security: remove use of shield in files and directory names
This commit removes as much of the use of shield as possible in the source code. See elastic/elasticsearch#2383 Original commit: elastic/x-pack-elasticsearch@00009cc06e
This commit is contained in:
parent
0fcbf8c6ca
commit
c024dbfc49
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield.audit;
|
package org.elasticsearch.xpack.security.audit;
|
||||||
|
|
||||||
import com.carrotsearch.hppc.cursors.ObjectCursor;
|
import com.carrotsearch.hppc.cursors.ObjectCursor;
|
||||||
import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateResponse;
|
import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateResponse;
|
||||||
|
@ -14,10 +14,10 @@ import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.index.query.QueryBuilders;
|
import org.elasticsearch.index.query.QueryBuilders;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
import org.elasticsearch.shield.audit.index.IndexAuditTrail;
|
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
|
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||||
import org.elasticsearch.test.ESIntegTestCase;
|
import org.elasticsearch.test.ESIntegTestCase;
|
||||||
import org.elasticsearch.test.rest.client.http.HttpResponse;
|
import org.elasticsearch.test.rest.client.http.HttpResponse;
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
import org.elasticsearch.xpack.XPackPlugin;
|
||||||
|
@ -35,7 +35,7 @@ public class IndexAuditIT extends ESIntegTestCase {
|
||||||
private static final String USER = "test_user";
|
private static final String USER = "test_user";
|
||||||
private static final String PASS = "changeme";
|
private static final String PASS = "changeme";
|
||||||
|
|
||||||
public void testShieldIndexAuditTrailWorking() throws Exception {
|
public void testIndexAuditTrailWorking() throws Exception {
|
||||||
HttpResponse response = httpClient().path("/")
|
HttpResponse response = httpClient().path("/")
|
||||||
.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(USER, new SecuredString(PASS.toCharArray())))
|
.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(USER, new SecuredString(PASS.toCharArray())))
|
||||||
.execute();
|
.execute();
|
||||||
|
@ -48,7 +48,7 @@ public class IndexAuditIT extends ESIntegTestCase {
|
||||||
ClusterState state = client().admin().cluster().prepareState().get().getState();
|
ClusterState state = client().admin().cluster().prepareState().get().getState();
|
||||||
lastClusterState.set(state);
|
lastClusterState.set(state);
|
||||||
for (ObjectCursor<String> cursor : state.getMetaData().getIndices().keys()) {
|
for (ObjectCursor<String> cursor : state.getMetaData().getIndices().keys()) {
|
||||||
if (cursor.value.startsWith(".shield_audit_log")) {
|
if (cursor.value.startsWith(".security_audit_log")) {
|
||||||
logger.info("found audit index [{}]", cursor.value);
|
logger.info("found audit index [{}]", cursor.value);
|
||||||
indexExists.set(true);
|
indexExists.set(true);
|
||||||
break;
|
break;
|
||||||
|
@ -60,11 +60,11 @@ public class IndexAuditIT extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ensureYellow(".shield_audit_log*");
|
ensureYellow(".security_audit_log*");
|
||||||
ClusterState state = client().admin().cluster().prepareState().get().getState();
|
ClusterState state = client().admin().cluster().prepareState().get().getState();
|
||||||
lastClusterState.set(state);
|
lastClusterState.set(state);
|
||||||
client().admin().indices().prepareRefresh().get();
|
client().admin().indices().prepareRefresh().get();
|
||||||
return client().prepareSearch(".shield_audit_log*").setQuery(QueryBuilders.matchQuery("principal", USER))
|
return client().prepareSearch(".security_audit_log*").setQuery(QueryBuilders.matchQuery("principal", USER))
|
||||||
.get().getHits().totalHits() > 0;
|
.get().getHits().totalHits() > 0;
|
||||||
}, 10L, TimeUnit.SECONDS);
|
}, 10L, TimeUnit.SECONDS);
|
||||||
|
|
||||||
|
@ -73,7 +73,7 @@ public class IndexAuditIT extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
assertThat(found, is(true));
|
assertThat(found, is(true));
|
||||||
|
|
||||||
SearchResponse searchResponse = client().prepareSearch(".shield_audit_log*").setQuery(
|
SearchResponse searchResponse = client().prepareSearch(".security_audit_log*").setQuery(
|
||||||
QueryBuilders.matchQuery("principal", USER)).get();
|
QueryBuilders.matchQuery("principal", USER)).get();
|
||||||
assertThat(searchResponse.getHits().getHits().length, greaterThan(0));
|
assertThat(searchResponse.getHits().getHits().length, greaterThan(0));
|
||||||
assertThat((String) searchResponse.getHits().getAt(0).sourceAsMap().get("principal"), is(USER));
|
assertThat((String) searchResponse.getHits().getAt(0).sourceAsMap().get("principal"), is(USER));
|
|
@ -3,20 +3,20 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import com.carrotsearch.randomizedtesting.annotations.Name;
|
import com.carrotsearch.randomizedtesting.annotations.Name;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
|
|
||||||
public class RestIT extends ESRestTestCase {
|
public class RestIT extends ESRestTestCase {
|
||||||
|
|
|
@ -57,7 +57,7 @@ public class GroovyManualExecutionIT extends AbstractWatcherIntegrationTestCase
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected boolean enableShield() {
|
protected boolean enableSecurity() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -41,7 +41,7 @@ public class GroovyScriptConditionIT extends AbstractWatcherIntegrationTestCase
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected boolean enableShield() {
|
protected boolean enableSecurity() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -41,8 +41,8 @@ public class HistoryTemplateTransformMappingsIT extends AbstractWatcherIntegrati
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected boolean enableShield() {
|
protected boolean enableSecurity() {
|
||||||
return false; // remove shield noise from this test
|
return false; // remove security noise from this test
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testTransformFields() throws Exception {
|
public void testTransformFields() throws Exception {
|
||||||
|
|
|
@ -48,7 +48,7 @@ public class HipChatServiceIT extends AbstractWatcherIntegrationTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected boolean enableShield() {
|
protected boolean enableSecurity() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -72,7 +72,7 @@ public class NoMasterNodeIT extends AbstractWatcherIntegrationTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected boolean enableShield() {
|
protected boolean enableSecurity() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -50,7 +50,7 @@ public class PagerDutyServiceIT extends AbstractWatcherIntegrationTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected boolean enableShield() {
|
protected boolean enableSecurity() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,6 @@
|
||||||
package org.elasticsearch.messy.tests;
|
package org.elasticsearch.messy.tests;
|
||||||
|
|
||||||
import org.elasticsearch.Version;
|
import org.elasticsearch.Version;
|
||||||
import org.elasticsearch.action.index.IndexRequest;
|
|
||||||
import org.elasticsearch.action.search.SearchPhaseExecutionException;
|
import org.elasticsearch.action.search.SearchPhaseExecutionException;
|
||||||
import org.elasticsearch.action.search.SearchResponse;
|
import org.elasticsearch.action.search.SearchResponse;
|
||||||
import org.elasticsearch.common.bytes.BytesArray;
|
import org.elasticsearch.common.bytes.BytesArray;
|
||||||
|
@ -17,9 +16,9 @@ import org.elasticsearch.script.ScriptService;
|
||||||
import org.elasticsearch.script.Template;
|
import org.elasticsearch.script.Template;
|
||||||
import org.elasticsearch.script.mustache.MustachePlugin;
|
import org.elasticsearch.script.mustache.MustachePlugin;
|
||||||
import org.elasticsearch.script.mustache.MustacheScriptEngineService;
|
import org.elasticsearch.script.mustache.MustacheScriptEngineService;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.ShieldIntegTestCase;
|
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||||
import org.elasticsearch.test.ShieldSettingsSource;
|
import org.elasticsearch.test.SecuritySettingsSource;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
|
|
||||||
|
@ -27,12 +26,12 @@ import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.hamcrest.Matchers.containsString;
|
import static org.hamcrest.Matchers.containsString;
|
||||||
import static org.hamcrest.Matchers.is;
|
import static org.hamcrest.Matchers.is;
|
||||||
|
|
||||||
@ShieldIntegTestCase.AwaitsFix(bugUrl = "clean up test to not use mustache templates, otherwise needs many resources here")
|
@SecurityIntegTestCase.AwaitsFix(bugUrl = "clean up test to not use mustache templates, otherwise needs many resources here")
|
||||||
public class ShieldCachePermissionIT extends ShieldIntegTestCase {
|
public class SecurityCachePermissionIT extends SecurityIntegTestCase {
|
||||||
static final String READ_ONE_IDX_USER = "read_user";
|
static final String READ_ONE_IDX_USER = "read_user";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -46,7 +45,7 @@ public class ShieldCachePermissionIT extends ShieldIntegTestCase {
|
||||||
@Override
|
@Override
|
||||||
public String configUsers() {
|
public String configUsers() {
|
||||||
return super.configUsers()
|
return super.configUsers()
|
||||||
+ READ_ONE_IDX_USER + ":" + ShieldSettingsSource.DEFAULT_PASSWORD_HASHED + "\n";
|
+ READ_ONE_IDX_USER + ":" + SecuritySettingsSource.DEFAULT_PASSWORD_HASHED + "\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
|
@ -47,7 +47,7 @@ public class SlackServiceIT extends AbstractWatcherIntegrationTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected boolean enableShield() {
|
protected boolean enableSecurity() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -20,12 +20,4 @@
|
||||||
* </ul>
|
* </ul>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
// renames that took place:
|
|
||||||
// renamed: x-pack/watcher/src/test/java/org/elasticsearch/watcher/input/search/SearchInputTests.java ->
|
|
||||||
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchInputTests.java
|
|
||||||
// renamed: x-pack/watcher/src/test/java/org/elasticsearch/watcher/transform/search/SearchTransformTests.java ->
|
|
||||||
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformTests.java
|
|
||||||
// renamed: x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldCachePermissionTests.java ->
|
|
||||||
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/ShieldCachePermissionTests.java
|
|
||||||
|
|
||||||
package org.elasticsearch.messy.tests;
|
package org.elasticsearch.messy.tests;
|
||||||
|
|
|
@ -8,7 +8,7 @@ admin:
|
||||||
- '*'
|
- '*'
|
||||||
|
|
||||||
# Search and write on both source and destination indices. It should work if you could just search on the source and
|
# Search and write on both source and destination indices. It should work if you could just search on the source and
|
||||||
# write to the destination but that isn't how shield works.
|
# write to the destination but that isn't how security works.
|
||||||
minimal:
|
minimal:
|
||||||
indices:
|
indices:
|
||||||
- names: source
|
- names: source
|
|
@ -3,20 +3,20 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import com.carrotsearch.randomizedtesting.annotations.Name;
|
import com.carrotsearch.randomizedtesting.annotations.Name;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
|
|
||||||
public class RestIT extends ESRestTestCase {
|
public class RestIT extends ESRestTestCase {
|
||||||
private static final String USER = "test_admin";
|
private static final String USER = "test_admin";
|
||||||
|
@ -32,7 +32,7 @@ public class RestIT extends ESRestTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* All tests run as a an administrative user but use <code>es-shield-runas-user</code> to become a less privileged user.
|
* All tests run as a an administrative user but use <code>es-security-runas-user</code> to become a less privileged user.
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
protected Settings restClientSettings() {
|
protected Settings restClientSettings() {
|
|
@ -32,7 +32,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: powerful_user}
|
headers: {es-security-runas-user: powerful_user}
|
||||||
reindex:
|
reindex:
|
||||||
refresh: true
|
refresh: true
|
||||||
body:
|
body:
|
||||||
|
@ -65,7 +65,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: minimal_user}
|
headers: {es-security-runas-user: minimal_user}
|
||||||
reindex:
|
reindex:
|
||||||
refresh: true
|
refresh: true
|
||||||
body:
|
body:
|
||||||
|
@ -98,7 +98,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: readonly_user}
|
headers: {es-security-runas-user: readonly_user}
|
||||||
catch: forbidden
|
catch: forbidden
|
||||||
reindex:
|
reindex:
|
||||||
body:
|
body:
|
||||||
|
@ -120,7 +120,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: dest_only_user}
|
headers: {es-security-runas-user: dest_only_user}
|
||||||
catch: forbidden
|
catch: forbidden
|
||||||
reindex:
|
reindex:
|
||||||
body:
|
body:
|
||||||
|
@ -147,7 +147,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: dest_only_user}
|
headers: {es-security-runas-user: dest_only_user}
|
||||||
catch: forbidden
|
catch: forbidden
|
||||||
reindex:
|
reindex:
|
||||||
refresh: true
|
refresh: true
|
||||||
|
@ -194,7 +194,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: can_not_see_hidden_docs_user}
|
headers: {es-security-runas-user: can_not_see_hidden_docs_user}
|
||||||
reindex:
|
reindex:
|
||||||
refresh: true
|
refresh: true
|
||||||
body:
|
body:
|
||||||
|
@ -237,7 +237,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: can_not_see_hidden_fields_user}
|
headers: {es-security-runas-user: can_not_see_hidden_fields_user}
|
||||||
reindex:
|
reindex:
|
||||||
refresh: true
|
refresh: true
|
||||||
body:
|
body:
|
||||||
|
@ -287,7 +287,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: can_not_see_hidden_docs_user}
|
headers: {es-security-runas-user: can_not_see_hidden_docs_user}
|
||||||
reindex:
|
reindex:
|
||||||
body:
|
body:
|
||||||
source:
|
source:
|
||||||
|
@ -308,7 +308,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: can_not_see_hidden_fields_user}
|
headers: {es-security-runas-user: can_not_see_hidden_fields_user}
|
||||||
reindex:
|
reindex:
|
||||||
body:
|
body:
|
||||||
source:
|
source:
|
|
@ -41,7 +41,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: powerful_user}
|
headers: {es-security-runas-user: powerful_user}
|
||||||
update_by_query:
|
update_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
index: source
|
index: source
|
||||||
|
@ -72,7 +72,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: minimal_user}
|
headers: {es-security-runas-user: minimal_user}
|
||||||
update_by_query:
|
update_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
index: source
|
index: source
|
||||||
|
@ -103,7 +103,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: readonly_user}
|
headers: {es-security-runas-user: readonly_user}
|
||||||
catch: forbidden
|
catch: forbidden
|
||||||
update_by_query:
|
update_by_query:
|
||||||
index: source
|
index: source
|
||||||
|
@ -121,7 +121,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: dest_only_user}
|
headers: {es-security-runas-user: dest_only_user}
|
||||||
catch: forbidden
|
catch: forbidden
|
||||||
update_by_query:
|
update_by_query:
|
||||||
index: source
|
index: source
|
||||||
|
@ -145,7 +145,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: can_not_see_hidden_docs_user}
|
headers: {es-security-runas-user: can_not_see_hidden_docs_user}
|
||||||
update_by_query:
|
update_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
index: source
|
index: source
|
||||||
|
@ -191,7 +191,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: can_not_see_hidden_fields_user}
|
headers: {es-security-runas-user: can_not_see_hidden_fields_user}
|
||||||
update_by_query:
|
update_by_query:
|
||||||
index: source
|
index: source
