Disable security for trial licenses by default (elastic/x-pack-elasticsearch#4120)
This change disables security for trial licenses unless security is explicitly enabled in the settings. This is done to facilitate users getting started and not having to deal with some of the complexities involved in getting security configured. In order to do this and avoid disabling security for existing users that have gold or platinum licenses, we have to disable security after cluster formation so that the license can be retrieved. relates elastic/x-pack-elasticsearch#4078 Original commit: elastic/x-pack-elasticsearch@96bdb889fc
parent
e139b7ee31
commit
b0cc5afe8b
@ -136,6 +136,7 @@ Closure waitWithAuth = { NodeInfo node, AntBuilder ant ->
|
||||
|
||||
integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.authc.token.enabled', 'true'
|
||||
// Disable monitoring exporters for the docs tests
|
||||
setting 'xpack.monitoring.exporters._local.type', 'local'
|
||||
|
@ -90,6 +90,7 @@ processTestResources.dependsOn(createNodeKeyStore)
|
||||
integTestCluster {
|
||||
dependsOn createNodeKeyStore
|
||||
setting 'xpack.ml.enabled', 'true'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE'
|
||||
// Integration tests are supposed to enable/disable exporters before/after each test
|
||||
setting 'xpack.monitoring.exporters._local.type', 'local'
|
||||
|
@ -10,6 +10,7 @@ import org.elasticsearch.common.logging.LoggerMessageFormat;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.License.OperationMode;
|
||||
import org.elasticsearch.xpack.core.XPackField;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.monitoring.MonitoringField;
|
||||
|
||||
import java.util.Collections;
|
||||
@ -262,8 +263,16 @@ public class XPackLicenseState {
|
||||
this.active = active;
|
||||
}
|
||||
}
|
||||
|
||||
private volatile Status status = new Status(OperationMode.TRIAL, true);
|
||||
private final List<Runnable> listeners = new CopyOnWriteArrayList<>();
|
||||
private final boolean isSecurityEnabled;
|
||||
private final boolean isSecurityExplicitlyEnabled;
|
||||
|
||||
public XPackLicenseState(Settings settings) {
|
||||
this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
|
||||
this.isSecurityExplicitlyEnabled = settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) && isSecurityEnabled;
|
||||
}
|
||||
|
||||
/** Updates the current state of the license, which will change what features are available. */
|
||||
void update(OperationMode mode, boolean active) {
|
||||
@ -306,7 +315,8 @@ public class XPackLicenseState {
|
||||
*/
|
||||
public boolean isIpFilteringAllowed() {
|
||||
OperationMode mode = status.mode;
|
||||
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL;
|
||||
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM
|
||||
|| mode == OperationMode.TRIAL;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -314,7 +324,8 @@ public class XPackLicenseState {
|
||||
*/
|
||||
public boolean isAuditingAllowed() {
|
||||
OperationMode mode = status.mode;
|
||||
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL;
|
||||
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM
|
||||
|| mode == OperationMode.TRIAL;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -374,7 +385,8 @@ public class XPackLicenseState {
|
||||
*/
|
||||
public boolean isCustomRoleProvidersAllowed() {
|
||||
final Status localStatus = status;
|
||||
return (localStatus.mode == OperationMode.PLATINUM || localStatus.mode == OperationMode.TRIAL) && localStatus.active;
|
||||
return (localStatus.mode == OperationMode.PLATINUM || localStatus.mode == OperationMode.TRIAL )
|
||||
&& localStatus.active;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -578,4 +590,18 @@ public class XPackLicenseState {
|
||||
return licensed && localStatus.active;
|
||||
}
|
||||
|
||||
public boolean isTrialLicense() {
|
||||
return status.mode == OperationMode.TRIAL;
|
||||
}
|
||||
|
||||
public boolean isSecurityAvailable() {
|
||||
OperationMode mode = status.mode;
|
||||
return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.STANDARD ||
|
||||
mode == OperationMode.TRIAL;
|
||||
}
|
||||
|
||||
public boolean isSecurityEnabled() {
|
||||
final OperationMode mode = status.mode;
|
||||
return mode == OperationMode.TRIAL ? isSecurityExplicitlyEnabled : isSecurityEnabled;
|
||||
}
|
||||
}
|
||||
|
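Review bot: `isSecurityEnabled()` fails open until the real license arrives, because `status` starts as `new Status(OperationMode.TRIAL, true)`. A node that relies on the default for `xpack.security.enabled` therefore reports security as disabled from construction until `update()` delivers the actual mode, even if the cluster holds a gold or platinum license. The callers changed in this commit (`SecurityIndexSearcherWrapper.wrap` and `Security.getFieldFilter`) return the unwrapped reader or the no-op field predicate whenever this method returns false, so it is worth confirming that no request can reach them in that window. One option is a new `licenseLoaded` flag set in `update()`, with `return licenseLoaded && mode == OperationMode.TRIAL ? isSecurityExplicitlyEnabled : isSecurityEnabled;`, so the state before the first update is treated as enabled. The three new public methods also lack the Javadoc their neighbours carry; `isSecurityEnabled()` should say that it returns the effective state (setting plus license mode), not the raw setting.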
@ -111,7 +111,7 @@ public class XPackPlugin extends XPackClientPlugin implements ScriptPlugin, Exte
|
||||
Environment env = transportClientMode ? null : new Environment(settings, configPath);
|
||||
|
||||
setSslService(new SSLService(settings, env));
|
||||
setLicenseState(new XPackLicenseState());
|
||||
setLicenseState(new XPackLicenseState(settings));
|
||||
|
||||
this.licensing = new Licensing(settings);
|
||||
}
|
||||
|
@ -108,7 +108,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
|
||||
|
||||
@Override
|
||||
protected DirectoryReader wrap(DirectoryReader reader) {
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
return reader;
|
||||
}
|
||||
|
||||
@ -162,7 +162,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
|
||||
|
||||
@Override
|
||||
protected IndexSearcher wrap(IndexSearcher searcher) throws EngineException {
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
return searcher;
|
||||
}
|
||||
|
||||
|
@ -23,7 +23,7 @@ import static org.mockito.Mockito.when;
|
||||
public class LicenseRegistrationTests extends AbstractLicenseServiceTestCase {
|
||||
|
||||
public void testSelfGeneratedTrialLicense() throws Exception {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
setInitialState(null, licenseState, Settings.EMPTY, "trial");
|
||||
when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(true);
|
||||
licenseService.start();
|
||||
@ -42,7 +42,7 @@ public class LicenseRegistrationTests extends AbstractLicenseServiceTestCase {
|
||||
}
|
||||
|
||||
public void testSelfGeneratedBasicLicense() throws Exception {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
setInitialState(null, licenseState, Settings.EMPTY, "basic");
|
||||
when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(true);
|
||||
licenseService.start();
|
||||
@ -74,7 +74,7 @@ public class LicenseRegistrationTests extends AbstractLicenseServiceTestCase {
|
||||
.maxNodes(5);
|
||||
License license = TestUtils.generateSignedLicense(builder);
|
||||
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
setInitialState(license, licenseState, Settings.EMPTY);
|
||||
when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(true);
|
||||
licenseService.start();
|
||||
@ -106,7 +106,7 @@ public class LicenseRegistrationTests extends AbstractLicenseServiceTestCase {
|
||||
.expiryDate(dateMath("now-2h", now));
|
||||
License license = SelfGeneratedLicense.create(builder);
|
||||
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
setInitialState(license, licenseState, Settings.EMPTY);
|
||||
when(discoveryNodes.isLocalNodeElectedMaster()).thenReturn(true);
|
||||
licenseService.start();
|
||||
|
@ -20,7 +20,7 @@ import static org.mockito.Mockito.verify;
|
||||
public class LicensesAcknowledgementTests extends AbstractLicenseServiceTestCase {
|
||||
|
||||
public void testAcknowledgment() throws Exception {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
setInitialState(TestUtils.generateSignedLicense("gold", timeValueHours(2)), licenseState, Settings.EMPTY);
|
||||
licenseService.start();
|
||||
// try installing a signed license
|
||||
@ -40,7 +40,7 @@ public class LicensesAcknowledgementTests extends AbstractLicenseServiceTestCase
|
||||
}
|
||||
|
||||
public void testRejectUpgradeToProductionWithoutTLS() throws Exception {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
setInitialState(TestUtils.generateSignedLicense("trial", timeValueHours(2)), licenseState, Settings.EMPTY);
|
||||
licenseService.start();
|
||||
// try installing a signed license
|
||||
@ -53,7 +53,7 @@ public class LicensesAcknowledgementTests extends AbstractLicenseServiceTestCase
|
||||
}
|
||||
|
||||
public void testUpgradeToProductionWithoutTLSAndSecurityDisabled() throws Exception {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
setInitialState(TestUtils.generateSignedLicense("trial", timeValueHours(2)), licenseState, Settings.builder()
|
||||
.put("xpack.security.enabled", false).build());
|
||||
licenseService.start();
|
||||
@ -72,7 +72,7 @@ public class LicensesAcknowledgementTests extends AbstractLicenseServiceTestCase
|
||||
}
|
||||
|
||||
public void testUpgradeToProductionWithTLSAndSecurity() throws Exception {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
setInitialState(TestUtils.generateSignedLicense("trial", timeValueHours(2)), licenseState, Settings.builder()
|
||||
.put("xpack.security.enabled", true)
|
||||
.put("xpack.security.transport.ssl.enabled", true).build());
|
||||
|
@ -12,6 +12,7 @@ import org.elasticsearch.common.Strings;
|
||||
import org.elasticsearch.common.joda.DateMathParser;
|
||||
import org.elasticsearch.common.joda.FormatDateTimeFormatter;
|
||||
import org.elasticsearch.common.joda.Joda;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.unit.TimeValue;
|
||||
import org.elasticsearch.common.xcontent.ToXContent;
|
||||
import org.elasticsearch.common.xcontent.XContentBuilder;
|
||||
@ -341,6 +342,10 @@ public class TestUtils {
|
||||
public final List<License.OperationMode> modeUpdates = new ArrayList<>();
|
||||
public final List<Boolean> activeUpdates = new ArrayList<>();
|
||||
|
||||
public AssertingLicenseState() {
|
||||
super(Settings.EMPTY);
|
||||
}
|
||||
|
||||
@Override
|
||||
void update(License.OperationMode mode, boolean active) {
|
||||
modeUpdates.add(mode);
|
||||
@ -353,6 +358,14 @@ public class TestUtils {
|
||||
* method public for use in tests.
|
||||
*/
|
||||
public static class UpdatableLicenseState extends XPackLicenseState {
|
||||
public UpdatableLicenseState() {
|
||||
this(Settings.EMPTY);
|
||||
}
|
||||
|
||||
public UpdatableLicenseState(Settings settings) {
|
||||
super(settings);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void update(License.OperationMode mode, boolean active) {
|
||||
super.update(mode, active);
|
||||
|
@ -5,10 +5,11 @@
|
||||
*/
|
||||
package org.elasticsearch.license;
|
||||
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.License.OperationMode;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.XPackField;
|
||||
import org.hamcrest.Matchers;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.function.Predicate;
|
||||
@ -29,7 +30,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
|
||||
/** Creates a license state with the given license type and active state, and checks the given method returns expected. */
|
||||
void assertAllowed(OperationMode mode, boolean active, Predicate<XPackLicenseState> predicate, boolean expected) {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(mode, active);
|
||||
assertEquals(expected, predicate.test(licenseState));
|
||||
}
|
||||
@ -68,18 +69,29 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSecurityDefaults() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState =
|
||||
new XPackLicenseState(Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build());
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.ALL));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
|
||||
|
||||
licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
assertThat(licenseState.isIpFilteringAllowed(), is(true));
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
|
||||
}
|
||||
|
||||
public void testSecurityBasic() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
|
||||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(BASIC, true);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(false));
|
||||
@ -87,12 +99,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.NONE));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
}
|
||||
|
||||
public void testSecurityBasicExpired() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
|
||||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(BASIC, false);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(false));
|
||||
@ -100,12 +113,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.NONE));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
}
|
||||
|
||||
public void testSecurityStandard() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
|
||||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(STANDARD, true);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
@ -113,12 +127,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.NATIVE));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
}
|
||||
|
||||
public void testSecurityStandardExpired() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
|
||||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(STANDARD, false);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
@ -126,12 +141,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
assertThat(licenseState.isAuditingAllowed(), is(false));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.NATIVE));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
}
|
||||
|
||||
public void testSecurityGold() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
|
||||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(GOLD, true);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
@ -139,12 +155,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.DEFAULT));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
}
|
||||
|
||||
public void testSecurityGoldExpired() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
|
||||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(GOLD, false);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
@ -152,12 +169,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.DEFAULT));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
}
|
||||
|
||||
public void testSecurityPlatinum() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
|
||||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(PLATINUM, true);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
@ -165,12 +183,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.ALL));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
|
||||
}
|
||||
|
||||
public void testSecurityPlatinumExpired() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
|
||||
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
|
||||
licenseState.update(PLATINUM, false);
|
||||
|
||||
assertThat(licenseState.isAuthAllowed(), is(true));
|
||||
@ -178,7 +197,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
assertThat(licenseState.isAuditingAllowed(), is(true));
|
||||
assertThat(licenseState.isStatsAndHealthAllowed(), is(false));
|
||||
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
|
||||
assertThat(licenseState.allowedRealmType(), Matchers.is(XPackLicenseState.AllowedRealmType.ALL));
|
||||
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
|
||||
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
|
||||
}
|
||||
|
||||
@ -318,13 +337,13 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSqlDefaults() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
assertThat(licenseState.isSqlAllowed(), is(true));
|
||||
assertThat(licenseState.isJdbcAllowed(), is(true));
|
||||
}
|
||||
|
||||
public void testSqlBasic() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(BASIC, true);
|
||||
|
||||
assertThat(licenseState.isSqlAllowed(), is(true));
|
||||
@ -332,7 +351,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSqlBasicExpired() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(BASIC, false);
|
||||
|
||||
assertThat(licenseState.isSqlAllowed(), is(false));
|
||||
@ -340,7 +359,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSqlStandard() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(STANDARD, true);
|
||||
|
||||
assertThat(licenseState.isSqlAllowed(), is(true));
|
||||
@ -348,7 +367,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSqlStandardExpired() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(STANDARD, false);
|
||||
|
||||
assertThat(licenseState.isSqlAllowed(), is(false));
|
||||
@ -356,7 +375,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSqlGold() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(GOLD, true);
|
||||
|
||||
assertThat(licenseState.isSqlAllowed(), is(true));
|
||||
@ -364,7 +383,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSqlGoldExpired() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(GOLD, false);
|
||||
|
||||
assertThat(licenseState.isSqlAllowed(), is(false));
|
||||
@ -372,7 +391,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSqlPlatinum() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(PLATINUM, true);
|
||||
|
||||
assertThat(licenseState.isSqlAllowed(), is(true));
|
||||
@ -380,7 +399,7 @@ public class XPackLicenseStateTests extends ESTestCase {
|
||||
}
|
||||
|
||||
public void testSqlPlatinumExpired() {
|
||||
XPackLicenseState licenseState = new XPackLicenseState();
|
||||
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
licenseState.update(PLATINUM, false);
|
||||
|
||||
assertThat(licenseState.isSqlAllowed(), is(false));
|
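Review bot: None of the hunks in this file assert on `isSecurityEnabled()`, the method that carries the behaviour change. `testSecurityDefaults` builds one state with the setting explicitly true and one from `Settings.EMPTY`, yet it checks only the `is*Allowed()` methods, which are expected to give the same answers for both. Adding `assertThat(licenseState.isSecurityEnabled(), is(true));` after the first block and `assertThat(licenseState.isSecurityEnabled(), is(false));` after the second would pin the trial default. A non-trial case (`licenseState.update(GOLD, true)` on `Settings.EMPTY`, expecting `true` if the setting defaults to true as the commit description implies) would guard against silently disabling security for paid licenses.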
@ -87,6 +87,7 @@ public class SecurityIndexSearcherWrapperIntegrationTests extends ESTestCase {
|
||||
});
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
SecurityIndexSearcherWrapper wrapper = new SecurityIndexSearcherWrapper(indexSettings, s -> queryShardContext,
|
||||
bitsetFilterCache, threadContext, licenseState, scriptService) {
|
||||
|
||||
|
@ -132,6 +132,7 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
|
||||
|
||||
ShardId shardId = new ShardId(index, 0);
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
threadContext = new ThreadContext(Settings.EMPTY);
|
||||
IndexShard indexShard = mock(IndexShard.class);
|
||||
|
@ -45,7 +45,6 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
|
||||
|
||||
private final XPackLicenseState licenseState;
|
||||
private final Client client;
|
||||
private final boolean securityEnabled;
|
||||
|
||||
private final SecurityContext securityContext;
|
||||
|
||||
@ -58,8 +57,8 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
|
||||
actionFilters, indexNameExpressionResolver, PutDatafeedAction.Request::new);
|
||||
this.licenseState = licenseState;
|
||||
this.client = client;
|
||||
this.securityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
|
||||
this.securityContext = securityEnabled ? new SecurityContext(settings, threadPool.getThreadContext()) : null;
|
||||
this.securityContext = XPackSettings.SECURITY_ENABLED.get(settings) ?
|
||||
new SecurityContext(settings, threadPool.getThreadContext()) : null;
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -77,7 +76,7 @@ public class TransportPutDatafeedAction extends TransportMasterNodeAction<PutDat
|
||||
ActionListener<PutDatafeedAction.Response> listener) {
|
||||
// If security is enabled only create the datafeed if the user requesting creation has
|
||||
// permission to read the indices the datafeed is going to read from
|
||||
if (securityEnabled) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
|
||||
final String username = securityContext.getUser().principal();
|
||||
ActionListener<HasPrivilegesResponse> privResponseListener = ActionListener.wrap(
|
||||
r -> handlePrivsResponse(username, request, r, listener),
|
||||
|
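Review bot: The privilege-check guard in the last hunk now depends on `licenseState.isSecurityEnabled()`, while `securityContext` is still created in the constructor only when `XPackSettings.SECURITY_ENABLED.get(settings)` is true. The `securityContext.getUser()` call is therefore safe only while the license state and this action are built from the same `Settings`, and nothing in the class says so. If they ever differ, the result would be a NullPointerException rather than a skipped or enforced check. A comment on the guard would record the invariant, e.g. `// isSecurityEnabled() implies xpack.security.enabled is true in the node settings, so securityContext is non-null here`. Both the constructor and the handler method start or end outside these hunks.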
@ -105,6 +105,7 @@ public class ClusterStatsCollector extends Collector {
|
||||
final boolean apmIndicesExist = doAPMIndicesExist(clusterState);
|
||||
// if they have any other type of license, then they are either okay or already know
|
||||
final boolean clusterNeedsTLSEnabled = license.operationMode() == License.OperationMode.TRIAL &&
|
||||
settings.hasValue(SECURITY_ENABLED.getKey()) &&
|
||||
SECURITY_ENABLED.get(settings) &&
|
||||
TRANSPORT_SSL_ENABLED.get(settings) == false;
|
||||
|
||||
|
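Review bot: The added `settings.hasValue(SECURITY_ENABLED.getKey())` term duplicates the "explicitly enabled" rule that this commit also puts in `XPackLicenseState` (`isSecurityExplicitlyEnabled`). With the rule written in two places, the `clusterNeedsTLSEnabled` warning and the actual enforcement can drift apart if one of them changes. If this collector has access to the license state (not visible in the hunk), `licenseState.isSecurityEnabled()` would express the same condition for a trial license. Otherwise the comment above the expression should be extended, e.g. `// on a trial license security is only active when xpack.security.enabled is set explicitly`. The enclosing method starts and ends outside the hunk.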
@ -137,6 +137,9 @@ public class ClusterStatsCollectorTests extends BaseCollectorTestCase {
|
||||
throw new AssertionError("Unknown mode [" + mode + "]");
|
||||
}
|
||||
|
||||
if (randomBoolean()) {
|
||||
settings.put(XPackSettings.SECURITY_ENABLED.getKey(), true);
|
||||
}
|
||||
settings.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), transportTLSEnabled);
|
||||
} else {
|
||||
transportTLSEnabled = false;
|
||||
@ -234,8 +237,10 @@ public class ClusterStatsCollectorTests extends BaseCollectorTestCase {
|
||||
assertThat(document.getLicense(), equalTo(license));
|
||||
assertThat(document.getStatus(), equalTo(clusterStatus));
|
||||
|
||||
final boolean securitySettingDefined = settings.build().hasValue(XPackSettings.SECURITY_ENABLED.getKey());
|
||||
assertThat(document.getClusterNeedsTLSEnabled(),
|
||||
equalTo(mode == License.OperationMode.TRIAL && securityEnabled && transportTLSEnabled == false));
|
||||
equalTo(mode == License.OperationMode.TRIAL && securitySettingDefined && securityEnabled
|
||||
&& transportTLSEnabled == false));
|
||||
|
||||
assertThat(document.getClusterStats(), notNullValue());
|
||||
assertThat(document.getClusterStats().getStatus(), equalTo(clusterStatus));
|
||||
|
@ -551,7 +551,7 @@ public class HttpExporterIT extends MonitoringIntegTestCase {
|
||||
|
||||
private HttpExporter createHttpExporter(final Settings settings) throws Exception {
|
||||
final Exporter.Config config =
|
||||
new Exporter.Config("_http", "http", settings, clusterService(), new XPackLicenseState());
|
||||
new Exporter.Config("_http", "http", settings, clusterService(), new XPackLicenseState(Settings.EMPTY));
|
||||
|
||||
return new HttpExporter(config, new SSLService(settings, environment), new ThreadContext(settings));
|
||||
}
|
||||
|
@ -11,7 +11,6 @@ import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.threadpool.TestThreadPool;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.monitoring.MonitoringService;
|
||||
import org.elasticsearch.xpack.monitoring.cleaner.CleanerService;
|
||||
import org.elasticsearch.xpack.monitoring.exporter.Exporter;
|
||||
import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase;
|
||||
@ -72,7 +71,7 @@ public abstract class LocalExporterIntegTestCase extends MonitoringIntegTestCase
|
||||
*/
|
||||
protected LocalExporter createLocalExporter() {
|
||||
final Settings settings = localExporterSettings();
|
||||
final XPackLicenseState licenseState = new XPackLicenseState();
|
||||
final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
|
||||
final Exporter.Config config = new Exporter.Config(exporterName, "local", settings, clusterService(), licenseState);
|
||||
final CleanerService cleanerService =
|
||||
new CleanerService(settings, clusterService().getClusterSettings(), THREADPOOL, licenseState);
|
||||
|
@ -917,7 +917,7 @@ public class Security extends Plugin implements ActionPlugin, IngestPlugin, Netw
|
||||
public Function<String, Predicate<String>> getFieldFilter() {
|
||||
if (enabled) {
|
||||
return index -> {
|
||||
if (getLicenseState().isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
if (getLicenseState().isSecurityEnabled() == false || getLicenseState().isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
return MapperPlugin.NOOP_FIELD_PREDICATE;
|
||||
}
|
||||
IndicesAccessControl indicesAccessControl = threadContext.get().getTransient(
|
||||
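Review bot: The new condition inside the `index -> {` lambda of getFieldFilter calls `getLicenseState()` twice and writes the two-part check out by hand. Reading the state once, `final XPackLicenseState state = getLicenseState();` (assuming that is the return type), and testing `state.isSecurityEnabled() == false || state.isDocumentAndFieldLevelSecurityAllowed() == false` ties both answers to the same object. The same pair appears in BulkShardRequestInterceptor and FieldAndDocumentLevelSecurityRequestInterceptor, so one shared helper would keep the two halves from drifting apart. A comment such as `// security not enabled (e.g. trial license without xpack.security.enabled): no field-level filtering is applied` would make the fail-open result of returning `MapperPlugin.NOOP_FIELD_PREDICATE` explicit. The body of getFieldFilter continues outside the hunk.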
|
@ -36,7 +36,6 @@ import static org.elasticsearch.xpack.core.XPackSettings.TRANSPORT_SSL_ENABLED;
|
||||
public class SecurityFeatureSet implements XPackFeatureSet {
|
||||
|
||||
private final Settings settings;
|
||||
private final boolean enabled;
|
||||
private final XPackLicenseState licenseState;
|
||||
@Nullable
|
||||
private final Realms realms;
|
||||
@ -52,7 +51,6 @@ public class SecurityFeatureSet implements XPackFeatureSet {
|
||||
@Nullable Realms realms, @Nullable CompositeRolesStore rolesStore,
|
||||
@Nullable NativeRoleMappingStore roleMappingStore,
|
||||
@Nullable IPFilter ipFilter) {
|
||||
this.enabled = XPackSettings.SECURITY_ENABLED.get(settings);
|
||||
this.licenseState = licenseState;
|
||||
this.realms = realms;
|
||||
this.rolesStore = rolesStore;
|
||||
@ -73,12 +71,12 @@ public class SecurityFeatureSet implements XPackFeatureSet {
|
||||
|
||||
@Override
|
||||
public boolean available() {
|
||||
return licenseState != null && licenseState.isAuthAllowed();
|
||||
return licenseState != null && licenseState.isSecurityAvailable();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean enabled() {
|
||||
return enabled;
|
||||
return licenseState != null && licenseState.isSecurityEnabled();
|
||||
}
|
||||
|
||||
@Override
|
||||
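Review bot: `enabled()` no longer reports the `xpack.security.enabled` setting read in the constructor but whatever `licenseState.isSecurityEnabled()` answers at call time, and nothing in the new code documents that change. A Javadoc such as `/** Whether security is currently in effect according to the license state; false when no license state is available. */` would tell consumers of the feature-set output that the value can differ from the configured setting and can change at runtime. The `settings` field is kept although the `enabled` field derived from it is gone, so it is worth checking whether the remaining uses (outside these hunks) still need the raw setting. The class body continues outside the hunks.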
|
@ -5,6 +5,7 @@
|
||||
*/
|
||||
package org.elasticsearch.xpack.security.action.filter;
|
||||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.ActionRequest;
|
||||
@ -30,7 +31,6 @@ import org.elasticsearch.xpack.core.security.authc.Authentication;
|
||||
import org.elasticsearch.xpack.core.security.authz.privilege.HealthAndStatsPrivilege;
|
||||
import org.elasticsearch.xpack.core.security.support.Automatons;
|
||||
import org.elasticsearch.xpack.core.security.user.SystemUser;
|
||||
import org.elasticsearch.xpack.core.security.user.User;
|
||||
import org.elasticsearch.xpack.security.action.SecurityActionMapper;
|
||||
import org.elasticsearch.xpack.security.action.interceptor.RequestInterceptor;
|
||||
import org.elasticsearch.xpack.security.authc.AuthenticationService;
|
||||
@ -84,7 +84,8 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
|
||||
throw LicenseUtils.newComplianceException(XPackField.SECURITY);
|
||||
}
|
||||
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
final boolean securityEnabled = licenseState.isSecurityEnabled();
|
||||
if (securityEnabled && licenseState.isAuthAllowed()) {
|
||||
final ActionListener<Response> contextPreservingListener =
|
||||
ContextPreservingActionListener.wrapPreservingContext(listener, threadContext);
|
||||
ActionListener<Void> authenticatedListener = ActionListener.wrap(
|
||||
@ -116,7 +117,13 @@ public class SecurityActionFilter extends AbstractComponent implements ActionFil
|
||||
listener.onFailure(e);
|
||||
}
|
||||
} else if (SECURITY_ACTION_MATCHER.test(action)) {
|
||||
listener.onFailure(LicenseUtils.newComplianceException(XPackField.SECURITY));
|
||||
if (securityEnabled == false && licenseState.isTrialLicense()) {
|
||||
listener.onFailure(new ElasticsearchException("Security must be explicitly enabled when using a trial license. " +
|
||||
"Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +
|
||||
"and restart the node."));
|
||||
} else {
|
||||
listener.onFailure(LicenseUtils.newComplianceException(XPackField.SECURITY));
|
||||
}
|
||||
} else {
|
||||
chain.proceed(task, action, request, listener);
|
||||
}
|
||||
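Review bot: The trial-license message built in the `SECURITY_ACTION_MATCHER` branch is repeated word for word in SecurityBaseRestHandler.checkFeatureAvailable, so the two copies can drift. A single shared factory or constant for that `ElasticsearchException` text would keep them in step. Separately, the final `else` that calls `chain.proceed(task, action, request, listener)` is now also reached whenever `isSecurityEnabled()` is false, which means non-security actions run without authentication or authorization. A comment there, `// security not enabled or auth not licensed: the request proceeds unauthenticated`, would record that this fail-open path is intended. The enclosing method starts and ends outside the hunks.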
|
@ -20,7 +20,6 @@ import org.elasticsearch.xpack.core.security.authc.Authentication;
|
||||
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
|
||||
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
|
||||
import org.elasticsearch.xpack.core.security.authz.permission.Role;
|
||||
import org.elasticsearch.xpack.core.security.user.User;
|
||||
|
||||
/**
|
||||
* Similar to {@link UpdateRequestInterceptor}, but checks if there are update requests embedded in a bulk request.
|
||||
@ -38,7 +37,7 @@ public class BulkShardRequestInterceptor extends AbstractComponent implements Re
|
||||
|
||||
@Override
|
||||
public void intercept(BulkShardRequest request, Authentication authentication, Role userPermissions, String action) {
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
return;
|
||||
}
|
||||
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
|
@ -34,7 +34,7 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request extends I
|
||||
|
||||
@Override
|
||||
public void intercept(Request request, Authentication authentication, Role userPermissions, String action) {
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
return;
|
||||
}
|
||||
final IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
|
@ -38,6 +38,10 @@ public final class IndicesAliasesRequestInterceptor implements RequestIntercepto
|
||||
|
||||
@Override
|
||||
public void intercept(IndicesAliasesRequest request, Authentication authentication, Role userPermissions, String action) {
|
||||
if (licenseState.isSecurityEnabled() == false) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {
|
||||
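Review bot: The added early `return` at the top of `intercept` skips the whole interceptor, not only the DLS/FLS block that follows, so any check the method performs after `if (licenseState.isDocumentAndFieldLevelSecurityAllowed())` is bypassed as well when security is not enabled. The rest of the method is outside the hunk, so this is inferred from the name of testInterceptorThrowsWhenTargetHasGreaterPermissions. A comment on the guard, `// security not enabled: skip all alias permission checks, not only DLS/FLS`, would make that scope explicit. ResizeRequestInterceptor adds the same guard and needs the same comment. Both differ in shape from BulkShardRequestInterceptor, which folds the two tests into one condition.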
|
@ -39,6 +39,10 @@ public final class ResizeRequestInterceptor extends AbstractComponent implements
|
||||
|
||||
@Override
|
||||
public void intercept(ResizeRequest request, Authentication authentication, Role userPermissions, String action) {
|
||||
if (licenseState.isSecurityEnabled() == false) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
|
||||
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
|
||||
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(request.getSourceIndex());
|
||||
|
@ -22,7 +22,7 @@ import java.util.List;
|
||||
public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
private final XPackLicenseState licenseState;
|
||||
final List<AuditTrail> auditTrails;
|
||||
private final List<AuditTrail> auditTrails;
|
||||
|
||||
@Override
|
||||
public String name() {
|
||||
@ -42,7 +42,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void authenticationSuccess(String realm, User user, RestRequest request) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.authenticationSuccess(realm, user, request);
|
||||
}
|
||||
@ -51,7 +51,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void authenticationSuccess(String realm, User user, String action, TransportMessage message) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.authenticationSuccess(realm, user, action, message);
|
||||
}
|
||||
@ -60,7 +60,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void anonymousAccessDenied(String action, TransportMessage message) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.anonymousAccessDenied(action, message);
|
||||
}
|
||||
@ -69,7 +69,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void anonymousAccessDenied(RestRequest request) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.anonymousAccessDenied(request);
|
||||
}
|
||||
@ -78,7 +78,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void authenticationFailed(RestRequest request) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.authenticationFailed(request);
|
||||
}
|
||||
@ -87,7 +87,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void authenticationFailed(String action, TransportMessage message) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.authenticationFailed(action, message);
|
||||
}
|
||||
@ -96,7 +96,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void authenticationFailed(AuthenticationToken token, String action, TransportMessage message) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.authenticationFailed(token, action, message);
|
||||
}
|
||||
@ -105,7 +105,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void authenticationFailed(String realm, AuthenticationToken token, String action, TransportMessage message) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.authenticationFailed(realm, token, action, message);
|
||||
}
|
||||
@ -114,7 +114,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void authenticationFailed(AuthenticationToken token, RestRequest request) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.authenticationFailed(token, request);
|
||||
}
|
||||
@ -123,7 +123,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void authenticationFailed(String realm, AuthenticationToken token, RestRequest request) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.authenticationFailed(realm, token, request);
|
||||
}
|
||||
@ -132,7 +132,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void accessGranted(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.accessGranted(authentication, action, message, roleNames);
|
||||
}
|
||||
@ -141,7 +141,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void accessDenied(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.accessDenied(authentication, action, message, roleNames);
|
||||
}
|
||||
@ -150,14 +150,16 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void tamperedRequest(RestRequest request) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.tamperedRequest(request);
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.tamperedRequest(request);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void tamperedRequest(String action, TransportMessage message) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.tamperedRequest(action, message);
|
||||
}
|
||||
@ -166,7 +168,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void tamperedRequest(User user, String action, TransportMessage request) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.tamperedRequest(user, action, request);
|
||||
}
|
||||
@ -175,7 +177,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void connectionGranted(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.connectionGranted(inetAddress, profile, rule);
|
||||
}
|
||||
@ -184,7 +186,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void connectionDenied(InetAddress inetAddress, String profile, SecurityIpFilterRule rule) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.connectionDenied(inetAddress, profile, rule);
|
||||
}
|
||||
@ -193,7 +195,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void runAsGranted(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.runAsGranted(authentication, action, message, roleNames);
|
||||
}
|
||||
@ -202,7 +204,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void runAsDenied(Authentication authentication, String action, TransportMessage message, String[] roleNames) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.runAsDenied(authentication, action, message, roleNames);
|
||||
}
|
||||
@ -211,7 +213,7 @@ public class AuditTrailService extends AbstractComponent implements AuditTrail {
|
||||
|
||||
@Override
|
||||
public void runAsDenied(Authentication authentication, RestRequest request, String[] roleNames) {
|
||||
if (licenseState.isAuditingAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
auditTrail.runAsDenied(authentication, request, roleNames);
|
||||
}
|
||||
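Review bot: `tamperedRequest(RestRequest request)` appears to have been the one method that forwarded to every audit trail unconditionally, and the new code puts it behind the license check like the rest. That is a behaviour change beyond the trial-license default and deserves a line in the commit description or a comment on the method. The guard `licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()` is now repeated in each audit method shown. A private helper, `private boolean shouldAudit() { return licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed(); }`, would leave one place to change and one place to document that no audit events are emitted while security is not enabled.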
|
@ -92,7 +92,7 @@ public class Realms extends AbstractComponent implements Iterable<Realm> {
|
||||
|
||||
@Override
|
||||
public Iterator<Realm> iterator() {
|
||||
if (licenseState.isAuthAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isAuthAllowed() == false) {
|
||||
return Collections.emptyIterator();
|
||||
}
|
||||
|
||||
@ -114,7 +114,7 @@ public class Realms extends AbstractComponent implements Iterable<Realm> {
|
||||
}
|
||||
|
||||
public List<Realm> asList() {
|
||||
if (licenseState.isAuthAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isAuthAllowed() == false) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
|
@ -45,7 +45,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
|
||||
*/
|
||||
@Override
|
||||
public void onNewScrollContext(SearchContext searchContext) {
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
|
||||
searchContext.scrollContext().putInContext(AuthenticationField.AUTHENTICATION_KEY,
|
||||
Authentication.getAuthentication(threadContext));
|
||||
}
|
||||
@ -57,7 +57,7 @@ public final class SecuritySearchOperationListener implements SearchOperationLis
|
||||
*/
|
||||
@Override
|
||||
public void validateSearchContext(SearchContext searchContext, TransportRequest request) {
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
|
||||
if (searchContext.scrollContext() != null) {
|
||||
final Authentication originalAuth = searchContext.scrollContext().getFromContext(AuthenticationField.AUTHENTICATION_KEY);
|
||||
final Authentication current = Authentication.getAuthentication(threadContext);
|
||||
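Review bot: `validateSearchContext` can now run against a scroll context that `onNewScrollContext` created while `isSecurityEnabled()` was false, and in that case no authentication was stored, so `originalAuth` is presumably null. The comparison against `current` is outside the hunk, so whether it tolerates a null is not visible. If it does not, an explicit `if (originalAuth == null)` branch that deliberately rejects or accepts the context is needed before the comparison. The commit description says security is switched off only after cluster formation, so the state can change during the lifetime of a scroll. The reverse case, a context created with authentication and validated while security is off, skips validation entirely and should be mentioned in the method's Javadoc.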
|
@ -47,7 +47,7 @@ public class SecurityRestFilter implements RestHandler {
|
||||
|
||||
@Override
|
||||
public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
|
||||
if (licenseState.isAuthAllowed() && request.method() != Method.OPTIONS) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed() && request.method() != Method.OPTIONS) {
|
||||
// CORS - allow for preflight unauthenticated OPTIONS request
|
||||
if (extractClientCertificate) {
|
||||
Netty4HttpRequest nettyHttpRequest = (Netty4HttpRequest) request;
|
||||
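Review bot: The comment `// CORS - allow for preflight unauthenticated OPTIONS request` now explains only one of the three reasons the authenticated path in `handleRequest` is skipped. With `licenseState.isSecurityEnabled()` added to the condition, REST requests on a trial license that has not set `xpack.security.enabled` presumably fall through to the handler without authentication. That case deserves its own comment, for example `// security not enabled (trial default): requests are handled without authentication`. The rest of handleRequest, including the fall-through branch, is outside the hunk.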
|
@ -5,6 +5,7 @@
|
||||
*/
|
||||
package org.elasticsearch.xpack.security.rest.action;
|
||||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.client.node.NodeClient;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.LicenseUtils;
|
||||
@ -44,23 +45,38 @@ public abstract class SecurityBaseRestHandler extends BaseRestHandler {
|
||||
*/
|
||||
protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
|
||||
RestChannelConsumer consumer = innerPrepareRequest(request, client);
|
||||
final String failedFeature = checkLicensedFeature(request);
|
||||
final Exception failedFeature = checkFeatureAvailable(request);
|
||||
if (failedFeature == null) {
|
||||
return consumer;
|
||||
} else {
|
||||
return channel -> channel.sendResponse(new BytesRestResponse(channel, LicenseUtils.newComplianceException(failedFeature)));
|
||||
return channel -> channel.sendResponse(new BytesRestResponse(channel, failedFeature));
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether the given request is allowed within the current license state, and return the name of any unlicensed feature.
|
||||
* By default this returns {@link org.elasticsearch.xpack.core.XPackField#SECURITY} if the license state does not
|
||||
* {@link XPackLicenseState#isAuthAllowed() allow authentication and authorization}.
|
||||
* Sub-classes can override this method if they have additional licensing requirements.
|
||||
* @return {@code null} if all required features are licensed, otherwise the name of the most significant unlicensed feature.
|
||||
* Check whether the given request is allowed within the current license state and setup,
|
||||
* and return the name of any unlicensed feature.
|
||||
* By default this returns an exception is security is not available by the current license or
|
||||
* security is not enabled.
|
||||
* Sub-classes can override this method if they have additional requirements.
|
||||
*
|
||||
* @return {@code null} if all required features are available, otherwise an exception to be
|
||||
* sent to the requestor
|
||||
*/
|
||||
protected String checkLicensedFeature(RestRequest request) {
|
||||
return licenseState.isAuthAllowed() ? null : XPackField.SECURITY;
|
||||
protected Exception checkFeatureAvailable(RestRequest request) {
|
||||
if (licenseState.isSecurityAvailable() == false) {
|
||||
return LicenseUtils.newComplianceException(XPackField.SECURITY);
|
||||
} else if (licenseState.isSecurityEnabled() == false) {
|
||||
if (licenseState.isTrialLicense()) {
|
||||
return new ElasticsearchException("Security must be explicitly enabled when using a trial license. " +
|
||||
"Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file " +
|
||||
"and restart the node.");
|
||||
} else {
|
||||
return new IllegalStateException("Security is not enabled but a security rest handler is registered");
|
||||
}
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
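Review bot: The Javadoc on `checkFeatureAvailable` still says the method will "return the name of any unlicensed feature", but it now returns an `Exception`, and the next sentence reads "returns an exception is security is not available" where "if" is meant. A summary such as `Check whether the given request is allowed within the current license state and setup, and return the exception to send to the requestor if it is not.` would match the new signature. The `IllegalStateException` text "Security is not enabled but a security rest handler is registered" describes an internal wiring error, yet `prepareRequest` passes it to `BytesRestResponse` like the other cases, so it reaches the client. Logging it server-side and returning a less specific error may be preferable.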
|
@ -6,6 +6,7 @@
|
||||
package org.elasticsearch.xpack.security.rest.action.saml;
|
||||
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.LicenseUtils;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings;
|
||||
@ -24,15 +25,15 @@ public abstract class SamlBaseRestHandler extends SecurityBaseRestHandler {
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String checkLicensedFeature(RestRequest request) {
|
||||
String feature = super.checkLicensedFeature(request);
|
||||
if (feature != null) {
|
||||
return feature;
|
||||
protected Exception checkFeatureAvailable(RestRequest request) {
|
||||
Exception failedFeature = super.checkFeatureAvailable(request);
|
||||
if (failedFeature != null) {
|
||||
return failedFeature;
|
||||
} else if (Realms.isRealmTypeAvailable(licenseState.allowedRealmType(), SAML_REALM_TYPE)) {
|
||||
return null;
|
||||
} else {
|
||||
logger.info("The '{}' realm is not available under the current license", SAML_REALM_TYPE);
|
||||
return SAML_REALM_TYPE;
|
||||
return LicenseUtils.newComplianceException(SAML_REALM_TYPE);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -98,7 +98,7 @@ public class SecurityServerTransportInterceptor extends AbstractComponent implem
|
||||
@Override
|
||||
public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String action, TransportRequest request,
|
||||
TransportRequestOptions options, TransportResponseHandler<T> handler) {
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
|
||||
// the transport in core normally does this check, BUT since we are serializing to a string header we need to do it
|
||||
// ourselves otherwise we wind up using a version newer than what we can actually send
|
||||
final Version minVersion = Version.min(connection.getVersion(), Version.CURRENT);
|
||||
@ -261,7 +261,7 @@ public class SecurityServerTransportInterceptor extends AbstractComponent implem
|
||||
public void messageReceived(T request, TransportChannel channel, Task task) throws Exception {
|
||||
final AbstractRunnable receiveMessage = getReceiveRunnable(request, channel, task);
|
||||
try (ThreadContext.StoredContext ctx = threadContext.newStoredContext(true)) {
|
||||
if (licenseState.isAuthAllowed()) {
|
||||
if (licenseState.isSecurityEnabled() && licenseState.isAuthAllowed()) {
|
||||
String profile = channel.getProfileName();
|
||||
ServerTransportFilter filter = profileFilters.get(profile);
|
||||
|
||||
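Review bot: `sendRequest` and `messageReceived` each consult the node's own `licenseState`, so a sending node and a receiving node can presumably disagree for a short time about whether security is enabled. The commit description says security is disabled only after cluster formation, once the license has been retrieved. Neither hunk states what happens when a node that still enforces authentication receives a request from one that has already stopped attaching it. A comment at both checks, `// license state is node-local: sender and receiver may briefly disagree while the license propagates`, together with a test for that window, would document the expected outcome. Both method bodies continue outside the hunks.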
|
@ -198,7 +198,7 @@ public class IPFilter {
|
||||
}
|
||||
|
||||
public boolean accept(String profile, InetSocketAddress peerAddress) {
|
||||
if (licenseState.isIpFilteringAllowed() == false) {
|
||||
if (licenseState.isSecurityEnabled() == false || licenseState.isIpFilteringAllowed() == false) {
|
||||
return true;
|
||||
}
|
||||
|
||||
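Review bot: `accept` now returns `true` for every peer when `licenseState.isSecurityEnabled()` is false, so IP filter rules an operator has configured are silently not enforced on a trial license that has not set `xpack.security.enabled`. A comment on the early return, `// security not enabled: configured IP filter rules are not applied`, would make that explicit. If rules can be present in that state, a warning logged once when they are loaded would tell the operator they have no effect. The rest of accept is outside the hunk.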
|
@ -128,6 +128,7 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
|
||||
writeFile(xpackConf, "users_roles", configUsersRoles());
|
||||
|
||||
Settings.Builder builder = Settings.builder().put(super.nodeSettings(nodeOrdinal))
|
||||
.put(XPackSettings.SECURITY_ENABLED.getKey(), true)
|
||||
//TODO: for now isolate security tests from watcher & monitoring (randomize this later)
|
||||
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
|
||||
.put(XPackSettings.MONITORING_ENABLED.getKey(), false)
|
||||
|
@ -55,46 +55,42 @@ public class SecurityFeatureSetTests extends ESTestCase {
|
||||
public void init() throws Exception {
|
||||
settings = Settings.builder().put("path.home", createTempDir()).build();
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
realms = mock(Realms.class);
|
||||
ipFilter = mock(IPFilter.class);
|
||||
rolesStore = mock(CompositeRolesStore.class);
|
||||
roleMappingStore = mock(NativeRoleMappingStore.class);
|
||||
}
|
||||
|
||||
public void testAvailable() throws Exception {
|
||||
public void testAvailable() {
|
||||
SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms,
|
||||
rolesStore, roleMappingStore, ipFilter);
|
||||
boolean available = randomBoolean();
|
||||
when(licenseState.isAuthAllowed()).thenReturn(available);
|
||||
assertThat(featureSet.available(), is(available));
|
||||
when(licenseState.isSecurityAvailable()).thenReturn(true);
|
||||
assertThat(featureSet.available(), is(true));
|
||||
|
||||
when(licenseState.isSecurityAvailable()).thenReturn(false);
|
||||
assertThat(featureSet.available(), is(false));
|
||||
}
|
||||
|
||||
public void testEnabledSetting() throws Exception {
|
||||
boolean enabled = randomBoolean();
|
||||
Settings settings = Settings.builder()
|
||||
.put(this.settings)
|
||||
.put("xpack.security.enabled", enabled)
|
||||
.build();
|
||||
SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms,
|
||||
rolesStore, roleMappingStore, ipFilter);
|
||||
assertThat(featureSet.enabled(), is(enabled));
|
||||
}
|
||||
|
||||
public void testEnabledDefault() throws Exception {
|
||||
public void testEnabled() {
|
||||
SecurityFeatureSet featureSet = new SecurityFeatureSet(settings, licenseState, realms,
|
||||
rolesStore, roleMappingStore, ipFilter);
|
||||
assertThat(featureSet.enabled(), is(true));
|
||||
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(false);
|
||||
featureSet = new SecurityFeatureSet(settings, licenseState, realms,
|
||||
rolesStore, roleMappingStore, ipFilter);
|
||||
assertThat(featureSet.enabled(), is(false));
|
||||
}
|
||||
|
||||
public void testUsage() throws Exception {
|
||||
|
||||
boolean authcAuthzAvailable = randomBoolean();
|
||||
when(licenseState.isAuthAllowed()).thenReturn(authcAuthzAvailable);
|
||||
final boolean authcAuthzAvailable = randomBoolean();
|
||||
when(licenseState.isSecurityAvailable()).thenReturn(authcAuthzAvailable);
|
||||
|
||||
Settings.Builder settings = Settings.builder().put(this.settings);
|
||||
|
||||
boolean enabled = randomBoolean();
|
||||
settings.put("xpack.security.enabled", enabled);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(enabled);
|
||||
|
||||
final boolean httpSSLEnabled = randomBoolean();
|
||||
settings.put("xpack.security.http.ssl.enabled", httpSSLEnabled);
|
||||
|
@ -91,9 +91,12 @@ public class SecurityTests extends ESTestCase {
|
||||
if (security != null) {
|
||||
throw new IllegalStateException("Security object already exists (" + security + ")");
|
||||
}
|
||||
Settings settings = Settings.builder().put(testSettings).put("path.home", createTempDir()).build();
|
||||
Settings settings = Settings.builder()
|
||||
.put("xpack.security.enabled", true)
|
||||
.put(testSettings)
|
||||
.put("path.home", createTempDir()).build();
|
||||
Environment env = TestEnvironment.newEnvironment(settings);
|
||||
licenseState = new TestUtils.UpdatableLicenseState();
|
||||
licenseState = new TestUtils.UpdatableLicenseState(settings);
|
||||
SSLService sslService = new SSLService(settings, env);
|
||||
security = new Security(settings, null, Arrays.asList(extensions)) {
|
||||
@Override
|
||||
|
@ -67,6 +67,7 @@ public class SecurityActionFilterTests extends ESTestCase {
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isStatsAndHealthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
threadContext = new ThreadContext(Settings.EMPTY);
|
||||
when(threadPool.getThreadContext()).thenReturn(threadContext);
|
||||
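Review bot: The only change to this test class is the `when(licenseState.isSecurityEnabled()).thenReturn(true)` stub in the setup, so the new branch in SecurityActionFilter (security action, security not enabled, trial license) has no test in this commit as shown. A case that stubs `isSecurityEnabled()` to false and `isTrialLicense()` to true, then asserts that the listener fails with the "Security must be explicitly enabled" message, would pin the new error path. A second case asserting that a non-security action reaches `chain.proceed` with security disabled would pin the unauthenticated pass-through. IndicesAliasesRequestInterceptorTests and ResizeRequestInterceptorTests likewise only add the `true` stub and do not cover the new early return. The setup method starts outside the hunk.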
|
@ -35,6 +35,7 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
|
||||
|
||||
public void testInterceptorThrowsWhenFLSDLSEnabled() {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
@ -80,6 +81,7 @@ public class IndicesAliasesRequestInterceptorTests extends ESTestCase {
|
||||
|
||||
public void testInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
|
@ -37,6 +37,7 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
|
||||
|
||||
public void testResizeRequestInterceptorThrowsWhenFLSDLSEnabled() {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
@ -75,6 +76,7 @@ public class ResizeRequestInterceptorTests extends ESTestCase {
|
||||
|
||||
public void testResizeRequestInterceptorThrowsWhenTargetHasGreaterPermissions() throws Exception {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(true);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
|
||||
ThreadPool threadPool = mock(ThreadPool.class);
|
||||
|
@ -48,6 +48,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
service = new AuditTrailService(Settings.EMPTY, auditTrails, licenseState);
|
||||
isAuditingAllowed = randomBoolean();
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuditingAllowed()).thenReturn(isAuditingAllowed);
|
||||
token = mock(AuthenticationToken.class);
|
||||
message = mock(TransportMessage.class);
|
||||
@ -57,6 +58,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
public void testAuthenticationFailed() throws Exception {
|
||||
service.authenticationFailed(token, "_action", message);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(token, "_action", message);
|
||||
@ -69,6 +71,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
public void testAuthenticationFailedNoToken() throws Exception {
|
||||
service.authenticationFailed("_action", message);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed("_action", message);
|
||||
@ -81,6 +84,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
public void testAuthenticationFailedRestNoToken() throws Exception {
|
||||
service.authenticationFailed(restRequest);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(restRequest);
|
||||
@ -93,6 +97,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
public void testAuthenticationFailedRest() throws Exception {
|
||||
service.authenticationFailed(token, restRequest);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed(token, restRequest);
|
||||
@ -105,6 +110,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
public void testAuthenticationFailedRealm() throws Exception {
|
||||
service.authenticationFailed("_realm", token, "_action", message);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed("_realm", token, "_action", message);
|
||||
@ -117,6 +123,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
public void testAuthenticationFailedRestRealm() throws Exception {
|
||||
service.authenticationFailed("_realm", token, restRequest);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationFailed("_realm", token, restRequest);
|
||||
@ -129,6 +136,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
public void testAnonymousAccess() throws Exception {
|
||||
service.anonymousAccessDenied("_action", message);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).anonymousAccessDenied("_action", message);
|
||||
@ -144,6 +152,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
String[] roles = new String[] { randomAlphaOfLengthBetween(1, 6) };
|
||||
service.accessGranted(authentication, "_action", message, roles);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).accessGranted(authentication, "_action", message, roles);
|
||||
@ -159,6 +168,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
String[] roles = new String[] { randomAlphaOfLengthBetween(1, 6) };
|
||||
service.accessDenied(authentication, "_action", message, roles);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).accessDenied(authentication, "_action", message, roles);
|
||||
@ -173,6 +183,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
SecurityIpFilterRule rule = randomBoolean() ? SecurityIpFilterRule.ACCEPT_ALL : IPFilter.DEFAULT_PROFILE_ACCEPT_ALL;
|
||||
service.connectionGranted(inetAddress, "client", rule);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).connectionGranted(inetAddress, "client", rule);
|
||||
@ -187,6 +198,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
SecurityIpFilterRule rule = new SecurityIpFilterRule(false, "_all");
|
||||
service.connectionDenied(inetAddress, "client", rule);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).connectionDenied(inetAddress, "client", rule);
|
||||
@ -201,6 +213,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
String realm = "_realm";
|
||||
service.authenticationSuccess(realm, user, restRequest);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationSuccess(realm, user, restRequest);
|
||||
@ -215,6 +228,7 @@ public class AuditTrailServiceTests extends ESTestCase {
|
||||
String realm = "_realm";
|
||||
service.authenticationSuccess(realm, user, "_action", message);
|
||||
verify(licenseState).isAuditingAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (isAuditingAllowed) {
|
||||
for (AuditTrail auditTrail : auditTrails) {
|
||||
verify(auditTrail).authenticationSuccess(realm, user, "_action", message);
|
||||
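Review bot: The setup hunk fixes `isSecurityEnabled()` at `true` while `isAuditingAllowed` stays random, so every `verify(licenseState).isSecurityEnabled()` added below only checks that the flag was read, never that a disabled state suppresses audit events. Switching security off now appears to switch auditing off as well, and that path deserves a direct assertion: a test with `when(licenseState.isSecurityEnabled()).thenReturn(false);`, a call such as `service.authenticationFailed(token, "_action", message);`, and then `verifyZeroInteractions(auditTrails.toArray());`. If the flag were instead randomised in setup, the unconditional `verify(licenseState).isAuditingAllowed()` lines would depend on the order in which the service evaluates the two flags. The test methods run past the end of each hunk.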
|
@ -152,6 +152,7 @@ public class AuthenticationServiceTests extends ESTestCase {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.allowedRealmType()).thenReturn(XPackLicenseState.AllowedRealmType.ALL);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
realms = new TestRealms(Settings.EMPTY, TestEnvironment.newEnvironment(settings), Collections.<String, Realm.Factory>emptyMap(),
|
||||
licenseState, threadContext, mock(ReservedRealm.class), Arrays.asList(firstRealm, secondRealm),
|
||||
Collections.singletonList(firstRealm));
|
||||
|
@ -63,6 +63,7 @@ public class RealmsTests extends ESTestCase {
|
||||
threadContext = new ThreadContext(Settings.EMPTY);
|
||||
reservedRealm = mock(ReservedRealm.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.allowedRealmType()).thenReturn(AllowedRealmType.ALL);
|
||||
when(reservedRealm.type()).thenReturn(ReservedRealm.TYPE);
|
||||
}
|
||||
|
@ -39,6 +39,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
|
||||
public void testUnlicensed() {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(false);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
AuditTrailService auditTrailService = mock(AuditTrailService.class);
|
||||
@ -48,6 +49,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
SecuritySearchOperationListener listener = new SecuritySearchOperationListener(threadContext, licenseState, auditTrailService);
|
||||
listener.onNewScrollContext(searchContext);
|
||||
listener.validateSearchContext(searchContext, Empty.INSTANCE);
|
||||
verify(licenseState, times(2)).isSecurityEnabled();
|
||||
verify(licenseState, times(2)).isAuthAllowed();
|
||||
verifyZeroInteractions(auditTrailService, searchContext);
|
||||
}
|
||||
@ -58,6 +60,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
final Scroll scroll = new Scroll(TimeValue.timeValueSeconds(2L));
|
||||
testSearchContext.scrollContext().scroll = scroll;
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
AuditTrailService auditTrailService = mock(AuditTrailService.class);
|
||||
@ -72,6 +75,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
assertEquals(scroll, testSearchContext.scrollContext().scroll);
|
||||
|
||||
verify(licenseState).isAuthAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
verifyZeroInteractions(auditTrailService);
|
||||
}
|
||||
|
||||
@ -82,6 +86,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
new Authentication(new User("test", "role"), new RealmRef("realm", "file", "node"), null));
|
||||
testSearchContext.scrollContext().scroll = new Scroll(TimeValue.timeValueSeconds(2L));
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
|
||||
AuditTrailService auditTrailService = mock(AuditTrailService.class);
|
||||
@ -92,6 +97,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
authentication.writeToContext(threadContext);
|
||||
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
|
||||
verify(licenseState).isAuthAllowed();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
verifyZeroInteractions(auditTrailService);
|
||||
}
|
||||
|
||||
@ -102,6 +108,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
authentication.writeToContext(threadContext);
|
||||
listener.validateSearchContext(testSearchContext, Empty.INSTANCE);
|
||||
verify(licenseState, times(2)).isAuthAllowed();
|
||||
verify(licenseState, times(2)).isSecurityEnabled();
|
||||
verifyZeroInteractions(auditTrailService);
|
||||
}
|
||||
|
||||
@ -118,6 +125,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
|
||||
assertEquals(testSearchContext.id(), expected.id());
|
||||
verify(licenseState, times(3)).isAuthAllowed();
|
||||
verify(licenseState, times(3)).isSecurityEnabled();
|
||||
verify(auditTrailService).accessDenied(authentication, "action", request, authentication.getUser().roles());
|
||||
}
|
||||
|
||||
@ -134,6 +142,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
|
||||
listener.validateSearchContext(testSearchContext, request);
|
||||
verify(licenseState, times(4)).isAuthAllowed();
|
||||
verify(licenseState, times(4)).isSecurityEnabled();
|
||||
verifyNoMoreInteractions(auditTrailService);
|
||||
}
|
||||
|
||||
@ -152,6 +161,7 @@ public class SecuritySearchOperationListenerTests extends ESTestCase {
|
||||
expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
|
||||
assertEquals(testSearchContext.id(), expected.id());
|
||||
verify(licenseState, times(5)).isAuthAllowed();
|
||||
verify(licenseState, times(5)).isSecurityEnabled();
|
||||
verify(auditTrailService).accessDenied(authentication, "action", request, authentication.getUser().roles());
|
||||
}
|
||||
}
|
||||
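Review bot: The `verify(licenseState, times(2))` to `times(5)` pairs in the hunks at -102, -118, -134 and -152 are cumulative counts, apparently across successive `validateSearchContext` calls in one test method, so each assertion also encodes how often every earlier call read the licence state. Adding `isSecurityEnabled()` doubles that bookkeeping; `verify(licenseState, atLeastOnce()).isSecurityEnabled();` would state the intent without tying the test to exact call counts. Separately, `testUnlicensed` covers `isAuthAllowed()` false with security enabled but not the reverse combination, which is presumably the one that skips scroll-context validation on a trial licence with default settings. The enclosing test methods start outside these hunks.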
|
@ -23,6 +23,7 @@ import org.elasticsearch.license.License.OperationMode;
|
||||
import org.elasticsearch.license.TestUtils.UpdatableLicenseState;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
|
||||
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor.IndicesPrivileges;
|
||||
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
|
||||
@ -59,6 +60,10 @@ import static org.mockito.Mockito.when;
|
||||
|
||||
public class CompositeRolesStoreTests extends ESTestCase {
|
||||
|
||||
private static final Settings SECURITY_ENABLED_SETTINGS = Settings.builder()
|
||||
.put(XPackSettings.SECURITY_ENABLED.getKey(), true)
|
||||
.build();
|
||||
|
||||
public void testRolesWhenDlsFlsUnlicensed() throws IOException {
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
|
||||
@ -191,8 +196,9 @@ public class CompositeRolesStoreTests extends ESTestCase {
|
||||
final ReservedRolesStore reservedRolesStore = spy(new ReservedRolesStore());
|
||||
|
||||
final CompositeRolesStore compositeRolesStore =
|
||||
new CompositeRolesStore(Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore,
|
||||
Collections.emptyList(), new ThreadContext(Settings.EMPTY), new XPackLicenseState());
|
||||
new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore,
|
||||
Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS),
|
||||
new XPackLicenseState(SECURITY_ENABLED_SETTINGS));
|
||||
verify(fileRolesStore).addListener(any(Runnable.class)); // adds a listener in ctor
|
||||
|
||||
final String roleName = randomAlphaOfLengthBetween(1, 10);
|
||||
@ -268,9 +274,9 @@ public class CompositeRolesStoreTests extends ESTestCase {
|
||||
}));
|
||||
|
||||
final CompositeRolesStore compositeRolesStore =
|
||||
new CompositeRolesStore(Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore,
|
||||
Arrays.asList(inMemoryProvider1, inMemoryProvider2), new ThreadContext(Settings.EMPTY),
|
||||
new XPackLicenseState());
|
||||
new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore,
|
||||
Arrays.asList(inMemoryProvider1, inMemoryProvider2), new ThreadContext(SECURITY_ENABLED_SETTINGS),
|
||||
new XPackLicenseState(SECURITY_ENABLED_SETTINGS));
|
||||
|
||||
final Set<String> roleNames = Sets.newHashSet("roleA", "roleB", "unknown");
|
||||
PlainActionFuture<Role> future = new PlainActionFuture<>();
|
||||
@ -364,9 +370,9 @@ public class CompositeRolesStoreTests extends ESTestCase {
|
||||
(roles, listener) -> listener.onFailure(new Exception("fake failure"));
|
||||
|
||||
final CompositeRolesStore compositeRolesStore =
|
||||
new CompositeRolesStore(Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore,
|
||||
Arrays.asList(inMemoryProvider1, failingProvider), new ThreadContext(Settings.EMPTY),
|
||||
new XPackLicenseState());
|
||||
new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, fileRolesStore, nativeRolesStore, reservedRolesStore,
|
||||
Arrays.asList(inMemoryProvider1, failingProvider), new ThreadContext(SECURITY_ENABLED_SETTINGS),
|
||||
new XPackLicenseState(SECURITY_ENABLED_SETTINGS));
|
||||
|
||||
final Set<String> roleNames = Sets.newHashSet("roleA", "roleB", "unknown");
|
||||
PlainActionFuture<Role> future = new PlainActionFuture<>();
|
||||
@ -402,7 +408,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
|
||||
return descriptors;
|
||||
});
|
||||
|
||||
UpdatableLicenseState xPackLicenseState = new UpdatableLicenseState();
|
||||
UpdatableLicenseState xPackLicenseState = new UpdatableLicenseState(SECURITY_ENABLED_SETTINGS);
|
||||
// these licenses don't allow custom role providers
|
||||
xPackLicenseState.update(randomFrom(OperationMode.BASIC, OperationMode.GOLD, OperationMode.STANDARD), true);
|
||||
CompositeRolesStore compositeRolesStore = new CompositeRolesStore(
|
||||
@ -450,7 +456,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
|
||||
|
||||
CompositeRolesStore compositeRolesStore = new CompositeRolesStore(
|
||||
Settings.EMPTY, mock(FileRolesStore.class), mock(NativeRolesStore.class), mock(ReservedRolesStore.class),
|
||||
Collections.emptyList(), new ThreadContext(Settings.EMPTY), new XPackLicenseState()) {
|
||||
Collections.emptyList(), new ThreadContext(Settings.EMPTY), new XPackLicenseState(SECURITY_ENABLED_SETTINGS)) {
|
||||
@Override
|
||||
public void invalidateAll() {
|
||||
numInvalidation.incrementAndGet();
|
||||
@ -493,9 +499,9 @@ public class CompositeRolesStoreTests extends ESTestCase {
|
||||
public void testCacheClearOnIndexOutOfDateChange() {
|
||||
final AtomicInteger numInvalidation = new AtomicInteger(0);
|
||||
|
||||
CompositeRolesStore compositeRolesStore = new CompositeRolesStore(
|
||||
Settings.EMPTY, mock(FileRolesStore.class), mock(NativeRolesStore.class), mock(ReservedRolesStore.class),
|
||||
Collections.emptyList(), new ThreadContext(Settings.EMPTY), new XPackLicenseState()) {
|
||||
CompositeRolesStore compositeRolesStore = new CompositeRolesStore(SECURITY_ENABLED_SETTINGS, mock(FileRolesStore.class),
|
||||
mock(NativeRolesStore.class), mock(ReservedRolesStore.class),
|
||||
Collections.emptyList(), new ThreadContext(SECURITY_ENABLED_SETTINGS), new XPackLicenseState(SECURITY_ENABLED_SETTINGS)) {
|
||||
@Override
|
||||
public void invalidateAll() {
|
||||
numInvalidation.incrementAndGet();
|
||||
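Review bot: In the hunk at -450,7 +456,7 the store is still built with `Settings.EMPTY` for both its own settings and the `ThreadContext`, and only the licence state receives `SECURITY_ENABLED_SETTINGS`; the other constructions visible in this section pass the constant in all three places. If the store reads the security setting from its own `Settings` argument, this test runs a mixed configuration that the others do not. For consistency the first argument line would read `SECURITY_ENABLED_SETTINGS, mock(FileRolesStore.class), mock(NativeRolesStore.class), mock(ReservedRolesStore.class),` with `new ThreadContext(SECURITY_ENABLED_SETTINGS)` on the next, as `testCacheClearOnIndexOutOfDateChange` does. The test method starts before the hunk.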
|
@ -63,7 +63,7 @@ public class FileRolesStoreTests extends ESTestCase {
|
||||
Path path = getDataPath("roles.yml");
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.builder()
|
||||
.put(XPackSettings.DLS_FLS_ENABLED.getKey(), true)
|
||||
.build(), new XPackLicenseState());
|
||||
.build(), new XPackLicenseState(Settings.EMPTY));
|
||||
assertThat(roles, notNullValue());
|
||||
assertThat(roles.size(), is(9));
|
||||
|
||||
@ -240,7 +240,7 @@ public class FileRolesStoreTests extends ESTestCase {
|
||||
Logger logger = CapturingLogger.newCapturingLogger(Level.ERROR);
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.builder()
|
||||
.put(XPackSettings.DLS_FLS_ENABLED.getKey(), false)
|
||||
.build(), new XPackLicenseState());
|
||||
.build(), new XPackLicenseState(Settings.EMPTY));
|
||||
assertThat(roles, notNullValue());
|
||||
assertThat(roles.size(), is(6));
|
||||
assertThat(roles.get("role_fields"), nullValue());
|
||||
@ -291,7 +291,7 @@ public class FileRolesStoreTests extends ESTestCase {
|
||||
public void testDefaultRolesFile() throws Exception {
|
||||
// TODO we should add the config dir to the resources so we don't copy this stuff around...
|
||||
Path path = getDataPath("default_roles.yml");
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState());
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState(Settings.EMPTY));
|
||||
assertThat(roles, notNullValue());
|
||||
assertThat(roles.size(), is(0));
|
||||
}
|
||||
@ -317,7 +317,8 @@ public class FileRolesStoreTests extends ESTestCase {
|
||||
threadPool = new TestThreadPool("test");
|
||||
watcherService = new ResourceWatcherService(settings, threadPool);
|
||||
final CountDownLatch latch = new CountDownLatch(1);
|
||||
FileRolesStore store = new FileRolesStore(settings, env, watcherService, latch::countDown, new XPackLicenseState());
|
||||
FileRolesStore store = new FileRolesStore(settings, env, watcherService, latch::countDown,
|
||||
new XPackLicenseState(Settings.EMPTY));
|
||||
|
||||
Set<RoleDescriptor> descriptors = store.roleDescriptors(Collections.singleton("role1"));
|
||||
assertThat(descriptors, notNullValue());
|
||||
@ -361,14 +362,14 @@ public class FileRolesStoreTests extends ESTestCase {
|
||||
public void testThatEmptyFileDoesNotResultInLoop() throws Exception {
|
||||
Path file = createTempFile();
|
||||
Files.write(file, Collections.singletonList("#"), StandardCharsets.UTF_8);
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(file, logger, Settings.EMPTY, new XPackLicenseState());
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(file, logger, Settings.EMPTY, new XPackLicenseState(Settings.EMPTY));
|
||||
assertThat(roles.keySet(), is(empty()));
|
||||
}
|
||||
|
||||
public void testThatInvalidRoleDefinitions() throws Exception {
|
||||
Path path = getDataPath("invalid_roles.yml");
|
||||
Logger logger = CapturingLogger.newCapturingLogger(Level.ERROR);
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState());
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState(Settings.EMPTY));
|
||||
assertThat(roles.size(), is(1));
|
||||
assertThat(roles, hasKey("valid_role"));
|
||||
RoleDescriptor descriptor = roles.get("valid_role");
|
||||
@ -410,7 +411,7 @@ public class FileRolesStoreTests extends ESTestCase {
|
||||
Logger logger = CapturingLogger.newCapturingLogger(Level.INFO);
|
||||
|
||||
Path path = getDataPath("reserved_roles.yml");
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState());
|
||||
Map<String, RoleDescriptor> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, new XPackLicenseState(Settings.EMPTY));
|
||||
assertThat(roles, notNullValue());
|
||||
assertThat(roles.size(), is(1));
|
||||
|
||||
@ -442,7 +443,7 @@ public class FileRolesStoreTests extends ESTestCase {
|
||||
.put(XPackSettings.DLS_FLS_ENABLED.getKey(), flsDlsEnabled)
|
||||
.build();
|
||||
Environment env = TestEnvironment.newEnvironment(settings);
|
||||
FileRolesStore store = new FileRolesStore(settings, env, mock(ResourceWatcherService.class), new XPackLicenseState());
|
||||
FileRolesStore store = new FileRolesStore(settings, env, mock(ResourceWatcherService.class), new XPackLicenseState(Settings.EMPTY));
|
||||
|
||||
Map<String, Object> usageStats = store.usageStats();
|
||||
|
||||
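Review bot: Every call here builds the licence state from `Settings.EMPTY`, even where the test passes different settings to the code under test, for example the `DLS_FLS_ENABLED` builder in the hunks at -63 and -240 and the local `settings` in the hunks at -317 and -442. CompositeRolesStoreTests in the same commit uses a settings object with `XPackSettings.SECURITY_ENABLED` set to true, so the two role-store suites now run against different licence-state configurations with no comment explaining why. Where a `settings` local exists, `new XPackLicenseState(settings)` keeps the licence state in step with the store. Elsewhere a short comment such as `// default licence state is enough here: role parsing is assumed not to depend on security being enabled` would record the assumption, if it holds.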
|
@ -86,7 +86,7 @@ public class NativeRolesStoreTests extends ESTestCase {
|
||||
byte[] bytes = Files.readAllBytes(path);
|
||||
String roleString = new String(bytes, Charset.defaultCharset());
|
||||
RoleDescriptor role = NativeRolesStore.transformRole(RoleDescriptor.ROLE_TYPE + "role1",
|
||||
new BytesArray(roleString), logger, new XPackLicenseState());
|
||||
new BytesArray(roleString), logger, new XPackLicenseState(Settings.EMPTY));
|
||||
assertNotNull(role);
|
||||
assertNotNull(role.getIndicesPrivileges());
|
||||
RoleDescriptor.IndicesPrivileges indicesPrivileges = role.getIndicesPrivileges()[0];
|
||||
|
@ -59,6 +59,7 @@ public class SecurityRestFilterTests extends ESTestCase {
|
||||
channel = mock(RestChannel.class);
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
restHandler = mock(RestHandler.class);
|
||||
filter = new SecurityRestFilter(licenseState,
|
||||
new ThreadContext(Settings.EMPTY), authcService, restHandler, false);
|
||||
|
@ -27,7 +27,8 @@ public class SecurityBaseRestHandlerTests extends ESTestCase {
|
||||
final boolean securityEnabled = randomBoolean();
|
||||
final AtomicBoolean consumerCalled = new AtomicBoolean(false);
|
||||
final XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isAuthAllowed()).thenReturn(securityEnabled);
|
||||
when(licenseState.isSecurityAvailable()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(securityEnabled);
|
||||
SecurityBaseRestHandler handler = new SecurityBaseRestHandler(Settings.EMPTY, licenseState) {
|
||||
|
||||
@Override
|
||||
@ -52,7 +53,8 @@ public class SecurityBaseRestHandlerTests extends ESTestCase {
|
||||
verifyZeroInteractions(licenseState);
|
||||
handler.handleRequest(fakeRestRequest, fakeRestChannel, client);
|
||||
|
||||
verify(licenseState).isAuthAllowed();
|
||||
verify(licenseState).isSecurityAvailable();
|
||||
verify(licenseState).isSecurityEnabled();
|
||||
if (securityEnabled) {
|
||||
assertTrue(consumerCalled.get());
|
||||
assertEquals(0, fakeRestChannel.responses().get());
|
||||
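Review bot: `isSecurityAvailable()` is stubbed to a constant `true`, so the random `securityEnabled` flag now exercises only the enabled/disabled split and the path where the licence does not permit security is no longer driven by this test. Before the change the single `isAuthAllowed()` stub apparently covered the rejection case through the same boolean. Randomising the two independently would cover both rejection reasons: `final boolean securityAvailable = randomBoolean();` with `when(licenseState.isSecurityAvailable()).thenReturn(securityAvailable);` and `if (securityAvailable && securityEnabled)` around the success assertions. The `verify(licenseState).isSecurityEnabled()` line would then need to allow for short-circuiting. The test method extends beyond both hunks.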
|
@ -5,37 +5,52 @@
|
||||
*/
|
||||
package org.elasticsearch.xpack.security.rest.action.saml;
|
||||
|
||||
import org.elasticsearch.ElasticsearchException;
|
||||
import org.elasticsearch.client.node.NodeClient;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.license.License;
|
||||
import org.elasticsearch.license.LicenseUtils;
|
||||
import org.elasticsearch.license.TestUtils;
|
||||
import org.elasticsearch.rest.RestRequest;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.test.rest.FakeRestRequest;
|
||||
import org.elasticsearch.xpack.core.XPackSettings;
|
||||
import org.hamcrest.Matchers;
|
||||
|
||||
import static org.hamcrest.Matchers.contains;
|
||||
import static org.hamcrest.Matchers.instanceOf;
|
||||
|
||||
public class SamlBaseRestHandlerTests extends ESTestCase {
|
||||
|
||||
public void testSamlAvailableOnTrialAndPlatinum() {
|
||||
final SamlBaseRestHandler handler = buildHandler(randomFrom(License.OperationMode.TRIAL, License.OperationMode.PLATINUM));
|
||||
assertThat(handler.checkLicensedFeature(new FakeRestRequest()), Matchers.nullValue());
|
||||
assertThat(handler.checkFeatureAvailable(new FakeRestRequest()), Matchers.nullValue());
|
||||
}
|
||||
|
||||
public void testSecurityNotAvailableOnBasic() {
|
||||
final SamlBaseRestHandler handler = buildHandler(License.OperationMode.BASIC);
|
||||
assertThat(handler.checkLicensedFeature(new FakeRestRequest()), Matchers.equalTo("security"));
|
||||
Exception e = handler.checkFeatureAvailable(new FakeRestRequest());
|
||||
assertThat(e, instanceOf(ElasticsearchException.class));
|
||||
ElasticsearchException elasticsearchException = (ElasticsearchException) e;
|
||||
assertThat(elasticsearchException.getMetadata(LicenseUtils.EXPIRED_FEATURE_METADATA), contains("security"));
|
||||
}
|
||||
|
||||
public void testSamlNotAvailableOnStandardOrGold() {
|
||||
final SamlBaseRestHandler handler = buildHandler(randomFrom(License.OperationMode.STANDARD, License.OperationMode.GOLD));
|
||||
assertThat(handler.checkLicensedFeature(new FakeRestRequest()), Matchers.equalTo("saml"));
|
||||
Exception e = handler.checkFeatureAvailable(new FakeRestRequest());
|
||||
assertThat(e, instanceOf(ElasticsearchException.class));
|
||||
ElasticsearchException elasticsearchException = (ElasticsearchException) e;
|
||||
assertThat(elasticsearchException.getMetadata(LicenseUtils.EXPIRED_FEATURE_METADATA), contains("saml"));
|
||||
}
|
||||
|
||||
private SamlBaseRestHandler buildHandler(License.OperationMode licenseMode) {
|
||||
final TestUtils.UpdatableLicenseState licenseState = new TestUtils.UpdatableLicenseState();
|
||||
final Settings settings = Settings.builder()
|
||||
.put(XPackSettings.SECURITY_ENABLED.getKey(), true)
|
||||
.build();
|
||||
final TestUtils.UpdatableLicenseState licenseState = new TestUtils.UpdatableLicenseState(settings);
|
||||
licenseState.update(licenseMode, true);
|
||||
|
||||
return new SamlBaseRestHandler(Settings.EMPTY, licenseState) {
|
||||
return new SamlBaseRestHandler(settings, licenseState) {
|
||||
|
||||
@Override
|
||||
public String getName() {
|
||||
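Review bot: `buildHandler` now always sets `XPackSettings.SECURITY_ENABLED` to true, so `testSamlAvailableOnTrialAndPlatinum` passes for a trial licence only with the explicit opt-in, and nothing asserts what `checkFeatureAvailable` returns on a trial licence with default settings. That combination is the behaviour the commit description introduces, and it decides whether the SAML endpoints answer on a cluster whose security is off. A variant such as `buildHandler(License.OperationMode.TRIAL, Settings.EMPTY)` with an assertion on the returned exception would cover it; this needs a `Settings` parameter on `buildHandler`. The anonymous handler class at the end of the hunk continues outside it.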
|
@ -65,6 +65,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
||||
securityContext = spy(new SecurityContext(settings, threadPool.getThreadContext()));
|
||||
xPackLicenseState = mock(XPackLicenseState.class);
|
||||
when(xPackLicenseState.isAuthAllowed()).thenReturn(true);
|
||||
when(xPackLicenseState.isSecurityEnabled()).thenReturn(true);
|
||||
}
|
||||
|
||||
public void testSendAsyncUnlicensed() {
|
||||
@ -86,6 +87,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
||||
sender.sendRequest(null, null, null, null, null);
|
||||
assertTrue(calledWrappedSender.get());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
verifyZeroInteractions(securityContext);
|
||||
}
|
||||
@ -119,6 +121,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
||||
assertEquals(user, sendingUser.get());
|
||||
assertEquals(user, securityContext.getUser());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
@ -155,6 +158,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
||||
assertEquals(SystemUser.INSTANCE, sendingUser.get());
|
||||
assertEquals(user, securityContext.getUser());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verify(securityContext).executeAsUser(any(User.class), any(Consumer.class), eq(Version.CURRENT));
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
@ -184,6 +188,7 @@ public class SecurityServerTransportInterceptorTests extends ESTestCase {
|
||||
assertEquals("there should always be a user when sending a message for action [indices:foo]", e.getMessage());
|
||||
assertNull(securityContext.getUser());
|
||||
verify(xPackLicenseState).isAuthAllowed();
|
||||
verify(xPackLicenseState).isSecurityEnabled();
|
||||
verify(securityContext, never()).executeAsUser(any(User.class), any(Consumer.class), any(Version.class));
|
||||
verifyNoMoreInteractions(xPackLicenseState);
|
||||
}
|
||||
|
@ -110,6 +110,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
||||
.put("discovery.zen.ping.unicast.hosts", unicastHost)
|
||||
.put("discovery.zen.minimum_master_nodes",
|
||||
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
|
||||
.put("xpack.security.enabled", true)
|
||||
.put("xpack.security.audit.enabled", false)
|
||||
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
|
||||
.put("path.home", home)
|
||||
@ -146,6 +147,7 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
|
||||
.put("discovery.zen.ping.unicast.hosts", unicastHost)
|
||||
.put("discovery.zen.minimum_master_nodes",
|
||||
internalCluster().getInstance(Settings.class).get("discovery.zen.minimum_master_nodes"))
|
||||
.put("xpack.security.enabled", true)
|
||||
.put("xpack.security.audit.enabled", false)
|
||||
.put(XPackSettings.WATCHER_ENABLED.getKey(), false)
|
||||
.put(NetworkModule.HTTP_ENABLED.getKey(), false)
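Review bot: The added `.put("xpack.security.enabled", true)` spells the setting key as a string literal, while two lines below the Watcher flag is set through `XPackSettings.WATCHER_ENABLED.getKey()`; the identical line in the second hunk has the same issue. Writing it as `.put(XPackSettings.SECURITY_ENABLED.getKey(), true)` ties the test to the setting definition, so a renamed key becomes a compile error. This matters more after this commit because, per the commit description, these nodes now depend on the explicit flag for security to be active. Both builder chains begin and end outside their hunks.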
|
||||
|
@ -53,6 +53,7 @@ public class IPFilterTests extends ESTestCase {
|
||||
public void init() {
|
||||
licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
auditTrail = mock(AuditTrailService.class);
|
||||
clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(
|
||||
IPFilter.HTTP_FILTER_ALLOW_SETTING,
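Review bot: With `when(licenseState.isSecurityEnabled()).thenReturn(true);` added to `init()`, every test in this class starts from the security-enabled state, and nothing visible here exercises the filter when that call returns false. The commit description says a trial-licensed node has security disabled unless it is enabled explicitly. A test that stubs `when(licenseState.isSecurityEnabled()).thenReturn(false);` and asserts the resulting accept/deny decision would pin down whether IP filtering is bypassed in that state. The same stub is added in IpFilterRemoteAddressFilterTests, which leaves the same case uncovered. `init()` continues past the end of the hunk, so such a test may already exist outside the visible lines.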
|
||||
|
@ -15,9 +15,7 @@ import org.elasticsearch.common.transport.TransportAddress;
|
||||
import org.elasticsearch.http.HttpServerTransport;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
import org.elasticsearch.transport.TcpTransport;
|
||||
import org.elasticsearch.transport.Transport;
|
||||
import org.elasticsearch.xpack.security.Security;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
|
||||
import org.junit.Before;
|
||||
@ -59,6 +57,7 @@ public class IpFilterRemoteAddressFilterTests extends ESTestCase {
|
||||
IPFilter.PROFILE_FILTER_DENY_SETTING)));
|
||||
XPackLicenseState licenseState = mock(XPackLicenseState.class);
|
||||
when(licenseState.isIpFilteringAllowed()).thenReturn(true);
|
||||
when(licenseState.isSecurityEnabled()).thenReturn(true);
|
||||
AuditTrailService auditTrailService = new AuditTrailService(settings, Collections.emptyList(), licenseState);
|
||||
IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
|
||||
ipFilter.setBoundTransportAddress(transport.boundAddress(), transport.profileBoundAddresses());
|
||||
|
@ -25,6 +25,7 @@ import org.elasticsearch.env.NodeEnvironment;
|
||||
import org.elasticsearch.index.reindex.BulkByScrollResponse;
|
||||
import org.elasticsearch.index.reindex.ReindexAction;
|
||||
import org.elasticsearch.index.reindex.ReindexPlugin;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.plugins.ActionPlugin;
|
||||
import org.elasticsearch.plugins.Plugin;
|
||||
import org.elasticsearch.plugins.PluginsService;
|
||||
@ -119,7 +120,7 @@ public class IndexUpgradeTasksIT extends ESIntegTestCase {
|
||||
ResourceWatcherService resourceWatcherService, ScriptService scriptService,
|
||||
NamedXContentRegistry xContentRegistry, Environment environment,
|
||||
NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry) {
|
||||
return Collections.singletonList(new IndexUpgradeService(settings, Collections.singletonList(
|
||||
return Arrays.asList(new IndexUpgradeService(settings, Collections.singletonList(
|
||||
new IndexUpgradeCheck("test", settings,
|
||||
new Function<IndexMetaData, UpgradeActionRequired>() {
|
||||
@Override
|
||||
@ -137,7 +138,7 @@ public class IndexUpgradeTasksIT extends ESIntegTestCase {
|
||||
},
|
||||
client, clusterService, Strings.EMPTY_ARRAY,
|
||||
new Script(ScriptType.INLINE, NAME, "block", Collections.emptyMap()))
|
||||
)));
|
||||
)), new XPackLicenseState(settings));
|
||||
}
|
||||
|
||||
@Override
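Review bot: The second element now returned from this component list, `new XPackLicenseState(settings)`, has no comment saying why the test plugin registers it. It is presumably there so that something built by injection can receive a license state, though the consumer is not visible in either hunk. A one-line comment such as `// registered so that injected components that take an XPackLicenseState can be built` would record the reason. Nothing visible updates this instance after construction, so it appears to keep whatever the constructor derives from `settings`. The enclosing method starts above the first hunk, and part of the anonymous `Function` lies between the two hunks.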
|
||||
|
@ -76,7 +76,7 @@ public class TransportPutWatchActionTests extends ESTestCase {
|
||||
|
||||
action = new TransportPutWatchAction(Settings.EMPTY, transportService, threadPool,
|
||||
new ActionFilters(Collections.emptySet()), new IndexNameExpressionResolver(Settings.EMPTY), new ClockMock(),
|
||||
new XPackLicenseState(), parser, client);
|
||||
new XPackLicenseState(Settings.EMPTY), parser, client);
|
||||
}
|
||||
|
||||
public void testHeadersAreFilteredWhenPuttingWatches() throws Exception {
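Review bot: The license state handed to the action, `new XPackLicenseState(Settings.EMPTY)`, is a real instance built from empty settings, so the header-filtering test that follows may depend on that class's defaults, which this commit changes for trial licenses. Whether the action consults the license state before filtering is not visible in this hunk. If it does, a mock with the relevant answers stubbed would make the precondition explicit, for example `XPackLicenseState licenseState = mock(XPackLicenseState.class);` followed by `when(licenseState.isSecurityEnabled()).thenReturn(true);` as IPFilterTests does. Otherwise the test could stop exercising the filtering path without failing. The setup method starts above the hunk.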
|
||||
|
@ -20,6 +20,7 @@ integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.audit.enabled', 'true'
|
||||
setting 'xpack.security.audit.outputs', 'index'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
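Review bot: The added `setting 'xpack.security.enabled', 'true'` carries no comment, and this block also selects `'xpack.license.self_generated.type', 'trial'`, the license type for which the commit description says security is now off unless enabled explicitly. A reader who later removes the line as redundant would, on that description, leave the audit settings below it running against a cluster without security. A comment above it such as `// trial licenses no longer turn security on; enable it explicitly` is worth adding. The same uncommented line is added to the other `integTestCluster`, `remoteClusterTestCluster`, `mixedClusterTestCluster` and `subprojects` blocks in the build files that follow. The `integTestCluster` block starts before the hunk and continues after it.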
|
||||
|
@ -23,6 +23,7 @@ integTestRunner {
|
||||
|
||||
integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.watcher.enabled', 'false'
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
|
@ -154,6 +154,7 @@ subprojects {
|
||||
// debug logging for testRecovery see https://github.com/elastic/x-pack-elasticsearch/issues/2691
|
||||
setting 'logger.level', 'DEBUG'
|
||||
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.transport.ssl.enabled', 'true'
|
||||
setting 'xpack.ssl.keystore.path', 'testnode.jks'
|
||||
setting 'xpack.ssl.keystore.password', 'testnode'
|
||||
@ -203,7 +204,7 @@ subprojects {
|
||||
|
||||
// some tests rely on the translog not being flushed
|
||||
setting 'indices.memory.shard_inactive_time', '20m'
|
||||
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.ssl.keystore.path', 'testnode.jks'
|
||||
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
|
@ -51,6 +51,7 @@ processTestResources.dependsOn(createNodeKeyStore)
|
||||
|
||||
integTestCluster {
|
||||
dependsOn createNodeKeyStore
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.ml.enabled', 'true'
|
||||
setting 'logger.org.elasticsearch.xpack.ml.datafeed', 'TRACE'
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
|
@ -16,6 +16,7 @@ remoteClusterTestCluster {
|
||||
clusterName = 'remote-cluster'
|
||||
setting 'search.remote.connect', false
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.watcher.enabled', 'false'
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
@ -43,6 +44,7 @@ task mixedClusterTest(type: RestIntegTestTask) {}
|
||||
mixedClusterTestCluster {
|
||||
dependsOn remoteClusterTestRunner
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.watcher.enabled', 'false'
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
|
@ -9,6 +9,7 @@ integTestCluster {
|
||||
numNodes = 2
|
||||
clusterName = 'multi-node'
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.watcher.enabled', 'false'
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
|
@ -12,6 +12,7 @@ integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
// Whitelist reindexing from the local node so we can test it.
|
||||
setting 'reindex.remote.whitelist', '127.0.0.1:*'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
extraConfigFile 'x-pack/roles.yml', 'roles.yml'
|
||||
|
@ -135,6 +135,7 @@ subprojects {
|
||||
setting 'xpack.monitoring.exporters._http.auth.username', 'test_user'
|
||||
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.transport.ssl.enabled', 'true'
|
||||
setting 'xpack.security.authc.token.enabled', 'true'
|
||||
setting 'xpack.security.audit.enabled', 'true'
|
||||
@ -179,6 +180,8 @@ subprojects {
|
||||
setting 'xpack.monitoring.exporters._http.enabled', 'false'
|
||||
setting 'xpack.monitoring.exporters._http.auth.username', 'test_user'
|
||||
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.transport.ssl.enabled', 'true'
|
||||
setting 'xpack.ssl.keystore.path', 'testnode.jks'
|
||||
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
|
||||
@ -219,6 +222,7 @@ subprojects {
|
||||
setting 'xpack.monitoring.exporters._http.auth.username', 'test_user'
|
||||
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.transport.ssl.enabled', 'true'
|
||||
setting 'xpack.ssl.keystore.path', 'testnode.jks'
|
||||
keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
|
||||
|
@ -33,6 +33,7 @@ integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.http.ssl.enabled', 'false'
|
||||
setting 'xpack.security.authc.token.enabled', 'true'
|
||||
setting 'xpack.security.authc.realms.file.type', 'file'
|
||||
|
@ -20,6 +20,7 @@ integTestRunner {
|
||||
|
||||
integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setupCommand 'setupDummyUser',
|
||||
|
@ -27,6 +27,7 @@ integTestCluster {
|
||||
setting 'xpack.security.authc.realms.esusers.type', 'file'
|
||||
setting 'xpack.security.authc.realms.native.type', 'native'
|
||||
setting 'xpack.security.authc.realms.native.order', '2'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
|
@ -9,6 +9,7 @@ dependencies {
|
||||
|
||||
integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
extraConfigFile 'x-pack/roles.yml', 'roles.yml'
|
||||
[
|
||||
|
@ -15,6 +15,7 @@ integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
setupCommand 'setupTestAdmin',
|
||||
'bin/x-pack/users', 'useradd', "test_admin", '-p', 'x-pack-test-password', '-r', "superuser"
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
waitCondition = { node, ant ->
|
||||
File tmpFile = new File(node.cwd, 'wait.success')
|
||||
|
@ -23,6 +23,7 @@ integTestCluster {
|
||||
setupCommand 'setupPowerlessUser',
|
||||
'bin/x-pack/users', 'useradd', 'no_graph_explorer', '-p', 'x-pack-test-password', '-r', 'no_graph_explorer'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
waitCondition = { node, ant ->
|
||||
File tmpFile = new File(node.cwd, 'wait.success')
|
||||
ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
|
||||
|
@ -105,6 +105,7 @@ integTestCluster {
|
||||
setupCommand 'setupPowerlessUser',
|
||||
'bin/x-pack/users', 'useradd', 'no_ml', '-p', 'x-pack-test-password', '-r', 'minimal'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
waitCondition = { node, ant ->
|
||||
File tmpFile = new File(node.cwd, 'wait.success')
|
||||
ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
|
||||
|
@ -182,6 +182,7 @@ integTestCluster {
|
||||
setting 'xpack.monitoring.exporters._http.auth.password', 'x-pack-test-password'
|
||||
setting 'xpack.monitoring.exporters._http.ssl.verification_mode', 'full'
|
||||
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.security.http.ssl.enabled', 'true'
|
||||
setting 'xpack.security.http.ssl.keystore.path', nodeKeystore.name
|
||||
keystoreSetting 'xpack.security.http.ssl.keystore.secure_password', 'keypass'
|
||||
|
@ -22,7 +22,7 @@ project.rootProject.subprojects.findAll { it.path.startsWith(':plugins:') }.each
|
||||
|
||||
integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setupCommand 'setupDummyUser',
|
||||
'bin/x-pack/users', 'useradd', 'test_user', '-p', 'x-pack-test-password', '-r', 'superuser'
|
||||
waitCondition = { node, ant ->
|
||||
|
@ -11,6 +11,7 @@ integTestCluster {
|
||||
plugin xpackProject('plugin').path
|
||||
setting 'xpack.watcher.enabled', 'false'
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
setting 'xpack.license.self_generated.type', 'trial'
|
||||
setupCommand 'setupDummyUser',
|
||||
'bin/x-pack/users', 'useradd', 'test_admin', '-p', 'x-pack-test-password', '-r', 'superuser'
|
||||
|
@ -22,6 +22,7 @@ integTestCluster {
|
||||
dependsOn copyWatcherRestTests
|
||||
setting 'xpack.monitoring.enabled', 'false'
|
||||
setting 'xpack.ml.enabled', 'false'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
// settings to test settings filtering on
|
||||
setting 'xpack.notification.email.account._email.smtp.host', 'host.domain'
|
||||
setting 'xpack.notification.email.account._email.smtp.port', '587'
|
||||
|
@ -25,6 +25,7 @@ subprojects {
|
||||
// Setup auditing so we can use it in some tests
|
||||
setting 'xpack.security.audit.enabled', 'true'
|
||||
setting 'xpack.security.audit.outputs', 'logfile'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
// Setup roles used by tests
|
||||
extraConfigFile 'x-pack/roles.yml', '../roles.yml'
|
||||
/* Setup the one admin user that we run the tests as.
|
||||
@ -43,6 +44,7 @@ subprojects {
|
||||
// Setup auditing so we can use it in some tests
|
||||
setting 'xpack.security.audit.enabled', 'true'
|
||||
setting 'xpack.security.audit.outputs', 'logfile'
|
||||
setting 'xpack.security.enabled', 'true'
|
||||
// Setup roles used by tests
|
||||
extraConfigFile 'x-pack/roles.yml', '../roles.yml'
|
||||
/* Setup the one admin user that we run the tests as.
|
||||
|