security: remove use of shield in files and directory names

This commit removes as many uses of the name "shield" from the source code as possible.

See elastic/elasticsearch#2383

Original commit: elastic/x-pack-elasticsearch@00009cc06e
jaymode 2016-06-17 11:53:55 -04:00
parent 0fcbf8c6ca
commit c024dbfc49
585 changed files with 2939 additions and 3570 deletions


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield.audit;
package org.elasticsearch.xpack.security.audit;
import com.carrotsearch.hppc.cursors.ObjectCursor;
import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateResponse;
@ -14,10 +14,10 @@ import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security;
import org.elasticsearch.shield.audit.index.IndexAuditTrail;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.rest.client.http.HttpResponse;
import org.elasticsearch.xpack.XPackPlugin;
@ -35,7 +35,7 @@ public class IndexAuditIT extends ESIntegTestCase {
private static final String USER = "test_user";
private static final String PASS = "changeme";
public void testShieldIndexAuditTrailWorking() throws Exception {
public void testIndexAuditTrailWorking() throws Exception {
HttpResponse response = httpClient().path("/")
.addHeader("Authorization", UsernamePasswordToken.basicAuthHeaderValue(USER, new SecuredString(PASS.toCharArray())))
.execute();
@ -48,7 +48,7 @@ public class IndexAuditIT extends ESIntegTestCase {
ClusterState state = client().admin().cluster().prepareState().get().getState();
lastClusterState.set(state);
for (ObjectCursor<String> cursor : state.getMetaData().getIndices().keys()) {
if (cursor.value.startsWith(".shield_audit_log")) {
if (cursor.value.startsWith(".security_audit_log")) {
logger.info("found audit index [{}]", cursor.value);
indexExists.set(true);
break;
@ -60,11 +60,11 @@ public class IndexAuditIT extends ESIntegTestCase {
}
}
ensureYellow(".shield_audit_log*");
ensureYellow(".security_audit_log*");
ClusterState state = client().admin().cluster().prepareState().get().getState();
lastClusterState.set(state);
client().admin().indices().prepareRefresh().get();
return client().prepareSearch(".shield_audit_log*").setQuery(QueryBuilders.matchQuery("principal", USER))
return client().prepareSearch(".security_audit_log*").setQuery(QueryBuilders.matchQuery("principal", USER))
.get().getHits().totalHits() > 0;
}, 10L, TimeUnit.SECONDS);
@ -73,7 +73,7 @@ public class IndexAuditIT extends ESIntegTestCase {
}
assertThat(found, is(true));
SearchResponse searchResponse = client().prepareSearch(".shield_audit_log*").setQuery(
SearchResponse searchResponse = client().prepareSearch(".security_audit_log*").setQuery(
QueryBuilders.matchQuery("principal", USER)).get();
assertThat(searchResponse.getHits().getHits().length, greaterThan(0));
assertThat((String) searchResponse.getHits().getAt(0).sourceAsMap().get("principal"), is(USER));
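Review bot: The audit index prefix `.security_audit_log` is written as a literal in four places in this test (the `startsWith` check, `ensureYellow`, and both `prepareSearch` calls), so a later rename has to find each one by hand. A single `private static final String AUDIT_INDEX_PREFIX = ".security_audit_log";` next to `USER` and `PASS`, with `"*"` appended where a pattern is needed, would keep them in step. Because this prefix is what audit consumers match on, the rename presumably also leaves existing `.shield_audit_log*` indices outside any saved searches, alert rules or role index patterns written against the old name; that is not visible here and deserves a line in the commit description or migration notes. The test method bodies start and end outside these hunks.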


@ -3,20 +3,20 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class RestIT extends ESRestTestCase {


@ -57,7 +57,7 @@ public class GroovyManualExecutionIT extends AbstractWatcherIntegrationTestCase
}
@Override
protected boolean enableShield() {
protected boolean enableSecurity() {
return false;
}


@ -41,7 +41,7 @@ public class GroovyScriptConditionIT extends AbstractWatcherIntegrationTestCase
}
@Override
protected boolean enableShield() {
protected boolean enableSecurity() {
return false;
}


@ -41,8 +41,8 @@ public class HistoryTemplateTransformMappingsIT extends AbstractWatcherIntegrati
}
@Override
protected boolean enableShield() {
return false; // remove shield noise from this test
protected boolean enableSecurity() {
return false; // remove security noise from this test
}
public void testTransformFields() throws Exception {


@ -48,7 +48,7 @@ public class HipChatServiceIT extends AbstractWatcherIntegrationTestCase {
}
@Override
protected boolean enableShield() {
protected boolean enableSecurity() {
return false;
}


@ -72,7 +72,7 @@ public class NoMasterNodeIT extends AbstractWatcherIntegrationTestCase {
}
@Override
protected boolean enableShield() {
protected boolean enableSecurity() {
return false;
}


@ -50,7 +50,7 @@ public class PagerDutyServiceIT extends AbstractWatcherIntegrationTestCase {
}
@Override
protected boolean enableShield() {
protected boolean enableSecurity() {
return false;
}


@ -6,7 +6,6 @@
package org.elasticsearch.messy.tests;
import org.elasticsearch.Version;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchPhaseExecutionException;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.common.bytes.BytesArray;
@ -17,9 +16,9 @@ import org.elasticsearch.script.ScriptService;
import org.elasticsearch.script.Template;
import org.elasticsearch.script.mustache.MustachePlugin;
import org.elasticsearch.script.mustache.MustacheScriptEngineService;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.test.ShieldIntegTestCase;
import org.elasticsearch.test.ShieldSettingsSource;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource;
import org.junit.Before;
import org.junit.BeforeClass;
@ -27,12 +26,12 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is;
@ShieldIntegTestCase.AwaitsFix(bugUrl = "clean up test to not use mustache templates, otherwise needs many resources here")
public class ShieldCachePermissionIT extends ShieldIntegTestCase {
@SecurityIntegTestCase.AwaitsFix(bugUrl = "clean up test to not use mustache templates, otherwise needs many resources here")
public class SecurityCachePermissionIT extends SecurityIntegTestCase {
static final String READ_ONE_IDX_USER = "read_user";
@Override
@ -46,7 +45,7 @@ public class ShieldCachePermissionIT extends ShieldIntegTestCase {
@Override
public String configUsers() {
return super.configUsers()
+ READ_ONE_IDX_USER + ":" + ShieldSettingsSource.DEFAULT_PASSWORD_HASHED + "\n";
+ READ_ONE_IDX_USER + ":" + SecuritySettingsSource.DEFAULT_PASSWORD_HASHED + "\n";
}
@Override
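Review bot: `SecurityCachePermissionIT` stays muted by `@SecurityIntegTestCase.AwaitsFix`, and its `bugUrl` is a free-text sentence rather than a link, so nothing tracks when this permission-caching test is expected to run again. Since the class and annotation are being renamed anyway, point `bugUrl` at a real tracking issue, e.g. `bugUrl = "<tracking-issue-url>"`, and move the explanation about mustache templates into a comment above the annotation. Whether another test covers the same cache-permission path is not visible from these hunks. The class body continues outside the hunk.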


@ -47,7 +47,7 @@ public class SlackServiceIT extends AbstractWatcherIntegrationTestCase {
}
@Override
protected boolean enableShield() {
protected boolean enableSecurity() {
return false;
}


@ -20,12 +20,4 @@
* </ul>
*/
// renames that took place:
// renamed: x-pack/watcher/src/test/java/org/elasticsearch/watcher/input/search/SearchInputTests.java ->
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchInputTests.java
// renamed: x-pack/watcher/src/test/java/org/elasticsearch/watcher/transform/search/SearchTransformTests.java ->
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformTests.java
// renamed: x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldCachePermissionTests.java ->
// qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/ShieldCachePermissionTests.java
package org.elasticsearch.messy.tests;


@ -8,7 +8,7 @@ admin:
- '*'
# Search and write on both source and destination indices. It should work if you could just search on the source and
# write to the destination but that isn't how shield works.
# write to the destination but that isn't how security works.
minimal:
indices:
- names: source


@ -3,20 +3,20 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class RestIT extends ESRestTestCase {
private static final String USER = "test_admin";
@ -32,7 +32,7 @@ public class RestIT extends ESRestTestCase {
}
/**
* All tests run as a an administrative user but use <code>es-shield-runas-user</code> to become a less privileged user.
* All tests run as a an administrative user but use <code>es-security-runas-user</code> to become a less privileged user.
*/
@Override
protected Settings restClientSettings() {
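Review bot: The rewritten Javadoc line above `restClientSettings()` still reads "run as a an administrative user". Since the line is being changed for the header rename, fix the wording at the same time: `* All tests run as an administrative user but use {@code es-security-runas-user} to become a less privileged user.` The body of `restClientSettings()` lies outside the hunk.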


@ -32,7 +32,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: powerful_user}
headers: {es-security-runas-user: powerful_user}
reindex:
refresh: true
body:
@ -65,7 +65,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: minimal_user}
headers: {es-security-runas-user: minimal_user}
reindex:
refresh: true
body:
@ -98,7 +98,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: readonly_user}
headers: {es-security-runas-user: readonly_user}
catch: forbidden
reindex:
body:
@ -120,7 +120,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: dest_only_user}
headers: {es-security-runas-user: dest_only_user}
catch: forbidden
reindex:
body:
@ -147,7 +147,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: dest_only_user}
headers: {es-security-runas-user: dest_only_user}
catch: forbidden
reindex:
refresh: true
@ -194,7 +194,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: can_not_see_hidden_docs_user}
headers: {es-security-runas-user: can_not_see_hidden_docs_user}
reindex:
refresh: true
body:
@ -237,7 +237,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: can_not_see_hidden_fields_user}
headers: {es-security-runas-user: can_not_see_hidden_fields_user}
reindex:
refresh: true
body:
@ -287,7 +287,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: can_not_see_hidden_docs_user}
headers: {es-security-runas-user: can_not_see_hidden_docs_user}
reindex:
body:
source:
@ -308,7 +308,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: can_not_see_hidden_fields_user}
headers: {es-security-runas-user: can_not_see_hidden_fields_user}
reindex:
body:
source:
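Review bot: Every `do` step in this suite authenticates as the administrative user and relies on the `es-security-runas-user` header to drop privileges, so a header name the server does not recognise would presumably leave the request running with the administrator's permissions instead of failing. The `powerful_user`, `minimal_user` and `can_not_see_hidden_*` steps carry no `catch: forbidden`, so whether they would notice that depends on assertions outside these hunks. Consider adding one step that sends the old `es-shield-runas-user` header and asserts the intended outcome, and stating in the commit description that the header name is a breaking change for clients. The same applies to the update_by_query and delete_by_query suites that follow.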


@ -41,7 +41,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: powerful_user}
headers: {es-security-runas-user: powerful_user}
update_by_query:
refresh: true
index: source
@ -72,7 +72,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: minimal_user}
headers: {es-security-runas-user: minimal_user}
update_by_query:
refresh: true
index: source
@ -103,7 +103,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: readonly_user}
headers: {es-security-runas-user: readonly_user}
catch: forbidden
update_by_query:
index: source
@ -121,7 +121,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: dest_only_user}
headers: {es-security-runas-user: dest_only_user}
catch: forbidden
update_by_query:
index: source
@ -145,7 +145,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: can_not_see_hidden_docs_user}
headers: {es-security-runas-user: can_not_see_hidden_docs_user}
update_by_query:
refresh: true
index: source
@ -191,7 +191,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: can_not_see_hidden_fields_user}
headers: {es-security-runas-user: can_not_see_hidden_fields_user}
update_by_query:
index: source
body:


@ -37,7 +37,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: powerful_user}
headers: {es-security-runas-user: powerful_user}
delete_by_query:
refresh: true
index: source
@ -64,7 +64,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: minimal_user}
headers: {es-security-runas-user: minimal_user}
delete_by_query:
refresh: true
index: source
@ -91,7 +91,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: readonly_user}
headers: {es-security-runas-user: readonly_user}
catch: forbidden
delete_by_query:
refresh: true
@ -118,7 +118,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: dest_only_user}
headers: {es-security-runas-user: dest_only_user}
catch: forbidden
delete_by_query:
refresh: true
@ -151,7 +151,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: can_not_see_hidden_docs_user}
headers: {es-security-runas-user: can_not_see_hidden_docs_user}
delete_by_query:
refresh: true
index: source
@ -212,7 +212,7 @@
indices.refresh: {}
- do:
headers: {es-shield-runas-user: can_not_see_hidden_fields_user}
headers: {es-security-runas-user: can_not_see_hidden_fields_user}
delete_by_query:
refresh: true
index: source


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield.qa;
package org.elasticsearch.xpack.security.qa;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
@ -13,8 +13,8 @@ import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.xpack.XPackPlugin;
@ -23,14 +23,14 @@ import java.util.Collections;
import java.util.List;
import java.util.concurrent.TimeUnit;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is;
/**
* Integration tests that test a transport client with Shield being loaded that connect to an external cluster
* Integration tests that test a transport client with security being loaded that connect to an external cluster
*/
public class ShieldTransportClientIT extends ESIntegTestCase {
public class SecurityTransportClientIT extends ESIntegTestCase {
static final String ADMIN_USER_PW = "test_user:changeme";
static final String TRANSPORT_USER_PW = "transport:changeme";


@ -8,7 +8,7 @@ package org.elasticsearch.example;
import org.elasticsearch.example.realm.CustomAuthenticationFailureHandler;
import org.elasticsearch.example.realm.CustomRealm;
import org.elasticsearch.example.realm.CustomRealmFactory;
import org.elasticsearch.shield.authc.AuthenticationModule;
import org.elasticsearch.xpack.security.authc.AuthenticationModule;
import org.elasticsearch.xpack.extensions.XPackExtension;
import java.security.AccessController;


@ -8,8 +8,8 @@ package org.elasticsearch.example.realm;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.shield.authc.AuthenticationToken;
import org.elasticsearch.shield.authc.DefaultAuthenticationFailureHandler;
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler;
import org.elasticsearch.transport.TransportMessage;
public class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler {


@ -6,12 +6,12 @@
package org.elasticsearch.example.realm;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.user.User;
import org.elasticsearch.shield.authc.AuthenticationToken;
import org.elasticsearch.shield.authc.Realm;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.Realm;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
public class CustomRealm extends Realm<UsernamePasswordToken> {


@ -7,8 +7,8 @@ package org.elasticsearch.example.realm;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.shield.authc.Realm;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.Realm;
import org.elasticsearch.xpack.security.authc.RealmConfig;
public class CustomRealmFactory extends Realm.Factory<CustomRealm> {


@ -6,10 +6,10 @@
package org.elasticsearch.example.realm;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.user.User;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.ESTestCase;
import static org.hamcrest.Matchers.equalTo;


@ -1,114 +0,0 @@
<?xml version="1.0"?>
<!--
~ ELASTICSEARCH CONFIDENTIAL
~ __________________
~
~ [2014] Elasticsearch Incorporated. All Rights Reserved.
~
~ NOTICE: All information contained herein is, and remains
~ the property of Elasticsearch Incorporated and its suppliers,
~ if any. The intellectual and technical concepts contained
~ herein are proprietary to Elasticsearch Incorporated
~ and its suppliers and may be covered by U.S. and Foreign Patents,
~ patents in process, and are protected by trade secret or copyright law.
~ Dissemination of this information or reproduction of this material
~ is strictly forbidden unless prior written permission is obtained
~ from Elasticsearch Incorporated.
-->
<project name="smoke-test-watcher-and-shield"
xmlns:ac="antlib:net.sf.antcontrib">
<import file="${elasticsearch.integ.antfile.default}"/>
<!-- redefined to work with auth -->
<macrodef name="waitfor-elasticsearch">
<attribute name="port"/>
<attribute name="timeoutproperty"/>
<sequential>
<echo>Waiting for elasticsearch to become available on port @{port}...</echo>
<waitfor maxwait="30" maxwaitunit="second"
checkevery="500" checkeveryunit="millisecond"
timeoutproperty="@{timeoutproperty}">
<socket server="127.0.0.1" port="@{port}"/>
</waitfor>
</sequential>
</macrodef>
<target name="start-external-cluster-with-found-license-and-shield" depends="setup-workspace">
<ac:for list="${xplugins.list}" param="xplugin.name">
<sequential>
<fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}">
<condition>
<not>
<available file="${integ.deps}/plugins/@{xplugin.name}-${elasticsearch.version}.zip" />
</not>
</condition>
</fail>
</sequential>
</ac:for>
<ac:for param="file">
<path>
<fileset dir="${integ.deps}/plugins"/>
</path>
<sequential>
<local name="plugin.name"/>
<convert-plugin-name file="@{file}" outputproperty="plugin.name"/>
<install-plugin name="${plugin.name}" file="@{file}"/>
</sequential>
</ac:for>
<local name="home"/>
<property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/>
<echo>Adding roles.yml with watcher roles</echo>
<copy file="watcher-with-shield-roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/>
<echo>Adding shield users...</echo>
<run-script script="${home}/bin/x-pack/esusers">
<nested>
<arg value="useradd"/>
<arg value="test_admin"/>
<arg value="-p"/>
<arg value="changeme"/>
<arg value="-r"/>
<arg value="admin"/>
</nested>
</run-script>
<run-script script="${home}/bin/x-pack/esusers">
<nested>
<arg value="useradd"/>
<arg value="watcher_manager"/>
<arg value="-p"/>
<arg value="changeme"/>
<arg value="-r"/>
<arg value="watcher_manager"/>
</nested>
</run-script>
<run-script script="${home}/bin/x-pack/esusers">
<nested>
<arg value="useradd"/>
<arg value="powerless_user"/>
<arg value="-p"/>
<arg value="changeme"/>
<arg value="-r"/>
<arg value="crapy_role"/>
</nested>
</run-script>
<startup-elasticsearch>
<!-- Useful for when debugging -->
<!--<additional-args>-->
<!--<arg value="-Des.http.cors.enabled=true"/>-->
<!--<arg value="-Des.http.cors.allow-origin=*"/>-->
<!--</additional-args>-->
</startup-elasticsearch>
<echo>Checking we can connect with basic auth on port ${integ.http.port}...</echo>
<local name="temp.file"/>
<tempfile property="temp.file" destdir="${java.io.tmpdir}"/>
<get src="http://127.0.0.1:${integ.http.port}" dest="${temp.file}"
username="test_admin" password="changeme" verbose="true" retries="10"/>
</target>
</project>


@ -1,95 +0,0 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.smoketest;
import org.elasticsearch.Version;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.shield.Shield;
import org.hamcrest.Matcher;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.nullValue;
public class MarvelClusterInfoIT extends ESIntegTestCase {
static final String ADMIN_USER_PW = "test_admin:changeme";
@Override
protected Settings externalClusterClientSettings() {
return Settings.builder()
.put(Shield.USER_SETTING.getKey(), ADMIN_USER_PW)
.build();
}
@Override
protected Collection<Class<? extends Plugin>> transportClientPlugins() {
return Collections.singletonList(XPackPlugin.class);
}
public void testMarvelClusterInfoCollectorWorks() throws Exception {
final String clusterUUID = client().admin().cluster().prepareState().setMetaData(true).get().getState().metaData().clusterUUID();
assertTrue(Strings.hasText(clusterUUID));
awaitIndexExists(".monitoring-es-data");
ensureYellow(".monitoring-es-data");
awaitMarvelDocsCount(equalTo(1L), "cluster_info");
GetResponse response = client().prepareGet(".monitoring-es-data", "cluster_info", clusterUUID).get();
assertTrue(".monitoring-es-data" + " document does not exist", response.isExists());
Map<String, Object> source = response.getSource();
assertThat((String) source.get("cluster_name"), equalTo(cluster().getClusterName()));
assertThat((String) source.get("version"), equalTo(Version.CURRENT.toString()));
Object licenseObj = source.get("license");
assertThat(licenseObj, nullValue());
}
protected void awaitMarvelDocsCount(Matcher<Long> matcher, String... types) throws Exception {
flush();
refresh();
assertBusy(new Runnable() {
@Override
public void run() {
assertMarvelDocsCount(matcher, types);
}
}, 30, TimeUnit.SECONDS);
}
protected void assertMarvelDocsCount(Matcher<Long> matcher, String... types) {
try {
long count = client().prepareSearch(".monitoring-es-data").setSize(0)
.setTypes(types).get().getHits().totalHits();
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
assertThat(count, matcher);
} catch (IndexNotFoundException e) {
assertThat(0L, matcher);
}
}
protected void awaitIndexExists(final String... indices) throws Exception {
assertBusy(new Runnable() {
@Override
public void run() {
assertIndicesExists(indices);
}
}, 30, TimeUnit.SECONDS);
}
protected void assertIndicesExists(String... indices) {
logger.trace("checking if index exists [{}]", Strings.arrayToCommaDelimitedString(indices));
assertThat(client().admin().indices().prepareExists(indices).get().isExists(), is(true));
}
}


@ -1,98 +0,0 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.smoketest;
import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.elasticsearch.client.support.Headers;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Shield;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import org.elasticsearch.xpack.XPackPlugin;
import org.junit.After;
import org.junit.Before;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;
import java.util.Collection;
import java.util.Collections;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class WatcherWithShieldIT extends ESRestTestCase {
private final static String TEST_ADMIN_USERNAME = "test_admin";
private final static String TEST_ADMIN_PASSWORD = "changeme";
public WatcherWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}
@ParametersFactory
public static Iterable<Object[]> parameters() throws IOException, RestTestParseException {
return ESRestTestCase.createParameters(0, 1);
}
@Before
public void startWatcher() throws Exception {
try(CloseableHttpClient client = HttpClients.createMinimal(new BasicHttpClientConnectionManager())) {
InetSocketAddress address = cluster().httpAddresses()[0];
HttpPut request = new HttpPut(new URI("http", null, NetworkAddress.format(address.getAddress()), address.getPort(), "/_xpack/watcher/_start", null, null));
String token = basicAuthHeaderValue(TEST_ADMIN_USERNAME, new SecuredString(TEST_ADMIN_PASSWORD.toCharArray()));
request.addHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, token);
client.execute(request);
}
}
@After
public void stopWatcher() throws Exception {
try(CloseableHttpClient client = HttpClients.createMinimal(new BasicHttpClientConnectionManager())) {
InetSocketAddress address = cluster().httpAddresses()[0];
HttpPut request = new HttpPut(new URI("http", null, NetworkAddress.format(address.getAddress()), address.getPort(), "/_xpack/watcher/_stop", null, null));
String token = basicAuthHeaderValue(TEST_ADMIN_USERNAME, new SecuredString(TEST_ADMIN_PASSWORD.toCharArray()));
request.addHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, token);
client.execute(request);
}
}
@Override
protected Settings restClientSettings() {
String[] credentials = getCredentials();
String token = basicAuthHeaderValue(credentials[0], new SecuredString(credentials[1].toCharArray()));
return Settings.builder()
.put(Headers.PREFIX + ".Authorization", token)
.build();
}
@Override
protected Settings externalClusterClientSettings() {
return Settings.builder()
.put(Shield.USER_SETTING.getKey(), TEST_ADMIN_USERNAME + ":" + TEST_ADMIN_PASSWORD)
.build();
}
protected String[] getCredentials() {
return new String[]{"watcher_manager", "changeme"};
}
@Override
protected Collection<Class<? extends Plugin>> transportClientPlugins() {
return Collections.<Class<? extends Plugin>>singleton(XPackPlugin.class);
}
}


@ -1,36 +0,0 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.smoketest;
import com.carrotsearch.randomizedtesting.annotations.Name;
import org.elasticsearch.test.rest.RestTestCandidate;
import java.io.IOException;
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.containsString;
public class WatcherWithShieldInsufficientRoleIT extends WatcherWithShieldIT {
public WatcherWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}
public void test() throws IOException {
try {
super.test();
fail();
} catch(AssertionError ae) {
assertThat(ae.getMessage(), anyOf(containsString("action [cluster:monitor/watcher/"), containsString("action [cluster:admin/watcher/")));
assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
assertThat(ae.getMessage(), containsString("is unauthorized for user [powerless_user]"));
}
}
@Override
protected String[] getCredentials() {
return new String[]{"powerless_user", "changeme"};
}
}


@ -1,20 +0,0 @@
admin:
cluster: all
indices:
'*': all
watcher_manager:
cluster: manage
indices:
'.watcher-history-*': all
watcher_monitor:
cluster: monitor
indices:
'.watcher-history-*': read
crapy_role:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
- cluster:monitor/nodes/liveness


@ -8,37 +8,23 @@ package org.elasticsearch.smoketest;
import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
//import org.elasticsearch.client.support.Headers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.plugins.Plugin;
//import org.elasticsearch.shield.ShieldPlugin;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import org.junit.After;
import org.junit.Before;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.util.Collection;
import java.util.Collections;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class GraphWithShieldIT extends ESRestTestCase {
public class GraphWithSecurityIT extends ESRestTestCase {
private final static String TEST_ADMIN_USERNAME = "test_admin";
private final static String TEST_ADMIN_PASSWORD = "changeme";
public GraphWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
public GraphWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}


@ -7,15 +7,14 @@ package org.elasticsearch.smoketest;
import com.carrotsearch.randomizedtesting.annotations.Name;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.junit.Test;
import java.io.IOException;
import static org.hamcrest.Matchers.containsString;
public class GraphWithShieldInsufficientRoleIT extends GraphWithShieldIT {
public class GraphWithSecurityInsufficientRoleIT extends GraphWithSecurityIT {
public GraphWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
public GraphWithSecurityInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}


@ -9,19 +9,19 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.Matchers.containsString;
public class MonitoringWithShieldInsufficientRoleIT extends ESRestTestCase {
public class MonitoringWithSecurityInsufficientRoleIT extends ESRestTestCase {
public MonitoringWithShieldInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
public MonitoringWithSecurityInsufficientRoleIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}


@ -9,18 +9,18 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class MonitoringWithShieldIT extends ESRestTestCase {
public class MonitoringWithSecurityIT extends ESRestTestCase {
public MonitoringWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
public MonitoringWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}


@ -12,8 +12,8 @@ import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security;
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.xpack.XPackPlugin;
import org.junit.After;
@ -37,14 +37,14 @@ import static org.hamcrest.Matchers.greaterThanOrEqualTo;
/**
* This test checks that a Monitoring's HTTP exporter correctly exports to a monitoring cluster
* protected by Shield with HTTPS/SSL.
* protected by security with HTTPS/SSL.
*
* It sets up a cluster with Monitoring and Shield configured with SSL. Once started,
* It sets up a cluster with Monitoring and Security configured with SSL. Once started,
* an HTTP exporter is activated and it exports data locally over HTTPS/SSL. The test
* then uses a transport client to check that the data have been correctly received and
* indexed in the cluster.
*/
public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase {
public class SmokeTestMonitoringWithSecurityIT extends ESIntegTestCase {
private static final String USER = "test_user";
private static final String PASS = "changeme";
@ -61,7 +61,7 @@ public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase {
protected Settings externalClusterClientSettings() {
return Settings.builder()
.put(Security.USER_SETTING.getKey(), USER + ":" + PASS)
.put(ShieldNettyTransport.SSL_SETTING.getKey(), true)
.put(SecurityNettyTransport.SSL_SETTING.getKey(), true)
.put("xpack.security.ssl.keystore.path", clientKeyStore)
.put("xpack.security.ssl.keystore.password", KEYSTORE_PASS)
.build();
@ -133,7 +133,7 @@ public class SmokeTestMonitoringWithShieldIT extends ESIntegTestCase {
@BeforeClass
public static void loadKeyStore() {
try {
clientKeyStore = PathUtils.get(SmokeTestMonitoringWithShieldIT.class.getResource("/test-client.jks").toURI());
clientKeyStore = PathUtils.get(SmokeTestMonitoringWithSecurityIT.class.getResource("/test-client.jks").toURI());
} catch (URISyntaxException e) {
throw new ElasticsearchException("exception while reading the store", e);
}
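Review bot: In `loadKeyStore`, `getResource("/test-client.jks")` returns null when the keystore is not on the test classpath, so the chained `.toURI()` fails with a bare NullPointerException rather than the ElasticsearchException the catch block is there to produce. Since the line is already being touched for the class rename, I would resolve the URL into a local first and fail with a message that names the resource, e.g. `assertNotNull("test-client.jks not found on the test classpath", url);` before calling `url.toURI()`. A missing client keystore is otherwise hard to tell apart from an SSL misconfiguration in the cluster under test. The method body continues past the end of the hunk.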


@ -11,7 +11,7 @@ import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.client.RestClient;
@ -24,7 +24,7 @@ import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class SmokeTestPluginsSslIT extends ESRestTestCase {


@ -9,14 +9,14 @@ import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class SmokeTestPluginsIT extends ESRestTestCase {


@ -17,22 +17,22 @@ import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import org.junit.After;
import org.junit.Before;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class WatcherWithShieldIT extends ESRestTestCase {
public class WatcherWithSecurityIT extends ESRestTestCase {
private final static String TEST_ADMIN_USERNAME = "test_admin";
private final static String TEST_ADMIN_PASSWORD = "changeme";
public WatcherWithShieldIT(@Name("yaml") RestTestCandidate testCandidate) {
public WatcherWithSecurityIT(@Name("yaml") RestTestCandidate testCandidate) {
super(testCandidate);
}


@ -1,7 +1,7 @@
---
"Test watcher is protected by shield":
"Test watcher is protected by security":
- do:
headers: { es-shield-runas-user: powerless_user }
headers: { es-security-runas-user: powerless_user }
catch: forbidden
xpack.watcher.stats: {}
# there seems to be a bug in the yaml parser we use, where a single element list
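Review bot: Nothing in this test pins down what the server does with a request that still carries the old run-as header name `es-shield-runas-user`, now that the `do` step sends `es-security-runas-user`. The handling code is not visible in this section; if the old header is simply ignored, a caller that relied on run-as to drop privileges would presumably execute as the authenticating user instead of `powerless_user`. I would add a second `do` step that sends `es-shield-runas-user: powerless_user` and asserts the intended outcome, and record the header rename in the migration notes. The hunk ends inside the test body, so later steps are not visible.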


@ -16,14 +16,14 @@
~ from Elasticsearch Incorporated.
-->
<project name="smoke-test-tribe-node-with-shield"
<project name="smoke-test-tribe-node-with-security"
xmlns:ac="antlib:net.sf.antcontrib">
<taskdef name="xhttp" classname="org.elasticsearch.ant.HttpTask" classpath="${test_classpath}" />
<typedef name="xhttp" classname="org.elasticsearch.ant.HttpCondition" classpath="${test_classpath}"/>
<import file="${elasticsearch.integ.antfile.default}"/>
<import file="${elasticsearch.tools.directory}/ant/shield-overrides.xml"/>
<import file="${elasticsearch.tools.directory}/ant/security-overrides.xml"/>
<property name="tribe_node.pidfile" location="${integ.scratch}/tribe-node.pid"/>
<available property="tribe_node.pidfile.exists" file="${tribe_node.pidfile}"/>
@ -47,7 +47,7 @@
</sequential>
</macrodef>
<target name="start-tribe-node-and-2-clusters-with-shield" depends="setup-workspace">
<target name="start-tribe-node-and-2-clusters-with-security" depends="setup-workspace">
<ac:for list="${xplugins.list}" param="xplugin.name">
<sequential>
<fail message="Expected @{xplugin.name}-${version}.zip as a dependency, but could not be found in ${integ.deps}/plugins}">
@ -75,9 +75,9 @@
<property name="home" location="${integ.scratch}/elasticsearch-${elasticsearch.version}"/>
<echo>Adding roles.yml</echo>
<copy file="shield-roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/>
<copy file="roles.yml" tofile="${home}/config/x-pack/roles.yml" overwrite="true"/>
<echo>Adding shield users...</echo>
<echo>Adding security users...</echo>
<run-script script="${home}/bin/x-pack/esusers">
<nested>
<arg value="useradd"/>


@ -3,20 +3,20 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import com.carrotsearch.randomizedtesting.annotations.Name;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.client.support.Headers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.ESRestTestCase;
import org.elasticsearch.test.rest.RestTestCandidate;
import org.elasticsearch.test.rest.parser.RestTestParseException;
import java.io.IOException;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
public class RestIT extends TribeRestTestCase {


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import com.carrotsearch.randomizedtesting.RandomizedTest;
import com.carrotsearch.randomizedtesting.annotations.TestGroup;


@ -24,7 +24,7 @@ dependencies {
compile project(':x-plugins:elasticsearch:license:base')
testCompile project(':x-plugins:elasticsearch:license:licensor')
// shield deps
// security deps
compile 'dk.brics.automaton:automaton:1.11-8'
compile 'com.unboundid:unboundid-ldapsdk:2.3.8'
compile 'org.bouncycastle:bcprov-jdk15on:1.54'
@ -33,7 +33,7 @@ dependencies {
// watcher deps
compile 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:r239'
compile 'com.google.guava:guava:16.0.1' // needed by watcher for the html sanitizer and shield tests for jimfs
compile 'com.google.guava:guava:16.0.1' // needed by watcher for the html sanitizer and security tests for jimfs
compile 'com.sun.mail:javax.mail:1.5.3'
// HACK: java 9 removed javax.activation from the default modules, so instead of trying to add modules, which would have
// to be conditionalized for java 8/9, we pull in the classes directly
@ -57,7 +57,7 @@ dependencies {
// we keep the source directories in the original structure of split plugins,
// in order to facilitate backports to 2.x. TODO: remove after 5.0 release
for (String module : ['', 'license-plugin/', 'shield/', 'watcher/', 'marvel/', 'graph/']) {
for (String module : ['', 'license-plugin/', 'security/', 'watcher/', 'marvel/', 'graph/']) {
sourceSets {
main {
java.srcDir("${module}src/main/java")
@ -116,10 +116,10 @@ bundlePlugin {
from('bin/x-pack') {
into 'bin'
}
from('shield/bin/x-pack') {
from('security/bin/x-pack') {
into 'bin'
}
from('shield/config/x-pack') {
from('security/config/x-pack') {
into 'config'
}
from('watcher/bin/x-pack') {


@ -22,7 +22,7 @@ import org.elasticsearch.script.NativeScriptFactory;
import org.elasticsearch.script.Script;
import org.elasticsearch.script.ScriptModule;
import org.elasticsearch.script.ScriptService.ScriptType;
import org.elasticsearch.shield.Security;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.test.ESSingleNodeTestCase;
import org.elasticsearch.xpack.watcher.Watcher;
import org.elasticsearch.xpack.XPackPlugin;
@ -127,7 +127,7 @@ public class GraphTests extends ESSingleNodeTestCase {
@Override
public Settings nodeSettings() {
// Disable Shield otherwise authentication failures happen creating indices.
// Disable security otherwise authentication failures happen creating indices.
Builder newSettings = Settings.builder();
newSettings.put(XPackPlugin.featureEnabledSetting(Security.NAME), false);
newSettings.put(XPackPlugin.featureEnabledSetting(Monitoring.NAME), false);


@ -25,7 +25,7 @@ import org.elasticsearch.license.plugin.core.LicensesMetaData;
import org.elasticsearch.license.plugin.core.LicensesStatus;
import org.elasticsearch.marvel.Monitoring;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.InternalTestCluster;
import org.elasticsearch.xpack.watcher.Watcher;


@ -22,7 +22,7 @@ import org.elasticsearch.license.plugin.core.LicensesStatus;
import org.elasticsearch.marvel.Monitoring;
import org.elasticsearch.node.Node;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.test.ESSingleNodeTestCase;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.watcher.Watcher;


@ -23,7 +23,7 @@ import org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing;
import org.elasticsearch.marvel.Monitoring;
import org.elasticsearch.node.Node;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import org.elasticsearch.test.ESIntegTestCase.Scope;


@ -17,7 +17,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.xpack.security.InternalClient;
import java.util.ArrayList;
import java.util.Collection;


@ -20,7 +20,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.xpack.security.InternalClient;
import java.util.ArrayList;
import java.util.Collection;


@ -17,8 +17,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.shield.Security;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.security.Security;
import java.util.ArrayList;
import java.util.Arrays;


@ -19,8 +19,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.shield.Security;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.security.Security;
import java.util.ArrayList;
import java.util.Arrays;


@ -17,8 +17,8 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.shield.Security;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.security.Security;
import java.util.Arrays;
import java.util.Collection;


@ -21,7 +21,7 @@ import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.agent.collector.AbstractCollector;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.xpack.security.InternalClient;
import java.util.Collection;
import java.util.Collections;


@ -6,7 +6,7 @@
package org.elasticsearch.marvel.support.init.proxy;
import org.elasticsearch.client.Client;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.common.init.proxy.ClientProxy;
public class MonitoringClientProxy extends ClientProxy {


@ -26,7 +26,7 @@ import org.elasticsearch.license.plugin.core.LicensesManagerService;
import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import org.elasticsearch.xpack.XPackPlugin;


@ -45,7 +45,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
waitForNoBlocksOnNode(node);
try {
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(shieldEnabled ? 0 : 1));
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
@ -56,7 +56,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
waitForNoBlocksOnNode(node);
try {
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(shieldEnabled ? 0 : 1));
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}


@ -16,7 +16,7 @@ import org.elasticsearch.marvel.MonitoredSystem;
import org.elasticsearch.marvel.agent.collector.AbstractCollectorTestCase;
import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
import org.elasticsearch.marvel.MonitoringLicensee;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import java.util.Collection;


@ -50,7 +50,7 @@ public class LocalIndicesCleanerTests extends AbstractIndicesCleanerTestCase {
try {
assertThat(client().admin().indices().prepareGetSettings().get().getIndexToSettings().size(), equalTo(count));
} catch (IndexNotFoundException e) {
if (shieldEnabled) {
if (securityEnabled) {
assertThat(0, equalTo(count));
} else {
throw e;


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.marvel.shield;
package org.elasticsearch.marvel.security;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequestBuilder;
@ -13,7 +13,7 @@ import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.shield.InternalClient;
import org.elasticsearch.xpack.security.InternalClient;
import java.util.ArrayList;


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.marvel.shield;
package org.elasticsearch.marvel.security;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
@ -13,7 +13,7 @@ import org.elasticsearch.common.xcontent.json.JsonXContent;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.marvel.MonitoringSettings;
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.test.rest.client.http.HttpRequestBuilder;
import org.elasticsearch.test.rest.client.http.HttpResponse;
import org.hamcrest.Matchers;
@ -23,8 +23,8 @@ import java.io.IOException;
import java.util.Map;
import static org.elasticsearch.common.xcontent.support.XContentMapValues.extractValue;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.hamcrest.CoreMatchers.nullValue;
public class MarvelSettingsFilterTests extends MarvelIntegTestCase {
@ -89,9 +89,9 @@ public class MarvelSettingsFilterTests extends MarvelIntegTestCase {
if (body != null) {
requestBuilder.body(body);
}
if (shieldEnabled) {
if (securityEnabled) {
requestBuilder.addHeader(BASIC_AUTH_HEADER,
basicAuthHeaderValue(ShieldSettings.TEST_USERNAME, new SecuredString(ShieldSettings.TEST_PASSWORD.toCharArray())));
basicAuthHeaderValue(SecuritySettings.TEST_USERNAME, new SecuredString(SecuritySettings.TEST_PASSWORD.toCharArray())));
}
return requestBuilder.execute();
}


@ -25,12 +25,12 @@ import org.elasticsearch.marvel.agent.resolver.MonitoringIndexNameResolver;
import org.elasticsearch.marvel.agent.resolver.ResolversRegistry;
import org.elasticsearch.marvel.client.MonitoringClient;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.shield.Security;
import org.elasticsearch.shield.authc.file.FileRealm;
import org.elasticsearch.shield.authc.support.Hasher;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authz.store.FileRolesStore;
import org.elasticsearch.shield.crypto.InternalCryptoService;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.authc.file.FileRealm;
import org.elasticsearch.xpack.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
import org.elasticsearch.xpack.security.crypto.InternalCryptoService;
import org.elasticsearch.test.ESIntegTestCase;
import org.elasticsearch.test.TestCluster;
import org.elasticsearch.test.store.MockFSIndexStore;
@ -60,7 +60,7 @@ import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.hamcrest.Matchers.allOf;
import static org.hamcrest.Matchers.greaterThan;
@ -77,10 +77,10 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
/**
* Enables individual tests to control the behavior.
* <p>
* Control this by overriding {@link #enableShield()}, which defaults to enabling it randomly.
* Control this by overriding {@link #enableSecurity()}, which defaults to enabling it randomly.
*/
// SCARY: This needs to be static or lots of tests randomly fail, but it's not used statically!
protected static Boolean shieldEnabled;
protected static Boolean securityEnabled;
/**
* Enables individual tests to control the behavior.
* <p>
@ -90,14 +90,14 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
@Override
protected TestCluster buildTestCluster(Scope scope, long seed) throws IOException {
if (shieldEnabled == null) {
shieldEnabled = enableShield();
if (securityEnabled == null) {
securityEnabled = enableSecurity();
}
if (watcherEnabled == null) {
watcherEnabled = enableWatcher();
}
logger.debug("--> shield {}", shieldEnabled ? "enabled" : "disabled");
logger.debug("--> security {}", securityEnabled ? "enabled" : "disabled");
logger.debug("--> watcher {}", watcherEnabled ? "enabled" : "disabled");
return super.buildTestCluster(scope, seed);
@ -111,14 +111,14 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
// we do this by default in core, but for monitoring this isn't needed and only adds noise.
.put("index.store.mock.check_index_on_close", false);
ShieldSettings.apply(shieldEnabled, builder);
SecuritySettings.apply(securityEnabled, builder);
return builder.build();
}
@Override
protected Settings transportClientSettings() {
if (shieldEnabled) {
if (securityEnabled) {
return Settings.builder()
.put(super.transportClientSettings())
.put("client.transport.sniff", false)
@ -133,8 +133,8 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
@Override
protected Collection<Class<? extends Plugin>> getMockPlugins() {
Set<Class<? extends Plugin>> plugins = new HashSet<>(super.getMockPlugins());
plugins.remove(MockTransportService.TestPlugin.class); // shield has its own transport service
plugins.remove(AssertingLocalTransport.TestPlugin.class); // shield has its own transport
plugins.remove(MockTransportService.TestPlugin.class); // security has its own transport service
plugins.remove(AssertingLocalTransport.TestPlugin.class); // security has its own transport
plugins.add(MockFSIndexStore.TestPlugin.class);
return plugins;
}
@ -151,16 +151,16 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
@Override
protected Function<Client,Client> getClientWrapper() {
if (shieldEnabled == false) {
if (securityEnabled == false) {
return Function.identity();
}
Map<String, String> headers = Collections.singletonMap("Authorization",
basicAuthHeaderValue(ShieldSettings.TEST_USERNAME, new SecuredString(ShieldSettings.TEST_PASSWORD.toCharArray())));
basicAuthHeaderValue(SecuritySettings.TEST_USERNAME, new SecuredString(SecuritySettings.TEST_PASSWORD.toCharArray())));
return client -> (client instanceof NodeClient) ? client.filterWithHeader(headers) : client;
}
protected MonitoringClient monitoringClient() {
Client client = shieldEnabled ? internalCluster().transportClient() : client();
Client client = securityEnabled ? internalCluster().transportClient() : client();
return randomBoolean() ? new XPackClient(client).monitoring() : new MonitoringClient(client);
}
@ -184,7 +184,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
/**
* Override and return {@code false} to force running without Security.
*/
protected boolean enableShield() {
protected boolean enableSecurity() {
return randomBoolean();
}
@ -231,11 +231,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
}
protected void deleteMarvelIndices() {
if (shieldEnabled) {
if (securityEnabled) {
try {
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
} catch (IndexNotFoundException e) {
// if shield couldn't resolve any marvel index, it'll throw index not found exception.
// if security couldn't resolve any marvel index, it'll throw index not found exception.
}
} else {
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
@ -247,11 +247,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
}
protected void ensureMarvelIndicesYellow() {
if (shieldEnabled) {
if (securityEnabled) {
try {
ensureYellow(".monitoring-es-*");
} catch (IndexNotFoundException e) {
// might happen with shield...
// might happen with security...
}
} else {
ensureYellow(".monitoring-es-*");
@ -266,7 +266,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
assertThat(count, matcher);
} catch (IndexNotFoundException e) {
if (shieldEnabled) {
if (securityEnabled) {
assertThat(0L, matcher);
} else {
throw e;
@ -312,8 +312,8 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
try {
assertIndicesExists(index);
} catch (IndexNotFoundException e) {
if (shieldEnabled) {
// with shield we might get that if wildcards were resolved to no indices
if (securityEnabled) {
// with security we might get that if wildcards were resolved to no indices
fail("IndexNotFoundException when checking for existence of index [" + index + "]");
} else {
throw e;
@ -336,11 +336,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
}
protected void securedRefresh() {
if (shieldEnabled) {
if (securityEnabled) {
try {
refresh();
} catch (IndexNotFoundException e) {
// with shield we might get that if wildcards were resolved to no indices
// with security we might get that if wildcards were resolved to no indices
}
} else {
refresh();
@ -348,11 +348,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
}
protected void securedFlush(String... indices) {
if (shieldEnabled) {
if (securityEnabled) {
try {
flush(indices);
} catch (IndexNotFoundException e) {
// with shield we might get that if wildcards were resolved to no indices
// with security we might get that if wildcards were resolved to no indices
}
} else {
flush(indices);
@ -360,11 +360,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
}
protected void securedFlushAndRefresh(String... indices) {
if (shieldEnabled) {
if (securityEnabled) {
try {
flushAndRefresh(indices);
} catch (IndexNotFoundException e) {
// with shield we might get that if wildcards were resolved to no indices
// with security we might get that if wildcards were resolved to no indices
}
} else {
flushAndRefresh(indices);
@ -372,11 +372,11 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
}
protected void securedEnsureGreen(String... indices) {
if (shieldEnabled) {
if (securityEnabled) {
try {
ensureGreen(indices);
} catch (IndexNotFoundException e) {
// with shield we might get that if wildcards were resolved to no indices
// with security we might get that if wildcards were resolved to no indices
}
} else {
ensureGreen(indices);
@ -477,9 +477,9 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
}
}
/** Shield related settings */
/** security related settings */
public static class ShieldSettings {
public static class SecuritySettings {
public static final String TEST_USERNAME = "test";
public static final String TEST_PASSWORD = "changeme";
@ -528,7 +528,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
return;
}
try {
Path folder = createTempDir().resolve("marvel_shield");
Path folder = createTempDir().resolve("marvel_security");
Files.createDirectories(folder);
builder.put("xpack.security.enabled", true)
@ -541,7 +541,7 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
.put("xpack.security.authc.sign_user_header", false)
.put("xpack.security.audit.enabled", auditLogsEnabled);
} catch (IOException ex) {
throw new RuntimeException("failed to build settings for shield", ex);
throw new RuntimeException("failed to build settings for security", ex);
}
}


@ -3,29 +3,29 @@
[partintro]
Elasticsearch and Shield use jUnit for testing, they also use randomness
Elasticsearch and X-Pack use jUnit for testing, they also use randomness
in the tests, that can be set using a seed, please refer to the
Elasticsearch TESTING.asciidoc cheatsheet to know all about it.
Tests are executed with network transport and unicast discovery, as this is
the configuration that's secured by shield.
the configuration that's secured by X-Pack.
== Testing the REST layer
The available integration tests are specific for Shield functionalities
The available integration tests are specific for Security functionalities
and make use of the java API to communicate with the elasticsearch nodes,
using the internal binary transport (port 9300 by default).
Shield is also tested using the REST tests provided by Elasticsearch core,
just by running those same tests against a cluster with Shield installed.
Security is also tested using the REST tests provided by Elasticsearch core,
just by running those same tests against a cluster with X-Pack installed.
The REST tests are run automatically during the integration test phase
(`mvn verify`). Some tests are blacklisted as they are known to fail against
shield due to different behaviours introduced by the security plugin.
(`gradle integTest`). Some tests are blacklisted as they are known to fail against
X-Pack due to different behaviours introduced by the security plugin.
---------------------------------------------------------------------------
mvn verify
gradle integTest
---------------------------------------------------------------------------
`ShieldRestIT` is the executable test class that runs all the
`XPackRestIT` is the executable test class that runs all the
yaml suites available within the `rest-api-spec` folder.


@ -72,7 +72,7 @@ fi
export HOSTNAME=`hostname -s`
# include shield jars in classpath
# include x-pack jars in classpath
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
@ -96,7 +96,7 @@ if [ -e "$CONF_DIR" ]; then
fi
cd "$ES_HOME" > /dev/null
"$JAVA" $ES_JAVA_OPTS -Des.path.home="$ES_HOME" -cp "$ES_CLASSPATH" org.elasticsearch.shield.crypto.tool.SystemKeyTool $properties "{args[@]}"
"$JAVA" $ES_JAVA_OPTS -Des.path.home="$ES_HOME" -cp "$ES_CLASSPATH" org.elasticsearch.xpack.security.crypto.tool.SystemKeyTool $properties "{args[@]}"
status=$?
cd - > /dev/null
exit $status
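Review bot: The last argument on the SystemKeyTool launch line is `"{args[@]}"` with the `$` missing, so the tool receives the literal string `{args[@]}` instead of the arguments the operator passed; the rename carries this over unchanged from the old line. The sibling UsersTool launcher in this commit uses `"${args[@]}"`, and this line should match it: `... SystemKeyTool $properties "${args[@]}"`. For a key-generation tool this presumably means any requested output path or option is silently ignored and a default is used instead. The `args` array is built outside this hunk, so its contents are not visible here.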


@ -5,5 +5,5 @@ rem or more contributor license agreements. Licensed under the Elastic License;
rem you may not use this file except in compliance with the Elastic License.
PUSHD "%~dp0"
CALL "%~dp0.in.bat" org.elasticsearch.shield.crypto.tool.SystemKeyTool %*
CALL "%~dp0.in.bat" org.elasticsearch.xpack.security.crypto.tool.SystemKeyTool %*
POPD


@ -72,7 +72,7 @@ fi
export HOSTNAME=`hostname -s`
# include shield jars in classpath
# include x-pack jars in classpath
ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
# don't let JAVA_TOOL_OPTIONS slip in (e.g. crazy agents in ubuntu)
@ -96,7 +96,7 @@ if [ -e "$CONF_DIR" ]; then
fi
cd "$ES_HOME" > /dev/null
"$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" org.elasticsearch.shield.authc.file.tool.UsersTool "${args[@]}"
"$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" org.elasticsearch.xpack.security.authc.file.tool.UsersTool "${args[@]}"
status=$?
cd - > /dev/null
exit $status


@ -5,5 +5,5 @@ rem or more contributor license agreements. Licensed under the Elastic License;
rem you may not use this file except in compliance with the Elastic License.
PUSHD "%~dp0"
CALL "%~dp0.in.bat" org.elasticsearch.shield.authc.file.tool.UsersTool %*
CALL "%~dp0.in.bat" org.elasticsearch.xpack.security.authc.file.tool.UsersTool %*
POPD


@ -1,8 +1,8 @@
logger:
shield.audit.logfile: INFO, access_log
security.audit.logfile: INFO, access_log
additivity:
shield.audit.logfile: false
security.audit.logfile: false
appender:
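Review bot: The rename of the `shield.audit.logfile` logger key carries no comment for operators who bring a customised logging.yml across the upgrade. If the audit trail's logger name changed in the same way (not visible in this hunk), a file that still uses the old key would presumably stop routing audit events to `access_log` and stop applying `additivity: false`. I would add a comment above the key, `# audit logger; was shield.audit.logfile before the rename, update customised copies`, and repeat it in the migration notes. The appender definition continues outside the hunk.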


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.Action;
@ -15,8 +15,8 @@ import org.elasticsearch.client.Client;
import org.elasticsearch.client.FilterClient;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.AuthenticationService;
import org.elasticsearch.shield.user.XPackUser;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.user.XPackUser;
import java.io.IOException;


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.action.ActionModule;
import org.elasticsearch.common.Booleans;
@ -20,68 +20,68 @@ import org.elasticsearch.common.settings.Setting.Property;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.shield.action.ShieldActionModule;
import org.elasticsearch.shield.action.filter.ShieldActionFilter;
import org.elasticsearch.shield.action.realm.ClearRealmCacheAction;
import org.elasticsearch.shield.action.realm.TransportClearRealmCacheAction;
import org.elasticsearch.shield.action.role.ClearRolesCacheAction;
import org.elasticsearch.shield.action.role.DeleteRoleAction;
import org.elasticsearch.shield.action.role.GetRolesAction;
import org.elasticsearch.shield.action.role.PutRoleAction;
import org.elasticsearch.shield.action.role.TransportClearRolesCacheAction;
import org.elasticsearch.shield.action.role.TransportDeleteRoleAction;
import org.elasticsearch.shield.action.role.TransportGetRolesAction;
import org.elasticsearch.shield.action.role.TransportPutRoleAction;
import org.elasticsearch.shield.action.user.AuthenticateAction;
import org.elasticsearch.shield.action.user.ChangePasswordAction;
import org.elasticsearch.shield.action.user.DeleteUserAction;
import org.elasticsearch.shield.action.user.GetUsersAction;
import org.elasticsearch.shield.action.user.PutUserAction;
import org.elasticsearch.shield.action.user.TransportAuthenticateAction;
import org.elasticsearch.shield.action.user.TransportChangePasswordAction;
import org.elasticsearch.shield.action.user.TransportDeleteUserAction;
import org.elasticsearch.shield.action.user.TransportGetUsersAction;
import org.elasticsearch.shield.action.user.TransportPutUserAction;
import org.elasticsearch.shield.audit.AuditTrailModule;
import org.elasticsearch.shield.audit.index.IndexAuditTrail;
import org.elasticsearch.shield.audit.index.IndexNameResolver;
import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.shield.authc.AuthenticationModule;
import org.elasticsearch.shield.authc.InternalAuthenticationService;
import org.elasticsearch.shield.authc.Realms;
import org.elasticsearch.shield.authc.esnative.NativeUsersStore;
import org.elasticsearch.shield.authc.ldap.support.SessionFactory;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.shield.authz.AuthorizationModule;
import org.elasticsearch.shield.authz.InternalAuthorizationService;
import org.elasticsearch.shield.authz.accesscontrol.OptOutQueryCache;
import org.elasticsearch.shield.authz.accesscontrol.ShieldIndexSearcherWrapper;
import org.elasticsearch.shield.authz.store.FileRolesStore;
import org.elasticsearch.shield.authz.store.NativeRolesStore;
import org.elasticsearch.shield.crypto.CryptoModule;
import org.elasticsearch.shield.crypto.InternalCryptoService;
import org.elasticsearch.shield.rest.ShieldRestModule;
import org.elasticsearch.shield.rest.action.RestAuthenticateAction;
import org.elasticsearch.shield.rest.action.realm.RestClearRealmCacheAction;
import org.elasticsearch.shield.rest.action.role.RestClearRolesCacheAction;
import org.elasticsearch.shield.rest.action.role.RestDeleteRoleAction;
import org.elasticsearch.shield.rest.action.role.RestGetRolesAction;
import org.elasticsearch.shield.rest.action.role.RestPutRoleAction;
import org.elasticsearch.shield.rest.action.user.RestChangePasswordAction;
import org.elasticsearch.shield.rest.action.user.RestDeleteUserAction;
import org.elasticsearch.shield.rest.action.user.RestGetUsersAction;
import org.elasticsearch.shield.rest.action.user.RestPutUserAction;
import org.elasticsearch.shield.ssl.SSLConfiguration;
import org.elasticsearch.shield.ssl.SSLModule;
import org.elasticsearch.shield.support.OptionalSettings;
import org.elasticsearch.shield.transport.ShieldClientTransportService;
import org.elasticsearch.shield.transport.ShieldServerTransportService;
import org.elasticsearch.shield.transport.ShieldTransportModule;
import org.elasticsearch.shield.transport.filter.IPFilter;
import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
import org.elasticsearch.shield.user.AnonymousUser;
import org.elasticsearch.xpack.security.action.SecurityActionModule;
import org.elasticsearch.xpack.security.action.filter.SecurityActionFilter;
import org.elasticsearch.xpack.security.action.realm.ClearRealmCacheAction;
import org.elasticsearch.xpack.security.action.realm.TransportClearRealmCacheAction;
import org.elasticsearch.xpack.security.action.role.ClearRolesCacheAction;
import org.elasticsearch.xpack.security.action.role.DeleteRoleAction;
import org.elasticsearch.xpack.security.action.role.GetRolesAction;
import org.elasticsearch.xpack.security.action.role.PutRoleAction;
import org.elasticsearch.xpack.security.action.role.TransportClearRolesCacheAction;
import org.elasticsearch.xpack.security.action.role.TransportDeleteRoleAction;
import org.elasticsearch.xpack.security.action.role.TransportGetRolesAction;
import org.elasticsearch.xpack.security.action.role.TransportPutRoleAction;
import org.elasticsearch.xpack.security.action.user.AuthenticateAction;
import org.elasticsearch.xpack.security.action.user.ChangePasswordAction;
import org.elasticsearch.xpack.security.action.user.DeleteUserAction;
import org.elasticsearch.xpack.security.action.user.GetUsersAction;
import org.elasticsearch.xpack.security.action.user.PutUserAction;
import org.elasticsearch.xpack.security.action.user.TransportAuthenticateAction;
import org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction;
import org.elasticsearch.xpack.security.action.user.TransportDeleteUserAction;
import org.elasticsearch.xpack.security.action.user.TransportGetUsersAction;
import org.elasticsearch.xpack.security.action.user.TransportPutUserAction;
import org.elasticsearch.xpack.security.audit.AuditTrailModule;
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
import org.elasticsearch.xpack.security.audit.index.IndexNameResolver;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.AuthenticationModule;
import org.elasticsearch.xpack.security.authc.InternalAuthenticationService;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authc.ldap.support.SessionFactory;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.authz.AuthorizationModule;
import org.elasticsearch.xpack.security.authz.InternalAuthorizationService;
import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache;
import org.elasticsearch.xpack.security.authz.accesscontrol.SecurityIndexSearcherWrapper;
import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
import org.elasticsearch.xpack.security.crypto.CryptoModule;
import org.elasticsearch.xpack.security.crypto.InternalCryptoService;
import org.elasticsearch.xpack.security.rest.SecurityRestModule;
import org.elasticsearch.xpack.security.rest.action.RestAuthenticateAction;
import org.elasticsearch.xpack.security.rest.action.realm.RestClearRealmCacheAction;
import org.elasticsearch.xpack.security.rest.action.role.RestClearRolesCacheAction;
import org.elasticsearch.xpack.security.rest.action.role.RestDeleteRoleAction;
import org.elasticsearch.xpack.security.rest.action.role.RestGetRolesAction;
import org.elasticsearch.xpack.security.rest.action.role.RestPutRoleAction;
import org.elasticsearch.xpack.security.rest.action.user.RestChangePasswordAction;
import org.elasticsearch.xpack.security.rest.action.user.RestDeleteUserAction;
import org.elasticsearch.xpack.security.rest.action.user.RestGetUsersAction;
import org.elasticsearch.xpack.security.rest.action.user.RestPutUserAction;
import org.elasticsearch.xpack.security.ssl.SSLConfiguration;
import org.elasticsearch.xpack.security.ssl.SSLModule;
import org.elasticsearch.xpack.security.support.OptionalSettings;
import org.elasticsearch.xpack.security.transport.SecurityClientTransportService;
import org.elasticsearch.xpack.security.transport.SecurityServerTransportService;
import org.elasticsearch.xpack.security.transport.SecurityTransportModule;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.elasticsearch.xpack.security.transport.netty.SecurityNettyHttpServerTransport;
import org.elasticsearch.xpack.security.transport.netty.SecurityNettyTransport;
import org.elasticsearch.xpack.security.user.AnonymousUser;
import org.elasticsearch.xpack.XPackPlugin;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
@ -104,7 +104,6 @@ public class Security {
public static final String NAME = "security";
public static final String DLS_FLS_FEATURE = "security.dls_fls";
public static final String OPT_OUT_QUERY_CACHE = "opt_out_cache";
public static final Setting<Optional<String>> USER_SETTING = OptionalSettings.createString(setting("user"), Property.NodeScope);
private final Settings settings;
@ -129,7 +128,7 @@ public class Security {
return modules;
}
modules.add(new SecurityModule(settings, securityLicenseState));
modules.add(new ShieldTransportModule(settings));
modules.add(new SecurityTransportModule(settings));
modules.add(new SSLModule(settings));
return modules;
}
@ -148,9 +147,9 @@ public class Security {
modules.add(new CryptoModule(settings));
modules.add(new AuthorizationModule(settings));
modules.add(new AuditTrailModule(settings));
modules.add(new ShieldRestModule(settings));
modules.add(new ShieldActionModule(settings));
modules.add(new ShieldTransportModule(settings));
modules.add(new SecurityRestModule(settings));
modules.add(new SecurityActionModule(settings));
modules.add(new SecurityTransportModule(settings));
modules.add(new SSLModule(settings));
return modules;
}
@ -181,7 +180,7 @@ public class Security {
settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME);
settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Security.NAME);
settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Security.NAME);
ShieldNettyHttpServerTransport.overrideSettings(settingsBuilder, settings);
SecurityNettyHttpServerTransport.overrideSettings(settingsBuilder, settings);
addUserSettings(settingsBuilder);
addTribeSettings(settingsBuilder);
return settingsBuilder.build();
@ -197,7 +196,7 @@ public class Security {
SSLConfiguration.Global.addSettings(settingsList);
// transport settings
ShieldNettyTransport.addSettings(settingsList);
SecurityNettyTransport.addSettings(settingsList);
if (transportClientMode) {
return settingsList;
@ -222,7 +221,7 @@ public class Security {
InternalAuthorizationService.addSettings(settingsList);
// HTTP settings
ShieldNettyHttpServerTransport.addSettings(settingsList);
SecurityNettyHttpServerTransport.addSettings(settingsList);
// encryption settings
InternalCryptoService.addSettings(settingsList);
@ -260,13 +259,13 @@ public class Security {
assert securityLicenseState != null;
if (flsDlsEnabled(settings)) {
module.setSearcherWrapper((indexService) -> new ShieldIndexSearcherWrapper(indexService.getIndexSettings(),
module.setSearcherWrapper((indexService) -> new SecurityIndexSearcherWrapper(indexService.getIndexSettings(),
indexService.newQueryShardContext(), indexService.mapperService(),
indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(),
securityLicenseState));
}
if (transportClientMode == false) {
/* We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
/* We need to forcefully overwrite the query cache implementation to use security's opt out query cache implementation.
* This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
* forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
* unauthorized users. */
@ -280,10 +279,10 @@ public class Security {
}
// registering the security filter only for nodes
if (transportClientMode == false) {
module.registerFilter(ShieldActionFilter.class);
module.registerFilter(SecurityActionFilter.class);
}
// registering all shield actions
// registering all security actions
module.registerAction(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class);
module.registerAction(ClearRolesCacheAction.INSTANCE, TransportClearRolesCacheAction.class);
module.registerAction(GetUsersAction.INSTANCE, TransportGetUsersAction.class);
@ -300,15 +299,15 @@ public class Security {
if (transportClientMode) {
if (enabled) {
module.registerTransport(Security.NAME, ShieldNettyTransport.class);
module.registerTransportService(Security.NAME, ShieldClientTransportService.class);
module.registerTransport(Security.NAME, SecurityNettyTransport.class);
module.registerTransportService(Security.NAME, SecurityClientTransportService.class);
}
return;
}
if (enabled) {
module.registerTransport(Security.NAME, ShieldNettyTransport.class);
module.registerTransportService(Security.NAME, ShieldServerTransportService.class);
module.registerTransport(Security.NAME, SecurityNettyTransport.class);
module.registerTransportService(Security.NAME, SecurityServerTransportService.class);
module.registerRestHandler(RestAuthenticateAction.class);
module.registerRestHandler(RestClearRealmCacheAction.class);
module.registerRestHandler(RestClearRolesCacheAction.class);
@ -319,7 +318,7 @@ public class Security {
module.registerRestHandler(RestPutRoleAction.class);
module.registerRestHandler(RestDeleteRoleAction.class);
module.registerRestHandler(RestChangePasswordAction.class);
module.registerHttpTransport(Security.NAME, ShieldNettyHttpServerTransport.class);
module.registerHttpTransport(Security.NAME, SecurityNettyHttpServerTransport.class);
}
}
@ -344,12 +343,12 @@ public class Security {
/**
* If the current node is a tribe node, we inject additional settings on each tribe client. We do this to make sure
* that every tribe cluster has shield installed and is enabled. We do that by:
* that every tribe cluster has x-pack installed and security is enabled. We do that by:
*
* - making it mandatory on the tribe client (this means that the tribe node will fail at startup if shield is
* - making it mandatory on the tribe client (this means that the tribe node will fail at startup if x-pack is
* not loaded on any tribe due to missing mandatory plugin)
*
* - forcibly enabling it (that means it's not possible to disable shield on the tribe clients)
* - forcibly enabling it (that means it's not possible to disable security on the tribe clients)
*/
private void addTribeSettings(Settings.Builder settingsBuilder) {
Map<String, Settings> tribesSettings = settings.getGroups("tribe", true);
@ -366,7 +365,7 @@ public class Security {
// otherwise (arrays don't get merged)
String[] existingMandatoryPlugins = tribeSettings.getValue().getAsArray("plugin.mandatory", null);
if (existingMandatoryPlugins == null) {
//shield is mandatory on every tribe if installed and enabled on the tribe node
//x-pack is mandatory on every tribe if installed and enabled on the tribe node
settingsBuilder.putArray(tribePrefix + "plugin.mandatory", XPackPlugin.NAME);
} else {
if (Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME) < 0) {
@ -383,11 +382,11 @@ public class Security {
+ settings.get(tribeEnabledSetting) + "]");
}
} else {
//shield must be enabled on every tribe if it's enabled on the tribe node
//x-pack security must be enabled on every tribe if it's enabled on the tribe node
settingsBuilder.put(tribeEnabledSetting, true);
}
// we passed all the checks now we need to copy in all of the shield settings
// we passed all the checks now we need to copy in all of the x-pack security settings
for (Map.Entry<String, String> entry : settingsMap.entrySet()) {
String key = entry.getKey();
if (key.startsWith("xpack.security.")) {
@ -433,7 +432,7 @@ public class Security {
final String auditIndex = indexAuditingEnabled ? "," + IndexAuditTrail.INDEX_NAME_PREFIX + "*" : "";
String errorMessage = LoggerMessageFormat.format("the [action.auto_create_index] setting value [{}] is too" +
" restrictive. disable [action.auto_create_index] or set it to " +
"[{}{}]", (Object) value, ShieldTemplateService.SECURITY_INDEX_NAME, auditIndex);
"[{}{}]", (Object) value, SecurityTemplateService.SECURITY_INDEX_NAME, auditIndex);
if (Booleans.isExplicitFalse(value)) {
throw new IllegalArgumentException(errorMessage);
}
@ -444,7 +443,7 @@ public class Security {
String[] matches = Strings.commaDelimitedListToStringArray(value);
List<String> indices = new ArrayList<>();
indices.add(ShieldTemplateService.SECURITY_INDEX_NAME);
indices.add(SecurityTemplateService.SECURITY_INDEX_NAME);
if (indexAuditingEnabled) {
DateTime now = new DateTime(DateTimeZone.UTC);
// just use daily rollover
@ -487,7 +486,7 @@ public class Security {
logger.warn("the [action.auto_create_index] setting is configured to be restrictive [{}]. " +
" for the next 6 months audit indices are allowed to be created, but please make sure" +
" that any future history indices after 6 months with the pattern " +
"[.shield_audit_log*] are allowed to be created", value);
"[.security_audit_log*] are allowed to be created", value);
}
}
}
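Review bot: In `addTribeSettings`, the `plugin.mandatory` check calls `Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME)` on the array exactly as `getAsArray` returned it, with no sort between the read and the search. `binarySearch` is only defined for sorted input, so with a list in configuration order it can report x-pack as absent when it is present, and the outcome of this enforcement check then depends on how the operator ordered the list. A linear membership test avoids that: `if (Arrays.asList(existingMandatoryPlugins).contains(XPackPlugin.NAME) == false) {`. The method body continues outside the hunk, so what the failing branch does is not visible here.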


@ -3,14 +3,14 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.shield.authc.Authentication;
import org.elasticsearch.shield.authc.AuthenticationService;
import org.elasticsearch.shield.user.User;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.threadpool.ThreadPool;
import java.io.IOException;


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.inject.Inject;
@ -13,9 +13,9 @@ import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.shield.authc.Realm;
import org.elasticsearch.shield.authc.Realms;
import org.elasticsearch.shield.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.authc.Realm;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.XPackFeatureSet;
import java.io.IOException;


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.license.core.License.OperationMode;
import org.elasticsearch.license.plugin.core.LicenseState;
@ -11,7 +11,7 @@ import org.elasticsearch.license.plugin.core.Licensee.Status;
/**
* This class serves to decouple shield code that needs to check the license state from the {@link SecurityLicensee} as the
* This class serves to decouple security code that needs to check the license state from the {@link SecurityLicensee} as the
* tight coupling causes issues with guice injection and circular dependencies
*/
public class SecurityLicenseState {


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.Strings;
@ -20,19 +20,19 @@ import org.elasticsearch.license.plugin.core.LicenseeRegistry;
public class SecurityLicensee extends AbstractLicenseeComponent<SecurityLicensee> implements Licensee {
private final boolean isTribeNode;
private final SecurityLicenseState shieldLicenseState;
private final SecurityLicenseState securityLicenseState;
@Inject
public SecurityLicensee(Settings settings, LicenseeRegistry clientService, SecurityLicenseState shieldLicenseState) {
public SecurityLicensee(Settings settings, LicenseeRegistry clientService, SecurityLicenseState securityLicenseState) {
super(settings, Security.NAME, clientService);
this.shieldLicenseState = shieldLicenseState;
this.securityLicenseState = securityLicenseState;
this.isTribeNode = settings.getGroups("tribe", true).isEmpty() == false;
}
@Override
public void onChange(Status status) {
super.onChange(status);
shieldLicenseState.updateStatus(status);
securityLicenseState.updateStatus(status);
}
@Override


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.service.ClusterService;
@ -14,10 +14,10 @@ import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.inject.Provider;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.shield.audit.AuditTrailModule;
import org.elasticsearch.shield.audit.index.IndexAuditTrail;
import org.elasticsearch.shield.authc.esnative.NativeUsersStore;
import org.elasticsearch.shield.authz.store.NativeRolesStore;
import org.elasticsearch.xpack.security.audit.AuditTrailModule;
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
import org.elasticsearch.threadpool.ThreadPool;
/**
@ -31,7 +31,7 @@ import org.elasticsearch.threadpool.ThreadPool;
* successful. This lifecycle service allows for this to happen by listening for {@link ClusterChangedEvent} and checking
* if the services can start. Additionally, the service also provides hooks for stop and close functionality.
*/
public class ShieldLifecycleService extends AbstractComponent implements ClusterStateListener {
public class SecurityLifecycleService extends AbstractComponent implements ClusterStateListener {
private final Settings settings;
private final ThreadPool threadPool;
@ -40,7 +40,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
private final NativeRolesStore nativeRolesStore;
@Inject
public ShieldLifecycleService(Settings settings, ClusterService clusterService, ThreadPool threadPool,
public SecurityLifecycleService(Settings settings, ClusterService clusterService, ThreadPool threadPool,
IndexAuditTrail indexAuditTrail, NativeUsersStore nativeUserStore,
NativeRolesStore nativeRolesStore, Provider<InternalClient> clientProvider) {
super(settings);
@ -54,7 +54,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
clusterService.add(this);
clusterService.add(nativeUserStore);
clusterService.add(nativeRolesStore);
clusterService.add(new ShieldTemplateService(settings, clusterService, clientProvider, threadPool));
clusterService.add(new SecurityTemplateService(settings, clusterService, clientProvider, threadPool));
clusterService.addLifecycleListener(new LifecycleListener() {
@Override
@ -78,7 +78,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
@Override
public void onFailure(Throwable throwable) {
logger.error("failed to start native user store service", throwable);
assert false : "shield lifecycle services startup failed";
assert false : "security lifecycle services startup failed";
}
@Override
@ -97,7 +97,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
@Override
public void onFailure(Throwable throwable) {
logger.error("failed to start native roles store services", throwable);
assert false : "shield lifecycle services startup failed";
assert false : "security lifecycle services startup failed";
}
@Override
@ -119,7 +119,7 @@ public class ShieldLifecycleService extends AbstractComponent implements Cluster
@Override
public void onFailure(Throwable throwable) {
logger.error("failed to start index audit trail services", throwable);
assert false : "shield lifecycle services startup failed";
assert false : "security lifecycle services startup failed";
}
@Override
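Review bot: The three `onFailure` handlers touched in this file (native user store, native roles store, index audit trail) all end in `assert false : "security lifecycle services startup failed";`, which only fires when the JVM runs with assertions enabled. Without `-ea`, a failed start of the index audit trail or of a native store leaves a single error log line, and nothing visible in these hunks signals that auditing or native authentication is not running. At minimum I would say so above each handler, e.g. `// assertions are normally disabled in production: this failure is only logged and the node keeps running`. The enclosing runnables start and end outside the hunks, so any retry or state tracking there cannot be judged from this page.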


@ -3,17 +3,17 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.common.inject.util.Providers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.support.AbstractShieldModule;
import org.elasticsearch.xpack.security.support.AbstractSecurityModule;
import org.elasticsearch.xpack.XPackPlugin;
/**
*
*/
public class SecurityModule extends AbstractShieldModule {
public class SecurityModule extends AbstractSecurityModule {
private final SecurityLicenseState securityLicenseState;
@ -36,10 +36,10 @@ public class SecurityModule extends AbstractShieldModule {
XPackPlugin.bindFeatureSet(binder(), SecurityFeatureSet.class);
if (shieldEnabled) {
if (securityEnabled) {
bind(SecurityContext.Secure.class).asEagerSingleton();
bind(SecurityContext.class).to(SecurityContext.Secure.class);
bind(ShieldLifecycleService.class).asEagerSingleton();
bind(SecurityLifecycleService.class).asEagerSingleton();
bind(InternalClient.Secure.class).asEagerSingleton();
bind(InternalClient.class).to(InternalClient.Secure.class);
} else {


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield;
package org.elasticsearch.xpack.security;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
@ -28,10 +28,10 @@ import java.io.InputStream;
import java.util.concurrent.atomic.AtomicBoolean;
/**
* ShieldTemplateService is responsible for adding the template needed for the
* SecurityTemplateService is responsible for adding the template needed for the
* {@code .security} administrative index.
*/
public class ShieldTemplateService extends AbstractComponent implements ClusterStateListener {
public class SecurityTemplateService extends AbstractComponent implements ClusterStateListener {
public static final String SECURITY_INDEX_NAME = ".security";
public static final String SECURITY_TEMPLATE_NAME = "security-index-template";
@ -40,7 +40,7 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
private final Provider<InternalClient> clientProvider;
private final AtomicBoolean templateCreationPending = new AtomicBoolean(false);
public ShieldTemplateService(Settings settings, ClusterService clusterService,
public SecurityTemplateService(Settings settings, ClusterService clusterService,
Provider<InternalClient> clientProvider, ThreadPool threadPool) {
super(settings);
this.threadPool = threadPool;
@ -48,23 +48,23 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
clusterService.add(this);
}
private void createShieldTemplate() {
private void createSecurityTemplate() {
final Client client = clientProvider.get();
try (InputStream is = getClass().getResourceAsStream("/" + SECURITY_TEMPLATE_NAME + ".json")) {
ByteArrayOutputStream out = new ByteArrayOutputStream();
Streams.copy(is, out);
final byte[] template = out.toByteArray();
logger.debug("putting the shield index template");
logger.debug("putting the security index template");
PutIndexTemplateRequest putTemplateRequest = client.admin().indices()
.preparePutTemplate(SECURITY_TEMPLATE_NAME).setSource(template).request();
PutIndexTemplateResponse templateResponse = client.admin().indices().putTemplate(putTemplateRequest).get();
if (templateResponse.isAcknowledged() == false) {
throw new ElasticsearchException("adding template for shield admin index was not acknowledged");
throw new ElasticsearchException("adding template for security index was not acknowledged");
}
} catch (Exception e) {
logger.error("failed to create shield admin index template [{}]",
logger.error("failed to create security index template [{}]",
e, SECURITY_INDEX_NAME);
throw new IllegalStateException("failed to create shield admin index template [" +
throw new IllegalStateException("failed to create security index template [" +
SECURITY_INDEX_NAME + "]", e);
}
}
@ -72,15 +72,15 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
@Override
public void clusterChanged(ClusterChangedEvent event) {
if (event.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
// wait until the gateway has recovered from disk, otherwise we think may not have .shield-audit-
// wait until the gateway has recovered from disk, otherwise we think may not have .security-audit-
// but they may not have been restored from the cluster state on disk
logger.debug("template service waiting until state has been recovered");
return;
}
IndexRoutingTable shieldIndexRouting = event.state().routingTable().index(SECURITY_INDEX_NAME);
IndexRoutingTable securityIndexRouting = event.state().routingTable().index(SECURITY_INDEX_NAME);
if (shieldIndexRouting == null) {
if (securityIndexRouting == null) {
if (event.localNodeMaster()) {
ClusterState state = event.state();
// TODO for the future need to add some checking in the event the template needs to be updated...
@ -91,14 +91,14 @@ public class ShieldTemplateService extends AbstractComponent implements ClusterS
threadPool.generic().execute(new AbstractRunnable() {
@Override
public void onFailure(Throwable t) {
logger.warn("failed to create shield admin template", t);
logger.warn("failed to create security index template", t);
templateCreationPending.set(false);
}
@Override
protected void doRun() throws Exception {
if (createTemplate) {
createShieldTemplate();
createSecurityTemplate();
}
templateCreationPending.set(false);
}
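Review bot: The renamed comment in `clusterChanged` now names a `.security-audit-` index, but the code directly below it looks up `SECURITY_INDEX_NAME` (`.security`), so the comment seems to have been carried over from the audit trail and the mechanical rename leaves it describing something this listener never checks. I would reword it to match the code: `// wait until the gateway has recovered from disk; before that the .security index may exist on disk but not yet appear in the cluster state`. In `createSecurityTemplate`, the `logger.error` text says "index template [{}]" but fills the placeholder with `SECURITY_INDEX_NAME` rather than `SECURITY_TEMPLATE_NAME`, and the `IllegalStateException` message has the same mix-up. Anyone searching the logs for the template name after a failed bootstrap of the security index will not find it.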


@ -3,7 +3,7 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield.action;
package org.elasticsearch.xpack.security.action;
import org.elasticsearch.action.admin.indices.analyze.AnalyzeAction;
import org.elasticsearch.action.admin.indices.analyze.AnalyzeRequest;
@ -12,18 +12,18 @@ import org.elasticsearch.action.search.ClearScrollRequest;
import org.elasticsearch.transport.TransportRequest;
/**
* This class analyzes an incoming request and its action name, and returns the shield action name for it.
* This class analyzes an incoming request and its action name, and returns the security action name for it.
* In many cases the action name is the same as the original one used in es core, but in some exceptional cases it might need
* to be converted. For instance a clear_scroll that targets all opened scrolls gets converted to a different action that requires
* cluster privileges instead of the default indices privileges, still valid for clear scrolls that target specific scroll ids.
*/
public class ShieldActionMapper {
public class SecurityActionMapper {
static final String CLUSTER_PERMISSION_SCROLL_CLEAR_ALL_NAME = "cluster:admin/indices/scroll/clear_all";
static final String CLUSTER_PERMISSION_ANALYZE = "cluster:admin/analyze";
/**
* Returns the shield specific action name given the incoming action name and request
* Returns the security specific action name given the incoming action name and request
*/
public String action(String action, TransportRequest request) {
switch (action) {
