security: remove use of shield in files and directory names

This commit removes as much of the use of shield as possible in the source code.

See elastic/elasticsearch#2383

Original commit: elastic/x-pack-elasticsearch@00009cc06e
This commit is contained in:
jaymode 2016-06-17 11:53:55 -04:00
parent 0fcbf8c6ca
commit c024dbfc49
585 changed files with 2939 additions and 3570 deletions

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield.audit; package org.elasticsearch.xpack.security.audit;
import com.carrotsearch.hppc.cursors.ObjectCursor; import com.carrotsearch.hppc.cursors.ObjectCursor;
import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateResponse; import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateResponse;
@ -14,10 +14,10 @@ import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.shield.audit.index.IndexAuditTrail; import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.rest.client.http.HttpResponse; import org.elasticsearch.test.rest.client.http.HttpResponse;
import org.elasticsearch.xpack.XPackPlugin; import org.elasticsearch.xpack.XPackPlugin;
@ -35,7 +35,7 @@ public class IndexAuditIT extends ESIntegTestCase {
private static final String USER = "test_user"; private static final String USER = "test_user";
private static final String PASS = "changeme"; private static final String PASS = "changeme";
public void testShieldIndexAuditTrailWorking() throws Exception { public void testIndexAuditTrailWorking() throws Exception {
HttpResponse response = httpClient().path("/") HttpResponse response = httpClient().path("/")
.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(USER, new SecuredString(PASS.toCharArray()))) .addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(USER, new SecuredString(PASS.toCharArray())))
.execute(); .execute();
@ -48,7 +48,7 @@ public class IndexAuditIT extends ESIntegTestCase {
ClusterState state = client().admin().cluster().prepareState().get().getState(); ClusterState state = client().admin().cluster().prepareState().get().getState();
lastClusterState.set(state); lastClusterState.set(state);
for (ObjectCursor<String> cursor : state.getMetaData().getIndices().keys()) { for (ObjectCursor<String> cursor : state.getMetaData().getIndices().keys()) {
if (cursor.value.startsWith(".shield_audit_log")) { if (cursor.value.startsWith(".security_audit_log")) {
logger.info("found audit index [{}]", cursor.value); logger.info("found audit index [{}]", cursor.value);
indexExists.set(true); indexExists.set(true);
break; break;
@ -60,11 +60,11 @@ public class IndexAuditIT extends ESIntegTestCase {
} }
} }
ensureYellow(".shield_audit_log*"); ensureYellow(".security_audit_log*");
ClusterState state = client().admin().cluster().prepareState().get().getState(); ClusterState state = client().admin().cluster().prepareState().get().getState();
lastClusterState.set(state); lastClusterState.set(state);
client().admin().indices().prepareRefresh().get(); client().admin().indices().prepareRefresh().get();
return client().prepareSearch(".shield_audit_log*").setQuery(QueryBuilders.matchQuery("principal", USER)) return client().prepareSearch(".security_audit_log*").setQuery(QueryBuilders.matchQuery("principal", USER))
.get().getHits().totalHits() > 0; .get().getHits().totalHits() > 0;
}, 10L, TimeUnit.SECONDS); }, 10L, TimeUnit.SECONDS);
@ -73,7 +73,7 @@ public class IndexAuditIT extends ESIntegTestCase {
} }
assertThat(found, is(true)); assertThat(found, is(true));
SearchResponse searchResponse = client().prepareSearch(".shield_audit_log*").setQuery( SearchResponse searchResponse = client().prepareSearch(".security_audit_log*").setQuery(
QueryBuilders.matchQuery("principal", USER)).get(); QueryBuilders.matchQuery("principal", USER)).get();
assertThat(searchResponse.getHits().getHits().length, greaterThan(0)); assertThat(searchResponse.getHits().getHits().length, greaterThan(0));
assertThat((String) searchResponse.getHits().getAt(0).sourceAsMap().get("principal"), is(USER)); assertThat((String) searchResponse.getHits().getAt(0).sourceAsMap().get("principal"), is(USER));

View File

@ -3,20 +3,20 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import com.carrotsearch.randomizedtesting.annotations.Name; import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException; import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException; import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class RestIT extends ESRestTestCase { public class RestIT extends ESRestTestCase {

View File

@ -57,7 +57,7 @@ public class GroovyManualExecutionIT extends AbstractWatcherIntegrationTestCase
} }
@Override @Override
protected boolean enableShield() { protected boolean enableSecurity() {
return false; return false;
} }

View File

@ -41,7 +41,7 @@ public class GroovyScriptConditionIT extends AbstractWatcherIntegrationTestCase
} }
@Override @Override
protected boolean enableShield() { protected boolean enableSecurity() {
return false; return false;
} }

View File

@ -41,8 +41,8 @@ public class HistoryTemplateTransformMappingsIT extends AbstractWatcherIntegrati
} }
@Override @Override
protected boolean enableShield() { protected boolean enableSecurity() {
return false; // remove shield noise from this test return false; // remove security noise from this test
} }
public void testTransformFields() throws Exception { public void testTransformFields() throws Exception {

View File

@ -48,7 +48,7 @@ public class HipChatServiceIT extends AbstractWatcherIntegrationTestCase {
} }
@Override @Override
protected boolean enableShield() { protected boolean enableSecurity() {
return false; return false;
} }

View File

@ -72,7 +72,7 @@ public class NoMasterNodeIT extends AbstractWatcherIntegrationTestCase {
} }
@Override @Override
protected boolean enableShield() { protected boolean enableSecurity() {
return false; return false;
} }

View File

@ -50,7 +50,7 @@ public class PagerDutyServiceIT extends AbstractWatcherIntegrationTestCase {
} }
@Override @Override
protected boolean enableShield() { protected boolean enableSecurity() {
return false; return false;
} }

View File

@ -6,7 +6,6 @@
package org.elasticsearch.messy.tests; package org.elasticsearch.messy.tests;
import org.elasticsearch.Version; import org.elasticsearch.Version;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchPhaseExecutionException; import org.elasticsearch.action.search.SearchPhaseExecutionException;
import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.common.bytes.BytesArray; import org.elasticsearch.common.bytes.BytesArray;
@ -17,9 +16,9 @@ import org.elasticsearch.script.ScriptService;
import org.elasticsearch.script.Template; import org.elasticsearch.script.Template;
import org.elasticsearch.script.mustache.MustachePlugin; import org.elasticsearch.script.mustache.MustachePlugin;
import org.elasticsearch.script.mustache.MustacheScriptEngineService; import org.elasticsearch.script.mustache.MustacheScriptEngineService;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.ShieldSettingsSource; import org.elasticsearch.test.SecuritySettingsSource;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass; import org.junit.BeforeClass;
@ -27,12 +26,12 @@ import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
@ShieldIntegTestCase.AwaitsFix(bugUrl = "clean up test to not use mustache templates, otherwise needs many resources here") @SecurityIntegTestCase.AwaitsFix(bugUrl = "clean up test to not use mustache templates, otherwise needs many resources here")
public class ShieldCachePermissionIT extends ShieldIntegTestCase { public class SecurityCachePermissionIT extends SecurityIntegTestCase {
static final String READ_ONE_IDX_USER = "read_user"; static final String READ_ONE_IDX_USER = "read_user";
@Override @Override
@ -46,7 +45,7 @@ public class ShieldCachePermissionIT extends ShieldIntegTestCase {
@Override @Override
public String configUsers() { public String configUsers() {
return super.configUsers() return super.configUsers()
+ READ_ONE_IDX_USER + ":" + ShieldSettingsSource.DEFAULT_PASSWORD_HASHED + "\n"; + READ_ONE_IDX_USER + ":" + SecuritySettingsSource.DEFAULT_PASSWORD_HASHED + "\n";
} }
@Override @Override

View File

@ -47,7 +47,7 @@ public class SlackServiceIT extends AbstractWatcherIntegrationTestCase {
} }
@Override @Override
protected boolean enableShield() { protected boolean enableSecurity() {
return false; return false;
} }

View File

@ -20,12 +20,4 @@
* </ul> * </ul>
*/ */
// renames that took place:
// renamed: x-pack/watcher/src/test/java/org/elasticsearch/watcher/input/search/SearchInputTests.java ->
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchInputTests.java
// renamed: x-pack/watcher/src/test/java/org/elasticsearch/watcher/transform/search/SearchTransformTests.java ->
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformTests.java
// renamed: x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldCachePermissionTests.java ->
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/ShieldCachePermissionTests.java
package org.elasticsearch.messy.tests; package org.elasticsearch.messy.tests;

View File

@ -8,7 +8,7 @@ admin:
- '*' - '*'
# Search and write on both source and destination indices. It should work if you could just search on the source and # Search and write on both source and destination indices. It should work if you could just search on the source and
# write to the destination but that isn't how shield works. # write to the destination but that isn't how security works.
minimal: minimal:
indices: indices:
- names: source - names: source

View File

@ -3,20 +3,20 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import com.carrotsearch.randomizedtesting.annotations.Name; import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException; import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException; import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class RestIT extends ESRestTestCase { public class RestIT extends ESRestTestCase {
private static final String USER = "test_admin"; private static final String USER = "test_admin";
@ -32,7 +32,7 @@ public class RestIT extends ESRestTestCase {
} }
/** /**
* All tests run as a an administrative user but use <code>es-shield-runas-user</code> to become a less privileged user. * All tests run as a an administrative user but use <code>es-security-runas-user</code> to become a less privileged user.
*/ */
@Override @Override
protected Settings restClientSettings() { protected Settings restClientSettings() {

View File

@ -32,7 +32,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: powerful_user} headers: {es-security-runas-user: powerful_user}
reindex: reindex:
refresh: true refresh: true
body: body:
@ -65,7 +65,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: minimal_user} headers: {es-security-runas-user: minimal_user}
reindex: reindex:
refresh: true refresh: true
body: body:
@ -98,7 +98,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: readonly_user} headers: {es-security-runas-user: readonly_user}
catch: forbidden catch: forbidden
reindex: reindex:
body: body:
@ -120,7 +120,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: dest_only_user} headers: {es-security-runas-user: dest_only_user}
catch: forbidden catch: forbidden
reindex: reindex:
body: body:
@ -147,7 +147,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: dest_only_user} headers: {es-security-runas-user: dest_only_user}
catch: forbidden catch: forbidden
reindex: reindex:
refresh: true refresh: true
@ -194,7 +194,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: can_not_see_hidden_docs_user} headers: {es-security-runas-user: can_not_see_hidden_docs_user}
reindex: reindex:
refresh: true refresh: true
body: body:
@ -237,7 +237,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: can_not_see_hidden_fields_user} headers: {es-security-runas-user: can_not_see_hidden_fields_user}
reindex: reindex:
refresh: true refresh: true
body: body:
@ -287,7 +287,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: can_not_see_hidden_docs_user} headers: {es-security-runas-user: can_not_see_hidden_docs_user}
reindex: reindex:
body: body:
source: source:
@ -308,7 +308,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: can_not_see_hidden_fields_user} headers: {es-security-runas-user: can_not_see_hidden_fields_user}
reindex: reindex:
body: body:
source: source:

View File

@ -41,7 +41,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: powerful_user} headers: {es-security-runas-user: powerful_user}
update_by_query: update_by_query:
refresh: true refresh: true
index: source index: source
@ -72,7 +72,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: minimal_user} headers: {es-security-runas-user: minimal_user}
update_by_query: update_by_query:
refresh: true refresh: true
index: source index: source
@ -103,7 +103,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: readonly_user} headers: {es-security-runas-user: readonly_user}
catch: forbidden catch: forbidden
update_by_query: update_by_query:
index: source index: source
@ -121,7 +121,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: dest_only_user} headers: {es-security-runas-user: dest_only_user}
catch: forbidden catch: forbidden
update_by_query: update_by_query:
index: source index: source
@ -145,7 +145,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: can_not_see_hidden_docs_user} headers: {es-security-runas-user: can_not_see_hidden_docs_user}
update_by_query: update_by_query:
refresh: true refresh: true
index: source index: source
@ -191,7 +191,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: can_not_see_hidden_fields_user} headers: {es-security-runas-user: can_not_see_hidden_fields_user}
update_by_query: update_by_query:
index: source index: source
body: body:

