Fix audit log writing errors for rollover-enabled alias indices#5900
Fix audit log writing errors for rollover-enabled alias indices#5900pCastq wants to merge 10 commits intoopensearch-project:mainfrom
Conversation
pCastq
requested review from
DarshitChanpura,
RyanL1997,
cwperks,
derek-ho,
nibix,
reta,
shikharj05 and
willyborankin
as code owners
|
The part of integration test is to hard. We need separate test classes because they test distinct code paths that require different cluster configurations. Cleaning indices between tests would require cluster restarts or expensive index deletion, significantly slowing CI/CD pipelines. Instead, we use delta-based assertions (before/after counts) that ensure test isolation without cleanup overhead. And there are other stuff that need to look carefully throught the object There are a lot of comment and javadoc. |
nibix
left a comment
nibix
left a comment
There was a problem hiding this comment.
Thank you for this. I left a couple of comments.
Could you also please:
- Check the CI errors regarding code hygiene? maybe it is just a missing spotlessApply
- Write a changelog entry
- Change the name of this PR to something more descriptive
Thank you :)
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Outdated
Show resolved
Hide resolved
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Outdated
Show resolved
Hide resolved
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I am still not quite sure if we need anonymous auth?
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Show resolved
Hide resolved
Signed-off-by: Pietro Paolo Castagna <PietroPaolo.Castagna@gmail.com>
Removed unnecessary comments from audit log integration tests. Signed-off-by: pCastq <131659139+pCastq@users.noreply.github.com>
Signed-off-by: pCastq <131659139+pCastq@users.noreply.github.com>
Signed-off-by: Pietro Paolo Castagna <PietroPaolo.Castagna@gmail.com>
Signed-off-by: Pietro Paolo Castagna <PietroPaolo.Castagna@gmail.com>
|
I intentionally did not unify these tests with InternalAuditLogTest because they validate different responsibilities and operate under fundamentally different assumptions. InternalAuditLogTest is a cluster-level smoke test: it verifies that, in a fully secured single-node cluster, the audit index is created, shards are allocated, and the index reaches green health. Its purpose is infrastructure readiness, not application logic. The tests in this PR instead focus on InternalOpenSearchSink behavior: index creation when absent, alias detection, and write routing for date-based vs alias-based configurations. They explicitly cover sink-level code paths that InternalAuditLogTest does not exercise at all. Unifying the tests would also force a much heavier configuration (admin users, HTTP Basic auth, compliance logging, transport events). This would introduce unnecessary overhead, extra audit noise, and additional failure modes, without increasing coverage for the sink logic being tested. Keeping these tests separate preserves clarity, focus, and maintainability. Each test suite remains aligned with its specific goal, and failures remain easy to diagnose. Combining them would add complexity without providing real value, in my opinion. However , as @nibix suggest, I use Awaitility instead of Thread.sleep() because audit events are generated asynchronously allows the test to wait until a meaningful functional condition is met (i.e. a new audit event becomes visible) and to fail deterministically after a bounded timeout. This approach makes the test more robust, avoids flakiness in CI, and ensures that we only proceed once the audit data has actually been indexed and refreshed. |
nibix
changed the title
There was a problem hiding this comment.
si prega di preferire l'uso dell'inglese :-)
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Outdated
Show resolved
Hide resolved
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Could you elaborate why this is something related to the OpenSearch sink? Isnt this a behavior that occurs at a higher level?
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Outdated
Show resolved
Hide resolved
| * test created a new event.</p> | ||
| */ | ||
| @Test | ||
| public void testAuditDocumentsViaAliasContainMandatoryFields() { |
There was a problem hiding this comment.
Is this a test which covers the alias logic? It seems to be this covers logic from a higher level.
There was a problem hiding this comment.
This test validates the end-to-end write path through the alias branch of createIndexIfAbsent(). The other two tests verify that the alias is recognized (testRecognizesAuditTargetAsWriteAlias) and that documents are counted (testWritesEventsToAliasSuccessfully), but neither inspects the document content. This test closes the loop by confirming that a document written through the alias pipeline — createIndexIfAbsent() → prepareIndex(aliasName) → execute() — arrives in the backing index structurally intact with all mandatory fields and correct values. Without it, we'd know documents are delivered but not that they're correct.
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Show resolved
Hide resolved
Signed-off-by: Pietro Paolo Castagna <PietroPaolo.Castagna@gmail.com>
...onTest/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSinkIntegrationTest.java
Show resolved
Hide resolved
Signed-off-by: Pietro Paolo Castagna <PietroPaolo.Castagna@gmail.com>
There was a problem hiding this comment.
10 seconds is actually the default timeout constraint, so this can be dropped. Same holds for the poll interval.
There was a problem hiding this comment.
can we also use default timeout and poll interval here?
There was a problem hiding this comment.
The hamcrest way of doing such assertions would be
assertThat(auditDoc, hasKey("@timestamp"));
assertThat(auditDoc, hasKey("audit_rest_request_method"));
assertThat(auditDoc, hasKey("audit_rest_request_path"));
This will yield much richer assertion errors in the case of test failures.
There was a problem hiding this comment.
This Objects.requireNonNull is redundant, with our without you will get a NPE in case getTotalHits() returns null.
|
Thank you, looks much better! I have added a few minor comments. Also there are still a few leftover comments from the previous round. Could you please have a look at these? |
Signed-off-by: Pietro Paolo Castagna <PietroPaolo.Castagna@gmail.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5900 +/- ##
==========================================
- Coverage 73.75% 73.74% -0.01%
==========================================
Files 439 439
Lines 26884 26894 +10
Branches 3980 3983 +3
==========================================
+ Hits 19828 19833 +5
- Misses 5168 5177 +9
+ Partials 1888 1884 -4
🚀 New features to boost your workflow:
|
3 participants
Description
[Bug fix, Enhancement , Test fix]
the audit log cannot be written to an index that already exists when using an alias with a rollover policy. This causes errors and prevents audit events from being stored.
When an audit log index already exists under an alias, OpenSearch throws an error and does not insert audit events.
The audit log now detects if the target index already exists and inserts new events into it instead of failing.
Issues Resolved
[#5878 + integration test]
Testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.