honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Address license state update/read thread safety (#33396) 

This change addresses some issues regarding thread safety around
updates and method calls on the XPackLicenseState object. There exists
a possibility that there could be a concurrent update to the
XPackLicenseState when there is a scheduled check to see if the license
is expired and a cluster state update. In order to address this, the
update method now has a synchronized block where member variables are
updated. Each method that reads these variables is now also
synchronized.

Along with the above change, there was a consistency issue around
security calls to the license state. The majority of security checks
make two calls to the license state, which could result in incorrect
behavior due to the checks being made against different license states.
The majority of this behavior was introduced for 6.3 with the inclusion
of x-pack in the default distribution. In order to resolve the majority
of these cases, the `isSecurityEnabled` method is no longer public and
the logic is also included in individual methods about security such as
`isAuthAllowed`. There were a few cases where this did not remove
multiple calls on the license state, so a new method has been added
which creates a copy of the current license state that will not change.
Callers can use this copy of the license state to make decisions based
on a consistent view of the license state.
This commit is contained in:
Jay Modi 2018-09-12 13:08:09 -06:00 committed by GitHub
parent 9b8fe85edb
commit 20c6c9c542
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
37 changed files with 276 additions and 291 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

188
x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
View File

@ -265,13 +265,15 @@ public class XPackLicenseState {
}
}
private volatile Status status = new Status(OperationMode.TRIAL, true);
private final List<Runnable> listeners = new CopyOnWriteArrayList<>();
private final List<Runnable> listeners;
private final boolean isSecurityEnabled;
private final boolean isSecurityExplicitlyEnabled;
private volatile boolean isSecurityEnabledByTrialVersion;
private Status status = new Status(OperationMode.TRIAL, true);
private boolean isSecurityEnabledByTrialVersion;
public XPackLicenseState(Settings settings) {
this.listeners = new CopyOnWriteArrayList<>();
this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
// 6.0+ requires TLS for production licenses, so if TLS is enabled and security is enabled
// we can interpret this as an explicit enabling of security if the security enabled
@ -281,6 +283,14 @@ public class XPackLicenseState {
this.isSecurityEnabledByTrialVersion = false;
}
private XPackLicenseState(XPackLicenseState xPackLicenseState) {
this.listeners = xPackLicenseState.listeners;
this.isSecurityEnabled = xPackLicenseState.isSecurityEnabled;
this.isSecurityExplicitlyEnabled = xPackLicenseState.isSecurityExplicitlyEnabled;
this.status = xPackLicenseState.status;
this.isSecurityEnabledByTrialVersion = xPackLicenseState.isSecurityEnabledByTrialVersion;
}
/**
* Updates the current state of the license, which will change what features are available.
*
@ -291,15 +301,17 @@ public class XPackLicenseState {
* trial was prior to this metadata being tracked (6.1)
*/
void update(OperationMode mode, boolean active, @Nullable Version mostRecentTrialVersion) {
status = new Status(mode, active);
if (isSecurityEnabled == true && isSecurityExplicitlyEnabled == false && mode == OperationMode.TRIAL
&& isSecurityEnabledByTrialVersion == false) {
// Before 6.3, Trial licenses would default having security enabled.
// If this license was generated before that version, then treat it as if security is explicitly enabled
if (mostRecentTrialVersion == null || mostRecentTrialVersion.before(Version.V_6_3_0)) {
Loggers.getLogger(getClass()).info("Automatically enabling security for older trial license ({})",
mostRecentTrialVersion == null ? "[pre 6.1.0]" : mostRecentTrialVersion.toString());
isSecurityEnabledByTrialVersion = true;
synchronized (this) {
status = new Status(mode, active);
if (isSecurityEnabled == true && isSecurityExplicitlyEnabled == false && mode == OperationMode.TRIAL
&& isSecurityEnabledByTrialVersion == false) {
// Before 6.3, Trial licenses would default having security enabled.
// If this license was generated before that version, then treat it as if security is explicitly enabled
if (mostRecentTrialVersion == null || mostRecentTrialVersion.before(Version.V_6_3_0)) {
Loggers.getLogger(getClass()).info("Automatically enabling security for older trial license ({})",
mostRecentTrialVersion == null ? "[pre 6.1.0]" : mostRecentTrialVersion.toString());
isSecurityEnabledByTrialVersion = true;
}
}
}
listeners.forEach(Runnable::run);
@ -316,12 +328,12 @@ public class XPackLicenseState {
}
/** Return the current license type. */
public OperationMode getOperationMode() {
public synchronized OperationMode getOperationMode() {
return status.mode;
}
/** Return true if the license is currently within its time boundaries, false otherwise. */
public boolean isActive() {
public synchronized boolean isActive() {
return status.active;
}
@ -329,28 +341,32 @@ public class XPackLicenseState {
* @return true if authentication and authorization should be enabled. this does not indicate what realms are available
* @see #allowedRealmType() for the enabled realms
*/
public boolean isAuthAllowed() {
public synchronized boolean isAuthAllowed() {
OperationMode mode = status.mode;
return mode == OperationMode.STANDARD || mode == OperationMode.GOLD || mode == OperationMode.PLATINUM
|| mode == OperationMode.TRIAL;
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.STANDARD || mode == OperationMode.GOLD
|| mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
}
/**
* @return true if IP filtering should be enabled
*/
public boolean isIpFilteringAllowed() {
public synchronized boolean isIpFilteringAllowed() {
OperationMode mode = status.mode;
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM
|| mode == OperationMode.TRIAL;
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
}
/**
* @return true if auditing should be enabled
*/
public boolean isAuditingAllowed() {
public synchronized boolean isAuditingAllowed() {
OperationMode mode = status.mode;
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM
|| mode == OperationMode.TRIAL;
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
}
/**
@ -359,7 +375,7 @@ public class XPackLicenseState {
*
* @return true if the license allows for the stats and health APIs to be used.
*/
public boolean isStatsAndHealthAllowed() {
public synchronized boolean isStatsAndHealthAllowed() {
return status.active;
}
@ -375,9 +391,11 @@ public class XPackLicenseState {
*
* @return {@code true} to enable DLS and FLS. Otherwise {@code false}.
*/
public boolean isDocumentAndFieldLevelSecurityAllowed() {
public synchronized boolean isDocumentAndFieldLevelSecurityAllowed() {
OperationMode mode = status.mode;
return mode == OperationMode.TRIAL || mode == OperationMode.PLATINUM;
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.TRIAL || mode == OperationMode.PLATINUM);
}
/** Classes of realms that may be available based on the license type. */
@ -391,37 +409,45 @@ public class XPackLicenseState {
/**
* @return the type of realms that are enabled based on the license {@link OperationMode}
*/
public AllowedRealmType allowedRealmType() {
switch (status.mode) {
case PLATINUM:
case TRIAL:
return AllowedRealmType.ALL;
case GOLD:
return AllowedRealmType.DEFAULT;
case STANDARD:
return AllowedRealmType.NATIVE;
default:
return AllowedRealmType.NONE;
public synchronized AllowedRealmType allowedRealmType() {
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
if (isSecurityCurrentlyEnabled) {
switch (status.mode) {
case PLATINUM:
case TRIAL:
return AllowedRealmType.ALL;
case GOLD:
return AllowedRealmType.DEFAULT;
case STANDARD:
return AllowedRealmType.NATIVE;
default:
return AllowedRealmType.NONE;
}
} else {
return AllowedRealmType.NONE;
}
}
/**
* @return whether custom role providers are allowed based on the license {@link OperationMode}
*/
public boolean isCustomRoleProvidersAllowed() {
final Status localStatus = status;
return (localStatus.mode == OperationMode.PLATINUM || localStatus.mode == OperationMode.TRIAL)
&& localStatus.active;
public synchronized boolean isCustomRoleProvidersAllowed() {
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
&& status.active;
}
/**
* @return whether "authorization_realms" are allowed based on the license {@link OperationMode}
* @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
*/
public boolean isAuthorizationRealmAllowed() {
final Status localStatus = status;
return (localStatus.mode == OperationMode.PLATINUM || localStatus.mode == OperationMode.TRIAL)
&& localStatus.active;
public synchronized boolean isAuthorizationRealmAllowed() {
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
&& status.active;
}
/**
@ -437,8 +463,7 @@ public class XPackLicenseState {
*
* @return {@code true} as long as the license is valid. Otherwise {@code false}.
*/
public boolean isWatcherAllowed() {
// status is volatile, so a local variable is used for a consistent view
public synchronized boolean isWatcherAllowed() {
Status localStatus = status;
if (localStatus.active == false) {
@ -461,7 +486,7 @@ public class XPackLicenseState {
*
* @return true if the license is active
*/
public boolean isMonitoringAllowed() {
public synchronized boolean isMonitoringAllowed() {
return status.active;
}
@ -471,7 +496,7 @@ public class XPackLicenseState {
* @return {@link #isWatcherAllowed()}
* @see #isWatcherAllowed()
*/
public boolean isMonitoringClusterAlertsAllowed() {
public synchronized boolean isMonitoringClusterAlertsAllowed() {
return isWatcherAllowed();
}
@ -484,7 +509,7 @@ public class XPackLicenseState {
*
* @return {@code true} if the user is allowed to modify the retention. Otherwise {@code false}.
*/
public boolean isUpdateRetentionAllowed() {
public synchronized boolean isUpdateRetentionAllowed() {
final OperationMode mode = status.mode;
return mode != OperationMode.BASIC && mode != OperationMode.MISSING;
}
@ -500,8 +525,7 @@ public class XPackLicenseState {
*
* @return {@code true} as long as the license is valid. Otherwise {@code false}.
*/
public boolean isGraphAllowed() {
// status is volatile
public synchronized boolean isGraphAllowed() {
Status localStatus = status;
OperationMode operationMode = localStatus.mode;
@ -523,8 +547,7 @@ public class XPackLicenseState {
* @return {@code true} as long as the license is valid. Otherwise
* {@code false}.
*/
public boolean isMachineLearningAllowed() {
// one-time volatile read as status could be updated on us while performing this check
public synchronized boolean isMachineLearningAllowed() {
final Status currentStatus = status;
return currentStatus.active && isMachineLearningAllowedForOperationMode(currentStatus.mode);
}
@ -538,7 +561,7 @@ public class XPackLicenseState {
*
* @return true if the license is active
*/
public boolean isRollupAllowed() {
public synchronized boolean isRollupAllowed() {
return status.active;
}
@ -546,7 +569,7 @@ public class XPackLicenseState {
* Logstash is allowed as long as there is an active license of type TRIAL, STANDARD, GOLD or PLATINUM
* @return {@code true} as long as there is a valid license
*/
public boolean isLogstashAllowed() {
public synchronized boolean isLogstashAllowed() {
Status localStatus = status;
return localStatus.active && (isBasic(localStatus.mode) == false);
}
@ -555,7 +578,7 @@ public class XPackLicenseState {
* Beats is allowed as long as there is an active license of type TRIAL, STANDARD, GOLD or PLATINUM
* @return {@code true} as long as there is a valid license
*/
public boolean isBeatsAllowed() {
public synchronized boolean isBeatsAllowed() {
Status localStatus = status;
return localStatus.active && (isBasic(localStatus.mode) == false);
@ -565,7 +588,7 @@ public class XPackLicenseState {
* Deprecation APIs are always allowed as long as there is an active license
* @return {@code true} as long as there is a valid license
*/
public boolean isDeprecationAllowed() {
public synchronized boolean isDeprecationAllowed() {
return status.active;
}
@ -577,11 +600,9 @@ public class XPackLicenseState {
* @return {@code true} as long as the license is valid. Otherwise
* {@code false}.
*/
public boolean isUpgradeAllowed() {
// status is volatile
Status localStatus = status;
public synchronized boolean isUpgradeAllowed() {
// Should work on all active licenses
return localStatus.active;
return status.active;
}
/**
@ -589,7 +610,7 @@ public class XPackLicenseState {
* <p>
* SQL is available for all license types except {@link OperationMode#MISSING}
*/
public boolean isSqlAllowed() {
public synchronized boolean isSqlAllowed() {
return status.active;
}
@ -598,8 +619,7 @@ public class XPackLicenseState {
* <p>
* JDBC is available only in for {@link OperationMode#PLATINUM} and {@link OperationMode#TRIAL} licences
*/
public boolean isJdbcAllowed() {
// status is volatile
public synchronized boolean isJdbcAllowed() {
Status localStatus = status;
OperationMode operationMode = localStatus.mode;
@ -608,18 +628,35 @@ public class XPackLicenseState {
return licensed && localStatus.active;
}
public boolean isTrialLicense() {
public synchronized boolean isTrialLicense() {
return status.mode == OperationMode.TRIAL;
}
public boolean isSecurityAvailable() {
/**
* @return true if security is available to be used with the current license type
*/
public synchronized boolean isSecurityAvailable() {
OperationMode mode = status.mode;
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.STANDARD ||
mode == OperationMode.TRIAL;
}
public boolean isSecurityEnabled() {
final OperationMode mode = status.mode;
/**
* @return true if security has been disabled by a trial license which is the case of the
* default distribution post 6.3.0. The conditions necessary for this are:
* <ul>
* <li>A trial license generated in 6.3.0+</li>
* <li>xpack.security.enabled not specified as a setting</li>
* </ul>
*/
public synchronized boolean isSecurityDisabledByTrialLicense() {
return status.mode == OperationMode.TRIAL && isSecurityEnabled
&& isSecurityExplicitlyEnabled == false
&& isSecurityEnabledByTrialVersion == false;
}
private static boolean isSecurityEnabled(final OperationMode mode, final boolean isSecurityExplicitlyEnabled,
final boolean isSecurityEnabledByTrialVersion, final boolean isSecurityEnabled) {
return mode == OperationMode.TRIAL ? (isSecurityExplicitlyEnabled || isSecurityEnabledByTrialVersion) : isSecurityEnabled;
}
@ -634,8 +671,7 @@ public class XPackLicenseState {
*
* @return true is the license is compatible, otherwise false
*/
public boolean isCcrAllowed() {
// one-time volatile read as status could be updated on us while performing this check
public synchronized boolean isCcrAllowed() {
final Status currentStatus = status;
return currentStatus.active && isCcrAllowedForOperationMode(currentStatus.mode);
}
@ -648,4 +684,14 @@ public class XPackLicenseState {
return operationMode == OperationMode.PLATINUM || operationMode == OperationMode.TRIAL;
}
/**
* Creates a copy of this object based on the state at the time the method was called. The
* returned object will not be modified by a license update/expiration so it can be used to
* make multiple method calls on the license state safely. This object should not be long
* lived but instead used within a method when a consistent view of the license state
* is needed for multiple interactions with the license state.
*/
public synchronized XPackLicenseState copyCurrentLicenseState() {
return new XPackLicenseState(this);
}
}

