update settings for tribes to fail if shield is not enabled or mandatory

In 2.0, plugins cannot specify mandatory settings, they can only specify a default additional set of settings. For tribe nodes, we require shield to be enabled and be a mandatory plugin. If the settings specified by the user conflict with this, we now throw an exception and fail startup. Closes elastic/elasticsearch#426 Original commit: elastic/x-pack-elasticsearch@db4d6d7923
2015-09-14 16:46:46 -04:00 · 2015-09-14 16:46:46 -04:00 · 8860364f72
parent 8e343d21cc
commit 8860364f72
2 changed files with 47 additions and 39 deletions
--- a/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java
+++ b/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java
@ -60,11 +60,11 @@ import java.util.Map;
 public class ShieldPlugin extends Plugin {
    public static final String NAME = "shield";
    public static final String ENABLED_SETTING_NAME = NAME + ".enabled";
    public static final String OPT_OUT_QUERY_CACHE = "opt_out_cache";
    private static final boolean DEFAULT_ENABLED_SETTING = true;
    private final Settings settings;
    private final boolean enabled;
    private final boolean clientMode;
@ -250,15 +250,20 @@ public class ShieldPlugin extends Plugin {
                settingsBuilder.putArray(tribePrefix + "plugin.mandatory", NAME);
            } else {
                if (!isShieldMandatory(existingMandatoryPlugins)) {
-                    String[] updatedMandatoryPlugins = new String[existingMandatoryPlugins.length + 1];
+                    throw new IllegalStateException("when [plugin.mandatory] is explicitly configured, [" + NAME + "] must be included in this list");
                    System.arraycopy(existingMandatoryPlugins, 0, updatedMandatoryPlugins, 0, existingMandatoryPlugins.length);
                    updatedMandatoryPlugins[updatedMandatoryPlugins.length - 1] = NAME;
                    //shield is mandatory on every tribe if installed and enabled on the tribe node
                    settingsBuilder.putArray(tribePrefix + "plugin.mandatory", updatedMandatoryPlugins);
                }
            }
            final String tribeEnabledSetting = tribePrefix + ENABLED_SETTING_NAME;
            if (settings.get(tribeEnabledSetting) != null) {
                boolean enabled = shieldEnabled(tribeSettings.getValue());
                if (!enabled) {
                    throw new IllegalStateException("tribe setting [" + tribeEnabledSetting + "] must be set to true but the value is [" + settings.get(tribeEnabledSetting) + "]");
                }
            } else {
                //shield must be enabled on every tribe if it's enabled on the tribe node
-            settingsBuilder.put(tribePrefix + ENABLED_SETTING_NAME, true);
+                settingsBuilder.put(tribeEnabledSetting, true);
            }
        }
    }
@ -294,7 +299,7 @@ public class ShieldPlugin extends Plugin {
    }
    public static boolean shieldEnabled(Settings settings) {
-        return settings.getAsBoolean(ENABLED_SETTING_NAME, true);
+        return settings.getAsBoolean(ENABLED_SETTING_NAME, DEFAULT_ENABLED_SETTING);
    }
    private void failIfShieldQueryCacheIsNotActive(Settings settings, boolean nodeSettings) {
--- a/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java
+++ b/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java
@ -9,6 +9,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.Test;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.notNullValue;
 import static org.hamcrest.Matchers.arrayContaining;
@ -40,13 +41,13 @@ public class ShieldPluginSettingsTests extends ESTestCase {
        ShieldPlugin shieldPlugin = new ShieldPlugin(settings);
        //simulate what PluginsService#updatedSettings does to make sure we don't override existing mandatory plugins
-        Settings finalSettings = Settings.builder().put(settings).put(shieldPlugin.additionalSettings()).build();
+        try {
-
+            Settings.builder().put(settings).put(shieldPlugin.additionalSettings()).build();
-        String[] finalMandatoryPlugins = finalSettings.getAsArray("tribe.t1.plugin.mandatory", null);
