From bb4777b7d6bca4f0c0d52756ff264f5b2fdb9519 Mon Sep 17 00:00:00 2001
From: jaymode
Date: Mon, 29 Aug 2016 15:18:08 -0400
Subject: [PATCH] allow extensions to define settings filter
This change allows extensions to define their own filtered settings. This is used when there may be sensitive credentials stored in a custom realm that should be filtered out of some API calls.
Closes elastic/elasticsearch#2847
Original commit: elastic/x-pack-elasticsearch@952474dabae4cddc3a5b7020fee5086dab21f05d
---
 elasticsearch/qa/security-example-realm/build.gradle | 1 +
 .../elasticsearch/example/ExampleRealmExtension.java | 6 ++++++
 .../elasticsearch/example/realm/CustomRealmIT.java | 10 ++++++++++
 .../java/org/elasticsearch/xpack/XPackPlugin.java | 6 +++++-
 .../xpack/extensions/XPackExtension.java | 12 ++++++++++++
 5 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/elasticsearch/qa/security-example-realm/build.gradle b/elasticsearch/qa/security-example-realm/build.gradle
index bc0cba826a4..9a7217598dd 100644
--- a/elasticsearch/qa/security-example-realm/build.gradle
+++ b/elasticsearch/qa/security-example-realm/build.gradle
@@ -46,6 +46,7 @@ task integTest(type: org.elasticsearch.gradle.test.RestIntegTestTask, dependsOn:
 plugin ':x-plugins:elasticsearch:x-pack'
 setting 'xpack.security.authc.realms.custom.order', '0'
 setting 'xpack.security.authc.realms.custom.type', 'custom'
+ setting 'xpack.security.authc.realms.custom.filtered_setting', 'should be filtered'
 setting 'xpack.security.authc.realms.esusers.order', '1'
 setting 'xpack.security.authc.realms.esusers.type', 'file'
diff --git a/elasticsearch/qa/security-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java b/elasticsearch/qa/security-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java
index 04948027f30..ee1f8e7c3ff 100644
--- a/elasticsearch/qa/security-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java
+++ b/elasticsearch/qa/security-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java
@@ -16,6 +16,7 @@ import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 public class ExampleRealmExtension extends XPackExtension {
@@ -52,4 +53,9 @@ public class ExampleRealmExtension extends XPackExtension {
 public Collection getRestHeaders() {
 return Arrays.asList(CustomRealm.USER_HEADER, CustomRealm.PW_HEADER);
 }
+
+ @Override
+ public List getSettingsFilter() {
+ return Collections.singletonList("xpack.security.authc.realms.*.filtered_setting");
+ }
 }
diff --git a/elasticsearch/qa/security-example-realm/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java b/elasticsearch/qa/security-example-realm/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java
index 5d71c766cc5..b00855ba3cc 100644
--- a/elasticsearch/qa/security-example-realm/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java
+++ b/elasticsearch/qa/security-example-realm/src/test/java/org/elasticsearch/example/realm/CustomRealmIT.java
@@ -108,4 +108,14 @@ public class CustomRealmIT extends ESIntegTestCase {
 // expected
 }
 }
+
+ public void testSettingsFiltering() throws Exception {
+ NodesInfoResponse nodeInfos = client().admin().cluster().prepareNodesInfo().clear().setSettings(true).get();
+ for(NodeInfo info : nodeInfos.getNodes()) {
+ Settings settings = info.getSettings();
+ assertNotNull(settings);
+ assertNull(settings.get("xpack.security.authc.realms.custom.filtered_setting"));
+ assertEquals(CustomRealm.TYPE, settings.get("xpack.security.authc.realms.custom.type"));
+ }
+ }
 }
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
index 81815ada449..6faaf1aa7b5 100644
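Review bot: The pattern returned by the new `getSettingsFilter()` override in ExampleRealmExtension has no comment explaining the `*`, and this is the example that extension authors copy. The wildcard sits in the realm-name position, so the filter covers `filtered_setting` under every configured realm name rather than only the realm called `custom`. I would add `// '*' stands for the user-chosen realm name; list every credential-bearing key of the realm here` above the return, so that authors do not hard-code one realm name and leave the same key visible for a differently named realm.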
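Review bot: `assertNull(settings.get("xpack.security.authc.realms.custom.filtered_setting"))` in testSettingsFiltering has no positive control, so it also passes when the setting never reached the node, for instance if the `setting` line added to build.gradle were later dropped or renamed. The `assertEquals` on `custom.type` shows that realm settings in general come back in the response, not that this particular key was present and then removed by the filter. Consider also asserting that the node really holds the value (for example by having the example realm read it from its own configuration, assuming the realm config exposes it), and add a comment that only the nodes-info response is covered by this test.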
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
@@ -49,7 +49,6 @@ import org.elasticsearch.plugins.ScriptPlugin;
 import org.elasticsearch.rest.RestHandler;
 import org.elasticsearch.script.ScriptContext;
 import org.elasticsearch.script.ScriptService;
-import org.elasticsearch.script.ScriptSettings;
 import org.elasticsearch.search.SearchRequestParsers;
 import org.elasticsearch.threadpool.ExecutorBuilder;
 import org.elasticsearch.threadpool.ThreadPool;
@@ -320,6 +319,11 @@ public class XPackPlugin extends Plugin implements ScriptPlugin, ActionPlugin, I
 filters.add("xpack.notification.hipchat.account.*.auth_token");
 filters.addAll(security.getSettingsFilter());
 filters.addAll(MonitoringSettings.getSettingsFilter());
+ if (transportClientMode == false) {
+ for (XPackExtension extension : extensionsService.getExtensions()) {
+ filters.addAll(extension.getSettingsFilter());
+ }
+ }
 return filters;
 }
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtension.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtension.java
index 3253bf3c7fa..cdb445d9772 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtension.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtension.java
@@ -7,6 +7,7 @@ package org.elasticsearch.xpack.extensions;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
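Review bot: `filters.addAll(extension.getSettingsFilter())` in the XPackPlugin settings-filter hunk trusts whatever each extension returns, so an override that returns null ends in a bare NullPointerException that does not say the extension contract was broken. That mistake is easy for extension authors to make, because the neighbouring `getAuthenticationFailureHandler()` default in XPackExtension does return null. I would keep the failure loud rather than skip the extension, since silently dropping a filter would leave the credential visible: `filters.addAll(Objects.requireNonNull(extension.getSettingsFilter(), "XPackExtension#getSettingsFilter must not return null"));`, which needs `java.util.Objects` if the file does not already import it. The enclosing method starts above the hunk, so the declaration of `filters` and the state of `extensionsService` in transport-client mode are not visible here.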
@@ -54,4 +55,15 @@ public abstract class XPackExtension {
 public AuthenticationFailureHandler getAuthenticationFailureHandler() {
 return null;
 }
+
+ /**
+ * Returns a list of settings that should be filtered from API calls. In most cases,
+ * these settings are sensitive such as passwords.
+ *
+ * The value should be the full name of the setting or a wildcard that matches the
+ * desired setting.
+ */
+ public List getSettingsFilter() {
+ return Collections.emptyList();
+ }
 }
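Review bot: The Javadoc added on `XPackExtension.getSettingsFilter()` does not tell an extension author what the filter protects or when it is applied. Add a return tag such as `@return the full setting names or wildcard patterns to filter; never null, empty if nothing needs filtering`. I would also add one sentence saying that filtering only removes the values from settings returned by API calls, and that extension filters are not collected in transport-client mode, as the XPackPlugin change in this commit shows. If the value stays readable wherever the setting was configured, which this patch does not show, the comment should say so, so that authors do not treat the filter as secret storage.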