Merge branch 'master' into config-prefix
Original commit: elastic/x-pack-elasticsearch@d65b27d7cc
This commit is contained in:
Joe Fleming
commit
65b3c878a3
|
|
@ -53,7 +53,8 @@ public class ShieldCachePermissionIT extends ShieldIntegTestCase {
|
|||
return super.configRoles()
|
||||
+ "\nread_one_idx:\n"
|
||||
+ " indices:\n"
|
||||
+ " 'data': READ\n";
|
||||
+ " 'data':\n"
|
||||
+ " - read\n";
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
|||
|
|
@ -13,13 +13,13 @@ minimal:
|
|||
indices:
|
||||
- names: source
|
||||
privileges:
|
||||
- search
|
||||
- read
|
||||
- write
|
||||
- create_index
|
||||
- indices:admin/refresh
|
||||
- names: dest
|
||||
privileges:
|
||||
- search
|
||||
- read
|
||||
- write
|
||||
- create_index
|
||||
- indices:admin/refresh
|
||||
|
|
@ -28,7 +28,7 @@ minimal:
|
|||
readonly:
|
||||
indices:
|
||||
- names: '*'
|
||||
privileges: [ search ]
|
||||
privileges: [ read ]
|
||||
|
||||
# Write operations on destination index, none on source index
|
||||
dest_only:
|
||||
|
|
@ -41,7 +41,7 @@ can_not_see_hidden_docs:
|
|||
indices:
|
||||
- names: source
|
||||
privileges:
|
||||
- search
|
||||
- read
|
||||
- write
|
||||
- create_index
|
||||
- indices:admin/refresh
|
||||
|
|
@ -52,7 +52,7 @@ can_not_see_hidden_docs:
|
|||
hidden: true
|
||||
- names: dest
|
||||
privileges:
|
||||
- search
|
||||
- read
|
||||
- write
|
||||
- create_index
|
||||
- indices:admin/refresh
|
||||
|
|
@ -62,7 +62,7 @@ can_not_see_hidden_fields:
|
|||
indices:
|
||||
- names: source
|
||||
privileges:
|
||||
- search
|
||||
- read
|
||||
- write
|
||||
- create_index
|
||||
- indices:admin/refresh
|
||||
|
|
@ -71,7 +71,7 @@ can_not_see_hidden_fields:
|
|||
- bar
|
||||
- names: dest
|
||||
privileges:
|
||||
- search
|
||||
- read
|
||||
- write
|
||||
- create_index
|
||||
- indices:admin/refresh
|
||||
|
|
|
|||
|
|
@ -4,12 +4,12 @@ admin:
|
|||
'*': all
|
||||
|
||||
watcher_manager:
|
||||
cluster: manage_watcher, cluster:monitor/nodes/info, cluster:monitor/health
|
||||
cluster: manage
|
||||
indices:
|
||||
'.watcher-history-*': all
|
||||
|
||||
watcher_monitor:
|
||||
cluster: monitor_watcher
|
||||
cluster: monitor
|
||||
indices:
|
||||
'.watcher-history-*': read
|
||||
|
||||
|
|
|
|||
|
|
@ -12,8 +12,8 @@ graph_explorer:
|
|||
indices:
|
||||
- names: '*'
|
||||
privileges:
|
||||
- graph
|
||||
- indices:data/write/index
|
||||
- read
|
||||
- write
|
||||
- indices:admin/refresh
|
||||
- indices:admin/create
|
||||
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ public class GraphWithShieldInsufficientRoleIT extends GraphWithShieldIT {
|
|||
super.test();
|
||||
fail();
|
||||
} catch(AssertionError ae) {
|
||||
assertThat(ae.getMessage(), containsString("action [indices:data/read/graph/explore"));
|
||||
assertThat(ae.getMessage(), containsString("action [indices:data/read/xpack/graph/explore"));
|
||||
assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
|
||||
assertThat(ae.getMessage(), containsString("is unauthorized for user [no_graph_explorer]"));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,9 +8,7 @@ admin:
|
|||
|
||||
watcher_manager:
|
||||
cluster:
|
||||
- manage_watcher
|
||||
- cluster:monitor/nodes/info
|
||||
- cluster:monitor/health
|
||||
- manage
|
||||
indices:
|
||||
- names: '.watcher-history-*'
|
||||
privileges:
|
||||
|
|
@ -21,7 +19,7 @@ watcher_manager:
|
|||
|
||||
watcher_monitor:
|
||||
cluster:
|
||||
- monitor_watcher
|
||||
- monitor
|
||||
indices:
|
||||
- names: '.watcher-history-*'
|
||||
privileges:
|
||||
|
|
|
|||
|
|
@ -10,7 +10,6 @@ import java.util.Collection;
|
|||
import java.util.Collections;
|
||||
|
||||
import org.elasticsearch.action.ActionModule;
|
||||
import org.elasticsearch.action.search.SearchAction;
|
||||
import org.elasticsearch.common.component.LifecycleComponent;
|
||||
import org.elasticsearch.common.inject.Module;
|
||||
import org.elasticsearch.common.network.NetworkModule;
|
||||
|
|
@ -23,8 +22,6 @@ import org.elasticsearch.graph.license.GraphLicensee;
|
|||
import org.elasticsearch.graph.license.GraphModule;
|
||||
import org.elasticsearch.graph.rest.action.RestGraphAction;
|
||||
import org.elasticsearch.plugins.Plugin;
|
||||
import org.elasticsearch.search.action.SearchTransportService;
|
||||
import org.elasticsearch.shield.Shield;
|
||||
import org.elasticsearch.xpack.XPackPlugin;
|
||||
|
||||
public class Graph extends Plugin {
|
||||
|
|
@ -37,11 +34,6 @@ public class Graph extends Plugin {
|
|||
public Graph(Settings settings) {
|
||||
this.transportClientMode = XPackPlugin.transportClientMode(settings);
|
||||
enabled = enabled(settings);
|
||||
// adding the graph privileges to shield
|
||||
if (Shield.enabled(settings)) {
|
||||
Shield.registerIndexPrivilege( "graph", GraphExploreAction.NAME, SearchTransportService.QUERY_ACTION_NAME,
|
||||
SearchAction.NAME, SearchTransportService.QUERY_FETCH_ACTION_NAME);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ public class GraphExploreAction extends Action<GraphExploreRequest, GraphExplore
|
|||
GraphExploreRequestBuilder> {
|
||||
|
||||
public static final GraphExploreAction INSTANCE = new GraphExploreAction();
|
||||
public static final String NAME = "indices:data/read/graph/explore";
|
||||
public static final String NAME = "indices:data/read/xpack/graph/explore";
|
||||
|
||||
private GraphExploreAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@
|
|||
settings:
|
||||
index:
|
||||
number_of_replicas: 0
|
||||
number_of_shards: 1
|
||||
mappings:
|
||||
test:
|
||||
properties:
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
|
|||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.action.support.master.TransportMasterNodeAction;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ack.ClusterStateUpdateResponse;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
|
|||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.action.support.master.TransportMasterNodeReadAction;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
|
|||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.action.support.master.TransportMasterNodeAction;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
|
|||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.cluster.AckedClusterStateUpdateTask;
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ClusterStateListener;
|
||||
import org.elasticsearch.cluster.ClusterStateUpdateTask;
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
*/
|
||||
package org.elasticsearch.license.plugin;
|
||||
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ClusterStateUpdateTask;
|
||||
import org.elasticsearch.cluster.metadata.MetaData;
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
*/
|
||||
package org.elasticsearch.license.plugin.consumer;
|
||||
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.inject.Singleton;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ package org.elasticsearch.license.plugin.consumer;
|
|||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterStateListener;
|
||||
import org.elasticsearch.common.component.AbstractLifecycleComponent;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
package org.elasticsearch.license.plugin.core;
|
||||
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ack.ClusterStateUpdateResponse;
|
||||
import org.elasticsearch.cluster.metadata.MetaData;
|
||||
import org.elasticsearch.common.unit.TimeValue;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector;
|
|||
|
||||
import org.elasticsearch.ElasticsearchTimeoutException;
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNode;
|
||||
import org.elasticsearch.common.component.AbstractLifecycleComponent;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector.cluster;
|
|||
|
||||
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNode;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNodes;
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ import org.elasticsearch.Version;
|
|||
import org.elasticsearch.action.admin.cluster.stats.ClusterStatsResponse;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterName;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNode;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
|
|||
import org.elasticsearch.action.admin.indices.recovery.RecoveryResponse;
|
||||
import org.elasticsearch.action.support.IndicesOptions;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.action.admin.indices.stats.IndexStats;
|
|||
import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
|
||||
import org.elasticsearch.action.support.IndicesOptions;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNode;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
|
|||
import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
|
||||
import org.elasticsearch.action.support.IndicesOptions;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ import org.elasticsearch.action.admin.cluster.node.stats.NodesStatsRequest;
|
|||
import org.elasticsearch.action.admin.indices.stats.CommonStatsFlags;
|
||||
import org.elasticsearch.bootstrap.BootstrapInfo;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNode;
|
||||
import org.elasticsearch.cluster.routing.allocation.decider.DiskThresholdDecider;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
*/
|
||||
package org.elasticsearch.marvel.agent.collector.shards;
|
||||
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||
import org.elasticsearch.cluster.routing.RoutingTable;
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
package org.elasticsearch.marvel.agent.exporter;
|
||||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.common.component.AbstractLifecycleComponent;
|
||||
import org.elasticsearch.common.component.Lifecycle;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateReque
|
|||
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ClusterStateListener;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
package org.elasticsearch.marvel.agent.collector.cluster;
|
||||
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.metadata.IndexMetaData;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.marvel.agent.collector.cluster;
|
|||
import org.apache.lucene.util.LuceneTestCase.BadApple;
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.cluster.ClusterName;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.plugin.core.LicensesManagerService;
|
||||
import org.elasticsearch.marvel.MarvelSettings;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
|
|||
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.action.admin.indices.recovery.RecoveryResponse;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.MetaData;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
|
|||
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.action.admin.indices.stats.IndexStats;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.MetaData;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.index.IndexNotFoundException;
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
|
|||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.action.admin.indices.stats.IndexStats;
|
||||
import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.MetaData;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector.node;
|
|||
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.bootstrap.BootstrapInfo;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.routing.allocation.decider.DiskThresholdDecider;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.env.NodeEnvironment;
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
package org.elasticsearch.marvel.agent.collector.shards;
|
||||
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.routing.ShardRouting;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.exporter;
|
|||
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNode;
|
||||
import org.elasticsearch.common.settings.ClusterSettings;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -26,101 +26,46 @@ user:
|
|||
# Defines the required permissions for transport clients
|
||||
transport_client:
|
||||
cluster:
|
||||
- cluster:monitor/nodes/liveness
|
||||
#uncomment the following for sniffing
|
||||
#- cluster:monitor/state
|
||||
|
||||
# The required permissions for kibana 4 users.
|
||||
kibana4:
|
||||
cluster:
|
||||
- cluster:monitor/nodes/info
|
||||
- cluster:monitor/health
|
||||
indices:
|
||||
- names: '*'
|
||||
privileges:
|
||||
- indices:admin/mappings/fields/get
|
||||
- indices:admin/validate/query
|
||||
- indices:data/read/search
|
||||
- indices:data/read/msearch
|
||||
- indices:data/read/field_stats
|
||||
- indices:admin/get
|
||||
- names: '.kibana'
|
||||
privileges:
|
||||
- indices:admin/exists
|
||||
- indices:admin/mapping/put
|
||||
- indices:admin/mappings/fields/get
|
||||
- indices:admin/refresh
|
||||
- indices:admin/validate/query
|
||||
- indices:data/read/get
|
||||
- indices:data/read/mget
|
||||
- indices:data/read/search
|
||||
- indices:data/write/delete
|
||||
- indices:data/write/index
|
||||
- indices:data/write/update
|
||||
- transport_client
|
||||
|
||||
# The required permissions for the kibana 4 server
|
||||
kibana4_server:
|
||||
cluster:
|
||||
- cluster:monitor/nodes/info
|
||||
- cluster:monitor/health
|
||||
- monitor
|
||||
indices:
|
||||
- names: '.kibana'
|
||||
privileges:
|
||||
- indices:admin/create
|
||||
- indices:admin/exists
|
||||
- indices:admin/mapping/put
|
||||
- indices:admin/mappings/fields/get
|
||||
- indices:admin/refresh
|
||||
- indices:admin/validate/query
|
||||
- indices:data/read/get
|
||||
- indices:data/read/mget
|
||||
- indices:data/read/search
|
||||
- indices:data/write/delete
|
||||
- indices:data/write/index
|
||||
- indices:data/write/update
|
||||
- all
|
||||
|
||||
# The required role for logstash users
|
||||
logstash:
|
||||
cluster:
|
||||
- indices:admin/template/get
|
||||
- indices:admin/template/put
|
||||
- manage_index_templates
|
||||
indices:
|
||||
- names: 'logstash-*'
|
||||
privileges:
|
||||
- indices:data/write/bulk
|
||||
- indices:data/write/delete
|
||||
- indices:data/write/update
|
||||
- indices:data/read/search
|
||||
- indices:data/read/scroll
|
||||
- write
|
||||
- read
|
||||
- create_index
|
||||
|
||||
# Monitoring user role. Assign to monitoring users.
|
||||
# Marvel user role. Assign to marvel users.
|
||||
monitoring_user:
|
||||
indices:
|
||||
- names: '.monitoring-*'
|
||||
privileges:
|
||||
- read
|
||||
- names:
|
||||
- '.marvel-es-*'
|
||||
- '.monitoring-*'
|
||||
privileges: [ "read" ]
|
||||
- names: '.kibana'
|
||||
privileges:
|
||||
- indices:admin/exists
|
||||
- indices:admin/mappings/fields/get
|
||||
- indices:admin/validate/query
|
||||
- indices:data/read/get
|
||||
- indices:data/read/mget
|
||||
- indices:data/read/search
|
||||
- view_index_metadata
|
||||
- read
|
||||
|
||||
# Monitoring remote agent role. Assign to the agent user on the remote monitoring cluster
|
||||
# to which the monitoring agent will export all its data
|
||||
# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
|
||||
# to which the marvel agent will export all its data
|
||||
remote_monitoring_agent:
|
||||
cluster:
|
||||
- indices:admin/template/put
|
||||
- indices:admin/template/get
|
||||
cluster: [ "manage_index_templates" ]
|
||||
indices:
|
||||
- names: '.monitoring-*'
|
||||
privileges:
|
||||
- all
|
||||
|
||||
# Allows all operations required to manage ingest pipelines
|
||||
ingest_admin:
|
||||
cluster:
|
||||
- manage_pipeline
|
||||
- names:
|
||||
- '.marvel-es-*'
|
||||
- '.monitoring-*'
|
||||
privileges: [ "all" ]
|
||||
|
|
|
|||
|
|
@ -290,30 +290,6 @@ public class Shield {
|
|||
}
|
||||
}
|
||||
|
||||
public static void registerClusterPrivilege(String name, String... patterns) {
|
||||
try {
|
||||
ClusterPrivilege.addCustom(name, patterns);
|
||||
} catch (Exception se) {
|
||||
logger.warn("could not register cluster privilege [{}]", name);
|
||||
|
||||
// we need to prevent bubbling the shield exception here for the tests. In the tests
|
||||
// we create multiple nodes in the same jvm and since the custom cluster is a static binding
|
||||
// multiple nodes will try to add the same privileges multiple times.
|
||||
}
|
||||
}
|
||||
|
||||
public static void registerIndexPrivilege(String name, String... patterns) {
|
||||
try {
|
||||
IndexPrivilege.addCustom(name, patterns);
|
||||
} catch (Exception se) {
|
||||
logger.warn("could not register index privilege [{}]", name);
|
||||
|
||||
// we need to prevent bubbling the shield exception here for the tests. In the tests
|
||||
// we create multiple nodes in the same jvm and since the custom cluster is a static binding
|
||||
// multiple nodes will try to add the same privileges multiple times.
|
||||
}
|
||||
}
|
||||
|
||||
private void addUserSettings(Settings.Builder settingsBuilder) {
|
||||
String authHeaderSettingName = ThreadContext.PREFIX + "." + UsernamePasswordToken.BASIC_AUTH_HEADER;
|
||||
if (settings.get(authHeaderSettingName) != null) {
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
package org.elasticsearch.shield;
|
||||
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterStateListener;
|
||||
import org.elasticsearch.common.component.AbstractComponent;
|
||||
import org.elasticsearch.common.component.LifecycleListener;
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateReque
|
|||
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ClusterStateListener;
|
||||
import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class ClearRealmCacheAction extends Action<ClearRealmCacheRequest, ClearRealmCacheResponse, ClearRealmCacheRequestBuilder> {
|
||||
|
||||
public static final ClearRealmCacheAction INSTANCE = new ClearRealmCacheAction();
|
||||
public static final String NAME = "cluster:admin/shield/realm/cache/clear";
|
||||
public static final String NAME = "cluster:admin/xpack/security/realm/cache/clear";
|
||||
|
||||
protected ClearRealmCacheAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
|
|||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.action.support.nodes.TransportNodesAction;
|
||||
import org.elasticsearch.cluster.ClusterName;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class ClearRolesCacheAction extends Action<ClearRolesCacheRequest, ClearRolesCacheResponse, ClearRolesCacheRequestBuilder> {
|
||||
|
||||
public static final ClearRolesCacheAction INSTANCE = new ClearRolesCacheAction();
|
||||
public static final String NAME = "cluster:admin/shield/roles/cache/clear";
|
||||
public static final String NAME = "cluster:admin/xpack/security/roles/cache/clear";
|
||||
|
||||
protected ClearRolesCacheAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class DeleteRoleAction extends Action<DeleteRoleRequest, DeleteRoleResponse, DeleteRoleRequestBuilder> {
|
||||
|
||||
public static final DeleteRoleAction INSTANCE = new DeleteRoleAction();
|
||||
public static final String NAME = "cluster:admin/shield/role/delete";
|
||||
public static final String NAME = "cluster:admin/xpack/security/role/delete";
|
||||
|
||||
|
||||
protected DeleteRoleAction() {
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class GetRolesAction extends Action<GetRolesRequest, GetRolesResponse, GetRolesRequestBuilder> {
|
||||
|
||||
public static final GetRolesAction INSTANCE = new GetRolesAction();
|
||||
public static final String NAME = "cluster:admin/shield/role/get";
|
||||
public static final String NAME = "cluster:admin/xpack/security/role/get";
|
||||
|
||||
|
||||
protected GetRolesAction() {
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class PutRoleAction extends Action<PutRoleRequest, PutRoleResponse, PutRoleRequestBuilder> {
|
||||
|
||||
public static final PutRoleAction INSTANCE = new PutRoleAction();
|
||||
public static final String NAME = "cluster:admin/shield/role/put";
|
||||
public static final String NAME = "cluster:admin/xpack/security/role/put";
|
||||
|
||||
|
||||
protected PutRoleAction() {
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.shield.action.role;
|
|||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.action.support.nodes.TransportNodesAction;
|
||||
import org.elasticsearch.cluster.ClusterName;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class DeleteUserAction extends Action<DeleteUserRequest, DeleteUserResponse, DeleteUserRequestBuilder> {
|
||||
|
||||
public static final DeleteUserAction INSTANCE = new DeleteUserAction();
|
||||
public static final String NAME = "cluster:admin/shield/user/delete";
|
||||
public static final String NAME = "cluster:admin/xpack/security/user/delete";
|
||||
|
||||
protected DeleteUserAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class GetUsersAction extends Action<GetUsersRequest, GetUsersResponse, GetUsersRequestBuilder> {
|
||||
|
||||
public static final GetUsersAction INSTANCE = new GetUsersAction();
|
||||
public static final String NAME = "cluster:admin/shield/user/get";
|
||||
public static final String NAME = "cluster:admin/xpack/security/user/get";
|
||||
|
||||
protected GetUsersAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class PutUserAction extends Action<PutUserRequest, PutUserResponse, PutUserRequestBuilder> {
|
||||
|
||||
public static final PutUserAction INSTANCE = new PutUserAction();
|
||||
public static final String NAME = "cluster:admin/shield/user/put";
|
||||
public static final String NAME = "cluster:admin/xpack/security/user/put";
|
||||
|
||||
protected PutUserAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ import org.elasticsearch.action.index.IndexRequest;
|
|||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.client.transport.TransportClient;
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ClusterStateListener;
|
||||
import org.elasticsearch.cluster.metadata.IndexMetaData;
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
package org.elasticsearch.shield.authc;
|
||||
|
||||
import org.elasticsearch.ElasticsearchSecurityException;
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.common.Base64;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.component.AbstractComponent;
|
||||
|
|
@ -224,6 +225,8 @@ public class InternalAuthenticationService extends AbstractComponent implements
|
|||
try {
|
||||
byte[] bytes = Base64.decode(text);
|
||||
StreamInput input = StreamInput.wrap(bytes);
|
||||
Version version = Version.readVersion(input);
|
||||
input.setVersion(version);
|
||||
return User.readFrom(input);
|
||||
} catch (IOException ioe) {
|
||||
throw authenticationError("could not read authenticated user", ioe);
|
||||
|
|
@ -233,6 +236,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
|
|||
static String encodeUser(User user, ESLogger logger) {
|
||||
try {
|
||||
BytesStreamOutput output = new BytesStreamOutput();
|
||||
Version.writeVersion(Version.CURRENT, output);
|
||||
User.writeTo(user, output);
|
||||
byte[] bytes = output.bytes().toBytes();
|
||||
return Base64.encodeBytes(bytes);
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ import org.elasticsearch.action.admin.indices.alias.Alias;
|
|||
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
|
||||
import org.elasticsearch.action.search.ClearScrollAction;
|
||||
import org.elasticsearch.action.search.SearchScrollAction;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.metadata.AliasOrIndex;
|
||||
import org.elasticsearch.cluster.metadata.MetaData;
|
||||
|
|
|
|||
|
|
@ -40,7 +40,6 @@ import org.elasticsearch.index.query.QueryShardContext;
|
|||
import org.elasticsearch.index.shard.IndexSearcherWrapper;
|
||||
import org.elasticsearch.index.shard.ShardId;
|
||||
import org.elasticsearch.index.shard.ShardUtils;
|
||||
import org.elasticsearch.percolator.PercolatorService;
|
||||
import org.elasticsearch.shield.authz.InternalAuthorizationService;
|
||||
import org.elasticsearch.shield.authz.accesscontrol.DocumentSubsetReader.DocumentSubsetDirectoryReader;
|
||||
import org.elasticsearch.shield.license.ShieldLicenseState;
|
||||
|
|
@ -229,9 +228,10 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
|
|||
}
|
||||
|
||||
private void resolvePercolatorFields(Set<String> allowedFields) {
|
||||
if (mapperService.hasMapping(PercolatorService.TYPE_NAME)) {
|
||||
if (mapperService.hasMapping(PercolatorFieldMapper.TYPE_NAME)) {
|
||||
allowedFields.add(PercolatorFieldMapper.EXTRACTED_TERMS_FULL_FIELD_NAME);
|
||||
allowedFields.add(PercolatorFieldMapper.UNKNOWN_QUERY_FULL_FIELD_NAME);
|
||||
allowedFields.add(PercolatorFieldMapper.EXTRACTED_TERMS_FULL_FIELD_NAME);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -6,8 +6,8 @@
|
|||
package org.elasticsearch.shield.authz.privilege;
|
||||
|
||||
import dk.brics.automaton.Automaton;
|
||||
import dk.brics.automaton.BasicAutomata;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.shield.support.Automatons;
|
||||
|
||||
import java.util.Locale;
|
||||
import java.util.Set;
|
||||
|
|
@ -15,16 +15,30 @@ import java.util.concurrent.ConcurrentHashMap;
|
|||
import java.util.concurrent.CopyOnWriteArraySet;
|
||||
import java.util.function.Predicate;
|
||||
|
||||
import static org.elasticsearch.shield.support.Automatons.minusAndDeterminize;
|
||||
import static org.elasticsearch.shield.support.Automatons.patterns;
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
public class ClusterPrivilege extends AbstractAutomatonPrivilege<ClusterPrivilege> {
|
||||
|
||||
public static final ClusterPrivilege NONE = new ClusterPrivilege(Name.NONE, BasicAutomata.makeEmpty());
|
||||
public static final ClusterPrivilege ALL = new ClusterPrivilege(Name.ALL, "cluster:*", "indices:admin/template/*");
|
||||
public static final ClusterPrivilege MONITOR = new ClusterPrivilege("monitor", "cluster:monitor/*");
|
||||
public static final ClusterPrivilege MANAGE_SHIELD = new ClusterPrivilege("manage_shield", "cluster:admin/shield/*");
|
||||
public static final ClusterPrivilege MANAGE_PIPELINE = new ClusterPrivilege("manage_pipeline", "cluster:admin/ingest/pipeline/*");
|
||||
// shared automatons
|
||||
private static final Automaton MANAGE_SECURITY_AUTOMATON = patterns("cluster:admin/xpack/security/*");
|
||||
private static final Automaton MONITOR_AUTOMATON = patterns("cluster:monitor/*");
|
||||
private static final Automaton ALL_CLUSTER_AUTOMATON = patterns("cluster:*", "indices:admin/template/*");
|
||||
private static final Automaton MANAGE_AUTOMATON = minusAndDeterminize(ALL_CLUSTER_AUTOMATON, MANAGE_SECURITY_AUTOMATON);
|
||||
private static final Automaton TRANSPORT_CLIENT_AUTOMATON = patterns("cluster:monitor/nodes/liveness", "cluster:monitor/state");
|
||||
private static final Automaton MANAGE_IDX_TEMPLATE_AUTOMATON = patterns("indices:admin/template/*");
|
||||
|
||||
public static final ClusterPrivilege NONE = new ClusterPrivilege(Name.NONE, Automatons.EMPTY);
|
||||
public static final ClusterPrivilege ALL = new ClusterPrivilege(Name.ALL, ALL_CLUSTER_AUTOMATON);
|
||||
public static final ClusterPrivilege MONITOR = new ClusterPrivilege("monitor", MONITOR_AUTOMATON);
|
||||
public static final ClusterPrivilege MANAGE = new ClusterPrivilege("manage", MANAGE_AUTOMATON);
|
||||
public static final ClusterPrivilege MANAGE_IDX_TEMPLATES =
|
||||
new ClusterPrivilege("manage_index_templates", MANAGE_IDX_TEMPLATE_AUTOMATON);
|
||||
public static final ClusterPrivilege TRANSPORT_CLIENT = new ClusterPrivilege("transport_client", TRANSPORT_CLIENT_AUTOMATON);
|
||||
public static final ClusterPrivilege MANAGE_SECURITY = new ClusterPrivilege("manage_security", MANAGE_SECURITY_AUTOMATON);
|
||||
|
||||
public final static Predicate<String> ACTION_MATCHER = ClusterPrivilege.ALL.predicate();
|
||||
|
||||
|
|
@ -34,8 +48,10 @@ public class ClusterPrivilege extends AbstractAutomatonPrivilege<ClusterPrivileg
|
|||
values.add(NONE);
|
||||
values.add(ALL);
|
||||
values.add(MONITOR);
|
||||
values.add(MANAGE_SHIELD);
|
||||
values.add(MANAGE_PIPELINE);
|
||||
values.add(MANAGE);
|
||||
values.add(MANAGE_IDX_TEMPLATES);
|
||||
values.add(TRANSPORT_CLIENT);
|
||||
values.add(MANAGE_SECURITY);
|
||||
}
|
||||
|
||||
static Set<ClusterPrivilege> values() {
|
||||
|
|
@ -48,8 +64,8 @@ public class ClusterPrivilege extends AbstractAutomatonPrivilege<ClusterPrivileg
|
|||
super(name, patterns);
|
||||
}
|
||||
|
||||
private ClusterPrivilege(Name name, String... patterns) {
|
||||
super(name, patterns);
|
||||
private ClusterPrivilege(String name, Automaton automaton) {
|
||||
super(new Name(name), automaton);
|
||||
}
|
||||
|
||||
private ClusterPrivilege(Name name, Automaton automaton) {
|
||||
|
|
|
|||
|
|
@ -6,14 +6,21 @@
|
|||
package org.elasticsearch.shield.authz.privilege;
|
||||
|
||||
import dk.brics.automaton.Automaton;
|
||||
import dk.brics.automaton.BasicAutomata;
|
||||
import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsAction;
|
||||
import org.elasticsearch.action.admin.indices.alias.exists.AliasesExistAction;
|
||||
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesAction;
|
||||
import org.elasticsearch.action.admin.indices.create.CreateIndexAction;
|
||||
import org.elasticsearch.action.get.GetAction;
|
||||
import org.elasticsearch.action.get.MultiGetAction;
|
||||
import org.elasticsearch.action.search.MultiSearchAction;
|
||||
import org.elasticsearch.action.search.SearchAction;
|
||||
import org.elasticsearch.action.suggest.SuggestAction;
|
||||
import org.elasticsearch.action.admin.indices.delete.DeleteIndexAction;
|
||||
import org.elasticsearch.action.admin.indices.exists.indices.IndicesExistsAction;
|
||||
import org.elasticsearch.action.admin.indices.exists.types.TypesExistsAction;
|
||||
import org.elasticsearch.action.admin.indices.get.GetIndexAction;
|
||||
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsAction;
|
||||
import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsAction;
|
||||
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction;
|
||||
import org.elasticsearch.action.admin.indices.settings.get.GetSettingsAction;
|
||||
import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryAction;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.shield.support.Automatons;
|
||||
|
||||
import java.util.Locale;
|
||||
import java.util.Set;
|
||||
|
|
@ -21,29 +28,41 @@ import java.util.concurrent.ConcurrentHashMap;
|
|||
import java.util.concurrent.CopyOnWriteArraySet;
|
||||
import java.util.function.Predicate;
|
||||
|
||||
import static org.elasticsearch.shield.support.Automatons.patterns;
|
||||
import static org.elasticsearch.shield.support.Automatons.unionAndDeterminize;
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
|
||||
|
||||
public static final IndexPrivilege NONE = new IndexPrivilege(Name.NONE, BasicAutomata.makeEmpty());
|
||||
public static final IndexPrivilege ALL = new IndexPrivilege(Name.ALL, "indices:*");
|
||||
public static final IndexPrivilege MANAGE = new IndexPrivilege("manage", "indices:monitor/*", "indices:admin/*");
|
||||
public static final IndexPrivilege CREATE_INDEX = new IndexPrivilege("create_index", CreateIndexAction.NAME);
|
||||
public static final IndexPrivilege MANAGE_ALIASES = new IndexPrivilege("manage_aliases", "indices:admin/aliases*");
|
||||
public static final IndexPrivilege MONITOR = new IndexPrivilege("monitor", "indices:monitor/*");
|
||||
public static final IndexPrivilege DATA_ACCESS = new IndexPrivilege("data_access", "indices:data/*", "indices:admin/mapping/put");
|
||||
public static final IndexPrivilege CRUD =
|
||||
new IndexPrivilege("crud", "indices:data/write/*", "indices:data/read/*", "indices:admin/mapping/put");
|
||||
public static final IndexPrivilege READ = new IndexPrivilege("read", "indices:data/read/*");
|
||||
public static final IndexPrivilege SEARCH =
|
||||
new IndexPrivilege("search", SearchAction.NAME + "*", MultiSearchAction.NAME + "*", SuggestAction.NAME + "*");
|
||||
public static final IndexPrivilege GET = new IndexPrivilege("get", GetAction.NAME + "*", MultiGetAction.NAME + "*");
|
||||
public static final IndexPrivilege SUGGEST = new IndexPrivilege("suggest", SuggestAction.NAME + "*");
|
||||
public static final IndexPrivilege INDEX =
|
||||
new IndexPrivilege("index", "indices:data/write/index*", "indices:data/write/update*", "indices:admin/mapping/put");
|
||||
public static final IndexPrivilege DELETE = new IndexPrivilege("delete", "indices:data/write/delete*");
|
||||
public static final IndexPrivilege WRITE = new IndexPrivilege("write", "indices:data/write/*", "indices:admin/mapping/put");
|
||||
private static final Automaton ALL_AUTOMATON = patterns("indices:*");
|
||||
private static final Automaton READ_AUTOMATON = patterns("indices:data/read/*");
|
||||
private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", PutMappingAction.NAME);
|
||||
private static final Automaton INDEX_AUTOMATON =
|
||||
patterns("indices:data/write/index*", "indices:data/write/update*", PutMappingAction.NAME);
|
||||
private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*");
|
||||
private static final Automaton WRITE_AUTOMATON = patterns("indices:data/write/*", PutMappingAction.NAME);
|
||||
private static final Automaton MONITOR_AUTOMATON = patterns("indices:monitor/*");
|
||||
private static final Automaton MANAGE_AUTOMATON = unionAndDeterminize(MONITOR_AUTOMATON, patterns("indices:admin/*"));
|
||||
private static final Automaton CREATE_INDEX_AUTOMATON = patterns(CreateIndexAction.NAME);
|
||||
private static final Automaton DELETE_INDEX_AUTOMATON = patterns(DeleteIndexAction.NAME);
|
||||
private static final Automaton VIEW_METADATA_AUTOMATON = patterns(GetAliasesAction.NAME, AliasesExistAction.NAME,
|
||||
GetIndexAction.NAME, IndicesExistsAction.NAME, GetFieldMappingsAction.NAME, GetMappingsAction.NAME,
|
||||
ClusterSearchShardsAction.NAME, TypesExistsAction.NAME, ValidateQueryAction.NAME, GetSettingsAction.NAME);
|
||||
|
||||
public static final IndexPrivilege NONE = new IndexPrivilege(Name.NONE, Automatons.EMPTY);
|
||||
public static final IndexPrivilege ALL = new IndexPrivilege(Name.ALL, ALL_AUTOMATON);
|
||||
public static final IndexPrivilege READ = new IndexPrivilege("read", READ_AUTOMATON);
|
||||
public static final IndexPrivilege CREATE = new IndexPrivilege("create", CREATE_AUTOMATON);
|
||||
public static final IndexPrivilege INDEX = new IndexPrivilege("index", INDEX_AUTOMATON);
|
||||
public static final IndexPrivilege DELETE = new IndexPrivilege("delete", DELETE_AUTOMATON);
|
||||
public static final IndexPrivilege WRITE = new IndexPrivilege("write", WRITE_AUTOMATON);
|
||||
public static final IndexPrivilege MONITOR = new IndexPrivilege("monitor", MONITOR_AUTOMATON);
|
||||
public static final IndexPrivilege MANAGE = new IndexPrivilege("manage", MANAGE_AUTOMATON);
|
||||
public static final IndexPrivilege DELETE_INDEX = new IndexPrivilege("delete_index", DELETE_INDEX_AUTOMATON);
|
||||
public static final IndexPrivilege CREATE_INDEX = new IndexPrivilege("create_index", CREATE_INDEX_AUTOMATON);
|
||||
public static final IndexPrivilege VIEW_METADATA = new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON);
|
||||
|
||||
private static final Set<IndexPrivilege> values = new CopyOnWriteArraySet<>();
|
||||
|
||||
|
|
@ -52,17 +71,14 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
|
|||
values.add(ALL);
|
||||
values.add(MANAGE);
|
||||
values.add(CREATE_INDEX);
|
||||
values.add(MANAGE_ALIASES);
|
||||
values.add(MONITOR);
|
||||
values.add(DATA_ACCESS);
|
||||
values.add(CRUD);
|
||||
values.add(READ);
|
||||
values.add(SEARCH);
|
||||
values.add(GET);
|
||||
values.add(SUGGEST);
|
||||
values.add(INDEX);
|
||||
values.add(DELETE);
|
||||
values.add(WRITE);
|
||||
values.add(CREATE);
|
||||
values.add(DELETE_INDEX);
|
||||
values.add(VIEW_METADATA);
|
||||
}
|
||||
|
||||
public static final Predicate<String> ACTION_MATCHER = ALL.predicate();
|
||||
|
|
@ -78,8 +94,8 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
|
|||
super(name, patterns);
|
||||
}
|
||||
|
||||
private IndexPrivilege(Name name, String... patterns) {
|
||||
super(name, patterns);
|
||||
private IndexPrivilege(String name, Automaton automaton) {
|
||||
super(new Name(name), automaton);
|
||||
}
|
||||
|
||||
private IndexPrivilege(Name name, Automaton automaton) {
|
||||
|
|
|
|||
|
|
@ -24,6 +24,8 @@ import static dk.brics.automaton.MinimizationOperations.minimize;
|
|||
*/
|
||||
public final class Automatons {
|
||||
|
||||
public static final Automaton EMPTY = BasicAutomata.makeEmpty();
|
||||
|
||||
static final char WILDCARD_STRING = '*'; // String equality with support for wildcards
|
||||
static final char WILDCARD_CHAR = '?'; // Char equality with support for wildcards
|
||||
static final char WILDCARD_ESCAPE = '\\'; // Escape character
|
||||
|
|
|
|||
|
|
@ -63,7 +63,8 @@ public class DocumentLevelSecurityRandomTests extends ShieldIntegTestCase {
|
|||
builder.append(" cluster: [ all ]\n");
|
||||
builder.append(" indices:\n");
|
||||
builder.append(" - names: '*'\n");
|
||||
builder.append(" privileges: [ ALL ]\n");
|
||||
builder.append(" privileges:\n");
|
||||
builder.append(" - all\n");
|
||||
builder.append(" query: \n");
|
||||
builder.append(" term: \n");
|
||||
builder.append(" field1: value").append(i).append('\n');
|
||||
|
|
|
|||
|
|
@ -73,10 +73,12 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
protected String configRoles() {
|
||||
return super.configRoles() +
|
||||
"\nrole1:\n" +
|
||||
" cluster: [ all ]\n" +
|
||||
" cluster:\n" +
|
||||
" - all\n" +
|
||||
" indices:\n" +
|
||||
" - names: '*'\n" +
|
||||
" privileges: [ ALL ]\n" +
|
||||
" privileges:\n" +
|
||||
" - all\n" +
|
||||
" query: \n" +
|
||||
" term: \n" +
|
||||
" field1: value1\n" +
|
||||
|
|
|
|||
|
|
@ -86,10 +86,12 @@ public class FieldLevelSecurityRandomTests extends ShieldIntegTestCase {
|
|||
" privileges: [ ALL ]\n" +
|
||||
" fields:\n" +roleFields.toString() +
|
||||
"role2:\n" +
|
||||
" cluster: [ all ]\n" +
|
||||
" cluster:\n" +
|
||||
" - all\n" +
|
||||
" indices:\n" +
|
||||
" - names: test\n" +
|
||||
" privileges: [ ALL ]\n" +
|
||||
" privileges:\n" +
|
||||
" - all\n" +
|
||||
" fields:\n" +
|
||||
" - field1\n" +
|
||||
"role3:\n" +
|
||||
|
|
|
|||
|
|
@ -1,199 +0,0 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License;
|
||||
* you may not use this file except in compliance with the Elastic License.
|
||||
*/
|
||||
package org.elasticsearch.integration;
|
||||
|
||||
import org.elasticsearch.ElasticsearchSecurityException;
|
||||
import org.elasticsearch.action.get.MultiGetResponse;
|
||||
import org.elasticsearch.action.index.IndexResponse;
|
||||
import org.elasticsearch.action.search.MultiSearchResponse;
|
||||
import org.elasticsearch.action.search.SearchResponse;
|
||||
import org.elasticsearch.action.suggest.SuggestResponse;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.search.suggest.SuggestBuilders;
|
||||
import org.elasticsearch.shield.authc.support.Hasher;
|
||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
||||
import org.elasticsearch.shield.authc.support.SecuredStringTests;
|
||||
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
|
||||
import org.elasticsearch.test.ShieldIntegTestCase;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import static java.util.Collections.singletonMap;
|
||||
import static org.elasticsearch.client.Requests.searchRequest;
|
||||
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
|
||||
import static org.elasticsearch.test.ShieldTestsUtils.assertAuthorizationException;
|
||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoFailures;
|
||||
import static org.hamcrest.Matchers.equalTo;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
|
||||
public class SearchGetAndSuggestPermissionsTests extends ShieldIntegTestCase {
|
||||
protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("passwd".toCharArray())));
|
||||
|
||||
@Override
|
||||
protected String configRoles() {
|
||||
return super.configRoles() + "\n" +
|
||||
"\n" +
|
||||
"search_role:\n" +
|
||||
" indices:\n" +
|
||||
" - names: 'a'\n" +
|
||||
" privileges: [ search ]\n" +
|
||||
"\n" +
|
||||
"get_role:\n" +
|
||||
" indices:\n" +
|
||||
" - names: 'a'\n" +
|
||||
" privileges: [ get ]\n" +
|
||||
"\n" +
|
||||
"suggest_role:\n" +
|
||||
" indices:\n" +
|
||||
" - names: 'a'\n" +
|
||||
" privileges: [ suggest ]\n";
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String configUsers() {
|
||||
return super.configUsers() +
|
||||
"search_user:" + USERS_PASSWD_HASHED + "\n" +
|
||||
"get_user:" + USERS_PASSWD_HASHED + "\n" +
|
||||
"suggest_user:" + USERS_PASSWD_HASHED + "\n";
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String configUsersRoles() {
|
||||
return super.configUsersRoles() +
|
||||
"search_role:search_user\n" +
|
||||
"get_role:get_user\n" +
|
||||
"suggest_role:suggest_user\n";
|
||||
}
|
||||
|
||||
/**
|
||||
* testing both "search" and "suggest" privileges can execute the suggest API
|
||||
*/
|
||||
public void testSuggestAPI() throws Exception {
|
||||
IndexResponse indexResponse = index("a", "type", jsonBuilder()
|
||||
.startObject()
|
||||
.field("name", "value")
|
||||
.endObject());
|
||||
assertThat(indexResponse.isCreated(), is(true));
|
||||
|
||||
refresh();
|
||||
|
||||
Client client = internalCluster().transportClient();
|
||||
|
||||
Map<String, String> headers = singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("suggest_user", "passwd"));
|
||||
SuggestResponse suggestResponse = client.filterWithHeader(headers)
|
||||
.prepareSuggest("a")
|
||||
.addSuggestion(randomAsciiOfLengthBetween(3,7), SuggestBuilders.termSuggestion("name").text("val")).get();
|
||||
assertNoFailures(suggestResponse);
|
||||
assertThat(suggestResponse.getSuggest().size(), is(1));
|
||||
|
||||
suggestResponse = client
|
||||
.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("search_user", "passwd")))
|
||||
.prepareSuggest("a")
|
||||
.addSuggestion(randomAsciiOfLengthBetween(3, 7), SuggestBuilders.termSuggestion("name").text("val")).get();
|
||||
assertNoFailures(suggestResponse);
|
||||
assertThat(suggestResponse.getSuggest().size(), is(1));
