
- Around line 14-32: The demo ACL credentials are inconsistent: the rules in
readonlyrest.yml only match user1:test and user2:test, while test-remote-ccs.sh
authenticates as user:test, so the intended Test remote/local allow and forbid
paths never trigger. Update the relevant ACL entries in the readonlyrest
configuration to use the same username as the script, and verify the matching
rules still separate the remote and local cases through the existing Test
remote, Test remote (forbid), Test local, and Test local (forbid) blocks.
- Around line 14-16: The “Test remote” ACL block currently groups all index
patterns under a single rule, but the probes in test-remote-ccs.sh are
differentiated by the test header value. Update the readonlyrest.yml rule by
adding a headers matcher keyed on the test header and split the index patterns
into separate ACL entries so each test:$x case maps to its own rule. Keep the
existing auth_key on the Test remote rule and use the rule name plus headers
matcher to locate the right block.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 65aebc77-aa69-432b-8f0e-f9faf67dc4cd

📥 Commits

Reviewing files that changed from the base of the PR and between c578b9b and 3227742.

📒 Files selected for processing (4)
  • ror-demo-cluster/.env-showcase
  • ror-demo-cluster/conf/es/readonlyrest.yml
  • ror-demo-cluster/docker-compose.yml
  • shared/init-scripts/init.sh
💤 Files with no reviewable changes (1)
  • ror-demo-cluster/docker-compose.yml

Comment on lines +14 to +16
- name: "Test remote"
auth_key: user1:test
indices: ["*:asdasd", "*:*asdasd", "*:asdasd*", "*:*asdasd*"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== files ==\n'
git ls-files 'ror-demo-cluster/conf/es/readonlyrest.yml' 'ror-demo-cluster/*test-remote-ccs.sh' 'ror-demo-cluster/**/test-remote-ccs.sh' 'ror-demo-cluster/**readonlyrest*' | sed 's#^`#-` #'

printf '\n== readonlyrest.yml (selected) ==\n'
cat -n ror-demo-cluster/conf/es/readonlyrest.yml | sed -n '1,120p'

printf '\n== search for test header / test-remote-ccs ==\n'
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' 'test-remote-ccs|test:\$|headers|indices:' ror-demo-cluster

Repository: beshu-tech/ror-sandbox

Length of output: 2068


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== test-remote-ccs.sh (selected) ==\n'
cat -n ror-demo-cluster/test-remote-ccs.sh | sed -n '1,120p'

printf '\n== headers matcher / test header references in repo ==\n'
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' 'headers:|test:\$x|test:\$|header.*test|X-.*test' ror-demo-cluster

Repository: beshu-tech/ror-sandbox

Length of output: 2932


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== es-remote readonlyrest config ==\n'
cat -n ror-demo-cluster/conf/es-remote/readonlyrest.yml | sed -n '1,220p'

printf '\n== all readonlyrest configs mentioning Test remote or headers ==\n'
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' 'Test remote|headers:|header:' ror-demo-cluster/conf

Repository: beshu-tech/ror-sandbox

Length of output: 1019


Split the Test remote rule by test header

ror-demo-cluster/conf/es/readonlyrest.yml:14-16 groups all four index patterns under one ACL block, but ror-demo-cluster/test-remote-ccs.sh uses test:$x to distinguish the probes. Without a headers matcher, every request hits the same rule set, so the per-pattern cases can’t be exercised independently.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ror-demo-cluster/conf/es/readonlyrest.yml` around lines 14 - 16, The “Test
remote” ACL block currently groups all index patterns under a single rule, but
the probes in test-remote-ccs.sh are differentiated by the test header value.
Update the readonlyrest.yml rule by adding a headers matcher keyed on the test
header and split the index patterns into separate ACL entries so each test:$x
case maps to its own rule. Keep the existing auth_key on the Test remote rule
and use the rule name plus headers matcher to locate the right block.

Comment on lines +14 to +32
- name: "Test remote"
auth_key: user1:test
indices: ["*:asdasd", "*:*asdasd", "*:asdasd*", "*:*asdasd*"]

- username: user1
- name: "Test remote (forbid)"
type:
policy: forbid
response_message: "test"
auth_key: user1:test
groups:
- id: "EndUsers"
name: "End Users"
- id: "BusinessUsers"
name: "Business Users"

- username: user2
- name: "Test local"
auth_key: user2:test
groups:
- id: "EndUsers"
name: "End Users"
indices: ["asdasd", "*asdasd", "asdasd*", "*asdasd*"]

- username: "*"
ror_kbn_auth:
name: "kbn1"
groups: ["*"]
groups:
- local_group:
id: "EndUsers"
name: "End Users"
external_group_ids: [ "extEndUsers" ]
- local_group:
id: "BusinessUsers"
name: "Business Users"
external_group_ids: [ "extBusinessUsers" ]
- name: "Test local (forbid)"
type:
policy: forbid
response_message: "test"
auth_key: user2:test

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm the credentials used across the CCS demo files.
rg -n --no-heading -e 'auth_key' ror-demo-cluster/conf/es/readonlyrest.yml
rg -n --no-heading -e '-u [a-zA-Z0-9]+:' ror-demo-cluster/test-remote-ccs.sh ror-demo-cluster/conf/es-remote/init-remote-indices.sh

Repository: beshu-tech/ror-sandbox

Length of output: 748


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant ACL block with line numbers.
sed -n '1,120p' ror-demo-cluster/conf/es/readonlyrest.yml | cat -n

printf '\n---\n'

# Inspect the test script around the CCS calls.
sed -n '1,120p' ror-demo-cluster/test-remote-ccs.sh | cat -n

printf '\n---\n'

# Search for any other ACL/auth_key entries that could match user:test.
rg -n --no-heading 'auth_key:|policy: forbid|name: "Admins"|name: "Test ' ror-demo-cluster/conf/es/readonlyrest.yml

Repository: beshu-tech/ror-sandbox

Length of output: 3958


Align the demo credentials

test-remote-ccs.sh authenticates as user:test, but these ACLs only allow user1:test and user2:test. As written, the script won’t match the intended Test remote/local rules, so the allow/forbid paths never get exercised.

Use the same username on both sides.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ror-demo-cluster/conf/es/readonlyrest.yml` around lines 14 - 32, The demo ACL
credentials are inconsistent: the rules in readonlyrest.yml only match
user1:test and user2:test, while test-remote-ccs.sh authenticates as user:test,
so the intended Test remote/local allow and forbid paths never trigger. Update
the relevant ACL entries in the readonlyrest configuration to use the same
username as the script, and verify the matching rules still separate the remote
and local cases through the existing Test remote, Test remote (forbid), Test
local, and Test local (forbid) blocks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant