OpenSearch/x-pack/qa/security-example-spi-extension/build.gradle

apply plugin: 'elasticsearch.esplugin'

esplugin {
  name 'spi-extension'
  description 'An example spi extension plugin for security'
  classname 'org.elasticsearch.example.SpiExtensionPlugin'
  extendedPlugins = ['x-pack-security']
}

dependencies {
  compileOnly "org.elasticsearch.plugin:x-pack-core:${version}"
  testCompile project(path: xpackProject('transport-client').path, configuration: 'runtime')
}


integTestRunner {
    systemProperty 'tests.security.manager', 'false'
}

integTestCluster {
  dependsOn buildZip
  setting 'xpack.security.authc.realms.custom.custom.order', '0'
  setting 'xpack.security.authc.realms.custom.custom.filtered_setting', 'should be filtered'
  setting 'xpack.security.authc.realms.file.esusers.order', '1'
  setting 'xpack.security.authc.realms.native.native.order', '2'
  setting 'xpack.security.enabled', 'true'
  setting 'xpack.ilm.enabled', 'false'
  setting 'xpack.ml.enabled', 'false'
  setting 'xpack.monitoring.enabled', 'false'
  setting 'xpack.license.self_generated.type', 'trial'

  // This is important, so that all the modules are available too.
  // There are index templates that use token filters that are in analysis-module and
  // processors are being used that are in ingest-common module.
  distribution = 'default'

  setupCommand 'setupDummyUser',
               'bin/elasticsearch-users', 'useradd', 'test_user', '-p', 'x-pack-test-password', '-r', 'superuser'
  waitCondition = { node, ant ->
    File tmpFile = new File(node.cwd, 'wait.success')
    ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
            dest: tmpFile.toString(),
            username: 'test_user',
            password: 'x-pack-test-password',
            ignoreerrors: true,
            retries: 10)
    return tmpFile.exists()
  }
}
check.dependsOn integTest
Expose XPackExtensions via SPI (elastic/x-pack-elasticsearch#3530) This change adds SPI loading for XPackExtensions that allows to extend XPack via an ordinary plugin. This can co-exist with the existin extension mechanism for the time being. Original commit: elastic/x-pack-elasticsearch@bf02b56deee7d1fccc1df4a96755bdbc4b69355c 2018-01-23 07:05:39 -05:00			`apply plugin: 'elasticsearch.esplugin'`

			`esplugin {`
			`name 'spi-extension'`
Allow custom authorization with an authorization engine (#38358) For some users, the built in authorization mechanism does not fit their needs and no feature that we offer would allow them to control the authorization process to meet their needs. In order to support this, a concept of an AuthorizationEngine is being introduced, which can be provided using the security extension mechanism. An AuthorizationEngine is responsible for making the authorization decisions about a request. The engine is responsible for knowing how to authorize and can be backed by whatever mechanism a user wants. The default mechanism is one backed by roles to provide the authorization decisions. The AuthorizationEngine will be called by the AuthorizationService, which handles more of the internal workings that apply in general to authorization within Elasticsearch. In order to support external authorization services that would back an authorization engine, the entire authorization process has become asynchronous, which also includes all calls to the AuthorizationEngine. The use of roles also leaked out of the AuthorizationService in our existing code that is not specifically related to roles so this also needed to be addressed. RequestInterceptor instances sometimes used a role to ensure a user was not attempting to escalate their privileges. Addressing this leakage of roles meant that the RequestInterceptor execution needed to move within the AuthorizationService and that AuthorizationEngines needed to support detection of whether a user has more privileges on a name than another. The second area where roles leaked to the user is in the handling of a few privilege APIs that could be used to retrieve the user's privileges or ask if a user has privileges to perform an action. To remove the leakage of roles from these actions, the AuthorizationService and AuthorizationEngine gained methods that enabled an AuthorizationEngine to return the response for these APIs. Ultimately this feature is the work included in: #37785 #37495 #37328 #36245 #38137 #38219 Closes #32435 2019-02-05 15:39:29 -05:00			`description 'An example spi extension plugin for security'`
Expose XPackExtensions via SPI (elastic/x-pack-elasticsearch#3530) This change adds SPI loading for XPackExtensions that allows to extend XPack via an ordinary plugin. This can co-exist with the existin extension mechanism for the time being. Original commit: elastic/x-pack-elasticsearch@bf02b56deee7d1fccc1df4a96755bdbc4b69355c 2018-01-23 07:05:39 -05:00			`classname 'org.elasticsearch.example.SpiExtensionPlugin'`
			`extendedPlugins = ['x-pack-security']`
			`}`

			`dependencies {`
Build: Rework shadow plugin configuration (#32409) This reworks how we configure the `shadow` plugin in the build. The major change is that we no longer bundle dependencies in the `compile` configuration, instead we bundle dependencies in the new `bundle` configuration. This feels more right because it is a little more "opt in" rather than "opt out" and the name of the `bundle` configuration is a little more obvious. As an neat side effect of this, the `runtimeElements` configuration used when one project depends on another now contains exactly the dependencies needed to run the project so you no longer need to reference projects that use the shadow plugin like this: ``` testCompile project(path: ':client:rest-high-level', configuration: 'shadow') ``` You can instead use the much more normal: ``` testCompile "org.elasticsearch.client:elasticsearch-rest-high-level-client:${version}" ``` 2018-08-21 20:03:28 -04:00			`compileOnly "org.elasticsearch.plugin:x-pack-core:${version}"`
Build: Replace references to x-pack-elasticsearch paths with helper methods (elastic/x-pack-elasticsearch#3748) In order to more easily integrate xpack once it moves into the elasticsearch repo, references to the existing x-pack-elasticsearch need to be reduced. This commit introduces a few helper "methods" available to any project within xpack (through gradle project extension properties, as closures). All refeerences to project paths now use these helper methods, except for those pertaining to bwc, which will be handled in a followup. Original commit: elastic/x-pack-elasticsearch@850668744c7188f3ca8d6ff561c99fbd8995288e 2018-01-27 00:48:30 -05:00			`testCompile project(path: xpackProject('transport-client').path, configuration: 'runtime')`
Expose XPackExtensions via SPI (elastic/x-pack-elasticsearch#3530) This change adds SPI loading for XPackExtensions that allows to extend XPack via an ordinary plugin. This can co-exist with the existin extension mechanism for the time being. Original commit: elastic/x-pack-elasticsearch@bf02b56deee7d1fccc1df4a96755bdbc4b69355c 2018-01-23 07:05:39 -05:00			`}`


