diff --git a/src/main/java/org/elasticsearch/shield/SecurityModule.java b/src/main/java/org/elasticsearch/shield/SecurityModule.java index 96c2f49e481..67643ce323e 100644 --- a/src/main/java/org/elasticsearch/shield/SecurityModule.java +++ b/src/main/java/org/elasticsearch/shield/SecurityModule.java @@ -29,11 +29,17 @@ public class SecurityModule extends AbstractModule implements SpawnModules { @Override public Iterable spawnModules() { - // dont spawn module in client mode + + // don't spawn module in client mode if (settings.getAsBoolean("node.client", false)) { return ImmutableList.of(); } + // don't spawn modules if shield is explicitly disabled + if (!settings.getComponentSettings(SecurityModule.class).getAsBoolean("enabled", true)) { + return ImmutableList.of(); + } + return ImmutableList.of( Modules.createModule(AuthenticationModule.class, settings), Modules.createModule(AuthorizationModule.class, settings), diff --git a/src/main/java/org/elasticsearch/shield/audit/AuditTrail.java b/src/main/java/org/elasticsearch/shield/audit/AuditTrail.java index a90d0c0c3f5..d1a3d0b65fa 100644 --- a/src/main/java/org/elasticsearch/shield/audit/AuditTrail.java +++ b/src/main/java/org/elasticsearch/shield/audit/AuditTrail.java @@ -20,7 +20,7 @@ public interface AuditTrail { } @Override - public void authenticationFailed(AuthenticationToken token, String action, TransportRequest request) { + public void authenticationFailed(String realm, AuthenticationToken token, String action, TransportRequest request) { } @Override @@ -34,7 +34,7 @@ public interface AuditTrail { void anonymousAccess(String action, TransportRequest request); - void authenticationFailed(AuthenticationToken token, String action, TransportRequest request); + void authenticationFailed(String realm, AuthenticationToken token, String action, TransportRequest request); void accessGranted(User user, String action, TransportRequest request); diff --git a/src/main/java/org/elasticsearch/shield/audit/AuditTrailService.java b/src/main/java/org/elasticsearch/shield/audit/AuditTrailService.java index 1e75daa2565..cfd7146d4eb 100644 --- a/src/main/java/org/elasticsearch/shield/audit/AuditTrailService.java +++ b/src/main/java/org/elasticsearch/shield/audit/AuditTrailService.java @@ -35,9 +35,9 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail { } @Override - public void authenticationFailed(AuthenticationToken token, String action, TransportRequest request) { + public void authenticationFailed(String realm, AuthenticationToken token, String action, TransportRequest request) { for (int i = 0; i < auditTrails.length; i++) { - auditTrails[i].authenticationFailed(token, action, request); + auditTrails[i].authenticationFailed(realm, token, action, request); } } diff --git a/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java b/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java index b29f196b847..c3b5aa1cc3f 100644 --- a/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java +++ b/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java @@ -33,11 +33,11 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail { } @Override - public void authenticationFailed(AuthenticationToken token, String action, TransportRequest request) { + public void authenticationFailed(String realm, AuthenticationToken token, String action, TransportRequest request) { if (logger.isDebugEnabled()) { - logger.info("AUTHENTICATION_FAILED\thost=[{}], action=[{}], principal=[{}], request=[{}]", request.remoteAddress(), action, token.principal(), request); + logger.info("AUTHENTICATION_FAILED\thost=[{}], realm=[{}], action=[{}], principal=[{}], request=[{}]", request.remoteAddress(), realm, action, token.principal(), request); } else { - logger.info("AUTHENTICATION_FAILED\thost=[{}], action=[{}], principal=[{}]", request.remoteAddress(), action, token.principal()); + logger.info("AUTHENTICATION_FAILED\thost=[{}], realm=[{}], action=[{}], principal=[{}]", request.remoteAddress(), realm, action, token.principal()); } } diff --git a/src/main/java/org/elasticsearch/shield/authc/AuthenticationModule.java b/src/main/java/org/elasticsearch/shield/authc/AuthenticationModule.java index db4c68b505f..1d93da460b4 100644 --- a/src/main/java/org/elasticsearch/shield/authc/AuthenticationModule.java +++ b/src/main/java/org/elasticsearch/shield/authc/AuthenticationModule.java @@ -28,9 +28,11 @@ public class AuthenticationModule extends AbstractModule implements SpawnModules @Override public Iterable spawnModules() { ImmutableList.Builder modules = ImmutableList.builder(); - modules.add(Modules.createModule(ESUsersModule.class, settings)); + if (ESUsersModule.enabled(settings)) { + modules.add(new ESUsersModule()); + } if (LdapModule.enabled(settings)) { - modules.add(Modules.createModule(LdapModule.class, settings)); + modules.add(new LdapModule()); } return modules.build(); } diff --git a/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java b/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java index b4adc0f448f..506a243a55e 100644 --- a/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java +++ b/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java @@ -11,8 +11,6 @@ import org.elasticsearch.common.inject.internal.Nullable; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.shield.User; import org.elasticsearch.shield.audit.AuditTrail; -import