Use IndexModule#forceQueryCacheType instead of overriding configrations

This is a follow-up to elastic/elasticsearch#16799, which prevents setting index-level
settings at the node level.

Original commit: elastic/x-pack-elasticsearch@80d1819ab3
Simon Willnauer 2016-03-17 14:25:38 +01:00
parent b6d279fc7f
commit 214b4f269a
6 changed files with 6 additions and 57 deletions


@ -16,7 +16,6 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.CountDown; import org.elasticsearch.common.util.concurrent.CountDown;
import org.elasticsearch.common.xcontent.ToXContent; import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.marvel.MarvelSettings; import org.elasticsearch.marvel.MarvelSettings;
import org.elasticsearch.marvel.MonitoredSystem; import org.elasticsearch.marvel.MonitoredSystem;
@ -25,7 +24,6 @@ import org.elasticsearch.marvel.agent.exporter.MarvelTemplateUtils;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.agent.resolver.MonitoringIndexNameResolver; import org.elasticsearch.marvel.agent.resolver.MonitoringIndexNameResolver;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Shield;
import org.elasticsearch.shield.authc.esusers.ESUsersRealm; import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.Hasher;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.SecuredString;
@ -463,8 +461,6 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
Path folder = createTempDir().resolve("marvel_shield"); Path folder = createTempDir().resolve("marvel_shield");
Files.createDirectories(folder); Files.createDirectories(folder);
builder.remove("index.queries.cache.type");
builder.put("shield.enabled", true) builder.put("shield.enabled", true)
.put("shield.authc.realms.esusers.type", ESUsersRealm.TYPE) .put("shield.authc.realms.esusers.type", ESUsersRealm.TYPE)
.put("shield.authc.realms.esusers.order", 0) .put("shield.authc.realms.esusers.order", 0)
@ -473,10 +469,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES)) .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES))
.put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey)) .put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
.put("shield.authc.sign_user_header", false) .put("shield.authc.sign_user_header", false)
.put("shield.audit.enabled", auditLogsEnabled) .put("shield.audit.enabled", auditLogsEnabled);
// Test framework sometimes randomily selects the 'index' or 'none' cache and that makes the
// validation in ShieldPlugin fail. Shield can only run with this query cache impl
.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE);
} catch (IOException ex) { } catch (IOException ex) {
throw new RuntimeException("failed to build settings for shield", ex); throw new RuntimeException("failed to build settings for shield", ex);
} }


@ -109,7 +109,6 @@ public class Shield {
this.transportClientMode = XPackPlugin.transportClientMode(settings); this.transportClientMode = XPackPlugin.transportClientMode(settings);
this.enabled = XPackPlugin.featureEnabled(settings, NAME, true); this.enabled = XPackPlugin.featureEnabled(settings, NAME, true);
if (enabled && !transportClientMode) { if (enabled && !transportClientMode) {
failIfShieldQueryCacheIsNotActive(settings, true);
validateAutoCreateIndex(settings); validateAutoCreateIndex(settings);
} }
} }
@ -172,7 +171,6 @@ public class Shield {
settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Shield.NAME); settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Shield.NAME);
addUserSettings(settingsBuilder); addUserSettings(settingsBuilder);
addTribeSettings(settingsBuilder); addTribeSettings(settingsBuilder);
addQueryCacheSettings(settingsBuilder);
return settingsBuilder.build(); return settingsBuilder.build();
} }
@ -235,7 +233,11 @@ public class Shield {
} }
if (transportClientMode == false) { if (transportClientMode == false) {
module.registerQueryCache(Shield.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new); module.registerQueryCache(Shield.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new);
failIfShieldQueryCacheIsNotActive(module.getSettings(), false); /* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
* This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
* forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
* unauthorized users. */
module.forceQueryCacheType(Shield.OPT_OUT_QUERY_CACHE);
} }
} }
@ -386,16 +388,6 @@ public class Shield {
} }
} }
/**
* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
* This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
* forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
* unauthorized users.
*/
private void addQueryCacheSettings(Settings.Builder settingsBuilder) {
settingsBuilder.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE);
}
public static boolean enabled(Settings settings) { public static boolean enabled(Settings settings) {
return XPackPlugin.featureEnabled(settings, NAME, true); return XPackPlugin.featureEnabled(settings, NAME, true);
} }
@ -404,21 +396,6 @@ public class Shield {
return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true); return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true);
} }
private void failIfShieldQueryCacheIsNotActive(Settings settings, boolean nodeSettings) {
String queryCacheImplementation;
if (nodeSettings) {
// in case this are node settings then the plugin additional settings have not been applied yet,
// so we use 'opt_out_cache' as default. So in that case we only fail if the node settings contain
// another cache impl than 'opt_out_cache'.
queryCacheImplementation = settings.get(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE);
} else {
queryCacheImplementation = settings.get(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey());
}
if (OPT_OUT_QUERY_CACHE.equals(queryCacheImplementation) == false) {
throw new IllegalStateException("shield does not support a user specified query cache. remove the setting [" + IndexModule
.INDEX_QUERY_CACHE_TYPE_SETTING.getKey() + "] with value [" + queryCacheImplementation + "]");
}
}
static void validateAutoCreateIndex(Settings settings) { static void validateAutoCreateIndex(Settings settings) {
String value = settings.get("action.auto_create_index"); String value = settings.get("action.auto_create_index");
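Review bot: With `failIfShieldQueryCacheIsNotActive` removed, the `module.forceQueryCacheType(Shield.OPT_OUT_QUERY_CACHE)` call in the `transportClientMode == false` branch becomes the only guard keeping field-level-security requests off a shared query cache, and nothing in this commit tests it. The old check stopped startup with an `IllegalStateException` when `index.queries.cache.type` named another implementation, whereas the new call presumably overrides such a value silently, so a regression here would show up as leaked cached results rather than a failed node. A test that creates an index with a different `index.queries.cache.type` and asserts that the index still uses `OptOutQueryCache` would pin that property. The relocated comment could also be tightened, for example `/* Force Shield's opt-out query cache: it disables caching for requests that use field level security. Without the override, cached results could leak to unauthorized users. */`. The enclosing method starts and ends outside the hunk, so whether this branch is also gated on Shield being enabled cannot be confirmed from here.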


@ -10,7 +10,6 @@ import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.Version; import org.elasticsearch.Version;
import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.node.MockNode; import org.elasticsearch.node.MockNode;
import org.elasticsearch.node.Node; import org.elasticsearch.node.Node;
import org.elasticsearch.shield.authc.esnative.ESNativeRealm; import org.elasticsearch.shield.authc.esnative.ESNativeRealm;
@ -43,7 +42,6 @@ public class ShieldF {
settings.put("xpack.shield.enabled", "true"); settings.put("xpack.shield.enabled", "true");
// Disable Monitoring to prevent cluster activity // Disable Monitoring to prevent cluster activity
settings.put("xpack.monitoring.enabled", "false"); settings.put("xpack.monitoring.enabled", "false");
settings.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE);
settings.put("cluster.name", ShieldF.class.getSimpleName()); settings.put("cluster.name", ShieldF.class.getSimpleName());
String homeDir = System.getProperty("es.path.home"); String homeDir = System.getProperty("es.path.home");


@ -21,7 +21,6 @@ import org.elasticsearch.common.transport.DummyTransportAddress;
import org.elasticsearch.common.transport.InetSocketTransportAddress; import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.transport.LocalTransportAddress; import org.elasticsearch.common.transport.LocalTransportAddress;
import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.rest.RestRequest; import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.search.SearchHit; import org.elasticsearch.search.SearchHit;
@ -168,14 +167,6 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
Settings.Builder builder = Settings.builder() Settings.Builder builder = Settings.builder()
.put(super.nodeSettings(nodeOrdinal)) .put(super.nodeSettings(nodeOrdinal))
.put(XPackPlugin.featureEnabledSetting(Shield.NAME), useShield); .put(XPackPlugin.featureEnabledSetting(Shield.NAME), useShield);
// For tests we forcefully configure Shield's custom query cache because the test framework
// randomizes the query cache impl but if shield is disabled then we don't need to forcefully
// set the query cache
if (useShield == false) {
builder.remove(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey());
}
return builder.build(); return builder.build();
} }
}; };


@ -9,10 +9,8 @@ import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.marvel.Marvel; import org.elasticsearch.marvel.Marvel;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Shield;
import org.elasticsearch.shield.authc.esusers.ESUsersRealm; import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
import org.elasticsearch.shield.authc.esnative.ESNativeRealm; import org.elasticsearch.shield.authc.esnative.ESNativeRealm;
import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.Hasher;
@ -136,9 +134,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
.put("shield.authc.realms.index.type", ESNativeRealm.TYPE) .put("shield.authc.realms.index.type", ESNativeRealm.TYPE)
.put("shield.authc.realms.index.order", "1") .put("shield.authc.realms.index.order", "1")
.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", configRoles())) .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", configRoles()))
// Test framework sometimes randomly selects the 'index' or 'none' cache and that makes the
// validation in ShieldPlugin fail.
.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE)
.put(getNodeSSLSettings()); .put(getNodeSSLSettings());
return builder.build(); return builder.build();


@ -21,14 +21,12 @@ import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Callback; import org.elasticsearch.common.util.Callback;
import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.common.xcontent.support.XContentMapValues; import org.elasticsearch.common.xcontent.support.XContentMapValues;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.index.query.QueryBuilder; import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.marvel.Marvel; import org.elasticsearch.marvel.Marvel;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.script.MockMustacheScriptEngine; import org.elasticsearch.script.MockMustacheScriptEngine;
import org.elasticsearch.search.SearchHit; import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.builder.SearchSourceBuilder; import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.shield.Shield;
import org.elasticsearch.shield.authc.esusers.ESUsersRealm; import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.Hasher;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.SecuredString;
@ -719,9 +717,6 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
.put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey)) .put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
.put("shield.authc.sign_user_header", false) .put("shield.authc.sign_user_header", false)
.put("shield.audit.enabled", auditLogsEnabled) .put("shield.audit.enabled", auditLogsEnabled)
// Test framework sometimes randomily selects the 'index' or 'none' cache and that makes the
// validation in ShieldPlugin fail. Shield can only run with this query cache impl
.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), Shield.OPT_OUT_QUERY_CACHE)
.build(); .build();
} catch (IOException ex) { } catch (IOException ex) {
throw new RuntimeException("failed to build settings for shield", ex); throw new RuntimeException("failed to build settings for shield", ex);