+            fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown");
-        assertThat(finalMandatoryPlugins, notNullValue());
+        } catch (IllegalStateException e) {
-        assertThat(finalMandatoryPlugins.length, equalTo(2));
+            assertThat(e.getMessage(), containsString("shield"));
-        assertThat(finalMandatoryPlugins[0], equalTo("test_plugin"));
+            assertThat(e.getMessage(), containsString("plugin.mandatory"));
-        assertThat(finalMandatoryPlugins[1], equalTo(ShieldPlugin.NAME));
+        }
    }
    @Test
@ -67,9 +68,8 @@ public class ShieldPluginSettingsTests extends ESTestCase {
    }
    @Test
-    public void testShieldAlwaysEnabledOnTribes() {
+    public void testShieldIsEnabledByDefaultOnTribes() {
        Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
                .put(TRIBE_T1_SHIELD_ENABLED, false)
                .put("tribe.t2.cluster.name", "non_existing").build();
        ShieldPlugin shieldPlugin = new ShieldPlugin(settings);
@ -78,15 +78,26 @@ public class ShieldPluginSettingsTests extends ESTestCase {
        assertThat(additionalSettings.getAsBoolean(TRIBE_T1_SHIELD_ENABLED, null), equalTo(true));
        assertThat(additionalSettings.getAsBoolean(TRIBE_T2_SHIELD_ENABLED, null), equalTo(true));
        //simulate what PluginsService#updatedSettings does to make sure additional settings override existing settings with same name
        Settings finalSettings = Settings.builder().put(settings).put(shieldPlugin.additionalSettings()).build();
        assertThat(finalSettings.getAsBoolean(TRIBE_T1_SHIELD_ENABLED, null), equalTo(true));
        assertThat(finalSettings.getAsBoolean(TRIBE_T2_SHIELD_ENABLED, null), equalTo(true));
    }
    @Test
-    public void testShieldAlwaysEnabledOnTribesShieldAlreadyMandatory() {
+    public void testShieldDisabledOnATribe() {
        Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
                .put(TRIBE_T1_SHIELD_ENABLED, false)
                .put("tribe.t2.cluster.name", "non_existing").build();
        ShieldPlugin shieldPlugin = new ShieldPlugin(settings);
        try {
            shieldPlugin.additionalSettings();
            fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown");
        } catch (IllegalStateException e) {
            assertThat(e.getMessage(), containsString(TRIBE_T1_SHIELD_ENABLED));
        }
    }
    @Test
    public void testShieldDisabledOnTribesShieldAlreadyMandatory() {
        Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
                .put(TRIBE_T1_SHIELD_ENABLED, false)
                .put("tribe.t2.cluster.name", "non_existing")
@ -94,19 +105,11 @@ public class ShieldPluginSettingsTests extends ESTestCase {
        ShieldPlugin shieldPlugin = new ShieldPlugin(settings);
-        Settings additionalSettings = shieldPlugin.additionalSettings();
+        try {
-
+            shieldPlugin.additionalSettings();
-        assertThat(additionalSettings.getAsBoolean(TRIBE_T1_SHIELD_ENABLED, null), equalTo(true));
+            fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown");
-        assertThat(additionalSettings.getAsBoolean(TRIBE_T2_SHIELD_ENABLED, null), equalTo(true));
+        } catch (IllegalStateException e) {
-
+            assertThat(e.getMessage(), containsString(TRIBE_T1_SHIELD_ENABLED));
-        //simulate what PluginsService#updatedSettings does to make sure additional settings override existing settings with same name
+        }
        Settings finalSettings = Settings.builder().put(settings).put(shieldPlugin.additionalSettings()).build();
        assertThat(finalSettings.getAsBoolean(TRIBE_T1_SHIELD_ENABLED, null), equalTo(true));
        assertThat(finalSettings.getAsBoolean(TRIBE_T2_SHIELD_ENABLED, null), equalTo(true));
        String[] finalMandatoryPlugins = finalSettings.getAsArray("tribe.t1.plugin.mandatory", null);
        assertThat(finalMandatoryPlugins, notNullValue());
        assertThat(finalMandatoryPlugins.length, equalTo(2));
        assertThat(finalMandatoryPlugins[0], equalTo("test_plugin"));
        assertThat(finalMandatoryPlugins[1], equalTo(ShieldPlugin.NAME));
    }
 }