|
||||||
body:
|
body:
|
|
@ -37,7 +37,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: powerful_user}
|
headers: {es-security-runas-user: powerful_user}
|
||||||
delete_by_query:
|
delete_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
index: source
|
index: source
|
||||||
|
@ -64,7 +64,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: minimal_user}
|
headers: {es-security-runas-user: minimal_user}
|
||||||
delete_by_query:
|
delete_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
index: source
|
index: source
|
||||||
|
@ -91,7 +91,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: readonly_user}
|
headers: {es-security-runas-user: readonly_user}
|
||||||
catch: forbidden
|
catch: forbidden
|
||||||
delete_by_query:
|
delete_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
|
@ -118,7 +118,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: dest_only_user}
|
headers: {es-security-runas-user: dest_only_user}
|
||||||
catch: forbidden
|
catch: forbidden
|
||||||
delete_by_query:
|
delete_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
|
@ -151,7 +151,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: can_not_see_hidden_docs_user}
|
headers: {es-security-runas-user: can_not_see_hidden_docs_user}
|
||||||
delete_by_query:
|
delete_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
index: source
|
index: source
|
||||||
|
@ -212,7 +212,7 @@
|
||||||
indices.refresh: {}
|
indices.refresh: {}
|
||||||
|
|
||||||
- do:
|
- do:
|
||||||
headers: {es-shield-runas-user: can_not_see_hidden_fields_user}
|
headers: {es-security-runas-user: can_not_see_hidden_fields_user}
|
||||||
delete_by_query:
|
delete_by_query:
|
||||||
refresh: true
|
refresh: true
|
||||||
index: source
|
index: source
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield.qa;
|
package org.elasticsearch.xpack.security.qa;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.ElasticsearchSecurityException;
|
||||||
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
|
||||||
|
@ -13,8 +13,8 @@ import org.elasticsearch.client.transport.TransportClient;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.transport.TransportAddress;
|
import org.elasticsearch.common.transport.TransportAddress;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.ESIntegTestCase;
|
import org.elasticsearch.test.ESIntegTestCase;
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
import org.elasticsearch.xpack.XPackPlugin;
|
||||||
|
|
||||||
|
@ -23,14 +23,14 @@ import java.util.Collections;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.concurrent.TimeUnit;
|
import java.util.concurrent.TimeUnit;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.hamcrest.Matchers.containsString;
|
import static org.hamcrest.Matchers.containsString;
|
||||||
import static org.hamcrest.Matchers.is;
|
import static org.hamcrest.Matchers.is;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Integration tests that test a transport client with Shield being loaded that connect to an external cluster
|
* Integration tests that test a transport client with security being loaded that connect to an external cluster
|
||||||
*/
|
*/
|
||||||
public class ShieldTransportClientIT extends ESIntegTestCase {
|
public class SecurityTransportClientIT extends ESIntegTestCase {
|
||||||
static final String ADMIN_USER_PW = "test_user:changeme";
|
static final String ADMIN_USER_PW = "test_user:changeme";
|
||||||
static final String TRANSPORT_USER_PW = "transport:changeme";
|
static final String TRANSPORT_USER_PW = "transport:changeme";
|
||||||
|
|
|
@ -8,7 +8,7 @@ package org.elasticsearch.example;
|
||||||
import org.elasticsearch.example.realm.CustomAuthenticationFailureHandler;
|
import org.elasticsearch.example.realm.CustomAuthenticationFailureHandler;
|
||||||
import org.elasticsearch.example.realm.CustomRealm;
|
import org.elasticsearch.example.realm.CustomRealm;
|
||||||
import org.elasticsearch.example.realm.CustomRealmFactory;
|
import org.elasticsearch.example.realm.CustomRealmFactory;
|
||||||
import org.elasticsearch.shield.authc.AuthenticationModule;
|
import org.elasticsearch.xpack.security.authc.AuthenticationModule;
|
||||||
import org.elasticsearch.xpack.extensions.XPackExtension;
|
import org.elasticsearch.xpack.extensions.XPackExtension;
|
||||||
|
|
||||||
import java.security.AccessController;
|
import java.security.AccessController;
|
|
@ -8,8 +8,8 @@ package org.elasticsearch.example.realm;
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.ElasticsearchSecurityException;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.rest.RestRequest;
|
import org.elasticsearch.rest.RestRequest;
|
||||||
import org.elasticsearch.shield.authc.AuthenticationToken;
|
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
|
||||||
import org.elasticsearch.shield.authc.DefaultAuthenticationFailureHandler;
|
import org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler;
|
||||||
import org.elasticsearch.transport.TransportMessage;
|
import org.elasticsearch.transport.TransportMessage;
|
||||||
|
|
||||||
public class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler {
|
public class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler {
|
|
@ -6,12 +6,12 @@
|
||||||
package org.elasticsearch.example.realm;
|
package org.elasticsearch.example.realm;
|
||||||
|
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.user.User;
|
import org.elasticsearch.xpack.security.user.User;
|
||||||
import org.elasticsearch.shield.authc.AuthenticationToken;
|
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
|
||||||
import org.elasticsearch.shield.authc.Realm;
|
import org.elasticsearch.xpack.security.authc.Realm;
|
||||||
import org.elasticsearch.shield.authc.RealmConfig;
|
import org.elasticsearch.xpack.security.authc.RealmConfig;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
|
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||||
|
|
||||||
public class CustomRealm extends Realm<UsernamePasswordToken> {
|
public class CustomRealm extends Realm<UsernamePasswordToken> {
|
||||||
|
|
|
@ -7,8 +7,8 @@ package org.elasticsearch.example.realm;
|
||||||
|
|
||||||
import org.elasticsearch.common.inject.Inject;
|
import org.elasticsearch.common.inject.Inject;
|
||||||
import org.elasticsearch.rest.RestController;
|
import org.elasticsearch.rest.RestController;
|
||||||
import org.elasticsearch.shield.authc.Realm;
|
import org.elasticsearch.xpack.security.authc.Realm;
|
||||||
import org.elasticsearch.shield.authc.RealmConfig;
|
import org.elasticsearch.xpack.security.authc.RealmConfig;
|
||||||
|
|
||||||
public class CustomRealmFactory extends Realm.Factory<CustomRealm> {
|
public class CustomRealmFactory extends Realm.Factory<CustomRealm> {
|
||||||
|
|
|
@ -6,10 +6,10 @@
|
||||||
package org.elasticsearch.example.realm;
|
package org.elasticsearch.example.realm;
|
||||||
|
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.shield.user.User;
|
import org.elasticsearch.xpack.security.user.User;
|
||||||
import org.elasticsearch.shield.authc.RealmConfig;
|
import org.elasticsearch.xpack.security.authc.RealmConfig;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
|
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||||
import org.elasticsearch.test.ESTestCase;
|
import org.elasticsearch.test.ESTestCase;
|
||||||
|
|
||||||
import static org.hamcrest.Matchers.equalTo;
|
import static org.hamcrest.Matchers.equalTo;
|
|
@ -1,114 +0,0 @@
|
||||||
<?xml version="1.0"?>
|
|
||||||
<!--
|
|
||||||
~ ELASTICSEARCH CONFIDENTIAL
|
|
||||||
~ __________________
|
|
||||||
~
|
|
||||||
~ [2014] Elasticsearch Incorporated. All Rights Reserved.
|
|
||||||
~
|
|
||||||
~ NOTICE: All information contained herein is, and remains
|
|
||||||
~ the property of Elasticsearch Incorporated and its suppliers,
|
|
||||||
~ if any. The intellectual and technical concepts contained
|
|
||||||
~ herein are proprietary to Elasticsearch Incorporated
|
|
||||||
~ and its suppliers and may be covered by U.S. and Foreign Patents,
|
|
||||||
~ patents in process, and are protected by trade secret or copyright law.
|
|
||||||
~ Dissemination of this information or reproduction of this material
|
|
||||||
~ is strictly forbidden unless prior written permission is obtained
|
|
||||||
~ from Elasticsearch Incorporated.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<project name="smoke-test-watcher-and-shield"
|
|
||||||
xmlns:ac="antlib:net.sf.antcontrib">
|
|
||||||
|
|
||||||
<import file="${elasticsearch.integ.antfile.default}"/>
|
|
||||||
|
|
||||||
<!-- redefined to work with auth -->
|
|
||||||
<macrodef name="waitfor-elasticsearch">
|
|
||||||
<attribute name="port"/>
|
|
||||||
<attribute name="timeoutproperty"/>
|
|
||||||
<sequential>
|
|
||||||
<echo>Waiting for elasticsearch to become available on port @{port}...</echo>
|
|
||||||
<waitfor maxwait="30" maxwaitunit="second"
|
|
||||||
checkevery="500" checkeveryunit="millisecond"
|
|
||||||
timeoutproperty="@{timeoutproperty}">
|
|
||||||
<socket server="127.0.0.1" port="@{port}"/>
|
|
||||||
</waitfor>
|
|
||||||
</sequential>
|
|
||||||
</macrodef>
|
|
||||||
|
|
||||||
<target name="start-external-cluster-with-found-license-and-shield" depends="setup-workspace">
|
|
||||||
<ac:for list="${xplugins.list}" param="xplugin.name">
|
|
||||||
<sequential>
|
|
||||||
<fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}">
|
|
||||||
<condition>
|
|
||||||
<not>
|
|
||||||
<available file="${integ.deps}/plugins/@{xplugin.name}-${elasticsearch.version}.zip" />
|
|
||||||
</not>
|
|
||||||
</condition>
|
|
||||||
</fail>
|
|
||||||
</sequential>
|
|
||||||
</ac:for>
|
|
||||||
|
|
||||||
<ac:for param="file">
|
|
||||||
<path>
|
|
||||||
<fileset dir="${integ.deps}/plugins"/>
|
|
||||||
</path>
|
|
||||||
<sequential>
|
|
||||||
<local name="plugin.name"/>
|
|
||||||
<convert-plugin-name file="@{file}" outputproperty="plugin.name"/>
|
|
||||||
<install-plugin name="${plugin.name}" file="@{file}"/>
|
|
||||||
</sequential>
|
|
||||||
</ac:for>
|
|
||||||
|
|
||||||
<local name="home"/>
|
|
||||||
<property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/>
|
|
||||||
|
|
||||||
<echo>Adding roles.yml with watcher roles</echo>
|
|
||||||
<copy file="watcher-with-shield-roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/>
|
|
||||||
|
|
||||||
<echo>Adding shield users...</echo>
|
|
||||||
<run-script script="${home}/bin/x-pack/esusers">
|
|
||||||
<nested>
|
|
||||||
<arg value="useradd"/>
|
|
||||||
<arg value="test_admin"/>
|
|
||||||
<arg value="-p"/>
|
|
||||||
<arg value="changeme"/>
|
|
||||||
<arg value="-r"/>
|
|
||||||
<arg value="admin"/>
|
|
||||||
</nested>
|
|
||||||
</run-script>
|
|
||||||
<run-script script="${home}/bin/x-pack/esusers">
|
|
||||||
<nested>
|
|
||||||
<arg value="useradd"/>
|
|
||||||
<arg value="watcher_manager"/>
|
|
||||||
<arg value="-p"/>
|
|
||||||
<arg value="changeme"/>
|
|
||||||
<arg value="-r"/>
|
|
||||||
<arg value="watcher_manager"/>
|
|
||||||
</nested>
|
|
||||||
</run-script>
|
|
||||||
<run-script script="${home}/bin/x-pack/esusers">
|
|
||||||
<nested>
|
|
||||||
<arg value="useradd"/>
|
|
||||||
<arg value="powerless_user"/>
|
|
||||||
<arg value="-p"/>
|
|
||||||
<arg value="changeme"/>
|
|
||||||
<arg value="-r"/>
|
|
||||||
<arg value="crapy_role"/>
|
|
||||||
</nested>
|
|
||||||
</run-script>
|
|
||||||
|
|
||||||
<startup-elasticsearch>
|
|
||||||
<!-- Useful for when debugging -->
|
|
||||||
<!--<additional-args>-->
|
|
||||||
<!--<arg value="-Des.http.cors.enabled=true"/>-->
|
|
||||||
<!--<arg value="-Des.http.cors.allow-origin=*"/>-->
|
|
||||||
<!--</additional-args>-->
|
|
||||||
</startup-elasticsearch>
|
|
||||||
|
|
||||||
<echo>Checking we can connect with basic auth on port ${integ.http.port}...</echo>
|
|
||||||
<local name="temp.file"/>
|
|
||||||
<tempfile property="temp.file" destdir="${java.io.tmpdir}"/>
|
|
||||||
<get src="http://127.0.0.1:${integ.http.port}" dest="${temp.file}"
|
|
||||||
username="test_admin" password="changeme" verbose="true" retries="10"/>
|
|
||||||
</target>
|
|
||||||
</project>
|
|
|
@ -1,95 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
|
||||||
*/
|
|
||||||
package org.elasticsearch.smoketest;
|
|
||||||
|
|
||||||
import org.elasticsearch.Version;
|
|
||||||
import org.elasticsearch.action.get.GetResponse;
|
|
||||||
import org.elasticsearch.common.Strings;
|
|
||||||
import org.elasticsearch.common.settings.Settings;
|
|
||||||
import org.elasticsearch.index.IndexNotFoundException;
|
|
||||||
import org.elasticsearch.plugins.Plugin;
|
|
||||||
import org.elasticsearch.test.ESIntegTestCase;
|
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
|
||||||
import org.elasticsearch.shield.Shield;
|
|
||||||
import org.hamcrest.Matcher;
|
|
||||||
|
|
||||||
import java.util.Collection;
|
|
||||||
import java.util.Collections;
|
|
||||||
import java.util.Map;
|
|
||||||
import java.util.concurrent.TimeUnit;
|
|
||||||
|
|
||||||
import static org.hamcrest.Matchers.equalTo;
|
|
||||||
import static org.hamcrest.Matchers.is;
|
|
||||||
import static org.hamcrest.Matchers.nullValue;
|
|
||||||
|
|
||||||
public class MarvelClusterInfoIT extends ESIntegTestCase {
|
|
||||||
|
|
||||||
static final String ADMIN_USER_PW = "test_admin:changeme";
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected Settings externalClusterClientSettings() {
|
|
||||||
return Settings.builder()
|
|
||||||
.put(Shield.USER_SETTING.getKey(), ADMIN_USER_PW)
|
|
||||||
.build();
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected Collection<Class<? extends Plugin>> transportClientPlugins() {
|
|
||||||
return Collections.singletonList(XPackPlugin.class);
|
|
||||||
}
|
|
||||||
|
|
||||||
public void testMarvelClusterInfoCollectorWorks() throws Exception {
|
|
||||||
final String clusterUUID = client().admin().cluster().prepareState().setMetaData(true).get().getState().metaData().clusterUUID();
|
|
||||||
assertTrue(Strings.hasText(clusterUUID));
|
|
||||||
awaitIndexExists(".monitoring-es-data");
|
|
||||||
ensureYellow(".monitoring-es-data");
|
|
||||||
awaitMarvelDocsCount(equalTo(1L), "cluster_info");
|
|
||||||
GetResponse response = client().prepareGet(".monitoring-es-data", "cluster_info", clusterUUID).get();
|
|
||||||
assertTrue(".monitoring-es-data" + " document does not exist", response.isExists());
|
|
||||||
Map<String, Object> source = response.getSource();
|
|
||||||
assertThat((String) source.get("cluster_name"), equalTo(cluster().getClusterName()));
|
|
||||||
assertThat((String) source.get("version"), equalTo(Version.CURRENT.toString()));
|
|
||||||
|
|
||||||
Object licenseObj = source.get("license");
|
|
||||||
assertThat(licenseObj, nullValue());
|
|
||||||
}
|
|
||||||
|
|
||||||
protected void awaitMarvelDocsCount(Matcher<Long> matcher, String... types) throws Exception {
|
|
||||||
flush();
|
|
||||||
refresh();
|
|
||||||
assertBusy(new Runnable() {
|
|
||||||
@Override
|
|
||||||
public void run() {
|
|
||||||
assertMarvelDocsCount(matcher, types);
|
|
||||||
}
|
|
||||||
}, 30, TimeUnit.SECONDS);
|
|
||||||
}
|
|
||||||
|
|
||||||
protected void assertMarvelDocsCount(Matcher<Long> matcher, String... types) {
|
|
||||||
try {
|
|
||||||
long count = client().prepareSearch(".monitoring-es-data").setSize(0)
|
|
||||||
.setTypes(types).get().getHits().totalHits();
|
|
||||||
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
|
|
||||||
assertThat(count, matcher);
|
|
||||||
} catch (IndexNotFoundException e) {
|
|
||||||
assertThat(0L, matcher);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
protected void awaitIndexExists(final String... indices) throws Exception {
|
|
||||||
assertBusy(new Runnable() {
|
|
||||||
@Override
|
|
||||||
public void run() {
|
|
||||||
assertIndicesExists(indices);
|
|
||||||
}
|
|
||||||
}, 30, TimeUnit.SECONDS);
|
|
||||||
}
|
|
||||||
|
|
||||||
protected void assertIndicesExists(String... indices) {
|
|
||||||
logger.trace("checking if index exists [{}]", Strings.arrayToCommaDelimitedString(indices));
|
|
||||||
assertThat(client().admin().indices().prepareExists(indices).get().isExists(), is(true));
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,98 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
|
||||||
*/
|
|
||||||
package org.elasticsearch.smoketest;
|
|
||||||
|
|
||||||
import com.carrotsearch.randomizedtesting.annotations.Name;
|
|
||||||
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
|
||||||
import org.apache.http.client.methods.HttpPut;
|
|
||||||
import org.apache.http.impl.client.CloseableHttpClient;
|
|
||||||
import org.apache.http.impl.client.HttpClients;
|
|
||||||
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
|
|
||||||
import org.elasticsearch.client.support.Headers;
|
|
||||||
import org.elasticsearch.common.network.NetworkAddress;
|
|
||||||
import org.elasticsearch.common.settings.Settings;
|
|
||||||
import org.elasticsearch.plugins.Plugin;
|
|
||||||
import org.elasticsearch.shield.Shield;
|
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
|
||||||
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
|
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
|
||||||
import org.junit.After;
|
|
||||||
import org.junit.Before;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
|
||||||
import java.net.InetSocketAddress;
|
|
||||||
import java.net.URI;
|
|
||||||
import java.util.Collection;
|
|
||||||
import java.util.Collections;
|
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
|
||||||
|
|
||||||
public class WatcherWithShieldIT extends ESRestTestCase {
|
|
||||||
|
|
||||||
private final static String TEST_ADMIN_USERNAME = "test_admin";
|
|
||||||
private final static String TEST_ADMIN_PASSWORD = "changeme";
|
|
||||||
|
|
||||||
public WatcherWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
|
|
||||||
super(testCandidate);
|
|
||||||
}
|
|
||||||
|
|
||||||
@ParametersFactory
|
|
||||||
public static Iterable<Object[]> parameters() throws IOException, RestTestParseException {
|
|
||||||
return ESRestTestCase.createParameters(0, 1);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Before
|
|
||||||
public void startWatcher() throws Exception {
|
|
||||||
try(CloseableHttpClient client = HttpClients.createMinimal(new BasicHttpClientConnectionManager())) {
|
|
||||||
InetSocketAddress address = cluster().httpAddresses()[0];
|
|
||||||
HttpPut request = new HttpPut(new URI("http", null, NetworkAddress.format(address.getAddress()), address.getPort(), "/_xpack/watcher/_start", null, null));
|
|
||||||
String token = basicAuthHeaderValue(TEST_ADMIN_USERNAME, new SecuredString(TEST_ADMIN_PASSWORD.toCharArray()));
|
|
||||||
request.addHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, token);
|
|
||||||
client.execute(request);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@After
|
|
||||||
public void stopWatcher() throws Exception {
|
|
||||||
try(CloseableHttpClient client = HttpClients.createMinimal(new BasicHttpClientConnectionManager())) {
|
|
||||||
InetSocketAddress address = cluster().httpAddresses()[0];
|
|
||||||
HttpPut request = new HttpPut(new URI("http", null, NetworkAddress.format(address.getAddress()), address.getPort(), "/_xpack/watcher/_stop", null, null));
|
|
||||||
String token = basicAuthHeaderValue(TEST_ADMIN_USERNAME, new SecuredString(TEST_ADMIN_PASSWORD.toCharArray()));
|
|
||||||
request.addHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, token);
|
|
||||||
client.execute(request);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected Settings restClientSettings() {
|
|
||||||
String[] credentials = getCredentials();
|
|
||||||
String token = basicAuthHeaderValue(credentials[0], new SecuredString(credentials[1].toCharArray()));
|
|
||||||
return Settings.builder()
|
|
||||||
.put(Headers.PREFIX + ".Authorization", token)
|
|
||||||
.build();
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected Settings externalClusterClientSettings() {
|
|
||||||
return Settings.builder()
|
|
||||||
.put(Shield.USER_SETTING.getKey(), TEST_ADMIN_USERNAME + ":" + TEST_ADMIN_PASSWORD)
|
|
||||||
.build();
|
|
||||||
}
|
|
||||||
|
|
||||||
protected String[] getCredentials() {
|
|
||||||
return new String[]{"watcher_manager", "changeme"};
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected Collection<Class<? extends Plugin>> transportClientPlugins() {
|
|
||||||
return Collections.<Class<? extends Plugin>>singleton(XPackPlugin.class);
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,36 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
|
||||||
*/
|
|
||||||
package org.elasticsearch.smoketest;
|
|
||||||
|
|
||||||
import com.carrotsearch.randomizedtesting.annotations.Name;
|
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
|
||||||
|
|
||||||
import static org.hamcrest.Matchers.anyOf;
|
|
||||||
import static org.hamcrest.Matchers.containsString;
|
|
||||||
|
|
||||||
public class WatcherWithShieldInsufficientRoleIT extends WatcherWithShieldIT {
|
|
||||||
public WatcherWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
|
|
||||||
super(testCandidate);
|
|
||||||
}
|
|
||||||
|
|
||||||
public void test() throws IOException {
|
|
||||||
try {
|
|
||||||
super.test();
|
|
||||||
fail();
|
|
||||||
} catch(AssertionError ae) {
|
|
||||||
assertThat(ae.getMessage(), anyOf(containsString("action [cluster:monitor/watcher/"), containsString("action [cluster:admin/watcher/")));
|
|
||||||
assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
|
|
||||||
assertThat(ae.getMessage(), containsString("is unauthorized for user [powerless_user]"));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected String[] getCredentials() {
|
|
||||||
return new String[]{"powerless_user", "changeme"};
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,20 +0,0 @@
|
||||||
admin:
|
|
||||||
cluster: all
|
|
||||||
indices:
|
|
||||||
'*': all
|
|
||||||
|
|
||||||
watcher_manager:
|
|
||||||
cluster: manage
|
|
||||||
indices:
|
|
||||||
'.watcher-history-*': all
|
|
||||||
|
|
||||||
watcher_monitor:
|
|
||||||
cluster: monitor
|
|
||||||
indices:
|
|
||||||
'.watcher-history-*': read
|
|
||||||
|
|
||||||
crapy_role:
|
|
||||||
cluster:
|
|
||||||
- cluster:monitor/nodes/info
|
|
||||||
- cluster:monitor/health
|
|
||||||
- cluster:monitor/nodes/liveness
|
|
|
@ -8,37 +8,23 @@ package org.elasticsearch.smoketest;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.Name;
|
import com.carrotsearch.randomizedtesting.annotations.Name;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
||||||
|
|
||||||
import org.apache.http.client.methods.HttpPut;
|
|
||||||
import org.apache.http.impl.client.CloseableHttpClient;
|
|
||||||
import org.apache.http.impl.client.HttpClients;
|
|
||||||
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
|
|
||||||
//import org.elasticsearch.client.support.Headers;
|
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
//import org.elasticsearch.shield.ShieldPlugin;
|
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
|
||||||
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
|
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
||||||
import org.junit.After;
|
|
||||||
import org.junit.Before;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.net.URI;
|
|
||||||
import java.net.URL;
|
|
||||||
import java.util.Collection;
|
|
||||||
import java.util.Collections;
|
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
|
|
||||||
public class GraphWithShieldIT extends ESRestTestCase {
|
public class GraphWithSecurityIT extends ESRestTestCase {
|
||||||
|
|
||||||
private final static String TEST_ADMIN_USERNAME = "test_admin";
|
private final static String TEST_ADMIN_USERNAME = "test_admin";
|
||||||
private final static String TEST_ADMIN_PASSWORD = "changeme";
|
private final static String TEST_ADMIN_PASSWORD = "changeme";
|
||||||
|
|
||||||
public GraphWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
|
public GraphWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
|
||||||
super(testCandidate);
|
super(testCandidate);
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,15 +7,14 @@ package org.elasticsearch.smoketest;
|
||||||
|
|
||||||
import com.carrotsearch.randomizedtesting.annotations.Name;
|
import com.carrotsearch.randomizedtesting.annotations.Name;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.junit.Test;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
import static org.hamcrest.Matchers.containsString;
|
import static org.hamcrest.Matchers.containsString;
|
||||||
|
|
||||||
public class GraphWithShieldInsufficientRoleIT extends GraphWithShieldIT {
|
public class GraphWithSecurityInsufficientRoleIT extends GraphWithSecurityIT {
|
||||||
|
|
||||||
public GraphWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
|
public GraphWithSecurityInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
|
||||||
super(testCandidate);
|
super(testCandidate);
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,19 +9,19 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.hamcrest.Matchers.containsString;
|
import static org.hamcrest.Matchers.containsString;
|
||||||
|
|
||||||
public class MonitoringWithShieldInsufficientRoleIT extends ESRestTestCase {
|
public class MonitoringWithSecurityInsufficientRoleIT extends ESRestTestCase {
|
||||||
|
|
||||||
public MonitoringWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
|
public MonitoringWithSecurityInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
|
||||||
super(testCandidate);
|
super(testCandidate);
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,18 +9,18 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
|
|
||||||
public class MonitoringWithShieldIT extends ESRestTestCase {
|
public class MonitoringWithSecurityIT extends ESRestTestCase {
|
||||||
|
|
||||||
public MonitoringWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
|
public MonitoringWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
|
||||||
super(testCandidate);
|
super(testCandidate);
|
||||||
}
|
}
|
||||||
|
|
|
@ -12,8 +12,8 @@ import org.elasticsearch.common.io.PathUtils;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.transport.InetSocketTransportAddress;
|
import org.elasticsearch.common.transport.InetSocketTransportAddress;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
|
import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
|
||||||
import org.elasticsearch.test.ESIntegTestCase;
|
import org.elasticsearch.test.ESIntegTestCase;
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
import org.elasticsearch.xpack.XPackPlugin;
|
||||||
import org.junit.After;
|
import org.junit.After;
|
||||||
|
@ -37,14 +37,14 @@ import static org.hamcrest.Matchers.greaterThanOrEqualTo;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This test checks that a Monitoring's HTTP exporter correctly exports to a monitoring cluster
|
* This test checks that a Monitoring's HTTP exporter correctly exports to a monitoring cluster
|
||||||
* protected by Shield with HTTPS/SSL.
|
* protected by security with HTTPS/SSL.
|
||||||
*
|
*
|
||||||
* It sets up a cluster with Monitoring and Shield configured with SSL. Once started,
|
* It sets up a cluster with Monitoring and Security configured with SSL. Once started,
|
||||||
* an HTTP exporter is activated and it exports data locally over HTTPS/SSL. The test
|
* an HTTP exporter is activated and it exports data locally over HTTPS/SSL. The test
|
||||||
* then uses a transport client to check that the data have been correctly received and
|
* then uses a transport client to check that the data have been correctly received and
|
||||||
* indexed in the cluster.
|
* indexed in the cluster.
|
||||||
*/
|
*/
|
||||||
public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase {
|
public class SmokeTestMonitoringWithSecurityIT extends ESIntegTestCase {
|
||||||
|
|
||||||
private static final String USER = "test_user";
|
private static final String USER = "test_user";
|
||||||
private static final String PASS = "changeme";
|
private static final String PASS = "changeme";
|
||||||
|
@ -61,7 +61,7 @@ public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase {
|
||||||
protected Settings externalClusterClientSettings() {
|
protected Settings externalClusterClientSettings() {
|
||||||
return Settings.builder()
|
return Settings.builder()
|
||||||
.put(Security.USER_SETTING.getKey(), USER + ":" + PASS)
|
.put(Security.USER_SETTING.getKey(), USER + ":" + PASS)
|
||||||
.put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
|
.put(SecurityNettyTransport.SSL_SETTING.getKey(), true)
|
||||||
.put("xpack.security.ssl.keystore.path", clientKeyStore)
|
.put("xpack.security.ssl.keystore.path", clientKeyStore)
|
||||||
.put("xpack.security.ssl.keystore.password", KEYSTORE_PASS)
|
.put("xpack.security.ssl.keystore.password", KEYSTORE_PASS)
|
||||||
.build();
|
.build();
|
||||||
|
@ -133,7 +133,7 @@ public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase {
|
||||||
@BeforeClass
|
@BeforeClass
|
||||||
public static void loadKeyStore() {
|
public static void loadKeyStore() {
|
||||||
try {
|
try {
|
||||||
clientKeyStore = PathUtils.get(SmokeTestMonitoringWithShieldIT.class.getResource("/test-client.jks").toURI());
|
clientKeyStore = PathUtils.get(SmokeTestMonitoringWithSecurityIT.class.getResource("/test-client.jks").toURI());
|
||||||
} catch (URISyntaxException e) {
|
} catch (URISyntaxException e) {
|
||||||
throw new ElasticsearchException("exception while reading the store", e);
|
throw new ElasticsearchException("exception while reading the store", e);
|
||||||
}
|
}
|
|
@ -11,7 +11,7 @@ import org.elasticsearch.ElasticsearchException;
|
||||||
import org.elasticsearch.common.io.PathUtils;
|
import org.elasticsearch.common.io.PathUtils;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.client.RestClient;
|
import org.elasticsearch.test.rest.client.RestClient;
|
||||||
|
@ -24,7 +24,7 @@ import java.net.URISyntaxException;
|
||||||
import java.nio.file.Files;
|
import java.nio.file.Files;
|
||||||
import java.nio.file.Path;
|
import java.nio.file.Path;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
|
|
||||||
public class SmokeTestPluginsSslIT extends ESRestTestCase {
|
public class SmokeTestPluginsSslIT extends ESRestTestCase {
|
||||||
|
|
||||||
|
|
|
@ -9,14 +9,14 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
|
|
||||||
public class SmokeTestPluginsIT extends ESRestTestCase {
|
public class SmokeTestPluginsIT extends ESRestTestCase {
|
||||||
|
|
||||||
|
|
|
@ -17,22 +17,22 @@ import org.apache.http.impl.client.HttpClients;
|
||||||
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
|
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
|
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
||||||
import org.junit.After;
|
import org.junit.After;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
|
|
||||||
public class WatcherWithShieldIT extends ESRestTestCase {
|
public class WatcherWithSecurityIT extends ESRestTestCase {
|
||||||
|
|
||||||
private final static String TEST_ADMIN_USERNAME = "test_admin";
|
private final static String TEST_ADMIN_USERNAME = "test_admin";
|
||||||
private final static String TEST_ADMIN_PASSWORD = "changeme";
|
private final static String TEST_ADMIN_PASSWORD = "changeme";
|
||||||
|
|
||||||
public WatcherWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
|
public WatcherWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
|
||||||
super(testCandidate);
|
super(testCandidate);
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
"Test watcher is protected by shield":
|
"Test watcher is protected by security":
|
||||||
- do:
|
- do:
|
||||||
headers: { es-shield-runas-user: powerless_user }
|
headers: { es-security-runas-user: powerless_user }
|
||||||
catch: forbidden
|
catch: forbidden
|
||||||
xpack.watcher.stats: {}
|
xpack.watcher.stats: {}
|
||||||
# there seems to be a bug in the yaml parser we use, where a single element list
|
# there seems to be a bug in the yaml parser we use, where a single element list
|
|
@ -16,14 +16,14 @@
|
||||||
~ from Elasticsearch Incorporated.
|
~ from Elasticsearch Incorporated.
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<project name="smoke-test-tribe-node-with-shield"
|
<project name="smoke-test-tribe-node-with-security"
|
||||||
xmlns:ac="antlib:net.sf.antcontrib">
|
xmlns:ac="antlib:net.sf.antcontrib">
|
||||||
|
|
||||||
<taskdef name="xhttp" classname="org.elasticsearch.ant.HttpTask" classpath="${test_classpath}" />
|
<taskdef name="xhttp" classname="org.elasticsearch.ant.HttpTask" classpath="${test_classpath}" />
|
||||||
<typedef name="xhttp" classname="org.elasticsearch.ant.HttpCondition" classpath="${test_classpath}"/>
|
<typedef name="xhttp" classname="org.elasticsearch.ant.HttpCondition" classpath="${test_classpath}"/>
|
||||||
|
|
||||||
<import file="${elasticsearch.integ.antfile.default}"/>
|
<import file="${elasticsearch.integ.antfile.default}"/>
|
||||||
<import file="${elasticsearch.tools.directory}/ant/shield-overrides.xml"/>
|
<import file="${elasticsearch.tools.directory}/ant/security-overrides.xml"/>
|
||||||
|
|
||||||
<property name="tribe_node.pidfile" location="${integ.scratch}/tribe-node.pid"/>
|
<property name="tribe_node.pidfile" location="${integ.scratch}/tribe-node.pid"/>
|
||||||
<available property="tribe_node.pidfile.exists" file="${tribe_node.pidfile}"/>
|
<available property="tribe_node.pidfile.exists" file="${tribe_node.pidfile}"/>
|
||||||
|
@ -47,7 +47,7 @@
|
||||||
</sequential>
|
</sequential>
|
||||||
</macrodef>
|
</macrodef>
|
||||||
|
|
||||||
<target name="start-tribe-node-and-2-clusters-with-shield" depends="setup-workspace">
|
<target name="start-tribe-node-and-2-clusters-with-security" depends="setup-workspace">
|
||||||
<ac:for list="${xplugins.list}" param="xplugin.name">
|
<ac:for list="${xplugins.list}" param="xplugin.name">
|
||||||
<sequential>
|
<sequential>
|
||||||
<fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}">
|
<fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}">
|
||||||
|
@ -75,9 +75,9 @@
|
||||||
<property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/>
|
<property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/>
|
||||||
|
|
||||||
<echo>Adding roles.yml</echo>
|
<echo>Adding roles.yml</echo>
|
||||||
<copy file="shield-roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/>
|
<copy file="roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/>
|
||||||
|
|
||||||
<echo>Adding shield users...</echo>
|
<echo>Adding security users...</echo>
|
||||||
<run-script script="${home}/bin/x-pack/esusers">
|
<run-script script="${home}/bin/x-pack/esusers">
|
||||||
<nested>
|
<nested>
|
||||||
<arg value="useradd"/>
|
<arg value="useradd"/>
|
|
@ -3,20 +3,20 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import com.carrotsearch.randomizedtesting.annotations.Name;
|
import com.carrotsearch.randomizedtesting.annotations.Name;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
|
||||||
import org.elasticsearch.client.support.Headers;
|
import org.elasticsearch.client.support.Headers;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.rest.ESRestTestCase;
|
import org.elasticsearch.test.rest.ESRestTestCase;
|
||||||
import org.elasticsearch.test.rest.RestTestCandidate;
|
import org.elasticsearch.test.rest.RestTestCandidate;
|
||||||
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
import org.elasticsearch.test.rest.parser.RestTestParseException;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
|
|
||||||
public class RestIT extends TribeRestTestCase {
|
public class RestIT extends TribeRestTestCase {
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import com.carrotsearch.randomizedtesting.RandomizedTest;
|
import com.carrotsearch.randomizedtesting.RandomizedTest;
|
||||||
import com.carrotsearch.randomizedtesting.annotations.TestGroup;
|
import com.carrotsearch.randomizedtesting.annotations.TestGroup;
|
|
@ -24,7 +24,7 @@ dependencies {
|
||||||
compile project(':x-plugins:elasticsearch:license:base')
|
compile project(':x-plugins:elasticsearch:license:base')
|
||||||
testCompile project(':x-plugins:elasticsearch:license:licensor')
|
testCompile project(':x-plugins:elasticsearch:license:licensor')
|
||||||
|
|
||||||
// shield deps
|
// security deps
|
||||||
compile 'dk.brics.automaton:automaton:1.11-8'
|
compile 'dk.brics.automaton:automaton:1.11-8'
|
||||||
compile 'com.unboundid:unboundid-ldapsdk:2.3.8'
|
compile 'com.unboundid:unboundid-ldapsdk:2.3.8'
|
||||||
compile 'org.bouncycastle:bcprov-jdk15on:1.54'
|
compile 'org.bouncycastle:bcprov-jdk15on:1.54'
|
||||||
|
@ -33,7 +33,7 @@ dependencies {
|
||||||
|
|
||||||
// watcher deps
|
// watcher deps
|
||||||
compile 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:r239'
|
compile 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:r239'
|
||||||
compile 'com.google.guava:guava:16.0.1' // needed by watcher for the html sanitizer and shield tests for jimfs
|
compile 'com.google.guava:guava:16.0.1' // needed by watcher for the html sanitizer and security tests for jimfs
|
||||||
compile 'com.sun.mail:javax.mail:1.5.3'
|
compile 'com.sun.mail:javax.mail:1.5.3'
|
||||||
// HACK: java 9 removed javax.activation from the default modules, so instead of trying to add modules, which would have
|
// HACK: java 9 removed javax.activation from the default modules, so instead of trying to add modules, which would have
|
||||||
// to be conditionalized for java 8/9, we pull in the classes directly
|
// to be conditionalized for java 8/9, we pull in the classes directly
|
||||||
|
@ -57,7 +57,7 @@ dependencies {
|
||||||
|
|
||||||
// we keep the source directories in the original structure of split plugins,
|
// we keep the source directories in the original structure of split plugins,
|
||||||
// in order to facilitate backports to 2.x. TODO: remove after 5.0 release
|
// in order to facilitate backports to 2.x. TODO: remove after 5.0 release
|
||||||
for (String module : ['', 'license-plugin/', 'shield/', 'watcher/', 'marvel/', 'graph/']) {
|
for (String module : ['', 'license-plugin/', 'security/', 'watcher/', 'marvel/', 'graph/']) {
|
||||||
sourceSets {
|
sourceSets {
|
||||||
main {
|
main {
|
||||||
java.srcDir("${module}src/main/java")
|
java.srcDir("${module}src/main/java")
|
||||||
|
@ -116,10 +116,10 @@ bundlePlugin {
|
||||||
from('bin/x-pack') {
|
from('bin/x-pack') {
|
||||||
into 'bin'
|
into 'bin'
|
||||||
}
|
}
|
||||||
from('shield/bin/x-pack') {
|
from('security/bin/x-pack') {
|
||||||
into 'bin'
|
into 'bin'
|
||||||
}
|
}
|
||||||
from('shield/config/x-pack') {
|
from('security/config/x-pack') {
|
||||||
into 'config'
|
into 'config'
|
||||||
}
|
}
|
||||||
from('watcher/bin/x-pack') {
|
from('watcher/bin/x-pack') {
|
||||||
|
|
|
@ -22,7 +22,7 @@ import org.elasticsearch.script.NativeScriptFactory;
|
||||||
import org.elasticsearch.script.Script;
|
import org.elasticsearch.script.Script;
|
||||||
import org.elasticsearch.script.ScriptModule;
|
import org.elasticsearch.script.ScriptModule;
|
||||||
import org.elasticsearch.script.ScriptService.ScriptType;
|
import org.elasticsearch.script.ScriptService.ScriptType;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
import org.elasticsearch.test.ESSingleNodeTestCase;
|
import org.elasticsearch.test.ESSingleNodeTestCase;
|
||||||
import org.elasticsearch.xpack.watcher.Watcher;
|
import org.elasticsearch.xpack.watcher.Watcher;
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
import org.elasticsearch.xpack.XPackPlugin;
|
||||||
|
@ -127,7 +127,7 @@ public class GraphTests extends ESSingleNodeTestCase {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Settings nodeSettings() {
|
public Settings nodeSettings() {
|
||||||
// Disable Shield otherwise authentication failures happen creating indices.
|
// Disable security otherwise authentication failures happen creating indices.
|
||||||
Builder newSettings = Settings.builder();
|
Builder newSettings = Settings.builder();
|
||||||
newSettings.put(XPackPlugin.featureEnabledSetting(Security.NAME), false);
|
newSettings.put(XPackPlugin.featureEnabledSetting(Security.NAME), false);
|
||||||
newSettings.put(XPackPlugin.featureEnabledSetting(Monitoring.NAME), false);
|
newSettings.put(XPackPlugin.featureEnabledSetting(Monitoring.NAME), false);
|
||||||
|
|
|
@ -25,7 +25,7 @@ import org.elasticsearch.license.plugin.core.LicensesMetaData;
|
||||||
import org.elasticsearch.license.plugin.core.LicensesStatus;
|
import org.elasticsearch.license.plugin.core.LicensesStatus;
|
||||||
import org.elasticsearch.marvel.Monitoring;
|
import org.elasticsearch.marvel.Monitoring;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
import org.elasticsearch.test.ESIntegTestCase;
|
import org.elasticsearch.test.ESIntegTestCase;
|
||||||
import org.elasticsearch.test.InternalTestCluster;
|
import org.elasticsearch.test.InternalTestCluster;
|
||||||
import org.elasticsearch.xpack.watcher.Watcher;
|
import org.elasticsearch.xpack.watcher.Watcher;
|
||||||
|
|
|
@ -22,7 +22,7 @@ import org.elasticsearch.license.plugin.core.LicensesStatus;
|
||||||
import org.elasticsearch.marvel.Monitoring;
|
import org.elasticsearch.marvel.Monitoring;
|
||||||
import org.elasticsearch.node.Node;
|
import org.elasticsearch.node.Node;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
import org.elasticsearch.test.ESSingleNodeTestCase;
|
import org.elasticsearch.test.ESSingleNodeTestCase;
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
import org.elasticsearch.xpack.XPackPlugin;
|
||||||
import org.elasticsearch.xpack.watcher.Watcher;
|
import org.elasticsearch.xpack.watcher.Watcher;
|
||||||
|
|
|
@ -23,7 +23,7 @@ import org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing;
|
||||||
import org.elasticsearch.marvel.Monitoring;
|
import org.elasticsearch.marvel.Monitoring;
|
||||||
import org.elasticsearch.node.Node;
|
import org.elasticsearch.node.Node;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
import org.elasticsearch.test.ESIntegTestCase;
|
import org.elasticsearch.test.ESIntegTestCase;
|
||||||
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
|
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
|
||||||
import org.elasticsearch.test.ESIntegTestCase.Scope;
|
import org.elasticsearch.test.ESIntegTestCase.Scope;
|
||||||
|
|
|
@ -17,7 +17,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
||||||
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
||||||
import org.elasticsearch.marvel.MonitoringLicensee;
|
import org.elasticsearch.marvel.MonitoringLicensee;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
|
|
@ -20,7 +20,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
||||||
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
||||||
import org.elasticsearch.marvel.MonitoringLicensee;
|
import org.elasticsearch.marvel.MonitoringLicensee;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
|
|
@ -17,8 +17,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
||||||
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
||||||
import org.elasticsearch.marvel.MonitoringLicensee;
|
import org.elasticsearch.marvel.MonitoringLicensee;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
|
|
@ -19,8 +19,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
||||||
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
||||||
import org.elasticsearch.marvel.MonitoringLicensee;
|
import org.elasticsearch.marvel.MonitoringLicensee;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
|
|
@ -17,8 +17,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
||||||
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
||||||
import org.elasticsearch.marvel.MonitoringLicensee;
|
import org.elasticsearch.marvel.MonitoringLicensee;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
|
|
@ -21,7 +21,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
|
||||||
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
||||||
import org.elasticsearch.marvel.MonitoringLicensee;
|
import org.elasticsearch.marvel.MonitoringLicensee;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
|
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
package org.elasticsearch.marvel.support.init.proxy;
|
package org.elasticsearch.marvel.support.init.proxy;
|
||||||
|
|
||||||
import org.elasticsearch.client.Client;
|
import org.elasticsearch.client.Client;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
import org.elasticsearch.xpack.common.init.proxy.ClientProxy;
|
import org.elasticsearch.xpack.common.init.proxy.ClientProxy;
|
||||||
|
|
||||||
public class MonitoringClientProxy extends ClientProxy {
|
public class MonitoringClientProxy extends ClientProxy {
|
||||||
|
|
|
@ -26,7 +26,7 @@ import org.elasticsearch.license.plugin.core.LicensesManagerService;
|
||||||
import org.elasticsearch.marvel.MonitoringSettings;
|
import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
|
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
import org.elasticsearch.test.ESIntegTestCase;
|
import org.elasticsearch.test.ESIntegTestCase;
|
||||||
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
|
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
import org.elasticsearch.xpack.XPackPlugin;
|
||||||
|
|
|
@ -45,7 +45,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
|
||||||
waitForNoBlocksOnNode(node);
|
waitForNoBlocksOnNode(node);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(shieldEnabled ? 0 : 1));
|
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1));
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
|
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
|
||||||
}
|
}
|
||||||
|
@ -56,7 +56,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
|
||||||
waitForNoBlocksOnNode(node);
|
waitForNoBlocksOnNode(node);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(shieldEnabled ? 0 : 1));
|
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1));
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
|
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,7 +16,7 @@ import org.elasticsearch.marvel.MonitoredSystem;
|
||||||
import org.elasticsearch.marvel.agent.collector.AbstractCollectorTestCase;
|
import org.elasticsearch.marvel.agent.collector.AbstractCollectorTestCase;
|
||||||
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
|
||||||
import org.elasticsearch.marvel.MonitoringLicensee;
|
import org.elasticsearch.marvel.MonitoringLicensee;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
|
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
|
||||||
|
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
|
|
@ -50,7 +50,7 @@ public class LocalIndicesCleanerTests extends AbstractIndicesCleanerTestCase {
|
||||||
try {
|
try {
|
||||||
assertThat(client().admin().indices().prepareGetSettings().get().getIndexToSettings().size(), equalTo(count));
|
assertThat(client().admin().indices().prepareGetSettings().get().getIndexToSettings().size(), equalTo(count));
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
assertThat(0, equalTo(count));
|
assertThat(0, equalTo(count));
|
||||||
} else {
|
} else {
|
||||||
throw e;
|
throw e;
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.marvel.shield;
|
package org.elasticsearch.marvel.security;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.ElasticsearchSecurityException;
|
||||||
import org.elasticsearch.action.ActionRequestBuilder;
|
import org.elasticsearch.action.ActionRequestBuilder;
|
||||||
|
@ -13,7 +13,7 @@ import org.elasticsearch.index.IndexNotFoundException;
|
||||||
import org.elasticsearch.marvel.MonitoringSettings;
|
import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
|
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
|
||||||
import org.elasticsearch.rest.RestStatus;
|
import org.elasticsearch.rest.RestStatus;
|
||||||
import org.elasticsearch.shield.InternalClient;
|
import org.elasticsearch.xpack.security.InternalClient;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.marvel.shield;
|
package org.elasticsearch.marvel.security;
|
||||||
|
|
||||||
import org.apache.http.impl.client.CloseableHttpClient;
|
import org.apache.http.impl.client.CloseableHttpClient;
|
||||||
import org.apache.http.impl.client.HttpClients;
|
import org.apache.http.impl.client.HttpClients;
|
||||||
|
@ -13,7 +13,7 @@ import org.elasticsearch.common.xcontent.json.JsonXContent;
|
||||||
import org.elasticsearch.http.HttpServerTransport;
|
import org.elasticsearch.http.HttpServerTransport;
|
||||||
import org.elasticsearch.marvel.MonitoringSettings;
|
import org.elasticsearch.marvel.MonitoringSettings;
|
||||||
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
|
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.test.rest.client.http.HttpRequestBuilder;
|
import org.elasticsearch.test.rest.client.http.HttpRequestBuilder;
|
||||||
import org.elasticsearch.test.rest.client.http.HttpResponse;
|
import org.elasticsearch.test.rest.client.http.HttpResponse;
|
||||||
import org.hamcrest.Matchers;
|
import org.hamcrest.Matchers;
|
||||||
|
@ -23,8 +23,8 @@ import java.io.IOException;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import static org.elasticsearch.common.xcontent.support.XContentMapValues.extractValue;
|
import static org.elasticsearch.common.xcontent.support.XContentMapValues.extractValue;
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.hamcrest.CoreMatchers.nullValue;
|
import static org.hamcrest.CoreMatchers.nullValue;
|
||||||
|
|
||||||
public class MarvelSettingsFilterTests extends MarvelIntegTestCase {
|
public class MarvelSettingsFilterTests extends MarvelIntegTestCase {
|
||||||
|
@ -89,9 +89,9 @@ public class MarvelSettingsFilterTests extends MarvelIntegTestCase {
|
||||||
if (body != null) {
|
if (body != null) {
|
||||||
requestBuilder.body(body);
|
requestBuilder.body(body);
|
||||||
}
|
}
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
requestBuilder.addHeader(BASIC_AUTH_HEADER,
|
requestBuilder.addHeader(BASIC_AUTH_HEADER,
|
||||||
basicAuthHeaderValue(ShieldSettings.TEST_USERNAME, new SecuredString(ShieldSettings.TEST_PASSWORD.toCharArray())));
|
basicAuthHeaderValue(SecuritySettings.TEST_USERNAME, new SecuredString(SecuritySettings.TEST_PASSWORD.toCharArray())));
|
||||||
}
|
}
|
||||||
return requestBuilder.execute();
|
return requestBuilder.execute();
|
||||||
}
|
}
|
|
@ -25,12 +25,12 @@ import org.elasticsearch.marvel.agent.resolver.MonitoringIndexNameResolver;
|
||||||
import org.elasticsearch.marvel.agent.resolver.ResolversRegistry;
|
import org.elasticsearch.marvel.agent.resolver.ResolversRegistry;
|
||||||
import org.elasticsearch.marvel.client.MonitoringClient;
|
import org.elasticsearch.marvel.client.MonitoringClient;
|
||||||
import org.elasticsearch.plugins.Plugin;
|
import org.elasticsearch.plugins.Plugin;
|
||||||
import org.elasticsearch.shield.Security;
|
import org.elasticsearch.xpack.security.Security;
|
||||||
import org.elasticsearch.shield.authc.file.FileRealm;
|
import org.elasticsearch.xpack.security.authc.file.FileRealm;
|
||||||
import org.elasticsearch.shield.authc.support.Hasher;
|
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.shield.authz.store.FileRolesStore;
|
import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
|
||||||
import org.elasticsearch.shield.crypto.InternalCryptoService;
|
import org.elasticsearch.xpack.security.crypto.InternalCryptoService;
|
||||||
import org.elasticsearch.test.ESIntegTestCase;
|
import org.elasticsearch.test.ESIntegTestCase;
|
||||||
import org.elasticsearch.test.TestCluster;
|
import org.elasticsearch.test.TestCluster;
|
||||||
import org.elasticsearch.test.store.MockFSIndexStore;
|
import org.elasticsearch.test.store.MockFSIndexStore;
|
||||||
|
@ -60,7 +60,7 @@ import java.util.function.Function;
|
||||||
import java.util.stream.Collectors;
|
import java.util.stream.Collectors;
|
||||||
import java.util.stream.StreamSupport;
|
import java.util.stream.StreamSupport;
|
||||||
|
|
||||||
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
|
||||||
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
|
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
|
||||||
import static org.hamcrest.Matchers.allOf;
|
import static org.hamcrest.Matchers.allOf;
|
||||||
import static org.hamcrest.Matchers.greaterThan;
|
import static org.hamcrest.Matchers.greaterThan;
|
||||||
|
@ -77,10 +77,10 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
/**
|
/**
|
||||||
* Enables individual tests to control the behavior.
