allow extensions to define settings filter
This change allows extensions to define their own filtered settings. This is used when there may be sensitive credentials stored in a custom realm that should be filtered out of some API calls. Closes elastic/elasticsearch#2847 Original commit: elastic/x-pack-elasticsearch@952474daba
parent
473728afb4
commit
bb4777b7d6
|
@ -46,6 +46,7 @@ task integTest(type: org.elasticsearch.gradle.test.RestIntegTestTask, dependsOn:
|
||||||
plugin ':x-plugins:elasticsearch:x-pack'
|
plugin ':x-plugins:elasticsearch:x-pack'
|
||||||
setting 'xpack.security.authc.realms.custom.order', '0'
|
setting 'xpack.security.authc.realms.custom.order', '0'
|
||||||
setting 'xpack.security.authc.realms.custom.type', 'custom'
|
setting 'xpack.security.authc.realms.custom.type', 'custom'
|
||||||
|
setting 'xpack.security.authc.realms.custom.filtered_setting', 'should be filtered'
|
||||||
setting 'xpack.security.authc.realms.esusers.order', '1'
|
setting 'xpack.security.authc.realms.esusers.order', '1'
|
||||||
setting 'xpack.security.authc.realms.esusers.type', 'file'
|
setting 'xpack.security.authc.realms.esusers.type', 'file'
|
||||||
|
|
||||||
|
|
|
@ -16,6 +16,7 @@ import java.security.PrivilegedAction;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
public class ExampleRealmExtension extends XPackExtension {
|
public class ExampleRealmExtension extends XPackExtension {
|
||||||
|
@ -52,4 +53,9 @@ public class ExampleRealmExtension extends XPackExtension {
|
||||||
public Collection<String> getRestHeaders() {
|
public Collection<String> getRestHeaders() {
|
||||||
return Arrays.asList(CustomRealm.USER_HEADER, CustomRealm.PW_HEADER);
|
return Arrays.asList(CustomRealm.USER_HEADER, CustomRealm.PW_HEADER);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> getSettingsFilter() {
|
||||||
|
return Collections.singletonList("xpack.security.authc.realms.*.filtered_setting");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
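Review bot: The new `getSettingsFilter()` override carries no comment explaining its pattern, and this class is the example that extension authors are likely to copy. In `xpack.security.authc.realms.*.filtered_setting` the `*` sits in the realm-name position (the test cluster names its realms `custom` and `esusers`), so the filter covers every realm that carries this key, whatever the operator called it. A one-line comment above the return, such as `// '*' matches the realm name, which is chosen by the operator`, would make that intent explicit.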
@ -108,4 +108,14 @@ public class CustomRealmIT extends ESIntegTestCase {
|
||||||
// expected
|
// expected
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void testSettingsFiltering() throws Exception {
|
||||||
|
NodesInfoResponse nodeInfos = client().admin().cluster().prepareNodesInfo().clear().setSettings(true).get();
|
||||||
|
for(NodeInfo info : nodeInfos.getNodes()) {
|
||||||
|
Settings settings = info.getSettings();
|
||||||
|
assertNotNull(settings);
|
||||||
|
assertNull(settings.get("xpack.security.authc.realms.custom.filtered_setting"));
|
||||||
|
assertEquals(CustomRealm.TYPE, settings.get("xpack.security.authc.realms.custom.type"));
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
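Review bot: The `assertNull` in `testSettingsFiltering` cannot tell a filtered setting from one that was never configured, so the test would still pass if the `filtered_setting` line were dropped from the integTest cluster configuration. The positive check on `xpack.security.authc.realms.custom.type` only shows that settings are returned at all. A comment above the assertion would record the dependency, for example `// filtered_setting is configured for the test cluster in the build script; it is absent here only because the extension's settings filter hides it`. The loop also passes vacuously when the response holds no nodes, so asserting that at least one node was returned before the loop would tighten the test.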
@ -49,7 +49,6 @@ import org.elasticsearch.plugins.ScriptPlugin;
|
||||||
import org.elasticsearch.rest.RestHandler;
|
import org.elasticsearch.rest.RestHandler;
|
||||||
import org.elasticsearch.script.ScriptContext;
|
import org.elasticsearch.script.ScriptContext;
|
||||||
import org.elasticsearch.script.ScriptService;
|
import org.elasticsearch.script.ScriptService;
|
||||||
import org.elasticsearch.script.ScriptSettings;
|
|
||||||
import org.elasticsearch.search.SearchRequestParsers;
|
import org.elasticsearch.search.SearchRequestParsers;
|
||||||
import org.elasticsearch.threadpool.ExecutorBuilder;
|
import org.elasticsearch.threadpool.ExecutorBuilder;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
|
@ -320,6 +319,11 @@ public class XPackPlugin extends Plugin implements ScriptPlugin, ActionPlugin, I
|
||||||
filters.add("xpack.notification.hipchat.account.*.auth_token");
|
filters.add("xpack.notification.hipchat.account.*.auth_token");
|
||||||
filters.addAll(security.getSettingsFilter());
|
filters.addAll(security.getSettingsFilter());
|
||||||
filters.addAll(MonitoringSettings.getSettingsFilter());
|
filters.addAll(MonitoringSettings.getSettingsFilter());
|
||||||
|
if (transportClientMode == false) {
|
||||||
|
for (XPackExtension extension : extensionsService.getExtensions()) {
|
||||||
|
filters.addAll(extension.getSettingsFilter());
|
||||||
|
}
|
||||||
|
}
|
||||||
return filters;
|
return filters;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
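Review bot: A null return from an extension's `getSettingsFilter()` makes `filters.addAll(...)` in the new loop throw a NullPointerException, and extension overrides are code this class does not control. The base-class default is an empty list, but the sibling getter `getAuthenticationFailureHandler()` returns null by default, so an author may follow that convention here too. Handling it explicitly would be safer: `List<String> extensionFilters = extension.getSettingsFilter();` followed by `if (extensionFilters != null) { filters.addAll(extensionFilters); }`, or a fail-fast check whose message names the offending extension. A short comment on the `transportClientMode == false` guard saying why extensions are skipped there would also help, since the reason is not visible in this hunk and the enclosing method starts outside it.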
@ -7,6 +7,7 @@ package org.elasticsearch.xpack.extensions;
|
||||||
|
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
|
import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
|
||||||
|
@ -54,4 +55,15 @@ public abstract class XPackExtension {
|
||||||
public AuthenticationFailureHandler getAuthenticationFailureHandler() {
|
public AuthenticationFailureHandler getAuthenticationFailureHandler() {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns a list of settings that should be filtered from API calls. In most cases,
|
||||||
|
* these settings are sensitive such as passwords.
|
||||||
|
*
|
||||||
|
* The value should be the full name of the setting or a wildcard that matches the
|
||||||
|
* desired setting.
|
||||||
|
*/
|
||||||
|
public List<String> getSettingsFilter() {
|
||||||
|
return Collections.emptyList();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
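Review bot: The new Javadoc on `getSettingsFilter()` does not state that the return value must be non-null, nor what filtering actually protects. I would add `@return the setting names or wildcard patterns to hide; never {@code null}` and one sentence saying that filtering only removes the values from API responses that return settings. Presumably the values remain in the node's own configuration and still need protecting there. A `<p>` before the second paragraph would keep the two paragraphs separate in the rendered Javadoc.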