4
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
View File

@ -110,7 +110,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
@Override
protected DirectoryReader wrap(DirectoryReader reader) {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return reader;
}
@ -171,7 +171,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
@Override
protected IndexSearcher wrap(IndexSearcher searcher) throws EngineException {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return searcher;
}

28
x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
View File

@ -92,13 +92,13 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
licenseState = new XPackLicenseState(Settings.EMPTY);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testSecurityBasic() {
@ -217,21 +217,21 @@ public class XPackLicenseStateTests extends ESTestCase {
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(TRIAL, true, VersionUtils.randomVersionBetween(random(), Version.V_6_3_0, Version.CURRENT));
assertThat(licenseState.isSecurityEnabled(), is(false));
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(true));
assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testOldTrialDefaultsSecurityOn() {
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(TRIAL, true, rarely() ? null : VersionUtils.randomVersionBetween(random(), Version.V_6_0_0, Version.V_6_2_4));
assertThat(licenseState.isSecurityEnabled(), is(true));
assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(false));
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));

1
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexSearcherWrapperIntegrationTests.java
View File

@ -86,7 +86,6 @@ public class SecurityIndexSearcherWrapperIntegrationTests extends ESTestCase {
});
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
SecurityIndexSearcherWrapper wrapper = new SecurityIndexSearcherWrapper(indexSettings, s -> queryShardContext,
bitsetFilterCache, threadContext, licenseState, scriptService) {

1
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java
View File

@ -131,7 +131,6 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
ShardId shardId = new ShardId(index, 0);
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
threadContext = new ThreadContext(Settings.EMPTY);
IndexShard indexShard = mock(IndexShard.class);

2
x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportPutDatafeedAction.java
View File

@ -77,7 +77,7 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
ActionListener<PutDatafeedAction.Response> listener) {
// If security is enabled only create the datafeed if the user requesting creation has
// permission to read the indices the datafeed is going to read from
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
if (licenseState.isAuthAllowed()) {
final String username = securityContext.getUser().principal();
ActionListener<HasPrivilegesResponse> privResponseListener = ActionListener.wrap(
r -> handlePrivsResponse(username, request, r, listener),

2
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
View File

@ -971,7 +971,7 @@ public class Security extends Plugin implements ActionPlugin, IngestPlugin, Netw
public Function<String, Predicate<String>> getFieldFilter() {
if (enabled) {
return index -> {
if (getLicenseState().isSecurityEnabled() == false || getLicenseState().isDocumentAndFieldLevelSecurityAllowed() == false) {
if (getLicenseState().isDocumentAndFieldLevelSecurityAllowed() == false) {
return MapperPlugin.NOOP_FIELD_PREDICATE;
}
IndicesAccessControl indicesAccessControl = threadContext.get().getTransient(

6
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/SecurityFeatureSet.java
View File

@ -76,7 +76,11 @@ public class SecurityFeatureSet implements XPackFeatureSet {
@Override
public boolean enabled() {
return licenseState != null && licenseState.isSecurityEnabled();
if (licenseState != null) {
return XPackSettings.SECURITY_ENABLED.get(settings) &&
licenseState.isSecurityDisabledByTrialLicense() == false;
}
return false;
}
@Override

6
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.java
View File

@ -72,7 +72,6 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
public <Request extends ActionRequest, Response extends ActionResponse> void apply(Task task, String action, Request request,
ActionListener<Response> listener,
ActionFilterChain<Request, Response> chain) {
/*
A functional requirement - when the license of security is disabled (invalid/expires), security will continue
to operate normally, except all read operations will be blocked.
@ -84,8 +83,7 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
throw LicenseUtils.newComplianceException(XPackField.SECURITY);
}
final boolean securityEnabled = licenseState.isSecurityEnabled();
if (securityEnabled && licenseState.isAuthAllowed()) {
if (licenseState.isAuthAllowed()) {
final ActionListener<Response> contextPreservingListener =
ContextPreservingActionListener.wrapPreservingContext(listener, threadContext);
ActionListener<Void> authenticatedListener = ActionListener.wrap(
@ -117,7 +115,7 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
listener.onFailure(e);
}
} else if (SECURITY_ACTION_MATCHER.test(action)) {
if (securityEnabled == false && licenseState.isTrialLicense()) {
if (licenseState.isSecurityDisabledByTrialLicense()) {
listener.onFailure(new ElasticsearchException("Security must be explicitly enabled when using a trial license. " +
"Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +
"and restart the node."));