View File

@ -37,7 +37,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: powerful_user} headers: {es-security-runas-user: powerful_user}
delete_by_query: delete_by_query:
refresh: true refresh: true
index: source index: source
@ -64,7 +64,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: minimal_user} headers: {es-security-runas-user: minimal_user}
delete_by_query: delete_by_query:
refresh: true refresh: true
index: source index: source
@ -91,7 +91,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: readonly_user} headers: {es-security-runas-user: readonly_user}
catch: forbidden catch: forbidden
delete_by_query: delete_by_query:
refresh: true refresh: true
@ -118,7 +118,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: dest_only_user} headers: {es-security-runas-user: dest_only_user}
catch: forbidden catch: forbidden
delete_by_query: delete_by_query:
refresh: true refresh: true
@ -151,7 +151,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: can_not_see_hidden_docs_user} headers: {es-security-runas-user: can_not_see_hidden_docs_user}
delete_by_query: delete_by_query:
refresh: true refresh: true
index: source index: source
@ -212,7 +212,7 @@
indices.refresh: {} indices.refresh: {}
- do: - do:
headers: {es-shield-runas-user: can_not_see_hidden_fields_user} headers: {es-security-runas-user: can_not_see_hidden_fields_user}
delete_by_query: delete_by_query:
refresh: true refresh: true
index: source index: source

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield.qa; package org.elasticsearch.xpack.security.qa;
import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse; import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
@ -13,8 +13,8 @@ import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.xpack.XPackPlugin; import org.elasticsearch.xpack.XPackPlugin;
@ -23,14 +23,14 @@ import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
/** /**
* Integration tests that test a transport client with Shield being loaded that connect to an external cluster * Integration tests that test a transport client with security being loaded that connect to an external cluster
*/ */
public class ShieldTransportClientIT extends ESIntegTestCase { public class SecurityTransportClientIT extends ESIntegTestCase {
static final String ADMIN_USER_PW = "test_user:changeme"; static final String ADMIN_USER_PW = "test_user:changeme";
static final String TRANSPORT_USER_PW = "transport:changeme"; static final String TRANSPORT_USER_PW = "transport:changeme";

View File

@ -8,7 +8,7 @@ package org.elasticsearch.example;
import org.elasticsearch.example.realm.CustomAuthenticationFailureHandler; import org.elasticsearch.example.realm.CustomAuthenticationFailureHandler;
import org.elasticsearch.example.realm.CustomRealm; import org.elasticsearch.example.realm.CustomRealm;
import org.elasticsearch.example.realm.CustomRealmFactory; import org.elasticsearch.example.realm.CustomRealmFactory;
import org.elasticsearch.shield.authc.AuthenticationModule; import org.elasticsearch.xpack.security.authc.AuthenticationModule;
import org.elasticsearch.xpack.extensions.XPackExtension; import org.elasticsearch.xpack.extensions.XPackExtension;
import java.security.AccessController; import java.security.AccessController;

View File

@ -8,8 +8,8 @@ package org.elasticsearch.example.realm;
import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestRequest; import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.shield.authc.AuthenticationToken; import org.elasticsearch.xpack.security.authc.AuthenticationToken;
import org.elasticsearch.shield.authc.DefaultAuthenticationFailureHandler; import org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler;
import org.elasticsearch.transport.TransportMessage; import org.elasticsearch.transport.TransportMessage;
public class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler { public class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler {

View File

@ -6,12 +6,12 @@
package org.elasticsearch.example.realm; package org.elasticsearch.example.realm;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.user.User; import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.shield.authc.AuthenticationToken; import org.elasticsearch.xpack.security.authc.AuthenticationToken;
import org.elasticsearch.shield.authc.Realm; import org.elasticsearch.xpack.security.authc.Realm;
import org.elasticsearch.shield.authc.RealmConfig; import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
public class CustomRealm extends Realm<UsernamePasswordToken> { public class CustomRealm extends Realm<UsernamePasswordToken> {

View File

@ -7,8 +7,8 @@ package org.elasticsearch.example.realm;
import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.rest.RestController; import org.elasticsearch.rest.RestController;
import org.elasticsearch.shield.authc.Realm; import org.elasticsearch.xpack.security.authc.Realm;
import org.elasticsearch.shield.authc.RealmConfig; import org.elasticsearch.xpack.security.authc.RealmConfig;
public class CustomRealmFactory extends Realm.Factory<CustomRealm> { public class CustomRealmFactory extends Realm.Factory<CustomRealm> {

View File

@ -6,10 +6,10 @@
package org.elasticsearch.example.realm; package org.elasticsearch.example.realm;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.user.User; import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.shield.authc.RealmConfig; import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.ESTestCase;
import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.equalTo;

View File

@ -1,114 +0,0 @@
<?xml version="1.0"?>
<!--
~ ELASTICSEARCH CONFIDENTIAL
~ __________________
~
~ [2014] Elasticsearch Incorporated. All Rights Reserved.
~
~ NOTICE: All information contained herein is, and remains
~ the property of Elasticsearch Incorporated and its suppliers,
~ if any. The intellectual and technical concepts contained
~ herein are proprietary to Elasticsearch Incorporated
~ and its suppliers and may be covered by U.S. and Foreign Patents,
~ patents in process, and are protected by trade secret or copyright law.
~ Dissemination of this information or reproduction of this material
~ is strictly forbidden unless prior written permission is obtained
~ from Elasticsearch Incorporated.
-->
<project name="smoke-test-watcher-and-shield"
xmlns:ac="antlib:net.sf.antcontrib">
<import file="${elasticsearch.integ.antfile.default}"/>
<!-- redefined to work with auth -->
<macrodef name="waitfor-elasticsearch">
<attribute name="port"/>
<attribute name="timeoutproperty"/>
<sequential>
<echo>Waiting for elasticsearch to become available on port @{port}...</echo>
<waitfor maxwait="30" maxwaitunit="second"
checkevery="500" checkeveryunit="millisecond"
timeoutproperty="@{timeoutproperty}">
<socket server="127.0.0.1" port="@{port}"/>
</waitfor>
</sequential>
</macrodef>
<target name="start-external-cluster-with-found-license-and-shield" depends="setup-workspace">
<ac:for list="${xplugins.list}" param="xplugin.name">
<sequential>
<fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}">
<condition>
<not>
<available file="${integ.deps}/plugins/@{xplugin.name}-${elasticsearch.version}.zip" />
</not>
</condition>
</fail>
</sequential>
</ac:for>
<ac:for param="file">
<path>
<fileset dir="${integ.deps}/plugins"/>
</path>
<sequential>
<local name="plugin.name"/>
<convert-plugin-name file="@{file}" outputproperty="plugin.name"/>
<install-plugin name="${plugin.name}" file="@{file}"/>
</sequential>
</ac:for>
<local name="home"/>
<property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/>
<echo>Adding roles.yml with watcher roles</echo>
<copy file="watcher-with-shield-roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/>
<echo>Adding shield users...</echo>
<run-script script="${home}/bin/x-pack/esusers">
<nested>
<arg value="useradd"/>
<arg value="test_admin"/>
<arg value="-p"/>
<arg value="changeme"/>
<arg value="-r"/>
<arg value="admin"/>
</nested>
</run-script>
<run-script script="${home}/bin/x-pack/esusers">
<nested>
<arg value="useradd"/>
<arg value="watcher_manager"/>
<arg value="-p"/>
<arg value="changeme"/>
<arg value="-r"/>
<arg value="watcher_manager"/>
</nested>
</run-script>
<run-script script="${home}/bin/x-pack/esusers">
<nested>
<arg value="useradd"/>
<arg value="powerless_user"/>
<arg value="-p"/>
<arg value="changeme"/>
<arg value="-r"/>
<arg value="crapy_role"/>
</nested>
</run-script>
<startup-elasticsearch>
<!-- Useful for when debugging -->
<!--<additional-args>-->
<!--<arg value="-Des.http.cors.enabled=true"/>-->
<!--<arg value="-Des.http.cors.allow-origin=*"/>-->
<!--</additional-args>-->
</startup-elasticsearch>
<echo>Checking we can connect with basic auth on port ${integ.http.port}...</echo>
<local name="temp.file"/>
<tempfile property="temp.file" destdir="${java.io.tmpdir}"/>
<get src="http://127.0.0.1:${integ.http.port}" dest="${temp.file}"
username="test_admin" password="changeme" verbose="true" retries="10"/>
</target>
</project>

View File

@ -1,95 +0,0 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.smoketest;
import org.elasticsearch.Version;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.shield.Shield;
import org.hamcrest.Matcher;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.nullValue;
public class MarvelClusterInfoIT extends ESIntegTestCase {
static final String ADMIN_USER_PW = "test_admin:changeme";
@Override
protected Settings externalClusterClientSettings() {
return Settings.builder()
.put(Shield.USER_SETTING.getKey(), ADMIN_USER_PW)
.build();
}
@Override
protected Collection<Class<? extends Plugin>> transportClientPlugins() {
return Collections.singletonList(XPackPlugin.class);
}
public void testMarvelClusterInfoCollectorWorks() throws Exception {
final String clusterUUID = client().admin().cluster().prepareState().setMetaData(true).get().getState().metaData().clusterUUID();
assertTrue(Strings.hasText(clusterUUID));
awaitIndexExists(".monitoring-es-data");
ensureYellow(".monitoring-es-data");
awaitMarvelDocsCount(equalTo(1L), "cluster_info");
GetResponse response = client().prepareGet(".monitoring-es-data", "cluster_info", clusterUUID).get();
assertTrue(".monitoring-es-data" + " document does not exist", response.isExists());
Map<String, Object> source = response.getSource();
assertThat((String) source.get("cluster_name"), equalTo(cluster().getClusterName()));
assertThat((String) source.get("version"), equalTo(Version.CURRENT.toString()));
Object licenseObj = source.get("license");
assertThat(licenseObj, nullValue());
}
protected void awaitMarvelDocsCount(Matcher<Long> matcher, String... types) throws Exception {
flush();
refresh();
assertBusy(new Runnable() {
@Override
public void run() {
assertMarvelDocsCount(matcher, types);
}
}, 30, TimeUnit.SECONDS);
}
protected void assertMarvelDocsCount(Matcher<Long> matcher, String... types) {
try {
long count = client().prepareSearch(".monitoring-es-data").setSize(0)
.setTypes(types).get().getHits().totalHits();
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
assertThat(count, matcher);
} catch (IndexNotFoundException e) {
assertThat(0L, matcher);
}
}
protected void awaitIndexExists(final String... indices) throws Exception {
assertBusy(new Runnable() {
@Override
public void run() {
assertIndicesExists(indices);
}
}, 30, TimeUnit.SECONDS);
}
protected void assertIndicesExists(String... indices) {
logger.trace("checking if index exists [{}]", Strings.arrayToCommaDelimitedString(indices));
assertThat(client().admin().indices().prepareExists(indices).get().isExists(), is(true));
}
}

View File

@ -1,98 +0,0 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.smoketest;
import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.elasticsearch.client.support.Headers;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Shield;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import org.elasticsearch.xpack.XPackPlugin;
import org.junit.After;
import org.junit.Before;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;
import java.util.Collection;
import java.util.Collections;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class WatcherWithShieldIT extends ESRestTestCase {
private final static String TEST_ADMIN_USERNAME = "test_admin";
private final static String TEST_ADMIN_PASSWORD = "changeme";
public WatcherWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}
@ParametersFactory
public static Iterable<Object[]> parameters() throws IOException, RestTestParseException {
return ESRestTestCase.createParameters(0, 1);
}
@Before
public void startWatcher() throws Exception {
try(CloseableHttpClient client = HttpClients.createMinimal(new BasicHttpClientConnectionManager())) {
InetSocketAddress address = cluster().httpAddresses()[0];
HttpPut request = new HttpPut(new URI("http", null, NetworkAddress.format(address.getAddress()), address.getPort(), "/_xpack/watcher/_start", null, null));
String token = basicAuthHeaderValue(TEST_ADMIN_USERNAME, new SecuredString(TEST_ADMIN_PASSWORD.toCharArray()));
request.addHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, token);
client.execute(request);
}
}
@After
public void stopWatcher() throws Exception {
try(CloseableHttpClient client = HttpClients.createMinimal(new BasicHttpClientConnectionManager())) {
InetSocketAddress address = cluster().httpAddresses()[0];
HttpPut request = new HttpPut(new URI("http", null, NetworkAddress.format(address.getAddress()), address.getPort(), "/_xpack/watcher/_stop", null, null));
String token = basicAuthHeaderValue(TEST_ADMIN_USERNAME, new SecuredString(TEST_ADMIN_PASSWORD.toCharArray()));
request.addHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, token);
client.execute(request);
}
}
@Override
protected Settings restClientSettings() {
String[] credentials = getCredentials();
String token = basicAuthHeaderValue(credentials[0], new SecuredString(credentials[1].toCharArray()));
return Settings.builder()
.put(Headers.PREFIX + ".Authorization", token)
.build();
}
@Override
protected Settings externalClusterClientSettings() {
return Settings.builder()
.put(Shield.USER_SETTING.getKey(), TEST_ADMIN_USERNAME + ":" + TEST_ADMIN_PASSWORD)
.build();
}
protected String[] getCredentials() {
return new String[]{"watcher_manager", "changeme"};
}
@Override
protected Collection<Class<? extends Plugin>> transportClientPlugins() {
return Collections.<Class<? extends Plugin>>singleton(XPackPlugin.class);
}
}

View File

@ -1,36 +0,0 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.smoketest;
import com.carrotsearch.randomizedtesting.annotations.Name;
import org.elasticsearch.test.rest.RestTestCandidate;
import java.io.IOException;
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.containsString;
public class WatcherWithShieldInsufficientRoleIT extends WatcherWithShieldIT {
public WatcherWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}
public void test() throws IOException {
try {
super.test();
fail();
} catch(AssertionError ae) {
assertThat(ae.getMessage(), anyOf(containsString("action [cluster:monitor/watcher/"), containsString("action [cluster:admin/watcher/")));
assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
assertThat(ae.getMessage(), containsString("is unauthorized for user [powerless_user]"));
}
}
@Override
protected String[] getCredentials() {
return new String[]{"powerless_user", "changeme"};
}
}

View File

@ -1,20 +0,0 @@
admin:
cluster: all
indices:
'*': all
watcher_manager:
cluster: manage
indices:
'.watcher-history-*': all
watcher_monitor:
cluster: monitor
indices:
'.watcher-history-*': read
crapy_role:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
- cluster:monitor/nodes/liveness

View File

@ -8,37 +8,23 @@ package org.elasticsearch.smoketest;
import com.carrotsearch.randomizedtesting.annotations.Name; import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
//import org.elasticsearch.client.support.Headers;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.xpack.security.authc.support.SecuredString;
//import org.elasticsearch.shield.ShieldPlugin;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException; import org.elasticsearch.test.rest.parser.RestTestParseException;
import org.junit.After;
import org.junit.Before;
import java.io.IOException; import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.util.Collection;
import java.util.Collections;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class GraphWithShieldIT extends ESRestTestCase { public class GraphWithSecurityIT extends ESRestTestCase {
private final static String TEST_ADMIN_USERNAME = "test_admin"; private final static String TEST_ADMIN_USERNAME = "test_admin";
private final static String TEST_ADMIN_PASSWORD = "changeme"; private final static String TEST_ADMIN_PASSWORD = "changeme";
public GraphWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) { public GraphWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate); super(testCandidate);
} }

View File

@ -7,15 +7,14 @@ package org.elasticsearch.smoketest;
import com.carrotsearch.randomizedtesting.annotations.Name; import com.carrotsearch.randomizedtesting.annotations.Name;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.junit.Test;
import java.io.IOException; import java.io.IOException;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
public class GraphWithShieldInsufficientRoleIT extends GraphWithShieldIT { public class GraphWithSecurityInsufficientRoleIT extends GraphWithSecurityIT {
public GraphWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) { public GraphWithSecurityInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate); super(testCandidate);
} }

View File

@ -9,19 +9,19 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException; import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException; import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
public class MonitoringWithShieldInsufficientRoleIT extends ESRestTestCase { public class MonitoringWithSecurityInsufficientRoleIT extends ESRestTestCase {
public MonitoringWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) { public MonitoringWithSecurityInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate); super(testCandidate);
} }

View File

@ -9,18 +9,18 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException; import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException; import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class MonitoringWithShieldIT extends ESRestTestCase { public class MonitoringWithSecurityIT extends ESRestTestCase {
public MonitoringWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) { public MonitoringWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate); super(testCandidate);
} }

View File

@ -12,8 +12,8 @@ import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress; import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport; import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.xpack.XPackPlugin; import org.elasticsearch.xpack.XPackPlugin;
import org.junit.After; import org.junit.After;
@ -37,14 +37,14 @@ import static org.hamcrest.Matchers.greaterThanOrEqualTo;
/** /**
* This test checks that a Monitoring's HTTP exporter correctly exports to a monitoring cluster * This test checks that a Monitoring's HTTP exporter correctly exports to a monitoring cluster
* protected by Shield with HTTPS/SSL. * protected by security with HTTPS/SSL.
* *
* It sets up a cluster with Monitoring and Shield configured with SSL. Once started, * It sets up a cluster with Monitoring and Security configured with SSL. Once started,
* an HTTP exporter is activated and it exports data locally over HTTPS/SSL. The test * an HTTP exporter is activated and it exports data locally over HTTPS/SSL. The test
* then uses a transport client to check that the data have been correctly received and * then uses a transport client to check that the data have been correctly received and
* indexed in the cluster. * indexed in the cluster.
*/ */
public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase { public class SmokeTestMonitoringWithSecurityIT extends ESIntegTestCase {
private static final String USER = "test_user"; private static final String USER = "test_user";
private static final String PASS = "changeme"; private static final String PASS = "changeme";
@ -61,7 +61,7 @@ public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase {
protected Settings externalClusterClientSettings() { protected Settings externalClusterClientSettings() {
return Settings.builder() return Settings.builder()
.put(Security.USER_SETTING.getKey(), USER + ":" + PASS) .put(Security.USER_SETTING.getKey(), USER + ":" + PASS)
.put(ShieldNettyTransport.SSL_SETTING.getKey(), true) .put(SecurityNettyTransport.SSL_SETTING.getKey(), true)
.put("xpack.security.ssl.keystore.path", clientKeyStore) .put("xpack.security.ssl.keystore.path", clientKeyStore)
.put("xpack.security.ssl.keystore.password", KEYSTORE_PASS) .put("xpack.security.ssl.keystore.password", KEYSTORE_PASS)
.build(); .build();
@ -133,7 +133,7 @@ public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase {
@BeforeClass @BeforeClass
public static void loadKeyStore() { public static void loadKeyStore() {
try { try {
clientKeyStore = PathUtils.get(SmokeTestMonitoringWithShieldIT.class.getResource("/test-client.jks").toURI()); clientKeyStore = PathUtils.get(SmokeTestMonitoringWithSecurityIT.class.getResource("/test-client.jks").toURI());
} catch (URISyntaxException e) { } catch (URISyntaxException e) {
throw new ElasticsearchException("exception while reading the store", e); throw new ElasticsearchException("exception while reading the store", e);
} }

View File

@ -11,7 +11,7 @@ import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.client.RestClient; import org.elasticsearch.test.rest.client.RestClient;
@ -24,7 +24,7 @@ import java.net.URISyntaxException;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class SmokeTestPluginsSslIT extends ESRestTestCase { public class SmokeTestPluginsSslIT extends ESRestTestCase {

View File

@ -9,14 +9,14 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException; import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException; import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class SmokeTestPluginsIT extends ESRestTestCase { public class SmokeTestPluginsIT extends ESRestTestCase {

View File

@ -17,22 +17,22 @@ import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager; import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException; import org.elasticsearch.test.rest.parser.RestTestParseException;
import org.junit.After; import org.junit.After;
import org.junit.Before; import org.junit.Before;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class WatcherWithShieldIT extends ESRestTestCase { public class WatcherWithSecurityIT extends ESRestTestCase {
private final static String TEST_ADMIN_USERNAME = "test_admin"; private final static String TEST_ADMIN_USERNAME = "test_admin";
private final static String TEST_ADMIN_PASSWORD = "changeme"; private final static String TEST_ADMIN_PASSWORD = "changeme";
public WatcherWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) { public WatcherWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate); super(testCandidate);
} }

View File

@ -1,7 +1,7 @@
--- ---
"Test watcher is protected by shield": "Test watcher is protected by security":
- do: - do:
headers: { es-shield-runas-user: powerless_user } headers: { es-security-runas-user: powerless_user }
catch: forbidden catch: forbidden
xpack.watcher.stats: {} xpack.watcher.stats: {}
# there seems to be a bug in the yaml parser we use, where a single element list # there seems to be a bug in the yaml parser we use, where a single element list

View File

@ -16,14 +16,14 @@
~ from Elasticsearch Incorporated. ~ from Elasticsearch Incorporated.
--> -->
<project name="smoke-test-tribe-node-with-shield" <project name="smoke-test-tribe-node-with-security"
xmlns:ac="antlib:net.sf.antcontrib"> xmlns:ac="antlib:net.sf.antcontrib">
<taskdef name="xhttp" classname="org.elasticsearch.ant.HttpTask" classpath="${test_classpath}" /> <taskdef name="xhttp" classname="org.elasticsearch.ant.HttpTask" classpath="${test_classpath}" />
<typedef name="xhttp" classname="org.elasticsearch.ant.HttpCondition" classpath="${test_classpath}"/> <typedef name="xhttp" classname="org.elasticsearch.ant.HttpCondition" classpath="${test_classpath}"/>
<import file="${elasticsearch.integ.antfile.default}"/> <import file="${elasticsearch.integ.antfile.default}"/>
<import file="${elasticsearch.tools.directory}/ant/shield-overrides.xml"/> <import file="${elasticsearch.tools.directory}/ant/security-overrides.xml"/>
<property name="tribe_node.pidfile" location="${integ.scratch}/tribe-node.pid"/> <property name="tribe_node.pidfile" location="${integ.scratch}/tribe-node.pid"/>
<available property="tribe_node.pidfile.exists" file="${tribe_node.pidfile}"/> <available property="tribe_node.pidfile.exists" file="${tribe_node.pidfile}"/>
@ -47,7 +47,7 @@
</sequential> </sequential>
</macrodef> </macrodef>
<target name="start-tribe-node-and-2-clusters-with-shield" depends="setup-workspace"> <target name="start-tribe-node-and-2-clusters-with-security" depends="setup-workspace">
<ac:for list="${xplugins.list}" param="xplugin.name"> <ac:for list="${xplugins.list}" param="xplugin.name">
<sequential> <sequential>
<fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}"> <fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}">
@ -75,9 +75,9 @@
<property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/> <property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/>
<echo>Adding roles.yml</echo> <echo>Adding roles.yml</echo>
<copy file="shield-roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/> <copy file="roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/>
<echo>Adding shield users...</echo> <echo>Adding security users...</echo>
<run-script script="${home}/bin/x-pack/esusers"> <run-script script="${home}/bin/x-pack/esusers">
<nested> <nested>
<arg value="useradd"/> <arg value="useradd"/>

View File

@ -3,20 +3,20 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import com.carrotsearch.randomizedtesting.annotations.Name; import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.client.support.Headers; import org.elasticsearch.client.support.Headers;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate; import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException; import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException; import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class RestIT extends TribeRestTestCase { public class RestIT extends TribeRestTestCase {

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import com.carrotsearch.randomizedtesting.RandomizedTest; import com.carrotsearch.randomizedtesting.RandomizedTest;
import com.carrotsearch.randomizedtesting.annotations.TestGroup; import com.carrotsearch.randomizedtesting.annotations.TestGroup;

