tests/audit_log: cover admin v2 FinalizeUpgrade #30452
Merged
Contributor
Pull request overview
Adds an integration test to ensure Redpanda’s admin v2 FeaturesService.FinalizeUpgrade RPC is captured in audit logging (API activity) when the "admin" audit event type is enabled, and that the resulting audit record attributes the call to the authenticated actor.
Changes:
- Import admin v2 features_pb2 to construct a FinalizeUpgradeRequest.
- Add a new audit-log test that issues the admin v2 FinalizeUpgrade RPC and asserts an api_activity record exists with the expected URL and actor username.
Comment on lines +1079 to +1080
| @cluster(num_nodes=4) | ||
| def test_admin_v2_finalize_upgrade(self): |
Comment on lines +1099 to +1102
| try: | ||
| admin_v2.features().finalize_upgrade(features_pb2.FinalizeUpgradeRequest()) | ||
| except Exception as e: | ||
| self.logger.debug(f"FinalizeUpgrade returned (expected failure): {e}") |
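Review bot: the except Exception around finalize_upgrade(...) treats every failure as the expected one, so a connection error or an authentication rejection is logged at debug level and looks the same as the RPC's expected error. Catch the specific error type the client raises for the expected failure and let anything else propagate, or at least include type(e) in the log line, so the later audit-record check is not the only signal that the call reached the server.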
Comment on lines +1113 to +1124
| records = self.find_matching_record( | ||
| is_finalize_upgrade_record, | ||
| lambda count: count >= 1, | ||
| "admin v2 FinalizeUpgrade audit record", | ||
| ) | ||
|
|
||
| assert len(records) >= 1, ( | ||
| f"Expected at least one record, got {len(records)}: {records}" | ||
| ) | ||
| actor = records[0]["actor"]["user"]["name"] | ||
| expected = self.redpanda.SUPERUSER_CREDENTIALS[0] | ||
| assert actor == expected, f"Expected actor user {expected}, got {actor}" |
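Review bot: the actor assertion reads only records[0], so if more than one record matches is_finalize_upgrade_record the rest are never compared with SUPERUSER_CREDENTIALS[0]. Consider checking every returned record, for example all(r["actor"]["user"]["name"] == expected for r in records). The len(records) >= 1 assert also looks like it repeats the count >= 1 predicate already passed to find_matching_record.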
Collaborator
Retry command for Build#84360
please wait until all jobs are finished before running the slash command
pgellert reviewed May 13, 2026
| wait_for_version_sync(self.admin, self.redpanda, patch_result["config_version"]) | ||
|
|
||
| @skip_fips_mode | ||
| @cluster(num_nodes=4) |
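Review bot: the @skip_fips_mode decorator ahead of @cluster(num_nodes=4) carries no comment saying why this test cannot run in FIPS mode. Since the test is what locks in audit coverage for FinalizeUpgrade, a one-line reason or a linked issue next to the decorator would make it clear that the missing coverage in FIPS runs is intentional.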
Contributor
It looks like from the CI failure that this test needs 5 nodes not 4
Suggested change
| @cluster(num_nodes=4) | |
| @cluster(num_nodes=5) |
Member
Author
oh weird i was pretty sure that claude ran this locally.
FeaturesService.FinalizeUpgrade is already audited via the shared apply_auth<> path that admin_server registers for every admin v2 route in add_service(): audit_authn and audit_authz fire at the auth boundary before the service handler runs. Lock that in with a test that drives the RPC and asserts an api_activity record with the expected URL and actor user.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
pgellert approved these changes May 13, 2026
Turns out this one was easy mode.
FeaturesService.FinalizeUpgrade is already audited via the shared apply_auth<> path that admin_server registers for every admin v2 route in add_service(): audit_authn and audit_authz fire at the auth boundary before the service handler runs. Lock that in with a test that drives the RPC and asserts an api_activity record with the expected URL and actor user.
Backports Required
Release Notes
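
The description's point that the audit record is written at the auth boundary before the handler runs, and so survives a failing handler, shown as a toy Python model. This is an added example, not code from the PR or from Redpanda; AdminServer, FINALIZE_URL, the "authorized" field and the sample principals are hypothetical.

```python
# Toy model of an auth boundary that audits before dispatch (added example,
# not Redpanda code). AdminServer, FINALIZE_URL and "authorized" are made up;
# only the actor.user.name layout mirrors what the PR's test reads.
FINALIZE_URL = "/admin.v2.FeaturesService/FinalizeUpgrade"  # constructed path


class AdminServer:
    def __init__(self, superusers):
        self.superusers = set(superusers)  # constructed principals
        self.audit_log = []                # stands in for the audit log
        self.routes = {}

    def add_service(self, url, handler):
        # Every route gets the same wrapper, so no handler can skip auditing.
        self.routes[url] = self._apply_auth(url, handler)

    def _apply_auth(self, url, handler):
        def wrapped(username, request=None):
            allowed = username in self.superusers
            # The record is written at the boundary, before the handler runs.
            self.audit_log.append({
                "class_name": "api_activity",
                "url": url,
                "actor": {"user": {"name": username}},
                "authorized": allowed,
            })
            if not allowed:
                raise PermissionError(f"{username} denied on {url}")
            return handler(request)
        return wrapped


def finalize_upgrade(_request):
    # Stands in for a handler that fails after the boundary has audited.
    raise RuntimeError("nothing to finalize")


def records_for(server, url):
    return [r for r in server.audit_log
            if r["class_name"] == "api_activity" and r["url"] == url]


def drive_and_collect(server, username):
    """Issue the call, tolerate only the handler's own error, return records."""
    try:
        server.routes[FINALIZE_URL](username)
    except RuntimeError:
        pass  # expected handler failure; the audit record must already exist
    return records_for(server, FINALIZE_URL)
```

Because drive_and_collect catches only the handler's own error, a denied caller still surfaces as PermissionError while its audit record stays in the log.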