From 7f5349db5710f4053376f429c7b50372a291dac5 Mon Sep 17 00:00:00 2001 From: Jason Tedor Date: Fri, 5 Feb 2016 10:33:56 -0500 Subject: [PATCH 1/8] Avoid cloning Mac instances This commit modifies the HmacSHA1Provider to return a thread local instance of Mac instead of using clone since some providers do not support clone. Closes elastic/elasticsearch#1468 Original commit: elastic/x-pack-elasticsearch@cb38f5f9e8a7ba9767adcc0ab66e08e54507e30f --- .../shield/crypto/InternalCryptoService.java | 25 ++++++++----------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java index bc2e54195fa..22b9ac6b0b9 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java @@ -564,30 +564,25 @@ public class InternalCryptoService extends AbstractLifecycleComponent MAC = ThreadLocal.withInitial(() -> { try { - mac = Mac.getInstance(HMAC_ALGO); + return Mac.getInstance(HMAC_ALGO); } catch (NoSuchAlgorithmException e) { - throw new IllegalStateException("could not create message authentication code instance with algorithm [HmacSHA1]", e); + throw new IllegalStateException("could not create Mac instance with algorithm [" + HMAC_ALGO + "]", e); } - } + }); private static Mac hmacSHA1() { - try { - Mac hmac = (Mac) mac.clone(); - hmac.reset(); - return hmac; - } catch (CloneNotSupportedException e) { - throw new IllegalStateException("could not create [HmacSHA1] MAC", e); - } + Mac instance = MAC.get(); + instance.reset(); + return instance; } + } /** From aa2eb15f318a7bc83de0c6dd6f2d11a0cceb2e52 Mon Sep 17 00:00:00 2001 From: jaymode Date: Fri, 29 Jan 2016 10:11:23 -0500 Subject: [PATCH 2/8] fixes to allow bad apple tests to pass This commit fixes the bad apple tests that failed when running them. The IndexAuditTrailEnabledTest was removed and the test was folded into the IndexAuditIT. Some watcher tests that relied on mustache were moved into the QA tests with the mustache plugin. Additionally, fixing these tests uncovered a issue with the privileges needed for writing data into an index. If the mappings need to be updated because of a write, then the update mapping action gets executed. In 2.x this was handled by the system user, but now is executed under the user's context, which is the correct thing to do. The update mapping action is now added to the read, index, crud, and write privileges for an index. Original commit: elastic/x-pack-elasticsearch@30711f962528d492d157fa61adbfccd9a7a90115 --- .../messy/tests}/NoMasterNodeTests.java | 26 ++++- .../messy/tests}/WatchAckTests.java | 27 ++++- .../shield/audit/IndexAuditIT.java | 33 ++++++ .../authz/privilege/IndexPrivilege.java | 14 ++- .../authz/privilege/SystemPrivilege.java | 3 +- .../integration/IndexPrivilegeTests.java | 40 +++---- .../PermissionPrecedenceTests.java | 3 - .../index/IndexAuditTrailEnabledTests.java | 108 ------------------ .../audit/index/IndexAuditTrailTests.java | 3 +- .../CachingUsernamePasswordRealmTests.java | 13 +-- .../authz/privilege/PrivilegeTests.java | 2 +- 11 files changed, 118 insertions(+), 154 deletions(-) rename elasticsearch/{x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration => qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests}/NoMasterNodeTests.java (93%) rename elasticsearch/{x-pack/watcher/src/test/java/org/elasticsearch/watcher/transport/action/ack => qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests}/WatchAckTests.java (94%) delete mode 100644 elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailEnabledTests.java diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/NoMasterNodeTests.java b/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/NoMasterNodeTests.java similarity index 93% rename from elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/NoMasterNodeTests.java rename to elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/NoMasterNodeTests.java index 3cb1b740101..09d6d6f471c 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/NoMasterNodeTests.java +++ b/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/NoMasterNodeTests.java @@ -3,7 +3,7 @@ * or more contributor license agreements. Licensed under the Elastic License; * you may not use this file except in compliance with the Elastic License. */ -package org.elasticsearch.watcher.test.integration; +package org.elasticsearch.messy.tests; import org.apache.lucene.util.LuceneTestCase.BadApple; import org.elasticsearch.ExceptionsHelper; @@ -18,6 +18,9 @@ import org.elasticsearch.discovery.zen.elect.ElectMasterService; import org.elasticsearch.discovery.zen.ping.ZenPing; import org.elasticsearch.discovery.zen.ping.ZenPingService; import org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing; +import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.script.MockMustacheScriptEngine; +import org.elasticsearch.script.mustache.MustachePlugin; import org.elasticsearch.test.ESIntegTestCase.ClusterScope; import org.elasticsearch.test.ESIntegTestCase.SuppressLocalMode; import org.elasticsearch.test.discovery.ClusterDiscoveryConfiguration; @@ -33,6 +36,10 @@ import org.elasticsearch.watcher.test.WatcherTestUtils; import org.elasticsearch.watcher.transport.actions.delete.DeleteWatchResponse; import org.elasticsearch.watcher.transport.actions.stats.WatcherStatsResponse; +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashSet; +import java.util.Set; import java.util.concurrent.TimeUnit; import static org.elasticsearch.index.query.QueryBuilders.termQuery; @@ -81,6 +88,23 @@ public class NoMasterNodeTests extends AbstractWatcherIntegrationTestCase { .build(); } + @Override + protected Collection> nodePlugins() { + Collection> types = new ArrayList<>(); + types.addAll(super.nodePlugins()); + // TODO remove dependency on mustache + types.add(MustachePlugin.class); + return types; + } + + @Override + protected Collection> getMockPlugins() { + Set> plugins = new HashSet<>(super.getMockPlugins()); + // remove the mock because we use mustache here... + plugins.remove(MockMustacheScriptEngine.TestPlugin.class); + return plugins; + } + public void testSimpleFailure() throws Exception { // we need 3 hosts here because we stop the master and start another - it doesn't restart the pre-existing node... config = new ClusterDiscoveryConfiguration.UnicastZen(3, Settings.EMPTY); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/transport/action/ack/WatchAckTests.java b/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/WatchAckTests.java similarity index 94% rename from elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/transport/action/ack/WatchAckTests.java rename to elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/WatchAckTests.java index 7959394b23b..c8bdb8c3510 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/transport/action/ack/WatchAckTests.java +++ b/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/WatchAckTests.java @@ -3,7 +3,7 @@ * or more contributor license agreements. Licensed under the Elastic License; * you may not use this file except in compliance with the Elastic License. */ -package org.elasticsearch.watcher.transport.action.ack; +package org.elasticsearch.messy.tests; import org.apache.lucene.util.LuceneTestCase.BadApple; @@ -13,6 +13,9 @@ import org.elasticsearch.action.get.GetRequest; import org.elasticsearch.action.get.GetResponse; import org.elasticsearch.action.index.IndexResponse; import org.elasticsearch.common.unit.TimeValue; +import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.script.MockMustacheScriptEngine; +import org.elasticsearch.script.mustache.MustachePlugin; import org.elasticsearch.watcher.actions.ActionStatus; import org.elasticsearch.watcher.client.WatcherClient; import org.elasticsearch.watcher.condition.compare.CompareCondition; @@ -29,6 +32,10 @@ import org.elasticsearch.watcher.watch.Watch; import org.elasticsearch.watcher.watch.WatchStore; import org.hamcrest.Matchers; +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashSet; +import java.util.Set; import java.util.concurrent.TimeUnit; import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery; @@ -52,6 +59,24 @@ import static org.hamcrest.core.IsEqual.equalTo; //test is just too slow, please fix it to not be sleep-based @BadApple(bugUrl = "https://github.com/elastic/x-plugins/issues/1007") public class WatchAckTests extends AbstractWatcherIntegrationTestCase { + + @Override + protected Collection> nodePlugins() { + Collection> types = new ArrayList<>(); + types.addAll(super.nodePlugins()); + // TODO remove dependency on mustache + types.add(MustachePlugin.class); + return types; + } + + @Override + protected Collection> getMockPlugins() { + Set> plugins = new HashSet<>(super.getMockPlugins()); + // remove the mock because we use mustache here... + plugins.remove(MockMustacheScriptEngine.TestPlugin.class); + return plugins; + } + private IndexResponse indexTestDoc() { createIndex("actions", "events"); ensureGreen("actions", "events"); diff --git a/elasticsearch/qa/shield-audit-tests/src/test/java/org/elasticsearch/shield/audit/IndexAuditIT.java b/elasticsearch/qa/shield-audit-tests/src/test/java/org/elasticsearch/shield/audit/IndexAuditIT.java index d0b8db46ad0..421460e91f8 100644 --- a/elasticsearch/qa/shield-audit-tests/src/test/java/org/elasticsearch/shield/audit/IndexAuditIT.java +++ b/elasticsearch/qa/shield-audit-tests/src/test/java/org/elasticsearch/shield/audit/IndexAuditIT.java @@ -5,10 +5,14 @@ */ package org.elasticsearch.shield.audit; +import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateResponse; +import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse; import org.elasticsearch.action.search.SearchResponse; +import org.elasticsearch.cluster.metadata.IndexTemplateMetaData; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.index.query.QueryBuilders; import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.shield.audit.index.IndexAuditTrail; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.test.ESIntegTestCase; @@ -49,6 +53,35 @@ public class IndexAuditIT extends ESIntegTestCase { assertThat((String) searchResponse.getHits().getAt(0).sourceAsMap().get("principal"), is(USER)); } + public void testAuditTrailTemplateIsRecreatedAfterDelete() throws Exception { + // this is already "tested" by the test framework since we wipe the templates before and after, + // but lets be explicit about the behavior + awaitIndexTemplateCreation(); + + // delete the template + DeleteIndexTemplateResponse deleteResponse = client().admin().indices() + .prepareDeleteTemplate(IndexAuditTrail.INDEX_TEMPLATE_NAME).execute().actionGet(); + assertThat(deleteResponse.isAcknowledged(), is(true)); + awaitIndexTemplateCreation(); + } + + private void awaitIndexTemplateCreation() throws InterruptedException { + boolean found = awaitBusy(() -> { + GetIndexTemplatesResponse response = client().admin().indices() + .prepareGetTemplates(IndexAuditTrail.INDEX_TEMPLATE_NAME).execute().actionGet(); + if (response.getIndexTemplates().size() > 0) { + for (IndexTemplateMetaData indexTemplateMetaData : response.getIndexTemplates()) { + if (IndexAuditTrail.INDEX_TEMPLATE_NAME.equals(indexTemplateMetaData.name())) { + return true; + } + } + } + return false; + }); + + assertThat("index template [" + IndexAuditTrail.INDEX_TEMPLATE_NAME + "] was not created", found, is(true)); + } + @Override protected Settings externalClusterClientSettings() { return Settings.builder() diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java index 34a9f1e8db0..cc56750d29a 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java @@ -32,16 +32,18 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege { public static final IndexPrivilege CREATE_INDEX = new IndexPrivilege("create_index", CreateIndexAction.NAME); public static final IndexPrivilege MANAGE_ALIASES = new IndexPrivilege("manage_aliases", "indices:admin/aliases*"); public static final IndexPrivilege MONITOR = new IndexPrivilege("monitor", "indices:monitor/*"); - public static final IndexPrivilege DATA_ACCESS = new IndexPrivilege("data_access", "indices:data/*"); - public static final IndexPrivilege CRUD = new IndexPrivilege("crud", "indices:data/write/*", "indices:data/read/*"); + public static final IndexPrivilege DATA_ACCESS = new IndexPrivilege("data_access", "indices:data/*", "indices:admin/mapping/put"); + public static final IndexPrivilege CRUD = + new IndexPrivilege("crud", "indices:data/write/*", "indices:data/read/*", "indices:admin/mapping/put"); public static final IndexPrivilege READ = new IndexPrivilege("read", "indices:data/read/*"); - public static final IndexPrivilege SEARCH = new IndexPrivilege("search", SearchAction.NAME + "*", MultiSearchAction.NAME + "*", - SuggestAction.NAME + "*"); + public static final IndexPrivilege SEARCH = + new IndexPrivilege("search", SearchAction.NAME + "*", MultiSearchAction.NAME + "*", SuggestAction.NAME + "*"); public static final IndexPrivilege GET = new IndexPrivilege("get", GetAction.NAME + "*", MultiGetAction.NAME + "*"); public static final IndexPrivilege SUGGEST = new IndexPrivilege("suggest", SuggestAction.NAME + "*"); - public static final IndexPrivilege INDEX = new IndexPrivilege("index", "indices:data/write/index*", "indices:data/write/update*"); + public static final IndexPrivilege INDEX = + new IndexPrivilege("index", "indices:data/write/index*", "indices:data/write/update*", "indices:admin/mapping/put"); public static final IndexPrivilege DELETE = new IndexPrivilege("delete", "indices:data/write/delete*"); - public static final IndexPrivilege WRITE = new IndexPrivilege("write", "indices:data/write/*"); + public static final IndexPrivilege WRITE = new IndexPrivilege("write", "indices:data/write/*", "indices:admin/mapping/put"); private static final Set values = new CopyOnWriteArraySet<>(); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/SystemPrivilege.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/SystemPrivilege.java index 1e70e1aa344..a8ae1c7fc9e 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/SystemPrivilege.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/SystemPrivilege.java @@ -22,8 +22,7 @@ public class SystemPrivilege extends Privilege { "internal:*", "indices:monitor/*", // added for marvel "cluster:monitor/*", // added for marvel - "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener - "indices:admin/mapping/put" // ES 2.0 MappingUpdatedAction - updateMappingOnMasterSynchronously + "cluster:admin/reroute" // added for DiskThresholdDecider.DiskListener )); SystemPrivilege() { diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java index 40390f27b4d..168328f4d19 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndexPrivilegeTests.java @@ -8,10 +8,11 @@ package org.elasticsearch.integration; import org.apache.lucene.util.LuceneTestCase.BadApple; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.node.Node; +import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.rest.client.http.HttpResponse; import org.junit.Before; +import java.util.Collections; import java.util.HashMap; import java.util.Locale; import java.util.Map; @@ -21,6 +22,7 @@ import static org.hamcrest.Matchers.is; //test is just too slow, please fix it to not be sleep-based @BadApple(bugUrl = "https://github.com/elastic/x-plugins/issues/1007") +@ESIntegTestCase.ClusterScope(randomDynamicTemplates = false) public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { private String jsonDoc = "{ \"name\" : \"elasticsearch\"}"; @@ -94,8 +96,7 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { "u11:" + USERS_PASSWD_HASHED + "\n" + "u12:" + USERS_PASSWD_HASHED + "\n" + "u13:" + USERS_PASSWD_HASHED + "\n" + - "u14:" + USERS_PASSWD_HASHED + "\n" + - "u15:" + USERS_PASSWD_HASHED + "\n"; + "u14:" + USERS_PASSWD_HASHED + "\n"; public static final String USERS_ROLES = "all_indices_role:admin,u8\n" + @@ -120,7 +121,6 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { protected Settings nodeSettings(int nodeOrdinal) { return Settings.builder().put(super.nodeSettings(nodeOrdinal)) .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put("action.disable_shutdown", true) .build(); } @@ -139,6 +139,17 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { return super.configUsersRoles() + USERS_ROLES; } + // we reduce the number of shards and replicas to help speed up this test since that is not the focus of this test + @Override + public int maximumNumberOfReplicas() { + return 1; + } + + @Override + public int maximumNumberOfShards() { + return 2; + } + @Before public void insertBaseDocumentsAsAdmin() throws Exception { // indices: a,b,c,abc @@ -296,24 +307,13 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { assertUserIsDenied("u14", "all", "c"); } - public void testUserU15() throws Exception { - //u15 has access to manage and search a, so that adding warmer templates work - assertUserIsAllowed("u15", "manage", "a"); - assertUserIsAllowed("u15", "search", "a"); - assertAccessIsAllowed("u15", "PUT", "/a/_warmer/w1", "{ \"query\" : { \"match_all\" : {} } }"); - assertAccessIsAllowed("u15", "DELETE", "/a/_warmer/w1"); - - assertUserIsDenied("u15", "all", "b"); - assertUserIsDenied("u15", "all", "c"); - } - public void testThatUnknownUserIsRejectedProperly() throws Exception { HttpResponse response = executeRequest("idonotexist", "GET", "/", null, new HashMap<>()); assertThat(response.getStatusCode(), is(401)); } private void assertUserExecutes(String user, String action, String index, boolean userIsAllowed) throws Exception { - Map refreshParams = singletonMap("refresh", "true"); + Map refreshParams = Collections.emptyMap();//singletonMap("refresh", "true"); switch (action) { case "all" : @@ -353,11 +353,6 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { assertAccessIsAllowed("admin", "PUT", "/" + index + "/foo/1", jsonDoc, refreshParams); client().admin().cluster().prepareHealth(index).setWaitForGreenStatus().get(); assertAccessIsAllowed(user, "GET", "/" + index + "/_mapping/foo/field/name"); - // putting warmers only works if the user is allowed to search as well, as the query gets validated, added an own - // test for this - assertAccessIsAllowed("admin", "PUT", "/" + index + "/_warmer/w1", "{ \"query\" : { \"match_all\" : {} } }"); - assertAccessIsAllowed(user, "GET", "/" + index + "/_warmer/w1"); - assertAccessIsAllowed(user, "DELETE", "/" + index + "/_warmer/w1"); assertAccessIsAllowed(user, "GET", "/" + index + "/_settings"); } else { assertAccessIsDenied(user, "DELETE", "/" + index); @@ -372,9 +367,6 @@ public class IndexPrivilegeTests extends AbstractPrivilegeTestCase { assertAccessIsDenied(user, "POST", "/" + index + "/_open"); assertAccessIsDenied(user, "POST", "/" + index + "/_cache/clear"); assertAccessIsDenied(user, "GET", "/" + index + "/_mapping/foo/field/name"); - assertAccessIsDenied(user, "PUT", "/" + index + "/_warmer/w1", "{ \"query\" : { \"match_all\" : {} } }"); - assertAccessIsDenied(user, "GET", "/" + index + "/_warmer/w1"); - assertAccessIsDenied(user, "DELETE", "/" + index + "/_warmer/w1"); assertAccessIsDenied(user, "GET", "/" + index + "/_settings"); } break; diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java index b636572b83e..b5636f511c1 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java @@ -5,7 +5,6 @@ */ package org.elasticsearch.integration; -import org.apache.lucene.util.LuceneTestCase.BadApple; import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse; import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse; @@ -33,8 +32,6 @@ import static org.hamcrest.Matchers.hasSize; * actions that are normally categorized as index actions as cluster actions - for example, * index template actions. */ -//test is just too slow, please fix it to not be sleep-based -@BadApple(bugUrl = "https://github.com/elastic/x-plugins/issues/1007") public class PermissionPrecedenceTests extends ShieldIntegTestCase { protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray()))); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailEnabledTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailEnabledTests.java deleted file mode 100644 index 3437d66115f..00000000000 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailEnabledTests.java +++ /dev/null @@ -1,108 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -package org.elasticsearch.shield.audit.index; - -import org.apache.lucene.util.LuceneTestCase.BadApple; -import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateResponse; -import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse; -import org.elasticsearch.action.search.SearchResponse; -import org.elasticsearch.cluster.metadata.IndexTemplateMetaData; -import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail; -import org.elasticsearch.test.ESIntegTestCase.ClusterScope; -import org.elasticsearch.test.ESIntegTestCase.Scope; -import org.elasticsearch.test.ShieldIntegTestCase; -import org.joda.time.DateTime; -import org.joda.time.DateTimeZone; - -import java.util.Collections; -import java.util.Set; - -import static org.hamcrest.Matchers.is; - -//test is just too slow, please fix it to not be sleep-based -@BadApple(bugUrl = "https://github.com/elastic/x-plugins/issues/1007") -@ClusterScope(scope = Scope.TEST, randomDynamicTemplates = false) -public class IndexAuditTrailEnabledTests extends ShieldIntegTestCase { - IndexNameResolver.Rollover rollover = randomFrom(IndexNameResolver.Rollover.values()); - - @Override - protected Set excludeTemplates() { - return Collections.singleton(IndexAuditTrail.INDEX_TEMPLATE_NAME); - } - - @Override - protected Settings nodeSettings(int nodeOrdinal) { - Settings.Builder builder = Settings.builder() - .put(super.nodeSettings(nodeOrdinal)); - builder.put("shield.audit.enabled", true); - if (randomBoolean()) { - builder.putArray("shield.audit.outputs", LoggingAuditTrail.NAME, IndexAuditTrail.NAME); - } else { - builder.putArray("shield.audit.outputs", IndexAuditTrail.NAME); - } - builder.put(IndexAuditTrail.ROLLOVER_SETTING, rollover); - - return builder.build(); - } - - @Override - public void beforeIndexDeletion() { - // For this test, this is a NO-OP because the index audit trail will continue to capture events and index after - // the tests have completed. The default implementation of this method expects that nothing is performing operations - // after the test has completed - } - - public void testAuditTrailIndexAndTemplateExists() throws Exception { - awaitIndexTemplateCreation(); - - // Wait for the index to be created since we have our own startup - awaitAuditDocumentCreation(); - } - - public void testAuditTrailTemplateIsRecreatedAfterDelete() throws Exception { - // this is already "tested" by the test framework since we wipe the templates before and after, but lets be explicit about the - // behavior - awaitIndexTemplateCreation(); - - // delete the template - DeleteIndexTemplateResponse deleteResponse = client().admin().indices() - .prepareDeleteTemplate(IndexAuditTrail.INDEX_TEMPLATE_NAME).execute().actionGet(); - assertThat(deleteResponse.isAcknowledged(), is(true)); - awaitIndexTemplateCreation(); - } - - void awaitAuditDocumentCreation() throws Exception { - final String indexName = IndexNameResolver.resolve(IndexAuditTrail.INDEX_NAME_PREFIX, DateTime.now(DateTimeZone.UTC), rollover); - boolean success = awaitBusy(() -> { - try { - SearchResponse searchResponse = client().prepareSearch(indexName).setSize(0).setTerminateAfter(1).execute().actionGet(); - return searchResponse.getHits().totalHits() > 0; - } catch (Exception e) { - return false; - } - }); - - assertThat("no audit document exists!", success, is(true)); - } - - void awaitIndexTemplateCreation() throws InterruptedException { - boolean found = awaitBusy(() -> { - GetIndexTemplatesResponse response = client().admin().indices() - .prepareGetTemplates(IndexAuditTrail.INDEX_TEMPLATE_NAME).execute().actionGet(); - if (response.getIndexTemplates().size() > 0) { - for (IndexTemplateMetaData indexTemplateMetaData : response.getIndexTemplates()) { - if (IndexAuditTrail.INDEX_TEMPLATE_NAME.equals(indexTemplateMetaData.name())) { - return true; - } - } - } - return false; - }); - - assertThat("index template [" + IndexAuditTrail.INDEX_TEMPLATE_NAME + "] was not created", found, is(true)); - } -} diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java index 3fa7d74214c..a61279719ca 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java @@ -177,7 +177,8 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase { } }; cluster2 = new InternalTestCluster("network", randomLong(), createTempDir(), numNodes, numNodes, cluster2Name, - cluster2SettingsSource, 0, false, SECOND_CLUSTER_NODE_PREFIX, getMockPlugins(), Function.identity()); + cluster2SettingsSource, 0, false, SECOND_CLUSTER_NODE_PREFIX, getMockPlugins(), + useShield ? getClientWrapper() : Function.identity()); cluster2.beforeTest(getRandom(), 0.5); remoteClient = cluster2.client(); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealmTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealmTests.java index 58a15ca2fa7..41b6fbdbc22 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealmTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/CachingUsernamePasswordRealmTests.java @@ -5,7 +5,6 @@ */ package org.elasticsearch.shield.authc.support; -import org.apache.lucene.util.LuceneTestCase.BadApple; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.shield.User; @@ -25,8 +24,6 @@ import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.nullValue; import static org.hamcrest.Matchers.sameInstance; -//test is just too slow, please fix it to not be sleep-based -@BadApple(bugUrl = "https://github.com/elastic/x-plugins/issues/1007") public class CachingUsernamePasswordRealmTests extends ESTestCase { private Settings globalSettings; @@ -206,7 +203,9 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase { }; final CountDownLatch latch = new CountDownLatch(1); - final int numberOfThreads = randomIntBetween(8, 24); + final int numberOfProcessors = Runtime.getRuntime().availableProcessors(); + final int numberOfThreads = scaledRandomIntBetween((numberOfProcessors + 1) / 2, numberOfProcessors * 3); + final int numberOfIterations = scaledRandomIntBetween(20, 100); List threads = new ArrayList<>(); for (int i = 0; i < numberOfThreads; i++) { final boolean invalidPassword = randomBoolean(); @@ -215,9 +214,9 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase { public void run() { try { latch.await(); - for (int i = 0; i < 100; i++) { - User user = realm.authenticate( - new UsernamePasswordToken(username, invalidPassword ? randomPassword : password)); + for (int i = 0; i < numberOfIterations; i++) { + UsernamePasswordToken token = new UsernamePasswordToken(username, invalidPassword ? randomPassword : password); + User user = realm.authenticate(token); if (invalidPassword && user != null) { throw new RuntimeException("invalid password led to an authenticated user: " + user.toString()); } else if (invalidPassword == false && user == null) { diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java index 7b5aff1374d..677462835f6 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java @@ -245,7 +245,7 @@ public class PrivilegeTests extends ESTestCase { assertThat(predicate.test("whatever"), is(false)); assertThat(predicate.test("cluster:admin/reroute"), is(true)); assertThat(predicate.test("cluster:admin/whatever"), is(false)); - assertThat(predicate.test("indices:admin/mapping/put"), is(true)); + assertThat(predicate.test("indices:admin/mapping/put"), is(false)); assertThat(predicate.test("indices:admin/mapping/whatever"), is(false)); } From 25c3a665025d839e7ac619bdf26f89e855f628c1 Mon Sep 17 00:00:00 2001 From: Simon Willnauer Date: Mon, 8 Feb 2016 21:57:02 +0100 Subject: [PATCH 3/8] Fix compile error after core change Original commit: elastic/x-pack-elasticsearch@ba170bbc6384f2270a2d0989d51dfc66488ed598 --- .../src/main/java/org/elasticsearch/shield/ShieldPlugin.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java index 61226c5ce55..0003dcdd210 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java @@ -210,7 +210,7 @@ public class ShieldPlugin extends Plugin { assert shieldLicenseState != null; if (flsDlsEnabled(settings)) { module.setSearcherWrapper((indexService) -> new ShieldIndexSearcherWrapper(indexService.getIndexSettings(), - indexService.getQueryShardContext(), indexService.mapperService(), + indexService.newQueryShardContext(), indexService.mapperService(), indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(), shieldLicenseState)); } From e8ad8cbb36ea80de8f9b3aebcae77250ed6e99ba Mon Sep 17 00:00:00 2001 From: Alexander Reelsen Date: Tue, 9 Feb 2016 09:39:07 +0100 Subject: [PATCH 4/8] Watcher: Load versioned index template for watch history This loads an index template for the watch history to make sure, that field changes are taken into account. Also, the dynamic mapping for the watch history template has been changed from strict to false. This means that new fields can be included in a document, but they will not indexed and are not searchable. In addition the index names have been changed from .watch_history-$date to .watcher-history-$template-$date - using dashes to be more consistent. Closes elastic/elasticsearch#1299 Original commit: elastic/x-pack-elasticsearch@794f9822347011bd12a4d3e089d2da353581250d --- ...HistoryTemplateTransformMappingsTests.java | 2 +- .../watcher-with-shield-roles.yml | 6 +- .../watcher_mustache/20_array_access.yaml | 2 +- .../smoke-test-watcher-with-shield/roles.yml | 4 +- elasticsearch/x-pack/build.gradle | 3 + .../elasticsearch/watcher/WatcherModule.java | 27 +++++++- .../elasticsearch/watcher/WatcherPlugin.java | 69 +++++++++++-------- .../execution/WatchExecutionContext.java | 2 +- .../watcher/history/HistoryStore.java | 3 +- .../support/WatcherIndexTemplateRegistry.java | 14 +++- .../src/main/resources/watch_history.json | 8 ++- .../src/main/resources/watcher.properties | 1 + .../watcher/WatcherPluginTests.java | 4 +- .../watcher/history/HistoryStoreTests.java | 16 +++-- .../HistoryTemplateTimeMappingsTests.java | 2 +- ...HistoryTemplateTransformMappingsTests.java | 2 +- .../WatcherIndexTemplateRegistryTests.java | 1 - .../action/activate/ActivateWatchTests.java | 6 +- .../watcher/array_compare_watch/10_basic.yaml | 4 +- .../10_monitor_cluster_health.yaml | 4 +- 20 files changed, 118 insertions(+), 62 deletions(-) create mode 100644 elasticsearch/x-pack/watcher/src/main/resources/watcher.properties diff --git a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/HistoryTemplateTransformMappingsTests.java b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/HistoryTemplateTransformMappingsTests.java index 075bbc50e9a..ae8782a4d93 100644 --- a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/HistoryTemplateTransformMappingsTests.java +++ b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/HistoryTemplateTransformMappingsTests.java @@ -98,7 +98,7 @@ public class HistoryTemplateTransformMappingsTests extends AbstractWatcherIntegr assertThat(mappingsResponse, notNullValue()); assertThat(mappingsResponse.getMappings().isEmpty(), is(false)); for (ObjectObjectCursor> metadatas : mappingsResponse.getMappings()) { - if (!metadatas.key.startsWith(".watch_history")) { + if (!metadatas.key.startsWith(".watcher-history")) { continue; } MappingMetaData metadata = metadatas.value.get("watch_record"); diff --git a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml index 8228084ac69..a0c1878f919 100644 --- a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml +++ b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml @@ -6,15 +6,15 @@ admin: watcher_manager: cluster: manage_watcher, cluster:monitor/nodes/info, cluster:monitor/health indices: - '.watch_history-*': all + '.watcher-history-*': all watcher_monitor: cluster: monitor_watcher indices: - '.watch_history-*': read + '.watcher-history-*': read crapy_role: cluster: - cluster:monitor/nodes/info - cluster:monitor/health - - cluster:monitor/nodes/liveness \ No newline at end of file + - cluster:monitor/nodes/liveness diff --git a/elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/resources/rest-api-spec/test/watcher_mustache/20_array_access.yaml b/elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/resources/rest-api-spec/test/watcher_mustache/20_array_access.yaml index d1a346e24b9..606d5c2baff 100644 --- a/elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/resources/rest-api-spec/test/watcher_mustache/20_array_access.yaml +++ b/elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/resources/rest-api-spec/test/watcher_mustache/20_array_access.yaml @@ -58,5 +58,5 @@ - do: search: - index: .watch_history-* + index: .watcher-history-* - match: { hits.hits.0._source.result.actions.0.logging.logged_text: "value1 value2" } diff --git a/elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml b/elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml index 8e695f84f9b..e5cbe14f6b5 100644 --- a/elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml +++ b/elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml @@ -6,13 +6,13 @@ admin: watcher_manager: cluster: manage_watcher, cluster:monitor/nodes/info, cluster:monitor/health indices: - '.watch_history-*': all + '.watcher-history-*': all run_as: powerless_user, watcher_manager watcher_monitor: cluster: monitor_watcher indices: - '.watch_history-*': read + '.watcher-history-*': read crappy_role: cluster: diff --git a/elasticsearch/x-pack/build.gradle b/elasticsearch/x-pack/build.gradle index 2af72067e18..4bfecdc4d86 100644 --- a/elasticsearch/x-pack/build.gradle +++ b/elasticsearch/x-pack/build.gradle @@ -74,6 +74,9 @@ ext.expansions = [ // Used in marvel index templates 'marvel.plugin.version': version, 'marvel.template.version': '1', + // Used in watcher index template + 'watcher.plugin.version': version, + 'watcher.template.version': '1', ] processResources { diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherModule.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherModule.java index d6d10f48ce3..7ab1f280fb5 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherModule.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherModule.java @@ -6,6 +6,7 @@ package org.elasticsearch.watcher; +import org.elasticsearch.common.Strings; import org.elasticsearch.common.inject.AbstractModule; import org.elasticsearch.common.inject.multibindings.Multibinder; import org.elasticsearch.common.settings.Setting; @@ -14,10 +15,17 @@ import org.elasticsearch.watcher.support.WatcherIndexTemplateRegistry; import org.elasticsearch.watcher.support.WatcherIndexTemplateRegistry.TemplateConfig; import org.elasticsearch.watcher.support.validation.WatcherSettingsValidation; +import java.io.IOException; +import java.io.InputStream; +import java.util.Properties; + public class WatcherModule extends AbstractModule { - public static final String HISTORY_TEMPLATE_NAME = "watch_history"; + static final String PROPERTIES_FILE = "/watcher.properties"; + static final String VERSION_FIELD = "watcher.template.version"; + + public static final String HISTORY_TEMPLATE_NAME = "watch_history_" + getHistoryIndexTemplateVersion(); public static final String TRIGGERED_TEMPLATE_NAME = "triggered_watches"; public static final String WATCHES_TEMPLATE_NAME = "watches"; public static final Setting HISTORY_TEMPLATE_SETTING = Setting.groupSetting("watcher.history.index.", true, @@ -30,7 +38,7 @@ public class WatcherModule extends AbstractModule { public final static TemplateConfig[] TEMPLATE_CONFIGS = new TemplateConfig[]{ new TemplateConfig(TRIGGERED_TEMPLATE_NAME, TRIGGERED_TEMPLATE_SETTING), - new TemplateConfig(HISTORY_TEMPLATE_NAME, HISTORY_TEMPLATE_SETTING), + new TemplateConfig(HISTORY_TEMPLATE_NAME, "watch_history", HISTORY_TEMPLATE_SETTING), new TemplateConfig(WATCHES_TEMPLATE_NAME, WATCHES_TEMPLATE_SETTING) }; @@ -53,4 +61,19 @@ public class WatcherModule extends AbstractModule { } } + public static final Integer getHistoryIndexTemplateVersion() { + try (InputStream is = WatcherModule.class.getResourceAsStream(PROPERTIES_FILE)) { + Properties properties = new Properties(); + properties.load(is); + String version = properties.getProperty(VERSION_FIELD); + if (Strings.hasLength(version)) { + return Integer.parseInt(version); + } + return null; + } catch (NumberFormatException e) { + throw new IllegalArgumentException("failed to parse watcher template version"); + } catch (IOException e) { + throw new IllegalArgumentException("failed to load watcher template version"); + } + } } diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java index 2a22b11785e..53da3a35380 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java @@ -91,13 +91,19 @@ import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.List; +import java.util.function.Function; +import static org.elasticsearch.common.settings.Setting.Scope.CLUSTER; import static org.elasticsearch.common.settings.Settings.settingsBuilder; public class WatcherPlugin extends Plugin { public static final String NAME = "watcher"; public static final String ENABLED_SETTING = NAME + ".enabled"; + public static final Setting INDEX_WATCHER_VERSION_SETTING = + new Setting<>("index.watcher.plugin.version", "", Function.identity(), false, Setting.Scope.INDEX); + public static final Setting INDEX_WATCHER_TEMPLATE_VERSION_SETTING = + new Setting<>("index.watcher.template.version", "", Function.identity(), false, Setting.Scope.INDEX); private final static ESLogger logger = Loggers.getLogger(XPackPlugin.class); @@ -193,37 +199,40 @@ public class WatcherPlugin extends Plugin { module.registerSetting(InternalEmailService.EMAIL_ACCOUNT_SETTING); module.registerSetting(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING); module.registerSetting(InternalPagerDutyService.PAGERDUTY_ACCOUNT_SETTING); - module.registerSetting(Setting.intSetting("watcher.execution.scroll.size", 0, false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.intSetting("watcher.watch.scroll.size", 0, false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.boolSetting("watcher.enabled", false, false, Setting.Scope.CLUSTER)); + module.registerSetting(INDEX_WATCHER_VERSION_SETTING); + module.registerSetting(INDEX_WATCHER_TEMPLATE_VERSION_SETTING); + module.registerSetting(Setting.intSetting("watcher.execution.scroll.size", 0, false, CLUSTER)); + module.registerSetting(Setting.intSetting("watcher.watch.scroll.size", 0, false, CLUSTER)); + module.registerSetting(Setting.boolSetting("watcher.enabled", false, false, CLUSTER)); module.registerSetting(ShieldSecretService.ENCRYPT_SENSITIVE_DATA_SETTING); // TODO add real settings for these - module.registerSetting(Setting.simpleString("resource.reload.interval", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("resource.reload.enabled", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("resource.reload.interval.low", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("resource.reload.interval.medium", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.internal.ops.search.default_timeout", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.internal.ops.bulk.default_timeout", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.internal.ops.index.default_timeout", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.execution.default_throttle_period", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.http.default_read_timeout", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.groupSetting("watcher.http.ssl.", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.groupSetting("watcher.http.proxy.", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.actions.index.default_timeout", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.index.rest.direct_access", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.trigger.schedule.engine", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.input.search.default_timeout", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.transform.search.default_timeout", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.trigger.schedule.ticker.tick_interval", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.execution.scroll.timeout", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.start_immediately", false, Setting.Scope.CLUSTER)); - module.registerSetting(Setting.simpleString("watcher.http.default_connection_timeout", false, Setting.Scope.CLUSTER)); + module.registerSetting(Setting.simpleString("resource.reload.interval", false, CLUSTER)); + module.registerSetting(Setting.simpleString("resource.reload.enabled", false, CLUSTER)); + module.registerSetting(Setting.simpleString("resource.reload.interval.low", false, CLUSTER)); + module.registerSetting(Setting.simpleString("resource.reload.interval.medium", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.internal.ops.search.default_timeout", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.internal.ops.bulk.default_timeout", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.internal.ops.index.default_timeout", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.execution.default_throttle_period", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.http.default_read_timeout", false, CLUSTER)); + module.registerSetting(Setting.groupSetting("watcher.http.ssl.", false, CLUSTER)); + module.registerSetting(Setting.groupSetting("watcher.http.proxy.", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.actions.index.default_timeout", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.index.rest.direct_access", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.trigger.schedule.engine", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.input.search.default_timeout", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.transform.search.default_timeout", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.trigger.schedule.ticker.tick_interval", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.execution.scroll.timeout", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.start_immediately", false, CLUSTER)); + module.registerSetting(Setting.simpleString("watcher.http.default_connection_timeout", false, CLUSTER)); module.registerSettingsFilter("watcher.actions.email.service.account.*.smtp.password"); module.registerSettingsFilter("watcher.actions.slack.service.account.*.url"); module.registerSettingsFilter("watcher.actions.pagerduty.service.account.*.url"); module.registerSettingsFilter("watcher.actions.pagerduty.service." + PagerDutyAccount.SERVICE_KEY_SETTING); - module.registerSettingsFilter("watcher.actions.pagerduty.service.account.*." + PagerDutyAccount.SERVICE_KEY_SETTING); + module.registerSettingsFilter("watcher.actions.pagerduty.service.account.*." + + PagerDutyAccount.SERVICE_KEY_SETTING); module.registerSettingsFilter("watcher.actions.hipchat.service.account.*.auth_token"); } @@ -265,8 +274,9 @@ public class WatcherPlugin extends Plugin { return; } - String errorMessage = LoggerMessageFormat.format("the [action.auto_create_index] setting value [{}] is too restrictive. disable " + - "[action.auto_create_index] or set it to [.watches,.triggered_watches,.watch_history*]", (Object) settings); + String errorMessage = LoggerMessageFormat.format("the [action.auto_create_index] setting value [{}] is too" + + " restrictive. disable [action.auto_create_index] or set it to " + + "[.watches,.triggered_watches,.watcher-history*]", (Object) settings); if (Booleans.isExplicitFalse(value)) { throw new IllegalArgumentException(errorMessage); } @@ -312,9 +322,10 @@ public class WatcherPlugin extends Plugin { throw new IllegalArgumentException(errorMessage); } } - logger.warn("the [action.auto_create_index] setting is configured to be restrictive [{}]. for the next 6 months daily history " + - "indices are allowed to be created, but please make sure that any future history indices after 6 months with the pattern " + - "[.watch_history-YYYY.MM.dd] are allowed to be created", value); + logger.warn("the [action.auto_create_index] setting is configured to be restrictive [{}]. " + + " for the next 6 months daily history indices are allowed to be created, but please make sure" + + " that any future history indices after 6 months with the pattern " + + "[.watcher-history-YYYY.MM.dd] are allowed to be created", value); } } diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/execution/WatchExecutionContext.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/execution/WatchExecutionContext.java index cb47bb486eb..b6cf607c728 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/execution/WatchExecutionContext.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/execution/WatchExecutionContext.java @@ -70,7 +70,7 @@ public abstract class WatchExecutionContext { public abstract boolean skipThrottling(String actionId); /** - * @return true if this execution should be recorded in the .watch_history index + * @return true if this execution should be recorded in the .watcher-history index */ public abstract boolean recordExecution(); diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/history/HistoryStore.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/history/HistoryStore.java index d3cbe477f5b..08c6b272860 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/history/HistoryStore.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/history/HistoryStore.java @@ -12,6 +12,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.common.xcontent.XContentFactory; import org.elasticsearch.index.engine.VersionConflictEngineException; +import org.elasticsearch.watcher.WatcherModule; import org.elasticsearch.watcher.execution.ExecutionState; import org.elasticsearch.watcher.support.init.proxy.ClientProxy; import org.joda.time.DateTime; @@ -30,7 +31,7 @@ import static org.elasticsearch.watcher.support.Exceptions.ioException; */ public class HistoryStore extends AbstractComponent { - public static final String INDEX_PREFIX = ".watch_history-"; + public static final String INDEX_PREFIX = ".watcher-history-" + WatcherModule.getHistoryIndexTemplateVersion() + "-"; public static final String DOC_TYPE = "watch_record"; static final DateTimeFormatter indexTimeFormat = DateTimeFormat.forPattern("YYYY.MM.dd"); diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistry.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistry.java index 7d4858ffdc0..b8264d00a7c 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistry.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistry.java @@ -153,9 +153,9 @@ public class WatcherIndexTemplateRegistry extends AbstractComponent implements C executor.execute(new Runnable() { @Override public void run() { - try (InputStream is = WatchStore.class.getResourceAsStream("/" + config.getTemplateName() + ".json")) { + try (InputStream is = WatchStore.class.getResourceAsStream("/" + config.getFileName()+ ".json")) { if (is == null) { - logger.error("Resource [/" + config.getTemplateName() + ".json] not found in classpath"); + logger.error("Resource [/" + config.getFileName() + ".json] not found in classpath"); return; } final byte[] template; @@ -184,13 +184,23 @@ public class WatcherIndexTemplateRegistry extends AbstractComponent implements C public static class TemplateConfig { private final String templateName; + private String fileName; private final Setting setting; public TemplateConfig(String templateName, Setting setting) { + this(templateName, templateName, setting); + } + + public TemplateConfig(String templateName, String fileName, Setting setting) { this.templateName = templateName; + this.fileName = fileName; this.setting = setting; } + public String getFileName() { + return fileName; + } + public String getTemplateName() { return templateName; } diff --git a/elasticsearch/x-pack/watcher/src/main/resources/watch_history.json b/elasticsearch/x-pack/watcher/src/main/resources/watch_history.json index 4c9e6fb8eeb..57470bb9afc 100644 --- a/elasticsearch/x-pack/watcher/src/main/resources/watch_history.json +++ b/elasticsearch/x-pack/watcher/src/main/resources/watch_history.json @@ -1,7 +1,9 @@ { - "template": ".watch_history*", + "template": ".watcher-history-${watcher.template.version}*", "order": 2147483647, "settings": { + "watcher.plugin.version": "${watcher.plugin.version}", + "watcher.template.version": "${watcher.template.version}", "index.number_of_shards": 1, "index.mapper.dynamic": false }, @@ -29,7 +31,7 @@ } } ], - "dynamic": "strict", + "dynamic": false, "_all": { "enabled": false }, @@ -544,4 +546,4 @@ } } } -} +} \ No newline at end of file diff --git a/elasticsearch/x-pack/watcher/src/main/resources/watcher.properties b/elasticsearch/x-pack/watcher/src/main/resources/watcher.properties new file mode 100644 index 00000000000..bf7c8605062 --- /dev/null +++ b/elasticsearch/x-pack/watcher/src/main/resources/watcher.properties @@ -0,0 +1 @@ +watcher.template.version=${watcher.template.version} diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginTests.java index d0a78749f3a..31efd271688 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginTests.java @@ -19,7 +19,7 @@ public class WatcherPluginTests extends ESTestCase { } catch (IllegalArgumentException e) { } WatcherPlugin.validAutoCreateIndex(Settings.builder().put("action.auto_create_index", - ".watches,.triggered_watches,.watch_history*").build()); + ".watches,.triggered_watches,.watcher-history*").build()); WatcherPlugin.validAutoCreateIndex(Settings.builder().put("action.auto_create_index", "*w*").build()); WatcherPlugin.validAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".w*,.t*").build()); try { @@ -33,7 +33,7 @@ public class WatcherPluginTests extends ESTestCase { } catch (IllegalArgumentException e) { } try { - WatcherPlugin.validAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".watch_history*").build()); + WatcherPlugin.validAutoCreateIndex(Settings.builder().put("action.auto_create_index", ".watcher-history*").build()); fail("IllegalArgumentException expected"); } catch (IllegalArgumentException e) { } diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryStoreTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryStoreTests.java index 07ca4469ec0..d659a11c6ef 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryStoreTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryStoreTests.java @@ -10,6 +10,7 @@ import org.elasticsearch.action.index.IndexResponse; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.watcher.WatcherModule; import org.elasticsearch.watcher.execution.ExecutionState; import org.elasticsearch.watcher.execution.Wid; import org.elasticsearch.watcher.support.init.proxy.ClientProxy; @@ -45,7 +46,7 @@ public class HistoryStoreTests extends ESTestCase { WatchRecord watchRecord = new WatchRecord(wid, event, ExecutionState.EXECUTED, null); IndexResponse indexResponse = mock(IndexResponse.class); - IndexRequest indexRequest = indexRequest(".watch_history-1970.01.01", HistoryStore.DOC_TYPE, wid.value() + IndexRequest indexRequest = indexRequest(".watcher-history-1970.01.01", HistoryStore.DOC_TYPE, wid.value() , IndexRequest.OpType.CREATE); when(clientProxy.index(indexRequest, Matchers.any())).thenReturn(indexResponse); historyStore.put(watchRecord); @@ -69,9 +70,14 @@ public class HistoryStoreTests extends ESTestCase { } public void testIndexNameGeneration() { - assertThat(HistoryStore.getHistoryIndexNameForTime(new DateTime(0, UTC)), equalTo(".watch_history-1970.01.01")); - assertThat(HistoryStore.getHistoryIndexNameForTime(new DateTime(100000000000L, UTC)), equalTo(".watch_history-1973.03.03")); - assertThat(HistoryStore.getHistoryIndexNameForTime(new DateTime(1416582852000L, UTC)), equalTo(".watch_history-2014.11.21")); - assertThat(HistoryStore.getHistoryIndexNameForTime(new DateTime(2833165811000L, UTC)), equalTo(".watch_history-2059.10.12")); + Integer indexTemplateVersion = WatcherModule.getHistoryIndexTemplateVersion(); + assertThat(HistoryStore.getHistoryIndexNameForTime(new DateTime(0, UTC)), + equalTo(".watcher-history-"+ indexTemplateVersion +"-1970.01.01")); + assertThat(HistoryStore.getHistoryIndexNameForTime(new DateTime(100000000000L, UTC)), + equalTo(".watcher-history-" + indexTemplateVersion + "-1973.03.03")); + assertThat(HistoryStore.getHistoryIndexNameForTime(new DateTime(1416582852000L, UTC)), + equalTo(".watcher-history-" + indexTemplateVersion + "-2014.11.21")); + assertThat(HistoryStore.getHistoryIndexNameForTime(new DateTime(2833165811000L, UTC)), + equalTo(".watcher-history-" + indexTemplateVersion + "-2059.10.12")); } } diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateTimeMappingsTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateTimeMappingsTests.java index dda571511c1..ae30a15c72c 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateTimeMappingsTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateTimeMappingsTests.java @@ -63,7 +63,7 @@ public class HistoryTemplateTimeMappingsTests extends AbstractWatcherIntegration assertThat(mappingsResponse, notNullValue()); assertThat(mappingsResponse.getMappings().isEmpty(), is(false)); for (ObjectObjectCursor> metadatas : mappingsResponse.getMappings()) { - if (!metadatas.key.startsWith(".watch_history")) { + if (!metadatas.key.startsWith(".watcher-history")) { continue; } MappingMetaData metadata = metadatas.value.get("watch_record"); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateTransformMappingsTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateTransformMappingsTests.java index 5164d69b464..17b886a0c3c 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateTransformMappingsTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateTransformMappingsTests.java @@ -89,7 +89,7 @@ public class HistoryTemplateTransformMappingsTests extends AbstractWatcherIntegr assertThat(mappingsResponse, notNullValue()); assertThat(mappingsResponse.getMappings().isEmpty(), is(false)); for (ObjectObjectCursor> metadatas : mappingsResponse.getMappings()) { - if (!metadatas.key.startsWith(".watch_history")) { + if (!metadatas.key.startsWith(".watcher-history")) { continue; } MappingMetaData metadata = metadatas.value.get("watch_record"); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistryTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistryTests.java index 190b3834920..acc00f2ab37 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistryTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistryTests.java @@ -6,7 +6,6 @@ package org.elasticsearch.watcher.support; import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse; -import org.elasticsearch.cluster.metadata.IndexMetaData; import org.elasticsearch.common.settings.Setting; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.SettingsModule; diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/transport/action/activate/ActivateWatchTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/transport/action/activate/ActivateWatchTests.java index 2ec3e49c710..1859f292fd5 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/transport/action/activate/ActivateWatchTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/transport/action/activate/ActivateWatchTests.java @@ -75,13 +75,13 @@ public class ActivateWatchTests extends AbstractWatcherIntegrationTestCase { flush(); refresh(); - long count1 = docCount(".watch_history*", "watch_record", matchAllQuery()); + long count1 = docCount(".watcher-history*", "watch_record", matchAllQuery()); Thread.sleep(10000); flush(); refresh(); - long count2 = docCount(".watch_history*", "watch_record", matchAllQuery()); + long count2 = docCount(".watcher-history*", "watch_record", matchAllQuery()); assertThat(count2, is(count1)); @@ -96,7 +96,7 @@ public class ActivateWatchTests extends AbstractWatcherIntegrationTestCase { assertThat(getWatchResponse.getStatus().state().isActive(), is(true)); Thread.sleep(10000); - long count3 = docCount(".watch_history*", "watch_record", matchAllQuery()); + long count3 = docCount(".watcher-history*", "watch_record", matchAllQuery()); assertThat(count3, greaterThan(count1)); } diff --git a/elasticsearch/x-pack/watcher/src/test/resources/rest-api-spec/test/watcher/array_compare_watch/10_basic.yaml b/elasticsearch/x-pack/watcher/src/test/resources/rest-api-spec/test/watcher/array_compare_watch/10_basic.yaml index 5a2b6734c52..104b15037db 100644 --- a/elasticsearch/x-pack/watcher/src/test/resources/rest-api-spec/test/watcher/array_compare_watch/10_basic.yaml +++ b/elasticsearch/x-pack/watcher/src/test/resources/rest-api-spec/test/watcher/array_compare_watch/10_basic.yaml @@ -106,11 +106,11 @@ - do: indices.refresh: - index: .watch_history-* + index: .watcher-history-* - do: search: - index: .watch_history-* + index: .watcher-history-* body: > { "query": { diff --git a/elasticsearch/x-pack/watcher/src/test/resources/rest-api-spec/test/watcher/getting_started/10_monitor_cluster_health.yaml b/elasticsearch/x-pack/watcher/src/test/resources/rest-api-spec/test/watcher/getting_started/10_monitor_cluster_health.yaml index 95190135d12..01431cee5c4 100644 --- a/elasticsearch/x-pack/watcher/src/test/resources/rest-api-spec/test/watcher/getting_started/10_monitor_cluster_health.yaml +++ b/elasticsearch/x-pack/watcher/src/test/resources/rest-api-spec/test/watcher/getting_started/10_monitor_cluster_health.yaml @@ -65,11 +65,11 @@ - do: indices.refresh: - index: .watch_history-* + index: .watcher-history-* - do: search: - index: .watch_history-* + index: .watcher-history-* body: > { "query": { From 50452e403f8004d67861e2bb3a0c88baf02a5e68 Mon Sep 17 00:00:00 2001 From: jaymode Date: Tue, 9 Feb 2016 08:14:05 -0500 Subject: [PATCH 5/8] test: filter out unsupported ciphers when checking default socket factory Closes elastic/elasticsearch#2 Original commit: elastic/x-pack-elasticsearch@6510f65dc49e4aefd36f90af47bedb6ccba2ddba --- .../elasticsearch/shield/ssl/ClientSSLServiceTests.java | 6 +++--- .../elasticsearch/shield/ssl/ServerSSLServiceTests.java | 7 +++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java index 6b569f73d4d..d3a8b281896 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ClientSSLServiceTests.java @@ -251,17 +251,17 @@ public class ClientSSLServiceTests extends ESTestCase { } } - @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/2") public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { ClientSSLService sslService = createClientSSLService(settingsBuilder() .put("shield.ssl.keystore.path", testclientStore) .put("shield.ssl.keystore.password", "testclient") .build()); SSLSocketFactory factory = sslService.sslSocketFactory(); - assertThat(factory.getDefaultCipherSuites(), is(sslService.ciphers())); + final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), sslService.ciphers()); + assertThat(factory.getDefaultCipherSuites(), is(ciphers)); try (SSLSocket socket = (SSLSocket) factory.createSocket()) { - assertThat(socket.getEnabledCipherSuites(), is(sslService.ciphers())); + assertThat(socket.getEnabledCipherSuites(), is(ciphers)); assertThat(socket.getEnabledProtocols(), is(sslService.supportedProtocols())); } } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java index e75c41bf808..2eafb33b722 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java @@ -32,7 +32,6 @@ import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.nullValue; import static org.hamcrest.Matchers.sameInstance; -import static org.mockito.Mockito.mock; public class ServerSSLServiceTests extends ESTestCase { Path testnodeStore; @@ -223,17 +222,17 @@ public class ServerSSLServiceTests extends ESTestCase { } } - @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/2") public void testThatSSLSocketFactoryHasProperCiphersAndProtocols() throws Exception { ServerSSLService sslService = new ServerSSLService(settingsBuilder() .put("shield.ssl.keystore.path", testnodeStore) .put("shield.ssl.keystore.password", "testnode") .build(), env); SSLSocketFactory factory = sslService.sslSocketFactory(); - assertThat(factory.getDefaultCipherSuites(), is(sslService.ciphers())); + final String[] ciphers = sslService.supportedCiphers(factory.getSupportedCipherSuites(), sslService.ciphers()); + assertThat(factory.getDefaultCipherSuites(), is(ciphers)); try (SSLSocket socket = (SSLSocket) factory.createSocket()) { - assertThat(socket.getEnabledCipherSuites(), is(sslService.ciphers())); + assertThat(socket.getEnabledCipherSuites(), is(ciphers)); assertThat(socket.getEnabledProtocols(), is(sslService.supportedProtocols())); } } From 92f027159a964663d7bbc09c0827b1039d4573c5 Mon Sep 17 00:00:00 2001 From: uboness Date: Fri, 5 Feb 2016 11:13:30 +0100 Subject: [PATCH 6/8] Shield refactoring for 5.0 - phase 2 - Started to move configuration under the `xpack` name - Cleaned up `ShieldPlugin` - renamed `ShieldClient` to `SecurityClient` - Introduced `XPackClient` that wraps security and watcher clients Original commit: elastic/x-pack-elasticsearch@f05be0c180496daa26238f3a0e7cf06aa80315b5 --- .../qa/shield-audit-tests/build.gradle | 2 +- .../qa/shield-client-tests/build.gradle | 4 +- .../qa/shield-core-rest-tests/build.gradle | 2 +- .../qa/shield-example-realm/build.gradle | 2 +- .../qa/smoke-test-plugins-ssl/build.gradle | 4 +- .../qa/smoke-test-plugins/build.gradle | 2 +- .../build.gradle | 8 +- elasticsearch/x-pack/build.gradle | 6 +- .../indices/IndexRecoveryCollector.java | 5 +- .../indices/IndexStatsCollector.java | 5 +- .../indices/IndicesStatsCollector.java | 5 +- .../marvel/MarvelPluginTests.java | 2 +- .../x-pack/shield/bin/shield/.in.bat | 2 +- .../x-pack/shield/bin/shield/esusers | 2 +- .../x-pack/shield/bin/shield/syskeygen | 2 +- .../elasticsearch/shield/ShieldPlugin.java | 145 ++++++++---------- .../authc/esnative/ESNativeUsersStore.java | 8 +- .../authc/esusers/FileUserPasswdStore.java | 3 +- .../authc/esusers/FileUserRolesStore.java | 3 +- .../shield/authc/support/DnRoleMapper.java | 3 +- .../authz/esnative/ESNativeRolesStore.java | 8 +- .../shield/authz/store/FileRolesStore.java | 28 ++-- ...{ShieldClient.java => SecurityClient.java} | 11 +- .../shield/client/ShieldAuthcClient.java | 54 ------- .../shield/crypto/InternalCryptoService.java | 3 +- .../rest/action/RestShieldInfoAction.java | 2 +- .../realm/RestClearRealmCacheAction.java | 4 +- .../rest/action/role/RestAddRoleAction.java | 4 +- .../role/RestClearRolesCacheAction.java | 4 +- .../action/role/RestDeleteRoleAction.java | 4 +- .../rest/action/role/RestGetRolesAction.java | 4 +- .../rest/action/user/RestAddUserAction.java | 4 +- .../action/user/RestDeleteUserAction.java | 4 +- .../rest/action/user/RestGetUsersAction.java | 4 +- .../shield/support/AbstractShieldModule.java | 2 +- .../integration/BulkUpdateTests.java | 3 +- .../integration/ClearRealmsCacheTests.java | 6 +- .../integration/ClearRolesCacheTests.java | 28 ++-- .../DocumentAndFieldLevelSecurityTests.java | 3 +- .../DocumentLevelSecurityRandomTests.java | 3 +- .../DocumentLevelSecurityTests.java | 3 +- .../FieldLevelSecurityRandomTests.java | 3 +- .../integration/FieldLevelSecurityTests.java | 3 +- ...onsWithAliasesWildcardsAndRegexsTests.java | 3 +- .../ShieldPluginEnabledDisabledTests.java | 4 +- .../shield/ShieldPluginSettingsTests.java | 18 ++- .../audit/index/IndexAuditTrailTests.java | 13 +- .../shield/authc/esnative/ESNativeTests.java | 22 +-- .../authz/store/FileRolesStoreTests.java | 11 +- .../test/ShieldIntegTestCase.java | 11 ++ .../ShieldServerTransportServiceTests.java | 3 +- .../org/elasticsearch/xpack/XPackClient.java | 57 +++++++ .../org/elasticsearch/xpack/XPackPlugin.java | 35 ++++- .../rest-api-spec/test/xpack/10_basic.yaml | 2 +- .../x-pack/watcher/bin/watcher/.in.bat | 2 +- .../x-pack/watcher/bin/watcher/croneval | 2 +- .../elasticsearch/watcher/WatcherPlugin.java | 28 +++- .../watcher/shield/ShieldSecretService.java | 41 ----- .../watcher/shield/WatcherShieldModule.java | 45 ------ .../watcher/support/secret/SecretModule.java | 10 +- .../watcher/support/secret/SecretService.java | 40 ++++- .../elasticsearch/watcher/watch/Watch.java | 2 +- .../watcher/WatcherPluginDisableTests.java | 4 +- .../email/EmailSecretsIntegrationTests.java | 7 +- .../actions/email/service/AccountTests.java | 6 +- .../actions/email/service/AccountsTests.java | 14 +- .../service/InternalEmailServiceTests.java | 2 +- .../ManualPublicSmtpServersTester.java | 4 +- .../HttpEmailAttachementParserTests.java | 4 +- .../watcher/support/http/HttpClientTests.java | 2 +- .../support/http/HttpReadTimeoutTests.java | 4 +- .../http/HttpRequestTemplateTests.java | 3 +- .../AbstractWatcherIntegrationTestCase.java | 6 +- .../HttpSecretsIntegrationTests.java | 13 +- .../watcher/watch/WatchTests.java | 6 +- 75 files changed, 415 insertions(+), 416 deletions(-) rename elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/{ShieldClient.java => SecurityClient.java} (96%) delete mode 100644 elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldAuthcClient.java create mode 100644 elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackClient.java delete mode 100644 elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldSecretService.java delete mode 100644 elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java diff --git a/elasticsearch/qa/shield-audit-tests/build.gradle b/elasticsearch/qa/shield-audit-tests/build.gradle index 90c5855c734..e06acc7f91c 100644 --- a/elasticsearch/qa/shield-audit-tests/build.gradle +++ b/elasticsearch/qa/shield-audit-tests/build.gradle @@ -10,7 +10,7 @@ integTest { systemProperty 'es.shield.audit.enabled', 'true' systemProperty 'es.shield.audit.outputs', 'index' setupCommand 'setupDummyUser', - 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' + 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' waitCondition = { node, ant -> File tmpFile = new File(node.cwd, 'wait.success') ant.get(src: "http://${node.httpUri()}", diff --git a/elasticsearch/qa/shield-client-tests/build.gradle b/elasticsearch/qa/shield-client-tests/build.gradle index 6a295696b96..a60fb47b4eb 100644 --- a/elasticsearch/qa/shield-client-tests/build.gradle +++ b/elasticsearch/qa/shield-client-tests/build.gradle @@ -8,9 +8,9 @@ integTest { cluster { plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') setupCommand 'setupDummyUser', - 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' + 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' setupCommand 'setupTransportClientUser', - 'bin/x-pack/esusers', 'useradd', 'transport', '-p', 'changeme', '-r', 'transport_client' + 'bin/xpack/esusers', 'useradd', 'transport', '-p', 'changeme', '-r', 'transport_client' waitCondition = { node, ant -> File tmpFile = new File(node.cwd, 'wait.success') ant.get(src: "http://${node.httpUri()}", diff --git a/elasticsearch/qa/shield-core-rest-tests/build.gradle b/elasticsearch/qa/shield-core-rest-tests/build.gradle index d907108e267..fa7c76127f1 100644 --- a/elasticsearch/qa/shield-core-rest-tests/build.gradle +++ b/elasticsearch/qa/shield-core-rest-tests/build.gradle @@ -35,7 +35,7 @@ integTest { systemProperty 'es.watcher.enabled', 'false' systemProperty 'es.marvel.enabled', 'false' setupCommand 'setupDummyUser', - 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' + 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' waitCondition = { node, ant -> File tmpFile = new File(node.cwd, 'wait.success') ant.get(src: "http://${node.httpUri()}", diff --git a/elasticsearch/qa/shield-example-realm/build.gradle b/elasticsearch/qa/shield-example-realm/build.gradle index dcd703124d5..c7162d4cb45 100644 --- a/elasticsearch/qa/shield-example-realm/build.gradle +++ b/elasticsearch/qa/shield-example-realm/build.gradle @@ -23,7 +23,7 @@ integTest { systemProperty 'es.shield.authc.realms.esusers.type', 'esusers' setupCommand 'setupDummyUser', - 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' + 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' waitCondition = { node, ant -> File tmpFile = new File(node.cwd, 'wait.success') ant.get(src: "http://${node.httpUri()}", diff --git a/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle b/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle index 21ea63fe82d..4d69d06a877 100644 --- a/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle +++ b/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle @@ -57,9 +57,9 @@ integTest { // copy keystore into config/ extraConfigFile keystore.name, keystore setupCommand 'setupTestUser', - 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' + 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' setupCommand 'setupMarvelUser', - 'bin/x-pack/esusers', 'useradd', 'marvel_export', '-p', 'changeme', '-r', 'marvel_agent' + 'bin/xpack/esusers', 'useradd', 'marvel_export', '-p', 'changeme', '-r', 'marvel_agent' waitCondition = { node, ant -> // we just return true, doing an https check is tricky here return true diff --git a/elasticsearch/qa/smoke-test-plugins/build.gradle b/elasticsearch/qa/smoke-test-plugins/build.gradle index bd139c3701c..2a7fb4e1fd4 100644 --- a/elasticsearch/qa/smoke-test-plugins/build.gradle +++ b/elasticsearch/qa/smoke-test-plugins/build.gradle @@ -18,7 +18,7 @@ integTest { plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') setupCommand 'setupDummyUser', - 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' + 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' waitCondition = { node, ant -> File tmpFile = new File(node.cwd, 'wait.success') ant.get(src: "http://${node.httpUri()}", diff --git a/elasticsearch/qa/smoke-test-watcher-with-shield/build.gradle b/elasticsearch/qa/smoke-test-watcher-with-shield/build.gradle index 790848b639a..580aa48980f 100644 --- a/elasticsearch/qa/smoke-test-watcher-with-shield/build.gradle +++ b/elasticsearch/qa/smoke-test-watcher-with-shield/build.gradle @@ -20,13 +20,13 @@ integTest { cluster { plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack') - extraConfigFile 'x-pack/roles.yml', 'roles.yml' + extraConfigFile 'xpack/roles.yml', 'roles.yml' setupCommand 'setupTestAdminUser', - 'bin/x-pack/esusers', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'admin' + 'bin/xpack/esusers', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'admin' setupCommand 'setupWatcherManagerUser', - 'bin/x-pack/esusers', 'useradd', 'watcher_manager', '-p', 'changeme', '-r', 'watcher_manager' + 'bin/xpack/esusers', 'useradd', 'watcher_manager', '-p', 'changeme', '-r', 'watcher_manager' setupCommand 'setupPowerlessUser', - 'bin/x-pack/esusers', 'useradd', 'powerless_user', '-p', 'changeme', '-r', 'crappy_role' + 'bin/xpack/esusers', 'useradd', 'powerless_user', '-p', 'changeme', '-r', 'crappy_role' waitCondition = { node, ant -> File tmpFile = new File(node.cwd, 'wait.success') ant.get(src: "http://${node.httpUri()}", diff --git a/elasticsearch/x-pack/build.gradle b/elasticsearch/x-pack/build.gradle index 4bfecdc4d86..afca83b1a04 100644 --- a/elasticsearch/x-pack/build.gradle +++ b/elasticsearch/x-pack/build.gradle @@ -3,7 +3,7 @@ import org.elasticsearch.gradle.test.NodeInfo apply plugin: 'elasticsearch.esplugin' esplugin { - name 'x-pack' + name 'xpack' description 'Elasticsearch Expanded Pack Plugin' classname 'org.elasticsearch.xpack.XPackPlugin' // FIXME we still can't be isolated due to shield custom realms @@ -129,7 +129,7 @@ integTest { // TODO: fix this rest test to not depend on a hardcoded port! systemProperty 'tests.rest.blacklist', 'getting_started/10_monitor_cluster_health/*' cluster { - setupCommand 'setupDummyUser', 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' + setupCommand 'setupDummyUser', 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' waitCondition = { NodeInfo node, AntBuilder ant -> File tmpFile = new File(node.cwd, 'wait.success') ant.get(src: "http://${node.httpUri()}", @@ -157,7 +157,7 @@ artifacts { } run { - setupCommand 'setupDummyUser', 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' + setupCommand 'setupDummyUser', 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin' } // classes are missing, e.g. com.ibm.icu.lang.UCharacter diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java index c5be33e8336..71487b77c5c 100644 --- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java +++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java @@ -19,6 +19,7 @@ import org.elasticsearch.marvel.agent.exporter.MarvelDoc; import org.elasticsearch.marvel.agent.settings.MarvelSettings; import org.elasticsearch.marvel.license.MarvelLicensee; import org.elasticsearch.shield.InternalClient; +import org.elasticsearch.shield.ShieldPlugin; import java.util.ArrayList; import java.util.Arrays; @@ -26,8 +27,6 @@ import java.util.Collection; import java.util.Collections; import java.util.List; -import static org.elasticsearch.shield.ShieldPlugin.shieldEnabled; - /** * Collector for the Recovery API. *