|
* Enables individual tests to control the behavior.
|
||||||
* <p>
|
* <p>
|
||||||
* Control this by overriding {@link #enableShield()}, which defaults to enabling it randomly.
|
* Control this by overriding {@link #enableSecurity()}, which defaults to enabling it randomly.
|
||||||
*/
|
*/
|
||||||
// SCARY: This needs to be static or lots of tests randomly fail, but it's not used statically!
|
// SCARY: This needs to be static or lots of tests randomly fail, but it's not used statically!
|
||||||
protected static Boolean shieldEnabled;
|
protected static Boolean securityEnabled;
|
||||||
/**
|
/**
|
||||||
* Enables individual tests to control the behavior.
|
* Enables individual tests to control the behavior.
|
||||||
* <p>
|
* <p>
|
||||||
|
@ -90,14 +90,14 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected TestCluster buildTestCluster(Scope scope, long seed) throws IOException {
|
protected TestCluster buildTestCluster(Scope scope, long seed) throws IOException {
|
||||||
if (shieldEnabled == null) {
|
if (securityEnabled == null) {
|
||||||
shieldEnabled = enableShield();
|
securityEnabled = enableSecurity();
|
||||||
}
|
}
|
||||||
if (watcherEnabled == null) {
|
if (watcherEnabled == null) {
|
||||||
watcherEnabled = enableWatcher();
|
watcherEnabled = enableWatcher();
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.debug("--> shield {}", shieldEnabled ? "enabled" : "disabled");
|
logger.debug("--> security {}", securityEnabled ? "enabled" : "disabled");
|
||||||
logger.debug("--> watcher {}", watcherEnabled ? "enabled" : "disabled");
|
logger.debug("--> watcher {}", watcherEnabled ? "enabled" : "disabled");
|
||||||
|
|
||||||
return super.buildTestCluster(scope, seed);
|
return super.buildTestCluster(scope, seed);
|
||||||
|
@ -111,14 +111,14 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
// we do this by default in core, but for monitoring this isn't needed and only adds noise.
|
// we do this by default in core, but for monitoring this isn't needed and only adds noise.
|
||||||
.put("index.store.mock.check_index_on_close", false);
|
.put("index.store.mock.check_index_on_close", false);
|
||||||
|
|
||||||
ShieldSettings.apply(shieldEnabled, builder);
|
SecuritySettings.apply(securityEnabled, builder);
|
||||||
|
|
||||||
return builder.build();
|
return builder.build();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected Settings transportClientSettings() {
|
protected Settings transportClientSettings() {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
return Settings.builder()
|
return Settings.builder()
|
||||||
.put(super.transportClientSettings())
|
.put(super.transportClientSettings())
|
||||||
.put("client.transport.sniff", false)
|
.put("client.transport.sniff", false)
|
||||||
|
@ -133,8 +133,8 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
@Override
|
@Override
|
||||||
protected Collection<Class<? extends Plugin>> getMockPlugins() {
|
protected Collection<Class<? extends Plugin>> getMockPlugins() {
|
||||||
Set<Class<? extends Plugin>> plugins = new HashSet<>(super.getMockPlugins());
|
Set<Class<? extends Plugin>> plugins = new HashSet<>(super.getMockPlugins());
|
||||||
plugins.remove(MockTransportService.TestPlugin.class); // shield has its own transport service
|
plugins.remove(MockTransportService.TestPlugin.class); // security has its own transport service
|
||||||
plugins.remove(AssertingLocalTransport.TestPlugin.class); // shield has its own transport
|
plugins.remove(AssertingLocalTransport.TestPlugin.class); // security has its own transport
|
||||||
plugins.add(MockFSIndexStore.TestPlugin.class);
|
plugins.add(MockFSIndexStore.TestPlugin.class);
|
||||||
return plugins;
|
return plugins;
|
||||||
}
|
}
|
||||||
|
@ -151,16 +151,16 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected Function<Client,Client> getClientWrapper() {
|
protected Function<Client,Client> getClientWrapper() {
|
||||||
if (shieldEnabled == false) {
|
if (securityEnabled == false) {
|
||||||
return Function.identity();
|
return Function.identity();
|
||||||
}
|
}
|
||||||
Map<String, String> headers = Collections.singletonMap("Authorization",
|
Map<String, String> headers = Collections.singletonMap("Authorization",
|
||||||
basicAuthHeaderValue(ShieldSettings.TEST_USERNAME, new SecuredString(ShieldSettings.TEST_PASSWORD.toCharArray())));
|
basicAuthHeaderValue(SecuritySettings.TEST_USERNAME, new SecuredString(SecuritySettings.TEST_PASSWORD.toCharArray())));
|
||||||
return client -> (client instanceof NodeClient) ? client.filterWithHeader(headers) : client;
|
return client -> (client instanceof NodeClient) ? client.filterWithHeader(headers) : client;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected MonitoringClient monitoringClient() {
|
protected MonitoringClient monitoringClient() {
|
||||||
Client client = shieldEnabled ? internalCluster().transportClient() : client();
|
Client client = securityEnabled ? internalCluster().transportClient() : client();
|
||||||
return randomBoolean() ? new XPackClient(client).monitoring() : new MonitoringClient(client);
|
return randomBoolean() ? new XPackClient(client).monitoring() : new MonitoringClient(client);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -184,7 +184,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
/**
|
/**
|
||||||
* Override and return {@code false} to force running without Security.
|
* Override and return {@code false} to force running without Security.
|
||||||
*/
|
*/
|
||||||
protected boolean enableShield() {
|
protected boolean enableSecurity() {
|
||||||
return randomBoolean();
|
return randomBoolean();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -231,11 +231,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void deleteMarvelIndices() {
|
protected void deleteMarvelIndices() {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
try {
|
try {
|
||||||
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
|
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
// if shield couldn't resolve any marvel index, it'll throw index not found exception.
|
// if security couldn't resolve any marvel index, it'll throw index not found exception.
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
|
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
|
||||||
|
@ -247,11 +247,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void ensureMarvelIndicesYellow() {
|
protected void ensureMarvelIndicesYellow() {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
try {
|
try {
|
||||||
ensureYellow(".monitoring-es-*");
|
ensureYellow(".monitoring-es-*");
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
// might happen with shield...
|
// might happen with security...
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
ensureYellow(".monitoring-es-*");
|
ensureYellow(".monitoring-es-*");
|
||||||
|
@ -266,7 +266,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
|
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
|
||||||
assertThat(count, matcher);
|
assertThat(count, matcher);
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
assertThat(0L, matcher);
|
assertThat(0L, matcher);
|
||||||
} else {
|
} else {
|
||||||
throw e;
|
throw e;
|
||||||
|
@ -312,8 +312,8 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
try {
|
try {
|
||||||
assertIndicesExists(index);
|
assertIndicesExists(index);
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
// with shield we might get that if wildcards were resolved to no indices
|
// with security we might get that if wildcards were resolved to no indices
|
||||||
fail("IndexNotFoundException when checking for existence of index [" + index + "]");
|
fail("IndexNotFoundException when checking for existence of index [" + index + "]");
|
||||||
} else {
|
} else {
|
||||||
throw e;
|
throw e;
|
||||||
|
@ -336,11 +336,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void securedRefresh() {
|
protected void securedRefresh() {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
try {
|
try {
|
||||||
refresh();
|
refresh();
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
// with shield we might get that if wildcards were resolved to no indices
|
// with security we might get that if wildcards were resolved to no indices
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
refresh();
|
refresh();
|
||||||
|
@ -348,11 +348,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void securedFlush(String... indices) {
|
protected void securedFlush(String... indices) {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
try {
|
try {
|
||||||
flush(indices);
|
flush(indices);
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
// with shield we might get that if wildcards were resolved to no indices
|
// with security we might get that if wildcards were resolved to no indices
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
flush(indices);
|
flush(indices);
|
||||||
|
@ -360,11 +360,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void securedFlushAndRefresh(String... indices) {
|
protected void securedFlushAndRefresh(String... indices) {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
try {
|
try {
|
||||||
flushAndRefresh(indices);
|
flushAndRefresh(indices);
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
// with shield we might get that if wildcards were resolved to no indices
|
// with security we might get that if wildcards were resolved to no indices
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
flushAndRefresh(indices);
|
flushAndRefresh(indices);
|
||||||
|
@ -372,11 +372,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void securedEnsureGreen(String... indices) {
|
protected void securedEnsureGreen(String... indices) {
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
try {
|
try {
|
||||||
ensureGreen(indices);
|
ensureGreen(indices);
|
||||||
} catch (IndexNotFoundException e) {
|
} catch (IndexNotFoundException e) {
|
||||||
// with shield we might get that if wildcards were resolved to no indices
|
// with security we might get that if wildcards were resolved to no indices
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
ensureGreen(indices);
|
ensureGreen(indices);
|
||||||
|
@ -477,9 +477,9 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Shield related settings */
|
/** security related settings */
|
||||||
|
|
||||||
public static class ShieldSettings {
|
public static class SecuritySettings {
|
||||||
|
|
||||||
public static final String TEST_USERNAME = "test";
|
public static final String TEST_USERNAME = "test";
|
||||||
public static final String TEST_PASSWORD = "changeme";
|
public static final String TEST_PASSWORD = "changeme";
|
||||||
|
@ -528,7 +528,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
Path folder = createTempDir().resolve("marvel_shield");
|
Path folder = createTempDir().resolve("marvel_security");
|
||||||
Files.createDirectories(folder);
|
Files.createDirectories(folder);
|
||||||
|
|
||||||
builder.put("xpack.security.enabled", true)
|
builder.put("xpack.security.enabled", true)
|
||||||
|
@ -541,7 +541,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
|
||||||
.put("xpack.security.authc.sign_user_header", false)
|
.put("xpack.security.authc.sign_user_header", false)
|
||||||
.put("xpack.security.audit.enabled", auditLogsEnabled);
|
.put("xpack.security.audit.enabled", auditLogsEnabled);
|
||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
throw new RuntimeException("failed to build settings for shield", ex);
|
throw new RuntimeException("failed to build settings for security", ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -3,29 +3,29 @@
|
||||||
|
|
||||||
[partintro]
|
[partintro]
|
||||||
|
|
||||||
Elasticsearch and Shield use jUnit for testing, they also use randomness
|
Elasticsearch and X-Pack use jUnit for testing, they also use randomness
|
||||||
in the tests, that can be set using a seed, please refer to the
|
in the tests, that can be set using a seed, please refer to the
|
||||||
Elasticsearch TESTING.asciidoc cheatsheet to know all about it.
|
Elasticsearch TESTING.asciidoc cheatsheet to know all about it.
|
||||||
|
|
||||||
Tests are executed with network transport and unicast discovery, as this is
|
Tests are executed with network transport and unicast discovery, as this is
|
||||||
the configuration that's secured by shield.
|
the configuration that's secured by X-Pack.
|
||||||
|
|
||||||
== Testing the REST layer
|
== Testing the REST layer
|
||||||
|
|
||||||
The available integration tests are specific for Shield functionalities
|
The available integration tests are specific for Security functionalities
|
||||||
and make use of the java API to communicate with the elasticsearch nodes,
|
and make use of the java API to communicate with the elasticsearch nodes,
|
||||||
using the internal binary transport (port 9300 by default).
|
using the internal binary transport (port 9300 by default).
|
||||||
Shield is also tested using the REST tests provided by Elasticsearch core,
|
Security is also tested using the REST tests provided by Elasticsearch core,
|
||||||
just by running those same tests against a cluster with Shield installed.
|
just by running those same tests against a cluster with X-Pack installed.
|
||||||
|
|
||||||
The REST tests are run automatically during the integration test phase
|
The REST tests are run automatically during the integration test phase
|
||||||
(`mvn verify`). Some tests are blacklisted as they are known to fail against
|
(`gradle integTest`). Some tests are blacklisted as they are known to fail against
|
||||||
shield due to different behaviours introduced by the security plugin.
|
X-Pack due to different behaviours introduced by the security plugin.
|
||||||
|
|
||||||
---------------------------------------------------------------------------
|
---------------------------------------------------------------------------
|
||||||
mvn verify
|
gradle integTest
|
||||||
---------------------------------------------------------------------------
|
---------------------------------------------------------------------------
|
||||||
|
|
||||||
`ShieldRestIT` is the executable test class that runs all the
|
`XPackRestIT` is the executable test class that runs all the
|
||||||
yaml suites available within the `rest-api-spec` folder.
