Disable security for trial licenses by default (elastic/x-pack-elasticsearch#4120)

This change disables security for trial licenses unless security is
explicitly enabled in the settings. This is done to facilitate users
getting started and not having to deal with some of the complexities
involved in getting security configured. In order to do this and avoid
disabling security for existing users that have gold or platinum
licenses, we have to disable security after cluster formation so that
the license can be retrieved.

relates elastic/x-pack-elasticsearch#4078

Original commit: elastic/x-pack-elasticsearch@96bdb889fc
Jay Modi 2018-03-21 21:09:44 -06:00 committed by GitHub
parent e139b7ee31
commit b0cc5afe8b
73 changed files with 349 additions and 164 deletions


@ -136,6 +136,7 @@ Closure waitWithAuth = { NodeInfo node, AntBuilder ant ->
integTestCluster {
plugin xpackProject('plugin').path
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.authc.token.enabled', 'true'
// Disable monitoring exporters for the docs tests
setting 'xpack.monitoring.exporters._local.type', 'local'


@ -90,6 +90,7 @@ processTestResources.dependsOn(createNodeKeyStore)
integTestCluster {
dependsOn createNodeKeyStore
setting 'xpack.ml.enabled', 'true'
setting 'xpack.security.enabled', 'true'
setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE'
// Integration tests are supposed to enable/disable exporters before/after each test
setting 'xpack.monitoring.exporters._local.type', 'local'


@ -10,6 +10,7 @@ import org.elasticsearch.common.logging.LoggerMessageFormat;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.License.OperationMode;
import org.elasticsearch.xpack.core.XPackField;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.monitoring.MonitoringField;
import java.util.Collections;
@ -262,8 +263,16 @@ public class XPackLicenseState {
this.active = active;
}
}
private volatile Status status = new Status(OperationMode.TRIAL, true);
private final List<Runnable> listeners = new CopyOnWriteArrayList<>();
private final boolean isSecurityEnabled;
private final boolean isSecurityExplicitlyEnabled;
public XPackLicenseState(Settings settings) {
this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
this.isSecurityExplicitlyEnabled = settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) && isSecurityEnabled;
}
/** Updates the current state of the license, which will change what features are available. */
void update(OperationMode mode, boolean active) {
@ -306,7 +315,8 @@ public class XPackLicenseState {
*/
public boolean isIpFilteringAllowed() {
OperationMode mode = status.mode;
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL;
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM
|| mode == OperationMode.TRIAL;
}
/**
@ -314,7 +324,8 @@ public class XPackLicenseState {
*/
public boolean isAuditingAllowed() {
OperationMode mode = status.mode;
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL;
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM
|| mode == OperationMode.TRIAL;
}
/**
@ -374,7 +385,8 @@ public class XPackLicenseState {
*/
public boolean isCustomRoleProvidersAllowed() {
final Status localStatus = status;
return (localStatus.mode == OperationMode.PLATINUM || localStatus.mode == OperationMode.TRIAL) && localStatus.active;
return (localStatus.mode == OperationMode.PLATINUM || localStatus.mode == OperationMode.TRIAL )
&& localStatus.active;
}
/**
@ -578,4 +590,18 @@ public class XPackLicenseState {
return licensed && localStatus.active;
}
public boolean isTrialLicense() {
return status.mode == OperationMode.TRIAL;
}
public boolean isSecurityAvailable() {
OperationMode mode = status.mode;
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.STANDARD ||
mode == OperationMode.TRIAL;
}
public boolean isSecurityEnabled() {
final OperationMode mode = status.mode;
return mode == OperationMode.TRIAL ? isSecurityExplicitlyEnabled : isSecurityEnabled;
}
}
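Review bot: `isSecurityEnabled()` derives its answer from `status.mode`, and `status` starts out as `new Status(OperationMode.TRIAL, true)`, so a node that relies on the default setting appears to report security as disabled until the first `update(...)` delivers the real license. For a gold or platinum cluster that never set `xpack.security.enabled` explicitly, that looks like a window after startup in which callers gating on this method skip their checks; whether requests can be served during that window is not visible from this hunk. Consider tracking "license not yet loaded" as its own state and treating it as enabled until the license is known. The three new public methods also have no Javadoc; for `isSecurityEnabled()` something like `/** Returns whether security is in effect: on a trial license only when xpack.security.enabled was explicitly set to true, otherwise the configured value. */` would record the rule where callers will look for it.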


@ -111,7 +111,7 @@ public class XPackPlugin extends XPackClientPlugin implements ScriptPlugin, Exte
Environment env = transportClientMode ? null : new Environment(settings, configPath);
setSslService(new SSLService(settings, env));
setLicenseState(new XPackLicenseState());
setLicenseState(new XPackLicenseState(settings));
this.licensing = new Licensing(settings);
}


@ -108,7 +108,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
@Override
protected DirectoryReader wrap(DirectoryReader reader) {
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return reader;
}
@ -162,7 +162,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
@Override
protected IndexSearcher wrap(IndexSearcher searcher) throws EngineException {
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return searcher;
}
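Review bot: The guard `licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false` is written out in both `wrap` overloads here and again in `Security.getFieldFilter`, `BulkShardRequestInterceptor.intercept` and `FieldAndDocumentLevelSecurityRequestInterceptor.intercept`. Each half is a separate call into the license state, so a license update between the two calls can combine answers from two different licenses, and a future call site can easily carry only one half of the check. A single method on `XPackLicenseState` that snapshots `status` once, the way `isCustomRoleProvidersAllowed` does with `localStatus`, would keep the document- and field-level decision in one place. Both `wrap` bodies continue outside the hunks.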


@ -23,7 +23,7 @@ import static org.mockito.Mockito.when;
public class LicenseRegistrationTests extends AbstractLicenseServiceTestCase {
public void testSelfGeneratedTrialLicense() throws Exception {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
setInitialState(null, licenseState, Settings.EMPTY, "trial");
when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(true);
licenseService.start();
@ -42,7 +42,7 @@ public class LicenseRegistrationTests extends AbstractLicenseServiceTestCase {
}
public void testSelfGeneratedBasicLicense() throws Exception {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
setInitialState(null, licenseState, Settings.EMPTY, "basic");
when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(true);
licenseService.start();
@ -74,7 +74,7 @@ public class LicenseRegistrationTests extends AbstractLicenseServiceTestCase {
.maxNodes(5);
License license = TestUtils.generateSignedLicense(builder);
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
setInitialState(license, licenseState, Settings.EMPTY);
when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(true);
licenseService.start();
@ -106,7 +106,7 @@ public class LicenseRegistrationTests extends AbstractLicenseServiceTestCase {
.expiryDate(dateMath("now-2h", now));
License license = SelfGeneratedLicense.create(builder);
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
setInitialState(license, licenseState, Settings.EMPTY);
when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(true);
licenseService.start();


@ -20,7 +20,7 @@ import static org.mockito.Mockito.verify;
public class LicensesAcknowledgementTests extends AbstractLicenseServiceTestCase {
public void testAcknowledgment() throws Exception {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
setInitialState(TestUtils.generateSignedLicense("gold", timeValueHours(2)), licenseState, Settings.EMPTY);
licenseService.start();
// try installing a signed license
@ -40,7 +40,7 @@ public class LicensesAcknowledgementTests extends AbstractLicenseServiceTestCase
}
public void testRejectUpgradeToProductionWithoutTLS() throws Exception {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
setInitialState(TestUtils.generateSignedLicense("trial", timeValueHours(2)), licenseState, Settings.EMPTY);
licenseService.start();
// try installing a signed license
@ -53,7 +53,7 @@ public class LicensesAcknowledgementTests extends AbstractLicenseServiceTestCase
}
public void testUpgradeToProductionWithoutTLSAndSecurityDisabled() throws Exception {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
setInitialState(TestUtils.generateSignedLicense("trial", timeValueHours(2)), licenseState, Settings.builder()
.put("xpack.security.enabled", false).build());
licenseService.start();
@ -72,7 +72,7 @@ public class LicensesAcknowledgementTests extends AbstractLicenseServiceTestCase
}
public void testUpgradeToProductionWithTLSAndSecurity() throws Exception {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
setInitialState(TestUtils.generateSignedLicense("trial", timeValueHours(2)), licenseState, Settings.builder()
.put("xpack.security.enabled", true)
.put("xpack.security.transport.ssl.enabled", true).build());


@ -12,6 +12,7 @@ import org.elasticsearch.common.Strings;
import org.elasticsearch.common.joda.DateMathParser;
import org.elasticsearch.common.joda.FormatDateTimeFormatter;
import org.elasticsearch.common.joda.Joda;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.XContentBuilder;
@ -341,6 +342,10 @@ public class TestUtils {
public final List<License.OperationMode> modeUpdates = new ArrayList<>();
public final List<Boolean> activeUpdates = new ArrayList<>();
public AssertingLicenseState() {
super(Settings.EMPTY);
}
@Override
void update(License.OperationMode mode, boolean active) {
modeUpdates.add(mode);
@ -353,6 +358,14 @@ public class TestUtils {
* method public for use in tests.
*/
public static class UpdatableLicenseState extends XPackLicenseState {
public UpdatableLicenseState() {
this(Settings.EMPTY);
}
public UpdatableLicenseState(Settings settings) {
super(settings);
}
@Override
public void update(License.OperationMode mode, boolean active) {
super.update(mode, active);


@ -5,10 +5,11 @@
*/
package org.elasticsearch.license;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.License.OperationMode;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.XPackField;
import org.hamcrest.Matchers;
import org.elasticsearch.xpack.core.XPackSettings;
import java.util.Arrays;
import java.util.function.Predicate;
@ -29,7 +30,7 @@ public class XPackLicenseStateTests extends ESTestCase {
/** Creates a license state with the given license type and active state, and checks the given method returns expected. */
void assertAllowed(OperationMode mode, boolean active, Predicate<XPackLicenseState> predicate, boolean expected) {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(mode, active);
assertEquals(expected, predicate.test(licenseState));
}
@ -68,18 +69,29 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSecurityDefaults() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState =
new XPackLicenseState(Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
licenseState = new XPackLicenseState(Settings.EMPTY);
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
}
public void testSecurityBasic() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(BASIC, true);
assertThat(licenseState.isAuthAllowed(), is(false));
@ -87,12 +99,13 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testSecurityBasicExpired() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(BASIC, false);
assertThat(licenseState.isAuthAllowed(), is(false));
@ -100,12 +113,13 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testSecurityStandard() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(STANDARD, true);
assertThat(licenseState.isAuthAllowed(), is(true));
@ -113,12 +127,13 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.NATIVE));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testSecurityStandardExpired() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(STANDARD, false);
assertThat(licenseState.isAuthAllowed(), is(true));
@ -126,12 +141,13 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.NATIVE));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testSecurityGold() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(GOLD, true);
assertThat(licenseState.isAuthAllowed(), is(true));
@ -139,12 +155,13 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.DEFAULT));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testSecurityGoldExpired() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(GOLD, false);
assertThat(licenseState.isAuthAllowed(), is(true));
@ -152,12 +169,13 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.DEFAULT));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testSecurityPlatinum() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(PLATINUM, true);
assertThat(licenseState.isAuthAllowed(), is(true));
@ -165,12 +183,13 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
}
public void testSecurityPlatinumExpired() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(PLATINUM, false);
assertThat(licenseState.isAuthAllowed(), is(true));
@ -178,7 +197,7 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
@ -318,13 +337,13 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSqlDefaults() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
assertThat(licenseState.isSqlAllowed(), is(true));
assertThat(licenseState.isJdbcAllowed(), is(true));
}
public void testSqlBasic() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(BASIC, true);
assertThat(licenseState.isSqlAllowed(), is(true));
@ -332,7 +351,7 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSqlBasicExpired() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(BASIC, false);
assertThat(licenseState.isSqlAllowed(), is(false));
@ -340,7 +359,7 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSqlStandard() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(STANDARD, true);
assertThat(licenseState.isSqlAllowed(), is(true));
@ -348,7 +367,7 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSqlStandardExpired() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(STANDARD, false);
assertThat(licenseState.isSqlAllowed(), is(false));
@ -356,7 +375,7 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSqlGold() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(GOLD, true);
assertThat(licenseState.isSqlAllowed(), is(true));
@ -364,7 +383,7 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSqlGoldExpired() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(GOLD, false);
assertThat(licenseState.isSqlAllowed(), is(false));
@ -372,7 +391,7 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSqlPlatinum() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(PLATINUM, true);
assertThat(licenseState.isSqlAllowed(), is(true));
@ -380,7 +399,7 @@ public class XPackLicenseStateTests extends ESTestCase {
}
public void testSqlPlatinumExpired() {
XPackLicenseState licenseState = new XPackLicenseState();
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(PLATINUM, false);
assertThat(licenseState.isSqlAllowed(), is(false));
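Review bot: None of the visible hunks asserts on `isSecurityEnabled()`, `isSecurityAvailable()` or `isTrialLicense()`, the three methods this commit adds to `XPackLicenseState`. In `testSecurityDefaults` the `Settings.EMPTY` half repeats the same seven assertions as the explicitly-enabled half, so the behaviour the commit is about (trial license plus no explicit setting means security is off) is not pinned by this test. Add `assertThat(licenseState.isSecurityEnabled(), is(true));` after the first block and `assertThat(licenseState.isSecurityEnabled(), is(false));` after the second. In the `randomFrom(...)` tests for BASIC through PLATINUM, an assertion that the value is `true` for either settings choice would guard existing paid-license clusters against regressions, assuming the setting defaults to true as the commit message implies. Tests outside these hunks may already cover part of this.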


@ -87,6 +87,7 @@ public class SecurityIndexSearcherWrapperIntegrationTests extends ESTestCase {
});
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
SecurityIndexSearcherWrapper wrapper = new SecurityIndexSearcherWrapper(indexSettings, s -> queryShardContext,
bitsetFilterCache, threadContext, licenseState, scriptService) {


@ -132,6 +132,7 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
ShardId shardId = new ShardId(index, 0);
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
threadContext = new ThreadContext(Settings.EMPTY);
IndexShard indexShard = mock(IndexShard.class);


@ -45,7 +45,6 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
private final XPackLicenseState licenseState;
private final Client client;
private final boolean securityEnabled;
private final SecurityContext securityContext;
@ -58,8 +57,8 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
actionFilters, indexNameExpressionResolver, PutDatafeedAction.Request::new);
this.licenseState = licenseState;
this.client = client;
this.securityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
this.securityContext = securityEnabled ? new SecurityContext(settings, threadPool.getThreadContext()) : null;
this.securityContext = XPackSettings.SECURITY_ENABLED.get(settings) ?
new SecurityContext(settings, threadPool.getThreadContext()) : null;
}
@Override
@ -77,7 +76,7 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
ActionListener<PutDatafeedAction.Response> listener) {
// If security is enabled only create the datafeed if the user requesting creation has
// permission to read the indices the datafeed is going to read from
if (securityEnabled) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
final String username = securityContext.getUser().principal();
ActionListener<HasPrivilegesResponse> privResponseListener = ActionListener.wrap(
r -> handlePrivsResponse(username, request, r, listener),
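Review bot: `securityContext` is still built from the static `XPackSettings.SECURITY_ENABLED.get(settings)`, while the branch that dereferences it is now guarded by `licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()`, so the null-safety of `securityContext.getUser().principal()` depends on the license state having been constructed from the same settings. That appears to hold for the `XPackLicenseState(Settings)` constructor added in this commit, but nothing at this call site states it. Either construct the `SecurityContext` unconditionally or put a comment on the field such as `// non-null whenever licenseState.isSecurityEnabled() can return true; both derive from xpack.security.enabled`. The constructor and the method both start outside the hunks.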


@ -105,6 +105,7 @@ public class ClusterStatsCollector extends Collector {
final boolean apmIndicesExist = doAPMIndicesExist(clusterState);
// if they have any other type of license, then they are either okay or already know
final boolean clusterNeedsTLSEnabled = license.operationMode() == License.OperationMode.TRIAL &&
settings.hasValue(SECURITY_ENABLED.getKey()) &&
SECURITY_ENABLED.get(settings) &&
TRANSPORT_SSL_ENABLED.get(settings) == false;
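Review bot: `settings.hasValue(SECURITY_ENABLED.getKey()) && SECURITY_ENABLED.get(settings)` re-implements the "explicitly enabled" rule that `XPackLicenseState` now computes in its own constructor, and two copies of that rule can drift apart. If a license state is reachable from this collector (not visible in the hunk), `licenseState.isSecurityEnabled()` would give the same answer under a trial license and keep the TLS warning aligned with what the node actually enforces. Otherwise a one-line comment above the expression, such as `// on a trial license security is only active when explicitly enabled`, would explain why `hasValue` is needed here.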


@ -137,6 +137,9 @@ public class ClusterStatsCollectorTests extends BaseCollectorTestCase {
throw new AssertionError("Unknown mode [" + mode + "]");
}
if (randomBoolean()) {
settings.put(XPackSettings.SECURITY_ENABLED.getKey(), true);
}
settings.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), transportTLSEnabled);
} else {
transportTLSEnabled = false;
@ -234,8 +237,10 @@ public class ClusterStatsCollectorTests extends BaseCollectorTestCase {
assertThat(document.getLicense(), equalTo(license));
assertThat(document.getStatus(), equalTo(clusterStatus));
final boolean securitySettingDefined = settings.build().hasValue(XPackSettings.SECURITY_ENABLED.getKey());
assertThat(document.getClusterNeedsTLSEnabled(),
equalTo(mode == License.OperationMode.TRIAL && securityEnabled && transportTLSEnabled == false));
equalTo(mode == License.OperationMode.TRIAL && securitySettingDefined && securityEnabled
&& transportTLSEnabled == false));
assertThat(document.getClusterStats(), notNullValue());
assertThat(document.getClusterStats().getStatus(), equalTo(clusterStatus));


@ -551,7 +551,7 @@ public class HttpExporterIT extends MonitoringIntegTestCase {
private HttpExporter createHttpExporter(final Settings settings) throws Exception {
final Exporter.Config config =
new Exporter.Config("_http", "http", settings, clusterService(), new XPackLicenseState());
new Exporter.Config("_http", "http", settings, clusterService(), new XPackLicenseState(Settings.EMPTY));
return new HttpExporter(config, new SSLService(settings, environment), new ThreadContext(settings));
}


@ -11,7 +11,6 @@ import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.threadpool.TestThreadPool;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.monitoring.MonitoringService;
import org.elasticsearch.xpack.monitoring.cleaner.CleanerService;
import org.elasticsearch.xpack.monitoring.exporter.Exporter;
import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase;
@ -72,7 +71,7 @@ public abstract class LocalExporterIntegTestCase extends MonitoringIntegTestCase
*/
protected LocalExporter createLocalExporter() {
final Settings settings = localExporterSettings();
final XPackLicenseState licenseState = new XPackLicenseState();
final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
final Exporter.Config config = new Exporter.Config(exporterName, "local", settings, clusterService(), licenseState);
final CleanerService cleanerService =
new CleanerService(settings, clusterService().getClusterSettings(), THREADPOOL, licenseState);


@ -917,7 +917,7 @@ public class Security extends Plugin implements ActionPlugin, IngestPlugin, Netw
public Function<String, Predicate<String>> getFieldFilter() {
if (enabled) {
return index -> {
if (getLicenseState().isDocumentAndFieldLevelSecurityAllowed() == false) {
if (getLicenseState().isSecurityEnabled() == false || getLicenseState().isDocumentAndFieldLevelSecurityAllowed() == false) {
return MapperPlugin.NOOP_FIELD_PREDICATE;
}
IndicesAccessControl indicesAccessControl = threadContext.get().getTransient(


@ -36,7 +36,6 @@ import static org.elasticsearch.xpack.core.XPackSettings.TRANSPORT_SSL_ENABLED;
public class SecurityFeatureSet implements XPackFeatureSet {
private final Settings settings;
private final boolean enabled;
private final XPackLicenseState licenseState;
@Nullable
private final Realms realms;
@ -52,7 +51,6 @@ public class SecurityFeatureSet implements XPackFeatureSet {
@Nullable Realms realms, @Nullable CompositeRolesStore rolesStore,
@Nullable NativeRoleMappingStore roleMappingStore,
@Nullable IPFilter ipFilter) {
this.enabled = XPackSettings.SECURITY_ENABLED.get(settings);
this.licenseState = licenseState;
this.realms = realms;
this.rolesStore = rolesStore;
@ -73,12 +71,12 @@ public class SecurityFeatureSet implements XPackFeatureSet {
@Override
public boolean available() {
return licenseState != null && licenseState.isAuthAllowed();
return licenseState != null && licenseState.isSecurityAvailable();
}
@Override
public boolean enabled() {
return enabled;
return licenseState != null && licenseState.isSecurityEnabled();
}
@Override


@ -5,6 +5,7 @@
*/
package org.elasticsearch.xpack.security.action.filter;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
@ -30,7 +31,6 @@ import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.privilege.HealthAndStatsPrivilege;
import org.elasticsearch.xpack.core.security.support.Automatons;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.action.SecurityActionMapper;
import org.elasticsearch.xpack.security.action.interceptor.RequestInterceptor;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
@ -84,7 +84,8 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
throw LicenseUtils.newComplianceException(XPackField.SECURITY);
}
if (licenseState.isAuthAllowed()) {
final boolean securityEnabled = licenseState.isSecurityEnabled();
if (securityEnabled && licenseState.isAuthAllowed()) {
final ActionListener<Response> contextPreservingListener =
ContextPreservingActionListener.wrapPreservingContext(listener, threadContext);
ActionListener<Void> authenticatedListener = ActionListener.wrap(
@ -116,7 +117,13 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
listener.onFailure(e);
}
} else if (SECURITY_ACTION_MATCHER.test(action)) {
listener.onFailure(LicenseUtils.newComplianceException(XPackField.SECURITY));
if (securityEnabled == false && licenseState.isTrialLicense()) {
listener.onFailure(new ElasticsearchException("Security must be explicitly enabled when using a trial license. " +
"Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +
"and restart the node."));
} else {
listener.onFailure(LicenseUtils.newComplianceException(XPackField.SECURITY));
}
} else {
chain.proceed(task, action, request, listener);
}
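Review bot: The new `ElasticsearchException` in the trial branch carries no explicit status, so a client calling a security API on a node where security is off would presumably see a generic server error rather than something that signals a configuration problem, unlike the compliance exception in the sibling branch. Using `new ElasticsearchStatusException("Security must be explicitly enabled ...", RestStatus.BAD_REQUEST)` (message unchanged) would make the response distinguishable for clients and for monitoring. Separately, `securityEnabled` is captured once at the top of the method while `licenseState.isTrialLicense()` is read again here, so the message can be chosen against a different license than the one that selected the branch; reading both from one snapshot would avoid that. The method continues outside both hunks.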


@ -20,7 +20,6 @@ import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.Role;
import org.elasticsearch.xpack.core.security.user.User;
/**
* Similar to {@link UpdateRequestInterceptor}, but checks if there are update requests embedded in a bulk request.
@ -38,7 +37,7 @@ public class BulkShardRequestInterceptor extends AbstractComponent implements Re
@Override
public void intercept(BulkShardRequest request, Authentication authentication, Role userPermissions, String action) {
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return;
}
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);


@ -34,7 +34,7 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request extends I
@Override
public void intercept(Request request, Authentication authentication, Role userPermissions, String action) {
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return;
}
final IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);


@ -38,6 +38,10 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto
@Override
public void intercept(IndicesAliasesRequest request, Authentication authentication, Role userPermissions, String action) {
if (licenseState.isSecurityEnabled() == false) {
return;
}
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {


@ -39,6 +39,10 @@ public final class ResizeRequestInterceptor extends AbstractComponent implements
@Override
public void intercept(ResizeRequest request, Authentication authentication, Role userPermissions, String action) {
if (licenseState.isSecurityEnabled() == false) {
return;
}
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(request.getSourceIndex());


@ -22,7 +22,7 @@ import java.util.List;
public class AuditTrailService extends AbstractComponent implements AuditTrail {
private final XPackLicenseState licenseState;
final List<AuditTrail> auditTrails;
private final List<AuditTrail> auditTrails;
@Override
public String name() {
@ -42,7 +42,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationSuccess(String realm, User user, RestRequest request) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationSuccess(realm, user, request);
}
@ -51,7 +51,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationSuccess(String realm, User user, String action, TransportMessage message) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationSuccess(realm, user, action, message);
}
@ -60,7 +60,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void anonymousAccessDenied(String action, TransportMessage message) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.anonymousAccessDenied(action, message);
}
@ -69,7 +69,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void anonymousAccessDenied(RestRequest request) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.anonymousAccessDenied(request);
}
@ -78,7 +78,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(RestRequest request) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(request);
}
@ -87,7 +87,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(String action, TransportMessage message) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(action, message);
}
@ -96,7 +96,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(AuthenticationToken token, String action, TransportMessage message) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(token, action, message);
}
@ -105,7 +105,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(String realm, AuthenticationToken token, String action, TransportMessage message) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(realm, token, action, message);
}
@ -114,7 +114,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(AuthenticationToken token, RestRequest request) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(token, request);
}
@ -123,7 +123,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void authenticationFailed(String realm, AuthenticationToken token, RestRequest request) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.authenticationFailed(realm, token, request);
}
@ -132,7 +132,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void accessGranted(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.accessGranted(authentication, action, message, roleNames);
}
@ -141,7 +141,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void accessDenied(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.accessDenied(authentication, action, message, roleNames);
}
@ -150,14 +150,16 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void tamperedRequest(RestRequest request) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.tamperedRequest(request);
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.tamperedRequest(request);
}
}
}
@Override
public void tamperedRequest(String action, TransportMessage message) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.tamperedRequest(action, message);
}
@ -166,7 +168,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void tamperedRequest(User user, String action, TransportMessage request) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.tamperedRequest(user, action, request);
}
@ -175,7 +177,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void connectionGranted(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.connectionGranted(inetAddress, profile, rule);
}
@ -184,7 +186,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void connectionDenied(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.connectionDenied(inetAddress, profile, rule);
}
@ -193,7 +195,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void runAsGranted(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.runAsGranted(authentication, action, message, roleNames);
}
@ -202,7 +204,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void runAsDenied(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.runAsDenied(authentication, action, message, roleNames);
}
@ -211,7 +213,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
@Override
public void runAsDenied(Authentication authentication, RestRequest request, String[] roleNames) {
if (licenseState.isAuditingAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
for (AuditTrail auditTrail : auditTrails) {
auditTrail.runAsDenied(authentication, request, roleNames);
}
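Review bot: `tamperedRequest(RestRequest)` used to dispatch to every audit trail unconditionally and is now gated like the other methods, so tampered REST requests are no longer recorded when security is disabled or auditing is not licensed. The commit description does not mention this behaviour change; it deserves a line there or a comment on the method. The same two-call condition is now repeated in every method of the class, and a private helper such as `private boolean shouldAudit() { return licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed(); }` would keep the gate in one place. Since the description says security is switched off after cluster formation, a log line stating that auditing is inactive would help operators who rely on these events notice the gap.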


@ -92,7 +92,7 @@ public class Realms extends AbstractComponent implements Iterable<Realm> {
@Override
public Iterator<Realm> iterator() {
if (licenseState.isAuthAllowed() == false) {
if (licenseState.isSecurityEnabled() == false || licenseState.isAuthAllowed() == false) {
return Collections.emptyIterator();
}
@ -114,7 +114,7 @@ public class Realms extends AbstractComponent implements Iterable<Realm> {
}
public List<Realm> asList() {
if (licenseState.isAuthAllowed() == false) {
if (licenseState.isSecurityEnabled() == false || licenseState.isAuthAllowed() == false) {
return Collections.emptyList();
}


@ -45,7 +45,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
*/
@Override
public void onNewScrollContext(SearchContext searchContext) {
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
searchContext.scrollContext().putInContext(AuthenticationField.AUTHENTICATION_KEY,
Authentication.getAuthentication(threadContext));
}
@ -57,7 +57,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
*/
@Override
public void validateSearchContext(SearchContext searchContext, TransportRequest request) {
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
if (searchContext.scrollContext() != null) {
final Authentication originalAuth = searchContext.scrollContext().getFromContext(AuthenticationField.AUTHENTICATION_KEY);
final Authentication current = Authentication.getAuthentication(threadContext);
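Review bot: Both guards read `isSecurityEnabled()` at call time, and the commit description says security is turned off only after the license has been retrieved, so the answer may differ between `onNewScrollContext` and a later `validateSearchContext` for the same scroll. A scroll context created while security was disabled carries no `AUTHENTICATION_KEY` entry, so `originalAuth` would presumably be null if validation later runs with security enabled. The code that consumes `originalAuth` is outside the hunk; please confirm it tolerates null, or add an explicit null check with a comment such as `// scroll was opened while security was disabled`.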


@ -47,7 +47,7 @@ public class SecurityRestFilter implements RestHandler {
@Override
public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
if (licenseState.isAuthAllowed() && request.method() != Method.OPTIONS) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed() && request.method() != Method.OPTIONS) {
// CORS - allow for preflight unauthenticated OPTIONS request
if (extractClientCertificate) {
Netty4HttpRequest nettyHttpRequest = (Netty4HttpRequest) request;
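Review bot: The guard in `handleRequest` now combines three conditions, but the only comment inside it explains the OPTIONS exemption; nothing says that with security disabled the authentication step is skipped for every REST request. A comment above the `if`, for example `// security disabled (trial license without xpack.security.enabled): the request is not authenticated here`, would document the fail-open path for the next reader. The else branch lies outside the hunk, so what happens to the request there cannot be seen from here.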


@ -5,6 +5,7 @@
*/
package org.elasticsearch.xpack.security.rest.action;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.LicenseUtils;
@ -44,23 +45,38 @@ public abstract class SecurityBaseRestHandler extends BaseRestHandler {
*/
protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
RestChannelConsumer consumer = innerPrepareRequest(request, client);
final String failedFeature = checkLicensedFeature(request);
final Exception failedFeature = checkFeatureAvailable(request);
if (failedFeature == null) {
return consumer;
} else {
return channel -> channel.sendResponse(new BytesRestResponse(channel, LicenseUtils.newComplianceException(failedFeature)));
return channel -> channel.sendResponse(new BytesRestResponse(channel, failedFeature));
}
}
/**
* Check whether the given request is allowed within the current license state, and return the name of any unlicensed feature.
* By default this returns {@link org.elasticsearch.xpack.core.XPackField#SECURITY} if the license state does not
* {@link XPackLicenseState#isAuthAllowed() allow authentication and authorization}.
* Sub-classes can override this method if they have additional licensing requirements.
* @return {@code null} if all required features are licensed, otherwise the name of the most significant unlicensed feature.
* Check whether the given request is allowed within the current license state and setup,
* and return the name of any unlicensed feature.
* By default this returns an exception is security is not available by the current license or
* security is not enabled.
* Sub-classes can override this method if they have additional requirements.
*
* @return {@code null} if all required features are available, otherwise an exception to be
* sent to the requestor
*/
protected String checkLicensedFeature(RestRequest request) {
return licenseState.isAuthAllowed() ? null : XPackField.SECURITY;
protected Exception checkFeatureAvailable(RestRequest request) {
if (licenseState.isSecurityAvailable() == false) {
return LicenseUtils.newComplianceException(XPackField.SECURITY);
} else if (licenseState.isSecurityEnabled() == false) {
if (licenseState.isTrialLicense()) {
return new ElasticsearchException("Security must be explicitly enabled when using a trial license. " +
"Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +
"and restart the node.");
} else {
return new IllegalStateException("Security is not enabled but a security rest handler is registered");
}
} else {
return null;
}
}
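Review bot: The rewritten Javadoc on `checkFeatureAvailable` is stale and has a typo: it still promises to "return the name of any unlicensed feature" although the method now returns an `Exception`, and "returns an exception is security is not available" should read `returns an exception if security is not available`. The local in `prepareRequest` is still named `failedFeature` while holding an exception; `failure` would read better. The trial-license message is repeated verbatim in the `SecurityActionFilter` hunk earlier in this commit, so a shared factory next to `LicenseUtils.newComplianceException` would keep the two texts from drifting apart. The `IllegalStateException` branch describes an internal wiring error yet is sent to the client as the response body; logging it server-side and returning a generic error would avoid exposing internals, if that branch is reachable at all.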


@ -6,6 +6,7 @@
package org.elasticsearch.xpack.security.rest.action.saml;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings;
@ -24,15 +25,15 @@ public abstract class SamlBaseRestHandler extends SecurityBaseRestHandler {
}
@Override
protected String checkLicensedFeature(RestRequest request) {
String feature = super.checkLicensedFeature(request);
if (feature != null) {
return feature;
protected Exception checkFeatureAvailable(RestRequest request) {
Exception failedFeature = super.checkFeatureAvailable(request);
if (failedFeature != null) {
return failedFeature;
} else if (Realms.isRealmTypeAvailable(licenseState.allowedRealmType(), SAML_REALM_TYPE)) {
return null;
} else {
logger.info("The '{}' realm is not available under the current license", SAML_REALM_TYPE);
return SAML_REALM_TYPE;
return LicenseUtils.newComplianceException(SAML_REALM_TYPE);
}
}
}


@ -98,7 +98,7 @@ public class SecurityServerTransportInterceptor extends AbstractComponent implem
@Override
public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String action, TransportRequest request,
TransportRequestOptions options, TransportResponseHandler<T> handler) {
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
// the transport in core normally does this check, BUT since we are serializing to a string header we need to do it
// ourselves otherwise we wind up using a version newer than what we can actually send
final Version minVersion = Version.min(connection.getVersion(), Version.CURRENT);
@ -261,7 +261,7 @@ public class SecurityServerTransportInterceptor extends AbstractComponent implem
public void messageReceived(T request, TransportChannel channel, Task task) throws Exception {
final AbstractRunnable receiveMessage = getReceiveRunnable(request, channel, task);
try (ThreadContext.StoredContext ctx = threadContext.newStoredContext(true)) {
if (licenseState.isAuthAllowed()) {
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
String profile = channel.getProfileName();
ServerTransportFilter filter = profileFilters.get(profile);


@ -198,7 +198,7 @@ public class IPFilter {
}
public boolean accept(String profile, InetSocketAddress peerAddress) {
if (licenseState.isIpFilteringAllowed() == false) {
if (licenseState.isSecurityEnabled() == false || licenseState.isIpFilteringAllowed() == false) {
return true;
}
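Review bot: `accept` now returns `true` for every peer whenever `isSecurityEnabled()` is false, so IP filter rules present in the configuration are skipped silently on a trial license that has not set `xpack.security.enabled`. A comment on the guard such as `// fail open: IP filtering is part of security, which is off by default on trial licenses` would make the intent explicit. A one-time warning when rules are configured but not enforced would let an operator detect the gap. The rest of `accept` lies outside the hunk, so whether such a warning already exists cannot be seen here.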


@ -128,6 +128,7 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
writeFile(xpackConf, "users_roles", configUsersRoles());
Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal))
.put(XPackSettings.SECURITY_ENABLED.getKey(), true)
//TODO: for now isolate security tests from watcher & monitoring (randomize this later)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put(XPackSettings.MONITORING_ENABLED.getKey(), false)


@ -55,46 +55,42 @@ public class SecurityFeatureSetTests extends ESTestCase {
public void init() throws Exception {
settings = Settings.builder().put("path.home", createTempDir()).build();
licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
realms = mock(Realms.class);
ipFilter = mock(IPFilter.class);
rolesStore = mock(CompositeRolesStore.class);
roleMappingStore = mock(NativeRoleMappingStore.class);
}
public void testAvailable() throws Exception {
public void testAvailable() {
SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms,
rolesStore, roleMappingStore, ipFilter);
boolean available = randomBoolean();
when(licenseState.isAuthAllowed()).thenReturn(available);
assertThat(featureSet.available(), is(available));
when(licenseState.isSecurityAvailable()).thenReturn(true);
assertThat(featureSet.available(), is(true));
when(licenseState.isSecurityAvailable()).thenReturn(false);
assertThat(featureSet.available(), is(false));
}
public void testEnabledSetting() throws Exception {
boolean enabled = randomBoolean();
Settings settings = Settings.builder()
.put(this.settings)
.put("xpack.security.enabled", enabled)
.build();
SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms,
rolesStore, roleMappingStore, ipFilter);
assertThat(featureSet.enabled(), is(enabled));
}
public void testEnabledDefault() throws Exception {
public void testEnabled() {
SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms,
rolesStore, roleMappingStore, ipFilter);
assertThat(featureSet.enabled(), is(true));
when(licenseState.isSecurityEnabled()).thenReturn(false);
featureSet = new SecurityFeatureSet(settings, licenseState, realms,
rolesStore, roleMappingStore, ipFilter);
assertThat(featureSet.enabled(), is(false));
}
public void testUsage() throws Exception {
boolean authcAuthzAvailable = randomBoolean();
when(licenseState.isAuthAllowed()).thenReturn(authcAuthzAvailable);
final boolean authcAuthzAvailable = randomBoolean();
when(licenseState.isSecurityAvailable()).thenReturn(authcAuthzAvailable);
Settings.Builder settings = Settings.builder().put(this.settings);
boolean enabled = randomBoolean();
settings.put("xpack.security.enabled", enabled);
when(licenseState.isSecurityEnabled()).thenReturn(enabled);
final boolean httpSSLEnabled = randomBoolean();
settings.put("xpack.security.http.ssl.enabled", httpSSLEnabled);


@ -91,9 +91,12 @@ public class SecurityTests extends ESTestCase {
if (security != null) {
throw new IllegalStateException("Security object already exists (" + security + ")");
}
Settings settings = Settings.builder().put(testSettings).put("path.home", createTempDir()).build();
Settings settings = Settings.builder()
.put("xpack.security.enabled", true)
.put(testSettings)
.put("path.home", createTempDir()).build();
Environment env = TestEnvironment.newEnvironment(settings);
licenseState = new TestUtils.UpdatableLicenseState();
licenseState = new TestUtils.UpdatableLicenseState(settings);
SSLService sslService = new SSLService(settings, env);
security = new Security(settings, null, Arrays.asList(extensions)) {
@Override


@ -67,6 +67,7 @@ public class SecurityActionFilterTests extends ESTestCase {
licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isStatsAndHealthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);
threadContext = new ThreadContext(Settings.EMPTY);
when(threadPool.getThreadContext()).thenReturn(threadContext);


@ -35,6 +35,7 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
public void testInterceptorThrowsWhenFLSDLSEnabled() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
@ -80,6 +81,7 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);


@ -37,6 +37,7 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);
@ -75,6 +76,7 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
ThreadPool threadPool = mock(ThreadPool.class);


@ -48,6 +48,7 @@ public class AuditTrailServiceTests extends ESTestCase {
licenseState = mock(XPackLicenseState.class);
service = new AuditTrailService(Settings.EMPTY, auditTrails, licenseState);
isAuditingAllowed = randomBoolean();
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuditingAllowed()).thenReturn(isAuditingAllowed);
token = mock(AuthenticationToken.class);
message = mock(TransportMessage.class);
@ -57,6 +58,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailed() throws Exception {
service.authenticationFailed(token, "_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(token, "_action", message);
@ -69,6 +71,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedNoToken() throws Exception {
service.authenticationFailed("_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed("_action", message);
@ -81,6 +84,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRestNoToken() throws Exception {
service.authenticationFailed(restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(restRequest);
@ -93,6 +97,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRest() throws Exception {
service.authenticationFailed(token, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed(token, restRequest);
@ -105,6 +110,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRealm() throws Exception {
service.authenticationFailed("_realm", token, "_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed("_realm", token, "_action", message);
@ -117,6 +123,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAuthenticationFailedRestRealm() throws Exception {
service.authenticationFailed("_realm", token, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationFailed("_realm", token, restRequest);
@ -129,6 +136,7 @@ public class AuditTrailServiceTests extends ESTestCase {
public void testAnonymousAccess() throws Exception {
service.anonymousAccessDenied("_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).anonymousAccessDenied("_action", message);
@ -144,6 +152,7 @@ public class AuditTrailServiceTests extends ESTestCase {
String[] roles = new String[] { randomAlphaOfLengthBetween(1, 6) };
service.accessGranted(authentication, "_action", message, roles);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).accessGranted(authentication, "_action", message, roles);
@ -159,6 +168,7 @@ public class AuditTrailServiceTests extends ESTestCase {
String[] roles = new String[] { randomAlphaOfLengthBetween(1, 6) };
service.accessDenied(authentication, "_action", message, roles);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).accessDenied(authentication, "_action", message, roles);
@ -173,6 +183,7 @@ public class AuditTrailServiceTests extends ESTestCase {
SecurityIpFilterRule rule = randomBoolean() ? SecurityIpFilterRule.ACCEPT_ALL : IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
service.connectionGranted(inetAddress, "client", rule);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).connectionGranted(inetAddress, "client", rule);
@ -187,6 +198,7 @@ public class AuditTrailServiceTests extends ESTestCase {
SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
service.connectionDenied(inetAddress, "client", rule);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).connectionDenied(inetAddress, "client", rule);
@ -201,6 +213,7 @@ public class AuditTrailServiceTests extends ESTestCase {
String realm = "_realm";
service.authenticationSuccess(realm, user, restRequest);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationSuccess(realm, user, restRequest);
@ -215,6 +228,7 @@ public class AuditTrailServiceTests extends ESTestCase {
String realm = "_realm";
service.authenticationSuccess(realm, user, "_action", message);
verify(licenseState).isAuditingAllowed();
verify(licenseState).isSecurityEnabled();
if (isAuditingAllowed) {
for (AuditTrail auditTrail : auditTrails) {
verify(auditTrail).authenticationSuccess(realm, user, "_action", message);
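Review bot: The setup stubs `isSecurityEnabled()` to a constant `true`, so none of these tests exercises the new branch in which security is disabled and no audit trail may be called. Randomising it alongside `isAuditingAllowed` (`isSecurityEnabled = randomBoolean();`) and guarding the expectations with `if (isSecurityEnabled && isAuditingAllowed)` would cover it. `verify(licenseState).isAuditingAllowed()` then has to become conditional, because the `&&` in the service short-circuits when security is off. No visible hunk adds a test for `tamperedRequest(RestRequest)`, whose gating is new in this commit; the test bodies continue outside the hunks, so one may already exist elsewhere in the file.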


@ -152,6 +152,7 @@ public class AuthenticationServiceTests extends ESTestCase {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.allowedRealmType()).thenReturn(XPackLicenseState.AllowedRealmType.ALL);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
realms = new TestRealms(Settings.EMPTY, TestEnvironment.newEnvironment(settings), Collections.<String, Realm.Factory>emptyMap(),
licenseState, threadContext, mock(ReservedRealm.class), Arrays.asList(firstRealm, secondRealm),
Collections.singletonList(firstRealm));


@ -63,6 +63,7 @@ public class RealmsTests extends ESTestCase {
threadContext = new ThreadContext(Settings.EMPTY);
reservedRealm = mock(ReservedRealm.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.allowedRealmType()).thenReturn(AllowedRealmType.ALL);
when(reservedRealm.type()).thenReturn(ReservedRealm.TYPE);
}


@ -39,6 +39,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
public void testUnlicensed() {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(false);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
AuditTrailService auditTrailService = mock(AuditTrailService.class);
@ -48,6 +49,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
SecuritySearchOperationListener listener = new SecuritySearchOperationListener(threadContext, licenseState, auditTrailService);
listener.onNewScrollContext(searchContext);
listener.validateSearchContext(searchContext, Empty.INSTANCE);
verify(licenseState, times(2)).isSecurityEnabled();
verify(licenseState, times(2)).isAuthAllowed();
verifyZeroInteractions(auditTrailService, searchContext);
}
@ -58,6 +60,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
final Scroll scroll = new Scroll(TimeValue.timeValueSeconds(2L));
testSearchContext.scrollContext().scroll = scroll;
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
AuditTrailService auditTrailService = mock(AuditTrailService.class);
@ -72,6 +75,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
assertEquals(scroll, testSearchContext.scrollContext().scroll);
verify(licenseState).isAuthAllowed();
verify(licenseState).isSecurityEnabled();
verifyZeroInteractions(auditTrailService);
}
@ -82,6 +86,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null));
testSearchContext.scrollContext().scroll = new Scroll(TimeValue.timeValueSeconds(2L));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isAuthAllowed()).thenReturn(true);
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
AuditTrailService auditTrailService = mock(AuditTrailService.class);
@ -92,6 +97,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
authentication.writeToContext(threadContext);
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
verify(licenseState).isAuthAllowed();
verify(licenseState).isSecurityEnabled();
verifyZeroInteractions(auditTrailService);
}
@ -102,6 +108,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
authentication.writeToContext(threadContext);
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
verify(licenseState, times(2)).isAuthAllowed();
verify(licenseState, times(2)).isSecurityEnabled();
verifyZeroInteractions(auditTrailService);
}
@ -118,6 +125,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
assertEquals(testSearchContext.id(), expected.id());
verify(licenseState, times(3)).isAuthAllowed();
verify(licenseState, times(3)).isSecurityEnabled();
verify(auditTrailService).accessDenied(authentication, "action", request, authentication.getUser().roles());
}
@ -134,6 +142,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
listener.validateSearchContext(testSearchContext, request);
verify(licenseState, times(4)).isAuthAllowed();
verify(licenseState, times(4)).isSecurityEnabled();
verifyNoMoreInteractions(auditTrailService);
}
@ -152,6 +161,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
assertEquals(testSearchContext.id(), expected.id());
verify(licenseState, times(5)).isAuthAllowed();
verify(licenseState, times(5)).isSecurityEnabled();
verify(auditTrailService).accessDenied(authentication, "action", request, authentication.getUser().roles());
}
}
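Review bot: Every stub visible in these hunks sets `isSecurityEnabled()` to `true`, so the case this commit introduces, a license that allows auth while security is switched off, is not exercised for the scroll-context check; `testUnlicensed` only covers `isAuthAllowed()` returning `false`. A sibling case with `when(licenseState.isSecurityEnabled()).thenReturn(false);` and `when(licenseState.isAuthAllowed()).thenReturn(true);` would pin what the listener does then, presumably `verifyZeroInteractions(auditTrailService, searchContext);` as in `testUnlicensed`, to be confirmed against the listener. The setup hunks in AuthenticationServiceTests, RealmsTests, SecurityRestFilterTests, SecurityServerTransportInterceptorTests and the two IP filter tests also fix the stub to `true`; whether those classes cover the disabled case elsewhere is not visible here.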


@ -23,6 +23,7 @@ import org.elasticsearch.license.License.OperationMode;
import org.elasticsearch.license.TestUtils.UpdatableLicenseState;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.IndicesPrivileges;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
@ -59,6 +60,10 @@ import static org.mockito.Mockito.when;
public class CompositeRolesStoreTests extends ESTestCase {
private static final Settings SECURITY_ENABLED_SETTINGS = Settings.builder()
.put(XPackSettings.SECURITY_ENABLED.getKey(), true)
.build();
public void testRolesWhenDlsFlsUnlicensed() throws IOException {
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
@ -191,8 +196,9 @@ public class CompositeRolesStoreTests extends ESTestCase {
final ReservedRolesStore reservedRolesStore = spy(new ReservedRolesStore());
final CompositeRolesStore compositeRolesStore =
new CompositeRolesStore(Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore,
Collections.emptyList(), new ThreadContext(Settings.EMPTY), new XPackLicenseState());
new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore,
Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
new XPackLicenseState(SECURITY_ENABLED_SETTINGS));
verify(fileRolesStore).addListener(any(Runnable.class)); // adds a listener in ctor
final String roleName = randomAlphaOfLengthBetween(1, 10);
@ -268,9 +274,9 @@ public class CompositeRolesStoreTests extends ESTestCase {
}));
final CompositeRolesStore compositeRolesStore =
new CompositeRolesStore(Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore,
Arrays.asList(inMemoryProvider1, inMemoryProvider2), new ThreadContext(Settings.EMPTY),
new XPackLicenseState());
new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore,
Arrays.asList(inMemoryProvider1, inMemoryProvider2), new ThreadContext(SECURITY_ENABLED_SETTINGS),
new XPackLicenseState(SECURITY_ENABLED_SETTINGS));
final Set<String> roleNames = Sets.newHashSet("roleA", "roleB", "unknown");
PlainActionFuture<Role> future = new PlainActionFuture<>();
@ -364,9 +370,9 @@ public class CompositeRolesStoreTests extends ESTestCase {
(roles, listener) -> listener.onFailure(new Exception("fake failure"));
final CompositeRolesStore compositeRolesStore =
new CompositeRolesStore(Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore,
Arrays.asList(inMemoryProvider1, failingProvider), new ThreadContext(Settings.EMPTY),
new XPackLicenseState());
new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore,
Arrays.asList(inMemoryProvider1, failingProvider), new ThreadContext(SECURITY_ENABLED_SETTINGS),
new XPackLicenseState(SECURITY_ENABLED_SETTINGS));
final Set<String> roleNames = Sets.newHashSet("roleA", "roleB", "unknown");
PlainActionFuture<Role> future = new PlainActionFuture<>();
@ -402,7 +408,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
return descriptors;
});
UpdatableLicenseState xPackLicenseState = new UpdatableLicenseState();
UpdatableLicenseState xPackLicenseState = new UpdatableLicenseState(SECURITY_ENABLED_SETTINGS);
// these licenses don't allow custom role providers
xPackLicenseState.update(randomFrom(OperationMode.BASIC, OperationMode.GOLD, OperationMode.STANDARD), true);
CompositeRolesStore compositeRolesStore = new CompositeRolesStore(
@ -450,7 +456,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
CompositeRolesStore compositeRolesStore = new CompositeRolesStore(
Settings.EMPTY, mock(FileRolesStore.class), mock(NativeRolesStore.class), mock(ReservedRolesStore.class),
Collections.emptyList(), new ThreadContext(Settings.EMPTY), new XPackLicenseState()) {
Collections.emptyList(), new ThreadContext(Settings.EMPTY), new XPackLicenseState(SECURITY_ENABLED_SETTINGS)) {
@Override
public void invalidateAll() {
numInvalidation.incrementAndGet();
@ -493,9 +499,9 @@ public class CompositeRolesStoreTests extends ESTestCase {
public void testCacheClearOnIndexOutOfDateChange() {
final AtomicInteger numInvalidation = new AtomicInteger(0);
CompositeRolesStore compositeRolesStore = new CompositeRolesStore(
Settings.EMPTY, mock(FileRolesStore.class), mock(NativeRolesStore.class), mock(ReservedRolesStore.class),
Collections.emptyList(), new ThreadContext(Settings.EMPTY), new XPackLicenseState()) {
CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, mock(FileRolesStore.class),
mock(NativeRolesStore.class), mock(ReservedRolesStore.class),
Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS), new XPackLicenseState(SECURITY_ENABLED_SETTINGS)) {
@Override
public void invalidateAll() {
numInvalidation.incrementAndGet();
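Review bot: In the hunk at -450 the store is still built with `Settings.EMPTY` for its own settings and for the `ThreadContext`, while only the license state receives `SECURITY_ENABLED_SETTINGS`; the following hunk (`testCacheClearOnIndexOutOfDateChange`) passes `SECURITY_ENABLED_SETTINGS` to all three. If the mix is unintentional, pass `SECURITY_ENABLED_SETTINGS` in all three places there too so both cache-clear tests run under one configuration; if it is deliberate, a one-line comment saying why would help. A comment on the constant such as `// security is off by default on a trial license, so enable it explicitly` would also explain why these tests stopped using `Settings.EMPTY`. Both test bodies continue outside the hunks.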


@ -63,7 +63,7 @@ public class FileRolesStoreTests extends ESTestCase {
Path path = getDataPath("roles.yml");
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.builder()
.put(XPackSettings.DLS_FLS_ENABLED.getKey(), true)
.build(), new XPackLicenseState());
.build(), new XPackLicenseState(Settings.EMPTY));
assertThat(roles, notNullValue());
assertThat(roles.size(), is(9));
@ -240,7 +240,7 @@ public class FileRolesStoreTests extends ESTestCase {
Logger logger = CapturingLogger.newCapturingLogger(Level.ERROR);
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.builder()
.put(XPackSettings.DLS_FLS_ENABLED.getKey(), false)
.build(), new XPackLicenseState());
.build(), new XPackLicenseState(Settings.EMPTY));
assertThat(roles, notNullValue());
assertThat(roles.size(), is(6));
assertThat(roles.get("role_fields"), nullValue());
@ -291,7 +291,7 @@ public class FileRolesStoreTests extends ESTestCase {
public void testDefaultRolesFile() throws Exception {
// TODO we should add the config dir to the resources so we don't copy this stuff around...
Path path = getDataPath("default_roles.yml");
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState());
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState(Settings.EMPTY));
assertThat(roles, notNullValue());
assertThat(roles.size(), is(0));
}
@ -317,7 +317,8 @@ public class FileRolesStoreTests extends ESTestCase {
threadPool = new TestThreadPool("test");
watcherService = new ResourceWatcherService(settings, threadPool);
final CountDownLatch latch = new CountDownLatch(1);
FileRolesStore store = new FileRolesStore(settings, env, watcherService, latch::countDown, new XPackLicenseState());
FileRolesStore store = new FileRolesStore(settings, env, watcherService, latch::countDown,
new XPackLicenseState(Settings.EMPTY));
Set<RoleDescriptor> descriptors = store.roleDescriptors(Collections.singleton("role1"));
assertThat(descriptors, notNullValue());
@ -361,14 +362,14 @@ public class FileRolesStoreTests extends ESTestCase {
public void testThatEmptyFileDoesNotResultInLoop() throws Exception {
Path file = createTempFile();
Files.write(file, Collections.singletonList("#"), StandardCharsets.UTF_8);
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(file, logger, Settings.EMPTY, new XPackLicenseState());
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(file, logger, Settings.EMPTY, new XPackLicenseState(Settings.EMPTY));
assertThat(roles.keySet(), is(empty()));
}
public void testThatInvalidRoleDefinitions() throws Exception {
Path path = getDataPath("invalid_roles.yml");
Logger logger = CapturingLogger.newCapturingLogger(Level.ERROR);
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState());
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState(Settings.EMPTY));
assertThat(roles.size(), is(1));
assertThat(roles, hasKey("valid_role"));
RoleDescriptor descriptor = roles.get("valid_role");
@ -410,7 +411,7 @@ public class FileRolesStoreTests extends ESTestCase {
Logger logger = CapturingLogger.newCapturingLogger(Level.INFO);
Path path = getDataPath("reserved_roles.yml");
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState());
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState(Settings.EMPTY));
assertThat(roles, notNullValue());
assertThat(roles.size(), is(1));
@ -442,7 +443,7 @@ public class FileRolesStoreTests extends ESTestCase {
.put(XPackSettings.DLS_FLS_ENABLED.getKey(), flsDlsEnabled)
.build();
Environment env = TestEnvironment.newEnvironment(settings);
FileRolesStore store = new FileRolesStore(settings, env, mock(ResourceWatcherService.class), new XPackLicenseState());
FileRolesStore store = new FileRolesStore(settings, env, mock(ResourceWatcherService.class), new XPackLicenseState(Settings.EMPTY));
Map<String, Object> usageStats = store.usageStats();


@ -86,7 +86,7 @@ public class NativeRolesStoreTests extends ESTestCase {
byte[] bytes = Files.readAllBytes(path);
String roleString = new String(bytes, Charset.defaultCharset());
RoleDescriptor role = NativeRolesStore.transformRole(RoleDescriptor.ROLE_TYPE + "role1",
new BytesArray(roleString), logger, new XPackLicenseState());
new BytesArray(roleString), logger, new XPackLicenseState(Settings.EMPTY));
assertNotNull(role);
assertNotNull(role.getIndicesPrivileges());
RoleDescriptor.IndicesPrivileges indicesPrivileges = role.getIndicesPrivileges()[0];


@ -59,6 +59,7 @@ public class SecurityRestFilterTests extends ESTestCase {
channel = mock(RestChannel.class);
licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
restHandler = mock(RestHandler.class);
filter = new SecurityRestFilter(licenseState,
new ThreadContext(Settings.EMPTY), authcService, restHandler, false);


@ -27,7 +27,8 @@ public class SecurityBaseRestHandlerTests extends ESTestCase {
final boolean securityEnabled = randomBoolean();
final AtomicBoolean consumerCalled = new AtomicBoolean(false);
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthAllowed()).thenReturn(securityEnabled);
when(licenseState.isSecurityAvailable()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(securityEnabled);
SecurityBaseRestHandler handler = new SecurityBaseRestHandler(Settings.EMPTY, licenseState) {
@Override
@ -52,7 +53,8 @@ public class SecurityBaseRestHandlerTests extends ESTestCase {
verifyZeroInteractions(licenseState);
handler.handleRequest(fakeRestRequest, fakeRestChannel, client);
verify(licenseState).isAuthAllowed();
verify(licenseState).isSecurityAvailable();
verify(licenseState).isSecurityEnabled();
if (securityEnabled) {
assertTrue(consumerCalled.get());
assertEquals(0, fakeRestChannel.responses().get());
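Review bot: `isSecurityAvailable()` is stubbed to a constant `true`, so after this change the test randomizes only the enabled flag and no longer covers a license that does not permit security at all, which the old `isAuthAllowed()` stub did. Randomizing both, e.g. `final boolean securityAvailable = randomBoolean();` with `when(licenseState.isSecurityAvailable()).thenReturn(securityAvailable);`, and expecting the consumer to run only when both are true, would keep the rejection path under test. The `verify(licenseState).isSecurityEnabled();` line may then need to be conditional if the handler short-circuits; the handler code is not in this hunk. The test method starts and ends outside the hunks.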


@ -5,37 +5,52 @@
*/
package org.elasticsearch.xpack.security.rest.action.saml;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.License;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.TestUtils;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.test.rest.FakeRestRequest;
import org.elasticsearch.xpack.core.XPackSettings;
import org.hamcrest.Matchers;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.instanceOf;
public class SamlBaseRestHandlerTests extends ESTestCase {
public void testSamlAvailableOnTrialAndPlatinum() {
final SamlBaseRestHandler handler = buildHandler(randomFrom(License.OperationMode.TRIAL, License.OperationMode.PLATINUM));
assertThat(handler.checkLicensedFeature(new FakeRestRequest()), Matchers.nullValue());
assertThat(handler.checkFeatureAvailable(new FakeRestRequest()), Matchers.nullValue());
}
public void testSecurityNotAvailableOnBasic() {
final SamlBaseRestHandler handler = buildHandler(License.OperationMode.BASIC);
assertThat(handler.checkLicensedFeature(new FakeRestRequest()), Matchers.equalTo("security"));
Exception e = handler.checkFeatureAvailable(new FakeRestRequest());
assertThat(e, instanceOf(ElasticsearchException.class));
ElasticsearchException elasticsearchException = (ElasticsearchException) e;
assertThat(elasticsearchException.getMetadata(LicenseUtils.EXPIRED_FEATURE_METADATA), contains("security"));
}
public void testSamlNotAvailableOnStandardOrGold() {
final SamlBaseRestHandler handler = buildHandler(randomFrom(License.OperationMode.STANDARD, License.OperationMode.GOLD));
assertThat(handler.checkLicensedFeature(new FakeRestRequest()), Matchers.equalTo("saml"));
Exception e = handler.checkFeatureAvailable(new FakeRestRequest());
assertThat(e, instanceOf(ElasticsearchException.class));
ElasticsearchException elasticsearchException = (ElasticsearchException) e;
assertThat(elasticsearchException.getMetadata(LicenseUtils.EXPIRED_FEATURE_METADATA), contains("saml"));
}
private SamlBaseRestHandler buildHandler(License.OperationMode licenseMode) {
final TestUtils.UpdatableLicenseState licenseState = new TestUtils.UpdatableLicenseState();
final Settings settings = Settings.builder()
.put(XPackSettings.SECURITY_ENABLED.getKey(), true)
.build();
final TestUtils.UpdatableLicenseState licenseState = new TestUtils.UpdatableLicenseState(settings);
licenseState.update(licenseMode, true);
return new SamlBaseRestHandler(Settings.EMPTY, licenseState) {
return new SamlBaseRestHandler(settings, licenseState) {
@Override
public String getName() {
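Review bot: `buildHandler` always sets `XPackSettings.SECURITY_ENABLED` to `true`, so none of the three tests exercises a trial license with security left at its default, which is the case this commit changes. Consider a fourth test that builds the handler from `Settings.EMPTY` with `License.OperationMode.TRIAL` and asserts what `checkFeatureAvailable` is meant to return there (presumably a non-null exception; confirm against the handler). That needs `buildHandler` to take the settings as a parameter, e.g. `buildHandler(License.OperationMode licenseMode, Settings settings)`. `buildHandler` continues past the end of the hunk.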


@ -65,6 +65,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
securityContext = spy(new SecurityContext(settings, threadPool.getThreadContext()));
xPackLicenseState = mock(XPackLicenseState.class);
when(xPackLicenseState.isAuthAllowed()).thenReturn(true);
when(xPackLicenseState.isSecurityEnabled()).thenReturn(true);
}
public void testSendAsyncUnlicensed() {
@ -86,6 +87,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
sender.sendRequest(null, null, null, null, null);
assertTrue(calledWrappedSender.get());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verifyNoMoreInteractions(xPackLicenseState);
verifyZeroInteractions(securityContext);
}
@ -119,6 +121,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
assertEquals(user, sendingUser.get());
assertEquals(user, securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -155,6 +158,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
assertEquals(SystemUser.INSTANCE, sendingUser.get());
assertEquals(user, securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
verifyNoMoreInteractions(xPackLicenseState);
}
@ -184,6 +188,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
assertEquals("there should always be a user when sending a message for action [indices:foo]", e.getMessage());
assertNull(securityContext.getUser());
verify(xPackLicenseState).isAuthAllowed();
verify(xPackLicenseState).isSecurityEnabled();
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
verifyNoMoreInteractions(xPackLicenseState);
}


@ -110,6 +110,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
.put("discovery.zen.ping.unicast.hosts", unicastHost)
.put("discovery.zen.minimum_master_nodes",
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
.put("xpack.security.enabled", true)
.put("xpack.security.audit.enabled", false)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put("path.home", home)
@ -146,6 +147,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
.put("discovery.zen.ping.unicast.hosts", unicastHost)
.put("discovery.zen.minimum_master_nodes",
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
.put("xpack.security.enabled", true)
.put("xpack.security.audit.enabled", false)
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
.put(NetworkModule.HTTP_ENABLED.getKey(), false)
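Review bot: Both added lines use the string literal `"xpack.security.enabled"`, although the same builder uses `XPackSettings.WATCHER_ENABLED.getKey()` two lines further down. Writing `.put(XPackSettings.SECURITY_ENABLED.getKey(), true)` in both hunks ties the key to the setting definition, so a rename cannot leave these nodes silently running with security off. The literal audit key on the following line is existing code and outside this change. Both builder chains start and end outside the hunks.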


@ -53,6 +53,7 @@ public class IPFilterTests extends ESTestCase {
public void init() {
licenseState = mock(XPackLicenseState.class);
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
auditTrail = mock(AuditTrailService.class);
clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(
IPFilter.HTTP_FILTER_ALLOW_SETTING,


@ -15,9 +15,7 @@ import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.transport.TcpTransport;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.junit.Before;
@ -59,6 +57,7 @@ public class IpFilterRemoteAddressFilterTests extends ESTestCase {
IPFilter.PROFILE_FILTER_DENY_SETTING)));
XPackLicenseState licenseState = mock(XPackLicenseState.class);
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
when(licenseState.isSecurityEnabled()).thenReturn(true);
AuditTrailService auditTrailService = new AuditTrailService(settings, Collections.emptyList(), licenseState);
IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());


@ -25,6 +25,7 @@ import org.elasticsearch.env.NodeEnvironment;
import org.elasticsearch.index.reindex.BulkByScrollResponse;
import org.elasticsearch.index.reindex.ReindexAction;
import org.elasticsearch.index.reindex.ReindexPlugin;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.plugins.ActionPlugin;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.plugins.PluginsService;
@ -119,7 +120,7 @@ public class IndexUpgradeTasksIT extends ESIntegTestCase {
ResourceWatcherService resourceWatcherService, ScriptService scriptService,
NamedXContentRegistry xContentRegistry, Environment environment,
NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry) {
return Collections.singletonList(new IndexUpgradeService(settings, Collections.singletonList(
return Arrays.asList(new IndexUpgradeService(settings, Collections.singletonList(
new IndexUpgradeCheck("test", settings,
new Function<IndexMetaData, UpgradeActionRequired>() {
@Override
@ -137,7 +138,7 @@ public class IndexUpgradeTasksIT extends ESIntegTestCase {
},
client, clusterService, Strings.EMPTY_ARRAY,
new Script(ScriptType.INLINE, NAME, "block", Collections.emptyMap()))
)));
)), new XPackLicenseState(settings));
}
@Override


@ -76,7 +76,7 @@ public class TransportPutWatchActionTests extends ESTestCase {
action = new TransportPutWatchAction(Settings.EMPTY, transportService, threadPool,
new ActionFilters(Collections.emptySet()), new IndexNameExpressionResolver(Settings.EMPTY), new ClockMock(),
new XPackLicenseState(), parser, client);
new XPackLicenseState(Settings.EMPTY), parser, client);
}
public void testHeadersAreFilteredWhenPuttingWatches() throws Exception {


@ -20,6 +20,7 @@ integTestCluster {
plugin xpackProject('plugin').path
setting 'xpack.ml.enabled', 'false'
setting 'xpack.monitoring.enabled', 'false'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true'
setting 'xpack.security.audit.outputs', 'index'
setting 'xpack.license.self_generated.type', 'trial'
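Review bot: The added `setting 'xpack.security.enabled', 'true'` carries no explanation, and the same line is repeated in the other QA `integTestCluster` blocks on this page. Per the commit description a trial cluster now starts with security off unless this setting is present, so a new QA project that omits it may run its tests against an unauthenticated cluster without any failure pointing at the cause. A comment here such as `// trial licenses no longer enable security by default; opt in explicitly`, or a shared default in the build setup, would make the requirement visible. The cluster block continues outside the hunk.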


@ -23,6 +23,7 @@ integTestRunner {
integTestCluster {
plugin xpackProject('plugin').path
setting 'xpack.security.enabled', 'true'
setting 'xpack.watcher.enabled', 'false'
setting 'xpack.monitoring.enabled', 'false'
setting 'xpack.ml.enabled', 'false'


@ -154,6 +154,7 @@ subprojects {
// debug logging for testRecovery see https://github.com/elastic/x-pack-elasticsearch/issues/2691
setting 'logger.level', 'DEBUG'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks'
setting 'xpack.ssl.keystore.password', 'testnode'
@ -203,7 +204,7 @@ subprojects {
// some tests rely on the translog not being flushed
setting 'indices.memory.shard_inactive_time', '20m'
setting 'xpack.security.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
setting 'xpack.license.self_generated.type', 'trial'


@ -51,6 +51,7 @@ processTestResources.dependsOn(createNodeKeyStore)
integTestCluster {
dependsOn createNodeKeyStore
setting 'xpack.security.enabled', 'true'
setting 'xpack.ml.enabled', 'true'
setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE'
setting 'xpack.monitoring.enabled', 'false'


@ -16,6 +16,7 @@ remoteClusterTestCluster {
clusterName = 'remote-cluster'
setting 'search.remote.connect', false
plugin xpackProject('plugin').path
setting 'xpack.security.enabled', 'true'
setting 'xpack.watcher.enabled', 'false'
setting 'xpack.monitoring.enabled', 'false'
setting 'xpack.ml.enabled', 'false'
@ -43,6 +44,7 @@ task mixedClusterTest(type: RestIntegTestTask) {}
mixedClusterTestCluster {
dependsOn remoteClusterTestRunner
plugin xpackProject('plugin').path
setting 'xpack.security.enabled', 'true'
setting 'xpack.watcher.enabled', 'false'
setting 'xpack.monitoring.enabled', 'false'
setting 'xpack.ml.enabled', 'false'


@ -9,6 +9,7 @@ integTestCluster {
numNodes = 2
clusterName = 'multi-node'
plugin xpackProject('plugin').path
setting 'xpack.security.enabled', 'true'
setting 'xpack.watcher.enabled', 'false'
setting 'xpack.monitoring.enabled', 'false'
setting 'xpack.ml.enabled', 'false'


@ -12,6 +12,7 @@ integTestCluster {
plugin xpackProject('plugin').path
// Whitelist reindexing from the local node so we can test it.
setting 'reindex.remote.whitelist', '127.0.0.1:*'
setting 'xpack.security.enabled', 'true'
setting 'xpack.ml.enabled', 'false'
setting 'xpack.license.self_generated.type', 'trial'
extraConfigFile 'x-pack/roles.yml', 'roles.yml'


@ -135,6 +135,7 @@ subprojects {
setting 'xpack.monitoring.exporters._http.auth.username', 'test_user'
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true'
setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.audit.enabled', 'true'
@ -179,6 +180,8 @@ subprojects {
setting 'xpack.monitoring.exporters._http.enabled', 'false'
setting 'xpack.monitoring.exporters._http.auth.username', 'test_user'
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
@ -219,6 +222,7 @@ subprojects {
setting 'xpack.monitoring.exporters._http.auth.username', 'test_user'
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.transport.ssl.enabled', 'true'
setting 'xpack.ssl.keystore.path', 'testnode.jks'
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'


@ -33,6 +33,7 @@ integTestCluster {
plugin xpackProject('plugin').path
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.http.ssl.enabled', 'false'
setting 'xpack.security.authc.token.enabled', 'true'
setting 'xpack.security.authc.realms.file.type', 'file'


@ -20,6 +20,7 @@ integTestRunner {
integTestCluster {
plugin xpackProject('plugin').path
setting 'xpack.security.enabled', 'true'
setting 'xpack.ml.enabled', 'false'
setting 'xpack.license.self_generated.type', 'trial'
setupCommand 'setupDummyUser',


@ -27,6 +27,7 @@ integTestCluster {
setting 'xpack.security.authc.realms.esusers.type', 'file'
setting 'xpack.security.authc.realms.native.type', 'native'
setting 'xpack.security.authc.realms.native.order', '2'
setting 'xpack.security.enabled', 'true'
setting 'xpack.ml.enabled', 'false'
setting 'xpack.monitoring.enabled', 'false'
setting 'xpack.license.self_generated.type', 'trial'


@ -9,6 +9,7 @@ dependencies {
integTestCluster {
plugin xpackProject('plugin').path
setting 'xpack.security.enabled', 'true'
setting 'xpack.license.self_generated.type', 'trial'
extraConfigFile 'x-pack/roles.yml', 'roles.yml'
[


@ -15,6 +15,7 @@ integTestCluster {
plugin xpackProject('plugin').path
setupCommand 'setupTestAdmin',
'bin/x-pack/users', 'useradd', "test_admin", '-p', 'x-pack-test-password', '-r', "superuser"
setting 'xpack.security.enabled', 'true'
setting 'xpack.license.self_generated.type', 'trial'
waitCondition = { node, ant ->
File tmpFile = new File(node.cwd, 'wait.success')


@ -23,6 +23,7 @@ integTestCluster {
setupCommand 'setupPowerlessUser',
'bin/x-pack/users', 'useradd', 'no_graph_explorer', '-p', 'x-pack-test-password', '-r', 'no_graph_explorer'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
waitCondition = { node, ant ->
File tmpFile = new File(node.cwd, 'wait.success')
ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",


@ -105,6 +105,7 @@ integTestCluster {
setupCommand 'setupPowerlessUser',
'bin/x-pack/users', 'useradd', 'no_ml', '-p', 'x-pack-test-password', '-r', 'minimal'
setting 'xpack.license.self_generated.type', 'trial'
setting 'xpack.security.enabled', 'true'
waitCondition = { node, ant ->
File tmpFile = new File(node.cwd, 'wait.success')
ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",


@ -182,6 +182,7 @@ integTestCluster {
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full'
setting 'xpack.security.enabled', 'true'
setting 'xpack.security.http.ssl.enabled', 'true'
setting 'xpack.security.http.ssl.keystore.path', nodeKeystore.name
keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass'


@ -22,7 +22,7 @@ project.rootProject.subprojects.findAll { it.path.startsWith(':plugins:') }.each
integTestCluster {
plugin xpackProject('plugin').path
setting 'xpack.security.enabled', 'true'
setupCommand 'setupDummyUser',
'bin/x-pack/users', 'useradd', 'test_user', '-p', 'x-pack-test-password', '-r', 'superuser'
waitCondition = { node, ant ->


@ -11,6 +11,7 @@ integTestCluster {
plugin xpackProject('plugin').path
setting 'xpack.watcher.enabled', 'false'
setting 'xpack.monitoring.enabled', 'false'
setting 'xpack.security.enabled', 'true'
setting 'xpack.license.self_generated.type', 'trial'
setupCommand 'setupDummyUser',
'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'


@ -22,6 +22,7 @@ integTestCluster {
dependsOn copyWatcherRestTests
setting 'xpack.monitoring.enabled', 'false'
setting 'xpack.ml.enabled', 'false'
setting 'xpack.security.enabled', 'true'
// settings to test settings filtering on
setting 'xpack.notification.email.account._email.smtp.host', 'host.domain'
setting 'xpack.notification.email.account._email.smtp.port', '587'


@ -25,6 +25,7 @@ subprojects {
// Setup auditing so we can use it in some tests
setting 'xpack.security.audit.enabled', 'true'
setting 'xpack.security.audit.outputs', 'logfile'
setting 'xpack.security.enabled', 'true'
// Setup roles used by tests
extraConfigFile 'x-pack/roles.yml', '../roles.yml'
/* Setup the one admin user that we run the tests as.
@ -43,6 +44,7 @@ subprojects {
// Setup auditing so we can use it in some tests
setting 'xpack.security.audit.enabled', 'true'
setting 'xpack.security.audit.outputs', 'logfile'
setting 'xpack.security.enabled', 'true'
// Setup roles used by tests
extraConfigFile 'x-pack/roles.yml', '../roles.yml'
/* Setup the one admin user that we run the tests as.