28
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/interceptor/BulkShardRequestInterceptor.java
View File

@ -37,25 +37,25 @@ public class BulkShardRequestInterceptor extends AbstractComponent implements Re
@Override
public void intercept(BulkShardRequest request, Authentication authentication, Role userPermissions, String action) {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return;
}
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
for (BulkItemRequest bulkItemRequest : request.items()) {
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(bulkItemRequest.index());
if (indexAccessControl != null) {
boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
boolean dls = indexAccessControl.getQueries() != null;
if (fls || dls) {
if (bulkItemRequest.request() instanceof UpdateRequest) {
throw new ElasticsearchSecurityException("Can't execute a bulk request with update requests embedded if " +
for (BulkItemRequest bulkItemRequest : request.items()) {
IndicesAccessControl.IndexAccessControl indexAccessControl =
indicesAccessControl.getIndexPermissions(bulkItemRequest.index());
if (indexAccessControl != null) {
boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
boolean dls = indexAccessControl.getQueries() != null;
if (fls || dls) {
if (bulkItemRequest.request() instanceof UpdateRequest) {
throw new ElasticsearchSecurityException("Can't execute a bulk request with update requests embedded if " +
"field or document level security is enabled", RestStatus.BAD_REQUEST);
}
}
}
}
logger.trace("intercepted bulk request for index [{}] without any update requests, continuing execution",
logger.trace("intercepted bulk request for index [{}] without any update requests, continuing execution",
bulkItemRequest.index());
}
}
}

29
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
View File

@ -34,26 +34,25 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request extends I
@Override
public void intercept(Request request, Authentication authentication, Role userPermissions, String action) {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return;
}
final IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
for (String index : request.indices()) {
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
if (indexAccessControl != null) {
boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
final IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
for (String index : request.indices()) {
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
if (indexAccessControl != null) {
boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
logger.trace("intercepted request for index [{}] with field level access controls [{}] document level access " +
"controls [{}]. disabling conflicting features", index, fieldLevelSecurityEnabled,
if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
logger.trace("intercepted request for index [{}] with field level access controls [{}] document level access " +
"controls [{}]. disabling conflicting features", index, fieldLevelSecurityEnabled,
documentLevelSecurityEnabled);
}
disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
return;
}
disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
return;
}
logger.trace("intercepted request for index [{}] without field or document level access controls", index);
}
logger.trace("intercepted request for index [{}] without field or document level access controls", index);
}
}

54
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/interceptor/IndicesAliasesRequestInterceptor.java
View File

@ -38,42 +38,42 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto
@Override
public void intercept(IndicesAliasesRequest request, Authentication authentication, Role userPermissions, String action) {
if (licenseState.isSecurityEnabled() == false) {
return;
}
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {
if (aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) {
for (String index : aliasAction.indices()) {
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
if (indexAccessControl != null) {
final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
final boolean dls = indexAccessControl.getQueries() != null;
if (fls || dls) {
throw new ElasticsearchSecurityException("Alias requests are not allowed for users who have " +
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
if (frozenLicenseState.isAuthAllowed()) {
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {
if (aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) {
for (String index : aliasAction.indices()) {
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
if (indexAccessControl != null) {
final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
final boolean dls = indexAccessControl.getQueries() != null;
if (fls || dls) {
throw new ElasticsearchSecurityException("Alias requests are not allowed for users who have " +
"field or document level security enabled on one of the indices", RestStatus.BAD_REQUEST);
}
}
}
}
}
}
}
Map<String, Automaton> permissionsMap = new HashMap<>();
for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {
if (aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) {
for (String index : aliasAction.indices()) {
Automaton indexPermissions = permissionsMap.computeIfAbsent(index, userPermissions.indices()::allowedActionsMatcher);
for (String alias : aliasAction.aliases()) {
Automaton aliasPermissions =
Map<String, Automaton> permissionsMap = new HashMap<>();
for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {
if (aliasAction.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD) {
for (String index : aliasAction.indices()) {
Automaton indexPermissions =
permissionsMap.computeIfAbsent(index, userPermissions.indices()::allowedActionsMatcher);
for (String alias : aliasAction.aliases()) {
Automaton aliasPermissions =
permissionsMap.computeIfAbsent(alias, userPermissions.indices()::allowedActionsMatcher);
if (Operations.subsetOf(aliasPermissions, indexPermissions) == false) {
// TODO we've already audited a access granted event so this is going to look ugly
auditTrailService.accessDenied(authentication, action, request, userPermissions.names());
throw Exceptions.authorizationError("Adding an alias is not allowed when the alias " +
if (Operations.subsetOf(aliasPermissions, indexPermissions) == false) {
// TODO we've already audited a access granted event so this is going to look ugly
auditTrailService.accessDenied(authentication, action, request, userPermissions.names());
throw Exceptions.authorizationError("Adding an alias is not allowed when the alias " +
"has more permissions than any of the indices");
}
}
}
}

42
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/interceptor/ResizeRequestInterceptor.java
View File

@ -39,31 +39,33 @@ public final class ResizeRequestInterceptor extends AbstractComponent implements
@Override
public void intercept(ResizeRequest request, Authentication authentication, Role userPermissions, String action) {
if (licenseState.isSecurityEnabled() == false) {
return;
}
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(request.getSourceIndex());
if (indexAccessControl != null) {
final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
final boolean dls = indexAccessControl.getQueries() != null;
if (fls || dls) {
throw new ElasticsearchSecurityException("Resize requests are not allowed for users when " +
final XPackLicenseState frozenLicenseState = licenseState.copyCurrentLicenseState();
if (frozenLicenseState.isAuthAllowed()) {
if (frozenLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl =
threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
IndicesAccessControl.IndexAccessControl indexAccessControl =
indicesAccessControl.getIndexPermissions(request.getSourceIndex());
if (indexAccessControl != null) {
final boolean fls = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
final boolean dls = indexAccessControl.getQueries() != null;
if (fls || dls) {
throw new ElasticsearchSecurityException("Resize requests are not allowed for users when " +
"field or document level security is enabled on the source index", RestStatus.BAD_REQUEST);
}
}
}
}
// ensure that the user would have the same level of access OR less on the target index
final Automaton sourceIndexPermissions = userPermissions.indices().allowedActionsMatcher(request.getSourceIndex());
final Automaton targetIndexPermissions = userPermissions.indices().allowedActionsMatcher(request.getTargetIndexRequest().index());
if (Operations.subsetOf(targetIndexPermissions, sourceIndexPermissions) == false) {
// TODO we've already audited a access granted event so this is going to look ugly
auditTrailService.accessDenied(authentication, action, request, userPermissions.names());
throw Exceptions.authorizationError("Resizing an index is not allowed when the target index " +
// ensure that the user would have the same level of access OR less on the target index
final Automaton sourceIndexPermissions = userPermissions.indices().allowedActionsMatcher(request.getSourceIndex());
final Automaton targetIndexPermissions =
userPermissions.indices().allowedActionsMatcher(request.getTargetIndexRequest().index());
if (Operations.subsetOf(targetIndexPermissions, sourceIndexPermissions) == false) {
// TODO we've already audited a access granted event so this is going to look ugly
auditTrailService.accessDenied(authentication, action, request, userPermissions.names());
throw Exceptions.authorizationError("Resizing an index is not allowed when the target index " +
"has more permissions than the source index");
}
}
}