org.elasticsearch.shield.authc.esusers.ESUsersRealm; -import org.elasticsearch.shield.authc.ldap.LdapRealm; import org.elasticsearch.transport.TransportRequest; /** @@ -24,11 +22,9 @@ public class InternalAuthenticationService extends AbstractComponent implements private final AuditTrail auditTrail; @Inject - public InternalAuthenticationService(Settings settings, ESUsersRealm esUsersRealm, @Nullable LdapRealm ldapRealm, @Nullable AuditTrail auditTrail) { + public InternalAuthenticationService(Settings settings, Realms realms, @Nullable AuditTrail auditTrail) { super(settings); - this.realms = ldapRealm != null ? - new Realm[] { esUsersRealm, ldapRealm } : - new Realm[] { esUsersRealm }; + this.realms = realms.realms(); this.auditTrail = auditTrail; } @@ -49,14 +45,14 @@ public class InternalAuthenticationService extends AbstractComponent implements */ @Override public User authenticate(String action, TransportRequest request) throws AuthenticationException { - for (int i = 0; i < realms.length; i++) { - AuthenticationToken token = realms[i].token(request); + for (Realm realm : realms) { + AuthenticationToken token = realm.token(request); if (token != null) { - User user = realms[i].authenticate(token); + User user = realm.authenticate(token); if (user != null) { return user; } else if (auditTrail != null) { - auditTrail.authenticationFailed(token, action, request); + auditTrail.authenticationFailed(realm.type(), token, action, request); } } } diff --git a/src/main/java/org/elasticsearch/shield/authc/Realms.java b/src/main/java/org/elasticsearch/shield/authc/Realms.java new file mode 100644 index 00000000000..b3ed2b9b50b --- /dev/null +++ b/src/main/java/org/elasticsearch/shield/authc/Realms.java @@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.shield.authc; + +import org.elasticsearch.common.inject.Inject; +import org.elasticsearch.common.inject.internal.Nullable; +import org.elasticsearch.shield.authc.esusers.ESUsersRealm; +import org.elasticsearch.shield.authc.ldap.LdapRealm; + +import java.util.ArrayList; +import java.util.List; + +/** + * Serves as a realms registry (also responsible for ordering the realms appropriately) + */ +public class Realms { + + private final Realm[] realms; + + @Inject + public Realms(@Nullable ESUsersRealm esusers, @Nullable LdapRealm ldap) { + List realms = new ArrayList<>(); + if (esusers != null) { + realms.add(esusers); + } + if (ldap != null) { + realms.add(ldap); + } + this.realms = realms.toArray(new Realm[realms.size()]); + } + + Realm[] realms() { + return realms; + } + +} diff --git a/src/main/java/org/elasticsearch/shield/authc/esusers/ESUsersModule.java b/src/main/java/org/elasticsearch/shield/authc/esusers/ESUsersModule.java index 08960fd223f..7d743626e85 100644 --- a/src/main/java/org/elasticsearch/shield/authc/esusers/ESUsersModule.java +++ b/src/main/java/org/elasticsearch/shield/authc/esusers/ESUsersModule.java @@ -6,6 +6,7 @@ package org.elasticsearch.shield.authc.esusers; import org.elasticsearch.common.inject.AbstractModule; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.shield.authc.support.UserPasswdStore; import org.elasticsearch.shield.authc.support.UserRolesStore; @@ -16,6 +17,10 @@ import static org.elasticsearch.common.inject.name.Names.named; */ public class ESUsersModule extends AbstractModule { + public static boolean enabled(Settings settings) { + return settings.getComponentSettings(ESUsersModule.class).getAsBoolean("enabled", true); + } + @Override protected void configure() { bind(ESUsersRealm.class).asEagerSingleton(); diff --git a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapModule.java b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapModule.java index 5bb8425b887..54a23985844 100644 --- a/src/main/java/org/elasticsearch/shield/authc/ldap/LdapModule.java +++ b/src/main/java/org/elasticsearch/shield/authc/ldap/LdapModule.java @@ -15,7 +15,7 @@ public class LdapModule extends AbstractModule { public static boolean enabled(Settings settings) { Settings ldapSettings = settings.getComponentSettings(LdapModule.class); - return ldapSettings != null; + return ldapSettings != null && ldapSettings.getAsBoolean("enabled", true); } @Override diff --git a/src/test/java/org/elasticsearch/shield/authc/esusers/ESUsersModuleTests.java b/src/test/java/org/elasticsearch/shield/authc/esusers/ESUsersModuleTests.java index 1b3b4b85149..048a17add55 100644 --- a/src/test/java/org/elasticsearch/shield/authc/esusers/ESUsersModuleTests.java +++ b/src/test/java/org/elasticsearch/shield/authc/esusers/ESUsersModuleTests.java @@ -47,6 +47,19 @@ public class ESUsersModuleTests extends ElasticsearchTestCase { assertThat(realm.userRolesStore, instanceOf(FileUserRolesStore.class)); } + @Test + public void testEnabled() throws Exception { + assertThat(ESUsersModule.enabled(ImmutableSettings.EMPTY), is(true)); + Settings settings = ImmutableSettings.builder() + .put("shield.authc.esusers.enabled", false) + .build(); + assertThat(ESUsersModule.enabled(settings), is(false)); + settings = ImmutableSettings.builder() + .put("shield.authc.esusers.enabled", true) + .build(); + assertThat(ESUsersModule.enabled(settings), is(true)); + } + public static class TestModule extends AbstractModule { final Path users; @@ -70,4 +83,5 @@ public class ESUsersModuleTests extends ElasticsearchTestCase { bind(ResourceWatcherService.class).asEagerSingleton(); } } + }