|
yaml suites available within the `rest-api-spec` folder.
|
||||||
|
|
|
@ -72,7 +72,7 @@ fi
|
||||||
|
|
||||||
export HOSTNAME=`hostname -s`
|
export HOSTNAME=`hostname -s`
|
||||||
|
|
||||||
# include shield jars in classpath
|
# include x-pack jars in classpath
|
||||||
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
|
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
|
||||||
|
|
||||||
# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
|
# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
|
||||||
|
@ -96,7 +96,7 @@ if [ -e "$CONF_DIR" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cd "$ES_HOME" > /dev/null
|
cd "$ES_HOME" > /dev/null
|
||||||
"$JAVA" $ES_JAVA_OPTS -Des.path.home="$ES_HOME" -cp "$ES_CLASSPATH" org.elasticsearch.shield.crypto.tool.SystemKeyTool $properties "{args[@]}"
|
"$JAVA" $ES_JAVA_OPTS -Des.path.home="$ES_HOME" -cp "$ES_CLASSPATH" org.elasticsearch.xpack.security.crypto.tool.SystemKeyTool $properties "{args[@]}"
|
||||||
status=$?
|
status=$?
|
||||||
cd - > /dev/null
|
cd - > /dev/null
|
||||||
exit $status
|
exit $status
|
|
@ -5,5 +5,5 @@ rem or more contributor license agreements. Licensed under the Elastic License;
|
||||||
rem you may not use this file except in compliance with the Elastic License.
|
rem you may not use this file except in compliance with the Elastic License.
|
||||||
|
|
||||||
PUSHD "%~dp0"
|
PUSHD "%~dp0"
|
||||||
CALL "%~dp0.in.bat" org.elasticsearch.shield.crypto.tool.SystemKeyTool %*
|
CALL "%~dp0.in.bat" org.elasticsearch.xpack.security.crypto.tool.SystemKeyTool %*
|
||||||
POPD
|
POPD
|
|
@ -72,7 +72,7 @@ fi
|
||||||
|
|
||||||
export HOSTNAME=`hostname -s`
|
export HOSTNAME=`hostname -s`
|
||||||
|
|
||||||
# include shield jars in classpath
|
# include x-pack jars in classpath
|
||||||
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
|
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
|
||||||
|
|
||||||
# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
|
# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
|
||||||
|
@ -96,7 +96,7 @@ if [ -e "$CONF_DIR" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cd "$ES_HOME" > /dev/null
|
cd "$ES_HOME" > /dev/null
|
||||||
"$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" org.elasticsearch.shield.authc.file.tool.UsersTool "${args[@]}"
|
"$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" org.elasticsearch.xpack.security.authc.file.tool.UsersTool "${args[@]}"
|
||||||
status=$?
|
status=$?
|
||||||
cd - > /dev/null
|
cd - > /dev/null
|
||||||
exit $status
|
exit $status
|
|
@ -5,5 +5,5 @@ rem or more contributor license agreements. Licensed under the Elastic License;
|
||||||
rem you may not use this file except in compliance with the Elastic License.
|
rem you may not use this file except in compliance with the Elastic License.
|
||||||
|
|
||||||
PUSHD "%~dp0"
|
PUSHD "%~dp0"
|
||||||
CALL "%~dp0.in.bat" org.elasticsearch.shield.authc.file.tool.UsersTool %*
|
CALL "%~dp0.in.bat" org.elasticsearch.xpack.security.authc.file.tool.UsersTool %*
|
||||||
POPD
|
POPD
|
|
@ -1,8 +1,8 @@
|
||||||
logger:
|
logger:
|
||||||
shield.audit.logfile: INFO, access_log
|
security.audit.logfile: INFO, access_log
|
||||||
|
|
||||||
additivity:
|
additivity:
|
||||||
shield.audit.logfile: false
|
security.audit.logfile: false
|
||||||
|
|
||||||
appender:
|
appender:
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchException;
|
import org.elasticsearch.ElasticsearchException;
|
||||||
import org.elasticsearch.action.Action;
|
import org.elasticsearch.action.Action;
|
||||||
|
@ -15,8 +15,8 @@ import org.elasticsearch.client.Client;
|
||||||
import org.elasticsearch.client.FilterClient;
|
import org.elasticsearch.client.FilterClient;
|
||||||
import org.elasticsearch.common.inject.Inject;
|
import org.elasticsearch.common.inject.Inject;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.AuthenticationService;
|
import org.elasticsearch.xpack.security.authc.AuthenticationService;
|
||||||
import org.elasticsearch.shield.user.XPackUser;
|
import org.elasticsearch.xpack.security.user.XPackUser;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.action.ActionModule;
|
import org.elasticsearch.action.ActionModule;
|
||||||
import org.elasticsearch.common.Booleans;
|
import org.elasticsearch.common.Booleans;
|
||||||
|
@ -20,68 +20,68 @@ import org.elasticsearch.common.settings.Setting.Property;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.index.IndexModule;
|
import org.elasticsearch.index.IndexModule;
|
||||||
import org.elasticsearch.shield.action.ShieldActionModule;
|
import org.elasticsearch.xpack.security.action.SecurityActionModule;
|
||||||
import org.elasticsearch.shield.action.filter.ShieldActionFilter;
|
import org.elasticsearch.xpack.security.action.filter.SecurityActionFilter;
|
||||||
import org.elasticsearch.shield.action.realm.ClearRealmCacheAction;
|
import org.elasticsearch.xpack.security.action.realm.ClearRealmCacheAction;
|
||||||
import org.elasticsearch.shield.action.realm.TransportClearRealmCacheAction;
|
import org.elasticsearch.xpack.security.action.realm.TransportClearRealmCacheAction;
|
||||||
import org.elasticsearch.shield.action.role.ClearRolesCacheAction;
|
import org.elasticsearch.xpack.security.action.role.ClearRolesCacheAction;
|
||||||
import org.elasticsearch.shield.action.role.DeleteRoleAction;
|
import org.elasticsearch.xpack.security.action.role.DeleteRoleAction;
|
||||||
import org.elasticsearch.shield.action.role.GetRolesAction;
|
import org.elasticsearch.xpack.security.action.role.GetRolesAction;
|
||||||
import org.elasticsearch.shield.action.role.PutRoleAction;
|
import org.elasticsearch.xpack.security.action.role.PutRoleAction;
|
||||||
import org.elasticsearch.shield.action.role.TransportClearRolesCacheAction;
|
import org.elasticsearch.xpack.security.action.role.TransportClearRolesCacheAction;
|
||||||
import org.elasticsearch.shield.action.role.TransportDeleteRoleAction;
|
import org.elasticsearch.xpack.security.action.role.TransportDeleteRoleAction;
|
||||||
import org.elasticsearch.shield.action.role.TransportGetRolesAction;
|
import org.elasticsearch.xpack.security.action.role.TransportGetRolesAction;
|
||||||
import org.elasticsearch.shield.action.role.TransportPutRoleAction;
|
import org.elasticsearch.xpack.security.action.role.TransportPutRoleAction;
|
||||||
import org.elasticsearch.shield.action.user.AuthenticateAction;
|
import org.elasticsearch.xpack.security.action.user.AuthenticateAction;
|
||||||
import org.elasticsearch.shield.action.user.ChangePasswordAction;
|
import org.elasticsearch.xpack.security.action.user.ChangePasswordAction;
|
||||||
import org.elasticsearch.shield.action.user.DeleteUserAction;
|
import org.elasticsearch.xpack.security.action.user.DeleteUserAction;
|
||||||
import org.elasticsearch.shield.action.user.GetUsersAction;
|
import org.elasticsearch.xpack.security.action.user.GetUsersAction;
|
||||||
import org.elasticsearch.shield.action.user.PutUserAction;
|
import org.elasticsearch.xpack.security.action.user.PutUserAction;
|
||||||
import org.elasticsearch.shield.action.user.TransportAuthenticateAction;
|
import org.elasticsearch.xpack.security.action.user.TransportAuthenticateAction;
|
||||||
import org.elasticsearch.shield.action.user.TransportChangePasswordAction;
|
import org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction;
|
||||||
import org.elasticsearch.shield.action.user.TransportDeleteUserAction;
|
import org.elasticsearch.xpack.security.action.user.TransportDeleteUserAction;
|
||||||
import org.elasticsearch.shield.action.user.TransportGetUsersAction;
|
import org.elasticsearch.xpack.security.action.user.TransportGetUsersAction;
|
||||||
import org.elasticsearch.shield.action.user.TransportPutUserAction;
|
import org.elasticsearch.xpack.security.action.user.TransportPutUserAction;
|
||||||
import org.elasticsearch.shield.audit.AuditTrailModule;
|
import org.elasticsearch.xpack.security.audit.AuditTrailModule;
|
||||||
import org.elasticsearch.shield.audit.index.IndexAuditTrail;
|
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||||
import org.elasticsearch.shield.audit.index.IndexNameResolver;
|
import org.elasticsearch.xpack.security.audit.index.IndexNameResolver;
|
||||||
import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
|
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
|
||||||
import org.elasticsearch.shield.authc.AuthenticationModule;
|
import org.elasticsearch.xpack.security.authc.AuthenticationModule;
|
||||||
import org.elasticsearch.shield.authc.InternalAuthenticationService;
|
import org.elasticsearch.xpack.security.authc.InternalAuthenticationService;
|
||||||
import org.elasticsearch.shield.authc.Realms;
|
import org.elasticsearch.xpack.security.authc.Realms;
|
||||||
import org.elasticsearch.shield.authc.esnative.NativeUsersStore;
|
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
|
||||||
import org.elasticsearch.shield.authc.ldap.support.SessionFactory;
|
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
|
||||||
import org.elasticsearch.shield.authc.support.SecuredString;
|
import org.elasticsearch.xpack.security.authc.support.SecuredString;
|
||||||
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
|
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||||
import org.elasticsearch.shield.authz.AuthorizationModule;
|
import org.elasticsearch.xpack.security.authz.AuthorizationModule;
|
||||||
import org.elasticsearch.shield.authz.InternalAuthorizationService;
|
import org.elasticsearch.xpack.security.authz.InternalAuthorizationService;
|
||||||
import org.elasticsearch.shield.authz.accesscontrol.OptOutQueryCache;
|
import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache;
|
||||||
import org.elasticsearch.shield.authz.accesscontrol.ShieldIndexSearcherWrapper;
|
import org.elasticsearch.xpack.security.authz.accesscontrol.SecurityIndexSearcherWrapper;
|
||||||
import org.elasticsearch.shield.authz.store.FileRolesStore;
|
import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
|
||||||
import org.elasticsearch.shield.authz.store.NativeRolesStore;
|
import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
|
||||||
import org.elasticsearch.shield.crypto.CryptoModule;
|
import org.elasticsearch.xpack.security.crypto.CryptoModule;
|
||||||
import org.elasticsearch.shield.crypto.InternalCryptoService;
|
import org.elasticsearch.xpack.security.crypto.InternalCryptoService;
|
||||||
import org.elasticsearch.shield.rest.ShieldRestModule;
|
import org.elasticsearch.xpack.security.rest.SecurityRestModule;
|
||||||
import org.elasticsearch.shield.rest.action.RestAuthenticateAction;
|
import org.elasticsearch.xpack.security.rest.action.RestAuthenticateAction;
|
||||||
import org.elasticsearch.shield.rest.action.realm.RestClearRealmCacheAction;
|
import org.elasticsearch.xpack.security.rest.action.realm.RestClearRealmCacheAction;
|
||||||
import org.elasticsearch.shield.rest.action.role.RestClearRolesCacheAction;
|
import org.elasticsearch.xpack.security.rest.action.role.RestClearRolesCacheAction;
|
||||||
import org.elasticsearch.shield.rest.action.role.RestDeleteRoleAction;
|
import org.elasticsearch.xpack.security.rest.action.role.RestDeleteRoleAction;
|
||||||
import org.elasticsearch.shield.rest.action.role.RestGetRolesAction;
|
import org.elasticsearch.xpack.security.rest.action.role.RestGetRolesAction;
|
||||||
import org.elasticsearch.shield.rest.action.role.RestPutRoleAction;
|
import org.elasticsearch.xpack.security.rest.action.role.RestPutRoleAction;
|
||||||
import org.elasticsearch.shield.rest.action.user.RestChangePasswordAction;
|
import org.elasticsearch.xpack.security.rest.action.user.RestChangePasswordAction;
|
||||||
import org.elasticsearch.shield.rest.action.user.RestDeleteUserAction;
|
import org.elasticsearch.xpack.security.rest.action.user.RestDeleteUserAction;
|
||||||
import org.elasticsearch.shield.rest.action.user.RestGetUsersAction;
|
import org.elasticsearch.xpack.security.rest.action.user.RestGetUsersAction;
|
||||||
import org.elasticsearch.shield.rest.action.user.RestPutUserAction;
|
import org.elasticsearch.xpack.security.rest.action.user.RestPutUserAction;
|
||||||
import org.elasticsearch.shield.ssl.SSLConfiguration;
|
import org.elasticsearch.xpack.security.ssl.SSLConfiguration;
|
||||||
import org.elasticsearch.shield.ssl.SSLModule;
|
import org.elasticsearch.xpack.security.ssl.SSLModule;
|
||||||
import org.elasticsearch.shield.support.OptionalSettings;
|
import org.elasticsearch.xpack.security.support.OptionalSettings;
|
||||||
import org.elasticsearch.shield.transport.ShieldClientTransportService;
|
import org.elasticsearch.xpack.security.transport.SecurityClientTransportService;
|
||||||
import org.elasticsearch.shield.transport.ShieldServerTransportService;
|
import org.elasticsearch.xpack.security.transport.SecurityServerTransportService;
|
||||||
import org.elasticsearch.shield.transport.ShieldTransportModule;
|
import org.elasticsearch.xpack.security.transport.SecurityTransportModule;
|
||||||
import org.elasticsearch.shield.transport.filter.IPFilter;
|
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
|
||||||
import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
|
import org.elasticsearch.xpack.security.transport.netty.SecurityNettyHttpServerTransport;
|
||||||
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
|
import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
|
||||||
import org.elasticsearch.shield.user.AnonymousUser;
|
import org.elasticsearch.xpack.security.user.AnonymousUser;
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
import org.elasticsearch.xpack.XPackPlugin;
|
||||||
import org.joda.time.DateTime;
|
import org.joda.time.DateTime;
|
||||||
import org.joda.time.DateTimeZone;
|
import org.joda.time.DateTimeZone;
|
||||||
|
@ -104,7 +104,6 @@ public class Security {
|
||||||
|
|
||||||
public static final String NAME = "security";
|
public static final String NAME = "security";
|
||||||
public static final String DLS_FLS_FEATURE = "security.dls_fls";
|
public static final String DLS_FLS_FEATURE = "security.dls_fls";
|
||||||
public static final String OPT_OUT_QUERY_CACHE = "opt_out_cache";
|
|
||||||
public static final Setting<Optional<String>> USER_SETTING = OptionalSettings.createString(setting("user"), Property.NodeScope);
|
public static final Setting<Optional<String>> USER_SETTING = OptionalSettings.createString(setting("user"), Property.NodeScope);
|
||||||
|
|
||||||
private final Settings settings;
|
private final Settings settings;
|
||||||
|
@ -129,7 +128,7 @@ public class Security {
|
||||||
return modules;
|
return modules;
|
||||||
}
|
}
|
||||||
modules.add(new SecurityModule(settings, securityLicenseState));
|
modules.add(new SecurityModule(settings, securityLicenseState));
|
||||||
modules.add(new ShieldTransportModule(settings));
|
modules.add(new SecurityTransportModule(settings));
|
||||||
modules.add(new SSLModule(settings));
|
modules.add(new SSLModule(settings));
|
||||||
return modules;
|
return modules;
|
||||||
}
|
}
|
||||||
|
@ -148,9 +147,9 @@ public class Security {
|
||||||
modules.add(new CryptoModule(settings));
|
modules.add(new CryptoModule(settings));
|
||||||
modules.add(new AuthorizationModule(settings));
|
modules.add(new AuthorizationModule(settings));
|
||||||
modules.add(new AuditTrailModule(settings));
|
modules.add(new AuditTrailModule(settings));
|
||||||
modules.add(new ShieldRestModule(settings));
|
modules.add(new SecurityRestModule(settings));
|
||||||
modules.add(new ShieldActionModule(settings));
|
modules.add(new SecurityActionModule(settings));
|
||||||
modules.add(new ShieldTransportModule(settings));
|
modules.add(new SecurityTransportModule(settings));
|
||||||
modules.add(new SSLModule(settings));
|
modules.add(new SSLModule(settings));
|
||||||
return modules;
|
return modules;
|
||||||
}
|
}
|
||||||
|
@ -181,7 +180,7 @@ public class Security {
|
||||||
settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME);
|
settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME);
|
||||||
settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Security.NAME);
|
settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Security.NAME);
|
||||||
settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Security.NAME);
|
settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Security.NAME);
|
||||||
ShieldNettyHttpServerTransport.overrideSettings(settingsBuilder, settings);
|
SecurityNettyHttpServerTransport.overrideSettings(settingsBuilder, settings);
|
||||||
addUserSettings(settingsBuilder);
|
addUserSettings(settingsBuilder);
|
||||||
addTribeSettings(settingsBuilder);
|
addTribeSettings(settingsBuilder);
|
||||||
return settingsBuilder.build();
|
return settingsBuilder.build();
|
||||||
|
@ -197,7 +196,7 @@ public class Security {
|
||||||
SSLConfiguration.Global.addSettings(settingsList);
|
SSLConfiguration.Global.addSettings(settingsList);
|
||||||
|
|
||||||
// transport settings
|
// transport settings
|
||||||
ShieldNettyTransport.addSettings(settingsList);
|
SecurityNettyTransport.addSettings(settingsList);
|
||||||
|
|
||||||
if (transportClientMode) {
|
if (transportClientMode) {
|
||||||
return settingsList;
|
return settingsList;
|
||||||
|
@ -222,7 +221,7 @@ public class Security {
|
||||||
InternalAuthorizationService.addSettings(settingsList);
|
InternalAuthorizationService.addSettings(settingsList);
|
||||||
|
|
||||||
// HTTP settings
|
// HTTP settings
|
||||||
ShieldNettyHttpServerTransport.addSettings(settingsList);
|
SecurityNettyHttpServerTransport.addSettings(settingsList);
|
||||||
|
|
||||||
// encryption settings
|
// encryption settings
|
||||||
InternalCryptoService.addSettings(settingsList);
|
InternalCryptoService.addSettings(settingsList);
|
||||||
|
@ -260,13 +259,13 @@ public class Security {
|
||||||
|
|
||||||
assert securityLicenseState != null;
|
assert securityLicenseState != null;
|
||||||
if (flsDlsEnabled(settings)) {
|
if (flsDlsEnabled(settings)) {
|
||||||
module.setSearcherWrapper((indexService) -> new ShieldIndexSearcherWrapper(indexService.getIndexSettings(),
|
module.setSearcherWrapper((indexService) -> new SecurityIndexSearcherWrapper(indexService.getIndexSettings(),
|
||||||
indexService.newQueryShardContext(), indexService.mapperService(),
|
indexService.newQueryShardContext(), indexService.mapperService(),
|
||||||
indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(),
|
indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(),
|
||||||
securityLicenseState));
|
securityLicenseState));
|
||||||
}
|
}
|
||||||
if (transportClientMode == false) {
|
if (transportClientMode == false) {
|
||||||
/* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
|
/* We need to forcefully overwrite the query cache implementation to use security's opt out query cache implementation.