40
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
View File

@ -42,7 +42,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationSuccess(String realm, User user, RestRequest request) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationSuccess(realm, user, request);
}
@ -51,7 +51,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationSuccess(String realm, User user, String action, TransportMessage message) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationSuccess(realm, user, action, message);
}
@ -60,7 +60,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void anonymousAccessDenied(String action, TransportMessage message) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.anonymousAccessDenied(action, message);
}
@ -69,7 +69,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void anonymousAccessDenied(RestRequest request) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.anonymousAccessDenied(request);
}
@ -78,7 +78,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(RestRequest request) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(request);
}
@ -87,7 +87,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(String action, TransportMessage message) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(action, message);
}
@ -96,7 +96,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(AuthenticationToken token, String action, TransportMessage message) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(token, action, message);
}
@ -105,7 +105,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(String realm, AuthenticationToken token, String action, TransportMessage message) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(realm, token, action, message);
}
@ -114,7 +114,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(AuthenticationToken token, RestRequest request) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(token, request);
}
@ -123,7 +123,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(String realm, AuthenticationToken token, RestRequest request) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(realm, token, request);
}
@ -132,7 +132,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void accessGranted(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.accessGranted(authentication, action, message, roleNames);
}
@ -141,7 +141,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void accessDenied(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.accessDenied(authentication, action, message, roleNames);
}
@ -150,7 +150,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void tamperedRequest(RestRequest request) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.tamperedRequest(request);
}
@ -159,7 +159,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void tamperedRequest(String action, TransportMessage message) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.tamperedRequest(action, message);
}
@ -168,7 +168,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void tamperedRequest(User user, String action, TransportMessage request) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.tamperedRequest(user, action, request);
}
@ -177,7 +177,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void connectionGranted(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.connectionGranted(inetAddress, profile, rule);
}
@ -186,7 +186,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void connectionDenied(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.connectionDenied(inetAddress, profile, rule);
}
@ -195,7 +195,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void runAsGranted(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.runAsGranted(authentication, action, message, roleNames);
}
@ -204,7 +204,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void runAsDenied(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.runAsDenied(authentication, action, message, roleNames);
}
@ -213,7 +213,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void runAsDenied(Authentication authentication, RestRequest request, String[] roleNames) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
if (licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.runAsDenied(authentication, request, roleNames);
}

4
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java
View File

@ -98,7 +98,7 @@ public class Realms extends AbstractComponent implements Iterable<Realm> {
@Override
public Iterator<Realm> iterator() {
if (licenseState.isSecurityEnabled() == false || licenseState.isAuthAllowed() == false) {
if (licenseState.isAuthAllowed() == false) {
return Collections.emptyIterator();
}
@ -120,7 +120,7 @@ public class Realms extends AbstractComponent implements Iterable<Realm> {
}
public List<Realm> asList() {
if (licenseState.isSecurityEnabled() == false || licenseState.isAuthAllowed() == false) {
if (licenseState.isAuthAllowed() == false) {
return Collections.emptyList();
}

4
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
View File

@ -45,7 +45,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
*/
@Override
public void onNewScrollContext(SearchContext searchContext) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
if (licenseState.isAuthAllowed()) {
searchContext.scrollContext().putInContext(AuthenticationField.AUTHENTICATION_KEY,
Authentication.getAuthentication(threadContext));
}
@ -57,7 +57,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
*/
@Override
public void validateSearchContext(SearchContext searchContext, TransportRequest request) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
if (licenseState.isAuthAllowed()) {
if (searchContext.scrollContext() != null) {
final Authentication originalAuth = searchContext.scrollContext().getFromContext(AuthenticationField.AUTHENTICATION_KEY);
final Authentication current = Authentication.getAuthentication(threadContext);

3
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCache.java
View File

@ -59,8 +59,7 @@ public final class OptOutQueryCache extends AbstractIndexComponent implements Qu
@Override
public Weight doCache(Weight weight, QueryCachingPolicy policy) {
// TODO: this is not concurrently safe since the license state can change between reads
if (licenseState.isSecurityEnabled() == false || licenseState.isAuthAllowed() == false) {
if (licenseState.isAuthAllowed() == false) {
logger.debug("not opting out of the query cache; authorization is not allowed");
return indicesQueryCache.doCache(weight, policy);
}

2
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
View File

@ -46,7 +46,7 @@ public class SecurityRestFilter implements RestHandler {
@Override
public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed() && request.method() != Method.OPTIONS) {
if (licenseState.isAuthAllowed() && request.method() != Method.OPTIONS) {
// CORS - allow for preflight unauthenticated OPTIONS request
if (extractClientCertificate) {
HttpChannel httpChannel = request.getHttpChannel();

17
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandler.java
View File

@ -14,6 +14,7 @@ import org.elasticsearch.rest.BaseRestHandler;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.xpack.core.XPackField;
import org.elasticsearch.xpack.core.XPackSettings;
import java.io.IOException;
@ -64,16 +65,14 @@ public abstract class SecurityBaseRestHandler extends BaseRestHandler {
* sent to the requestor
*/
protected Exception checkFeatureAvailable(RestRequest request) {
if (licenseState.isSecurityAvailable() == false) {
if (XPackSettings.SECURITY_ENABLED.get(settings) == false) {
return new IllegalStateException("Security is not enabled but a security rest handler is registered");
} else if (licenseState.isSecurityAvailable() == false) {
return LicenseUtils.newComplianceException(XPackField.SECURITY);
} else if (licenseState.isSecurityEnabled() == false) {
if (licenseState.isTrialLicense()) {
return new ElasticsearchException("Security must be explicitly enabled when using a trial license. " +
"Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +
"and restart the node.");
} else {
return new IllegalStateException("Security is not enabled but a security rest handler is registered");
}
} else if (licenseState.isSecurityDisabledByTrialLicense()) {
return new ElasticsearchException("Security must be explicitly enabled when using a trial license. " +
"Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +
"and restart the node.");
} else {
return null;
}

