honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

allow extensions to define settings filter 

This change allows extensions to define their own filtered settings. This is used when there
may be sensitive credentials stored in a custom realm that should be filtered out of some
API calls.

Closes elastic/elasticsearch#2847

Original commit: elastic/x-pack-elasticsearch@952474daba
This commit is contained in:
jaymode 2016-08-29 15:18:08 -04:00
parent 473728afb4
commit bb4777b7d6
5 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
elasticsearch/qa/security-example-realm/build.gradle
View File

@ -46,6 +46,7 @@ task integTest(type: org.elasticsearch.gradle.test.RestIntegTestTask, dependsOn:
plugin ':x-plugins:elasticsearch:x-pack'
setting 'xpack.security.authc.realms.custom.order', '0'
setting 'xpack.security.authc.realms.custom.type', 'custom'
setting 'xpack.security.authc.realms.custom.filtered_setting', 'should be filtered'
setting 'xpack.security.authc.realms.esusers.order', '1'
setting 'xpack.security.authc.realms.esusers.type', 'file'

6
elasticsearch/qa/security-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java
View File

@ -16,6 +16,7 @@ import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
public class ExampleRealmExtension extends XPackExtension {
@ -52,4 +53,9 @@ public class ExampleRealmExtension extends XPackExtension {
public Collection<String> getRestHeaders() {
return Arrays.asList(CustomRealm.USER_HEADER, CustomRealm.PW_HEADER);
}
@Override
public List<String> getSettingsFilter() {
return Collections.singletonList("xpack.security.authc.realms.*.filtered_setting");
}
}

10
elasticsearch/qa/security-example-realm/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java
View File

@ -108,4 +108,14 @@ public class CustomRealmIT extends ESIntegTestCase {
// expected
}
}
public void testSettingsFiltering() throws Exception {
NodesInfoResponse nodeInfos = client().admin().cluster().prepareNodesInfo().clear().setSettings(true).get();
for(NodeInfo info : nodeInfos.getNodes()) {
Settings settings = info.getSettings();
assertNotNull(settings);
assertNull(settings.get("xpack.security.authc.realms.custom.filtered_setting"));
assertEquals(CustomRealm.TYPE, settings.get("xpack.security.authc.realms.custom.type"));
}
}
}

6
elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
View File

@ -49,7 +49,6 @@ import org.elasticsearch.plugins.ScriptPlugin;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.script.ScriptContext;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.script.ScriptSettings;
import org.elasticsearch.search.SearchRequestParsers;
import org.elasticsearch.threadpool.ExecutorBuilder;
import org.elasticsearch.threadpool.ThreadPool;
@ -320,6 +319,11 @@ public class XPackPlugin extends Plugin implements ScriptPlugin, ActionPlugin, I
filters.add("xpack.notification.hipchat.account.*.auth_token");
filters.addAll(security.getSettingsFilter());
filters.addAll(MonitoringSettings.getSettingsFilter());
if (transportClientMode == false) {
for (XPackExtension extension : extensionsService.getExtensions()) {
filters.addAll(extension.getSettingsFilter());
}
}
return filters;
}

12
elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtension.java
View File

@ -7,6 +7,7 @@ package org.elasticsearch.xpack.extensions;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
@ -54,4 +55,15 @@ public abstract class XPackExtension {
public AuthenticationFailureHandler getAuthenticationFailureHandler() {
return null;
}
/**
* Returns a list of settings that should be filtered from API calls. In most cases,
* these settings are sensitive such as passwords.
*
* The value should be the full name of the setting or a wildcard that matches the
* desired setting.
*/
public List<String> getSettingsFilter() {
return Collections.emptyList();
}
}