|
||||||
* This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
|
* This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
|
||||||
* forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
|
* forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
|
||||||
* unauthorized users. */
|
* unauthorized users. */
|
||||||
|
@ -280,10 +279,10 @@ public class Security {
|
||||||
}
|
}
|
||||||
// registering the security filter only for nodes
|
// registering the security filter only for nodes
|
||||||
if (transportClientMode == false) {
|
if (transportClientMode == false) {
|
||||||
module.registerFilter(ShieldActionFilter.class);
|
module.registerFilter(SecurityActionFilter.class);
|
||||||
}
|
}
|
||||||
|
|
||||||
// registering all shield actions
|
// registering all security actions
|
||||||
module.registerAction(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class);
|
module.registerAction(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class);
|
||||||
module.registerAction(ClearRolesCacheAction.INSTANCE, TransportClearRolesCacheAction.class);
|
module.registerAction(ClearRolesCacheAction.INSTANCE, TransportClearRolesCacheAction.class);
|
||||||
module.registerAction(GetUsersAction.INSTANCE, TransportGetUsersAction.class);
|
module.registerAction(GetUsersAction.INSTANCE, TransportGetUsersAction.class);
|
||||||
|
@ -300,15 +299,15 @@ public class Security {
|
||||||
|
|
||||||
if (transportClientMode) {
|
if (transportClientMode) {
|
||||||
if (enabled) {
|
if (enabled) {
|
||||||
module.registerTransport(Security.NAME, ShieldNettyTransport.class);
|
module.registerTransport(Security.NAME, SecurityNettyTransport.class);
|
||||||
module.registerTransportService(Security.NAME, ShieldClientTransportService.class);
|
module.registerTransportService(Security.NAME, SecurityClientTransportService.class);
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (enabled) {
|
if (enabled) {
|
||||||
module.registerTransport(Security.NAME, ShieldNettyTransport.class);
|
module.registerTransport(Security.NAME, SecurityNettyTransport.class);
|
||||||
module.registerTransportService(Security.NAME, ShieldServerTransportService.class);
|
module.registerTransportService(Security.NAME, SecurityServerTransportService.class);
|
||||||
module.registerRestHandler(RestAuthenticateAction.class);
|
module.registerRestHandler(RestAuthenticateAction.class);
|
||||||
module.registerRestHandler(RestClearRealmCacheAction.class);
|
module.registerRestHandler(RestClearRealmCacheAction.class);
|
||||||
module.registerRestHandler(RestClearRolesCacheAction.class);
|
module.registerRestHandler(RestClearRolesCacheAction.class);
|
||||||
|
@ -319,7 +318,7 @@ public class Security {
|
||||||
module.registerRestHandler(RestPutRoleAction.class);
|
module.registerRestHandler(RestPutRoleAction.class);
|
||||||
module.registerRestHandler(RestDeleteRoleAction.class);
|
module.registerRestHandler(RestDeleteRoleAction.class);
|
||||||
module.registerRestHandler(RestChangePasswordAction.class);
|
module.registerRestHandler(RestChangePasswordAction.class);
|
||||||
module.registerHttpTransport(Security.NAME, ShieldNettyHttpServerTransport.class);
|
module.registerHttpTransport(Security.NAME, SecurityNettyHttpServerTransport.class);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -344,12 +343,12 @@ public class Security {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* If the current node is a tribe node, we inject additional settings on each tribe client. We do this to make sure
|
* If the current node is a tribe node, we inject additional settings on each tribe client. We do this to make sure
|
||||||
* that every tribe cluster has shield installed and is enabled. We do that by:
|
* that every tribe cluster has x-pack installed and security is enabled. We do that by:
|
||||||
*
|
*
|
||||||
* - making it mandatory on the tribe client (this means that the tribe node will fail at startup if shield is
|
* - making it mandatory on the tribe client (this means that the tribe node will fail at startup if x-pack is
|
||||||
* not loaded on any tribe due to missing mandatory plugin)
|
* not loaded on any tribe due to missing mandatory plugin)
|
||||||
*
|
*
|
||||||
* - forcibly enabling it (that means it's not possible to disable shield on the tribe clients)
|
* - forcibly enabling it (that means it's not possible to disable security on the tribe clients)
|
||||||
*/
|
*/
|
||||||
private void addTribeSettings(Settings.Builder settingsBuilder) {
|
private void addTribeSettings(Settings.Builder settingsBuilder) {
|
||||||
Map<String, Settings> tribesSettings = settings.getGroups("tribe", true);
|
Map<String, Settings> tribesSettings = settings.getGroups("tribe", true);
|
||||||
|
@ -366,7 +365,7 @@ public class Security {
|
||||||
// otherwise (arrays don't get merged)
|
// otherwise (arrays don't get merged)
|
||||||
String[] existingMandatoryPlugins = tribeSettings.getValue().getAsArray("plugin.mandatory", null);
|
String[] existingMandatoryPlugins = tribeSettings.getValue().getAsArray("plugin.mandatory", null);
|
||||||
if (existingMandatoryPlugins == null) {
|
if (existingMandatoryPlugins == null) {
|
||||||
//shield is mandatory on every tribe if installed and enabled on the tribe node
|
//x-pack is mandatory on every tribe if installed and enabled on the tribe node
|
||||||
settingsBuilder.putArray(tribePrefix + "plugin.mandatory", XPackPlugin.NAME);
|
settingsBuilder.putArray(tribePrefix + "plugin.mandatory", XPackPlugin.NAME);
|
||||||
} else {
|
} else {
|
||||||
if (Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME) < 0) {
|
if (Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME) < 0) {
|
||||||
|
@ -383,11 +382,11 @@ public class Security {
|
||||||
+ settings.get(tribeEnabledSetting) + "]");
|
+ settings.get(tribeEnabledSetting) + "]");
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
//shield must be enabled on every tribe if it's enabled on the tribe node
|
//x-pack security must be enabled on every tribe if it's enabled on the tribe node
|
||||||
settingsBuilder.put(tribeEnabledSetting, true);
|
settingsBuilder.put(tribeEnabledSetting, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
// we passed all the checks now we need to copy in all of the shield settings
|
// we passed all the checks now we need to copy in all of the x-pack security settings
|
||||||
for (Map.Entry<String, String> entry : settingsMap.entrySet()) {
|
for (Map.Entry<String, String> entry : settingsMap.entrySet()) {
|
||||||
String key = entry.getKey();
|
String key = entry.getKey();
|
||||||
if (key.startsWith("xpack.security.")) {
|
if (key.startsWith("xpack.security.")) {
|
||||||
|
@ -433,7 +432,7 @@ public class Security {
|
||||||
final String auditIndex = indexAuditingEnabled ? "," + IndexAuditTrail.INDEX_NAME_PREFIX + "*" : "";
|
final String auditIndex = indexAuditingEnabled ? "," + IndexAuditTrail.INDEX_NAME_PREFIX + "*" : "";
|
||||||
String errorMessage = LoggerMessageFormat.format("the [action.auto_create_index] setting value [{}] is too" +
|
String errorMessage = LoggerMessageFormat.format("the [action.auto_create_index] setting value [{}] is too" +
|
||||||
" restrictive. disable [action.auto_create_index] or set it to " +
|
" restrictive. disable [action.auto_create_index] or set it to " +
|
||||||
"[{}{}]", (Object) value, ShieldTemplateService.SECURITY_INDEX_NAME, auditIndex);
|
"[{}{}]", (Object) value, SecurityTemplateService.SECURITY_INDEX_NAME, auditIndex);
|
||||||
if (Booleans.isExplicitFalse(value)) {
|
if (Booleans.isExplicitFalse(value)) {
|
||||||
throw new IllegalArgumentException(errorMessage);
|
throw new IllegalArgumentException(errorMessage);
|
||||||
}
|
}
|
||||||
|
@ -444,7 +443,7 @@ public class Security {
|
||||||
|
|
||||||
String[] matches = Strings.commaDelimitedListToStringArray(value);
|
String[] matches = Strings.commaDelimitedListToStringArray(value);
|
||||||
List<String> indices = new ArrayList<>();
|
List<String> indices = new ArrayList<>();
|
||||||
indices.add(ShieldTemplateService.SECURITY_INDEX_NAME);
|
indices.add(SecurityTemplateService.SECURITY_INDEX_NAME);
|
||||||
if (indexAuditingEnabled) {
|
if (indexAuditingEnabled) {
|
||||||
DateTime now = new DateTime(DateTimeZone.UTC);
|
DateTime now = new DateTime(DateTimeZone.UTC);
|
||||||
// just use daily rollover
|
// just use daily rollover
|
||||||
|
@ -487,7 +486,7 @@ public class Security {
|
||||||
logger.warn("the [action.auto_create_index] setting is configured to be restrictive [{}]. " +
|
logger.warn("the [action.auto_create_index] setting is configured to be restrictive [{}]. " +
|
||||||
" for the next 6 months audit indices are allowed to be created, but please make sure" +
|
" for the next 6 months audit indices are allowed to be created, but please make sure" +
|
||||||
" that any future history indices after 6 months with the pattern " +
|
" that any future history indices after 6 months with the pattern " +
|
||||||
"[.shield_audit_log*] are allowed to be created", value);
|
"[.security_audit_log*] are allowed to be created", value);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -3,14 +3,14 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchException;
|
import org.elasticsearch.ElasticsearchException;
|
||||||
import org.elasticsearch.common.inject.Inject;
|
import org.elasticsearch.common.inject.Inject;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.shield.authc.Authentication;
|
import org.elasticsearch.xpack.security.authc.Authentication;
|
||||||
import org.elasticsearch.shield.authc.AuthenticationService;
|
import org.elasticsearch.xpack.security.authc.AuthenticationService;
|
||||||
import org.elasticsearch.shield.user.User;
|
import org.elasticsearch.xpack.security.user.User;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.common.Nullable;
|
import org.elasticsearch.common.Nullable;
|
||||||
import org.elasticsearch.common.inject.Inject;
|
import org.elasticsearch.common.inject.Inject;
|
||||||
|
@ -13,9 +13,9 @@ import org.elasticsearch.common.io.stream.StreamOutput;
|
||||||
import org.elasticsearch.common.io.stream.Writeable;
|
import org.elasticsearch.common.io.stream.Writeable;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.xcontent.XContentBuilder;
|
import org.elasticsearch.common.xcontent.XContentBuilder;
|
||||||
import org.elasticsearch.shield.authc.Realm;
|
import org.elasticsearch.xpack.security.authc.Realm;
|
||||||
import org.elasticsearch.shield.authc.Realms;
|
import org.elasticsearch.xpack.security.authc.Realms;
|
||||||
import org.elasticsearch.shield.authc.esnative.ReservedRealm;
|
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
|
||||||
import org.elasticsearch.xpack.XPackFeatureSet;
|
import org.elasticsearch.xpack.XPackFeatureSet;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.license.core.License.OperationMode;
|
import org.elasticsearch.license.core.License.OperationMode;
|
||||||
import org.elasticsearch.license.plugin.core.LicenseState;
|
import org.elasticsearch.license.plugin.core.LicenseState;
|
||||||
|
@ -11,7 +11,7 @@ import org.elasticsearch.license.plugin.core.Licensee.Status;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class serves to decouple shield code that needs to check the license state from the {@link SecurityLicensee} as the
|
* This class serves to decouple security code that needs to check the license state from the {@link SecurityLicensee} as the
|
||||||
* tight coupling causes issues with guice injection and circular dependencies
|
* tight coupling causes issues with guice injection and circular dependencies
|
||||||
*/
|
*/
|
||||||
public class SecurityLicenseState {
|
public class SecurityLicenseState {
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchException;
|
import org.elasticsearch.ElasticsearchException;
|
||||||
import org.elasticsearch.common.Strings;
|
import org.elasticsearch.common.Strings;
|
||||||
|
@ -20,19 +20,19 @@ import org.elasticsearch.license.plugin.core.LicenseeRegistry;
|
||||||
public class SecurityLicensee extends AbstractLicenseeComponent<SecurityLicensee> implements Licensee {
|
public class SecurityLicensee extends AbstractLicenseeComponent<SecurityLicensee> implements Licensee {
|
||||||
|
|
||||||
private final boolean isTribeNode;
|
private final boolean isTribeNode;
|
||||||
private final SecurityLicenseState shieldLicenseState;
|
private final SecurityLicenseState securityLicenseState;
|
||||||
|
|
||||||
@Inject
|
@Inject
|
||||||
public SecurityLicensee(Settings settings, LicenseeRegistry clientService, SecurityLicenseState shieldLicenseState) {
|
public SecurityLicensee(Settings settings, LicenseeRegistry clientService, SecurityLicenseState securityLicenseState) {
|
||||||
super(settings, Security.NAME, clientService);
|
super(settings, Security.NAME, clientService);
|
||||||
this.shieldLicenseState = shieldLicenseState;
|
this.securityLicenseState = securityLicenseState;
|
||||||
this.isTribeNode = settings.getGroups("tribe", true).isEmpty() == false;
|
this.isTribeNode = settings.getGroups("tribe", true).isEmpty() == false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void onChange(Status status) {
|
public void onChange(Status status) {
|
||||||
super.onChange(status);
|
super.onChange(status);
|
||||||
shieldLicenseState.updateStatus(status);
|
securityLicenseState.updateStatus(status);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.cluster.ClusterChangedEvent;
|
import org.elasticsearch.cluster.ClusterChangedEvent;
|
||||||
import org.elasticsearch.cluster.service.ClusterService;
|
import org.elasticsearch.cluster.service.ClusterService;
|
||||||
|
@ -14,10 +14,10 @@ import org.elasticsearch.common.inject.Inject;
|
||||||
import org.elasticsearch.common.inject.Provider;
|
import org.elasticsearch.common.inject.Provider;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
|
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
|
||||||
import org.elasticsearch.shield.audit.AuditTrailModule;
|
import org.elasticsearch.xpack.security.audit.AuditTrailModule;
|
||||||
import org.elasticsearch.shield.audit.index.IndexAuditTrail;
|
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
|
||||||
import org.elasticsearch.shield.authc.esnative.NativeUsersStore;
|
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
|
||||||
import org.elasticsearch.shield.authz.store.NativeRolesStore;
|
import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -31,7 +31,7 @@ import org.elasticsearch.threadpool.ThreadPool;
|
||||||
* successful. This lifecycle service allows for this to happen by listening for {@link ClusterChangedEvent} and checking
|
* successful. This lifecycle service allows for this to happen by listening for {@link ClusterChangedEvent} and checking
|
||||||
* if the services can start. Additionally, the service also provides hooks for stop and close functionality.