@@ -73,7 +72,7 @@ public class IndexRecoveryCollector extends AbstractCollector @@ -87,7 +86,7 @@ public class IndexStatsCollector extends AbstractCollector results.add(indexStatsDoc); } } catch (IndexNotFoundException e) { - if (shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) { + if (ShieldPlugin.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) { logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex()); } else { throw e; diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java index 00e2969a267..6146c2c9c95 100644 --- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java +++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java @@ -19,13 +19,12 @@ import org.elasticsearch.marvel.agent.exporter.MarvelDoc; import org.elasticsearch.marvel.agent.settings.MarvelSettings; import org.elasticsearch.marvel.license.MarvelLicensee; import org.elasticsearch.shield.InternalClient; +import org.elasticsearch.shield.ShieldPlugin; import java.util.Arrays; import java.util.Collection; import java.util.Collections; -import static org.elasticsearch.shield.ShieldPlugin.shieldEnabled; - /** * Collector for indices statistics. *

@@ -72,7 +71,7 @@ public class IndicesStatsCollector extends AbstractCollector /dev/null "$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" $properties org.elasticsearch.shield.authc.esusers.tool.ESUsersTool "$@" diff --git a/elasticsearch/x-pack/shield/bin/shield/syskeygen b/elasticsearch/x-pack/shield/bin/shield/syskeygen index e79f97c3648..f3cb8bfa123 100755 --- a/elasticsearch/x-pack/shield/bin/shield/syskeygen +++ b/elasticsearch/x-pack/shield/bin/shield/syskeygen @@ -123,7 +123,7 @@ fi export HOSTNAME=`hostname -s` # include shield jars in classpath -ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*" +ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/xpack/*" cd "$ES_HOME" > /dev/null $JAVA $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" $properties org.elasticsearch.shield.crypto.tool.SystemKeyTool "$@" diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java index 0003dcdd210..bfaf45273f0 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java @@ -6,7 +6,6 @@ package org.elasticsearch.shield; import org.elasticsearch.action.ActionModule; -import org.elasticsearch.client.Client; import org.elasticsearch.common.component.LifecycleComponent; import org.elasticsearch.common.inject.Module; import org.elasticsearch.common.network.NetworkModule; @@ -14,7 +13,6 @@ import org.elasticsearch.common.settings.Setting; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.env.Environment; import org.elasticsearch.index.IndexModule; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.shield.action.ShieldActionFilter; @@ -71,7 +69,6 @@ import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport; import org.elasticsearch.shield.transport.netty.ShieldNettyTransport; import org.elasticsearch.xpack.XPackPlugin; -import java.nio.file.Path; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; @@ -85,22 +82,19 @@ import java.util.Map; public class ShieldPlugin extends Plugin { public static final String NAME = "shield"; - public static final String ENABLED_SETTING_NAME = NAME + ".enabled"; + public static final String DLS_FLS_FEATURE = "shield.dls_fls"; public static final String OPT_OUT_QUERY_CACHE = "opt_out_cache"; - public static final String DLS_FLS_ENABLED_SETTING = "shield.dls_fls.enabled"; - - private static final boolean DEFAULT_ENABLED_SETTING = true; private final Settings settings; private final boolean enabled; - private final boolean clientMode; + private final boolean transportClientMode; private ShieldLicenseState shieldLicenseState; public ShieldPlugin(Settings settings) { this.settings = settings; - this.enabled = shieldEnabled(settings); - this.clientMode = clientMode(settings); - if (enabled && clientMode == false) { + this.transportClientMode = XPackPlugin.transportClientMode(settings); + this.enabled = XPackPlugin.featureEnabled(settings, NAME, true); + if (enabled && !transportClientMode) { failIfShieldQueryCacheIsNotActive(settings, true); } } @@ -118,11 +112,11 @@ public class ShieldPlugin extends Plugin { @Override public Collection nodeModules() { - if (!enabled) { + if (enabled == false) { return Collections.singletonList(new ShieldDisabledModule(settings)); } - if (clientMode) { + if (transportClientMode == true) { return Arrays.asList( new ShieldTransportModule(settings), new SSLModule(settings)); @@ -147,18 +141,21 @@ public class ShieldPlugin extends Plugin { @Override public Collection> nodeServices() { - if (enabled && clientMode == false) { - List> list = new ArrayList<>(); - if (AuditTrailModule.fileAuditLoggingEnabled(settings)) { - list.add(LoggingAuditTrail.class); - } - list.add(ShieldLicensee.class); - list.add(InternalCryptoService.class); - list.add(FileRolesStore.class); - list.add(Realms.class); - return list; + if (enabled == false || transportClientMode == true) { + return Collections.emptyList(); } - return Collections.emptyList(); + List> list = new ArrayList<>(); + + //TODO why only focus on file audit logs? shouldn't we just check if audit trail is enabled in general? + if (AuditTrailModule.fileAuditLoggingEnabled(settings) == true) { + list.add(LoggingAuditTrail.class); + } + list.add(ShieldLicensee.class); + list.add(InternalCryptoService.class); + list.add(FileRolesStore.class); + list.add(Realms.class); + return list; + } @Override @@ -178,6 +175,7 @@ public class ShieldPlugin extends Plugin { } public void onModule(SettingsModule settingsModule) { + //TODO shouldn't we register these settings only if shield is enabled and we're not in a client mode? settingsModule.registerSetting(IPFilter.IP_FILTER_ENABLED_SETTING); settingsModule.registerSetting(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING); settingsModule.registerSetting(IPFilter.HTTP_FILTER_ALLOW_SETTING); @@ -187,6 +185,9 @@ public class ShieldPlugin extends Plugin { settingsModule.registerSetting(Setting.boolSetting("plugins.load_classpath_plugins", true, false, Setting.Scope.CLUSTER)); // TODO add real settings for this wildcard here settingsModule.registerSetting(Setting.groupSetting("shield.", false, Setting.Scope.CLUSTER)); + // TODO please let's just drop the old settings before releasing + settingsModule.registerSetting(Setting.groupSetting("xpack.shield.", false, Setting.Scope.CLUSTER)); + String[] asArray = settings.getAsArray("shield.hide_settings"); for (String pattern : asArray) { settingsModule.registerSettingsFilter(pattern); @@ -207,6 +208,7 @@ public class ShieldPlugin extends Plugin { if (enabled == false) { return; } + assert shieldLicenseState != null; if (flsDlsEnabled(settings)) { module.setSearcherWrapper((indexService) -> new ShieldIndexSearcherWrapper(indexService.getIndexSettings(), @@ -214,7 +216,7 @@ public class ShieldPlugin extends Plugin { indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(), shieldLicenseState)); } - if (clientMode == false) { + if (transportClientMode == false) { module.registerQueryCache(ShieldPlugin.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new); failIfShieldQueryCacheIsNotActive(module.getSettings(), false); } @@ -225,7 +227,7 @@ public class ShieldPlugin extends Plugin { return; } // registering the security filter only for nodes - if (clientMode == false) { + if (transportClientMode == false) { module.registerFilter(ShieldActionFilter.class); } @@ -241,23 +243,21 @@ public class ShieldPlugin extends Plugin { } public void onModule(NetworkModule module) { - if (clientMode == false) { - // we want to expose the shield rest action even when the plugin is disabled - module.registerRestHandler(RestShieldInfoAction.class); - } - if (enabled == false) { + if (transportClientMode) { + if (enabled) { + module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class); + module.registerTransportService(ShieldPlugin.NAME, ShieldClientTransportService.class); + } return; } - module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class); - if (clientMode) { - module.registerTransportService(ShieldPlugin.NAME, ShieldClientTransportService.class); - } else { - module.registerTransportService(ShieldPlugin.NAME, ShieldServerTransportService.class); - } + // we want to expose the shield rest action even when the plugin is disabled + module.registerRestHandler(RestShieldInfoAction.class); - if (clientMode == false) { + if (enabled) { + module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class); + module.registerTransportService(ShieldPlugin.NAME, ShieldServerTransportService.class); module.registerRestHandler(RestAuthenticateAction.class); module.registerRestHandler(RestClearRealmCacheAction.class); module.registerRestHandler(RestClearRolesCacheAction.class); @@ -290,39 +290,41 @@ public class ShieldPlugin extends Plugin { .toCharArray()))); } - /* - We inject additional settings on each tribe client if the current node is a tribe node, to make sure that every tribe has shield - installed and enabled too: - - if shield is loaded on the tribe node we make sure it is also loaded on every tribe, by making it mandatory there - (this means that the tribe node will fail at startup if shield is not loaded on any tribe due to missing mandatory plugin) - - if shield is loaded and enabled on the tribe node, we make sure it is also enabled on every tribe, by forcibly enabling it - (that means it's not possible to disable shield on the tribe clients) + /** + * If the current node is a tribe node, we inject additional settings on each tribe client. We do this to make sure + * that every tribe cluster has shield installed and is enabled. We do that by: + * + * - making it mandatory on the tribe client (this means that the tribe node will fail at startup if shield is + * not loaded on any tribe due to missing mandatory plugin) + * + * - forcibly enabling it (that means it's not possible to disable shield on the tribe clients) */ private void addTribeSettings(Settings.Builder settingsBuilder) { Map tribesSettings = settings.getGroups("tribe", true); if (tribesSettings.isEmpty()) { + // it's not a tribe node return; } for (Map.Entry tribeSettings : tribesSettings.entrySet()) { String tribePrefix = "tribe." + tribeSettings.getKey() + "."; - // we copy over existing mandatory plugins under additional settings, as they would get overridden otherwise (arrays don't get - // merged) + // we copy over existing mandatory plugins under additional settings, as they would get overridden + // otherwise (arrays don't get merged) String[] existingMandatoryPlugins = tribeSettings.getValue().getAsArray("plugin.mandatory", null); if (existingMandatoryPlugins == null) { //shield is mandatory on every tribe if installed and enabled on the tribe node - settingsBuilder.putArray(tribePrefix + "plugin.mandatory", NAME); + settingsBuilder.putArray(tribePrefix + "plugin.mandatory", XPackPlugin.NAME); } else { - if (!isShieldMandatory(existingMandatoryPlugins)) { - throw new IllegalStateException("when [plugin.mandatory] is explicitly configured, [" + NAME + "] must be included in" + - " this list"); + if (Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME) < 0) { + throw new IllegalStateException("when [plugin.mandatory] is explicitly configured, [" + + XPackPlugin.NAME + "] must be included in this list"); } } - final String tribeEnabledSetting = tribePrefix + ENABLED_SETTING_NAME; + final String tribeEnabledSetting = tribePrefix + XPackPlugin.featureEnabledSetting(NAME); if (settings.get(tribeEnabledSetting) != null) { - boolean enabled = shieldEnabled(tribeSettings.getValue()); + boolean enabled = enabled(tribeSettings.getValue()); if (!enabled) { throw new IllegalStateException("tribe setting [" + tribeEnabledSetting + "] must be set to true but the value is [" + settings.get(tribeEnabledSetting) + "]"); @@ -334,43 +336,22 @@ public class ShieldPlugin extends Plugin { } } - /* - We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation. - This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do - forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to - unauthorized users. + /** + * We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation. + * This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do + * forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to + * unauthorized users. */ private void addQueryCacheSettings(Settings.Builder settingsBuilder) { settingsBuilder.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE); } - private static boolean isShieldMandatory(String[] existingMandatoryPlugins) { - for (String existingMandatoryPlugin : existingMandatoryPlugins) { - if (NAME.equals(existingMandatoryPlugin)) { - return true; - } - } - return false; - } - - public static Path configDir(Environment env) { - return env.configFile().resolve(XPackPlugin.NAME); - } - - public static Path resolveConfigFile(Environment env, String name) { - return configDir(env).resolve(name); - } - - public static boolean clientMode(Settings settings) { - return !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey())); - } - - public static boolean shieldEnabled(Settings settings) { - return settings.getAsBoolean(ENABLED_SETTING_NAME, DEFAULT_ENABLED_SETTING); + public static boolean enabled(Settings settings) { + return XPackPlugin.featureEnabled(settings, NAME, true); } public static boolean flsDlsEnabled(Settings settings) { - return settings.getAsBoolean(DLS_FLS_ENABLED_SETTING, true); + return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true); } private void failIfShieldQueryCacheIsNotActive(Settings settings, boolean nodeSettings) { diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ESNativeUsersStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ESNativeUsersStore.java index 6c254c2e856..b38161fd286 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ESNativeUsersStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ESNativeUsersStore.java @@ -54,7 +54,7 @@ import org.elasticsearch.shield.action.user.DeleteUserRequest; import org.elasticsearch.shield.authc.AuthenticationService; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; import org.elasticsearch.threadpool.ThreadPool; import java.util.ArrayList; @@ -458,10 +458,10 @@ public class ESNativeUsersStore extends AbstractComponent implements ClusterStat } private void clearRealmCache(String username, ActionListener listener, Response response) { - ShieldClient shieldClient = new ShieldClient(client); - ClearRealmCacheRequest request = shieldClient.prepareClearRealmCache() + SecurityClient securityClient = new SecurityClient(client); + ClearRealmCacheRequest request = securityClient.prepareClearRealmCache() .usernames(username).request(); - shieldClient.clearRealmCache(request, new ActionListener() { + securityClient.clearRealmCache(request, new ActionListener() { @Override public void onResponse(ClearRealmCacheResponse nodes) { listener.onResponse(response); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java index f1f60a86d97..e9a6da330ab 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java @@ -20,6 +20,7 @@ import org.elasticsearch.shield.support.Validation; import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileWatcher; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.XPackPlugin; import java.io.IOException; import java.io.PrintWriter; @@ -98,7 +99,7 @@ public class FileUserPasswdStore { public static Path resolveFile(Settings settings, Environment env) { String location = settings.get("files.users"); if (location == null) { - return ShieldPlugin.resolveConfigFile(env, "users"); + return XPackPlugin.resolveConfigFile(env, "users"); } return env.binFile().getParent().resolve(location); } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java index 001d1fe25bf..266f57cd487 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java @@ -19,6 +19,7 @@ import org.elasticsearch.shield.support.Validation; import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileWatcher; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.XPackPlugin; import java.io.IOException; import java.io.PrintWriter; @@ -91,7 +92,7 @@ public class FileUserRolesStore { public static Path resolveFile(Settings settings, Environment env) { String location = settings.get("files.users_roles"); if (location == null) { - return ShieldPlugin.resolveConfigFile(env, "users_roles"); + return XPackPlugin.resolveConfigFile(env, "users_roles"); } return env.binFile().getParent().resolve(location); } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java index a55ba4e50a1..99c4746aedb 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java @@ -17,6 +17,7 @@ import org.elasticsearch.shield.authc.RealmConfig; import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileWatcher; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.XPackPlugin; import java.io.IOException; import java.io.InputStream; @@ -82,7 +83,7 @@ public class DnRoleMapper { public static Path resolveFile(Settings settings, Environment env) { String location = settings.get(ROLE_MAPPING_FILE_SETTING); if (location == null) { - return ShieldPlugin.resolveConfigFile(env, DEFAULT_FILE_NAME); + return XPackPlugin.resolveConfigFile(env, DEFAULT_FILE_NAME); } return env.binFile().getParent().resolve(location); } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/esnative/ESNativeRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/esnative/ESNativeRolesStore.java index cf7664c2d9f..9d0c6299925 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/esnative/ESNativeRolesStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/esnative/ESNativeRolesStore.java @@ -48,7 +48,7 @@ import org.elasticsearch.shield.authc.AuthenticationService; import org.elasticsearch.shield.authz.RoleDescriptor; import org.elasticsearch.shield.authz.permission.Role; import org.elasticsearch.shield.authz.store.RolesStore; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; import org.elasticsearch.threadpool.ThreadPool; import java.util.ArrayList; @@ -84,7 +84,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore, private final ConcurrentHashMap roleCache = new ConcurrentHashMap<>(); private Client client; - private ShieldClient shieldClient; + private SecurityClient securityClient; private int scrollSize; private TimeValue scrollKeepAlive; private ScheduledFuture versionChecker; @@ -353,7 +353,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore, try { if (state.compareAndSet(State.INITIALIZED, State.STARTING)) { this.client = clientProvider.get(); - this.shieldClient = new ShieldClient(client); + this.securityClient = new SecurityClient(client); this.scrollSize = settings.getAsInt("shield.authc.native.scroll.size", 1000); this.scrollKeepAlive = settings.getAsTime("shield.authc.native.scroll.keep_alive", TimeValue.timeValueSeconds(10L)); TimeValue pollInterval = settings.getAsTime("shield.authc.native.reload.interval", TimeValue.timeValueSeconds(30L)); @@ -407,7 +407,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore, private void clearRoleCache(final String role, ActionListener listener, Response response) { ClearRolesCacheRequest request = new ClearRolesCacheRequest().roles(role); - shieldClient.clearRolesCache(request, new ActionListener() { + securityClient.clearRolesCache(request, new ActionListener() { @Override public void onResponse(ClearRolesCacheResponse nodes) { listener.onResponse(response); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java index ac03a843e4c..e817c5a3e9e 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java @@ -34,6 +34,7 @@ import org.elasticsearch.shield.support.Validation; import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileWatcher; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.XPackPlugin; import java.io.IOException; import java.nio.charset.StandardCharsets; @@ -109,7 +110,7 @@ public class FileRolesStore extends AbstractLifecycleComponent imple public static Path resolveFile(Settings settings, Environment env) { String location = settings.get("shield.authz.store.files.roles"); if (location == null) { - return ShieldPlugin.resolveConfigFile(env, "roles.yml"); + return XPackPlugin.resolveConfigFile(env, "roles.yml"); } return env.binFile().getParent().resolve(location); @@ -285,10 +286,10 @@ public class FileRolesStore extends AbstractLifecycleComponent imple if (token == XContentParser.Token.VALUE_STRING) { names.add(parser.text()); } else { - logger.error("invalid role definition [{}] in roles file [{}]. could " + - "not parse " + - "[{}] as index privilege. privilege names must be strings. " + - "skipping role...", roleName, path.toAbsolutePath(), token); + logger.error("invalid role definition [{}] in roles file [{}]. " + + "could not parse [{}] as index privilege. privilege " + + "names must be strings. skipping role...", roleName, + path.toAbsolutePath(), token); return null; } } @@ -301,26 +302,27 @@ public class FileRolesStore extends AbstractLifecycleComponent imple if (name != null) { if ((query != null || (fields != null && fields.isEmpty() == false)) && ShieldPlugin.flsDlsEnabled(settings) == false) { - logger.error("invalid role definition [{}] in roles file [{}]. document and field" + - " level security is not enabled. set [{}] to [true] in the configuration " + - "file. skipping role...", roleName, path.toAbsolutePath(), ShieldPlugin - .DLS_FLS_ENABLED_SETTING); + logger.error("invalid role definition [{}] in roles file [{}]. " + + "document and field level security is not enabled. " + + "set [{}] to [true] in the configuration file. skipping role...", + roleName, path.toAbsolutePath(), + XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE)); return null; } try { role.add(fields, query, IndexPrivilege.get(name), indices); } catch (IllegalArgumentException e) { - logger.error("invalid role definition [{}] in roles file [{}]. could not resolve " + - "indices privileges [{}]. skipping role...", roleName, + logger.error("invalid role definition [{}] in roles file [{}]. could not " + + "resolve indices privileges [{}]. skipping role...", roleName, path.toAbsolutePath(), name); return null; } } continue; } else { - logger.error("invalid role definition [{}] in roles file [{}]. could not parse [{}] as " + - "index privileges. privilege lists must either " + + logger.error("invalid role definition [{}] in roles file [{}]. " + + "could not parse [{}] as index privileges. privilege lists must either " + "be a comma delimited string or an array of strings. skipping role...", roleName, path.toAbsolutePath(), token); return null; diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldClient.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/SecurityClient.java similarity index 96% rename from elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldClient.java rename to elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/SecurityClient.java index f1c9bc9190c..5c7bb6f02de 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldClient.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/SecurityClient.java @@ -44,19 +44,12 @@ import org.elasticsearch.shield.action.role.ClearRolesCacheResponse; /** * A wrapper to elasticsearch clients that exposes all Shield related APIs */ -public class ShieldClient { +public class SecurityClient { private final ElasticsearchClient client; - private final ShieldAuthcClient authcClient; - public ShieldClient(ElasticsearchClient client) { + public SecurityClient(ElasticsearchClient client) { this.client = client; - this.authcClient = new ShieldAuthcClient(client); - } - - @Deprecated - public ShieldAuthcClient authc() { - return authcClient; } /**************** diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldAuthcClient.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldAuthcClient.java deleted file mode 100644 index 23c228f0903..00000000000 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldAuthcClient.java +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -package org.elasticsearch.shield.client; - -import org.elasticsearch.action.ActionFuture; -import org.elasticsearch.action.ActionListener; -import org.elasticsearch.client.ElasticsearchClient; -import org.elasticsearch.shield.action.realm.ClearRealmCacheAction; -import org.elasticsearch.shield.action.realm.ClearRealmCacheRequest; -import org.elasticsearch.shield.action.realm.ClearRealmCacheRequestBuilder; -import org.elasticsearch.shield.action.realm.ClearRealmCacheResponse; - -/** - * A client to manage Shield's authentication - * - * @deprecated Use {@link ShieldClient} directly instead - */ -@Deprecated -public class ShieldAuthcClient { - - private final ElasticsearchClient client; - - ShieldAuthcClient(ElasticsearchClient client) { - this.client = client; - } - - /** - * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively - * select the realms (by their unique names) and/or users (by their usernames) that should be evicted. - */ - public ClearRealmCacheRequestBuilder prepareClearRealmCache() { - return new ClearRealmCacheRequestBuilder(client); - } - - /** - * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively - * select the realms (by their unique names) and/or users (by their usernames) that should be evicted. - */ - public void clearRealmCache(ClearRealmCacheRequest request, ActionListener listener) { - client.execute(ClearRealmCacheAction.INSTANCE, request, listener); - } - - /** - * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively - * select the realms (by their unique names) and/or users (by their usernames) that should be evicted. - */ - public ActionFuture clearRealmCache(ClearRealmCacheRequest request) { - return client.execute(ClearRealmCacheAction.INSTANCE, request); - } - -} diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java index 22b9ac6b0b9..42f4f0206f6 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java @@ -17,6 +17,7 @@ import org.elasticsearch.shield.authc.support.CharArrays; import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileWatcher; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.XPackPlugin; import javax.crypto.BadPaddingException; import javax.crypto.Cipher; @@ -159,7 +160,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent(channel) { + new SecurityClient(client).clearRealmCache(req, new RestBuilderListener(channel) { @Override public RestResponse buildResponse(ClearRealmCacheResponse response, XContentBuilder builder) throws Exception { response.toXContent(builder, ToXContent.EMPTY_PARAMS); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestAddRoleAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestAddRoleAction.java index 271c50764df..817e73f92ff 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestAddRoleAction.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestAddRoleAction.java @@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.action.support.RestBuilderListener; import org.elasticsearch.shield.action.role.AddRoleRequest; import org.elasticsearch.shield.action.role.AddRoleResponse; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; /** * Rest endpoint to add a Role to the shield index @@ -38,7 +38,7 @@ public class RestAddRoleAction extends BaseRestHandler { AddRoleRequest addRoleReq = new AddRoleRequest(request.content()); addRoleReq.name(request.param("id")); - new ShieldClient(client).addRole(addRoleReq, new RestBuilderListener(channel) { + new SecurityClient(client).addRole(addRoleReq, new RestBuilderListener(channel) { @Override public RestResponse buildResponse(AddRoleResponse addRoleResponse, XContentBuilder builder) throws Exception { return new BytesRestResponse(RestStatus.OK, diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestClearRolesCacheAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestClearRolesCacheAction.java index d8413a60731..20cd6202e44 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestClearRolesCacheAction.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestClearRolesCacheAction.java @@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.action.support.RestBuilderListener; import org.elasticsearch.shield.action.role.ClearRolesCacheRequest; import org.elasticsearch.shield.action.role.ClearRolesCacheResponse; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; import static org.elasticsearch.rest.RestRequest.Method.POST; @@ -42,7 +42,7 @@ public class RestClearRolesCacheAction extends BaseRestHandler { ClearRolesCacheRequest req = new ClearRolesCacheRequest().roles(roles); - new ShieldClient(client).clearRolesCache(req, new RestBuilderListener(channel) { + new SecurityClient(client).clearRolesCache(req, new RestBuilderListener(channel) { @Override public RestResponse buildResponse(ClearRolesCacheResponse response, XContentBuilder builder) throws Exception { response.toXContent(builder, ToXContent.EMPTY_PARAMS); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestDeleteRoleAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestDeleteRoleAction.java index be6079f64eb..51e20978ef4 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestDeleteRoleAction.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestDeleteRoleAction.java @@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.action.support.RestBuilderListener; import org.elasticsearch.shield.action.role.DeleteRoleRequest; import org.elasticsearch.shield.action.role.DeleteRoleResponse; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; /** * Rest endpoint to delete a Role from the shield index @@ -37,7 +37,7 @@ public class RestDeleteRoleAction extends BaseRestHandler { String role = request.param("id"); DeleteRoleRequest delRoleRequest = new DeleteRoleRequest(role); - new ShieldClient(client).deleteRole(delRoleRequest, new RestBuilderListener(channel) { + new SecurityClient(client).deleteRole(delRoleRequest, new RestBuilderListener(channel) { @Override public RestResponse buildResponse(DeleteRoleResponse response, XContentBuilder builder) throws Exception { return new BytesRestResponse(response.found() ? RestStatus.OK : RestStatus.NOT_FOUND, diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestGetRolesAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestGetRolesAction.java index b0700995112..891a3413d18 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestGetRolesAction.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestGetRolesAction.java @@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestResponse; import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.action.support.RestBuilderListener; import org.elasticsearch.shield.action.role.GetRolesResponse; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; /** * Rest endpoint to retrieve a Role from the shield index @@ -38,7 +38,7 @@ public class RestGetRolesAction extends BaseRestHandler { protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception { String[] roles = Strings.splitStringByCommaToArray(request.param("id")); - new ShieldClient(client).prepareGetRoles().roles(roles).execute(new RestBuilderListener(channel) { + new SecurityClient(client).prepareGetRoles().roles(roles).execute(new RestBuilderListener(channel) { @Override public RestResponse buildResponse(GetRolesResponse getRolesResponse, XContentBuilder builder) throws Exception { builder.startObject(); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestAddUserAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestAddUserAction.java index dc7a5a6cde3..4324155f48f 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestAddUserAction.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestAddUserAction.java @@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.action.support.RestBuilderListener; import org.elasticsearch.shield.action.user.AddUserRequest; import org.elasticsearch.shield.action.user.AddUserResponse; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; /** * Rest endpoint to add a User to the shield index @@ -40,7 +40,7 @@ public class RestAddUserAction extends BaseRestHandler { addUserReq.username(request.param("username")); addUserReq.source(request.content()); - new ShieldClient(client).addUser(addUserReq, new RestBuilderListener(channel) { + new SecurityClient(client).addUser(addUserReq, new RestBuilderListener(channel) { @Override public RestResponse buildResponse(AddUserResponse addUserResponse, XContentBuilder builder) throws Exception { return new BytesRestResponse(RestStatus.OK, diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestDeleteUserAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestDeleteUserAction.java index 6bd3ea1016a..a344bac3073 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestDeleteUserAction.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestDeleteUserAction.java @@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.action.support.RestBuilderListener; import org.elasticsearch.shield.action.user.DeleteUserRequest; import org.elasticsearch.shield.action.user.DeleteUserResponse; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; /** * Rest action to delete a user from the shield index @@ -37,7 +37,7 @@ public class RestDeleteUserAction extends BaseRestHandler { String user = request.param("username"); DeleteUserRequest delUserRequest = new DeleteUserRequest(user); - new ShieldClient(client).deleteUser(delUserRequest, new RestBuilderListener(channel) { + new SecurityClient(client).deleteUser(delUserRequest, new RestBuilderListener(channel) { @Override public RestResponse buildResponse(DeleteUserResponse response, XContentBuilder builder) throws Exception { return new BytesRestResponse(response.found() ? RestStatus.OK : RestStatus.NOT_FOUND, diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestGetUsersAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestGetUsersAction.java index 7d6f922ea90..2de7ca9dd1f 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestGetUsersAction.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestGetUsersAction.java @@ -21,7 +21,7 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.rest.action.support.RestBuilderListener; import org.elasticsearch.shield.User; import org.elasticsearch.shield.action.user.GetUsersResponse; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; /** * Rest action to retrieve a user from the shield index @@ -39,7 +39,7 @@ public class RestGetUsersAction extends BaseRestHandler { protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception { String[] users = Strings.splitStringByCommaToArray(request.param("username")); - new ShieldClient(client).prepareGetUsers().users(users).execute(new RestBuilderListener(channel) { + new SecurityClient(client).prepareGetUsers().users(users).execute(new RestBuilderListener(channel) { @Override public RestResponse buildResponse(GetUsersResponse getUsersResponse, XContentBuilder builder) throws Exception { builder.startObject(); diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java index 8727d45293e..c8cc8143133 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java @@ -22,7 +22,7 @@ public abstract class AbstractShieldModule extends AbstractModule { public AbstractShieldModule(Settings settings) { this.settings = settings; this.clientMode = !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey())); - this.shieldEnabled = ShieldPlugin.shieldEnabled(settings); + this.shieldEnabled = ShieldPlugin.enabled(settings); } @Override diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java index 2e7d780906b..2114a2f5984 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java @@ -16,6 +16,7 @@ import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.test.ShieldSettingsSource; import org.elasticsearch.test.rest.client.http.HttpResponse; +import org.elasticsearch.xpack.XPackPlugin; import java.io.IOException; @@ -30,7 +31,7 @@ public class BulkUpdateTests extends ShieldIntegTestCase { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) .put(NetworkModule.HTTP_ENABLED.getKey(), true) - .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, randomBoolean()) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), randomBoolean()) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java index fef3c998e9f..f6ab01f40d6 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java @@ -21,7 +21,7 @@ import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.SecuredStringTests; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.test.ShieldSettingsSource; import org.elasticsearch.test.rest.client.http.HttpRequestBuilder; @@ -140,11 +140,11 @@ public class ClearRealmsCacheTests extends ShieldIntegTestCase { public abstract void executeRequest() throws Exception; static void executeTransportRequest(ClearRealmCacheRequest request) throws Exception { - ShieldClient shieldClient = new ShieldClient(client()); + SecurityClient securityClient = securityClient(client()); final CountDownLatch latch = new CountDownLatch(1); final AtomicReference error = new AtomicReference<>(); - shieldClient.clearRealmCache(request, new ActionListener() { + securityClient.clearRealmCache(request, new ActionListener() { @Override public void onResponse(ClearRealmCacheResponse response) { assertThat(response.getNodes().length, equalTo(internalCluster().getNodeNames().length)); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java index 5bea6bd39a0..a150ec8eb8d 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java @@ -21,7 +21,7 @@ import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authc.support.UsernamePasswordToken; import org.elasticsearch.shield.authz.RoleDescriptor; import org.elasticsearch.shield.authz.esnative.ESNativeRolesStore; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.test.ShieldSettingsSource; import org.elasticsearch.test.junit.annotations.TestLogging; @@ -57,7 +57,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase { @Before public void setupForTest() throws Exception { // Clear the realm cache for all realms since we use a SUITE scoped cluster - ShieldClient client = new ShieldClient(internalCluster().transportClient()); + SecurityClient client = securityClient(internalCluster().transportClient()); client.prepareClearRealmCache().get(); for (ESNativeUsersStore store : internalCluster().getInstances(ESNativeUsersStore.class)) { @@ -78,7 +78,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase { }); } - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); // create roles for (String role : roles) { c.prepareAddRole().name(role) @@ -109,13 +109,13 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase { public void testModifyingViaApiClearsCache() throws Exception { Client client = internalCluster().transportClient(); - ShieldClient shieldClient = new ShieldClient(client); + SecurityClient securityClient = securityClient(client); int modifiedRolesCount = randomIntBetween(1, roles.length); List toModify = randomSubsetOf(modifiedRolesCount, roles); logger.debug("--> modifying roles {} to have run_as", toModify); for (String role : toModify) { - AddRoleResponse response = shieldClient.prepareAddRole().name(role) + AddRoleResponse response = securityClient.prepareAddRole().name(role) .cluster("none") .addIndices(new String[] { "*" }, new String[] { "ALL" }, null, null) .runAs(role) @@ -124,7 +124,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase { logger.debug("--> updated role [{}] with run_as", role); } - assertRolesAreCorrect(shieldClient, toModify); + assertRolesAreCorrect(securityClient, toModify); } public void testModifyingDocumentsDirectly() throws Exception { @@ -144,7 +144,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase { // in this test, the poller runs too frequently to check the cache still has roles without run as // clear the cache and we should definitely see the latest values! - ShieldClient shieldClient = new ShieldClient(client); + SecurityClient securityClient = securityClient(client); final boolean useHttp = randomBoolean(); final boolean clearAll = randomBoolean(); logger.debug("--> starting to clear roles. using http [{}] clearing all [{}]", useHttp, clearAll); @@ -163,18 +163,18 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase { .execute(); assertThat(response.getStatusCode(), is(RestStatus.OK.getStatus())); } else { - shieldClient.prepareClearRolesCache().roles(rolesToClear).get(); + securityClient.prepareClearRolesCache().roles(rolesToClear).get(); } - assertRolesAreCorrect(shieldClient, toModify); + assertRolesAreCorrect(securityClient, toModify); } public void testDeletingRoleDocumentDirectly() throws Exception { Client client = internalCluster().transportClient(); - ShieldClient shieldClient = new ShieldClient(client); + SecurityClient securityClient = securityClient(client); final String role = randomFrom(roles); - List foundRoles = shieldClient.prepareGetRoles().roles(role).get().roles(); + List foundRoles = securityClient.prepareGetRoles().roles(role).get().roles(); assertThat(foundRoles.size(), is(1)); logger.debug("--> deleting role [{}]", role); DeleteResponse response = client.prepareDelete(ShieldTemplateService.SHIELD_ADMIN_INDEX_NAME, @@ -184,15 +184,15 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase { assertBusy(new Runnable() { @Override public void run() { - assertThat(shieldClient.prepareGetRoles().roles(role).get().roles().isEmpty(), is(true)); + assertThat(securityClient.prepareGetRoles().roles(role).get().roles().isEmpty(), is(true)); } }); } - private void assertRolesAreCorrect(ShieldClient shieldClient, List toModify) { + private void assertRolesAreCorrect(SecurityClient securityClient, List toModify) { for (String role : roles) { logger.debug("--> getting role [{}]", role); - GetRolesResponse roleResponse = shieldClient.prepareGetRoles().roles(role).get(); + GetRolesResponse roleResponse = securityClient.prepareGetRoles().roles(role).get(); assertThat(roleResponse.isExists(), is(true)); final String[] runAs = roleResponse.roles().get(0).getRunAs(); if (toModify.contains(role)) { diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java index d7a4a6e7818..e7e7375246e 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java @@ -12,6 +12,7 @@ import org.elasticsearch.shield.ShieldPlugin; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; +import org.elasticsearch.xpack.XPackPlugin; import java.util.Collections; @@ -75,7 +76,7 @@ public class DocumentAndFieldLevelSecurityTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java index 00fd7215e93..98cfa160d1d 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java @@ -14,6 +14,7 @@ import org.elasticsearch.shield.ShieldPlugin; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; +import org.elasticsearch.xpack.XPackPlugin; import java.util.ArrayList; import java.util.Collections; @@ -74,7 +75,7 @@ public class DocumentLevelSecurityRandomTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java index 1074894545b..3dce5078b84 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java @@ -28,6 +28,7 @@ import org.elasticsearch.shield.ShieldPlugin; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; +import org.elasticsearch.xpack.XPackPlugin; import java.util.Collections; @@ -87,7 +88,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java index 7b7d30aa528..dc509398bcb 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java @@ -14,6 +14,7 @@ import org.elasticsearch.shield.ShieldPlugin; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; +import org.elasticsearch.xpack.XPackPlugin; import java.util.ArrayList; import java.util.Collections; @@ -111,7 +112,7 @@ public class FieldLevelSecurityRandomTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java index adb16598d92..8a061c42612 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java @@ -28,6 +28,7 @@ import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ESIntegTestCase; import org.elasticsearch.test.ShieldIntegTestCase; +import org.elasticsearch.xpack.XPackPlugin; import java.util.Collections; @@ -116,7 +117,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java index be5eafa40f1..499dda7a6c9 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java @@ -12,6 +12,7 @@ import org.elasticsearch.shield.ShieldPlugin; import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.test.ShieldIntegTestCase; +import org.elasticsearch.xpack.XPackPlugin; import java.util.Collections; @@ -60,7 +61,7 @@ public class IndicesPermissionsWithAliasesWildcardsAndRegexsTests extends Shield public Settings nodeSettings(int nodeOrdinal) { return Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java index 973ff9865d3..3bd96b1bd80 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java @@ -66,7 +66,7 @@ public class ShieldPluginEnabledDisabledTests extends ShieldIntegTestCase { logger.info("******* shield is " + (enabled ? "enabled" : "disabled")); return Settings.settingsBuilder() .put(super.nodeSettings(nodeOrdinal)) - .put(ShieldPlugin.ENABLED_SETTING_NAME, enabled) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), enabled) .put(NetworkModule.HTTP_ENABLED.getKey(), true) .build(); } @@ -75,7 +75,7 @@ public class ShieldPluginEnabledDisabledTests extends ShieldIntegTestCase { protected Settings transportClientSettings() { return Settings.settingsBuilder() .put(super.transportClientSettings()) - .put(ShieldPlugin.ENABLED_SETTING_NAME, enabled) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), enabled) .build(); } diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java index 094179b522a..c24031e9cee 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java @@ -7,6 +7,7 @@ package org.elasticsearch.shield; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.XPackPlugin; import static org.hamcrest.CoreMatchers.containsString; import static org.hamcrest.CoreMatchers.equalTo; @@ -14,8 +15,9 @@ import static org.hamcrest.CoreMatchers.notNullValue; import static org.hamcrest.Matchers.arrayContaining; public class ShieldPluginSettingsTests extends ESTestCase { - private static final String TRIBE_T1_SHIELD_ENABLED = "tribe.t1." + ShieldPlugin.ENABLED_SETTING_NAME; - private static final String TRIBE_T2_SHIELD_ENABLED = "tribe.t2." + ShieldPlugin.ENABLED_SETTING_NAME; + + private static final String TRIBE_T1_SHIELD_ENABLED = "tribe.t1." + XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME); + private static final String TRIBE_T2_SHIELD_ENABLED = "tribe.t2." + XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME); public void testShieldIsMandatoryOnTribes() { Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing") @@ -26,8 +28,8 @@ public class ShieldPluginSettingsTests extends ESTestCase { Settings additionalSettings = shieldPlugin.additionalSettings(); - assertThat(additionalSettings.getAsArray("tribe.t1.plugin.mandatory", null), arrayContaining(ShieldPlugin.NAME)); - assertThat(additionalSettings.getAsArray("tribe.t2.plugin.mandatory", null), arrayContaining(ShieldPlugin.NAME)); + assertThat(additionalSettings.getAsArray("tribe.t1.plugin.mandatory", null), arrayContaining(XPackPlugin.NAME)); + assertThat(additionalSettings.getAsArray("tribe.t2.plugin.mandatory", null), arrayContaining(XPackPlugin.NAME)); } public void testAdditionalMandatoryPluginsOnTribes() { @@ -41,14 +43,14 @@ public class ShieldPluginSettingsTests extends ESTestCase { Settings.builder().put(settings).put(shieldPlugin.additionalSettings()).build(); fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown"); } catch (IllegalStateException e) { - assertThat(e.getMessage(), containsString("shield")); + assertThat(e.getMessage(), containsString(XPackPlugin.NAME)); assertThat(e.getMessage(), containsString("plugin.mandatory")); } } public void testMandatoryPluginsOnTribesShieldAlreadyMandatory() { Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing") - .putArray("tribe.t1.plugin.mandatory", "test_plugin", ShieldPlugin.NAME).build(); + .putArray("tribe.t1.plugin.mandatory", "test_plugin", XPackPlugin.NAME).build(); ShieldPlugin shieldPlugin = new ShieldPlugin(settings); @@ -59,7 +61,7 @@ public class ShieldPluginSettingsTests extends ESTestCase { assertThat(finalMandatoryPlugins, notNullValue()); assertThat(finalMandatoryPlugins.length, equalTo(2)); assertThat(finalMandatoryPlugins[0], equalTo("test_plugin")); - assertThat(finalMandatoryPlugins[1], equalTo(ShieldPlugin.NAME)); + assertThat(finalMandatoryPlugins[1], equalTo(XPackPlugin.NAME)); } public void testShieldIsEnabledByDefaultOnTribes() { @@ -93,7 +95,7 @@ public class ShieldPluginSettingsTests extends ESTestCase { Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing") .put(TRIBE_T1_SHIELD_ENABLED, false) .put("tribe.t2.cluster.name", "non_existing") - .putArray("tribe.t1.plugin.mandatory", "test_plugin", ShieldPlugin.NAME).build(); + .putArray("tribe.t1.plugin.mandatory", "test_plugin", XPackPlugin.NAME).build(); ShieldPlugin shieldPlugin = new ShieldPlugin(settings); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java index a61279719ca..487afd0bc0b 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java @@ -42,6 +42,7 @@ import org.elasticsearch.transport.Transport; import org.elasticsearch.transport.TransportInfo; import org.elasticsearch.transport.TransportMessage; import org.elasticsearch.transport.TransportRequest; +import org.elasticsearch.xpack.XPackPlugin; import org.joda.time.DateTime; import org.joda.time.DateTimeZone; import org.joda.time.format.ISODateTimeFormat; @@ -166,13 +167,15 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase { public Settings nodeSettings(int nodeOrdinal) { Settings.Builder builder = Settings.builder() .put(super.nodeSettings(nodeOrdinal)) - .put(ShieldPlugin.ENABLED_SETTING_NAME, useShield); - // For tests we forcefully configure Shield's custom query cache because the test framework randomizes the query - // cache impl, - // but if shield is disabled then we don't need to forcefully set the query cache + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), useShield); + + // For tests we forcefully configure Shield's custom query cache because the test framework + // randomizes the query cache impl but if shield is disabled then we don't need to forcefully + // set the query cache if (useShield == false) { builder.remove(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey()); } + return builder.build(); } }; @@ -188,7 +191,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase { Settings.Builder builder = Settings.builder() .put(settings) - .put(ShieldPlugin.ENABLED_SETTING_NAME, useShield) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), useShield) .put(remoteSettings(NetworkAddress.formatAddress(inet.address().getAddress()), inet.address().getPort(), cluster2Name)) .put("shield.audit.index.client.shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ESNativeTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ESNativeTests.java index 5612b38e5bf..ec7375653ba 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ESNativeTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ESNativeTests.java @@ -22,7 +22,7 @@ import org.elasticsearch.shield.authc.support.SecuredString; import org.elasticsearch.shield.authz.RoleDescriptor; import org.elasticsearch.shield.authz.esnative.ESNativeRolesStore; import org.elasticsearch.shield.authz.permission.Role; -import org.elasticsearch.shield.client.ShieldClient; +import org.elasticsearch.shield.client.SecurityClient; import org.elasticsearch.test.ShieldIntegTestCase; import org.elasticsearch.test.ShieldSettingsSource; import org.junit.After; @@ -43,7 +43,7 @@ import static org.hamcrest.Matchers.isOneOf; public class ESNativeTests extends ShieldIntegTestCase { public void testDeletingNonexistingUserAndRole() throws Exception { - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); DeleteUserResponse resp = c.prepareDeleteUser().user("joe").get(); assertFalse("user shouldn't be found", resp.found()); DeleteRoleResponse resp2 = c.prepareDeleteRole().role("role").get(); @@ -51,7 +51,7 @@ public class ESNativeTests extends ShieldIntegTestCase { } public void testGettingUserThatDoesntExist() throws Exception { - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); GetUsersResponse resp = c.prepareGetUsers().users("joe").get(); assertFalse("user should not exist", resp.isExists()); GetRolesResponse resp2 = c.prepareGetRoles().roles("role").get(); @@ -59,7 +59,7 @@ public class ESNativeTests extends ShieldIntegTestCase { } public void testAddAndGetUser() throws Exception { - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); logger.error("--> creating user"); c.prepareAddUser() .username("joe") @@ -117,7 +117,7 @@ public class ESNativeTests extends ShieldIntegTestCase { } public void testAddAndGetRole() throws Exception { - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); logger.error("--> creating role"); c.prepareAddRole() .name("test_role") @@ -171,7 +171,7 @@ public class ESNativeTests extends ShieldIntegTestCase { } public void testAddUserAndRoleThenAuth() throws Exception { - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); logger.error("--> creating role"); c.prepareAddRole() .name("test_role") @@ -204,7 +204,7 @@ public class ESNativeTests extends ShieldIntegTestCase { } public void testUpdatingUserAndAuthentication() throws Exception { - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); logger.error("--> creating user"); c.prepareAddUser() .username("joe") @@ -248,7 +248,7 @@ public class ESNativeTests extends ShieldIntegTestCase { } public void testCreateDeleteAuthenticate() { - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); logger.error("--> creating user"); c.prepareAddUser() .username("joe") @@ -285,7 +285,7 @@ public class ESNativeTests extends ShieldIntegTestCase { public void testCreateAndUpdateRole() { final boolean authenticate = randomBoolean(); - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); logger.error("--> creating role"); c.prepareAddRole() .name("test_role") @@ -340,7 +340,7 @@ public class ESNativeTests extends ShieldIntegTestCase { } public void testAuthenticateWithDeletedRole() { - ShieldClient c = new ShieldClient(client()); + SecurityClient c = securityClient(); logger.error("--> creating role"); c.prepareAddRole() .name("test_role") @@ -373,7 +373,7 @@ public class ESNativeTests extends ShieldIntegTestCase { @Before public void ensureStoresStarted() throws Exception { // Clear the realm cache for all realms since we use a SUITE scoped cluster - ShieldClient client = new ShieldClient(client()); + SecurityClient client = securityClient(); client.prepareClearRealmCache().get(); for (ESNativeUsersStore store : internalCluster().getInstances(ESNativeUsersStore.class)) { diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java index e6e35f156bf..c848082c3bd 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java @@ -19,6 +19,7 @@ import org.elasticsearch.shield.authz.privilege.IndexPrivilege; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.XPackPlugin; import java.io.BufferedWriter; import java.io.OutputStream; @@ -52,8 +53,9 @@ public class FileRolesStoreTests extends ESTestCase { public void testParseFile() throws Exception { Path path = getDataPath("roles.yml"); - Map roles = FileRolesStore.parseFile(path, logger, - Settings.builder().put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true).build()); + Map roles = FileRolesStore.parseFile(path, logger, Settings.builder() + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true) + .build()); assertThat(roles, notNullValue()); assertThat(roles.size(), is(10)); @@ -208,8 +210,9 @@ public class FileRolesStoreTests extends ESTestCase { public void testParseFileWithFLSAndDLSDisabled() throws Exception { Path path = getDataPath("roles.yml"); CapturingLogger logger = new CapturingLogger(CapturingLogger.Level.ERROR); - Map roles = FileRolesStore.parseFile(path, - logger, Settings.builder().put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, false).build()); + Map roles = FileRolesStore.parseFile(path, logger, Settings.builder() + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), false) + .build()); assertThat(roles, notNullValue()); assertThat(roles.size(), is(7)); assertThat(roles.get("role_fields"), nullValue()); diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java index c64d396d8c1..49a98d873d1 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java @@ -15,9 +15,11 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.shield.InternalClient; import org.elasticsearch.shield.authc.support.SecuredString; +import org.elasticsearch.shield.client.SecurityClient; import org.elasticsearch.test.ESIntegTestCase.SuppressLocalMode; import org.elasticsearch.test.transport.AssertingLocalTransport; import org.elasticsearch.test.transport.MockTransportService; +import org.elasticsearch.xpack.XPackClient; import org.elasticsearch.xpack.XPackPlugin; import org.junit.AfterClass; import org.junit.Before; @@ -267,6 +269,7 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase { } private class CustomShieldSettingsSource extends ShieldSettingsSource { + private CustomShieldSettingsSource(boolean sslTransportEnabled, Path configDir, Scope scope) { super(maxNumberOfNodes(), sslTransportEnabled, configDir, scope); } @@ -339,4 +342,12 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase { protected InternalClient internalClient(String node) { return internalCluster().getInstance(InternalClient.class, node); } + + protected SecurityClient securityClient() { + return securityClient(client()); + } + + public static SecurityClient securityClient(Client client) { + return randomBoolean() ? new XPackClient(client).security() : new SecurityClient(client); + } } \ No newline at end of file diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java index 9657eb254ea..8c2a99377cb 100644 --- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java +++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java @@ -9,6 +9,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.shield.ShieldPlugin; import org.elasticsearch.shield.transport.ShieldServerTransportService; import org.elasticsearch.test.ShieldIntegTestCase; +import org.elasticsearch.xpack.XPackPlugin; import java.util.Map; @@ -21,7 +22,7 @@ public class ShieldServerTransportServiceTests extends ShieldIntegTestCase { protected Settings transportClientSettings() { return Settings.settingsBuilder() .put(super.transportClientSettings()) - .put(ShieldPlugin.ENABLED_SETTING_NAME, true) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), true) .build(); } diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackClient.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackClient.java new file mode 100644 index 00000000000..9719a880d99 --- /dev/null +++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackClient.java @@ -0,0 +1,57 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.xpack; + +import org.elasticsearch.client.Client; +import org.elasticsearch.shield.authc.support.SecuredString; +import org.elasticsearch.shield.authc.support.UsernamePasswordToken; +import org.elasticsearch.shield.client.SecurityClient; +import org.elasticsearch.watcher.client.WatcherClient; + +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; + +import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER; +import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue; + +/** + * + */ +public class XPackClient { + + private final Client client; + private final SecurityClient securityClient; + private final WatcherClient watcherClient; + + public XPackClient(Client client) { + this.client = client; + this.securityClient = new SecurityClient(client); + this.watcherClient = new WatcherClient(client); + } + + public SecurityClient security() { + return securityClient; + } + + public WatcherClient watcher() { + return watcherClient; + } + + public XPackClient withHeaders(Map headers) { + return new XPackClient(client.filterWithHeader(headers)); + } + + /** + * Returns a client that will call xpack APIs on behalf of the given user. + * + * @param username The username of the user + * @param passwd The password of the user. This char array can be cleared after calling this method. + */ + public XPackClient withAuth(String username, char[] passwd) { + return withHeaders(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue(username, new SecuredString(passwd)))); + } +} diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java index 8f16b84b28d..a9e7810a700 100644 --- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java +++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java @@ -7,13 +7,13 @@ package org.elasticsearch.xpack; import org.elasticsearch.SpecialPermission; import org.elasticsearch.action.ActionModule; +import org.elasticsearch.client.Client; import org.elasticsearch.common.component.LifecycleComponent; import org.elasticsearch.common.inject.Module; -import org.elasticsearch.common.logging.ESLogger; -import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.SettingsModule; +import org.elasticsearch.env.Environment; import org.elasticsearch.index.IndexModule; import org.elasticsearch.license.plugin.LicensePlugin; import org.elasticsearch.marvel.MarvelPlugin; @@ -22,6 +22,7 @@ import org.elasticsearch.script.ScriptModule; import org.elasticsearch.shield.ShieldPlugin; import org.elasticsearch.watcher.WatcherPlugin; +import java.nio.file.Path; import java.security.AccessController; import java.security.PrivilegedAction; import java.util.ArrayList; @@ -29,9 +30,7 @@ import java.util.Collection; public class XPackPlugin extends Plugin { - public static final String NAME = "x-pack"; - - private final static ESLogger logger = Loggers.getLogger(XPackPlugin.class); + public static final String NAME = "xpack"; // TODO: clean up this library to not ask for write access to all system properties! static { @@ -143,4 +142,30 @@ public class XPackPlugin extends Plugin { watcherPlugin.onIndexModule(module); marvelPlugin.onIndexModule(module); } + + public static boolean transportClientMode(Settings settings) { + return !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey())); + } + + public static Path resolveConfigFile(Environment env, String name) { + return env.configFile().resolve(NAME).resolve(name); + } + + /** + * A consistent way to enable disable features using the following setting: + * + * {@code "xpack..enabled": true | false} + * + * Also supports the following setting as a fallback (for BWC with 1.x/2.x): + * + * {@code ".enabled": true | false} + */ + public static boolean featureEnabled(Settings settings, String featureName, boolean defaultValue) { + return settings.getAsBoolean(featureEnabledSetting(featureName), + settings.getAsBoolean(featureName + ".enabled", defaultValue)); // for bwc + } + + public static String featureEnabledSetting(String featureName) { + return NAME + "." + featureName + ".enabled"; + } } diff --git a/elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/10_basic.yaml b/elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/10_basic.yaml index 0a63d701d09..88059b5d5b3 100644 --- a/elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/10_basic.yaml +++ b/elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/10_basic.yaml @@ -10,4 +10,4 @@ - do: nodes.info: {} - - match: { nodes.$master.plugins.0.name: x-pack } + - match: { nodes.$master.plugins.0.name: xpack } diff --git a/elasticsearch/x-pack/watcher/bin/watcher/.in.bat b/elasticsearch/x-pack/watcher/bin/watcher/.in.bat index 3fd70a04222..638065040a6 100644 --- a/elasticsearch/x-pack/watcher/bin/watcher/.in.bat +++ b/elasticsearch/x-pack/watcher/bin/watcher/.in.bat @@ -76,7 +76,7 @@ REM JAVA_OPTS=%JAVA_OPTS% -XX:HeapDumpPath=$ES_HOME/logs/heapdump.hprof REM Disables explicit GC set JAVA_OPTS=%JAVA_OPTS% -XX:+DisableExplicitGC -set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/elasticsearch-1.4.0-SNAPSHOT.jar;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/x-pack/* +set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/xpack/* set ES_PARAMS=-Des.path.home="%ES_HOME%" SET HOSTNAME=%COMPUTERNAME% diff --git a/elasticsearch/x-pack/watcher/bin/watcher/croneval b/elasticsearch/x-pack/watcher/bin/watcher/croneval index 27e8e02c92b..228f4233760 100755 --- a/elasticsearch/x-pack/watcher/bin/watcher/croneval +++ b/elasticsearch/x-pack/watcher/bin/watcher/croneval @@ -114,7 +114,7 @@ fi export HOSTNAME=`hostname -s` # include watcher jars in classpath -ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*" +ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/xpack/*" cd "$ES_HOME" > /dev/null $JAVA $ES_JAVA_OPTS -cp "$ES_CLASSPATH" org.elasticsearch.watcher.trigger.schedule.tool.CronEvalTool "$@" $properties diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java index 53da3a35380..f01a8192f48 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java @@ -22,6 +22,8 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.SettingsModule; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.script.ScriptModule; +import org.elasticsearch.shield.ShieldPlugin; +import org.elasticsearch.shield.authz.privilege.ClusterPrivilege; import org.elasticsearch.watcher.actions.WatcherActionModule; import org.elasticsearch.watcher.actions.email.service.EmailService; import org.elasticsearch.watcher.actions.email.service.InternalEmailService; @@ -50,8 +52,7 @@ import org.elasticsearch.watcher.rest.action.RestPutWatchAction; import org.elasticsearch.watcher.rest.action.RestWatchServiceAction; import org.elasticsearch.watcher.rest.action.RestWatcherInfoAction; import org.elasticsearch.watcher.rest.action.RestWatcherStatsAction; -import org.elasticsearch.watcher.shield.ShieldSecretService; -import org.elasticsearch.watcher.shield.WatcherShieldModule; +import org.elasticsearch.watcher.support.secret.SecretService; import org.elasticsearch.watcher.support.WatcherIndexTemplateRegistry.TemplateConfig; import org.elasticsearch.watcher.support.clock.ClockModule; import org.elasticsearch.watcher.support.http.HttpClient; @@ -120,8 +121,15 @@ public class WatcherPlugin extends Plugin { transportClient = "transport".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey())); enabled = watcherEnabled(settings); validAutoCreateIndex(settings); + + // adding the watcher privileges to shield + if (ShieldPlugin.enabled(settings)) { + registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*"); + registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*"); + } } + @Override public String name() { return NAME; } @@ -152,7 +160,6 @@ public class WatcherPlugin extends Plugin { new WatcherActionModule(), new HistoryModule(), new ExecutionModule(), - new WatcherShieldModule(settings), new SecretModule(settings)); } @@ -204,7 +211,8 @@ public class WatcherPlugin extends Plugin { module.registerSetting(Setting.intSetting("watcher.execution.scroll.size", 0, false, CLUSTER)); module.registerSetting(Setting.intSetting("watcher.watch.scroll.size", 0, false, CLUSTER)); module.registerSetting(Setting.boolSetting("watcher.enabled", false, false, CLUSTER)); - module.registerSetting(ShieldSecretService.ENCRYPT_SENSITIVE_DATA_SETTING); + module.registerSetting(SecretService.Secure.ENCRYPT_SENSITIVE_DATA_SETTING); + // TODO add real settings for these module.registerSetting(Setting.simpleString("resource.reload.interval", false, CLUSTER)); module.registerSetting(Setting.simpleString("resource.reload.enabled", false, CLUSTER)); @@ -328,4 +336,16 @@ public class WatcherPlugin extends Plugin { "[.watcher-history-YYYY.MM.dd] are allowed to be created", value); } + void registerClusterPrivilege(String name, String... patterns) { + try { + ClusterPrivilege.addCustom(name, patterns); + } catch (Exception se) { + logger.warn("could not register cluster privilege [{}]", name); + + // we need to prevent bubbling the shield exception here for the tests. In the tests + // we create multiple nodes in the same jvm and since the custom cluster is a static binding + // multiple nodes will try to add the same privileges multiple times. + } + } + } diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldSecretService.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldSecretService.java deleted file mode 100644 index b33df1b85c5..00000000000 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldSecretService.java +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -package org.elasticsearch.watcher.shield; - -import org.elasticsearch.common.component.AbstractComponent; -import org.elasticsearch.common.inject.Inject; -import org.elasticsearch.common.settings.Setting; -import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.shield.crypto.CryptoService; -import org.elasticsearch.watcher.support.secret.SecretService; - -/** - * - */ -public class ShieldSecretService extends AbstractComponent implements SecretService { - - private final CryptoService cryptoService; - private final boolean encryptSensitiveData; - public static final Setting ENCRYPT_SENSITIVE_DATA_SETTING = - Setting.boolSetting("watcher.shield.encrypt_sensitive_data", false, false, Setting.Scope.CLUSTER); - - @Inject - public ShieldSecretService(Settings settings, CryptoService cryptoService) { - super(settings); - this.encryptSensitiveData = ENCRYPT_SENSITIVE_DATA_SETTING.get(settings); - this.cryptoService = cryptoService; - } - - @Override - public char[] encrypt(char[] text) { - return encryptSensitiveData ? cryptoService.encrypt(text) : text; - } - - @Override - public char[] decrypt(char[] text) { - return encryptSensitiveData ? cryptoService.decrypt(text) : text; - } -} diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java deleted file mode 100644 index 0814592e734..00000000000 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java +++ /dev/null @@ -1,45 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ -package org.elasticsearch.watcher.shield; - -import org.elasticsearch.common.inject.AbstractModule; -import org.elasticsearch.common.logging.ESLogger; -import org.elasticsearch.common.logging.Loggers; -import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.shield.ShieldPlugin; -import org.elasticsearch.shield.authz.privilege.ClusterPrivilege; - -/** - * - */ -public class WatcherShieldModule extends AbstractModule { - - private final ESLogger logger; - - public WatcherShieldModule(Settings settings) { - this.logger = Loggers.getLogger(WatcherShieldModule.class, settings); - if (ShieldPlugin.shieldEnabled(settings)) { - registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*"); - registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*"); - } - } - - void registerClusterPrivilege(String name, String... patterns) { - try { - ClusterPrivilege.addCustom(name, patterns); - } catch (Exception se) { - logger.warn("could not register cluster privilege [{}]", name); - - // we need to prevent bubbling the shield exception here for the tests. In the tests - // we create multiple nodes in the same jvm and since the custom cluster is a static binding - // multiple nodes will try to add the same privileges multiple times. - } - } - - @Override - protected void configure() { - } -} diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java index 4bbd538f91d..459b5b8b423 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java @@ -8,7 +8,6 @@ package org.elasticsearch.watcher.support.secret; import org.elasticsearch.common.inject.AbstractModule; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.shield.ShieldPlugin; -import org.elasticsearch.watcher.shield.ShieldSecretService; /** * @@ -18,17 +17,16 @@ public class SecretModule extends AbstractModule { private final boolean shieldEnabled; public SecretModule(Settings settings) { - shieldEnabled = ShieldPlugin.shieldEnabled(settings); + shieldEnabled = ShieldPlugin.enabled(settings); } @Override protected void configure() { if (shieldEnabled) { - bind(ShieldSecretService.class).asEagerSingleton(); - bind(SecretService.class).to(ShieldSecretService.class); + bind(SecretService.Secure.class).asEagerSingleton(); + bind(SecretService.class).to(SecretService.Secure.class); } else { - bind(SecretService.PlainText.class).asEagerSingleton(); - bind(SecretService.class).to(SecretService.PlainText.class); + bind(SecretService.class).toInstance(SecretService.Insecure.INSTANCE); } } } diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretService.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretService.java index 50018a97ba5..21da6d5d874 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretService.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretService.java @@ -5,6 +5,12 @@ */ package org.elasticsearch.watcher.support.secret; +import org.elasticsearch.common.component.AbstractComponent; +import org.elasticsearch.common.inject.Inject; +import org.elasticsearch.common.settings.Setting; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.shield.crypto.CryptoService; + /** * */ @@ -14,7 +20,12 @@ public interface SecretService { char[] decrypt(char[] text); - class PlainText implements SecretService { + class Insecure implements SecretService { + + public static final Insecure INSTANCE = new Insecure(); + + Insecure() { + } @Override public char[] encrypt(char[] text) { @@ -26,4 +37,31 @@ public interface SecretService { return text; } } + + /** + * + */ + class Secure extends AbstractComponent implements SecretService { + + private final CryptoService cryptoService; + private final boolean encryptSensitiveData; + public static final Setting ENCRYPT_SENSITIVE_DATA_SETTING = + Setting.boolSetting("watcher.shield.encrypt_sensitive_data", false, false, Setting.Scope.CLUSTER); + @Inject + public Secure(Settings settings, CryptoService cryptoService) { + super(settings); + this.encryptSensitiveData = ENCRYPT_SENSITIVE_DATA_SETTING.get(settings); + this.cryptoService = cryptoService; + } + + @Override + public char[] encrypt(char[] text) { + return encryptSensitiveData ? cryptoService.encrypt(text) : text; + } + + @Override + public char[] decrypt(char[] text) { + return encryptSensitiveData ? cryptoService.decrypt(text) : text; + } + } } diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/watch/Watch.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/watch/Watch.java index 89c222df001..bb4be83179e 100644 --- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/watch/Watch.java +++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/watch/Watch.java @@ -257,7 +257,7 @@ public class Watch implements TriggerEngine.Job, ToXContent { * Such that the returned watch will potentially hide this sensitive data behind a "secret". A secret * is an abstraction around sensitive data (text). There can be different implementations of how the * secret holds the data, depending on the wired up {@link SecretService}. When shield is installed, a - * {@link org.elasticsearch.watcher.shield.ShieldSecretService} is used, that potentially encrypts the data + * {@link SecretService.Secure} is used, that potentially encrypts the data * using Shield's configured system key. * * This method is only called once - when the user adds a new watch. From that moment on, all representations diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java index 96fba98ef3f..b5b8d565fa1 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java @@ -41,8 +41,10 @@ public class WatcherPluginDisableTests extends ESIntegTestCase { return Settings.settingsBuilder() .put(super.nodeSettings(nodeOrdinal)) .put(WatcherPlugin.ENABLED_SETTING, false) + // disable shield because of query cache check and authentication/authorization - .put(ShieldPlugin.ENABLED_SETTING_NAME, false) + .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), false) + .put(NetworkModule.HTTP_ENABLED.getKey(), true) .build(); } diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/EmailSecretsIntegrationTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/EmailSecretsIntegrationTests.java index f653f5f95b3..e5443888238 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/EmailSecretsIntegrationTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/EmailSecretsIntegrationTests.java @@ -12,7 +12,6 @@ import org.elasticsearch.watcher.actions.email.service.EmailTemplate; import org.elasticsearch.watcher.actions.email.service.support.EmailServer; import org.elasticsearch.watcher.client.WatcherClient; import org.elasticsearch.watcher.execution.ActionExecutionMode; -import org.elasticsearch.watcher.shield.ShieldSecretService; import org.elasticsearch.watcher.support.secret.SecretService; import org.elasticsearch.watcher.support.xcontent.XContentSource; import org.elasticsearch.watcher.test.AbstractWatcherIntegrationTestCase; @@ -100,15 +99,15 @@ public class EmailSecretsIntegrationTests extends AbstractWatcherIntegrationTest if (shieldEnabled() && encryptSensitiveData) { assertThat(value, not(is((Object) PASSWORD))); SecretService secretService = getInstanceFromMaster(SecretService.class); - assertThat(secretService, instanceOf(ShieldSecretService.class)); + assertThat(secretService, instanceOf(SecretService.Secure.class)); assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD)); } else { assertThat(value, is((Object) PASSWORD)); SecretService secretService = getInstanceFromMaster(SecretService.class); if (shieldEnabled()) { - assertThat(secretService, instanceOf(ShieldSecretService.class)); + assertThat(secretService, instanceOf(SecretService.Secure.class)); } else { - assertThat(secretService, instanceOf(SecretService.PlainText.class)); + assertThat(secretService, instanceOf(SecretService.Insecure.class)); } assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD)); } diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountTests.java index af77a319400..bc3d335e3fd 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountTests.java @@ -160,7 +160,7 @@ public class AccountTests extends ESTestCase { .put("smtp.port", server.port()) .put("smtp.user", USERNAME) .put("smtp.password", PASSWORD) - .build()), new SecretService.PlainText(), logger); + .build()), SecretService.Insecure.INSTANCE, logger); Email email = Email.builder() .id("_id") @@ -197,7 +197,7 @@ public class AccountTests extends ESTestCase { .put("smtp.port", server.port()) .put("smtp.user", USERNAME) .put("smtp.password", PASSWORD) - .build()), new SecretService.PlainText(), logger); + .build()), SecretService.Insecure.INSTANCE, logger); Email email = Email.builder() .id("_id") @@ -237,7 +237,7 @@ public class AccountTests extends ESTestCase { Account account = new Account(new Account.Config("default", Settings.builder() .put("smtp.host", "localhost") .put("smtp.port", server.port()) - .build()), new SecretService.PlainText(), logger); + .build()), SecretService.Insecure.INSTANCE, logger); Email email = Email.builder() .id("_id") diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountsTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountsTests.java index 704b7dc8871..7f857404f86 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountsTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountsTests.java @@ -24,7 +24,7 @@ public class AccountsTests extends ESTestCase { .put("default_account", "account1"); addAccountSettings("account1", builder); - Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger); + Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger); Account account = accounts.account("account1"); assertThat(account, notNullValue()); assertThat(account.name(), equalTo("account1")); @@ -37,7 +37,7 @@ public class AccountsTests extends ESTestCase { Settings.Builder builder = Settings.builder(); addAccountSettings("account1", builder); - Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger); + Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger); Account account = accounts.account("account1"); assertThat(account, notNullValue()); assertThat(account.name(), equalTo("account1")); @@ -52,7 +52,7 @@ public class AccountsTests extends ESTestCase { addAccountSettings("account1", builder); addAccountSettings("account2", builder); - Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger); + Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger); Account account = accounts.account("account1"); assertThat(account, notNullValue()); assertThat(account.name(), equalTo("account1")); @@ -70,7 +70,7 @@ public class AccountsTests extends ESTestCase { addAccountSettings("account1", builder); addAccountSettings("account2", builder); - Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger); + Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger); Account account = accounts.account("account1"); assertThat(account, notNullValue()); assertThat(account.name(), equalTo("account1")); @@ -88,7 +88,7 @@ public class AccountsTests extends ESTestCase { addAccountSettings("account1", builder); addAccountSettings("account2", builder); try { - new Accounts(builder.build(), new SecretService.PlainText(), logger); + new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger); fail("Expected SettingsException"); } catch (SettingsException e) { assertThat(e.getMessage(), is("could not find default email account [unknown]")); @@ -97,7 +97,7 @@ public class AccountsTests extends ESTestCase { public void testNoAccount() throws Exception { Settings.Builder builder = Settings.builder(); - Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger); + Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger); try { accounts.account(null); fail("no accounts are configured so trying to get the default account should throw an IllegalStateException"); @@ -110,7 +110,7 @@ public class AccountsTests extends ESTestCase { Settings.Builder builder = Settings.builder() .put("default_account", "unknown"); try { - new Accounts(builder.build(), new SecretService.PlainText(), logger); + new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger); fail("Expected SettingsException"); } catch (SettingsException e) { assertThat(e.getMessage(), is("could not find default email account [unknown]")); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java index a385b2656d7..8fedd733cf9 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java @@ -33,7 +33,7 @@ public class InternalEmailServiceTests extends ESTestCase { @Before public void init() throws Exception { accounts = mock(Accounts.class); - service = new InternalEmailService(Settings.EMPTY, new SecretService.PlainText(), + service = new InternalEmailService(Settings.EMPTY, SecretService.Insecure.INSTANCE, new ClusterSettings(Settings.EMPTY, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING))) { @Override protected Accounts createAccounts(Settings settings, ESLogger logger) { diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java index fe16973f27e..2a1cdfb3124 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java @@ -7,7 +7,6 @@ package org.elasticsearch.watcher.actions.email.service; import org.apache.lucene.util.LuceneTestCase.AwaitsFix; import org.elasticsearch.common.cli.Terminal; -import org.elasticsearch.common.inject.Provider; import org.elasticsearch.common.settings.ClusterSettings; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.xcontent.ToXContent; @@ -15,7 +14,6 @@ import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.watcher.support.secret.SecretService; import java.io.IOException; -import java.io.InputStream; import java.util.Collections; import java.util.Locale; @@ -124,7 +122,7 @@ public class ManualPublicSmtpServersTester { static InternalEmailService startEmailService(Settings.Builder builder) { Settings settings = builder.build(); - InternalEmailService service = new InternalEmailService(settings, new SecretService.PlainText(), + InternalEmailService service = new InternalEmailService(settings, SecretService.Insecure.INSTANCE, new ClusterSettings(settings, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING))); service.start(); return service; diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/attachment/HttpEmailAttachementParserTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/attachment/HttpEmailAttachementParserTests.java index 168d4db77c2..fd5ea57b9d1 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/attachment/HttpEmailAttachementParserTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/attachment/HttpEmailAttachementParserTests.java @@ -35,14 +35,14 @@ import static org.mockito.Mockito.when; public class HttpEmailAttachementParserTests extends ESTestCase { - private SecretService.PlainText secretService; + private SecretService.Insecure secretService; private HttpAuthRegistry authRegistry; private HttpRequestTemplate.Parser httpRequestTemplateParser; private HttpClient httpClient; @Before public void init() throws Exception { - secretService = new SecretService.PlainText(); + secretService = SecretService.Insecure.INSTANCE; authRegistry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(secretService))); httpRequestTemplateParser = new HttpRequestTemplate.Parser(authRegistry); httpClient = mock(HttpClient.class); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpClientTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpClientTests.java index 20621d91b62..0d1592ce64c 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpClientTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpClientTests.java @@ -54,7 +54,7 @@ public class HttpClientTests extends ESTestCase { @Before public void init() throws Exception { - secretService = new SecretService.PlainText(); + secretService = SecretService.Insecure.INSTANCE; authRegistry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(secretService))); webServer = startWebServer(9200, 9300); webPort = webServer.getPort(); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpReadTimeoutTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpReadTimeoutTests.java index 16b4fb0cb84..f683601ce24 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpReadTimeoutTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpReadTimeoutTests.java @@ -14,7 +14,6 @@ import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.env.Environment; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.watcher.support.http.auth.HttpAuthRegistry; -import org.elasticsearch.watcher.support.secret.SecretService; import org.junit.After; import org.junit.Before; @@ -27,13 +26,12 @@ import static org.mockito.Mockito.mock; /** */ public class HttpReadTimeoutTests extends ESTestCase { + private MockWebServer webServer; - private SecretService secretService; private int webPort; @Before public void init() throws Exception { - secretService = new SecretService.PlainText(); for (webPort = 9200; webPort < 9300; webPort++) { try { webServer = new MockWebServer(); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpRequestTemplateTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpRequestTemplateTests.java index 9356c3771e8..afa38c8daf7 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpRequestTemplateTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpRequestTemplateTests.java @@ -136,7 +136,8 @@ public class HttpRequestTemplateTests extends ESTestCase { HttpRequestTemplate template = builder.build(); - HttpAuthRegistry registry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(new SecretService.PlainText()))); + HttpAuthRegistry registry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, + new BasicAuthFactory(SecretService.Insecure.INSTANCE))); HttpRequestTemplate.Parser parser = new HttpRequestTemplate.Parser(registry); XContentBuilder xContentBuilder = template.toXContent(jsonBuilder(), ToXContent.EMPTY_PARAMS); diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java index b790084f2b0..978d5d987a2 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java @@ -61,6 +61,7 @@ import org.elasticsearch.watcher.trigger.TriggerService; import org.elasticsearch.watcher.trigger.schedule.ScheduleModule; import org.elasticsearch.watcher.watch.Watch; import org.elasticsearch.xpack.TimeWarpedXPackPlugin; +import org.elasticsearch.xpack.XPackClient; import org.elasticsearch.xpack.XPackPlugin; import org.hamcrest.Matcher; import org.jboss.netty.util.internal.SystemPropertyUtil; @@ -349,9 +350,8 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase } protected WatcherClient watcherClient() { - return shieldEnabled ? - new WatcherClient(internalCluster().transportClient()) : - new WatcherClient(client()); + Client client = shieldEnabled ? internalCluster().transportClient() : client(); + return randomBoolean() ? new XPackClient(client).watcher() : new WatcherClient(client); } protected ScriptServiceProxy scriptService() { diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/HttpSecretsIntegrationTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/HttpSecretsIntegrationTests.java index aba1029d298..defc297ac6d 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/HttpSecretsIntegrationTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/HttpSecretsIntegrationTests.java @@ -14,7 +14,6 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.xcontent.support.XContentMapValues; import org.elasticsearch.watcher.client.WatcherClient; import