View File

@ -24,7 +24,7 @@ dependencies {
compile project(':x-plugins:elasticsearch:license:base') compile project(':x-plugins:elasticsearch:license:base')
testCompile project(':x-plugins:elasticsearch:license:licensor') testCompile project(':x-plugins:elasticsearch:license:licensor')
// shield deps // security deps
compile 'dk.brics.automaton:automaton:1.11-8' compile 'dk.brics.automaton:automaton:1.11-8'
compile 'com.unboundid:unboundid-ldapsdk:2.3.8' compile 'com.unboundid:unboundid-ldapsdk:2.3.8'
compile 'org.bouncycastle:bcprov-jdk15on:1.54' compile 'org.bouncycastle:bcprov-jdk15on:1.54'
@ -33,7 +33,7 @@ dependencies {
// watcher deps // watcher deps
compile 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:r239' compile 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:r239'
compile 'com.google.guava:guava:16.0.1' // needed by watcher for the html sanitizer and shield tests for jimfs compile 'com.google.guava:guava:16.0.1' // needed by watcher for the html sanitizer and security tests for jimfs
compile 'com.sun.mail:javax.mail:1.5.3' compile 'com.sun.mail:javax.mail:1.5.3'
// HACK: java 9 removed javax.activation from the default modules, so instead of trying to add modules, which would have // HACK: java 9 removed javax.activation from the default modules, so instead of trying to add modules, which would have
// to be conditionalized for java 8/9, we pull in the classes directly // to be conditionalized for java 8/9, we pull in the classes directly
@ -57,7 +57,7 @@ dependencies {
// we keep the source directories in the original structure of split plugins, // we keep the source directories in the original structure of split plugins,
// in order to facilitate backports to 2.x. TODO: remove after 5.0 release // in order to facilitate backports to 2.x. TODO: remove after 5.0 release
for (String module : ['', 'license-plugin/', 'shield/', 'watcher/', 'marvel/', 'graph/']) { for (String module : ['', 'license-plugin/', 'security/', 'watcher/', 'marvel/', 'graph/']) {
sourceSets { sourceSets {
main { main {
java.srcDir("${module}src/main/java") java.srcDir("${module}src/main/java")
@ -116,10 +116,10 @@ bundlePlugin {
from('bin/x-pack') { from('bin/x-pack') {
into 'bin' into 'bin'
} }
from('shield/bin/x-pack') { from('security/bin/x-pack') {
into 'bin' into 'bin'
} }
from('shield/config/x-pack') { from('security/config/x-pack') {
into 'config' into 'config'
} }
from('watcher/bin/x-pack') { from('watcher/bin/x-pack') {

View File

@ -22,7 +22,7 @@ import org.elasticsearch.script.NativeScriptFactory;
import org.elasticsearch.script.Script; import org.elasticsearch.script.Script;
import org.elasticsearch.script.ScriptModule; import org.elasticsearch.script.ScriptModule;
import org.elasticsearch.script.ScriptService.ScriptType; import org.elasticsearch.script.ScriptService.ScriptType;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.test.ESSingleNodeTestCase; import org.elasticsearch.test.ESSingleNodeTestCase;
import org.elasticsearch.xpack.watcher.Watcher; import org.elasticsearch.xpack.watcher.Watcher;
import org.elasticsearch.xpack.XPackPlugin; import org.elasticsearch.xpack.XPackPlugin;
@ -127,7 +127,7 @@ public class GraphTests extends ESSingleNodeTestCase {
@Override @Override
public Settings nodeSettings() { public Settings nodeSettings() {
// Disable Shield otherwise authentication failures happen creating indices. // Disable security otherwise authentication failures happen creating indices.
Builder newSettings = Settings.builder(); Builder newSettings = Settings.builder();
newSettings.put(XPackPlugin.featureEnabledSetting(Security.NAME), false); newSettings.put(XPackPlugin.featureEnabledSetting(Security.NAME), false);
newSettings.put(XPackPlugin.featureEnabledSetting(Monitoring.NAME), false); newSettings.put(XPackPlugin.featureEnabledSetting(Monitoring.NAME), false);

View File

@ -25,7 +25,7 @@ import org.elasticsearch.license.plugin.core.LicensesMetaData;
import org.elasticsearch.license.plugin.core.LicensesStatus; import org.elasticsearch.license.plugin.core.LicensesStatus;
import org.elasticsearch.marvel.Monitoring; import org.elasticsearch.marvel.Monitoring;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.InternalTestCluster; import org.elasticsearch.test.InternalTestCluster;
import org.elasticsearch.xpack.watcher.Watcher; import org.elasticsearch.xpack.watcher.Watcher;

View File

@ -22,7 +22,7 @@ import org.elasticsearch.license.plugin.core.LicensesStatus;
import org.elasticsearch.marvel.Monitoring; import org.elasticsearch.marvel.Monitoring;
import org.elasticsearch.node.Node; import org.elasticsearch.node.Node;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.test.ESSingleNodeTestCase; import org.elasticsearch.test.ESSingleNodeTestCase;
import org.elasticsearch.xpack.XPackPlugin; import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.watcher.Watcher; import org.elasticsearch.xpack.watcher.Watcher;

View File

@ -23,7 +23,7 @@ import org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing;
import org.elasticsearch.marvel.Monitoring; import org.elasticsearch.marvel.Monitoring;
import org.elasticsearch.node.Node; import org.elasticsearch.node.Node;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope; import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import org.elasticsearch.test.ESIntegTestCase.Scope; import org.elasticsearch.test.ESIntegTestCase.Scope;

View File

@ -17,7 +17,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector; import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee; import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;

View File

@ -20,7 +20,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector; import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee; import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;

View File

@ -17,8 +17,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector; import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee; import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;

View File

@ -19,8 +19,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector; import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee; import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;

View File

@ -17,8 +17,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector; import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee; import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collection; import java.util.Collection;

View File

@ -21,7 +21,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector; import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee; import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;

View File

@ -6,7 +6,7 @@
package org.elasticsearch.marvel.support.init.proxy; package org.elasticsearch.marvel.support.init.proxy;
import org.elasticsearch.client.Client; import org.elasticsearch.client.Client;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.common.init.proxy.ClientProxy; import org.elasticsearch.xpack.common.init.proxy.ClientProxy;
public class MonitoringClientProxy extends ClientProxy { public class MonitoringClientProxy extends ClientProxy {

View File

@ -26,7 +26,7 @@ import org.elasticsearch.license.plugin.core.LicensesManagerService;
import org.elasticsearch.marvel.MonitoringSettings; import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.test.MarvelIntegTestCase; import org.elasticsearch.marvel.test.MarvelIntegTestCase;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope; import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import org.elasticsearch.xpack.XPackPlugin; import org.elasticsearch.xpack.XPackPlugin;

View File

@ -45,7 +45,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
waitForNoBlocksOnNode(node); waitForNoBlocksOnNode(node);
try { try {
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(shieldEnabled ? 0 : 1)); assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1));
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
} }
@ -56,7 +56,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
waitForNoBlocksOnNode(node); waitForNoBlocksOnNode(node);
try { try {
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(shieldEnabled ? 0 : 1)); assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1));
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
} }

View File

@ -16,7 +16,7 @@ import org.elasticsearch.marvel.MonitoredSystem;
import org.elasticsearch.marvel.agent.collector.AbstractCollectorTestCase; import org.elasticsearch.marvel.agent.collector.AbstractCollectorTestCase;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc; import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee; import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope; import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import java.util.Collection; import java.util.Collection;

View File

@ -50,7 +50,7 @@ public class LocalIndicesCleanerTests extends AbstractIndicesCleanerTestCase {
try { try {
assertThat(client().admin().indices().prepareGetSettings().get().getIndexToSettings().size(), equalTo(count)); assertThat(client().admin().indices().prepareGetSettings().get().getIndexToSettings().size(), equalTo(count));
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
if (shieldEnabled) { if (securityEnabled) {
assertThat(0, equalTo(count)); assertThat(0, equalTo(count));
} else { } else {
throw e; throw e;

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.marvel.shield; package org.elasticsearch.marvel.security;
import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequestBuilder; import org.elasticsearch.action.ActionRequestBuilder;
@ -13,7 +13,7 @@ import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.marvel.MonitoringSettings; import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.test.MarvelIntegTestCase; import org.elasticsearch.marvel.test.MarvelIntegTestCase;
import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.shield.InternalClient; import org.elasticsearch.xpack.security.InternalClient;
import java.util.ArrayList; import java.util.ArrayList;

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.marvel.shield; package org.elasticsearch.marvel.security;
import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients; import org.apache.http.impl.client.HttpClients;
@ -13,7 +13,7 @@ import org.elasticsearch.common.xcontent.json.JsonXContent;
import org.elasticsearch.http.HttpServerTransport; import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.marvel.MonitoringSettings; import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.test.MarvelIntegTestCase; import org.elasticsearch.marvel.test.MarvelIntegTestCase;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.client.http.HttpRequestBuilder; import org.elasticsearch.test.rest.client.http.HttpRequestBuilder;
import org.elasticsearch.test.rest.client.http.HttpResponse; import org.elasticsearch.test.rest.client.http.HttpResponse;
import org.hamcrest.Matchers; import org.hamcrest.Matchers;
@ -23,8 +23,8 @@ import java.io.IOException;
import java.util.Map; import java.util.Map;
import static org.elasticsearch.common.xcontent.support.XContentMapValues.extractValue; import static org.elasticsearch.common.xcontent.support.XContentMapValues.extractValue;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.CoreMatchers.nullValue; import static org.hamcrest.CoreMatchers.nullValue;
public class MarvelSettingsFilterTests extends MarvelIntegTestCase { public class MarvelSettingsFilterTests extends MarvelIntegTestCase {
@ -89,9 +89,9 @@ public class MarvelSettingsFilterTests extends MarvelIntegTestCase {
if (body != null) { if (body != null) {
requestBuilder.body(body); requestBuilder.body(body);
} }
if (shieldEnabled) { if (securityEnabled) {
requestBuilder.addHeader(BASIC_AUTH_HEADER, requestBuilder.addHeader(BASIC_AUTH_HEADER,
basicAuthHeaderValue(ShieldSettings.TEST_USERNAME, new SecuredString(ShieldSettings.TEST_PASSWORD.toCharArray()))); basicAuthHeaderValue(SecuritySettings.TEST_USERNAME, new SecuredString(SecuritySettings.TEST_PASSWORD.toCharArray())));
} }
return requestBuilder.execute(); return requestBuilder.execute();
} }

View File

@ -25,12 +25,12 @@ import org.elasticsearch.marvel.agent.resolver.MonitoringIndexNameResolver;
import org.elasticsearch.marvel.agent.resolver.ResolversRegistry; import org.elasticsearch.marvel.agent.resolver.ResolversRegistry;
import org.elasticsearch.marvel.client.MonitoringClient; import org.elasticsearch.marvel.client.MonitoringClient;
import org.elasticsearch.plugins.Plugin; import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security; import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.shield.authc.file.FileRealm; import org.elasticsearch.xpack.security.authc.file.FileRealm;
import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.xpack.security.authc.support.Hasher;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.shield.authz.store.FileRolesStore; import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
import org.elasticsearch.shield.crypto.InternalCryptoService; import org.elasticsearch.xpack.security.crypto.InternalCryptoService;
import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.TestCluster; import org.elasticsearch.test.TestCluster;
import org.elasticsearch.test.store.MockFSIndexStore; import org.elasticsearch.test.store.MockFSIndexStore;
@ -60,7 +60,7 @@ import java.util.function.Function;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import java.util.stream.StreamSupport; import java.util.stream.StreamSupport;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.hamcrest.Matchers.allOf; import static org.hamcrest.Matchers.allOf;
import static org.hamcrest.Matchers.greaterThan; import static org.hamcrest.Matchers.greaterThan;
@ -77,10 +77,10 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
/** /**
* Enables individual tests to control the behavior. * Enables individual tests to control the behavior.
* <p> * <p>
* Control this by overriding {@link #enableShield()}, which defaults to enabling it randomly. * Control this by overriding {@link #enableSecurity()}, which defaults to enabling it randomly.
*/ */
// SCARY: This needs to be static or lots of tests randomly fail, but it's not used statically! // SCARY: This needs to be static or lots of tests randomly fail, but it's not used statically!
protected static Boolean shieldEnabled; protected static Boolean securityEnabled;
/** /**
* Enables individual tests to control the behavior. * Enables individual tests to control the behavior.
* <p> * <p>
@ -90,14 +90,14 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
@Override @Override
protected TestCluster buildTestCluster(Scope scope, long seed) throws IOException { protected TestCluster buildTestCluster(Scope scope, long seed) throws IOException {
if (shieldEnabled == null) { if (securityEnabled == null) {
shieldEnabled = enableShield(); securityEnabled = enableSecurity();
} }
if (watcherEnabled == null) { if (watcherEnabled == null) {
watcherEnabled = enableWatcher(); watcherEnabled = enableWatcher();
} }
logger.debug("--> shield {}", shieldEnabled ? "enabled" : "disabled"); logger.debug("--> security {}", securityEnabled ? "enabled" : "disabled");
logger.debug("--> watcher {}", watcherEnabled ? "enabled" : "disabled"); logger.debug("--> watcher {}", watcherEnabled ? "enabled" : "disabled");
return super.buildTestCluster(scope, seed); return super.buildTestCluster(scope, seed);
@ -111,14 +111,14 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
// we do this by default in core, but for monitoring this isn't needed and only adds noise. // we do this by default in core, but for monitoring this isn't needed and only adds noise.
.put("index.store.mock.check_index_on_close", false); .put("index.store.mock.check_index_on_close", false);
ShieldSettings.apply(shieldEnabled, builder); SecuritySettings.apply(securityEnabled, builder);
return builder.build(); return builder.build();
} }
@Override @Override
protected Settings transportClientSettings() { protected Settings transportClientSettings() {
if (shieldEnabled) { if (securityEnabled) {
return Settings.builder() return Settings.builder()
.put(super.transportClientSettings()) .put(super.transportClientSettings())
.put("client.transport.sniff", false) .put("client.transport.sniff", false)
@ -133,8 +133,8 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
@Override @Override
protected Collection<Class<? extends Plugin>> getMockPlugins() { protected Collection<Class<? extends Plugin>> getMockPlugins() {
Set<Class<? extends Plugin>> plugins = new HashSet<>(super.getMockPlugins()); Set<Class<? extends Plugin>> plugins = new HashSet<>(super.getMockPlugins());
plugins.remove(MockTransportService.TestPlugin.class); // shield has its own transport service plugins.remove(MockTransportService.TestPlugin.class); // security has its own transport service
plugins.remove(AssertingLocalTransport.TestPlugin.class); // shield has its own transport plugins.remove(AssertingLocalTransport.TestPlugin.class); // security has its own transport
plugins.add(MockFSIndexStore.TestPlugin.class); plugins.add(MockFSIndexStore.TestPlugin.class);
return plugins; return plugins;
} }
@ -151,16 +151,16 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
@Override @Override
protected Function<Client,Client> getClientWrapper() { protected Function<Client,Client> getClientWrapper() {
if (shieldEnabled == false) { if (securityEnabled == false) {
return Function.identity(); return Function.identity();
} }
Map<String, String> headers = Collections.singletonMap("Authorization", Map<String, String> headers = Collections.singletonMap("Authorization",
basicAuthHeaderValue(ShieldSettings.TEST_USERNAME, new SecuredString(ShieldSettings.TEST_PASSWORD.toCharArray()))); basicAuthHeaderValue(SecuritySettings.TEST_USERNAME, new SecuredString(SecuritySettings.TEST_PASSWORD.toCharArray())));
return client -> (client instanceof NodeClient) ? client.filterWithHeader(headers) : client; return client -> (client instanceof NodeClient) ? client.filterWithHeader(headers) : client;
} }
protected MonitoringClient monitoringClient() { protected MonitoringClient monitoringClient() {
Client client = shieldEnabled ? internalCluster().transportClient() : client(); Client client = securityEnabled ? internalCluster().transportClient() : client();
return randomBoolean() ? new XPackClient(client).monitoring() : new MonitoringClient(client); return randomBoolean() ? new XPackClient(client).monitoring() : new MonitoringClient(client);
} }
@ -184,7 +184,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
/** /**
* Override and return {@code false} to force running without Security. * Override and return {@code false} to force running without Security.
*/ */
protected boolean enableShield() { protected boolean enableSecurity() {
return randomBoolean(); return randomBoolean();
} }
@ -231,11 +231,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
} }
protected void deleteMarvelIndices() { protected void deleteMarvelIndices() {
if (shieldEnabled) { if (securityEnabled) {
try { try {
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*")); assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
// if shield couldn't resolve any marvel index, it'll throw index not found exception. // if security couldn't resolve any marvel index, it'll throw index not found exception.
} }
} else { } else {
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*")); assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
@ -247,11 +247,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
} }
protected void ensureMarvelIndicesYellow() { protected void ensureMarvelIndicesYellow() {
if (shieldEnabled) { if (securityEnabled) {
try { try {
ensureYellow(".monitoring-es-*"); ensureYellow(".monitoring-es-*");
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
// might happen with shield... // might happen with security...
} }
} else { } else {
ensureYellow(".monitoring-es-*"); ensureYellow(".monitoring-es-*");
@ -266,7 +266,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count); logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
assertThat(count, matcher); assertThat(count, matcher);
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
if (shieldEnabled) { if (securityEnabled) {
assertThat(0L, matcher); assertThat(0L, matcher);
} else { } else {
throw e; throw e;
@ -312,8 +312,8 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
try { try {
assertIndicesExists(index); assertIndicesExists(index);
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
if (shieldEnabled) { if (securityEnabled) {
// with shield we might get that if wildcards were resolved to no indices // with security we might get that if wildcards were resolved to no indices
fail("IndexNotFoundException when checking for existence of index [" + index + "]"); fail("IndexNotFoundException when checking for existence of index [" + index + "]");
} else { } else {
throw e; throw e;
@ -336,11 +336,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
} }
protected void securedRefresh() { protected void securedRefresh() {
if (shieldEnabled) { if (securityEnabled) {
try { try {
refresh(); refresh();
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
// with shield we might get that if wildcards were resolved to no indices // with security we might get that if wildcards were resolved to no indices
} }
} else { } else {
refresh(); refresh();
@ -348,11 +348,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
} }
protected void securedFlush(String... indices) { protected void securedFlush(String... indices) {
if (shieldEnabled) { if (securityEnabled) {
try { try {
flush(indices); flush(indices);
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
// with shield we might get that if wildcards were resolved to no indices // with security we might get that if wildcards were resolved to no indices
} }
} else { } else {
flush(indices); flush(indices);
@ -360,11 +360,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
} }
protected void securedFlushAndRefresh(String... indices) { protected void securedFlushAndRefresh(String... indices) {
if (shieldEnabled) { if (securityEnabled) {
try { try {
flushAndRefresh(indices); flushAndRefresh(indices);
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
// with shield we might get that if wildcards were resolved to no indices // with security we might get that if wildcards were resolved to no indices
} }
} else { } else {
flushAndRefresh(indices); flushAndRefresh(indices);
@ -372,11 +372,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
} }
protected void securedEnsureGreen(String... indices) { protected void securedEnsureGreen(String... indices) {
if (shieldEnabled) { if (securityEnabled) {
try { try {
ensureGreen(indices); ensureGreen(indices);
} catch (IndexNotFoundException e) { } catch (IndexNotFoundException e) {
// with shield we might get that if wildcards were resolved to no indices // with security we might get that if wildcards were resolved to no indices
} }
} else { } else {
ensureGreen(indices); ensureGreen(indices);
@ -477,9 +477,9 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
} }
} }
/** Shield related settings */ /** security related settings */
public static class ShieldSettings { public static class SecuritySettings {
public static final String TEST_USERNAME = "test"; public static final String TEST_USERNAME = "test";
public static final String TEST_PASSWORD = "changeme"; public static final String TEST_PASSWORD = "changeme";
@ -528,7 +528,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
return; return;
} }
try { try {
Path folder = createTempDir().resolve("marvel_shield"); Path folder = createTempDir().resolve("marvel_security");
Files.createDirectories(folder); Files.createDirectories(folder);
builder.put("xpack.security.enabled", true) builder.put("xpack.security.enabled", true)
@ -541,7 +541,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
.put("xpack.security.authc.sign_user_header", false) .put("xpack.security.authc.sign_user_header", false)
.put("xpack.security.audit.enabled", auditLogsEnabled); .put("xpack.security.audit.enabled", auditLogsEnabled);
} catch (IOException ex) { } catch (IOException ex) {
throw new RuntimeException("failed to build settings for shield", ex); throw new RuntimeException("failed to build settings for security", ex);
} }
} }

View File

@ -3,29 +3,29 @@
[partintro] [partintro]
Elasticsearch and Shield use jUnit for testing, they also use randomness Elasticsearch and X-Pack use jUnit for testing, they also use randomness
in the tests, that can be set using a seed, please refer to the in the tests, that can be set using a seed, please refer to the
Elasticsearch TESTING.asciidoc cheatsheet to know all about it. Elasticsearch TESTING.asciidoc cheatsheet to know all about it.
Tests are executed with network transport and unicast discovery, as this is Tests are executed with network transport and unicast discovery, as this is
the configuration that's secured by shield. the configuration that's secured by X-Pack.
== Testing the REST layer == Testing the REST layer
The available integration tests are specific for Shield functionalities The available integration tests are specific for Security functionalities
and make use of the java API to communicate with the elasticsearch nodes, and make use of the java API to communicate with the elasticsearch nodes,
using the internal binary transport (port 9300 by default). using the internal binary transport (port 9300 by default).
Shield is also tested using the REST tests provided by Elasticsearch core, Security is also tested using the REST tests provided by Elasticsearch core,
just by running those same tests against a cluster with Shield installed. just by running those same tests against a cluster with X-Pack installed.
The REST tests are run automatically during the integration test phase The REST tests are run automatically during the integration test phase
(`mvn verify`). Some tests are blacklisted as they are known to fail against (`gradle integTest`). Some tests are blacklisted as they are known to fail against
shield due to different behaviours introduced by the security plugin. X-Pack due to different behaviours introduced by the security plugin.
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
mvn verify gradle integTest
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
`ShieldRestIT` is the executable test class that runs all the `XPackRestIT` is the executable test class that runs all the
yaml suites available within the `rest-api-spec` folder. yaml suites available within the `rest-api-spec` folder.

