diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MarvelPlugin.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MarvelPlugin.java
index 16103e91310..ab7ad4f9758 100644
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MarvelPlugin.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MarvelPlugin.java
@@ -22,7 +22,7 @@ import org.elasticsearch.marvel.agent.settings.MarvelModule;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.LicenseModule;
 import org.elasticsearch.marvel.license.MarvelLicensee;
-import org.elasticsearch.marvel.shield.MarvelInternalUserHolder;
+import org.elasticsearch.marvel.shield.InternalMarvelUser;
 import org.elasticsearch.marvel.shield.MarvelShieldIntegration;
 import org.elasticsearch.marvel.shield.MarvelShieldModule;
 import org.elasticsearch.plugins.Plugin;
@@ -106,7 +106,7 @@ public class MarvelPlugin extends Plugin {
 // is enabled. This is a temporary solution until inter-plugin-communication can be worked out.
 public void onModule(Module module) {
 if (enabled && MarvelShieldIntegration.enabled(settings) && module instanceof AuthorizationModule) {
- ((AuthorizationModule)module).registerReservedRole(MarvelInternalUserHolder.ROLE);
+ ((AuthorizationModule)module).registerReservedRole(InternalMarvelUser.ROLE);
 }
 }
diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelInternalUserHolder.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/InternalMarvelUser.java
similarity index 86%
rename from elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelInternalUserHolder.java
rename to elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/InternalMarvelUser.java
index 687e9d8475e..4e8a4aa9e87 100644
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelInternalUserHolder.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/InternalMarvelUser.java
@@ -11,16 +11,17 @@ import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.shield.User;
 import org.elasticsearch.shield.authz.Permission;
 import org.elasticsearch.shield.authz.Privilege;
-import org.elasticsearch.transport.TransportMessage;
 /**
 *
 */
-public class MarvelInternalUserHolder {
+public class InternalMarvelUser extends User.Simple {
 static final String NAME = "__marvel_user";
 static final String[] ROLE_NAMES = new String[] { "__marvel_role" };
+ public static final InternalMarvelUser INSTANCE = new InternalMarvelUser(NAME, ROLE_NAMES);
+
 public static final Permission.Global.Role ROLE = Permission.Global.Role.builder(ROLE_NAMES[0])
 .cluster(Privilege.Cluster.get(new Privilege.Name(
 PutIndexTemplateAction.NAME + "*",
@@ -38,9 +39,7 @@ public class MarvelInternalUserHolder {
 .build();
- final User user = new User.Simple(NAME, ROLE_NAMES);
-
- public void bindUser(TransportMessage message) {
-
+ InternalMarvelUser(String username, String[] roles) {
+ super(username, roles);
 }
 }
diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldIntegration.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldIntegration.java
index 812828d4110..9873319ac75 100644
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldIntegration.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldIntegration.java
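Review bot: The new constructor `InternalMarvelUser(String username, String[] roles)` is package-private and accepts an arbitrary name and role list, and the class is not `final`, so other code in `org.elasticsearch.marvel.shield` can create further instances or subclasses of what is meant to be a single reserved identity. Since only `INSTANCE` is intended, I would declare the class `final` and replace the constructor with `private InternalMarvelUser() { super(NAME, ROLE_NAMES); }`, building `INSTANCE` from it. `INSTANCE` is also built from the shared `ROLE_NAMES` array; if `User.Simple` keeps that reference rather than copying it (not visible here), a later write to the array would change the internal user's roles, so passing `ROLE_NAMES.clone()` is a cheap guard. The same points apply to `InternalWatcherUser` in the watcher module.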
@@ -6,12 +6,10 @@
 package org.elasticsearch.marvel.shield;
 import org.elasticsearch.ElasticsearchException;
-import org.elasticsearch.common.HasContext;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.inject.Injector;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
-import org.elasticsearch.xpack.XPackPlugin;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.transport.TransportMessage;
@@ -23,45 +21,35 @@ import java.io.IOException;
 */
 public class MarvelShieldIntegration {
- private final Object authcService;
- private final Object userHolder;
- private final Object settingsFilter;
+ private final boolean enabled;
+ private final AuthenticationService authcService;
+ private final ShieldSettingsFilter settingsFilter;
 @Inject
 public MarvelShieldIntegration(Settings settings, Injector injector) {
- boolean enabled = enabled(settings);
+ enabled = enabled(settings);
 authcService = enabled ? injector.getInstance(AuthenticationService.class) : null;
- userHolder = enabled ? injector.getInstance(MarvelInternalUserHolder.class) : null;
 settingsFilter = enabled ? injector.getInstance(ShieldSettingsFilter.class) : null;
 }
 public void bindInternalMarvelUser(TransportMessage message) {
 if (authcService != null) {
 try {
- ((AuthenticationService) authcService).attachUserHeaderIfMissing(message, ((MarvelInternalUserHolder) userHolder).user);
+ authcService.attachUserHeaderIfMissing(message, InternalMarvelUser.INSTANCE);
 } catch (IOException e) {
- throw new ElasticsearchException("failed to attach watcher user to request", e);
+ throw new ElasticsearchException("failed to attach marvel user to request", e);
 }
 }
 }
 public void filterOutSettings(String... patterns) {
 if (settingsFilter != null) {
- ((ShieldSettingsFilter) settingsFilter).filterOut(patterns);
- }
- }
-
- static boolean installed() {
- try {
- MarvelShieldIntegration.class.getClassLoader().loadClass("org.elasticsearch.shield.ShieldPlugin");
- return true;
- } catch (ClassNotFoundException e) {
- return false;
+ settingsFilter.filterOut(patterns);
 }
 }
 public static boolean enabled(Settings settings) {
- return installed() && ShieldPlugin.shieldEnabled(settings);
+ return ShieldPlugin.shieldEnabled(settings);
 }
 }
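Review bot: The new `enabled` field in `MarvelShieldIntegration` is assigned in the constructor but never read in this hunk, because `bindInternalMarvelUser` and `filterOutSettings` still gate on `authcService != null` and `settingsFilter != null`. Either keep `boolean enabled = enabled(settings);` as a local, or gate both methods on `if (enabled)` as the watcher `ShieldIntegration.putUserInContext` now does, so there is a single source of truth for whether the internal user is attached. With `installed()` removed, `enabled(Settings)` references `ShieldPlugin` unconditionally; that presumably relies on Shield always being on the classpath inside x-pack, which deserves a one-line comment such as `// Shield ships with x-pack, so no class-presence probe is needed`.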
diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldModule.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldModule.java
index c93defbfe80..3d043e3f8b1 100644
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldModule.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldModule.java
@@ -6,7 +6,6 @@
 package org.elasticsearch.marvel.shield;
 import org.elasticsearch.common.inject.AbstractModule;
-import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.settings.Settings;
 /**
@@ -14,19 +13,16 @@ import org.elasticsearch.common.settings.Settings;
 */
 public class MarvelShieldModule extends AbstractModule {
- private final MarvelInternalUserHolder userHolder;
 private final boolean enabled;
 public MarvelShieldModule(Settings settings) {
 this.enabled = MarvelShieldIntegration.enabled(settings);
- userHolder = enabled ? new MarvelInternalUserHolder() : null;
 }
 @Override
 protected void configure() {
 bind(MarvelShieldIntegration.class).asEagerSingleton();
 bind(SecuredClient.class).asEagerSingleton();
- bind(MarvelInternalUserHolder.class).toProvider(Providers.of(userHolder));
 if (enabled) {
 bind(MarvelSettingsFilter.Shield.class).asEagerSingleton();
 bind(MarvelSettingsFilter.class).to(MarvelSettingsFilter.Shield.class);
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java
index 4949e4ebc4b..7aa18ebc51e 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java
@@ -36,9 +36,9 @@ import org.elasticsearch.watcher.input.InputModule;
 import org.elasticsearch.watcher.license.LicenseModule;
 import org.elasticsearch.watcher.license.WatcherLicensee;
 import org.elasticsearch.watcher.rest.action.*;
+import org.elasticsearch.watcher.shield.InternalWatcherUser;
 import org.elasticsearch.watcher.shield.ShieldIntegration;
 import org.elasticsearch.watcher.shield.WatcherShieldModule;
-import org.elasticsearch.watcher.shield.WatcherUserHolder;
 import org.elasticsearch.watcher.support.WatcherIndexTemplateRegistry.TemplateConfig;
 import org.elasticsearch.watcher.support.clock.ClockModule;
 import org.elasticsearch.watcher.support.http.HttpClient;
@@ -211,7 +211,7 @@ public class WatcherPlugin extends Plugin {
 // is enabled. This is a temporary solution until inter-plugin-communication can be worked out.
 public void onModule(Module module) {
 if (enabled && ShieldIntegration.enabled(settings) && module instanceof AuthorizationModule) {
- ((AuthorizationModule)module).registerReservedRole(WatcherUserHolder.ROLE);
+ ((AuthorizationModule)module).registerReservedRole(InternalWatcherUser.ROLE);
 }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherUserHolder.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/InternalWatcherUser.java
similarity index 75%
rename from elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherUserHolder.java
rename to elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/InternalWatcherUser.java
index e5c1aeedb7b..d23bd9de19a 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherUserHolder.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/InternalWatcherUser.java
@@ -12,13 +12,15 @@ import org.elasticsearch.shield.authz.Privilege;
 /**
 *
 */
-public class WatcherUserHolder {
+public class InternalWatcherUser extends User.Simple {
 static final String NAME = "__watcher_user";
 static final String[] ROLE_NAMES = new String[] { "__watcher_role" };
+ public static final InternalWatcherUser INSTANCE = new InternalWatcherUser(NAME, ROLE_NAMES);
+
 public static final Permission.Global.Role ROLE = Permission.Global.Role.builder(ROLE_NAMES[0])
- .cluster(Privilege.Cluster.action("indices:admin/template/put"))
+ .cluster(Privilege.Cluster.action("indices:admin/template/put"))
 // for now, the watches will be executed under the watcher user, meaning, all actions
 // taken as part of the execution will be executed on behalf of this user. this includes
@@ -27,10 +29,11 @@ public class WatcherUserHolder {
 //
 // at later phases we'll want to execute the watch on behalf of the user who registers
 // it. this will require some work to attache/persist that user to/with the watch.
- .add(Privilege.Index.ALL, "*")
+ .add(Privilege.Index.ALL, "*")
- .build();
-
- final User user = new User.Simple(NAME, ROLE_NAMES);
+ .build();
+ InternalWatcherUser(String username, String[] roles) {
+ super(username, roles);
+ }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java
index f3e12627226..4bd8c6dd1ff 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java
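Review bot: `InternalWatcherUser` keeps its empty `/** * */` Javadoc even though it now exposes a public `INSTANCE` whose reserved role includes `.add(Privilege.Index.ALL, "*")`. The inline comment already states that every watch executes as this user, so the class-level documentation should spell out that scope, for example `/** Internal user that all watches execute as; its reserved role grants every index privilege on all indices. */`. Giving the "at later phases" comment a tracked reference (placeholder `<ISSUE-ID>`) would make the planned move to executing watches as the registering user auditable.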
@@ -11,7 +11,6 @@ import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.inject.Injector;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
-import org.elasticsearch.xpack.XPackPlugin;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.transport.TransportMessage;
@@ -23,24 +22,21 @@ import java.io.IOException;
 */
 public class ShieldIntegration {
- private static final int MIN_SHIELD_VERSION = /*00*/2000001; // 2.0.0_beta1
-
- private final Object authcService;
- private final Object userHolder;
- private final Object settingsFilter;
+ private final boolean enabled;
+ private final AuthenticationService authcService;
+ private final ShieldSettingsFilter settingsFilter;
 @Inject
 public ShieldIntegration(Settings settings, Injector injector) {
- boolean enabled = enabled(settings);
+ enabled = enabled(settings);
 authcService = enabled ? injector.getInstance(AuthenticationService.class) : null;
- userHolder = enabled ? injector.getInstance(WatcherUserHolder.class) : null;
 settingsFilter = enabled ? injector.getInstance(ShieldSettingsFilter.class) : null;
 }
 public void bindWatcherUser(TransportMessage message) {
 if (authcService != null) {
 try {
- ((AuthenticationService) authcService).attachUserHeaderIfMissing(message, ((WatcherUserHolder) userHolder).user);
+ authcService.attachUserHeaderIfMissing(message, InternalWatcherUser.INSTANCE);
 } catch (IOException e) {
 throw new ElasticsearchException("failed to attach watcher user to request", e);
 }
@@ -49,28 +45,19 @@ public class ShieldIntegration {
 public void filterOutSettings(String... patterns) {
 if (settingsFilter != null) {
- ((ShieldSettingsFilter) settingsFilter).filterOut(patterns);
+ settingsFilter.filterOut(patterns);
 }
 }
 // TODO this is a hack that needs to go away with proper fixes in core
 public void putUserInContext(HasContext context) {
- if (userHolder != null) {
- context.putInContext("_shield_user", ((WatcherUserHolder) userHolder).user);
- }
- }
-
- static boolean installed() {
- try {
- ShieldIntegration.class.getClassLoader().loadClass("org.elasticsearch.shield.ShieldPlugin");
- return true;
- } catch (ClassNotFoundException e) {
- return false;
+ if (enabled) {
+ context.putInContext("_shield_user", InternalWatcherUser.INSTANCE);
 }
 }
 public static boolean enabled(Settings settings) {
- return installed() && ShieldPlugin.shieldEnabled(settings);
+ return ShieldPlugin.shieldEnabled(settings);
 }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java
index 08e5e80a89b..9a9f62bee23 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java
@@ -6,7 +6,6 @@
 package org.elasticsearch.watcher.shield;
 import org.elasticsearch.common.inject.AbstractModule;
-import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
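Review bot: `putUserInContext` is public and, whenever Shield is enabled, writes `InternalWatcherUser.INSTANCE` into whatever `HasContext` the caller passes, whereas `bindWatcherUser` goes through `attachUserHeaderIfMissing` and so leaves an existing identity in place. Whether `putInContext` replaces a `_shield_user` entry that is already present is not visible here; if it does, a request that arrived with a real user would continue with the watcher role's index privileges. I would document that behaviour on the method next to the existing TODO and, if the callers allow it, narrow the method to package-private. The key `"_shield_user"` is a bare literal; if Shield exposes a constant for it, referencing that would keep the two modules from drifting apart.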
@@ -21,17 +20,12 @@ public class WatcherShieldModule extends AbstractModule {
 private final boolean enabled;
- private final WatcherUserHolder userHolder;
-
 public WatcherShieldModule(Settings settings) {
 this.logger = Loggers.getLogger(WatcherShieldModule.class, settings);
 this.enabled = ShieldIntegration.enabled(settings);
 if (enabled) {
- userHolder = new WatcherUserHolder();
 registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*");
 registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*");
- } else {
- userHolder = null;
 }
 }
@@ -50,7 +44,6 @@ public class WatcherShieldModule extends AbstractModule {
 @Override
 protected void configure() {
 bind(ShieldIntegration.class).asEagerSingleton();
- bind(WatcherUserHolder.class).toProvider(Providers.of(userHolder));
 if (enabled) {
 bind(WatcherSettingsFilter.Shield.class).asEagerSingleton();
 bind(WatcherSettingsFilter.class).to(WatcherSettingsFilter.Shield.class);
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/condition/compare/CompareConditionSearchTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/condition/compare/CompareConditionSearchTests.java
index 3be082796ec..e37fe939480 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/condition/compare/CompareConditionSearchTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/condition/compare/CompareConditionSearchTests.java
@@ -31,6 +31,12 @@ import static org.mockito.Mockito.when;
 /**
 */
 public class CompareConditionSearchTests extends AbstractWatcherIntegrationTestCase {
+
+ @Override
+ protected boolean enableShield() {
+ return true;
+ }
+
 public void testExecuteWithAggs() throws Exception {
 client().admin().indices().prepareCreate("my-index")
 .addMapping("my-type", "_timestamp", "enabled=true")