OpenSearch/elasticsearch/bin/x-pack/migrate

#!/bin/bash

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License;
# you may not use this file except in compliance with the Elastic License.

SCRIPT="$0"

# SCRIPT may be an arbitrarily deep series of symlinks. Loop until we have the concrete path.
while [ -h "$SCRIPT" ] ; do
  ls=`ls -ld "$SCRIPT"`
  # Drop everything prior to ->
  link=`expr "$ls" : '.*-> \(.*\)$'`
  if expr "$link" : '/.*' > /dev/null; then
    SCRIPT="$link"
  else
    SCRIPT=`dirname "$SCRIPT"`/"$link"
  fi
done

# determine elasticsearch home
ES_HOME=`dirname "$SCRIPT"`/../..

# make ELASTICSEARCH_HOME absolute
ES_HOME=`cd "$ES_HOME"; pwd`

# If an include wasn't specified in the environment, then search for one...
if [ "x$ES_INCLUDE" = "x" ]; then
    # Locations (in order) to use when searching for an include file.
    for include in /usr/share/elasticsearch/elasticsearch.in.sh \
                   /usr/local/share/elasticsearch/elasticsearch.in.sh \
                   /opt/elasticsearch/elasticsearch.in.sh \
                   ~/.elasticsearch.in.sh \
                   "`dirname "$0"`"/../elasticsearch.in.sh \
                   "$ES_HOME/bin/elasticsearch.in.sh"; do
        if [ -r "$include" ]; then
            . "$include"
            break
        fi
    done
# ...otherwise, source the specified include.
elif [ -r "$ES_INCLUDE" ]; then
    . "$ES_INCLUDE"
fi

if [ -x "$JAVA_HOME/bin/java" ]; then
    JAVA="$JAVA_HOME/bin/java"
else
    JAVA=`which java`
fi

if [ ! -x "$JAVA" ]; then
    echo "Could not find any executable java binary. Please install java in your PATH or set JAVA_HOME"
    exit 1
fi

if [ -z "$ES_CLASSPATH" ]; then
    echo "You must set the ES_CLASSPATH var" >&2
    exit 1
fi

if [ -z "$CONF_DIR" ]; then
    # Try to read package config files
    if [ -f "/etc/sysconfig/elasticsearch" ]; then
        CONF_DIR=/etc/elasticsearch

        . "/etc/sysconfig/elasticsearch"
    elif [ -f "/etc/default/elasticsearch" ]; then
        CONF_DIR=/etc/elasticsearch

       . "/etc/default/elasticsearch"
    fi
fi

export HOSTNAME=`hostname -s`

# include x-pack jars in classpath
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"

# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
# works around https://bugs.launchpad.net/ubuntu/+source/jayatana/+bug/1441487
if [ "x$JAVA_TOOL_OPTIONS" != "x" ]; then
    echo "Warning: Ignoring JAVA_TOOL_OPTIONS=$JAVA_TOOL_OPTIONS"
    echo "Please pass JVM parameters via ES_JAVA_OPTS instead"
    unset JAVA_TOOL_OPTIONS
fi

# CONF_FILE setting was removed
if [ ! -z "$CONF_FILE" ]; then
    echo "CONF_FILE setting is no longer supported. elasticsearch.yml must be placed in the config directory and cannot be renamed."
    exit 1
fi

declare -a args=("$@")

if [ -e "$CONF_DIR" ]; then
  args=("${args[@]}" -Edefault.path.conf="$CONF_DIR")
fi