4
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java
View File

@ -107,7 +107,7 @@ public class SecurityServerTransportInterceptor extends AbstractComponent implem
// guarantee we use the same value wherever we would check the value for the state
// being recovered
final boolean stateNotRecovered = isStateNotRecovered;
final boolean sendWithAuth = (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) || stateNotRecovered;
final boolean sendWithAuth = licenseState.isAuthAllowed() || stateNotRecovered;
if (sendWithAuth) {
// the transport in core normally does this check, BUT since we are serializing to a string header we need to do it
// ourselves otherwise we wind up using a version newer than what we can actually send
@ -266,7 +266,7 @@ public class SecurityServerTransportInterceptor extends AbstractComponent implem
public void messageReceived(T request, TransportChannel channel, Task task) throws Exception {
final AbstractRunnable receiveMessage = getReceiveRunnable(request, channel, task);
try (ThreadContext.StoredContext ctx = threadContext.newStoredContext(true)) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
if (licenseState.isAuthAllowed()) {
String profile = channel.getProfileName();
ServerTransportFilter filter = profileFilters.get(profile);

2
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
View File

@ -198,7 +198,7 @@ public class IPFilter {
}
public boolean accept(String profile, InetSocketAddress peerAddress) {
if (licenseState.isSecurityEnabled() == false || licenseState.isIpFilteringAllowed() == false) {
if (licenseState.isIpFilteringAllowed() == false) {
return true;
}

2
x-pack/plugin/security/src/test/java/org/elasticsearch/license/LicensingTests.java
View File

@ -238,7 +238,7 @@ public class LicensingTests extends SecurityIntegTestCase {
License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL,
License.OperationMode.PLATINUM, License.OperationMode.STANDARD);
enableLicensing(mode);
// security actions should not work!
// security actions should work!
try (TransportClient client = new TestXPackTransportClient(settings, LocalStateSecurity.class)) {
client.addTransportAddress(internalCluster().getDataNodeInstance(Transport.class).boundAddress().publishAddress());
GetUsersResponse response = new SecurityClient(client).prepareGetUsers().get();

5
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityFeatureSetTests.java
View File

@ -55,7 +55,6 @@ public class SecurityFeatureSetTests extends ESTestCase {
public void init() throws Exception {
settings = Settings.builder().put("path.home", createTempDir()).build();
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
realms = mock(Realms.class);
ipFilter = mock(IPFilter.class);
rolesStore = mock(CompositeRolesStore.class);
@ -77,7 +76,7 @@ public class SecurityFeatureSetTests extends ESTestCase {
rolesStore, roleMappingStore, ipFilter);
assertThat(featureSet.enabled(), is(true));
when(licenseState.isSecurityEnabled()).thenReturn(false);
when(licenseState.isSecurityDisabledByTrialLicense()).thenReturn(true);
featureSet = new SecurityFeatureSet(settings, licenseState, realms,
rolesStore, roleMappingStore, ipFilter);
assertThat(featureSet.enabled(), is(false));
@ -90,7 +89,7 @@ public class SecurityFeatureSetTests extends ESTestCase {
Settings.Builder settings = Settings.builder().put(this.settings);
boolean enabled = randomBoolean();
when(licenseState.isSecurityEnabled()).thenReturn(enabled);
settings.put(XPackSettings.SECURITY_ENABLED.getKey(), enabled);
final boolean httpSSLEnabled = randomBoolean();
settings.put("xpack.security.http.ssl.enabled", httpSSLEnabled);

1
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/filter/SecurityActionFilterTests.java
View File

@ -67,7 +67,6 @@ public class SecurityActionFilterTests extends ESTestCase {
licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isStatsAndHealthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);
threadContext = new ThreadContext(Settings.EMPTY);
when(threadPool.getThreadContext()).thenReturn(threadContext);

6
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/interceptor/IndicesAliasesRequestInterceptorTests.java
View File

@ -35,7 +35,8 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
public void testInterceptorThrowsWhenFLSDLSEnabled() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
@ -81,7 +82,8 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);

6
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/interceptor/ResizeRequestInterceptorTests.java
View File

@ -37,7 +37,8 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);
@ -76,7 +77,8 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.copyCurrentLicenseState()).thenReturn(licenseState);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);

14
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/AuditTrailServiceTests.java
View File

@ -48,7 +48,6 @@ public class AuditTrailServiceTests extends ESTestCase {
licenseState = mock(XPackLicenseState.class);
service = new AuditTrailService(Settings.EMPTY, auditTrails, licenseState);
isAuditingAllowed = randomBoolean();
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(isAuditingAllowed);
token = mock(AuthenticationToken.class);
message = mock(TransportMessage.class);
@ -58,7 +57,6 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailed() throws Exception {
service.authenticationFailed(token, "_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(token, "_action", message);
@ -71,7 +69,6 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedNoToken() throws Exception {
service.authenticationFailed("_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed("_action", message);
@ -84,7 +81,6 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRestNoToken() throws Exception {
service.authenticationFailed(restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(restRequest);
@ -97,7 +93,6 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRest() throws Exception {
service.authenticationFailed(token, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(token, restRequest);
@ -110,7 +105,6 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRealm() throws Exception {
service.authenticationFailed("_realm", token, "_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed("_realm", token, "_action", message);
@ -123,7 +117,6 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRestRealm() throws Exception {
service.authenticationFailed("_realm", token, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed("_realm", token, restRequest);
@ -136,7 +129,6 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAnonymousAccess() throws Exception {
service.anonymousAccessDenied("_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).anonymousAccessDenied("_action", message);
@ -152,7 +144,6 @@ public class AuditTrailServiceTests extends ESTestCase {
String[] roles = new String[] { randomAlphaOfLengthBetween(1, 6) };
service.accessGranted(authentication, "_action", message, roles);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).accessGranted(authentication, "_action", message, roles);
@ -168,7 +159,6 @@ public class AuditTrailServiceTests extends ESTestCase {
String[] roles = new String[] { randomAlphaOfLengthBetween(1, 6) };
service.accessDenied(authentication, "_action", message, roles);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).accessDenied(authentication, "_action", message, roles);
@ -183,7 +173,6 @@ public class AuditTrailServiceTests extends ESTestCase {
SecurityIpFilterRule rule = randomBoolean() ? SecurityIpFilterRule.ACCEPT_ALL : IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
service.connectionGranted(inetAddress, "client", rule);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).connectionGranted(inetAddress, "client", rule);
@ -198,7 +187,6 @@ public class AuditTrailServiceTests extends ESTestCase {
SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
service.connectionDenied(inetAddress, "client", rule);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).connectionDenied(inetAddress, "client", rule);
@ -213,7 +201,6 @@ public class AuditTrailServiceTests extends ESTestCase {
String realm = "_realm";
service.authenticationSuccess(realm, user, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationSuccess(realm, user, restRequest);
@ -228,7 +215,6 @@ public class AuditTrailServiceTests extends ESTestCase {
String realm = "_realm";
service.authenticationSuccess(realm, user, "_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationSuccess(realm, user, "_action", message);

