diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/SecurityLifecycleService.java b/plugin/src/main/java/org/elasticsearch/xpack/security/SecurityLifecycleService.java index 9479f22110a..d7a3ac1781e 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/SecurityLifecycleService.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/SecurityLifecycleService.java @@ -191,7 +191,8 @@ public class SecurityLifecycleService extends AbstractComponent implements Clust securityIndex.createIndexIfNeededThenExecute(listener, andThen); } else { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); } } diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java index ea2d7be226f..055b41e8cae 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java @@ -256,7 +256,8 @@ public final class TokenService extends AbstractComponent { ensureEnabled(); if (lifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } else if (lifecycleService.isSecurityIndexWriteable() == false) { listener.onFailure(new IllegalStateException("cannot write to the tokens index")); 
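Review bot: The new out-of-date message in the SecurityLifecycleService.java hunk is written as an inline two-part string literal, and the same literal is pasted again in every other guard this commit touches (TokenService, NativeUsersStore, NativeRoleMappingStore, NativeRolesStore). The copies have already drifted: the `@@ -114` hunk in NativeUsersStore breaks the literal at a different point, and the `@@ -526` hunk loses a word. Defining the text once in SecurityLifecycleService and building the exception there, for example `static IllegalStateException securityIndexOutOfDate() { return new IllegalStateException(OUT_OF_DATE_MESSAGE); }`, would let each guard call `listener.onFailure(securityIndexOutOfDate())` and keep the operator-facing wording identical on every path. The wording also names only the native realm, while the same text is returned from the token, role and role-mapping paths; if those are not considered part of the native realm, the shared message should say what is actually unavailable.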
@@ -322,7 +323,8 @@ public final class TokenService extends AbstractComponent { if (lifecycleService.isSecurityIndexAvailable()) { if (lifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } internalClient.prepareGet(SecurityLifecycleService.SECURITY_INDEX_NAME, TYPE, getDocumentId(userToken)) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java index 14a87092834..c864857f97a 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java @@ -114,7 +114,8 @@ public class NativeUsersStore extends AbstractComponent { } else { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational " + + "until the upgrade API is run on the security index")); return; } try { @@ -150,7 +151,8 @@ public class NativeUsersStore extends AbstractComponent { private void getUserAndPassword(final String user, final ActionListener listener) { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } try { 
@@ -197,7 +199,8 @@ public class NativeUsersStore extends AbstractComponent { return; } else if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } else if (securityLifecycleService.isSecurityIndexWriteable() == false) { listener.onFailure(new IllegalStateException("password cannot be changed as user service cannot write until template and " + @@ -249,7 +252,8 @@ public class NativeUsersStore extends AbstractComponent { private void createReservedUser(String username, char[] passwordHash, RefreshPolicy refresh, ActionListener listener) { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } securityLifecycleService.createIndexIfNeededThenExecute(listener, () -> @@ -282,7 +286,8 @@ public class NativeUsersStore extends AbstractComponent { return; } else if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } else if (securityLifecycleService.isSecurityIndexWriteable() == false) { listener.onFailure(new IllegalStateException("user cannot be created or changed as the user service cannot write until " + 
@@ -384,7 +389,8 @@ public class NativeUsersStore extends AbstractComponent { return; } else if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } else if (securityLifecycleService.isSecurityIndexWriteable() == false) { listener.onFailure(new IllegalStateException("enabled status cannot be changed as user service cannot write until template " + @@ -471,7 +477,8 @@ public class NativeUsersStore extends AbstractComponent { return; } else if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } else if (securityLifecycleService.isSecurityIndexWriteable() == false) { listener.onFailure(new IllegalStateException("user cannot be deleted as user service cannot write until template and " + @@ -526,7 +533,8 @@ public class NativeUsersStore extends AbstractComponent { return; } else if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm not be operational until " + + "the upgrade API is run on the security index")); return; } client.prepareGet(SecurityLifecycleService.SECURITY_INDEX_NAME, INDEX_TYPE, getIdForUser(RESERVED_USER_TYPE, username)) 
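Review bot: The added message in the last hunk on this line (`@@ -526,7 +533,8` in NativeUsersStore.java) reads "the native realm not be operational"; the word "will" is missing, so this guard returns a different string from every other out-of-date check in the commit. The added line should be `"Security index is not on the current version - the native realm will not be operational until " +`. Anything that matches on the full text, as the FullClusterRestartIT assertion in this commit does, would not recognise the failure from this path. The enclosing method starts outside the hunk.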
@@ -570,7 +578,8 @@ public class NativeUsersStore extends AbstractComponent { void getAllReservedUserInfo(ActionListener> listener) { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } client.prepareSearch(SecurityLifecycleService.SECURITY_INDEX_NAME) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java index ed917fb033c..3814d1d5f68 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.java @@ -98,7 +98,8 @@ public class NativeRoleMappingStore extends AbstractComponent implements UserRol void loadMappings(ActionListener> listener) { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } final QueryBuilder query = QueryBuilders.termQuery(DOC_TYPE_FIELD, DOC_TYPE_ROLE_MAPPING); 
@@ -153,7 +154,8 @@ public class NativeRoleMappingStore extends AbstractComponent implements UserRol listener.onFailure(new UnsupportedOperationException("role-mappings may not be modified using a tribe node")); } else if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); } else if (securityLifecycleService.isSecurityIndexWriteable() == false) { listener.onFailure(new IllegalStateException("role-mappings cannot be modified until template and mappings are up to date")); } else { @@ -198,7 +200,8 @@ public class NativeRoleMappingStore extends AbstractComponent implements UserRol private void innerDeleteMapping(DeleteRoleMappingRequest request, ActionListener listener) throws IOException { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } client.prepareDelete(SECURITY_INDEX_NAME, SECURITY_GENERIC_TYPE, getIdForName(request.getName())) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java index a0085f43e01..3bec9ec7667 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java 
@@ -106,7 +106,8 @@ public class NativeRolesStore extends AbstractComponent { listener::onFailure)); } else if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } else { try { @@ -139,7 +140,8 @@ public class NativeRolesStore extends AbstractComponent { return; } else if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } else if (securityLifecycleService.isSecurityIndexWriteable() == false) { listener.onFailure(new IllegalStateException("role cannot be deleted as service cannot write until template and " + @@ -191,7 +193,8 @@ public class NativeRolesStore extends AbstractComponent { void innerPutRole(final PutRoleRequest request, final RoleDescriptor role, final ActionListener listener) { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } try { 
@@ -236,7 +239,8 @@ public class NativeRolesStore extends AbstractComponent { } else { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } client.prepareMultiSearch() @@ -321,7 +325,8 @@ public class NativeRolesStore extends AbstractComponent { private void executeGetRoleRequest(String role, ActionListener listener) { if (securityLifecycleService.isSecurityIndexOutOfDate()) { listener.onFailure(new IllegalStateException( - "Security index is not on the current version - please upgrade with the upgrade api")); + "Security index is not on the current version - the native realm will not be operational until " + + "the upgrade API is run on the security index")); return; } try { diff --git a/qa/full-cluster-restart/src/test/java/org/elasticsearch/xpack/restart/FullClusterRestartIT.java b/qa/full-cluster-restart/src/test/java/org/elasticsearch/xpack/restart/FullClusterRestartIT.java index cf300bc3f64..96556110f3a 100644 --- a/qa/full-cluster-restart/src/test/java/org/elasticsearch/xpack/restart/FullClusterRestartIT.java +++ b/qa/full-cluster-restart/src/test/java/org/elasticsearch/xpack/restart/FullClusterRestartIT.java @@ -10,6 +10,7 @@ import org.apache.http.entity.StringEntity; import org.apache.http.util.EntityUtils; import org.elasticsearch.Version; import org.elasticsearch.client.Response; +import org.elasticsearch.client.ResponseException; import org.elasticsearch.common.Booleans; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; 
@@ -111,8 +112,16 @@ public class FullClusterRestartIT extends ESRestTestCase { createUser("preupgrade_user"); createRole("preupgrade_role"); } else { - // run upgrade API first waitForYellow(".security"); + // without upgrade, an error should be thrown + try { + createUser("postupgrade_user"); + fail("should not be able to add a user when upgrade hasn't taken place"); + } catch (ResponseException e) { + assertThat(e.getMessage(), containsString("Security index is not on the current version - " + + "the native realm will not be operational until the upgrade API is run on the security index")); + } + // run upgrade API client().performRequest("POST", "_xpack/migration/upgrade/.security"); // create additional user and role createUser("postupgrade_user");
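Review bot: The new pre-upgrade check covers only the user-creation guard and asserts on the exception text alone, so the role, role-mapping and token guards changed in this commit stay untested. `createRole` is already used in this test, so the same try / `fail(...)` / `catch (ResponseException e)` pattern around `createRole("postupgrade_role")`, placed before the upgrade request, would exercise the NativeRolesStore guard too. Adding an assertion on `e.getResponse().getStatusLine().getStatusCode()` would pin that the request was rejected, not merely that the text appears somewhere in the response. The expected status is not visible in this diff and needs confirming. The test method begins and ends outside the hunk.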