cd "$ES_HOME" > /dev/null
"$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" org.elasticsearch.xpack.security.authc.esnative.ESNativeRealmMigrateTool "${args[@]}"
status=$?
cd - > /dev/null
exit $status
Add a tool to migrate users/roles from file to native realm This adds the `bin/shield/migrate` tool that allows migrating users and roles from the files to the native (API-based) store. It looks like this: ``` λ bin/shield/migrate native -U http://localhost:9200 -u test_user -p changeme -n lee,foo -r role1,role2,role3,role4,foo starting migration of users and roles... importing users from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/users]... found existing users: [test_user, joe3, joe2] migrating user [lee] {"user":{"created":true}} no user [foo] found, skipping importing roles from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/roles.yml]... found existing roles: [marvel_user, role_query_fields, admin_role, role3, admin, remote_marvel_agent, power_user, role_new_format_name_array, role_run_as, logstash, role_fields, role_run_as1, role_new_format, kibana4_server, user, transport_client, role1.ab, role_query] migrating role [role1] {"role":{"created":true}} migrating role [role2] {"role":{"created":true}} role [role3] already exists, skipping migrating role [role4] failed to migrate role [role4] with body: {"indices":[{"names":["idx2"]},{"names":["idx2"]},{"names":["idx1"]}]} java.io.IOException: {"error":{"root_cause":[{"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"}],"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"},"status":400} at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:206) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.importRoles(ESNativeRealmMigrateTool.java:389) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.execute(ESNativeRealmMigrateTool.java:171) at org.elasticsearch.common.cli.CliTool.execute(CliTool.java:153) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool.main(ESNativeRealmMigrateTool.java:91) Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:9200/_shield/role/role4 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:192) ... 4 more no role [foo] found, skipping users and roles imported. ``` Original commit: elastic/x-pack-elasticsearch@3ce47c0ffd9003df3970ae9ef92c10826ddfdf11 2016-06-02 13:50:21 -04:00			`#!/bin/bash`

			`# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one`
			`# or more contributor license agreements. Licensed under the Elastic License;`
			`# you may not use this file except in compliance with the Elastic License.`

			`SCRIPT="$0"`

			`# SCRIPT may be an arbitrarily deep series of symlinks. Loop until we have the concrete path.`
			`while [ -h "$SCRIPT" ] ; do`
			ls=`ls -ld "$SCRIPT"`
			`# Drop everything prior to ->`
			link=`expr "$ls" : '.-> \(.\)$'`
			`if expr "$link" : '/.*' > /dev/null; then`
			`SCRIPT="$link"`
			`else`
			SCRIPT=`dirname "$SCRIPT"`/"$link"
			`fi`
			`done`

			`# determine elasticsearch home`
			ES_HOME=`dirname "$SCRIPT"`/../..

			`# make ELASTICSEARCH_HOME absolute`
			ES_HOME=`cd "$ES_HOME"; pwd`

			`# If an include wasn't specified in the environment, then search for one...`
			`if [ "x$ES_INCLUDE" = "x" ]; then`
			`# Locations (in order) to use when searching for an include file.`
			`for include in /usr/share/elasticsearch/elasticsearch.in.sh \`
			`/usr/local/share/elasticsearch/elasticsearch.in.sh \`
			`/opt/elasticsearch/elasticsearch.in.sh \`
			`~/.elasticsearch.in.sh \`
			"`dirname "$0"`"/../elasticsearch.in.sh \
			`"$ES_HOME/bin/elasticsearch.in.sh"; do`
			`if [ -r "$include" ]; then`
			`. "$include"`
			`break`
			`fi`
			`done`
			`# ...otherwise, source the specified include.`
			`elif [ -r "$ES_INCLUDE" ]; then`
			`. "$ES_INCLUDE"`
			`fi`

			`if [ -x "$JAVA_HOME/bin/java" ]; then`
			`JAVA="$JAVA_HOME/bin/java"`
			`else`
			JAVA=`which java`
			`fi`

			`if [ ! -x "$JAVA" ]; then`
			`echo "Could not find any executable java binary. Please install java in your PATH or set JAVA_HOME"`
			`exit 1`
			`fi`

			`if [ -z "$ES_CLASSPATH" ]; then`
			`echo "You must set the ES_CLASSPATH var" >&2`
			`exit 1`
			`fi`