|
||||
|
||||
try {
|
||||
client.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("suggest_user", "passwd")))
|
||||
.prepareSearch("a")
|
||||
.get();
|
||||
fail("a user with only a suggest privilege cannot execute search");
|
||||
} catch (ElasticsearchSecurityException e) {
|
||||
logger.error("failed to search", e);
|
||||
// expected
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* testing that "search" privilege cannot execute the get API
|
||||
*/
|
||||
public void testGetAPI() throws Exception {
|
||||
IndexResponse indexResponse = index("a", "type", jsonBuilder()
|
||||
.startObject()
|
||||
.field("name", "value")
|
||||
.endObject());
|
||||
assertThat(indexResponse.isCreated(), is(true));
|
||||
|
||||
refresh();
|
||||
|
||||
Client client = internalCluster().transportClient();
|
||||
|
||||
try {
|
||||
client.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("search_user", "passwd")))
|
||||
.prepareGet("a", "type", indexResponse.getId())
|
||||
.get();
|
||||
fail("a user with only search privilege should not be authorized for a get request");
|
||||
} catch (ElasticsearchSecurityException e) {
|
||||
// expected
|
||||
assertAuthorizationException(e);
|
||||
logger.error("could not get document", e);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* testing that "get" privilege can execute the mget API, and "search" privilege cannot execute mget
|
||||
*/
|
||||
public void testMultiGetAPI() throws Exception {
|
||||
IndexResponse indexResponse = index("a", "type", jsonBuilder()
|
||||
.startObject()
|
||||
.field("name", "value")
|
||||
.endObject());
|
||||
assertThat(indexResponse.isCreated(), is(true));
|
||||
|
||||
refresh();
|
||||
|
||||
Client client = internalCluster().transportClient();
|
||||
|
||||
MultiGetResponse response = client
|
||||
.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("get_user", "passwd")))
|
||||
.prepareMultiGet().add("a", "type", indexResponse.getId())
|
||||
.get();
|
||||
assertNotNull(response);
|
||||
assertThat(response.getResponses().length, is(1));
|
||||
assertThat(response.getResponses()[0].getId(), equalTo(indexResponse.getId()));
|
||||
|
||||
try {
|
||||
client.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("search_user", "passwd")))
|
||||
.prepareMultiGet().add("a", "type", indexResponse.getId())
|
||||
.get();
|
||||
fail("a user with only a search privilege should not be able to execute the mget API");
|
||||
} catch (ElasticsearchSecurityException e) {
|
||||
// expected
|
||||
assertAuthorizationException(e);
|
||||
logger.error("could not mget documents", e);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* testing that "search" privilege can execute the msearch API
|
||||
*/
|
||||
public void testMultiSearchAPI() throws Exception {
|
||||
IndexResponse indexResponse = index("a", "type", jsonBuilder()
|
||||
.startObject()
|
||||
.field("name", "value")
|
||||
.endObject());
|
||||
assertThat(indexResponse.isCreated(), is(true));
|
||||
|
||||
refresh();
|
||||
|
||||
Client client = internalCluster().transportClient();
|
||||
|
||||
MultiSearchResponse response = client
|
||||
.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("search_user", "passwd")))
|
||||
.prepareMultiSearch().add(searchRequest("a").types("type"))
|
||||
.get();
|
||||
assertNotNull(response);
|
||||
assertThat(response.getResponses().length, is(1));
|
||||
SearchResponse first = response.getResponses()[0].getResponse();
|
||||
assertNotNull(first);
|
||||
assertNoFailures(first);
|
||||
}
|
||||
|
||||
private static String userHeader(String username, String password) {
|
||||
return UsernamePasswordToken.basicAuthHeaderValue(username, SecuredStringTests.build(password));
|
||||
}
|
||||
}
|
||||
|
|
@ -12,7 +12,7 @@ import org.elasticsearch.action.admin.indices.settings.get.GetSettingsResponse;
|
|||
import org.elasticsearch.action.search.SearchResponse;
|
||||
import org.elasticsearch.action.support.IndicesOptions;
|
||||
import org.elasticsearch.client.Client;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.common.inject.util.Providers;
|
||||
import org.elasticsearch.common.network.NetworkAddress;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
package org.elasticsearch.shield.audit.index;
|
||||
|
||||
import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsResponse;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.common.inject.util.Providers;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.transport.BoundTransportAddress;
|
||||
|
|
|
|||
|
|
@ -7,6 +7,8 @@ package org.elasticsearch.shield.authc;
|
|||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.ElasticsearchSecurityException;
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.common.Base64;
|
||||
import org.elasticsearch.common.io.stream.BytesStreamOutput;
|
||||
import org.elasticsearch.common.io.stream.StreamInput;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
|
|
@ -750,6 +752,15 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
|
|||
}
|
||||
}
|
||||
|
||||
public void testVersionWrittenWithUser() throws Exception {
|
||||
User user = new User("username", "r1", "r2", "r3");
|
||||
String text = InternalAuthenticationService.encodeUser(user, null);
|
||||
|
||||
StreamInput input = StreamInput.wrap(Base64.decode(text));
|
||||
Version version = Version.readVersion(input);
|
||||
assertThat(version, is(Version.CURRENT));
|
||||
}
|
||||
|
||||
private static class InternalMessage extends TransportMessage {
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@
|
|||
*/
|
||||
package org.elasticsearch.shield.authc.ldap.support;
|
||||
|
||||
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
|
||||
import com.unboundid.ldap.sdk.LDAPConnection;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.shield.authc.RealmConfig;
|
||||
|
|
@ -12,8 +13,10 @@ import org.elasticsearch.shield.authc.support.SecuredString;
|
|||
import org.elasticsearch.shield.ssl.ClientSSLService;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.Matchers.not;
|
||||
|
||||
|
|
@ -43,6 +46,7 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
|
|||
|
||||
public void testRoundRobinWithFailures() throws Exception {
|
||||
assumeTrue("at least one ldap server should be present for this test", ldapServers.length > 1);
|
||||
logger.debug("using [{}] ldap servers, urls {}", ldapServers.length, ldapUrls());
|
||||
TestSessionFactory testSessionFactory = createSessionFactory(LdapLoadBalancing.ROUND_ROBIN);
|
||||
|
||||
// create a list of ports
|
||||
|
|
@ -50,19 +54,31 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
|
|||
for (int i = 0; i < ldapServers.length; i++) {
|
||||
ports.add(ldapServers[i].getListenPort());
|
||||
}
|
||||
logger.debug("list of all ports {}", ports);
|
||||
|
||||
int numberToKill = randomIntBetween(1, numberOfLdapServers - 1);
|
||||
for (int i = 0; i < numberToKill; i++) {
|
||||
int index = randomIntBetween(0, numberOfLdapServers - 1);
|
||||
ports.remove(Integer.valueOf(ldapServers[index].getListenPort()));
|
||||
final int numberToKill = randomIntBetween(1, numberOfLdapServers - 1);
|
||||
logger.debug("killing [{}] servers", numberToKill);
|
||||
|
||||
// get a subset to kil
|
||||
final List<InMemoryDirectoryServer> ldapServersToKill = randomSubsetOf(numberToKill, ldapServers);
|
||||
final List<InMemoryDirectoryServer> ldapServersList = Arrays.asList(ldapServers);
|
||||
for (InMemoryDirectoryServer ldapServerToKill : ldapServersToKill) {
|
||||
final int index = ldapServersList.indexOf(ldapServerToKill);
|
||||
assertThat(index, greaterThanOrEqualTo(0));
|
||||
final Integer port = Integer.valueOf(ldapServers[index].getListenPort());
|
||||
logger.debug("shutting down server index [{}] listening on [{}]", index, port);
|
||||
assertTrue(ports.remove(port));
|
||||
ldapServers[index].shutDown(true);
|
||||
assertThat(ldapServers[index].getListenPort(), is(-1));
|
||||
}
|
||||
|
||||
final int numberOfIterations = randomIntBetween(1, 5);
|
||||
for (int iteration = 0; iteration < numberOfIterations; iteration++) {
|
||||
logger.debug("iteration [{}]", iteration);
|
||||
for (Integer port : ports) {
|
||||
LDAPConnection connection = null;
|
||||
try {
|
||||
logger.debug("attempting connection with expected port [{}]", port);
|
||||
connection = testSessionFactory.getServerSet().getConnection();
|
||||
assertThat(connection.getConnectedPort(), is(port));
|
||||
} finally {
|
||||
|
|
@ -76,6 +92,7 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
|
|||
|
||||
public void testFailover() throws Exception {
|
||||
assumeTrue("at least one ldap server should be present for this test", ldapServers.length > 1);
|
||||
logger.debug("using [{}] ldap servers, urls {}", ldapServers.length, ldapUrls());
|
||||
TestSessionFactory testSessionFactory = createSessionFactory(LdapLoadBalancing.FAILOVER);
|
||||
|
||||
// first test that there is no round robin stuff going on
|
||||
|
|
@ -92,32 +109,46 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
|
|||
}
|
||||
}
|
||||
|
||||
List<Integer> stoppedServers = new ArrayList<>();
|
||||
// now we should kill some servers including the first one
|
||||
int numberToKill = randomIntBetween(1, numberOfLdapServers - 1);
|
||||
// always kill the first one, but don't add to the list
|
||||
logger.debug("shutting down server index [0] listening on [{}]", ldapServers[0].getListenPort());
|
||||
// always kill the first one
|
||||
ldapServers[0].shutDown(true);
|
||||
stoppedServers.add(0);
|
||||
for (int i = 0; i < numberToKill - 1; i++) {
|
||||
int index = randomIntBetween(1, numberOfLdapServers - 1);
|
||||
ldapServers[index].shutDown(true);
|
||||
stoppedServers.add(index);
|
||||
assertThat(ldapServers[0].getListenPort(), is(-1));
|
||||
|
||||
// now randomly shutdown some others
|
||||
if (ldapServers.length > 2) {
|
||||
// kill at least one other server, but we need at least one good one. Hence the upper bound is number - 2 since we need at least
|
||||
// one server to use!