1
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
View File

@ -154,7 +154,6 @@ public class AuthenticationServiceTests extends ESTestCase {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.allowedRealmType()).thenReturn(XPackLicenseState.AllowedRealmType.ALL);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
realms = new TestRealms(Settings.EMPTY, TestEnvironment.newEnvironment(settings), Collections.<String, Realm.Factory>emptyMap(),
licenseState, threadContext, mock(ReservedRealm.class), Arrays.asList(firstRealm, secondRealm),
Collections.singletonList(firstRealm));

1
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java
View File

@ -69,7 +69,6 @@ public class RealmsTests extends ESTestCase {
threadContext = new ThreadContext(Settings.EMPTY);
reservedRealm = mock(ReservedRealm.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.allowedRealmType()).thenReturn(AllowedRealmType.ALL);
when(reservedRealm.type()).thenReturn(ReservedRealm.TYPE);
}

10
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java
View File

@ -39,7 +39,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
public void testUnlicensed() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(false);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
AuditTrailService auditTrailService = mock(AuditTrailService.class);
@ -49,7 +48,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
SecuritySearchOperationListener listener = new SecuritySearchOperationListener(threadContext, licenseState, auditTrailService);
listener.onNewScrollContext(searchContext);
listener.validateSearchContext(searchContext, Empty.INSTANCE);
verify(licenseState, times(2)).isSecurityEnabled();
verify(licenseState, times(2)).isAuthAllowed();
verifyZeroInteractions(auditTrailService, searchContext);
}
@ -60,7 +58,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
final Scroll scroll = new Scroll(TimeValue.timeValueSeconds(2L));
testSearchContext.scrollContext().scroll = scroll;
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
AuditTrailService auditTrailService = mock(AuditTrailService.class);
@ -75,7 +72,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
assertEquals(scroll, testSearchContext.scrollContext().scroll);
verify(licenseState).isAuthAllowed();
verify(licenseState).isSecurityEnabled();
verifyZeroInteractions(auditTrailService);
}
@ -86,7 +82,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null));
testSearchContext.scrollContext().scroll = new Scroll(TimeValue.timeValueSeconds(2L));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
AuditTrailService auditTrailService = mock(AuditTrailService.class);
@ -97,7 +92,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
authentication.writeToContext(threadContext);
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
verify(licenseState).isAuthAllowed();
verify(licenseState).isSecurityEnabled();
verifyZeroInteractions(auditTrailService);
}
@ -108,7 +102,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
authentication.writeToContext(threadContext);
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
verify(licenseState, times(2)).isAuthAllowed();
verify(licenseState, times(2)).isSecurityEnabled();
verifyZeroInteractions(auditTrailService);
}
@ -125,7 +118,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
assertEquals(testSearchContext.id(), expected.id());
verify(licenseState, times(3)).isAuthAllowed();
verify(licenseState, times(3)).isSecurityEnabled();
verify(auditTrailService).accessDenied(authentication, "action", request, authentication.getUser().roles());
}
@ -142,7 +134,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
listener.validateSearchContext(testSearchContext, request);
verify(licenseState, times(4)).isAuthAllowed();
verify(licenseState, times(4)).isSecurityEnabled();
verifyNoMoreInteractions(auditTrailService);
}
@ -161,7 +152,6 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
assertEquals(testSearchContext.id(), expected.id());
verify(licenseState, times(5)).isAuthAllowed();
verify(licenseState, times(5)).isSecurityEnabled();
verify(auditTrailService).accessDenied(authentication, "action", request, authentication.getUser().roles());
}
}

27
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/OptOutQueryCacheTests.java
View File

@ -48,7 +48,7 @@ public class OptOutQueryCacheTests extends ESTestCase {
DirectoryReader reader;
@Before
void initLuceneStuff() throws IOException {
public void initLuceneStuff() throws IOException {
dir = newDirectory();
w = new RandomIndexWriter(random(), dir);
reader = w.getReader();
@ -56,11 +56,12 @@ public class OptOutQueryCacheTests extends ESTestCase {
}
@After
void closeLuceneStuff() throws IOException {
public void closeLuceneStuff() throws IOException {
w.close();
dir.close();
reader.close();
}
public void testOptOutQueryCacheSafetyCheck() throws IOException {
BooleanQuery.Builder builder = new BooleanQuery.Builder();
@ -123,25 +124,6 @@ public class OptOutQueryCacheTests extends ESTestCase {
assertFalse(OptOutQueryCache.cachingIsSafe(weight, permissions));
}
public void testOptOutQueryCacheSecurityIsNotEnabled() {
final Settings.Builder settings = Settings.builder()
.put("index.version.created", Version.CURRENT)
.put("index.number_of_shards", 1)
.put("index.number_of_replicas", 0);
final IndexMetaData indexMetaData = IndexMetaData.builder("index").settings(settings).build();
final IndexSettings indexSettings = new IndexSettings(indexMetaData, Settings.EMPTY);
final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class);
final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(false);
when(licenseState.isAuthAllowed()).thenReturn(randomBoolean());
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
final Weight weight = mock(Weight.class);
final QueryCachingPolicy policy = mock(QueryCachingPolicy.class);
cache.doCache(weight, policy);
verify(indicesQueryCache).doCache(same(weight), same(policy));
}
public void testOptOutQueryCacheAuthIsNotAllowed() {
final Settings.Builder settings = Settings.builder()
.put("index.version.created", Version.CURRENT)
@ -152,7 +134,6 @@ public class OptOutQueryCacheTests extends ESTestCase {
final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class);
final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(randomBoolean());
when(licenseState.isAuthAllowed()).thenReturn(false);
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
final Weight weight = mock(Weight.class);
@ -171,7 +152,6 @@ public class OptOutQueryCacheTests extends ESTestCase {
final IndicesQueryCache indicesQueryCache = mock(IndicesQueryCache.class);
final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(true);
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
final Weight weight = mock(Weight.class);
@ -196,7 +176,6 @@ public class OptOutQueryCacheTests extends ESTestCase {
when(indicesAccessControl.getIndexPermissions("index")).thenReturn(indexAccessControl);
threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(true);
final OptOutQueryCache cache = new OptOutQueryCache(indexSettings, indicesQueryCache, threadContext, licenseState);
final Weight weight = mock(Weight.class);