security: add tool to simplify creation of certificate and csr files This commit adds a CLI tool that can be used to generate a CA and signed certificates in PEM format. The tool only requires a name of an instance to be provided by the user; ip and dns values are supported but optional. By default, the tool is interactive and will prompt the user for input but an option exists to provide a yaml file that contains the necessary information to generate certificates or signing requests. The output is in the form of a zip file with subfolders for each instance. Neither the zip file or the PEM files are encrypted as some parts of our stack do not support encrypted PEM files. Original commit: elastic/x-pack-elasticsearch@3dc0f8d495bd73b7efce4c92ad85c410294e980b 2016-07-07 07:41:48 -04:00			`if [ -z "$CONF_DIR" ]; then`
			`# Try to read package config files`
			`if [ -f "/etc/sysconfig/elasticsearch" ]; then`
			`CONF_DIR=/etc/elasticsearch`
Add a tool to migrate users/roles from file to native realm This adds the `bin/shield/migrate` tool that allows migrating users and roles from the files to the native (API-based) store. It looks like this: ``` λ bin/shield/migrate native -U http://localhost:9200 -u test_user -p changeme -n lee,foo -r role1,role2,role3,role4,foo starting migration of users and roles... importing users from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/users]... found existing users: [test_user, joe3, joe2] migrating user [lee] {"user":{"created":true}} no user [foo] found, skipping importing roles from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/roles.yml]... found existing roles: [marvel_user, role_query_fields, admin_role, role3, admin, remote_marvel_agent, power_user, role_new_format_name_array, role_run_as, logstash, role_fields, role_run_as1, role_new_format, kibana4_server, user, transport_client, role1.ab, role_query] migrating role [role1] {"role":{"created":true}} migrating role [role2] {"role":{"created":true}} role [role3] already exists, skipping migrating role [role4] failed to migrate role [role4] with body: {"indices":[{"names":["idx2"]},{"names":["idx2"]},{"names":["idx1"]}]} java.io.IOException: {"error":{"root_cause":[{"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"}],"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"},"status":400} at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:206) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.importRoles(ESNativeRealmMigrateTool.java:389) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.execute(ESNativeRealmMigrateTool.java:171) at org.elasticsearch.common.cli.CliTool.execute(CliTool.java:153) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool.main(ESNativeRealmMigrateTool.java:91) Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:9200/_shield/role/role4 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:192) ... 4 more no role [foo] found, skipping users and roles imported. ``` Original commit: elastic/x-pack-elasticsearch@3ce47c0ffd9003df3970ae9ef92c10826ddfdf11 2016-06-02 13:50:21 -04:00
security: add tool to simplify creation of certificate and csr files This commit adds a CLI tool that can be used to generate a CA and signed certificates in PEM format. The tool only requires a name of an instance to be provided by the user; ip and dns values are supported but optional. By default, the tool is interactive and will prompt the user for input but an option exists to provide a yaml file that contains the necessary information to generate certificates or signing requests. The output is in the form of a zip file with subfolders for each instance. Neither the zip file or the PEM files are encrypted as some parts of our stack do not support encrypted PEM files. Original commit: elastic/x-pack-elasticsearch@3dc0f8d495bd73b7efce4c92ad85c410294e980b 2016-07-07 07:41:48 -04:00			`. "/etc/sysconfig/elasticsearch"`
			`elif [ -f "/etc/default/elasticsearch" ]; then`
			`CONF_DIR=/etc/elasticsearch`
Add a tool to migrate users/roles from file to native realm This adds the `bin/shield/migrate` tool that allows migrating users and roles from the files to the native (API-based) store. It looks like this: ``` λ bin/shield/migrate native -U http://localhost:9200 -u test_user -p changeme -n lee,foo -r role1,role2,role3,role4,foo starting migration of users and roles... importing users from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/users]... found existing users: [test_user, joe3, joe2] migrating user [lee] {"user":{"created":true}} no user [foo] found, skipping importing roles from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/roles.yml]... found existing roles: [marvel_user, role_query_fields, admin_role, role3, admin, remote_marvel_agent, power_user, role_new_format_name_array, role_run_as, logstash, role_fields, role_run_as1, role_new_format, kibana4_server, user, transport_client, role1.ab, role_query] migrating role [role1] {"role":{"created":true}} migrating role [role2] {"role":{"created":true}} role [role3] already exists, skipping migrating role [role4] failed to migrate role [role4] with body: {"indices":[{"names":["idx2"]},{"names":["idx2"]},{"names":["idx1"]}]} java.io.IOException: {"error":{"root_cause":[{"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"}],"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"},"status":400} at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:206) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.importRoles(ESNativeRealmMigrateTool.java:389) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.execute(ESNativeRealmMigrateTool.java:171) at org.elasticsearch.common.cli.CliTool.execute(CliTool.java:153) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool.main(ESNativeRealmMigrateTool.java:91) Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:9200/_shield/role/role4 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:192) ... 4 more no role [foo] found, skipping users and roles imported. ``` Original commit: elastic/x-pack-elasticsearch@3ce47c0ffd9003df3970ae9ef92c10826ddfdf11 2016-06-02 13:50:21 -04:00
security: add tool to simplify creation of certificate and csr files This commit adds a CLI tool that can be used to generate a CA and signed certificates in PEM format. The tool only requires a name of an instance to be provided by the user; ip and dns values are supported but optional. By default, the tool is interactive and will prompt the user for input but an option exists to provide a yaml file that contains the necessary information to generate certificates or signing requests. The output is in the form of a zip file with subfolders for each instance. Neither the zip file or the PEM files are encrypted as some parts of our stack do not support encrypted PEM files. Original commit: elastic/x-pack-elasticsearch@3dc0f8d495bd73b7efce4c92ad85c410294e980b 2016-07-07 07:41:48 -04:00			`. "/etc/default/elasticsearch"`
			`fi`
Add a tool to migrate users/roles from file to native realm This adds the `bin/shield/migrate` tool that allows migrating users and roles from the files to the native (API-based) store. It looks like this: ``` λ bin/shield/migrate native -U http://localhost:9200 -u test_user -p changeme -n lee,foo -r role1,role2,role3,role4,foo starting migration of users and roles... importing users from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/users]... found existing users: [test_user, joe3, joe2] migrating user [lee] {"user":{"created":true}} no user [foo] found, skipping importing roles from [/home/hinmanm/scratch/elasticsearch-2.4.0-SNAPSHOT/config/shield/roles.yml]... found existing roles: [marvel_user, role_query_fields, admin_role, role3, admin, remote_marvel_agent, power_user, role_new_format_name_array, role_run_as, logstash, role_fields, role_run_as1, role_new_format, kibana4_server, user, transport_client, role1.ab, role_query] migrating role [role1] {"role":{"created":true}} migrating role [role2] {"role":{"created":true}} role [role3] already exists, skipping migrating role [role4] failed to migrate role [role4] with body: {"indices":[{"names":["idx2"]},{"names":["idx2"]},{"names":["idx1"]}]} java.io.IOException: {"error":{"root_cause":[{"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"}],"type":"parse_exception","reason":"failed to parse indices privileges for role [role4]. missing required [privileges] field"},"status":400} at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:206) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.importRoles(ESNativeRealmMigrateTool.java:389) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.execute(ESNativeRealmMigrateTool.java:171) at org.elasticsearch.common.cli.CliTool.execute(CliTool.java:153) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool.main(ESNativeRealmMigrateTool.java:91) Caused by: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:9200/_shield/role/role4 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) at org.elasticsearch.shield.authc.esusers.tool.ESNativeRealmMigrateTool$MigrateUserOrRoles.postURL(ESNativeRealmMigrateTool.java:192) ... 4 more no role [foo] found, skipping users and roles imported. ``` Original commit: elastic/x-pack-elasticsearch@3ce47c0ffd9003df3970ae9ef92c10826ddfdf11 2016-06-02 13:50:21 -04:00			`fi`

