diff --git a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/test/MarvelIntegTestCase.java b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/test/MarvelIntegTestCase.java index 218535a8841..1f404a59ec5 100644 --- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/test/MarvelIntegTestCase.java +++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/test/MarvelIntegTestCase.java @@ -16,7 +16,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.CountDown; import org.elasticsearch.common.xcontent.ToXContent; import org.elasticsearch.common.xcontent.XContentBuilder; -import org.elasticsearch.index.IndexModule; import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.marvel.MarvelSettings; import org.elasticsearch.marvel.MonitoredSystem; @@ -25,7 +24,6 @@ import org.elasticsearch.marvel.agent.exporter.MarvelTemplateUtils; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.resolver.MonitoringIndexNameResolver; import org.elasticsearch.plugins.Plugin; -import org.elasticsearch.shield.Shield; import org.elasticsearch.shield.authc.esusers.ESUsersRealm; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; @@ -463,8 +461,6 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase { Path folder = createTempDir().resolve("marvel_shield"); Files.createDirectories(folder); - builder.remove("index.queries.cache.type"); - builder.put("shield.enabled", true) .put("shield.authc.realms.esusers.type", ESUsersRealm.TYPE) .put("shield.authc.realms.esusers.order", 0) 
@@ -473,10 +469,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase { .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES)) .put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey)) .put("shield.authc.sign_user_header", false) - .put("shield.audit.enabled", auditLogsEnabled) - // Test framework sometimes randomily selects the 'index' or 'none' cache and that makes the - // validation in ShieldPlugin fail. Shield can only run with this query cache impl - .put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE); + .put("shield.audit.enabled", auditLogsEnabled); } catch (IOException ex) { throw new RuntimeException("failed to build settings for shield", ex); } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java index 57cc08d3be4..4c0ce5a3c8a 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java @@ -109,7 +109,6 @@ public class Shield { this.transportClientMode = XPackPlugin.transportClientMode(settings); this.enabled = XPackPlugin.featureEnabled(settings, NAME, true); if (enabled && !transportClientMode) { - failIfShieldQueryCacheIsNotActive(settings, true); validateAutoCreateIndex(settings); } } @@ -172,7 +171,6 @@ public class Shield { settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Shield.NAME); addUserSettings(settingsBuilder); addTribeSettings(settingsBuilder); - addQueryCacheSettings(settingsBuilder); return settingsBuilder.build(); } 
@@ -235,7 +233,11 @@ public class Shield { } if (transportClientMode == false) { module.registerQueryCache(Shield.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new); - failIfShieldQueryCacheIsNotActive(module.getSettings(), false); + /* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation. + * This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do + * forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to + * unauthorized users. */ + module.forceQueryCacheType(Shield.OPT_OUT_QUERY_CACHE); } } @@ -386,16 +388,6 @@ public class Shield { } } - /** - * We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation. - * This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do - * forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to - * unauthorized users. - */ - private void addQueryCacheSettings(Settings.Builder settingsBuilder) { - settingsBuilder.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE); - } - public static boolean enabled(Settings settings) { return XPackPlugin.featureEnabled(settings, NAME, true); } 
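Review bot: `module.forceQueryCacheType(Shield.OPT_OUT_QUERY_CACHE)` silently replaces a user-supplied `index.queries.cache.type`, whereas the removed `failIfShieldQueryCacheIsNotActive` calls (here and in the constructor hunk at -109) rejected it with an `IllegalStateException`. Forcing the opt-out cache is the safer behaviour for field level security, but the visible code gives an operator no signal that the setting was ignored. A log line here naming the overridden key would cover that, unless `forceQueryCacheType` already emits one (not visible in this diff). The test hunks in this commit only delete the explicit cache-type settings, so coverage of the override rests on the framework's random cache selection mentioned in the removed comments; a deterministic test that sets a different cache type with Shield enabled and asserts `OptOutQueryCache` is in use would pin this control. The moved comment could also be tightened, e.g. `This impl. disables the query cache when field level security is used for a request; without the forced override, cached data could leak to unauthorized users.`; the enclosing method starts and ends outside the hunk.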
@@ -404,21 +396,6 @@ public class Shield { return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true); } - private void failIfShieldQueryCacheIsNotActive(Settings settings, boolean nodeSettings) { - String queryCacheImplementation; - if (nodeSettings) { - // in case this are node settings then the plugin additional settings have not been applied yet, - // so we use 'opt_out_cache' as default. So in that case we only fail if the node settings contain - // another cache impl than 'opt_out_cache'. - queryCacheImplementation = settings.get(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE); - } else { - queryCacheImplementation = settings.get(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey()); - } - if (OPT_OUT_QUERY_CACHE.equals(queryCacheImplementation) == false) { - throw new IllegalStateException("shield does not support a user specified query cache. remove the setting [" + IndexModule - .INDEX_QUERY_CACHE_TYPE_SETTING.getKey() + "] with value [" + queryCacheImplementation + "]"); - } - } static void validateAutoCreateIndex(Settings settings) { String value = settings.get("action.auto_create_index"); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldF.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldF.java index 92c199083ab..c4561a98406 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldF.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldF.java @@ -10,7 +10,6 @@ import org.elasticsearch.ElasticsearchException; import org.elasticsearch.Version; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexModule; import org.elasticsearch.node.MockNode; import org.elasticsearch.node.Node; import org.elasticsearch.shield.authc.esnative.ESNativeRealm; 
@@ -43,7 +42,6 @@ public class ShieldF { settings.put("xpack.shield.enabled", "true"); // Disable Monitoring to prevent cluster activity settings.put("xpack.monitoring.enabled", "false"); - settings.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE); settings.put("cluster.name", ShieldF.class.getSimpleName()); String homeDir = System.getProperty("es.path.home"); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java index cfccbc7805a..6d226741692 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java @@ -21,7 +21,6 @@ import org.elasticsearch.common.transport.DummyTransportAddress; import org.elasticsearch.common.transport.InetSocketTransportAddress; import org.elasticsearch.common.transport.LocalTransportAddress; import org.elasticsearch.common.transport.TransportAddress; -import org.elasticsearch.index.IndexModule; import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.rest.RestRequest; import org.elasticsearch.search.SearchHit; @@ -168,14 +167,6 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase { Settings.Builder builder = Settings.builder() .put(super.nodeSettings(nodeOrdinal)) .put(XPackPlugin.featureEnabledSetting(Shield.NAME), useShield); - - // For tests we forcefully configure Shield's custom query cache because the test framework - // randomizes the query cache impl but if shield is disabled then we don't need to forcefully - // set the query cache - if (useShield == false) { - builder.remove(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey()); - } - return builder.build(); } }; 
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java index 66d015f99f2..ceca8a36646 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java @@ -9,10 +9,8 @@ import org.elasticsearch.ElasticsearchException; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.index.IndexModule; import org.elasticsearch.marvel.Marvel; import org.elasticsearch.plugins.Plugin; -import org.elasticsearch.shield.Shield; import org.elasticsearch.shield.authc.esusers.ESUsersRealm; import org.elasticsearch.shield.authc.esnative.ESNativeRealm; import org.elasticsearch.shield.authc.support.Hasher; @@ -136,9 +134,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ .put("shield.authc.realms.index.type", ESNativeRealm.TYPE) .put("shield.authc.realms.index.order", "1") .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", configRoles())) - // Test framework sometimes randomly selects the 'index' or 'none' cache and that makes the - // validation in ShieldPlugin fail. - .put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE) .put(getNodeSSLSettings()); return builder.build(); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java index b074dd430f0..2859e9ad664 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java 
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java @@ -21,14 +21,12 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.Callback; import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.common.xcontent.support.XContentMapValues; -import org.elasticsearch.index.IndexModule; import org.elasticsearch.index.query.QueryBuilder; import org.elasticsearch.marvel.Marvel; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.script.MockMustacheScriptEngine; import org.elasticsearch.search.SearchHit; import org.elasticsearch.search.builder.SearchSourceBuilder; -import org.elasticsearch.shield.Shield; import org.elasticsearch.shield.authc.esusers.ESUsersRealm; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; @@ -719,9 +717,6 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase .put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey)) .put("shield.authc.sign_user_header", false) .put("shield.audit.enabled", auditLogsEnabled) - // Test framework sometimes randomily selects the 'index' or 'none' cache and that makes the - // validation in ShieldPlugin fail. Shield can only run with this query cache impl - .put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE) .build(); } catch (IOException ex) { throw new RuntimeException("failed to build settings for shield", ex);