			`integTestRunner {`
			`systemProperty 'tests.security.manager', 'false'`
			`}`

			`integTestCluster {`
			`dependsOn buildZip`
Include realm type in Security Realm setting keys (#30241) This moves all Realm settings to an Affix definition. However, because different realm types define different settings (potentially conflicting settings) this requires that the realm type become part of the setting key. Thus, we now need to define realm settings as: xpack.security.authc.realms: file.file1: order: 0 native.native1: order: 1 - This is a breaking change to realm config - This is also a breaking change to custom security realms (SecurityExtension) 2018-11-05 22:56:50 -05:00			`setting 'xpack.security.authc.realms.custom.custom.order', '0'`
			`setting 'xpack.security.authc.realms.custom.custom.filtered_setting', 'should be filtered'`
			`setting 'xpack.security.authc.realms.file.esusers.order', '1'`
			`setting 'xpack.security.authc.realms.native.native.order', '2'`
Disable security for trial licenses by default (elastic/x-pack-elasticsearch#4120) This change disables security for trial licenses unless security is explicitly enabled in the settings. This is done to facilitate users getting started and not having to deal with some of the complexities involved in getting security configured. In order to do this and avoid disabling security for existing users that have gold or platinum licenses, we have to disable security after cluster formation so that the license can be retrieved. relates elastic/x-pack-elasticsearch#4078 Original commit: elastic/x-pack-elasticsearch@96bdb889fc74d4871c43df71354a21549cc53a3e 2018-03-21 23:09:44 -04:00			`setting 'xpack.security.enabled', 'true'`
Rename ILM, ILM endpoints and drop _xpack (#32564) This commit does the following: - renames index-lifecycle plugin to ilm - modifies the endpoints to ilm instead of index_lifecycle - drops _xpack from the endpoints - drops a few duplicate endpoints 2018-08-02 13:05:11 -04:00			`setting 'xpack.ilm.enabled', 'false'`
Expose XPackExtensions via SPI (elastic/x-pack-elasticsearch#3530) This change adds SPI loading for XPackExtensions that allows to extend XPack via an ordinary plugin. This can co-exist with the existin extension mechanism for the time being. Original commit: elastic/x-pack-elasticsearch@bf02b56deee7d1fccc1df4a96755bdbc4b69355c 2018-01-23 07:05:39 -05:00			`setting 'xpack.ml.enabled', 'false'`
Test: disable monitoring for security spi qa project This commit disables monitoring for the qa project that tests custom realms and role providers as monitoring can cause failures due to an accounting breaker not being reset. See elastic/x-pack-elasticsearch#157 Original commit: elastic/x-pack-elasticsearch@f882507e8517e529fba003165edba8977b715241 2018-02-06 15:09:09 -05:00			`setting 'xpack.monitoring.enabled', 'false'`
Default to basic license at startup (elastic/x-pack-elasticsearch#3878) This is related to elastic/x-pack-elasticsearch#3877. This commit modifies the license settings to default to self generating a basic license. Original commit: elastic/x-pack-elasticsearch@cd6ee8e06f17c213544ae1c06cfe8ebfa85b9f68 2018-02-12 14:57:04 -05:00			`setting 'xpack.license.self_generated.type', 'trial'`
Expose XPackExtensions via SPI (elastic/x-pack-elasticsearch#3530) This change adds SPI loading for XPackExtensions that allows to extend XPack via an ordinary plugin. This can co-exist with the existin extension mechanism for the time being. Original commit: elastic/x-pack-elasticsearch@bf02b56deee7d1fccc1df4a96755bdbc4b69355c 2018-01-23 07:05:39 -05:00
			`// This is important, so that all the modules are available too.`
			`// There are index templates that use token filters that are in analysis-module and`
			`// processors are being used that are in ingest-common module.`
Simplify integ test distribution types (#37618) The integ tests currently use the raw zip project name as the distribution type. This commit simplifies this specification to be "default" or "oss". Whether zip or tar is used should be an internal implementation detail of the integ test setup, which can (in the future) be platform specific. 2019-01-21 15:37:17 -05:00			`distribution = 'default'`
Expose XPackExtensions via SPI (elastic/x-pack-elasticsearch#3530) This change adds SPI loading for XPackExtensions that allows to extend XPack via an ordinary plugin. This can co-exist with the existin extension mechanism for the time being. Original commit: elastic/x-pack-elasticsearch@bf02b56deee7d1fccc1df4a96755bdbc4b69355c 2018-01-23 07:05:39 -05:00
			`setupCommand 'setupDummyUser',`
Rename users This commit renames users to elasticsearch-users. 2018-04-11 11:36:12 -04:00			`'bin/elasticsearch-users', 'useradd', 'test_user', '-p', 'x-pack-test-password', '-r', 'superuser'`
Expose XPackExtensions via SPI (elastic/x-pack-elasticsearch#3530) This change adds SPI loading for XPackExtensions that allows to extend XPack via an ordinary plugin. This can co-exist with the existin extension mechanism for the time being. Original commit: elastic/x-pack-elasticsearch@bf02b56deee7d1fccc1df4a96755bdbc4b69355c 2018-01-23 07:05:39 -05:00			`waitCondition = { node, ant ->`
			`File tmpFile = new File(node.cwd, 'wait.success')`
			`ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",`
			`dest: tmpFile.toString(),`
			`username: 'test_user',`
			`password: 'x-pack-test-password',`
			`ignoreerrors: true,`
			`retries: 10)`
			`return tmpFile.exists()`
			`}`
			`}`
			`check.dependsOn integTest`