			export HOSTNAME=`hostname -s`

			`# include x-pack jars in classpath`
			`ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"`

			`# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)`
			`# works around https://bugs.launchpad.net/ubuntu/+source/jayatana/+bug/1441487`
			`if [ "x$JAVA_TOOL_OPTIONS" != "x" ]; then`
			`echo "Warning: Ignoring JAVA_TOOL_OPTIONS=$JAVA_TOOL_OPTIONS"`
			`echo "Please pass JVM parameters via ES_JAVA_OPTS instead"`
			`unset JAVA_TOOL_OPTIONS`
			`fi`

			`# CONF_FILE setting was removed`
			`if [ ! -z "$CONF_FILE" ]; then`
			`echo "CONF_FILE setting is no longer supported. elasticsearch.yml must be placed in the config directory and cannot be renamed."`
			`exit 1`
			`fi`

			`declare -a args=("$@")`

			`if [ -e "$CONF_DIR" ]; then`
			`args=("${args[@]}" -Edefault.path.conf="$CONF_DIR")`
			`fi`

			`cd "$ES_HOME" > /dev/null`
			`"$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" org.elasticsearch.xpack.security.authc.esnative.ESNativeRealmMigrateTool "${args[@]}"`
			`status=$?`
			`cd - > /dev/null`
			`exit $status`