|
||||
final int numberToKill = randomIntBetween(1, numberOfLdapServers - 2);
|
||||
InMemoryDirectoryServer[] allButFirstServer = Arrays.copyOfRange(ldapServers, 1, ldapServers.length);
|
||||
// get a subset to kil
|
||||
final List<InMemoryDirectoryServer> ldapServersToKill = randomSubsetOf(numberToKill, allButFirstServer);
|
||||
final List<InMemoryDirectoryServer> ldapServersList = Arrays.asList(ldapServers);
|
||||
for (InMemoryDirectoryServer ldapServerToKill : ldapServersToKill) {
|
||||
final int index = ldapServersList.indexOf(ldapServerToKill);
|
||||
assertThat(index, greaterThanOrEqualTo(1));
|
||||
final Integer port = Integer.valueOf(ldapServers[index].getListenPort());
|
||||
logger.debug("shutting down server index [{}] listening on [{}]", index, port);
|
||||
ldapServers[index].shutDown(true);
|
||||
assertThat(ldapServers[index].getListenPort(), is(-1));
|
||||
}
|
||||
}
|
||||
|
||||
int firstNonStoppedPort = -1;
|
||||
// now we find the first that isn't stopped
|
||||
for (int i = 0; i < numberOfLdapServers; i++) {
|
||||
if (stoppedServers.contains(i) == false) {
|
||||
if (ldapServers[i].getListenPort() != -1) {
|
||||
firstNonStoppedPort = ldapServers[i].getListenPort();
|
||||
break;
|
||||
}
|
||||
}
|
||||
logger.debug("first non stopped port [{}]", firstNonStoppedPort);
|
||||
|
||||
assertThat(firstNonStoppedPort, not(-1));
|
||||
final int numberOfIterations = randomIntBetween(1, 5);
|
||||
for (int iteration = 0; iteration < numberOfIterations; iteration++) {
|
||||
LDAPConnection connection = null;
|
||||
try {
|
||||
logger.debug("attempting connection with expected port [{}] iteration [{}]", firstNonStoppedPort, iteration);
|
||||
connection = testSessionFactory.getServerSet().getConnection();
|
||||
assertThat(connection.getConnectedPort(), is(firstNonStoppedPort));
|
||||
} finally {
|
||||
|
|
|
|||
|
|
@ -60,30 +60,30 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
|
|||
" indices:\n" +
|
||||
" - names: '*'\n" +
|
||||
" privileges: [ create_index ]\n" +
|
||||
//role that has create index and managa aliases on test_*, not enough to manage aliases outside of test_* namespace
|
||||
//role that has create index and manage_aliases on test_*, not enough to manage_aliases aliases outside of test_* namespace
|
||||
"create_test_aliases_test:\n" +
|
||||
" indices:\n" +
|
||||
" - names: 'test_*'\n" +
|
||||
" privileges: [ create_index, manage_aliases ]\n" +
|
||||
//role that has create index on test_* and manage aliases on alias_*, can't create aliases pointing to test_* though
|
||||
" privileges: [ create_index, 'indices:admin/aliases*' ]\n" +
|
||||
//role that has create index on test_* and manage_aliases on alias_*, can't create aliases pointing to test_* though
|
||||
"create_test_aliases_alias:\n" +
|
||||
" indices:\n" +
|
||||
" - names: 'test_*'\n" +
|
||||
" privileges: [ create_index ]\n" +
|
||||
" - names: 'alias_*'\n" +
|
||||
" privileges: [ manage_aliases ]\n" +
|
||||
" privileges: [ 'indices:admin/aliases*' ]\n" +
|
||||
//role that has create index on test_* and manage_aliases on both alias_* and test_*
|
||||
"create_test_aliases_test_alias:\n" +
|
||||
" indices:\n" +
|
||||
" - names: 'test_*'\n" +
|
||||
" privileges: [ create_index ]\n" +
|
||||
" - names: [ 'alias_*', 'test_*' ]\n" +
|
||||
" privileges: [ manage_aliases ]\n" +
|
||||
" privileges: [ 'indices:admin/aliases*' ]\n" +
|
||||
//role that has manage_aliases only on both test_* and alias_*
|
||||
"aliases_only:\n" +
|
||||
" indices:\n" +
|
||||
" - names: [ 'alias_*', 'test_*']\n" +
|
||||
" privileges: [ manage_aliases ]\n";
|
||||
" privileges: [ 'indices:admin/aliases*' ]\n";
|
||||
}
|
||||
|
||||
@Before
|
||||
|
|
@ -368,7 +368,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
|
|||
assertAcked(client.admin().indices().prepareCreate("test_1"));
|
||||
|
||||
try {
|
||||
//fails: user doesn't have manage aliases on test_1
|
||||
//fails: user doesn't have manage_aliases aliases on test_1
|
||||
client.admin().indices().prepareAliases().addAlias("test_1", "test_alias").get();
|
||||
fail("add alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
|
||||
} catch(ElasticsearchSecurityException e) {
|
||||
|
|
@ -377,7 +377,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
|
|||
}
|
||||
|
||||
try {
|
||||
//fails: user doesn't have manage aliases on test_1
|
||||
//fails: user doesn't have manage_aliases aliases on test_1
|
||||
client.admin().indices().prepareAliases().addAlias("test_1", "alias_1").get();
|
||||
fail("add alias should have failed due to missing manage_aliases privileges on test_1");
|
||||
} catch(ElasticsearchSecurityException e) {
|
||||
|
|
@ -386,7 +386,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
|
|||
}
|
||||
|
||||
try {
|
||||
//fails: user doesn't have manage aliases on test_*, no matching indices to replace wildcards
|
||||
//fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
|
||||
client.admin().indices().prepareAliases().addAlias("test_*", "alias_1").get();
|
||||
fail("add alias should have failed due to missing manage_aliases privileges on test_1");
|
||||
} catch(IndexNotFoundException e) {
|
||||
|
|
@ -465,7 +465,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
|
|||
assertAcked(client.admin().indices().prepareCreate("test_1"));
|
||||
|
||||
try {
|
||||
//fails: user doesn't have manage aliases on test_1, nor test_alias
|
||||
//fails: user doesn't have manage_aliases aliases on test_1, nor test_alias
|
||||
client.admin().indices().prepareGetAliases().setAliases("test_alias").setIndices("test_1").get();
|
||||
fail("get alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
|
||||
} catch(ElasticsearchSecurityException e) {
|
||||
|
|
@ -474,7 +474,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
|
|||
}
|
||||
|
||||
try {
|
||||
//fails: user doesn't have manage aliases on test_*, no matching indices to replace wildcards
|
||||
//fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
|
||||
client.admin().indices().prepareGetAliases().setIndices("test_*").setAliases("test_alias").get();
|
||||
fail("get alias should have failed due to missing manage_aliases privileges on test_*");
|
||||
} catch(IndexNotFoundException e) {
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ import org.elasticsearch.action.termvectors.TermVectorsAction;
|
|||
import org.elasticsearch.action.termvectors.TermVectorsRequest;
|
||||
import org.elasticsearch.action.update.UpdateAction;
|
||||
import org.elasticsearch.action.update.UpdateRequest;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.metadata.AliasMetaData;
|
||||
import org.elasticsearch.cluster.metadata.IndexMetaData;
|
||||
|
|
@ -302,7 +302,7 @@ public class InternalAuthorizationServiceTests extends ESTestCase {
|
|||
User user = new User("test user", "a_star", "b");
|
||||
ClusterState state = mock(ClusterState.class);
|
||||
when(rolesStore.role("a_star")).thenReturn(Role.builder("a_star").add(IndexPrivilege.ALL, "a*").build());
|
||||
when(rolesStore.role("b")).thenReturn(Role.builder("a_star").add(IndexPrivilege.SEARCH, "b").build());
|
||||
when(rolesStore.role("b")).thenReturn(Role.builder("a_star").add(IndexPrivilege.READ, "b").build());
|
||||
when(clusterService.state()).thenReturn(state);
|
||||
Settings indexSettings = Settings.builder().put("index.version.created", Version.CURRENT).build();
|
||||
when(state.metaData()).thenReturn(MetaData.builder()
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ import org.elasticsearch.action.search.SearchAction;
|
|||
import org.elasticsearch.action.search.SearchRequest;
|
||||
import org.elasticsearch.action.support.IndicesOptions;
|
||||
import org.elasticsearch.client.Requests;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.metadata.AliasAction;
|
||||
import org.elasticsearch.cluster.metadata.AliasMetaData;
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ import java.util.function.Predicate;
|
|||
|
||||
import static org.elasticsearch.shield.authz.privilege.IndexPrivilege.MONITOR;
|
||||
import static org.elasticsearch.shield.authz.privilege.IndexPrivilege.READ;
|
||||
import static org.elasticsearch.shield.authz.privilege.IndexPrivilege.SEARCH;
|
||||
import static org.elasticsearch.shield.authz.privilege.IndexPrivilege.union;
|
||||
import static org.hamcrest.Matchers.equalTo;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