|
* if the services can start. Additionally, the service also provides hooks for stop and close functionality.
|
||||||
*/
|
*/
|
||||||
public class ShieldLifecycleService extends AbstractComponent implements ClusterStateListener {
|
public class SecurityLifecycleService extends AbstractComponent implements ClusterStateListener {
|
||||||
|
|
||||||
private final Settings settings;
|
private final Settings settings;
|
||||||
private final ThreadPool threadPool;
|
private final ThreadPool threadPool;
|
||||||
|
@ -40,7 +40,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
|
||||||
private final NativeRolesStore nativeRolesStore;
|
private final NativeRolesStore nativeRolesStore;
|
||||||
|
|
||||||
@Inject
|
@Inject
|
||||||
public ShieldLifecycleService(Settings settings, ClusterService clusterService, ThreadPool threadPool,
|
public SecurityLifecycleService(Settings settings, ClusterService clusterService, ThreadPool threadPool,
|
||||||
IndexAuditTrail indexAuditTrail, NativeUsersStore nativeUserStore,
|
IndexAuditTrail indexAuditTrail, NativeUsersStore nativeUserStore,
|
||||||
NativeRolesStore nativeRolesStore, Provider<InternalClient> clientProvider) {
|
NativeRolesStore nativeRolesStore, Provider<InternalClient> clientProvider) {
|
||||||
super(settings);
|
super(settings);
|
||||||
|
@ -54,7 +54,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
|
||||||
clusterService.add(this);
|
clusterService.add(this);
|
||||||
clusterService.add(nativeUserStore);
|
clusterService.add(nativeUserStore);
|
||||||
clusterService.add(nativeRolesStore);
|
clusterService.add(nativeRolesStore);
|
||||||
clusterService.add(new ShieldTemplateService(settings, clusterService, clientProvider, threadPool));
|
clusterService.add(new SecurityTemplateService(settings, clusterService, clientProvider, threadPool));
|
||||||
clusterService.addLifecycleListener(new LifecycleListener() {
|
clusterService.addLifecycleListener(new LifecycleListener() {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -78,7 +78,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
|
||||||
@Override
|
@Override
|
||||||
public void onFailure(Throwable throwable) {
|
public void onFailure(Throwable throwable) {
|
||||||
logger.error("failed to start native user store service", throwable);
|
logger.error("failed to start native user store service", throwable);
|
||||||
assert false : "shield lifecycle services startup failed";
|
assert false : "security lifecycle services startup failed";
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -97,7 +97,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
|
||||||
@Override
|
@Override
|
||||||
public void onFailure(Throwable throwable) {
|
public void onFailure(Throwable throwable) {
|
||||||
logger.error("failed to start native roles store services", throwable);
|
logger.error("failed to start native roles store services", throwable);
|
||||||
assert false : "shield lifecycle services startup failed";
|
assert false : "security lifecycle services startup failed";
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -119,7 +119,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
|
||||||
@Override
|
@Override
|
||||||
public void onFailure(Throwable throwable) {
|
public void onFailure(Throwable throwable) {
|
||||||
logger.error("failed to start index audit trail services", throwable);
|
logger.error("failed to start index audit trail services", throwable);
|
||||||
assert false : "shield lifecycle services startup failed";
|
assert false : "security lifecycle services startup failed";
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
|
@ -3,17 +3,17 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.common.inject.util.Providers;
|
import org.elasticsearch.common.inject.util.Providers;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.shield.support.AbstractShieldModule;
|
import org.elasticsearch.xpack.security.support.AbstractSecurityModule;
|
||||||
import org.elasticsearch.xpack.XPackPlugin;
|
import org.elasticsearch.xpack.XPackPlugin;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class SecurityModule extends AbstractShieldModule {
|
public class SecurityModule extends AbstractSecurityModule {
|
||||||
|
|
||||||
private final SecurityLicenseState securityLicenseState;
|
private final SecurityLicenseState securityLicenseState;
|
||||||
|
|
||||||
|
@ -36,10 +36,10 @@ public class SecurityModule extends AbstractShieldModule {
|
||||||
|
|
||||||
XPackPlugin.bindFeatureSet(binder(), SecurityFeatureSet.class);
|
XPackPlugin.bindFeatureSet(binder(), SecurityFeatureSet.class);
|
||||||
|
|
||||||
if (shieldEnabled) {
|
if (securityEnabled) {
|
||||||
bind(SecurityContext.Secure.class).asEagerSingleton();
|
bind(SecurityContext.Secure.class).asEagerSingleton();
|
||||||
bind(SecurityContext.class).to(SecurityContext.Secure.class);
|
bind(SecurityContext.class).to(SecurityContext.Secure.class);
|
||||||
bind(ShieldLifecycleService.class).asEagerSingleton();
|
bind(SecurityLifecycleService.class).asEagerSingleton();
|
||||||
bind(InternalClient.Secure.class).asEagerSingleton();
|
bind(InternalClient.Secure.class).asEagerSingleton();
|
||||||
bind(InternalClient.class).to(InternalClient.Secure.class);
|
bind(InternalClient.class).to(InternalClient.Secure.class);
|
||||||
} else {
|
} else {
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.xpack.security;
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchException;
|
import org.elasticsearch.ElasticsearchException;
|
||||||
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
|
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
|
||||||
|
@ -28,10 +28,10 @@ import java.io.InputStream;
|
||||||
import java.util.concurrent.atomic.AtomicBoolean;
|
import java.util.concurrent.atomic.AtomicBoolean;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ShieldTemplateService is responsible for adding the template needed for the
|
* SecurityTemplateService is responsible for adding the template needed for the
|
||||||
* {@code .security} administrative index.
|
* {@code .security} administrative index.
|
||||||
*/
|
*/
|
||||||
public class ShieldTemplateService extends AbstractComponent implements ClusterStateListener {
|
public class SecurityTemplateService extends AbstractComponent implements ClusterStateListener {
|
||||||
|
|
||||||
public static final String SECURITY_INDEX_NAME = ".security";
|
public static final String SECURITY_INDEX_NAME = ".security";
|
||||||
public static final String SECURITY_TEMPLATE_NAME = "security-index-template";
|
public static final String SECURITY_TEMPLATE_NAME = "security-index-template";
|
||||||
|
@ -40,7 +40,7 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
|
||||||
private final Provider<InternalClient> clientProvider;
|
private final Provider<InternalClient> clientProvider;
|
||||||
private final AtomicBoolean templateCreationPending = new AtomicBoolean(false);
|
private final AtomicBoolean templateCreationPending = new AtomicBoolean(false);
|
||||||
|
|
||||||
public ShieldTemplateService(Settings settings, ClusterService clusterService,
|
public SecurityTemplateService(Settings settings, ClusterService clusterService,
|
||||||
Provider<InternalClient> clientProvider, ThreadPool threadPool) {
|
Provider<InternalClient> clientProvider, ThreadPool threadPool) {
|
||||||
super(settings);
|
super(settings);
|
||||||
this.threadPool = threadPool;
|
this.threadPool = threadPool;
|
||||||
|
@ -48,23 +48,23 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
|
||||||
clusterService.add(this);
|
clusterService.add(this);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void createShieldTemplate() {
|
private void createSecurityTemplate() {
|
||||||
final Client client = clientProvider.get();
|
final Client client = clientProvider.get();
|
||||||
try (InputStream is = getClass().getResourceAsStream("/" + SECURITY_TEMPLATE_NAME + ".json")) {
|
try (InputStream is = getClass().getResourceAsStream("/" + SECURITY_TEMPLATE_NAME + ".json")) {
|
||||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||||
Streams.copy(is, out);
|
Streams.copy(is, out);
|
||||||
final byte[] template = out.toByteArray();
|
final byte[] template = out.toByteArray();
|
||||||
logger.debug("putting the shield index template");
|
logger.debug("putting the security index template");
|
||||||
PutIndexTemplateRequest putTemplateRequest = client.admin().indices()
|
PutIndexTemplateRequest putTemplateRequest = client.admin().indices()
|
||||||
.preparePutTemplate(SECURITY_TEMPLATE_NAME).setSource(template).request();
|
.preparePutTemplate(SECURITY_TEMPLATE_NAME).setSource(template).request();
|
||||||
PutIndexTemplateResponse templateResponse = client.admin().indices().putTemplate(putTemplateRequest).get();
|
PutIndexTemplateResponse templateResponse = client.admin().indices().putTemplate(putTemplateRequest).get();
|
||||||
if (templateResponse.isAcknowledged() == false) {
|
if (templateResponse.isAcknowledged() == false) {
|
||||||
throw new ElasticsearchException("adding template for shield admin index was not acknowledged");
|
throw new ElasticsearchException("adding template for security index was not acknowledged");
|
||||||
}
|
}
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
logger.error("failed to create shield admin index template [{}]",
|
logger.error("failed to create security index template [{}]",
|
||||||
e, SECURITY_INDEX_NAME);
|
e, SECURITY_INDEX_NAME);
|
||||||
throw new IllegalStateException("failed to create shield admin index template [" +
|
throw new IllegalStateException("failed to create security index template [" +
|
||||||
SECURITY_INDEX_NAME + "]", e);
|
SECURITY_INDEX_NAME + "]", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -72,15 +72,15 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
|
||||||
@Override
|
@Override
|
||||||
public void clusterChanged(ClusterChangedEvent event) {
|
public void clusterChanged(ClusterChangedEvent event) {
|
||||||
if (event.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
|
if (event.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
|
||||||
// wait until the gateway has recovered from disk, otherwise we think may not have .shield-audit-
|
// wait until the gateway has recovered from disk, otherwise we think may not have .security-audit-
|
||||||
// but they may not have been restored from the cluster state on disk
|
// but they may not have been restored from the cluster state on disk
|
||||||
logger.debug("template service waiting until state has been recovered");
|
logger.debug("template service waiting until state has been recovered");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
IndexRoutingTable shieldIndexRouting = event.state().routingTable().index(SECURITY_INDEX_NAME);
|
IndexRoutingTable securityIndexRouting = event.state().routingTable().index(SECURITY_INDEX_NAME);
|
||||||
|
|
||||||
if (shieldIndexRouting == null) {
|
if (securityIndexRouting == null) {
|
||||||
if (event.localNodeMaster()) {
|
if (event.localNodeMaster()) {
|
||||||
ClusterState state = event.state();
|
ClusterState state = event.state();
|
||||||
// TODO for the future need to add some checking in the event the template needs to be updated...
|
// TODO for the future need to add some checking in the event the template needs to be updated...
|
||||||
|
@ -91,14 +91,14 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
|
||||||
threadPool.generic().execute(new AbstractRunnable() {
|
threadPool.generic().execute(new AbstractRunnable() {
|
||||||
@Override
|
@Override
|
||||||
public void onFailure(Throwable t) {
|
public void onFailure(Throwable t) {
|
||||||
logger.warn("failed to create shield admin template", t);
|
logger.warn("failed to create security index template", t);
|
||||||
templateCreationPending.set(false);
|
templateCreationPending.set(false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected void doRun() throws Exception {
|
protected void doRun() throws Exception {
|
||||||
if (createTemplate) {
|
if (createTemplate) {
|
||||||
createShieldTemplate();
|
createSecurityTemplate();
|
||||||
}
|
}
|
||||||
templateCreationPending.set(false);
|
templateCreationPending.set(false);
|
||||||
}
|
}
|
|
@ -3,7 +3,7 @@
|
||||||
* or more contributor license agreements. Licensed under the Elastic License;
|
* or more contributor license agreements. Licensed under the Elastic License;
|
||||||
* you may not use this file except in compliance with the Elastic License.
|
* you may not use this file except in compliance with the Elastic License.
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield.action;
|
package org.elasticsearch.xpack.security.action;
|
||||||
|
|
||||||
import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction;
|
import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction;
|
||||||
import org.elasticsearch.action.admin.indices.analyze.AnalyzeRequest;
|
import org.elasticsearch.action.admin.indices.analyze.AnalyzeRequest;
|
||||||
|
@ -12,18 +12,18 @@ import org.elasticsearch.action.search.ClearScrollRequest;
|
||||||
import org.elasticsearch.transport.TransportRequest;
|
import org.elasticsearch.transport.TransportRequest;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class analyzes an incoming request and its action name, and returns the shield action name for it.
|
* This class analyzes an incoming request and its action name, and returns the security action name for it.
|
||||||
* In many cases the action name is the same as the original one used in es core, but in some exceptional cases it might need
|
* In many cases the action name is the same as the original one used in es core, but in some exceptional cases it might need
|
||||||
* to be converted. For instance a clear_scroll that targets all opened scrolls gets converted to a different action that requires
|
* to be converted. For instance a clear_scroll that targets all opened scrolls gets converted to a different action that requires
|
||||||
* cluster privileges instead of the default indices privileges, still valid for clear scrolls that target specific scroll ids.
|
* cluster privileges instead of the default indices privileges, still valid for clear scrolls that target specific scroll ids.
|
||||||
*/
|
*/
|
||||||
public class ShieldActionMapper {
|
public class SecurityActionMapper {
|
||||||
|
|
||||||
static final String CLUSTER_PERMISSION_SCROLL_CLEAR_ALL_NAME = "cluster:admin/indices/scroll/clear_all";
|
static final String CLUSTER_PERMISSION_SCROLL_CLEAR_ALL_NAME = "cluster:admin/indices/scroll/clear_all";
|
||||||
static final String CLUSTER_PERMISSION_ANALYZE = "cluster:admin/analyze";
|
static final String CLUSTER_PERMISSION_ANALYZE = "cluster:admin/analyze";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the shield specific action name given the incoming action name and request
|
* Returns the security specific action name given the incoming action name and request
|
||||||
*/
|
*/
|
||||||
public String action(String action, TransportRequest request) {
|
public String action(String action, TransportRequest request) {
|
||||||
switch (action) {
|
switch (action) {
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue