honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Ip Filtering: Change default rule to allow 

In order to prevent confusion when starting up nodes (so they can join easily together)
and adding some usability connections are not denied by default on the server side.

Original commit: elastic/x-pack-elasticsearch@6ffe3a7df2
This commit is contained in:
Alexander Reelsen 2014-10-01 12:00:42 +02:00
parent a47de7539c
commit 464bc0a752
3 changed files with 15 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/main/java/org/elasticsearch/shield/transport/n2n/IPFilteringN2NAuthenticator.java
View File

@ -129,14 +129,14 @@ public class IPFilteringN2NAuthenticator extends AbstractComponent implements N2
public boolean authenticate(@Nullable Principal peerPrincipal, InetAddress peerAddress, int peerPort) { public boolean authenticate(@Nullable Principal peerPrincipal, InetAddress peerAddress, int peerPort) {
for (IpFilterRule rule : rules) { for (IpFilterRule rule : rules) {
if (rule.contains(peerAddress)) { if (rule.contains(peerAddress)) {
boolean isAllowed = rule.isAllowRule(); boolean isAllowed = rule.isAllowRule();
logger.trace("Authentication rule matched for host [{}]: {}", peerAddress, isAllowed); logger.trace("Authentication rule matched for host [{}]: {}", peerAddress, isAllowed);
return isAllowed; return isAllowed;
} }
} }
logger.trace("Rejecting host {}", peerAddress); logger.trace("Allowing host {}", peerAddress);
return false; return true;
} }
private class FileListener extends FileChangesListener { private class FileListener extends FileChangesListener {

15
src/test/java/org/elasticsearch/shield/transport/n2n/IPFilteringN2NAuthenticatorTests.java
View File

@ -71,10 +71,13 @@ public class IPFilteringN2NAuthenticatorTests extends ElasticsearchTestCase {
@Test @Test
public void testThatIpV6AddressesCanBeProcessed() throws Exception { public void testThatIpV6AddressesCanBeProcessed() throws Exception {
writeConfigFile("allow: 2001:0db8:1234::/48\ndeny: 1234:0db8:85a3:0000:0000:8a2e:0370:7334"); // you have to use the shortest possible notation in order to match, so
// 1234:0db8:85a3:0000:0000:8a2e:0370:7334 becomes 1234:db8:85a3:0:0:8a2e:370:7334
writeConfigFile("allow: 2001:0db8:1234::/48\ndeny: 1234:db8:85a3:0:0:8a2e:370:7334\ndeny: 4321:db8:1234::/48");
assertAddressIsAllowed("2001:0db8:1234:0000:0000:8a2e:0370:7334"); assertAddressIsAllowed("2001:0db8:1234:0000:0000:8a2e:0370:7334");
assertAddressIsDenied("1234:0db8:85a3:0000:0000:8a2e:0370:7334"); assertAddressIsDenied("1234:0db8:85a3:0000:0000:8a2e:0370:7334");
assertAddressIsDenied("4321:0db8:1234:0000:0000:8a2e:0370:7334");
} }
@Test @Test
@ -82,20 +85,20 @@ public class IPFilteringN2NAuthenticatorTests extends ElasticsearchTestCase {
writeConfigFile("allow: localhost\ndeny: '*.google.com'"); writeConfigFile("allow: localhost\ndeny: '*.google.com'");
assertAddressIsAllowed("127.0.0.1"); assertAddressIsAllowed("127.0.0.1");
assertAddressIsDenied("173.194.70.100"); assertAddressIsDenied("8.8.8.8");
} }
@Test @Test
public void testThatFileDeletionResultsInAllowingAll() throws Exception { public void testThatFileDeletionResultsInAllowingAll() throws Exception {
writeConfigFile("allow: 127.0.0.1"); writeConfigFile("deny: 127.0.0.1");
assertAddressIsAllowed("127.0.0.1"); assertAddressIsDenied("127.0.0.1");
configFile.delete(); configFile.delete();
assertThat(configFile.exists(), is(false)); assertThat(configFile.exists(), is(false));
sleep(250); sleep(250);
assertAddressIsDenied("127.0.0.1"); assertAddressIsAllowed("127.0.0.1");
} }
@Test @Test
@ -133,7 +136,7 @@ public class IPFilteringN2NAuthenticatorTests extends ElasticsearchTestCase {
public void testThatEmptyFileDoesNotLeadIntoLoop() throws Exception { public void testThatEmptyFileDoesNotLeadIntoLoop() throws Exception {
writeConfigFile("# \n\n"); writeConfigFile("# \n\n");
assertAddressIsDenied("127.0.0.1"); assertAddressIsAllowed("127.0.0.1");
} }
@Test(expected = ElasticsearchParseException.class) @Test(expected = ElasticsearchParseException.class)

10
src/test/java/org/elasticsearch/shield/transport/n2n/IpFilteringIntegrationTests.java
View File

@ -39,13 +39,9 @@ public class IpFilteringIntegrationTests extends ShieldIntegrationTest {
protected Settings nodeSettings(int nodeOrdinal) { protected Settings nodeSettings(int nodeOrdinal) {
ImmutableSettings.Builder builder = settingsBuilder().put(super.nodeSettings(nodeOrdinal)); ImmutableSettings.Builder builder = settingsBuilder().put(super.nodeSettings(nodeOrdinal));
builder.put(InternalNode.HTTP_ENABLED, true); builder.put(InternalNode.HTTP_ENABLED, true);
// either deny all or do not have a configuration file, as this denies by default
if (getRandom().nextBoolean()) { File folder = newFolder();
File folder = newFolder(); builder.put("shield.transport.n2n.ip_filter.file", writeFile(folder, "ip_filter.yml", CONFIG_IPFILTER_DENY_ALL));
builder.put("shield.transport.n2n.ip_filter.file", writeFile(folder, "ip_filter.yml", CONFIG_IPFILTER_DENY_ALL));
} else {
builder.remove("shield.transport.n2n.ip_filter.file");
}
return builder.build(); return builder.build();
} }