|
|
@ -33,7 +32,7 @@ public class PermissionTests extends ESTestCase {
|
|||
@Before
|
||||
public void init() {
|
||||
Role.Builder builder = Role.builder("test");
|
||||
builder.add(union(SEARCH, MONITOR), "test_*", "/foo.*/");
|
||||
builder.add(union(MONITOR), "test_*", "/foo.*/");
|
||||
builder.add(union(READ), "baz_*foo", "/fool.*bar/");
|
||||
builder.add(union(MONITOR), "/bar.*/");
|
||||
permission = builder.build();
|
||||
|
|
|
|||
|
|
@ -5,15 +5,10 @@
|
|||
*/
|
||||
package org.elasticsearch.shield.authz.privilege;
|
||||
|
||||
import org.elasticsearch.action.get.GetAction;
|
||||
import org.elasticsearch.action.get.MultiGetAction;
|
||||
import org.elasticsearch.action.ingest.DeletePipelineAction;
|
||||
import org.elasticsearch.action.ingest.GetPipelineAction;
|
||||
import org.elasticsearch.action.ingest.PutPipelineAction;
|
||||
import org.elasticsearch.action.ingest.SimulatePipelineAction;
|
||||
import org.elasticsearch.action.search.MultiSearchAction;
|
||||
import org.elasticsearch.action.search.SearchAction;
|
||||
import org.elasticsearch.action.suggest.SuggestAction;
|
||||
import org.elasticsearch.shield.support.AutomatonPredicate;
|
||||
import org.elasticsearch.shield.support.Automatons;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
|
|
@ -77,16 +72,6 @@ public class PrivilegeTests extends ESTestCase {
|
|||
assertThat(cluster, is(cluster2));
|
||||
}
|
||||
|
||||
public void testIngestPrivilege() throws Exception {
|
||||
Privilege.Name name = new Privilege.Name("manage_pipeline");
|
||||
ClusterPrivilege cluster = ClusterPrivilege.get(name);
|
||||
assertThat(cluster, is(ClusterPrivilege.MANAGE_PIPELINE));
|
||||
assertThat(cluster.predicate().test(PutPipelineAction.NAME), is(true));
|
||||
assertThat(cluster.predicate().test(DeletePipelineAction.NAME), is(true));
|
||||
assertThat(cluster.predicate().test(GetPipelineAction.NAME), is(true));
|
||||
assertThat(cluster.predicate().test(SimulatePipelineAction.NAME), is(true));
|
||||
}
|
||||
|
||||
public void testClusterTemplateActions() throws Exception {
|
||||
Privilege.Name name = new Privilege.Name("indices:admin/template/delete");
|
||||
ClusterPrivilege cluster = ClusterPrivilege.get(name);
|
||||
|
|
@ -262,27 +247,4 @@ public class PrivilegeTests extends ESTestCase {
|
|||
assertThat(predicate.test("indices:admin/mapping/put"), is(false));
|
||||
assertThat(predicate.test("indices:admin/mapping/whatever"), is(false));
|
||||
}
|
||||
|
||||
public void testSearchPrivilege() throws Exception {
|
||||
Predicate<String> predicate = IndexPrivilege.SEARCH.predicate();
|
||||
assertThat(predicate.test(SearchAction.NAME), is(true));
|
||||
assertThat(predicate.test(SearchAction.NAME + "/whatever"), is(true));
|
||||
assertThat(predicate.test(MultiSearchAction.NAME), is(true));
|
||||
assertThat(predicate.test(MultiSearchAction.NAME + "/whatever"), is(true));
|
||||
assertThat(predicate.test(SuggestAction.NAME), is(true));
|
||||
assertThat(predicate.test(SuggestAction.NAME + "/whatever"), is(true));
|
||||
|
||||
assertThat(predicate.test(GetAction.NAME), is(false));
|
||||
assertThat(predicate.test(GetAction.NAME + "/whatever"), is(false));
|
||||
assertThat(predicate.test(MultiGetAction.NAME), is(false));
|
||||
assertThat(predicate.test(MultiGetAction.NAME + "/whatever"), is(false));
|
||||
}
|
||||
|
||||
public void testGetPrivilege() throws Exception {
|
||||
Predicate<String> predicate = IndexPrivilege.GET.predicate();
|
||||
assertThat(predicate.test(GetAction.NAME), is(true));
|
||||
assertThat(predicate.test(GetAction.NAME + "/whatever"), is(true));
|
||||
assertThat(predicate.test(MultiGetAction.NAME), is(true));
|
||||
assertThat(predicate.test(MultiGetAction.NAME + "/whatever"), is(true));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -82,7 +82,8 @@ public class FileRolesStoreTests extends ESTestCase {
|
|||
assertThat(group.indices().length, is(1));
|
||||
assertThat(group.indices()[0], equalTo("idx3"));
|
||||
assertThat(group.privilege(), notNullValue());
|
||||
assertThat(group.privilege(), is(IndexPrivilege.CRUD));
|
||||
assertThat(group.privilege().implies(IndexPrivilege.READ), is(true));
|
||||
assertThat(group.privilege().implies(IndexPrivilege.WRITE),is(true));
|
||||
|
||||
role = roles.get("role1.ab");
|
||||
assertThat(role, notNullValue());
|
||||
|
|
@ -228,21 +229,20 @@ public class FileRolesStoreTests extends ESTestCase {
|
|||
* This test is mainly to make sure we can read the default roles.yml config
|
||||
*/
|
||||
public void testDefaultRolesFile() throws Exception {
|
||||
// TODO we should add the config dir to the resources so we don't copy this stuff around...
|
||||
Path path = getDataPath("default_roles.yml");
|
||||
Map<String, Role> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY);
|
||||
assertThat(roles, notNullValue());
|
||||
assertThat(roles.size(), is(10));
|
||||
assertThat(roles.size(), is(8));
|
||||
|
||||
assertThat(roles, hasKey("admin"));
|
||||
assertThat(roles, hasKey("power_user"));
|
||||
assertThat(roles, hasKey("user"));
|
||||
assertThat(roles, hasKey("kibana4"));
|
||||
assertThat(roles, hasKey("transport_client"));
|
||||
assertThat(roles, hasKey("kibana4_server"));
|
||||
assertThat(roles, hasKey("logstash"));
|
||||
assertThat(roles, hasKey("monitoring_user"));
|
||||
assertThat(roles, hasKey("remote_monitoring_agent"));
|
||||
assertThat(roles, hasKey("ingest_admin"));
|
||||
assertThat(roles, hasKey("transport_client"));
|
||||
}
|
||||
|
||||
public void testAutoReload() throws Exception {
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
*/
|
||||
package org.elasticsearch.shield.transport;
|
||||
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.node.DiscoveryNode;
|
||||
import org.elasticsearch.common.inject.AbstractModule;
|
||||
import org.elasticsearch.common.inject.Inject;
|
||||
|
|
|
|||
|
|
@ -71,8 +71,7 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
|
|||
" privileges: [ ALL ]\n" +
|
||||
DEFAULT_TRANSPORT_CLIENT_ROLE + ":\n" +
|
||||
" cluster:\n" +
|
||||
" - cluster:monitor/nodes/info\n" +
|
||||
" - cluster:monitor/state";
|
||||
" - transport_client";
|
||||
|
||||
private final Path parentFolder;
|
||||
private final String subfolderPrefix;
|
||||
|
|
|
|||
|
|
@ -26,101 +26,46 @@ user:
|
|||
# Defines the required permissions for transport clients
|
||||
transport_client:
|
||||
cluster:
|
||||
- cluster:monitor/nodes/liveness
|
||||
#uncomment the following for sniffing
|
||||
#- cluster:monitor/state
|
||||
|
||||
# The required permissions for kibana 4 users.
|
||||
kibana4:
|
||||
cluster:
|
||||
- cluster:monitor/nodes/info
|
||||
- cluster:monitor/health
|
||||
indices:
|
||||
- names: '*'
|
||||
privileges:
|
||||
- indices:admin/mappings/fields/get
|
||||
- indices:admin/validate/query
|
||||
- indices:data/read/search
|
||||
- indices:data/read/msearch
|
||||
- indices:data/read/field_stats
|
||||
- indices:admin/get
|
||||
- names: '.kibana'
|
||||
privileges:
|
||||
- indices:admin/exists
|
||||
- indices:admin/mapping/put
|
||||
- indices:admin/mappings/fields/get
|
||||
- indices:admin/refresh
|
||||
- indices:admin/validate/query
|
||||
- indices:data/read/get
|
||||
- indices:data/read/mget
|
||||
- indices:data/read/search
|
||||
- indices:data/write/delete
|
||||
- indices:data/write/index
|
||||
- indices:data/write/update
|
||||
- transport_client
|
||||
|
||||
# The required permissions for the kibana 4 server
|
||||
kibana4_server:
|
||||
cluster:
|
||||
- cluster:monitor/nodes/info
|
||||
- cluster:monitor/health
|
||||
- monitor
|
||||
indices:
|
||||
- names: '.kibana'
|
||||
privileges:
|
||||
- indices:admin/create
|
||||
- indices:admin/exists
|
||||
- indices:admin/mapping/put
|
||||
- indices:admin/mappings/fields/get
|
||||
- indices:admin/refresh
|
||||
- indices:admin/validate/query
|
||||
- indices:data/read/get
|
||||
- indices:data/read/mget
|
||||
- indices:data/read/search
|
||||
- indices:data/write/delete
|
||||
- indices:data/write/index
|
||||
- indices:data/write/update
|
||||
- all
|
||||
|
||||
# The required role for logstash users
|
||||
logstash:
|
||||
cluster:
|
||||
- indices:admin/template/get
|
||||
- indices:admin/template/put
|
||||
- manage_index_templates
|
||||
indices:
|
||||
- names: 'logstash-*'
|
||||
privileges:
|
||||
- indices:data/write/bulk
|
||||
- indices:data/write/delete
|
||||
- indices:data/write/update
|
||||
- indices:data/read/search
|
||||
- indices:data/read/scroll
|
||||
- write
|
||||
- read
|
||||
- create_index
|
||||
|
||||
# Monitoring user role. Assign to monitoring users.
|
||||
# Marvel user role. Assign to marvel users.
|
||||
monitoring_user:
|
||||
indices:
|
||||
- names: '.monitoring-*'
|
||||
privileges:
|
||||
- read
|
||||
- names:
|
||||
- '.marvel-es-*'
|
||||
- '.monitoring-*'
|
||||
privileges: [ "read" ]
|
||||
- names: '.kibana'
|
||||
privileges:
|
||||
- indices:admin/exists
|
||||
- indices:admin/mappings/fields/get
|
||||
- indices:admin/validate/query
|
||||
- indices:data/read/get
|
||||
- indices:data/read/mget
|
||||
- indices:data/read/search
|
||||
- view_index_metadata
|
||||
- read
|
||||
|
||||
# Monitoring remote agent role. Assign to the agent user on the remote monitoring cluster
|
||||
# to which the monitoring agent will export all its data
|
||||
# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
|
||||
# to which the marvel agent will export all its data
|
||||
remote_monitoring_agent:
|
||||
cluster:
|
||||
- indices:admin/template/put
|
||||
- indices:admin/template/get
|
||||
cluster: [ "manage_index_templates" ]
|
||||
indices:
|
||||
- names: '.monitoring-*'
|
||||
privileges:
|
||||
- all
|
||||
|
||||
# Allows all operations required to manage ingest pipelines
|
||||
ingest_admin:
|
||||
cluster:
|
||||
- manage_pipeline
|
||||
- names:
|
||||
- '.marvel-es-*'
|
||||
- '.monitoring-*'
|
||||
privileges: [ "all" ]
|
||||
|
|
|
|||
|
|
@ -9,7 +9,8 @@ role1:
|
|||
- READ
|
||||
- names: idx3
|
||||
privileges:
|
||||
- CRUD
|
||||
- READ
|
||||
- WRITE
|
||||
|
||||
role1.ab:
|
||||
cluster:
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ indices:monitor/upgrade
|
|||
indices:data/read/explain
|
||||
indices:data/read/field_stats
|
||||
indices:data/read/get
|
||||
indices:data/read/graph/explore
|
||||
indices:data/read/xpack/graph/explore
|
||||
indices:data/read/mget
|
||||
indices:data/read/mpercolate
|
||||
indices:data/read/msearch
|
||||
|
|
@ -75,14 +75,14 @@ indices:data/write/update
|
|||
cluster:monitor/xpack/license/get
|
||||
cluster:admin/xpack/license/delete
|
||||
cluster:admin/xpack/license/put
|
||||
cluster:admin/shield/realm/cache/clear
|
||||
cluster:admin/shield/roles/cache/clear
|
||||
cluster:admin/shield/user/put
|
||||
cluster:admin/shield/user/delete
|
||||
cluster:admin/shield/user/get
|
||||
cluster:admin/shield/role/put
|
||||
cluster:admin/shield/role/delete
|
||||
cluster:admin/shield/role/get
|
||||
cluster:admin/xpack/security/realm/cache/clear
|
||||
cluster:admin/xpack/security/roles/cache/clear
|
||||
cluster:admin/xpack/security/user/put
|
||||
cluster:admin/xpack/security/user/delete
|
||||
cluster:admin/xpack/security/user/get
|
||||
cluster:admin/xpack/security/role/put
|
||||
cluster:admin/xpack/security/role/delete
|
||||
cluster:admin/xpack/security/role/get
|
||||
internal:indices/admin/upgrade
|
||||
cluster:admin/ingest/pipeline/delete
|
||||
cluster:admin/ingest/pipeline/get
|
||||
|
|
|
|||
|
|
@ -8,16 +8,16 @@ cluster:monitor/nodes/liveness
|
|||
cluster:monitor/nodes/stats[n]
|
||||
cluster:monitor/stats[n]
|
||||
cluster:monitor/tasks/lists[n]
|
||||
cluster:admin/shield/realm/cache/clear
|
||||
cluster:admin/shield/realm/cache/clear[n]
|
||||
cluster:admin/shield/roles/cache/clear
|
||||
cluster:admin/shield/roles/cache/clear[n]
|
||||
cluster:admin/shield/role/put
|
||||
cluster:admin/shield/role/delete
|
||||
cluster:admin/shield/role/get
|
||||
cluster:admin/shield/user/put
|
||||
cluster:admin/shield/user/delete
|
||||
cluster:admin/shield/user/get
|
||||
cluster:admin/xpack/security/realm/cache/clear
|
||||
cluster:admin/xpack/security/realm/cache/clear[n]
|
||||
cluster:admin/xpack/security/roles/cache/clear
|
||||
cluster:admin/xpack/security/roles/cache/clear[n]
|
||||
cluster:admin/xpack/security/role/put
|
||||
cluster:admin/xpack/security/role/delete
|
||||
cluster:admin/xpack/security/role/get
|
||||
cluster:admin/xpack/security/user/put
|
||||
cluster:admin/xpack/security/user/delete
|
||||
cluster:admin/xpack/security/user/get
|
||||
indices:admin/analyze[s]
|
||||
indices:admin/cache/clear[n]
|
||||
indices:admin/forcemerge[n]
|
||||
|
|
@ -36,11 +36,9 @@ indices:admin/validate/query[s]
|
|||
indices:data/read/explain[s]
|
||||
indices:data/read/field_stats[s]
|
||||
indices:data/read/get[s]
|
||||
indices:data/read/graph/explore
|
||||
indices:data/read/xpack/graph/explore
|
||||
indices:data/read/mget[shard][s]
|
||||
indices:data/read/mpercolate[shard][s]
|
||||
indices:data/read/mtv[shard][s]
|
||||
indices:data/read/percolate[s]
|
||||
indices:data/read/search[clear_scroll_contexts]
|
||||
indices:data/read/search[free_context/scroll]
|
||||
indices:data/read/search[free_context]
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ import org.elasticsearch.common.settings.Setting;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.settings.SettingsModule;
|
||||
import org.elasticsearch.script.ScriptModule;
|
||||
import org.elasticsearch.shield.Shield;
|
||||
import org.elasticsearch.watcher.actions.WatcherActionModule;
|
||||
import org.elasticsearch.watcher.actions.email.service.EmailService;
|
||||
import org.elasticsearch.watcher.actions.email.service.InternalEmailService;
|
||||
|
|
@ -120,12 +119,6 @@ public class Watcher {
|
|||
transportClient = "transport".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
|
||||
enabled = enabled(settings);
|
||||
validAutoCreateIndex(settings);
|
||||
|
||||
// adding the watcher privileges to shield
|
||||
if (Shield.enabled(settings)) {
|
||||
Shield.registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*");
|
||||
Shield.registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*");
|
||||
}
|
||||
}
|
||||
|
||||
public Collection<Module> nodeModules() {
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher;
|
|||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.cluster.AckedClusterStateUpdateTask;
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ClusterStateListener;
|
||||
import org.elasticsearch.cluster.ack.AckedRequest;
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher.support;
|
|||
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
|
||||
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ClusterStateListener;
|
||||
import org.elasticsearch.common.component.AbstractComponent;
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ import org.elasticsearch.action.ActionResponse;
|
|||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.action.support.master.MasterNodeRequest;
|
||||
import org.elasticsearch.action.support.master.TransportMasterNodeAction;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.plugin.core.LicenseUtils;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class AckWatchAction extends Action<AckWatchRequest, AckWatchResponse, AckWatchRequestBuilder> {
|
||||
|
||||
public static final AckWatchAction INSTANCE = new AckWatchAction();
|
||||
public static final String NAME = "cluster:admin/watcher/watch/ack";
|
||||
public static final String NAME = "cluster:admin/xpack/watcher/watch/ack";
|
||||
|
||||
private AckWatchAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.ack;
|
|||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class ActivateWatchAction extends Action<ActivateWatchRequest, ActivateWatchResponse, ActivateWatchRequestBuilder> {
|
||||
|
||||
public static final ActivateWatchAction INSTANCE = new ActivateWatchAction();
|
||||
public static final String NAME = "cluster:admin/watcher/watch/activate";
|
||||
public static final String NAME = "cluster:admin/xpack/watcher/watch/activate";
|
||||
|
||||
private ActivateWatchAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.activate;
|
|||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class DeleteWatchAction extends Action<DeleteWatchRequest, DeleteWatchResponse, DeleteWatchRequestBuilder> {
|
||||
|
||||
public static final DeleteWatchAction INSTANCE = new DeleteWatchAction();
|
||||
public static final String NAME = "cluster:admin/watcher/watch/delete";
|
||||
public static final String NAME = "cluster:admin/xpack/watcher/watch/delete";
|
||||
|
||||
private DeleteWatchAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
|
|||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.delete.DeleteResponse;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class ExecuteWatchAction extends Action<ExecuteWatchRequest, ExecuteWatchResponse, ExecuteWatchRequestBuilder> {
|
||||
|
||||
public static final ExecuteWatchAction INSTANCE = new ExecuteWatchAction();
|
||||
public static final String NAME = "cluster:admin/watcher/watch/execute";
|
||||
public static final String NAME = "cluster:admin/xpack/watcher/watch/execute";
|
||||
|
||||
private ExecuteWatchAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.execute;
|
|||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class GetWatchAction extends org.elasticsearch.action.Action<GetWatchRequest, GetWatchResponse, GetWatchRequestBuilder> {
|
||||
|
||||
public static final GetWatchAction INSTANCE = new GetWatchAction();
|
||||
public static final String NAME = "cluster:monitor/watcher/watch/get";
|
||||
public static final String NAME = "cluster:monitor/xpack/watcher/watch/get";
|
||||
|
||||
private GetWatchAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.get;
|
|||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class PutWatchAction extends Action<PutWatchRequest, PutWatchResponse, PutWatchRequestBuilder> {
|
||||
|
||||
public static final PutWatchAction INSTANCE = new PutWatchAction();
|
||||
public static final String NAME = "cluster:admin/watcher/watch/put";
|
||||
public static final String NAME = "cluster:admin/xpack/watcher/watch/put";
|
||||
|
||||
private PutWatchAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
|
|||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.index.IndexResponse;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.service;
|
|||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class WatcherServiceAction extends Action<WatcherServiceRequest, WatcherServiceResponse, WatcherServiceRequestBuilder> {
|
||||
|
||||
public static final WatcherServiceAction INSTANCE = new WatcherServiceAction();
|
||||
public static final String NAME = "cluster:admin/watcher/service";
|
||||
public static final String NAME = "cluster:admin/xpack/watcher/service";
|
||||
|
||||
private WatcherServiceAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.stats;
|
|||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.ActionFilters;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockException;
|
||||
import org.elasticsearch.cluster.block.ClusterBlockLevel;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
|
|||
public class WatcherStatsAction extends Action<WatcherStatsRequest, WatcherStatsResponse, WatcherStatsRequestBuilder> {
|
||||
|
||||
public static final WatcherStatsAction INSTANCE = new WatcherStatsAction();
|
||||
public static final String NAME = "cluster:monitor/watcher/stats";
|
||||
public static final String NAME = "cluster:monitor/xpack/watcher/stats";
|
||||
|
||||
private WatcherStatsAction() {
|
||||
super(NAME);
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.watcher;
|
|||
import org.elasticsearch.cluster.AckedClusterStateUpdateTask;
|
||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||
import org.elasticsearch.cluster.ClusterName;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.ClusterStateUpdateTask;
|
||||
import org.elasticsearch.cluster.block.ClusterBlocks;
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ package org.elasticsearch.watcher.actions.email;
|
|||
import com.squareup.okhttp.mockwebserver.MockResponse;
|
||||
import com.squareup.okhttp.mockwebserver.MockWebServer;
|
||||
import com.squareup.okhttp.mockwebserver.QueueDispatcher;
|
||||
import org.apache.lucene.util.LuceneTestCase;
|
||||
import org.elasticsearch.action.search.SearchRequest;
|
||||
import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.io.Streams;
|
||||
|
|
@ -61,7 +60,6 @@ import static org.hamcrest.Matchers.equalTo;
|
|||
import static org.hamcrest.Matchers.hasItem;
|
||||
import static org.hamcrest.Matchers.startsWith;
|
||||
|
||||
@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/pull/17065")
|
||||
public class EmailAttachmentTests extends AbstractWatcherIntegrationTestCase {
|
||||
|
||||
static final String USERNAME = "_user";
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
package org.elasticsearch.watcher.execution;
|
||||
|
||||
import org.elasticsearch.action.get.GetResponse;
|
||||
import org.elasticsearch.cluster.ClusterService;
|
||||
import org.elasticsearch.cluster.service.ClusterService;
|
||||
import org.elasticsearch.watcher.condition.ExecutableCondition;
|
||||
import org.elasticsearch.watcher.condition.always.ExecutableAlwaysCondition;
|
||||
import org.elasticsearch.watcher.input.none.ExecutableNoneInput;
|
||||
|
|
|
|||
|
|
@ -5,7 +5,6 @@
|
|||
*/
|
||||
package org.elasticsearch.watcher.history;
|
||||
|
||||
import org.apache.lucene.util.LuceneTestCase;
|
||||
import org.elasticsearch.action.search.SearchResponse;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.search.aggregations.Aggregations;
|
||||
|
|
@ -32,7 +31,6 @@ import static org.hamcrest.Matchers.notNullValue;
|
|||
* This test makes sure that the email address fields in the watch_record action result are
|
||||
* not analyzed so they can be used in aggregations
|
||||
*/
|
||||
@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/pull/17065")
|
||||
public class HistoryTemplateEmailMappingsTests extends AbstractWatcherIntegrationTestCase {
|
||||
static final String USERNAME = "_user";
|
||||
static final String PASSWORD = "_passwd";
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue