Marvel: Reimplement SecuredClient

closes elastic/elasticsearch#1150

Update after Uri's review

Original commit: elastic/x-pack-elasticsearch@2526dc9da1
Tanguy Leroux 2015-12-21 13:35:43 +01:00
parent 2655db3d72
commit cc0933733c
3 changed files with 90 additions and 1397 deletions


@ -5,6 +5,7 @@
*/
package org.elasticsearch.marvel.agent.exporter;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.ClusterService;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.settings.ClusterSettings;
@ -14,6 +15,7 @@ import org.elasticsearch.marvel.agent.exporter.local.LocalExporter;
import org.elasticsearch.marvel.agent.renderer.RendererRegistry;
import org.elasticsearch.marvel.agent.settings.MarvelSettings;
import org.elasticsearch.marvel.shield.MarvelSettingsFilter;
import org.elasticsearch.marvel.shield.MarvelShieldIntegration;
import org.elasticsearch.marvel.shield.SecuredClient;
import org.elasticsearch.test.ESTestCase;
import org.junit.Before;
@ -52,12 +54,12 @@ public class ExportersTests extends ESTestCase {
public void init() throws Exception {
factories = new HashMap<>();
SecuredClient securedClient = mock(SecuredClient.class);
when(securedClient.settings()).thenReturn(Settings.EMPTY);
Client client = mock(Client.class);
when(client.settings()).thenReturn(Settings.EMPTY);
clusterService = mock(ClusterService.class);
// we always need to have the local exporter as it serves as the default one
factories.put(LocalExporter.TYPE, new LocalExporter.Factory(securedClient, clusterService, mock(RendererRegistry.class)));
factories.put(LocalExporter.TYPE, new LocalExporter.Factory(new SecuredClient(client, mock(MarvelShieldIntegration.class)), clusterService, mock(RendererRegistry.class)));
clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(MarvelSettings.COLLECTORS_SETTING, MarvelSettings.INTERVAL_SETTING, Exporters.EXPORTERS_SETTING)));
settingsFilter = mock(MarvelSettingsFilter.class);
exporters = new Exporters(Settings.EMPTY, factories, settingsFilter, clusterService, clusterSettings);


@ -0,0 +1,78 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.marvel.shield;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequestBuilder;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.marvel.agent.exporter.MarvelTemplateUtils;
import org.elasticsearch.marvel.agent.settings.MarvelSettings;
import org.elasticsearch.marvel.test.MarvelIntegTestCase;
import org.elasticsearch.rest.RestStatus;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.hamcrest.Matchers.is;
public class SecuredClientTests extends MarvelIntegTestCase {
public void testAllowedAccess() {
SecuredClient securedClient = internalCluster().getInstance(SecuredClient.class);
assertAccessIsAllowed(securedClient.admin().cluster().prepareHealth());
assertAccessIsAllowed(securedClient.admin().cluster().prepareClusterStats());
assertAccessIsAllowed(securedClient.admin().cluster().prepareState());
assertAccessIsAllowed(securedClient.admin().cluster().prepareNodesInfo());
assertAccessIsAllowed(securedClient.admin().cluster().prepareNodesStats());
assertAccessIsAllowed(securedClient.admin().cluster().prepareNodesHotThreads());
assertAccessIsAllowed(securedClient.admin().indices().prepareGetSettings());
assertAccessIsAllowed(securedClient.admin().indices().prepareSegments());
assertAccessIsAllowed(securedClient.admin().indices().prepareRecoveries());
assertAccessIsAllowed(securedClient.admin().indices().prepareStats());
assertAccessIsAllowed(securedClient.admin().indices().prepareDelete(MarvelSettings.MARVEL_INDICES_PREFIX));
assertAccessIsAllowed(securedClient.admin().indices().prepareCreate(MarvelSettings.MARVEL_INDICES_PREFIX + "test"));
assertAccessIsAllowed(securedClient.admin().indices().preparePutTemplate("foo").setSource(MarvelTemplateUtils.loadDefaultTemplate()));
assertAccessIsAllowed(securedClient.admin().indices().prepareGetTemplates("foo"));
}
public void testDeniedAccess() {
SecuredClient securedClient = internalCluster().getInstance(SecuredClient.class);
assertAcked(securedClient.admin().indices().preparePutTemplate("foo").setSource(MarvelTemplateUtils.loadDefaultTemplate()).get());
if (shieldEnabled) {
assertAccessIsDenied(securedClient.admin().indices().prepareDeleteTemplate("foo"));
assertAccessIsDenied(securedClient.admin().cluster().prepareGetRepositories());
} else {
assertAccessIsAllowed(securedClient.admin().indices().prepareDeleteTemplate("foo"));
assertAccessIsAllowed(securedClient.admin().cluster().prepareGetRepositories());
}
}
public void assertAccessIsAllowed(ActionRequestBuilder request) {
try {
request.get();
} catch (IndexNotFoundException e) {
// Ok
} catch (ElasticsearchSecurityException e) {
fail("unexpected security exception: " + e.getMessage());
}
}
public void assertAccessIsDenied(ActionRequestBuilder request) {
try {
request.get();
fail("expected a security exception");
} catch (IndexNotFoundException e) {
// Ok
} catch (ElasticsearchSecurityException e) {
// expected
assertThat(e.status(), is(RestStatus.FORBIDDEN));
}
}
}
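Review bot: `assertAccessIsDenied` treats `IndexNotFoundException` as a pass, so a request that gets through authorization and then fails on a missing index satisfies a check that is meant to prove the request was rejected. Neither builder passed to it in `testDeniedAccess` (`prepareDeleteTemplate("foo")`, `prepareGetRepositories()`) targets an index, so the `catch (IndexNotFoundException e) { // Ok }` branch can be dropped from this helper, leaving `ElasticsearchSecurityException` with `RestStatus.FORBIDDEN` as the only accepted outcome. After the denied `prepareDeleteTemplate("foo")` it would also help to assert that `prepareGetTemplates("foo")` still returns the template, which would confirm the request was refused before the action ran.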