View File

@ -72,7 +72,7 @@ fi
export HOSTNAME=`hostname -s` export HOSTNAME=`hostname -s`
# include shield jars in classpath # include x-pack jars in classpath
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*" ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu) # don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
@ -96,7 +96,7 @@ if [ -e "$CONF_DIR" ]; then
fi fi
cd "$ES_HOME" > /dev/null cd "$ES_HOME" > /dev/null
"$JAVA" $ES_JAVA_OPTS -Des.path.home="$ES_HOME" -cp "$ES_CLASSPATH" org.elasticsearch.shield.crypto.tool.SystemKeyTool $properties "{args[@]}" "$JAVA" $ES_JAVA_OPTS -Des.path.home="$ES_HOME" -cp "$ES_CLASSPATH" org.elasticsearch.xpack.security.crypto.tool.SystemKeyTool $properties "{args[@]}"
status=$? status=$?
cd - > /dev/null cd - > /dev/null
exit $status exit $status

View File

@ -5,5 +5,5 @@ rem or more contributor license agreements. Licensed under the Elastic License;
rem you may not use this file except in compliance with the Elastic License. rem you may not use this file except in compliance with the Elastic License.
PUSHD "%~dp0" PUSHD "%~dp0"
CALL "%~dp0.in.bat" org.elasticsearch.shield.crypto.tool.SystemKeyTool %* CALL "%~dp0.in.bat" org.elasticsearch.xpack.security.crypto.tool.SystemKeyTool %*
POPD POPD

View File

@ -72,7 +72,7 @@ fi
export HOSTNAME=`hostname -s` export HOSTNAME=`hostname -s`
# include shield jars in classpath # include x-pack jars in classpath
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*" ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu) # don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
@ -96,7 +96,7 @@ if [ -e "$CONF_DIR" ]; then
fi fi
cd "$ES_HOME" > /dev/null cd "$ES_HOME" > /dev/null
"$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" org.elasticsearch.shield.authc.file.tool.UsersTool "${args[@]}" "$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" org.elasticsearch.xpack.security.authc.file.tool.UsersTool "${args[@]}"
status=$? status=$?
cd - > /dev/null cd - > /dev/null
exit $status exit $status

View File

@ -5,5 +5,5 @@ rem or more contributor license agreements. Licensed under the Elastic License;
rem you may not use this file except in compliance with the Elastic License. rem you may not use this file except in compliance with the Elastic License.
PUSHD "%~dp0" PUSHD "%~dp0"
CALL "%~dp0.in.bat" org.elasticsearch.shield.authc.file.tool.UsersTool %* CALL "%~dp0.in.bat" org.elasticsearch.xpack.security.authc.file.tool.UsersTool %*
POPD POPD

View File

@ -1,8 +1,8 @@
logger: logger:
shield.audit.logfile: INFO, access_log security.audit.logfile: INFO, access_log
additivity: additivity:
shield.audit.logfile: false security.audit.logfile: false
appender: appender:

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.Action; import org.elasticsearch.action.Action;
@ -15,8 +15,8 @@ import org.elasticsearch.client.Client;
import org.elasticsearch.client.FilterClient; import org.elasticsearch.client.FilterClient;
import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.AuthenticationService; import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.shield.user.XPackUser; import org.elasticsearch.xpack.security.user.XPackUser;
import java.io.IOException; import java.io.IOException;

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.action.ActionModule; import org.elasticsearch.action.ActionModule;
import org.elasticsearch.common.Booleans; import org.elasticsearch.common.Booleans;
@ -20,68 +20,68 @@ import org.elasticsearch.common.settings.Setting.Property;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.IndexModule; import org.elasticsearch.index.IndexModule;
import org.elasticsearch.shield.action.ShieldActionModule; import org.elasticsearch.xpack.security.action.SecurityActionModule;
import org.elasticsearch.shield.action.filter.ShieldActionFilter; import org.elasticsearch.xpack.security.action.filter.SecurityActionFilter;
import org.elasticsearch.shield.action.realm.ClearRealmCacheAction; import org.elasticsearch.xpack.security.action.realm.ClearRealmCacheAction;
import org.elasticsearch.shield.action.realm.TransportClearRealmCacheAction; import org.elasticsearch.xpack.security.action.realm.TransportClearRealmCacheAction;
import org.elasticsearch.shield.action.role.ClearRolesCacheAction; import org.elasticsearch.xpack.security.action.role.ClearRolesCacheAction;
import org.elasticsearch.shield.action.role.DeleteRoleAction; import org.elasticsearch.xpack.security.action.role.DeleteRoleAction;
import org.elasticsearch.shield.action.role.GetRolesAction; import org.elasticsearch.xpack.security.action.role.GetRolesAction;
import org.elasticsearch.shield.action.role.PutRoleAction; import org.elasticsearch.xpack.security.action.role.PutRoleAction;
import org.elasticsearch.shield.action.role.TransportClearRolesCacheAction; import org.elasticsearch.xpack.security.action.role.TransportClearRolesCacheAction;
import org.elasticsearch.shield.action.role.TransportDeleteRoleAction; import org.elasticsearch.xpack.security.action.role.TransportDeleteRoleAction;
import org.elasticsearch.shield.action.role.TransportGetRolesAction; import org.elasticsearch.xpack.security.action.role.TransportGetRolesAction;
import org.elasticsearch.shield.action.role.TransportPutRoleAction; import org.elasticsearch.xpack.security.action.role.TransportPutRoleAction;
import org.elasticsearch.shield.action.user.AuthenticateAction; import org.elasticsearch.xpack.security.action.user.AuthenticateAction;
import org.elasticsearch.shield.action.user.ChangePasswordAction; import org.elasticsearch.xpack.security.action.user.ChangePasswordAction;
import org.elasticsearch.shield.action.user.DeleteUserAction; import org.elasticsearch.xpack.security.action.user.DeleteUserAction;
import org.elasticsearch.shield.action.user.GetUsersAction; import org.elasticsearch.xpack.security.action.user.GetUsersAction;
import org.elasticsearch.shield.action.user.PutUserAction; import org.elasticsearch.xpack.security.action.user.PutUserAction;
import org.elasticsearch.shield.action.user.TransportAuthenticateAction; import org.elasticsearch.xpack.security.action.user.TransportAuthenticateAction;
import org.elasticsearch.shield.action.user.TransportChangePasswordAction; import org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction;
import org.elasticsearch.shield.action.user.TransportDeleteUserAction; import org.elasticsearch.xpack.security.action.user.TransportDeleteUserAction;
import org.elasticsearch.shield.action.user.TransportGetUsersAction; import org.elasticsearch.xpack.security.action.user.TransportGetUsersAction;
import org.elasticsearch.shield.action.user.TransportPutUserAction; import org.elasticsearch.xpack.security.action.user.TransportPutUserAction;
import org.elasticsearch.shield.audit.AuditTrailModule; import org.elasticsearch.xpack.security.audit.AuditTrailModule;
import org.elasticsearch.shield.audit.index.IndexAuditTrail; import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
import org.elasticsearch.shield.audit.index.IndexNameResolver; import org.elasticsearch.xpack.security.audit.index.IndexNameResolver;
import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail; import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.shield.authc.AuthenticationModule; import org.elasticsearch.xpack.security.authc.AuthenticationModule;
import org.elasticsearch.shield.authc.InternalAuthenticationService; import org.elasticsearch.xpack.security.authc.InternalAuthenticationService;
import org.elasticsearch.shield.authc.Realms; import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.shield.authc.esnative.NativeUsersStore; import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.shield.authc.ldap.support.SessionFactory; import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.shield.authz.AuthorizationModule; import org.elasticsearch.xpack.security.authz.AuthorizationModule;
import org.elasticsearch.shield.authz.InternalAuthorizationService; import org.elasticsearch.xpack.security.authz.InternalAuthorizationService;
import org.elasticsearch.shield.authz.accesscontrol.OptOutQueryCache; import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache;
import org.elasticsearch.shield.authz.accesscontrol.ShieldIndexSearcherWrapper; import org.elasticsearch.xpack.security.authz.accesscontrol.SecurityIndexSearcherWrapper;
import org.elasticsearch.shield.authz.store.FileRolesStore; import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
import org.elasticsearch.shield.authz.store.NativeRolesStore; import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
import org.elasticsearch.shield.crypto.CryptoModule; import org.elasticsearch.xpack.security.crypto.CryptoModule;
import org.elasticsearch.shield.crypto.InternalCryptoService; import org.elasticsearch.xpack.security.crypto.InternalCryptoService;
import org.elasticsearch.shield.rest.ShieldRestModule; import org.elasticsearch.xpack.security.rest.SecurityRestModule;
import org.elasticsearch.shield.rest.action.RestAuthenticateAction; import org.elasticsearch.xpack.security.rest.action.RestAuthenticateAction;
import org.elasticsearch.shield.rest.action.realm.RestClearRealmCacheAction; import org.elasticsearch.xpack.security.rest.action.realm.RestClearRealmCacheAction;
import org.elasticsearch.shield.rest.action.role.RestClearRolesCacheAction; import org.elasticsearch.xpack.security.rest.action.role.RestClearRolesCacheAction;
import org.elasticsearch.shield.rest.action.role.RestDeleteRoleAction; import org.elasticsearch.xpack.security.rest.action.role.RestDeleteRoleAction;
import org.elasticsearch.shield.rest.action.role.RestGetRolesAction; import org.elasticsearch.xpack.security.rest.action.role.RestGetRolesAction;
import org.elasticsearch.shield.rest.action.role.RestPutRoleAction; import org.elasticsearch.xpack.security.rest.action.role.RestPutRoleAction;
import org.elasticsearch.shield.rest.action.user.RestChangePasswordAction; import org.elasticsearch.xpack.security.rest.action.user.RestChangePasswordAction;
import org.elasticsearch.shield.rest.action.user.RestDeleteUserAction; import org.elasticsearch.xpack.security.rest.action.user.RestDeleteUserAction;
import org.elasticsearch.shield.rest.action.user.RestGetUsersAction; import org.elasticsearch.xpack.security.rest.action.user.RestGetUsersAction;
import org.elasticsearch.shield.rest.action.user.RestPutUserAction; import org.elasticsearch.xpack.security.rest.action.user.RestPutUserAction;
import org.elasticsearch.shield.ssl.SSLConfiguration; import org.elasticsearch.xpack.security.ssl.SSLConfiguration;
import org.elasticsearch.shield.ssl.SSLModule; import org.elasticsearch.xpack.security.ssl.SSLModule;
import org.elasticsearch.shield.support.OptionalSettings; import org.elasticsearch.xpack.security.support.OptionalSettings;
import org.elasticsearch.shield.transport.ShieldClientTransportService; import org.elasticsearch.xpack.security.transport.SecurityClientTransportService;
import org.elasticsearch.shield.transport.ShieldServerTransportService; import org.elasticsearch.xpack.security.transport.SecurityServerTransportService;
import org.elasticsearch.shield.transport.ShieldTransportModule; import org.elasticsearch.xpack.security.transport.SecurityTransportModule;
import org.elasticsearch.shield.transport.filter.IPFilter; import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport; import org.elasticsearch.xpack.security.transport.netty.SecurityNettyHttpServerTransport;
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport; import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
import org.elasticsearch.shield.user.AnonymousUser; import org.elasticsearch.xpack.security.user.AnonymousUser;
import org.elasticsearch.xpack.XPackPlugin; import org.elasticsearch.xpack.XPackPlugin;
import org.joda.time.DateTime; import org.joda.time.DateTime;
import org.joda.time.DateTimeZone; import org.joda.time.DateTimeZone;
@ -104,7 +104,6 @@ public class Security {
public static final String NAME = "security"; public static final String NAME = "security";
public static final String DLS_FLS_FEATURE = "security.dls_fls"; public static final String DLS_FLS_FEATURE = "security.dls_fls";
public static final String OPT_OUT_QUERY_CACHE = "opt_out_cache";
public static final Setting<Optional<String>> USER_SETTING = OptionalSettings.createString(setting("user"), Property.NodeScope); public static final Setting<Optional<String>> USER_SETTING = OptionalSettings.createString(setting("user"), Property.NodeScope);
private final Settings settings; private final Settings settings;
@ -129,7 +128,7 @@ public class Security {
return modules; return modules;
} }
modules.add(new SecurityModule(settings, securityLicenseState)); modules.add(new SecurityModule(settings, securityLicenseState));
modules.add(new ShieldTransportModule(settings)); modules.add(new SecurityTransportModule(settings));
modules.add(new SSLModule(settings)); modules.add(new SSLModule(settings));
return modules; return modules;
} }
@ -148,9 +147,9 @@ public class Security {
modules.add(new CryptoModule(settings)); modules.add(new CryptoModule(settings));
modules.add(new AuthorizationModule(settings)); modules.add(new AuthorizationModule(settings));
modules.add(new AuditTrailModule(settings)); modules.add(new AuditTrailModule(settings));
modules.add(new ShieldRestModule(settings)); modules.add(new SecurityRestModule(settings));
modules.add(new ShieldActionModule(settings)); modules.add(new SecurityActionModule(settings));
modules.add(new ShieldTransportModule(settings)); modules.add(new SecurityTransportModule(settings));
modules.add(new SSLModule(settings)); modules.add(new SSLModule(settings));
return modules; return modules;
} }
@ -181,7 +180,7 @@ public class Security {
settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME); settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME);
settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Security.NAME); settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Security.NAME);
settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Security.NAME); settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Security.NAME);
ShieldNettyHttpServerTransport.overrideSettings(settingsBuilder, settings); SecurityNettyHttpServerTransport.overrideSettings(settingsBuilder, settings);
addUserSettings(settingsBuilder); addUserSettings(settingsBuilder);
addTribeSettings(settingsBuilder); addTribeSettings(settingsBuilder);
return settingsBuilder.build(); return settingsBuilder.build();
@ -197,7 +196,7 @@ public class Security {
SSLConfiguration.Global.addSettings(settingsList); SSLConfiguration.Global.addSettings(settingsList);
// transport settings // transport settings
ShieldNettyTransport.addSettings(settingsList); SecurityNettyTransport.addSettings(settingsList);
if (transportClientMode) { if (transportClientMode) {
return settingsList; return settingsList;
@ -222,7 +221,7 @@ public class Security {
InternalAuthorizationService.addSettings(settingsList); InternalAuthorizationService.addSettings(settingsList);
// HTTP settings // HTTP settings
ShieldNettyHttpServerTransport.addSettings(settingsList); SecurityNettyHttpServerTransport.addSettings(settingsList);
// encryption settings // encryption settings
InternalCryptoService.addSettings(settingsList); InternalCryptoService.addSettings(settingsList);
@ -260,13 +259,13 @@ public class Security {
assert securityLicenseState != null; assert securityLicenseState != null;
if (flsDlsEnabled(settings)) { if (flsDlsEnabled(settings)) {
module.setSearcherWrapper((indexService) -> new ShieldIndexSearcherWrapper(indexService.getIndexSettings(), module.setSearcherWrapper((indexService) -> new SecurityIndexSearcherWrapper(indexService.getIndexSettings(),
indexService.newQueryShardContext(), indexService.mapperService(), indexService.newQueryShardContext(), indexService.mapperService(),
indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(), indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(),
securityLicenseState)); securityLicenseState));
} }
if (transportClientMode == false) { if (transportClientMode == false) {
/* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation. /* We need to forcefully overwrite the query cache implementation to use security's opt out query cache implementation.
* This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do * This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
* forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to * forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
* unauthorized users. */ * unauthorized users. */
@ -280,10 +279,10 @@ public class Security {
} }
// registering the security filter only for nodes // registering the security filter only for nodes
if (transportClientMode == false) { if (transportClientMode == false) {
module.registerFilter(ShieldActionFilter.class); module.registerFilter(SecurityActionFilter.class);
} }
// registering all shield actions // registering all security actions
module.registerAction(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class); module.registerAction(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class);
module.registerAction(ClearRolesCacheAction.INSTANCE, TransportClearRolesCacheAction.class); module.registerAction(ClearRolesCacheAction.INSTANCE, TransportClearRolesCacheAction.class);
module.registerAction(GetUsersAction.INSTANCE, TransportGetUsersAction.class); module.registerAction(GetUsersAction.INSTANCE, TransportGetUsersAction.class);
@ -300,15 +299,15 @@ public class Security {
if (transportClientMode) { if (transportClientMode) {
if (enabled) { if (enabled) {
module.registerTransport(Security.NAME, ShieldNettyTransport.class); module.registerTransport(Security.NAME, SecurityNettyTransport.class);
module.registerTransportService(Security.NAME, ShieldClientTransportService.class); module.registerTransportService(Security.NAME, SecurityClientTransportService.class);
} }
return; return;
} }
if (enabled) { if (enabled) {
module.registerTransport(Security.NAME, ShieldNettyTransport.class); module.registerTransport(Security.NAME, SecurityNettyTransport.class);
module.registerTransportService(Security.NAME, ShieldServerTransportService.class); module.registerTransportService(Security.NAME, SecurityServerTransportService.class);
module.registerRestHandler(RestAuthenticateAction.class); module.registerRestHandler(RestAuthenticateAction.class);
module.registerRestHandler(RestClearRealmCacheAction.class); module.registerRestHandler(RestClearRealmCacheAction.class);
module.registerRestHandler(RestClearRolesCacheAction.class); module.registerRestHandler(RestClearRolesCacheAction.class);
@ -319,7 +318,7 @@ public class Security {
module.registerRestHandler(RestPutRoleAction.class); module.registerRestHandler(RestPutRoleAction.class);
module.registerRestHandler(RestDeleteRoleAction.class); module.registerRestHandler(RestDeleteRoleAction.class);
module.registerRestHandler(RestChangePasswordAction.class); module.registerRestHandler(RestChangePasswordAction.class);
module.registerHttpTransport(Security.NAME, ShieldNettyHttpServerTransport.class); module.registerHttpTransport(Security.NAME, SecurityNettyHttpServerTransport.class);
} }
} }
@ -344,12 +343,12 @@ public class Security {
/** /**
* If the current node is a tribe node, we inject additional settings on each tribe client. We do this to make sure * If the current node is a tribe node, we inject additional settings on each tribe client. We do this to make sure
* that every tribe cluster has shield installed and is enabled. We do that by: * that every tribe cluster has x-pack installed and security is enabled. We do that by:
* *
* - making it mandatory on the tribe client (this means that the tribe node will fail at startup if shield is * - making it mandatory on the tribe client (this means that the tribe node will fail at startup if x-pack is
* not loaded on any tribe due to missing mandatory plugin) * not loaded on any tribe due to missing mandatory plugin)
* *
* - forcibly enabling it (that means it's not possible to disable shield on the tribe clients) * - forcibly enabling it (that means it's not possible to disable security on the tribe clients)
*/ */
private void addTribeSettings(Settings.Builder settingsBuilder) { private void addTribeSettings(Settings.Builder settingsBuilder) {
Map<String, Settings> tribesSettings = settings.getGroups("tribe", true); Map<String, Settings> tribesSettings = settings.getGroups("tribe", true);
@ -366,7 +365,7 @@ public class Security {
// otherwise (arrays don't get merged) // otherwise (arrays don't get merged)
String[] existingMandatoryPlugins = tribeSettings.getValue().getAsArray("plugin.mandatory", null); String[] existingMandatoryPlugins = tribeSettings.getValue().getAsArray("plugin.mandatory", null);
if (existingMandatoryPlugins == null) { if (existingMandatoryPlugins == null) {
//shield is mandatory on every tribe if installed and enabled on the tribe node //x-pack is mandatory on every tribe if installed and enabled on the tribe node
settingsBuilder.putArray(tribePrefix + "plugin.mandatory", XPackPlugin.NAME); settingsBuilder.putArray(tribePrefix + "plugin.mandatory", XPackPlugin.NAME);
} else { } else {
if (Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME) < 0) { if (Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME) < 0) {
@ -383,11 +382,11 @@ public class Security {
+ settings.get(tribeEnabledSetting) + "]"); + settings.get(tribeEnabledSetting) + "]");
} }
} else { } else {
//shield must be enabled on every tribe if it's enabled on the tribe node //x-pack security must be enabled on every tribe if it's enabled on the tribe node
settingsBuilder.put(tribeEnabledSetting, true); settingsBuilder.put(tribeEnabledSetting, true);
} }
// we passed all the checks now we need to copy in all of the shield settings // we passed all the checks now we need to copy in all of the x-pack security settings
for (Map.Entry<String, String> entry : settingsMap.entrySet()) { for (Map.Entry<String, String> entry : settingsMap.entrySet()) {
String key = entry.getKey(); String key = entry.getKey();
if (key.startsWith("xpack.security.")) { if (key.startsWith("xpack.security.")) {
@ -433,7 +432,7 @@ public class Security {
final String auditIndex = indexAuditingEnabled ? "," + IndexAuditTrail.INDEX_NAME_PREFIX + "*" : ""; final String auditIndex = indexAuditingEnabled ? "," + IndexAuditTrail.INDEX_NAME_PREFIX + "*" : "";
String errorMessage = LoggerMessageFormat.format("the [action.auto_create_index] setting value [{}] is too" + String errorMessage = LoggerMessageFormat.format("the [action.auto_create_index] setting value [{}] is too" +
" restrictive. disable [action.auto_create_index] or set it to " + " restrictive. disable [action.auto_create_index] or set it to " +
"[{}{}]", (Object) value, ShieldTemplateService.SECURITY_INDEX_NAME, auditIndex); "[{}{}]", (Object) value, SecurityTemplateService.SECURITY_INDEX_NAME, auditIndex);
if (Booleans.isExplicitFalse(value)) { if (Booleans.isExplicitFalse(value)) {
throw new IllegalArgumentException(errorMessage); throw new IllegalArgumentException(errorMessage);
} }
@ -444,7 +443,7 @@ public class Security {
String[] matches = Strings.commaDelimitedListToStringArray(value); String[] matches = Strings.commaDelimitedListToStringArray(value);
List<String> indices = new ArrayList<>(); List<String> indices = new ArrayList<>();
indices.add(ShieldTemplateService.SECURITY_INDEX_NAME); indices.add(SecurityTemplateService.SECURITY_INDEX_NAME);
if (indexAuditingEnabled) { if (indexAuditingEnabled) {
DateTime now = new DateTime(DateTimeZone.UTC); DateTime now = new DateTime(DateTimeZone.UTC);
// just use daily rollover // just use daily rollover
@ -487,7 +486,7 @@ public class Security {
logger.warn("the [action.auto_create_index] setting is configured to be restrictive [{}]. " + logger.warn("the [action.auto_create_index] setting is configured to be restrictive [{}]. " +
" for the next 6 months audit indices are allowed to be created, but please make sure" + " for the next 6 months audit indices are allowed to be created, but please make sure" +
" that any future history indices after 6 months with the pattern " + " that any future history indices after 6 months with the pattern " +
"[.shield_audit_log*] are allowed to be created", value); "[.security_audit_log*] are allowed to be created", value);
} }
} }
} }

View File

@ -3,14 +3,14 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.Authentication; import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.shield.authc.AuthenticationService; import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.shield.user.User; import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
import java.io.IOException; import java.io.IOException;

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.common.Nullable; import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Inject;
@ -13,9 +13,9 @@ import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable; import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.shield.authc.Realm; import org.elasticsearch.xpack.security.authc.Realm;
import org.elasticsearch.shield.authc.Realms; import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.shield.authc.esnative.ReservedRealm; import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.XPackFeatureSet; import org.elasticsearch.xpack.XPackFeatureSet;
import java.io.IOException; import java.io.IOException;

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.license.core.License.OperationMode; import org.elasticsearch.license.core.License.OperationMode;
import org.elasticsearch.license.plugin.core.LicenseState; import org.elasticsearch.license.plugin.core.LicenseState;
@ -11,7 +11,7 @@ import org.elasticsearch.license.plugin.core.Licensee.Status;
/** /**
* This class serves to decouple shield code that needs to check the license state from the {@link SecurityLicensee} as the * This class serves to decouple security code that needs to check the license state from the {@link SecurityLicensee} as the
* tight coupling causes issues with guice injection and circular dependencies * tight coupling causes issues with guice injection and circular dependencies
*/ */
public class SecurityLicenseState { public class SecurityLicenseState {

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
@ -20,19 +20,19 @@ import org.elasticsearch.license.plugin.core.LicenseeRegistry;
public class SecurityLicensee extends AbstractLicenseeComponent<SecurityLicensee> implements Licensee { public class SecurityLicensee extends AbstractLicenseeComponent<SecurityLicensee> implements Licensee {
private final boolean isTribeNode; private final boolean isTribeNode;
private final SecurityLicenseState shieldLicenseState; private final SecurityLicenseState securityLicenseState;
@Inject @Inject
public SecurityLicensee(Settings settings, LicenseeRegistry clientService, SecurityLicenseState shieldLicenseState) { public SecurityLicensee(Settings settings, LicenseeRegistry clientService, SecurityLicenseState securityLicenseState) {
super(settings, Security.NAME, clientService); super(settings, Security.NAME, clientService);
this.shieldLicenseState = shieldLicenseState; this.securityLicenseState = securityLicenseState;
this.isTribeNode = settings.getGroups("tribe", true).isEmpty() == false; this.isTribeNode = settings.getGroups("tribe", true).isEmpty() == false;
} }
@Override @Override
public void onChange(Status status) { public void onChange(Status status) {
super.onChange(status); super.onChange(status);
shieldLicenseState.updateStatus(status); securityLicenseState.updateStatus(status);
} }
@Override @Override