1
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java
View File

@ -60,7 +60,6 @@ public class SecurityRestFilterTests extends ESTestCase {
channel = mock(RestChannel.class);
licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
restHandler = mock(RestHandler.class);
filter = new SecurityRestFilter(licenseState,
new ThreadContext(Settings.EMPTY), authcService, restHandler, false);

9
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/SecurityBaseRestHandlerTests.java
View File

@ -24,11 +24,11 @@ import static org.mockito.Mockito.when;
public class SecurityBaseRestHandlerTests extends ESTestCase {
public void testSecurityBaseRestHandlerChecksLicenseState() throws Exception {
final boolean securityEnabled = randomBoolean();
final boolean securityDisabledByTrial = randomBoolean();
final AtomicBoolean consumerCalled = new AtomicBoolean(false);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityAvailable()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(securityEnabled);
when(licenseState.isSecurityDisabledByTrialLicense()).thenReturn(securityDisabledByTrial);
SecurityBaseRestHandler handler = new SecurityBaseRestHandler(Settings.EMPTY, licenseState) {
@Override
@ -46,7 +46,7 @@ public class SecurityBaseRestHandlerTests extends ESTestCase {
}
};
FakeRestRequest fakeRestRequest = new FakeRestRequest();
FakeRestChannel fakeRestChannel = new FakeRestChannel(fakeRestRequest, randomBoolean(), securityEnabled ? 0 : 1);
FakeRestChannel fakeRestChannel = new FakeRestChannel(fakeRestRequest, randomBoolean(), securityDisabledByTrial ? 1 : 0);
NodeClient client = mock(NodeClient.class);
assertFalse(consumerCalled.get());
@ -54,8 +54,7 @@ public class SecurityBaseRestHandlerTests extends ESTestCase {
handler.handleRequest(fakeRestRequest, fakeRestChannel, client);
verify(licenseState).isSecurityAvailable();
verify(licenseState).isSecurityEnabled();
if (securityEnabled) {
if (securityDisabledByTrial == false) {
assertTrue(consumerCalled.get());
assertEquals(0, fakeRestChannel.responses().get());
assertEquals(0, fakeRestChannel.errors().get());

14
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptorTests.java
View File

@ -73,7 +73,6 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
securityContext = spy(new SecurityContext(settings, threadPool.getThreadContext()));
xPackLicenseState = mock(XPackLicenseState.class);
when(xPackLicenseState.isAuthAllowed()).thenReturn(true);
when(xPackLicenseState.isSecurityEnabled()).thenReturn(true);
}
@After
@ -102,7 +101,6 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
sender.sendRequest(null, null, null, null, null);
assertTrue(calledWrappedSender.get());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verifyNoMoreInteractions(xPackLicenseState);
verifyZeroInteractions(securityContext);
}
@ -112,10 +110,8 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
mock(AuthenticationService.class), mock(AuthorizationService.class), xPackLicenseState, mock(SSLService.class),
securityContext, new DestructiveOperations(Settings.EMPTY, new ClusterSettings(Settings.EMPTY,
Collections.singleton(DestructiveOperations.REQUIRES_NAME_SETTING))), clusterService);
final boolean securityEnabled = randomBoolean();
final boolean authAllowed = securityEnabled && randomBoolean();
final boolean authAllowed = randomBoolean();
when(xPackLicenseState.isAuthAllowed()).thenReturn(authAllowed);
when(xPackLicenseState.isSecurityEnabled()).thenReturn(securityEnabled);
ClusterState notRecovered = ClusterState.builder(clusterService.state())
.blocks(ClusterBlocks.builder().addGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK).build())
.build();
@ -139,10 +135,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
sender.sendRequest(connection, "internal:foo", null, null, null);
assertTrue(calledWrappedSender.get());
assertEquals(SystemUser.INSTANCE, sendingUser.get());
verify(xPackLicenseState).isSecurityEnabled();
if (securityEnabled) {
verify(xPackLicenseState).isAuthAllowed();
}
verify(xPackLicenseState).isAuthAllowed();
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -177,7 +170,6 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
assertEquals(user, sendingUser.get());
assertEquals(user, securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -215,7 +207,6 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
assertEquals(SystemUser.INSTANCE, sendingUser.get());
assertEquals(user, securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -246,7 +237,6 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
assertEquals("there should always be a user when sending a message for action [indices:foo]", e.getMessage());
assertNull(securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
verifyNoMoreInteractions(xPackLicenseState);
}

1
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
View File

@ -53,7 +53,6 @@ public class IPFilterTests extends ESTestCase {
public void init() {
licenseState = mock(XPackLicenseState.class);
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
auditTrail = mock(AuditTrailService.class);
clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(
IPFilter.HTTP_FILTER_ALLOW_SETTING,

1
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java
View File

@ -57,7 +57,6 @@ public class IpFilterRemoteAddressFilterTests extends ESTestCase {
IPFilter.PROFILE_FILTER_DENY_SETTING)));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
AuditTrailService auditTrailService = new AuditTrailService(settings, Collections.emptyList(), licenseState);
IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());

1
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java
View File

@ -58,7 +58,6 @@ public class NioIPFilterTests extends ESTestCase {
IPFilter.PROFILE_FILTER_DENY_SETTING)));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
AuditTrailService auditTrailService = new AuditTrailService(settings, Collections.emptyList(), licenseState);
IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());