org.elasticsearch.watcher.execution.ActionExecutionMode; -import org.elasticsearch.watcher.shield.ShieldSecretService; import org.elasticsearch.watcher.support.http.HttpRequestTemplate; import org.elasticsearch.watcher.support.http.auth.basic.ApplicableBasicAuth; import org.elasticsearch.watcher.support.http.auth.basic.BasicAuth; @@ -118,15 +117,15 @@ public class HttpSecretsIntegrationTests extends AbstractWatcherIntegrationTestC if (shieldEnabled() && encryptSensitiveData) { assertThat(value, not(is((Object) PASSWORD))); SecretService secretService = getInstanceFromMaster(SecretService.class); - assertThat(secretService, instanceOf(ShieldSecretService.class)); + assertThat(secretService, instanceOf(SecretService.Secure.class)); assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD)); } else { assertThat(value, is((Object) PASSWORD)); SecretService secretService = getInstanceFromMaster(SecretService.class); if (shieldEnabled()) { - assertThat(secretService, instanceOf(ShieldSecretService.class)); + assertThat(secretService, instanceOf(SecretService.Secure.class)); } else { - assertThat(secretService, instanceOf(SecretService.PlainText.class)); + assertThat(secretService, instanceOf(SecretService.Insecure.class)); } assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD)); } @@ -190,15 +189,15 @@ public class HttpSecretsIntegrationTests extends AbstractWatcherIntegrationTestC if (shieldEnabled() && encryptSensitiveData) { assertThat(value, not(is((Object) PASSWORD))); SecretService secretService = getInstanceFromMaster(SecretService.class); - assertThat(secretService, instanceOf(ShieldSecretService.class)); + assertThat(secretService, instanceOf(SecretService.Secure.class)); assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD)); } else { assertThat(value, is((Object) PASSWORD)); SecretService secretService = getInstanceFromMaster(SecretService.class); if (shieldEnabled()) { - assertThat(secretService, instanceOf(ShieldSecretService.class)); + assertThat(secretService, instanceOf(SecretService.Secure.class)); } else { - assertThat(secretService, instanceOf(SecretService.PlainText.class)); + assertThat(secretService, instanceOf(SecretService.Insecure.class)); } assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD)); } diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/watch/WatchTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/watch/WatchTests.java index 139fe2968d8..f732b189b57 100644 --- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/watch/WatchTests.java +++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/watch/WatchTests.java @@ -177,7 +177,7 @@ public class WatchTests extends ESTestCase { ScheduleRegistry scheduleRegistry = registry(schedule); TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, clock); TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine)); - SecretService secretService = new SecretService.PlainText(); + SecretService secretService = SecretService.Insecure.INSTANCE; ExecutableInput input = randomInput(); InputRegistry inputRegistry = registry(input); @@ -227,7 +227,7 @@ public class WatchTests extends ESTestCase { ScheduleRegistry scheduleRegistry = registry(randomSchedule()); TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, clock); TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine)); - SecretService secretService = new SecretService.PlainText(); + SecretService secretService = SecretService.Insecure.INSTANCE; ExecutableCondition condition = randomCondition(); ConditionRegistry conditionRegistry = registry(condition); ExecutableInput input = randomInput(); @@ -258,7 +258,7 @@ public class WatchTests extends ESTestCase { ScheduleRegistry scheduleRegistry = registry(schedule); TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, SystemClock.INSTANCE); TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine)); - SecretService secretService = new SecretService.PlainText(); + SecretService secretService = SecretService.Insecure.INSTANCE; ConditionRegistry conditionRegistry = registry(new ExecutableAlwaysCondition(logger)); InputRegistry inputRegistry = registry(new ExecutableNoneInput(logger)); From 3a6a1d5dc2d02a0f3ec117e70f5ef7e1c90209a2 Mon Sep 17 00:00:00 2001 From: uboness Date: Tue, 9 Feb 2016 14:35:37 +0100 Subject: [PATCH 7/8] Shield refactoring for 5.0 - phase 3 - Consolidated the `bin` and `config` directories of watcher, shield and marvel under a single `config/xpack` and `bin/xpack` directories. - updated docs accordingly Original commit: elastic/x-pack-elasticsearch@c2aa6132fa1ae29ced85db60686c5d8ea57ba586 --- .../integration-tests.xml | 4 +- .../integration-tests.xml | 8 +- .../main/resources/ant/shield-overrides.xml | 97 ------------------- .../elasticsearch_license_header.txt | 14 --- .../license_header_definition.xml | 13 --- elasticsearch/x-pack/build.gradle | 6 +- .../shield/bin/{shield => xpack}/.in.bat | 0 .../shield/bin/{shield => xpack}/esusers | 6 +- .../shield/bin/{shield => xpack}/esusers.bat | 0 .../shield/bin/{shield => xpack}/syskeygen | 6 +- .../bin/{shield => xpack}/syskeygen.bat | 0 .../config/{shield => xpack}/logging.yml | 0 .../config/{shield => xpack}/role_mapping.yml | 0 .../shield/config/{shield => xpack}/roles.yml | 0 .../shield/config/{shield => xpack}/users | 0 .../config/{shield => xpack}/users_roles | 0 .../authc/esusers/FileUserPasswdStore.java | 2 +- .../authc/esusers/FileUserRolesStore.java | 2 +- .../shield/crypto/tool/syskey-generate.help | 2 +- .../watcher/bin/{watcher => xpack}/.in.bat | 0 .../watcher/bin/{watcher => xpack}/croneval | 0 .../bin/{watcher => xpack}/croneval.bat | 0 22 files changed, 18 insertions(+), 142 deletions(-) delete mode 100644 elasticsearch/x-dev-tools/src/main/resources/ant/shield-overrides.xml delete mode 100644 elasticsearch/x-dev-tools/src/main/resources/commercial-license-check/elasticsearch_license_header.txt delete mode 100644 elasticsearch/x-dev-tools/src/main/resources/commercial-license-check/license_header_definition.xml rename elasticsearch/x-pack/shield/bin/{shield => xpack}/.in.bat (100%) rename elasticsearch/x-pack/shield/bin/{shield => xpack}/esusers (93%) rename elasticsearch/x-pack/shield/bin/{shield => xpack}/esusers.bat (100%) rename elasticsearch/x-pack/shield/bin/{shield => xpack}/syskeygen (93%) rename elasticsearch/x-pack/shield/bin/{shield => xpack}/syskeygen.bat (100%) rename elasticsearch/x-pack/shield/config/{shield => xpack}/logging.yml (100%) rename elasticsearch/x-pack/shield/config/{shield => xpack}/role_mapping.yml (100%) rename elasticsearch/x-pack/shield/config/{shield => xpack}/roles.yml (100%) rename elasticsearch/x-pack/shield/config/{shield => xpack}/users (100%) rename elasticsearch/x-pack/shield/config/{shield => xpack}/users_roles (100%) rename elasticsearch/x-pack/watcher/bin/{watcher => xpack}/.in.bat (100%) rename elasticsearch/x-pack/watcher/bin/{watcher => xpack}/croneval (100%) rename elasticsearch/x-pack/watcher/bin/{watcher => xpack}/croneval.bat (100%) diff --git a/elasticsearch/qa/shield-tribe-node-tests/integration-tests.xml b/elasticsearch/qa/shield-tribe-node-tests/integration-tests.xml index 329ea365bb5..1b773cb560c 100644 --- a/elasticsearch/qa/shield-tribe-node-tests/integration-tests.xml +++ b/elasticsearch/qa/shield-tribe-node-tests/integration-tests.xml @@ -75,10 +75,10 @@ Adding roles.yml - + Adding shield users... - + diff --git a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/integration-tests.xml b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/integration-tests.xml index 7961590747f..6cbb6907506 100644 --- a/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/integration-tests.xml +++ b/elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/integration-tests.xml @@ -63,10 +63,10 @@ Adding roles.yml with watcher roles - + Adding shield users... - + @@ -76,7 +76,7 @@ - + @@ -86,7 +86,7 @@ - + diff --git a/elasticsearch/x-dev-tools/src/main/resources/ant/shield-overrides.xml b/elasticsearch/x-dev-tools/src/main/resources/ant/shield-overrides.xml deleted file mode 100644 index 79c1e3eb624..00000000000 --- a/elasticsearch/x-dev-tools/src/main/resources/ant/shield-overrides.xml +++ /dev/null @@ -1,97 +0,0 @@ - - - - - - - - - Waiting for elasticsearch to become available on port @{port}... - - - - - - - - - - - - - - - - - - - - true - - - - - - - - - - - - - - - - - - - - Setting up Shield auth - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Checking we can connect with basic auth on port ${integ.http.port}... - - - - - - diff --git a/elasticsearch/x-dev-tools/src/main/resources/commercial-license-check/elasticsearch_license_header.txt b/elasticsearch/x-dev-tools/src/main/resources/commercial-license-check/elasticsearch_license_header.txt deleted file mode 100644 index 250c1ffaa0b..00000000000 --- a/elasticsearch/x-dev-tools/src/main/resources/commercial-license-check/elasticsearch_license_header.txt +++ /dev/null @@ -1,14 +0,0 @@ -ELASTICSEARCH CONFIDENTIAL -__________________ - - [2014] Elasticsearch Incorporated. All Rights Reserved. - -NOTICE: All information contained herein is, and remains -the property of Elasticsearch Incorporated and its suppliers, -if any. The intellectual and technical concepts contained -herein are proprietary to Elasticsearch Incorporated -and its suppliers and may be covered by U.S. and Foreign Patents, -patents in process, and are protected by trade secret or copyright law. -Dissemination of this information or reproduction of this material -is strictly forbidden unless prior written permission is obtained -from Elasticsearch Incorporated. \ No newline at end of file diff --git a/elasticsearch/x-dev-tools/src/main/resources/commercial-license-check/license_header_definition.xml b/elasticsearch/x-dev-tools/src/main/resources/commercial-license-check/license_header_definition.xml deleted file mode 100644 index 1cc53bda001..00000000000 --- a/elasticsearch/x-dev-tools/src/main/resources/commercial-license-check/license_header_definition.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - /* - * - */ - - (\s|\t)*/\*.*$ - .*\*/(\s|\t)*$ - false - true - - diff --git a/elasticsearch/x-pack/build.gradle b/elasticsearch/x-pack/build.gradle index afca83b1a04..1b074b11b05 100644 --- a/elasticsearch/x-pack/build.gradle +++ b/elasticsearch/x-pack/build.gradle @@ -114,13 +114,13 @@ bundlePlugin { include 'LICENSE.txt' include 'NOTICE.txt' } - from('shield/bin/shield') { + from('shield/bin/xpack') { into 'bin' } - from('shield/config/shield') { + from('shield/config/xpack') { into 'config' } - from('watcher/bin/watcher') { + from('watcher/bin/xpack') { into 'bin' } } diff --git a/elasticsearch/x-pack/shield/bin/shield/.in.bat b/elasticsearch/x-pack/shield/bin/xpack/.in.bat similarity index 100% rename from elasticsearch/x-pack/shield/bin/shield/.in.bat rename to elasticsearch/x-pack/shield/bin/xpack/.in.bat diff --git a/elasticsearch/x-pack/shield/bin/shield/esusers b/elasticsearch/x-pack/shield/bin/xpack/esusers similarity index 93% rename from elasticsearch/x-pack/shield/bin/shield/esusers rename to elasticsearch/x-pack/shield/bin/xpack/esusers index cf5aa74d018..50d7d522c34 100755 --- a/elasticsearch/x-pack/shield/bin/shield/esusers +++ b/elasticsearch/x-pack/shield/bin/xpack/esusers @@ -102,9 +102,9 @@ if [ -e "$CONF_DIR" ]; then case "$properties" in *-Des.default.path.conf=*) ;; *) - if [ ! -d "$CONF_DIR/shield" ]; then - echo "ERROR: The configuration directory [$CONF_DIR/shield] does not exist. The esusers tool expects Shield configuration files in that location." - echo "The plugin may not have been installed with the correct configuration path. If [$ES_HOME/config/shield] exists, please copy the shield directory to [$CONF_DIR]" + if [ ! -d "$CONF_DIR/xpack" ]; then + echo "ERROR: The configuration directory [$CONF_DIR/xpack] does not exist. The esusers tool expects security configuration files in that location." + echo "The plugin may not have been installed with the correct configuration path. If [$ES_HOME/config/xpack] exists, please copy the 'xpack' directory to [$CONF_DIR]" exit 1 fi properties="$properties -Des.default.path.conf=$CONF_DIR" diff --git a/elasticsearch/x-pack/shield/bin/shield/esusers.bat b/elasticsearch/x-pack/shield/bin/xpack/esusers.bat similarity index 100% rename from elasticsearch/x-pack/shield/bin/shield/esusers.bat rename to elasticsearch/x-pack/shield/bin/xpack/esusers.bat diff --git a/elasticsearch/x-pack/shield/bin/shield/syskeygen b/elasticsearch/x-pack/shield/bin/xpack/syskeygen similarity index 93% rename from elasticsearch/x-pack/shield/bin/shield/syskeygen rename to elasticsearch/x-pack/shield/bin/xpack/syskeygen index f3cb8bfa123..6f29cb744b8 100755 --- a/elasticsearch/x-pack/shield/bin/shield/syskeygen +++ b/elasticsearch/x-pack/shield/bin/xpack/syskeygen @@ -102,9 +102,9 @@ if [ -e "$CONF_DIR" ]; then case "$properties" in *-Des.default.path.conf=*) ;; *) - if [ ! -d "$CONF_DIR/shield" ]; then - echo "ERROR: The configuration directory [$CONF_DIR/shield] does not exist. The syskeygen tool expects Shield configuration files in that location." - echo "The plugin may not have been installed with the correct configuration path. If [$ES_HOME/config/shield] exists, please copy the shield directory to [$CONF_DIR]" + if [ ! -d "$CONF_DIR/xpack" ]; then + echo "ERROR: The configuration directory [$CONF_DIR/xpack] does not exist. The syskeygen tool expects security configuration files in that location." + echo "The plugin may not have been installed with the correct configuration path. If [$ES_HOME/config/xpack] exists, please copy the 'xpack' directory to [$CONF_DIR]" exit 1 fi properties="$properties -Des.default.path.conf=$CONF_DIR" diff --git a/elasticsearch/x-pack/shield/bin/shield/syskeygen.bat b/elasticsearch/x-pack/shield/bin/xpack/syskeygen.bat similarity index 100% rename from elasticsearch/x-pack/shield/bin/shield/syskeygen.bat rename to elasticsearch/x-pack/shield/bin/xpack/syskeygen.bat diff --git a/elasticsearch/x-pack/shield/config/shield/logging.yml b/elasticsearch/x-pack/shield/config/xpack/logging.yml similarity index 100% rename from elasticsearch/x-pack/shield/config/shield/logging.yml rename to elasticsearch/x-pack/shield/config/xpack/logging.yml diff --git a/elasticsearch/x-pack/shield/config/shield/role_mapping.yml b/elasticsearch/x-pack/shield/config/xpack/role_mapping.yml similarity index 100% rename from elasticsearch/x-pack/shield/config/shield/role_mapping.yml rename to elasticsearch/x-pack/shield/config/xpack/role_mapping.yml diff --git a/elasticsearch/x-pack/shield/config/shield/roles.yml b/elasticsearch/x-pack/shield/config/xpack/roles.yml similarity index 100% rename from elasticsearch/x-pack/shield/config/shield/roles.yml rename to elasticsearch/x-pack/shield/config/xpack/roles.yml diff --git a/elasticsearch/x-pack/shield/config/shield/users b/elasticsearch/x-pack/shield/config/xpack/users similarity index 100% rename from elasticsearch/x-pack/shield/config/shield/users rename to elasticsearch/x-pack/shield/config/xpack/users diff --git a/elasticsearch/x-pack/shield/config/shield/users_roles b/elasticsearch/x-pack/shield/config/xpack/users_roles similarity index 100% rename from elasticsearch/x-pack/shield/config/shield/users_roles rename to elasticsearch/x-pack/shield/config/xpack/users_roles diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java index e9a6da330ab..88a1ccf055b 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java @@ -167,7 +167,7 @@ public class FileUserPasswdStore { } if (users.isEmpty()) { - logger.warn("no users found in users file [{}]. use bin/shield/esusers to add users and role mappings", path.toAbsolutePath()); + logger.warn("no users found in users file [{}]. use bin/xpack/esusers to add users and role mappings", path.toAbsolutePath()); } return unmodifiableMap(users); } diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java index 266f57cd487..420fcddf308 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java @@ -182,7 +182,7 @@ public class FileUserRolesStore { } if (usersRoles.isEmpty()) { - logger.warn("no entries found in users_roles file [{}]. use bin/shield/esusers to add users and role mappings", path + logger.warn("no entries found in users_roles file [{}]. use bin/xpack/esusers to add users and role mappings", path .toAbsolutePath()); } diff --git a/elasticsearch/x-pack/shield/src/main/resources/org/elasticsearch/shield/crypto/tool/syskey-generate.help b/elasticsearch/x-pack/shield/src/main/resources/org/elasticsearch/shield/crypto/tool/syskey-generate.help index bf76a24d6b8..d4a175fb16e 100644 --- a/elasticsearch/x-pack/shield/src/main/resources/org/elasticsearch/shield/crypto/tool/syskey-generate.help +++ b/elasticsearch/x-pack/shield/src/main/resources/org/elasticsearch/shield/crypto/tool/syskey-generate.help @@ -9,7 +9,7 @@ SYNOPSIS DESCRIPTION Generates the system key and stores in the system_key file. By default - it will be stored in 'config/shield/.system_key' file. If the file location + it will be stored in 'config/xpack/system_key' file. If the file location is customized in the elasticsearch.yml (under the 'shield.system_key.file' setting), the generated key will be stored in that custom location. diff --git a/elasticsearch/x-pack/watcher/bin/watcher/.in.bat b/elasticsearch/x-pack/watcher/bin/xpack/.in.bat similarity index 100% rename from elasticsearch/x-pack/watcher/bin/watcher/.in.bat rename to elasticsearch/x-pack/watcher/bin/xpack/.in.bat diff --git a/elasticsearch/x-pack/watcher/bin/watcher/croneval b/elasticsearch/x-pack/watcher/bin/xpack/croneval similarity index 100% rename from elasticsearch/x-pack/watcher/bin/watcher/croneval rename to elasticsearch/x-pack/watcher/bin/xpack/croneval diff --git a/elasticsearch/x-pack/watcher/bin/watcher/croneval.bat b/elasticsearch/x-pack/watcher/bin/xpack/croneval.bat similarity index 100% rename from elasticsearch/x-pack/watcher/bin/watcher/croneval.bat rename to elasticsearch/x-pack/watcher/bin/xpack/croneval.bat From 602f67d7c6472c49b232642f51b6e4927d2c3204 Mon Sep 17 00:00:00 2001 From: Jason Tedor Date: Tue, 9 Feb 2016 09:02:16 -0500 Subject: [PATCH 8/8] Use MessageDigests abstraction in core This commit removes the message digest providers in x-plugins by using the MessageDigests abstraction in core. In particular, this permits the removal of the use of MessageDigest#clone in x-plugins. Closes elastic/elasticsearch#1489 Original commit: elastic/x-pack-elasticsearch@6868e6e8ed80a474d37827684396c2893edd9252 --- .../shield/authc/support/Hasher.java | 83 ++----------------- 1 file changed, 7 insertions(+), 76 deletions(-) diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java index 04c70703a49..528e0b2a5e6 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java @@ -7,6 +7,7 @@ package org.elasticsearch.shield.authc.support; import org.elasticsearch.common.Base64; import org.elasticsearch.common.Randomness; +import org.elasticsearch.common.hash.MessageDigests; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; @@ -142,7 +143,7 @@ public enum Hasher { @Override public char[] hash(SecuredString text) { byte[] textBytes = CharArrays.toUtf8Bytes(text.internalChars()); - MessageDigest md = SHA1Provider.sha1(); + MessageDigest md = MessageDigests.sha1(); md.update(textBytes); String hash = Base64.encodeBytes(md.digest()); return (SHA1_PREFIX + hash).toCharArray(); @@ -155,7 +156,7 @@ public enum Hasher { return false; } byte[] textBytes = CharArrays.toUtf8Bytes(text.internalChars()); - MessageDigest md = SHA1Provider.sha1(); + MessageDigest md = MessageDigests.sha1(); md.update(textBytes); String passwd64 = Base64.encodeBytes(md.digest()); String hashNoPrefix = hashStr.substring(SHA1_PREFIX.length()); @@ -166,7 +167,7 @@ public enum Hasher { MD5() { @Override public char[] hash(SecuredString text) { - MessageDigest md = MD5Provider.md5(); + MessageDigest md = MessageDigests.md5(); md.update(CharArrays.toUtf8Bytes(text.internalChars())); String hash = Base64.encodeBytes(md.digest()); return (MD5_PREFIX + hash).toCharArray(); @@ -179,7 +180,7 @@ public enum Hasher { return false; } hashStr = hashStr.substring(MD5_PREFIX.length()); - MessageDigest md = MD5Provider.md5(); + MessageDigest md = MessageDigests.md5(); md.update(CharArrays.toUtf8Bytes(text.internalChars())); String computedHashStr = Base64.encodeBytes(md.digest()); return SecuredString.constantTimeEquals(hashStr, computedHashStr); @@ -189,7 +190,7 @@ public enum Hasher { SSHA256() { @Override public char[] hash(SecuredString text) { - MessageDigest md = SHA256Provider.sha256(); + MessageDigest md = MessageDigests.sha256(); md.update(CharArrays.toUtf8Bytes(text.internalChars())); char[] salt = SaltProvider.salt(8); md.update(CharArrays.toUtf8Bytes(salt)); @@ -209,7 +210,7 @@ public enum Hasher { } hashStr = hashStr.substring(SSHA256_PREFIX.length()); char[] saltAndHash = hashStr.toCharArray(); - MessageDigest md = SHA256Provider.sha256(); + MessageDigest md = MessageDigests.sha256(); md.update(CharArrays.toUtf8Bytes(text.internalChars())); md.update(new String(saltAndHash, 0, 8).getBytes(StandardCharsets.UTF_8)); String computedHash = Base64.encodeBytes(md.digest()); @@ -279,76 +280,6 @@ public enum Hasher { public abstract boolean verify(SecuredString data, char[] hash); - static final class MD5Provider { - - private static final MessageDigest digest; - - static { - try { - digest = MessageDigest.getInstance("MD5"); - } catch (NoSuchAlgorithmException e) { - throw new IllegalStateException("unsupported digest algorithm [MD5]. Please verify you are running on Java 7 or above", e); - } - } - - private static MessageDigest md5() { - try { - MessageDigest md5 = (MessageDigest) digest.clone(); - md5.reset(); - return md5; - } catch (CloneNotSupportedException e) { - throw new IllegalStateException("could not create MD5 digest", e); - } - } - } - - static final class SHA1Provider { - - private static final MessageDigest digest; - - static { - try { - digest = MessageDigest.getInstance("SHA-1"); - } catch (NoSuchAlgorithmException e) { - throw new IllegalStateException("unsupported digest algorithm [SHA-1]", e); - } - } - - private static MessageDigest sha1() { - try { - MessageDigest sha1 = (MessageDigest) digest.clone(); - sha1.reset(); - return sha1; - } catch (CloneNotSupportedException e) { - throw new IllegalStateException("could not create SHA-1 digest", e); - } - } - } - - static final class SHA256Provider { - - private static final MessageDigest digest; - - static { - try { - digest = MessageDigest.getInstance("SHA-256"); - } catch (NoSuchAlgorithmException e) { - String msg = "unsupported digest algorithm [SHA-256]. Please verify you are running on Java 7 or above"; - throw new IllegalStateException(msg, e); - } - } - - private static MessageDigest sha256() { - try { - MessageDigest sha = (MessageDigest) digest.clone(); - sha.reset(); - return sha; - } catch (CloneNotSupportedException e) { - throw new IllegalStateException("could not create [SHA-256] digest", e); - } - } - } - static final class SaltProvider { static final char[] ALPHABET = new char[]{