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.cluster.ClusterChangedEvent; import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.cluster.service.ClusterService;
@ -14,10 +14,10 @@ import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.inject.Provider; import org.elasticsearch.common.inject.Provider;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.AbstractRunnable; import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.shield.audit.AuditTrailModule; import org.elasticsearch.xpack.security.audit.AuditTrailModule;
import org.elasticsearch.shield.audit.index.IndexAuditTrail; import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
import org.elasticsearch.shield.authc.esnative.NativeUsersStore; import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.shield.authz.store.NativeRolesStore; import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
/** /**
@ -31,7 +31,7 @@ import org.elasticsearch.threadpool.ThreadPool;
* successful. This lifecycle service allows for this to happen by listening for {@link ClusterChangedEvent} and checking * successful. This lifecycle service allows for this to happen by listening for {@link ClusterChangedEvent} and checking
* if the services can start. Additionally, the service also provides hooks for stop and close functionality. * if the services can start. Additionally, the service also provides hooks for stop and close functionality.
*/ */
public class ShieldLifecycleService extends AbstractComponent implements ClusterStateListener { public class SecurityLifecycleService extends AbstractComponent implements ClusterStateListener {
private final Settings settings; private final Settings settings;
private final ThreadPool threadPool; private final ThreadPool threadPool;
@ -40,7 +40,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
private final NativeRolesStore nativeRolesStore; private final NativeRolesStore nativeRolesStore;
@Inject @Inject
public ShieldLifecycleService(Settings settings, ClusterService clusterService, ThreadPool threadPool, public SecurityLifecycleService(Settings settings, ClusterService clusterService, ThreadPool threadPool,
IndexAuditTrail indexAuditTrail, NativeUsersStore nativeUserStore, IndexAuditTrail indexAuditTrail, NativeUsersStore nativeUserStore,
NativeRolesStore nativeRolesStore, Provider<InternalClient> clientProvider) { NativeRolesStore nativeRolesStore, Provider<InternalClient> clientProvider) {
super(settings); super(settings);
@ -54,7 +54,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
clusterService.add(this); clusterService.add(this);
clusterService.add(nativeUserStore); clusterService.add(nativeUserStore);
clusterService.add(nativeRolesStore); clusterService.add(nativeRolesStore);
clusterService.add(new ShieldTemplateService(settings, clusterService, clientProvider, threadPool)); clusterService.add(new SecurityTemplateService(settings, clusterService, clientProvider, threadPool));
clusterService.addLifecycleListener(new LifecycleListener() { clusterService.addLifecycleListener(new LifecycleListener() {
@Override @Override
@ -78,7 +78,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
@Override @Override
public void onFailure(Throwable throwable) { public void onFailure(Throwable throwable) {
logger.error("failed to start native user store service", throwable); logger.error("failed to start native user store service", throwable);
assert false : "shield lifecycle services startup failed"; assert false : "security lifecycle services startup failed";
} }
@Override @Override
@ -97,7 +97,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
@Override @Override
public void onFailure(Throwable throwable) { public void onFailure(Throwable throwable) {
logger.error("failed to start native roles store services", throwable); logger.error("failed to start native roles store services", throwable);
assert false : "shield lifecycle services startup failed"; assert false : "security lifecycle services startup failed";
} }
@Override @Override
@ -119,7 +119,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
@Override @Override
public void onFailure(Throwable throwable) { public void onFailure(Throwable throwable) {
logger.error("failed to start index audit trail services", throwable); logger.error("failed to start index audit trail services", throwable);
assert false : "shield lifecycle services startup failed"; assert false : "security lifecycle services startup failed";
} }
@Override @Override

View File

@ -3,17 +3,17 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.common.inject.util.Providers; import org.elasticsearch.common.inject.util.Providers;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.support.AbstractShieldModule; import org.elasticsearch.xpack.security.support.AbstractSecurityModule;
import org.elasticsearch.xpack.XPackPlugin; import org.elasticsearch.xpack.XPackPlugin;
/** /**
* *
*/ */
public class SecurityModule extends AbstractShieldModule { public class SecurityModule extends AbstractSecurityModule {
private final SecurityLicenseState securityLicenseState; private final SecurityLicenseState securityLicenseState;
@ -36,10 +36,10 @@ public class SecurityModule extends AbstractShieldModule {
XPackPlugin.bindFeatureSet(binder(), SecurityFeatureSet.class); XPackPlugin.bindFeatureSet(binder(), SecurityFeatureSet.class);
if (shieldEnabled) { if (securityEnabled) {
bind(SecurityContext.Secure.class).asEagerSingleton(); bind(SecurityContext.Secure.class).asEagerSingleton();
bind(SecurityContext.class).to(SecurityContext.Secure.class); bind(SecurityContext.class).to(SecurityContext.Secure.class);
bind(ShieldLifecycleService.class).asEagerSingleton(); bind(SecurityLifecycleService.class).asEagerSingleton();
bind(InternalClient.Secure.class).asEagerSingleton(); bind(InternalClient.Secure.class).asEagerSingleton();
bind(InternalClient.class).to(InternalClient.Secure.class); bind(InternalClient.class).to(InternalClient.Secure.class);
} else { } else {

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield; package org.elasticsearch.xpack.security;
import org.elasticsearch.ElasticsearchException; import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest; import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
@ -28,10 +28,10 @@ import java.io.InputStream;
import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.atomic.AtomicBoolean;
/** /**
* ShieldTemplateService is responsible for adding the template needed for the * SecurityTemplateService is responsible for adding the template needed for the
* {@code .security} administrative index. * {@code .security} administrative index.
*/ */
public class ShieldTemplateService extends AbstractComponent implements ClusterStateListener { public class SecurityTemplateService extends AbstractComponent implements ClusterStateListener {
public static final String SECURITY_INDEX_NAME = ".security"; public static final String SECURITY_INDEX_NAME = ".security";
public static final String SECURITY_TEMPLATE_NAME = "security-index-template"; public static final String SECURITY_TEMPLATE_NAME = "security-index-template";
@ -40,7 +40,7 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
private final Provider<InternalClient> clientProvider; private final Provider<InternalClient> clientProvider;
private final AtomicBoolean templateCreationPending = new AtomicBoolean(false); private final AtomicBoolean templateCreationPending = new AtomicBoolean(false);
public ShieldTemplateService(Settings settings, ClusterService clusterService, public SecurityTemplateService(Settings settings, ClusterService clusterService,
Provider<InternalClient> clientProvider, ThreadPool threadPool) { Provider<InternalClient> clientProvider, ThreadPool threadPool) {
super(settings); super(settings);
this.threadPool = threadPool; this.threadPool = threadPool;
@ -48,23 +48,23 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
clusterService.add(this); clusterService.add(this);
} }
private void createShieldTemplate() { private void createSecurityTemplate() {
final Client client = clientProvider.get(); final Client client = clientProvider.get();
try (InputStream is = getClass().getResourceAsStream("/" + SECURITY_TEMPLATE_NAME + ".json")) { try (InputStream is = getClass().getResourceAsStream("/" + SECURITY_TEMPLATE_NAME + ".json")) {
ByteArrayOutputStream out = new ByteArrayOutputStream(); ByteArrayOutputStream out = new ByteArrayOutputStream();
Streams.copy(is, out); Streams.copy(is, out);
final byte[] template = out.toByteArray(); final byte[] template = out.toByteArray();
logger.debug("putting the shield index template"); logger.debug("putting the security index template");
PutIndexTemplateRequest putTemplateRequest = client.admin().indices() PutIndexTemplateRequest putTemplateRequest = client.admin().indices()
.preparePutTemplate(SECURITY_TEMPLATE_NAME).setSource(template).request(); .preparePutTemplate(SECURITY_TEMPLATE_NAME).setSource(template).request();
PutIndexTemplateResponse templateResponse = client.admin().indices().putTemplate(putTemplateRequest).get(); PutIndexTemplateResponse templateResponse = client.admin().indices().putTemplate(putTemplateRequest).get();
if (templateResponse.isAcknowledged() == false) { if (templateResponse.isAcknowledged() == false) {
throw new ElasticsearchException("adding template for shield admin index was not acknowledged"); throw new ElasticsearchException("adding template for security index was not acknowledged");
} }
} catch (Exception e) { } catch (Exception e) {
logger.error("failed to create shield admin index template [{}]", logger.error("failed to create security index template [{}]",
e, SECURITY_INDEX_NAME); e, SECURITY_INDEX_NAME);
throw new IllegalStateException("failed to create shield admin index template [" + throw new IllegalStateException("failed to create security index template [" +
SECURITY_INDEX_NAME + "]", e); SECURITY_INDEX_NAME + "]", e);
} }
} }
@ -72,15 +72,15 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
@Override @Override
public void clusterChanged(ClusterChangedEvent event) { public void clusterChanged(ClusterChangedEvent event) {
if (event.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) { if (event.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
// wait until the gateway has recovered from disk, otherwise we think may not have .shield-audit- // wait until the gateway has recovered from disk, otherwise we think may not have .security-audit-
// but they may not have been restored from the cluster state on disk // but they may not have been restored from the cluster state on disk
logger.debug("template service waiting until state has been recovered"); logger.debug("template service waiting until state has been recovered");
return; return;
} }
IndexRoutingTable shieldIndexRouting = event.state().routingTable().index(SECURITY_INDEX_NAME); IndexRoutingTable securityIndexRouting = event.state().routingTable().index(SECURITY_INDEX_NAME);
if (shieldIndexRouting == null) { if (securityIndexRouting == null) {
if (event.localNodeMaster()) { if (event.localNodeMaster()) {
ClusterState state = event.state(); ClusterState state = event.state();
// TODO for the future need to add some checking in the event the template needs to be updated... // TODO for the future need to add some checking in the event the template needs to be updated...
@ -91,14 +91,14 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
threadPool.generic().execute(new AbstractRunnable() { threadPool.generic().execute(new AbstractRunnable() {
@Override @Override
public void onFailure(Throwable t) { public void onFailure(Throwable t) {
logger.warn("failed to create shield admin template", t); logger.warn("failed to create security index template", t);
templateCreationPending.set(false); templateCreationPending.set(false);
} }
@Override @Override
protected void doRun() throws Exception { protected void doRun() throws Exception {
if (createTemplate) { if (createTemplate) {
createShieldTemplate(); createSecurityTemplate();
} }
templateCreationPending.set(false); templateCreationPending.set(false);
} }

View File

@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.shield.action; package org.elasticsearch.xpack.security.action;
import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction; import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction;
import org.elasticsearch.action.admin.indices.analyze.AnalyzeRequest; import org.elasticsearch.action.admin.indices.analyze.AnalyzeRequest;
@ -12,18 +12,18 @@ import org.elasticsearch.action.search.ClearScrollRequest;
import org.elasticsearch.transport.TransportRequest; import org.elasticsearch.transport.TransportRequest;
/** /**
* This class analyzes an incoming request and its action name, and returns the shield action name for it. * This class analyzes an incoming request and its action name, and returns the security action name for it.
* In many cases the action name is the same as the original one used in es core, but in some exceptional cases it might need * In many cases the action name is the same as the original one used in es core, but in some exceptional cases it might need
* to be converted. For instance a clear_scroll that targets all opened scrolls gets converted to a different action that requires * to be converted. For instance a clear_scroll that targets all opened scrolls gets converted to a different action that requires
* cluster privileges instead of the default indices privileges, still valid for clear scrolls that target specific scroll ids. * cluster privileges instead of the default indices privileges, still valid for clear scrolls that target specific scroll ids.
*/ */
public class ShieldActionMapper { public class SecurityActionMapper {
static final String CLUSTER_PERMISSION_SCROLL_CLEAR_ALL_NAME = "cluster:admin/indices/scroll/clear_all"; static final String CLUSTER_PERMISSION_SCROLL_CLEAR_ALL_NAME = "cluster:admin/indices/scroll/clear_all";
static final String CLUSTER_PERMISSION_ANALYZE = "cluster:admin/analyze"; static final String CLUSTER_PERMISSION_ANALYZE = "cluster:admin/analyze";
/** /**
* Returns the shield specific action name given the incoming action name and request * Returns the security specific action name given the incoming action name and request
*/ */
public String action(String action, TransportRequest request) { public String action(String action, TransportRequest request) {
switch (action) { switch (action) {

Some files were not shown because too many files have changed in this diff Show More