Use IndexModule#forceQueryCacheType instead of overriding configurations
This is a follow-up to elastic/elasticsearch#16799, which prevents setting index-level settings at the node level. Original commit: elastic/x-pack-elasticsearch@80d1819ab3
parent
b6d279fc7f
commit
214b4f269a
|
@ -16,7 +16,6 @@ import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.CountDown;
|
import org.elasticsearch.common.util.concurrent.CountDown;
|
||||||
import org.elasticsearch.common.xcontent.ToXContent;
|
import org.elasticsearch.common.xcontent.ToXContent;
|
||||||
import org.elasticsearch.common.xcontent.XContentBuilder;
|
import org.elasticsearch.common.xcontent.XContentBuilder;
|
||||||
import org.elasticsearch.index.IndexModule;
|
|
||||||
import org.elasticsearch.index.IndexNotFoundException;
|
import org.elasticsearch.index.IndexNotFoundException;
|
||||||
import org.elasticsearch.marvel.MarvelSettings;
|
import org.elasticsearch.marvel.MarvelSettings;
|
||||||
import org.elasticsearch.marvel.MonitoredSystem;
|
import org.elasticsearch.marvel.MonitoredSystem;
|
||||||
|
@ -25,7 +24,6 @@ import org.elasticsearch.marvel.agent.exporter.MarvelTemplateUtils;
|
||||||
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
||||||
import org.elasticsearch.marvel.agent.resolver.MonitoringIndexNameResolver;
|
import org.elasticsearch.marvel.agent.resolver.MonitoringIndexNameResolver;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Shield;
|
|
||||||
import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
|
import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
|
||||||
import org.elasticsearch.shield.authc.support.Hasher;
|
import org.elasticsearch.shield.authc.support.Hasher;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.shield.authc.support.SecuredString;
|
||||||
|
@ -463,8 +461,6 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
Path folder = createTempDir().resolve("marvel_shield");
|
Path folder = createTempDir().resolve("marvel_shield");
|
||||||
Files.createDirectories(folder);
|
Files.createDirectories(folder);
|
||||||
|
|
||||||
builder.remove("index.queries.cache.type");
|
|
||||||
|
|
||||||
builder.put("shield.enabled", true)
|
builder.put("shield.enabled", true)
|
||||||
.put("shield.authc.realms.esusers.type", ESUsersRealm.TYPE)
|
.put("shield.authc.realms.esusers.type", ESUsersRealm.TYPE)
|
||||||
.put("shield.authc.realms.esusers.order", 0)
|
.put("shield.authc.realms.esusers.order", 0)
|
||||||
|
@ -473,10 +469,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES))
|
.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES))
|
||||||
.put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
|
.put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
|
||||||
.put("shield.authc.sign_user_header", false)
|
.put("shield.authc.sign_user_header", false)
|
||||||
.put("shield.audit.enabled", auditLogsEnabled)
|
.put("shield.audit.enabled", auditLogsEnabled);
|
||||||
// Test framework sometimes randomily selects the 'index' or 'none' cache and that makes the
|
|
||||||
// validation in ShieldPlugin fail. Shield can only run with this query cache impl
|
|
||||||
.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE);
|
|
||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
throw new RuntimeException("failed to build settings for shield", ex);
|
throw new RuntimeException("failed to build settings for shield", ex);
|
||||||
}
|
}
|
||||||
|
|
|
@ -109,7 +109,6 @@ public class Shield {
|
||||||
this.transportClientMode = XPackPlugin.transportClientMode(settings);
|
this.transportClientMode = XPackPlugin.transportClientMode(settings);
|
||||||
this.enabled = XPackPlugin.featureEnabled(settings, NAME, true);
|
this.enabled = XPackPlugin.featureEnabled(settings, NAME, true);
|
||||||
if (enabled && !transportClientMode) {
|
if (enabled && !transportClientMode) {
|
||||||
failIfShieldQueryCacheIsNotActive(settings, true);
|
|
||||||
validateAutoCreateIndex(settings);
|
validateAutoCreateIndex(settings);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -172,7 +171,6 @@ public class Shield {
|
||||||
settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Shield.NAME);
|
settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Shield.NAME);
|
||||||
addUserSettings(settingsBuilder);
|
addUserSettings(settingsBuilder);
|
||||||
addTribeSettings(settingsBuilder);
|
addTribeSettings(settingsBuilder);
|
||||||
addQueryCacheSettings(settingsBuilder);
|
|
||||||
return settingsBuilder.build();
|
return settingsBuilder.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -235,7 +233,11 @@ public class Shield {
|
||||||
}
|
}
|
||||||
if (transportClientMode == false) {
|
if (transportClientMode == false) {
|
||||||
module.registerQueryCache(Shield.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new);
|
module.registerQueryCache(Shield.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new);
|
||||||
failIfShieldQueryCacheIsNotActive(module.getSettings(), false);
|
/* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
|
||||||
|
* This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
|
||||||
|
* forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
|
||||||
|
* unauthorized users. */
|
||||||
|
module.forceQueryCacheType(Shield.OPT_OUT_QUERY_CACHE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -386,16 +388,6 @@ public class Shield {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
|
|
||||||
* This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
|
|
||||||
* forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
|
|
||||||
* unauthorized users.
|
|
||||||
*/
|
|
||||||
private void addQueryCacheSettings(Settings.Builder settingsBuilder) {
|
|
||||||
settingsBuilder.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE);
|
|
||||||
}
|
|
||||||
|
|
||||||
public static boolean enabled(Settings settings) {
|
public static boolean enabled(Settings settings) {
|
||||||
return XPackPlugin.featureEnabled(settings, NAME, true);
|
return XPackPlugin.featureEnabled(settings, NAME, true);
|
||||||
}
|
}
|
||||||
|
@ -404,21 +396,6 @@ public class Shield {
|
||||||
return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true);
|
return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void failIfShieldQueryCacheIsNotActive(Settings settings, boolean nodeSettings) {
|
|
||||||
String queryCacheImplementation;
|
|
||||||
if (nodeSettings) {
|
|
||||||
// in case this are node settings then the plugin additional settings have not been applied yet,
|
|
||||||
// so we use 'opt_out_cache' as default. So in that case we only fail if the node settings contain
|
|
||||||
// another cache impl than 'opt_out_cache'.
|
|
||||||
queryCacheImplementation = settings.get(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE);
|
|
||||||
} else {
|
|
||||||
queryCacheImplementation = settings.get(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey());
|
|
||||||
}
|
|
||||||
if (OPT_OUT_QUERY_CACHE.equals(queryCacheImplementation) == false) {
|
|
||||||
throw new IllegalStateException("shield does not support a user specified query cache. remove the setting [" + IndexModule
|
|
||||||
.INDEX_QUERY_CACHE_TYPE_SETTING.getKey() + "] with value [" + queryCacheImplementation + "]");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static void validateAutoCreateIndex(Settings settings) {
|
static void validateAutoCreateIndex(Settings settings) {
|
||||||
String value = settings.get("action.auto_create_index");
|
String value = settings.get("action.auto_create_index");
|
||||||
|
|
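Review bot: The forced cache type at `module.forceQueryCacheType(Shield.OPT_OUT_QUERY_CACHE)` replaces both calls to `failIfShieldQueryCacheIsNotActive`, so a node or index that still carries `index.queries.cache.type` with another value no longer gets an explicit error; presumably the value is now overridden silently, though the behaviour of `forceQueryCacheType` is not visible in these hunks. Since the comment says this override is what prevents field-level-security data leaking to unauthorized users, I would add an integration test that creates an index with a different `index.queries.cache.type` while Shield is enabled and asserts that `OptOutQueryCache` is the cache in effect, and consider logging when a user-supplied value is ignored. The new block comment would also read better as `This implementation disables the query cache when field level security is used for a request; without the forced override, cached data could leak to unauthorized users.` The enclosing method starts outside the hunk, so whether the `enabled` check that guarded the removed constructor validation also guards this branch cannot be confirmed from here.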
|
@ -10,7 +10,6 @@ import org.elasticsearch.ElasticsearchException;
|
||||||
import org.elasticsearch.Version;
|
import org.elasticsearch.Version;
|
||||||
import org.elasticsearch.common.io.PathUtils;
|
import org.elasticsearch.common.io.PathUtils;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.index.IndexModule;
|
|
||||||
import org.elasticsearch.node.MockNode;
|
import org.elasticsearch.node.MockNode;
|
||||||
import org.elasticsearch.node.Node;
|
import org.elasticsearch.node.Node;
|
||||||
import org.elasticsearch.shield.authc.esnative.ESNativeRealm;
|
import org.elasticsearch.shield.authc.esnative.ESNativeRealm;
|
||||||
|
@ -43,7 +42,6 @@ public class ShieldF {
|
||||||
settings.put("xpack.shield.enabled", "true");
|
settings.put("xpack.shield.enabled", "true");
|
||||||
// Disable Monitoring to prevent cluster activity
|
// Disable Monitoring to prevent cluster activity
|
||||||
settings.put("xpack.monitoring.enabled", "false");
|
settings.put("xpack.monitoring.enabled", "false");
|
||||||
settings.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE);
|
|
||||||
settings.put("cluster.name", ShieldF.class.getSimpleName());
|
settings.put("cluster.name", ShieldF.class.getSimpleName());
|
||||||
|
|
||||||
String homeDir = System.getProperty("es.path.home");
|
String homeDir = System.getProperty("es.path.home");
|
||||||
|
|
|
@ -21,7 +21,6 @@ import org.elasticsearch.common.transport.DummyTransportAddress;
|
||||||
import org.elasticsearch.common.transport.InetSocketTransportAddress;
|
import org.elasticsearch.common.transport.InetSocketTransportAddress;
|
||||||
import org.elasticsearch.common.transport.LocalTransportAddress;
|
import org.elasticsearch.common.transport.LocalTransportAddress;
|
||||||
import org.elasticsearch.common.transport.TransportAddress;
|
import org.elasticsearch.common.transport.TransportAddress;
|
||||||
import org.elasticsearch.index.IndexModule;
|
|
||||||
import org.elasticsearch.index.IndexNotFoundException;
|
import org.elasticsearch.index.IndexNotFoundException;
|
||||||
import org.elasticsearch.rest.RestRequest;
|
import org.elasticsearch.rest.RestRequest;
|
||||||
import org.elasticsearch.search.SearchHit;
|
import org.elasticsearch.search.SearchHit;
|
||||||
|
@ -168,14 +167,6 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
|
||||||
Settings.Builder builder = Settings.builder()
|
Settings.Builder builder = Settings.builder()
|
||||||
.put(super.nodeSettings(nodeOrdinal))
|
.put(super.nodeSettings(nodeOrdinal))
|
||||||
.put(XPackPlugin.featureEnabledSetting(Shield.NAME), useShield);
|
.put(XPackPlugin.featureEnabledSetting(Shield.NAME), useShield);
|
||||||
|
|
||||||
// For tests we forcefully configure Shield's custom query cache because the test framework
|
|
||||||
// randomizes the query cache impl but if shield is disabled then we don't need to forcefully
|
|
||||||
// set the query cache
|
|
||||||
if (useShield == false) {
|
|
||||||
builder.remove(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey());
|
|
||||||
}
|
|
||||||
|
|
||||||
return builder.build();
|
return builder.build();
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
|
@ -9,10 +9,8 @@ import org.elasticsearch.ElasticsearchException;
|
||||||
import org.elasticsearch.common.io.PathUtils;
|
import org.elasticsearch.common.io.PathUtils;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.index.IndexModule;
|
|
||||||
import org.elasticsearch.marvel.Marvel;
|
import org.elasticsearch.marvel.Marvel;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Shield;
|
|
||||||
import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
|
import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
|
||||||
import org.elasticsearch.shield.authc.esnative.ESNativeRealm;
|
import org.elasticsearch.shield.authc.esnative.ESNativeRealm;
|
||||||
import org.elasticsearch.shield.authc.support.Hasher;
|
import org.elasticsearch.shield.authc.support.Hasher;
|
||||||
|
@ -136,9 +134,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
|
||||||
.put("shield.authc.realms.index.type", ESNativeRealm.TYPE)
|
.put("shield.authc.realms.index.type", ESNativeRealm.TYPE)
|
||||||
.put("shield.authc.realms.index.order", "1")
|
.put("shield.authc.realms.index.order", "1")
|
||||||
.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", configRoles()))
|
.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", configRoles()))
|
||||||
// Test framework sometimes randomly selects the 'index' or 'none' cache and that makes the
|
|
||||||
// validation in ShieldPlugin fail.
|
|
||||||
.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE)
|
|
||||||
.put(getNodeSSLSettings());
|
.put(getNodeSSLSettings());
|
||||||
|
|
||||||
return builder.build();
|
return builder.build();
|
||||||
|
|
|
@ -21,14 +21,12 @@ import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.Callback;
|
import org.elasticsearch.common.util.Callback;
|
||||||
import org.elasticsearch.common.xcontent.XContentHelper;
|
import org.elasticsearch.common.xcontent.XContentHelper;
|
||||||
import org.elasticsearch.common.xcontent.support.XContentMapValues;
|
import org.elasticsearch.common.xcontent.support.XContentMapValues;
|
||||||
import org.elasticsearch.index.IndexModule;
|
|
||||||
import org.elasticsearch.index.query.QueryBuilder;
|
import org.elasticsearch.index.query.QueryBuilder;
|
||||||
import org.elasticsearch.marvel.Marvel;
|
import org.elasticsearch.marvel.Marvel;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.script.MockMustacheScriptEngine;
|
import org.elasticsearch.script.MockMustacheScriptEngine;
|
||||||
import org.elasticsearch.search.SearchHit;
|
import org.elasticsearch.search.SearchHit;
|
||||||
import org.elasticsearch.search.builder.SearchSourceBuilder;
|
import org.elasticsearch.search.builder.SearchSourceBuilder;
|
||||||
import org.elasticsearch.shield.Shield;
|
|
||||||
import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
|
import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
|
||||||
import org.elasticsearch.shield.authc.support.Hasher;
|
import org.elasticsearch.shield.authc.support.Hasher;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.shield.authc.support.SecuredString;
|
||||||
|
@ -719,9 +717,6 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
|
||||||
.put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
|
.put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
|
||||||
.put("shield.authc.sign_user_header", false)
|
.put("shield.authc.sign_user_header", false)
|
||||||
.put("shield.audit.enabled", auditLogsEnabled)
|
.put("shield.audit.enabled", auditLogsEnabled)
|
||||||
// Test framework sometimes randomily selects the 'index' or 'none' cache and that makes the
|
|
||||||
// validation in ShieldPlugin fail. Shield can only run with this query cache impl
|
|
||||||
.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE)
|
|
||||||
.build();
|
.build();
|
||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
throw new RuntimeException("failed to build settings for shield", ex);
|
throw new RuntimeException("failed to build settings for shield", ex);
|
||||||
|
|