[CI] Use INTEG_TEST distribution in FIPS 140 testing when possible #70005
Comments
Pinging @elastic/es-security (Team:Security)
I don't fully understand the conversation in #66820. But is the proposal to just allow extra xpack settings but make them no-op? If so, why don't we just stop running FIPS for these tests at all? Also, FIPS is a bit of a cross-cutting mode. So even if a test does not seem to use it directly, is it possible that they would still fail in FIPS mode? A not-great example is the md5 hasher used for fingerprint ingestion processor. I know md5 is still allowed by BC-FIPS, but assume it is not. If it uses the
There is no proposal in this issue. The issue tracks the need to look into using INTEG_TEST distribution as much as we can and the proposal will come from that investigation. For the question you raise, I think we'd need to not set I'm not sure what the argument is with "using FIPS mode", are you talking about the security provider? If so, I don't think we'll end up suggesting not using the security provider in FIPS mode.
Thanks for the clarification. My questions are not well formulated and they are based on my misunderstanding of the conversation in #66820. Please disregard them.
No worries Yang, thanks for asking. I think the issue description is not as clear as it should be and the questions are valid. I'll try to rewrite it in a clean way.
This commit no longer explicitly sets the default configuration for FIPS tests. This allows each project's tests to run in FIPS mode without deviation (other than the FIPS mode). A side product of this change is that any REST test can now enable security if they so choose without needing to use the default distribution. This allows for additional usage of the integ_test distribution which can help with testing modularization. This is only possible now that the security plugin is always included with the integ_test distribution via #77632.
fixes: #70005
related: #77632
In #64024, we changed our test setup for FIPS 140 to always use the default distribution because we always wanted to set
xpack.security.fips_mode.enabled: true
and we can't do this with INTEG_TEST distribution as in tests for non-xpack modules, that setting is not available. We should try to refrain from setting a specific distribution in FIPS and use INTEG_TEST as much as possible (to the extent that the test suites themselves already use it). This has two benefits:
This issue is for tracking the problem so that we can schedule for the appropriate time for investigation and come up with a proposal on how to do this.