honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support allowNoIndices option in security plugin 

Supporting allowNoIndices means that the security plugin has a behaviour much more similar to vanilla es when dealing with wildcard expressions that match no indices, or empty clusters. The default for most request is to allow no indices, but security plugin could only disallow no indices all the time up until now.

The technical problem was that when anything gets resolved to an empty set of indices, we couldn't let that go through to es core, as that would become resolved to all indices by es core, which would be a security hole. We have now found a way though to replace an empty set of indices with something that es core will for sure resolve to no indices, so we can let the request through. We simply replace empty indices with '-*'.

Multi apis requests (e.g. _msearch) have yet to be fixed, as all their indices end up in the same bucket while they should each be authorized separately, so that every specific item can fail or be let through.

Original commit: elastic/x-pack-elasticsearch@0f67a0bfea
This commit is contained in:
javanna 2016-09-30 14:41:54 +02:00 committed by Luca Cavanna
parent 9b46b34bed
commit d27c4bee82
32 changed files with 559 additions and 632 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollector.java
View File

@ -10,9 +10,7 @@ import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.monitoring.MonitoringSettings;
import org.elasticsearch.xpack.monitoring.collector.AbstractCollector;
import org.elasticsearch.xpack.monitoring.exporter.MonitoringDoc;
@ -49,29 +47,19 @@ public class IndexRecoveryCollector extends AbstractCollector {
@Override
protected Collection<MonitoringDoc> doCollect() throws Exception {
List<MonitoringDoc> results = new ArrayList<>(1);
try {
RecoveryResponse recoveryResponse = client.admin().indices().prepareRecoveries()
.setIndices(monitoringSettings.indices())
.setIndicesOptions(IndicesOptions.lenientExpandOpen())
.setActiveOnly(monitoringSettings.recoveryActiveOnly())
.get(monitoringSettings.recoveryTimeout());
RecoveryResponse recoveryResponse = client.admin().indices().prepareRecoveries()
.setIndices(monitoringSettings.indices())
.setIndicesOptions(IndicesOptions.lenientExpandOpen())
.setActiveOnly(monitoringSettings.recoveryActiveOnly())
.get(monitoringSettings.recoveryTimeout());
if (recoveryResponse.hasRecoveries()) {
IndexRecoveryMonitoringDoc indexRecoveryDoc = new IndexRecoveryMonitoringDoc(monitoringId(), monitoringVersion());
indexRecoveryDoc.setClusterUUID(clusterUUID());
indexRecoveryDoc.setTimestamp(System.currentTimeMillis());
indexRecoveryDoc.setSourceNode(localNode());
indexRecoveryDoc.setRecoveryResponse(recoveryResponse);
results.add(indexRecoveryDoc);
}
} catch (IndexNotFoundException e) {
//TODO this if should go away once the empty cluster / empty set of indices behaviour is fixed in the security plugin
if (XPackSettings.SECURITY_ENABLED.get(settings)) {
//&& IndexNameExpressionResolver.isAllIndices(Arrays.asList(monitoringSettings.indices()))) {
logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
} else {
throw e;
}
if (recoveryResponse.hasRecoveries()) {
IndexRecoveryMonitoringDoc indexRecoveryDoc = new IndexRecoveryMonitoringDoc(monitoringId(), monitoringVersion());
indexRecoveryDoc.setClusterUUID(clusterUUID());
indexRecoveryDoc.setTimestamp(System.currentTimeMillis());
indexRecoveryDoc.setSourceNode(localNode());
indexRecoveryDoc.setRecoveryResponse(recoveryResponse);
results.add(indexRecoveryDoc);
}
return Collections.unmodifiableCollection(results);
}

62
elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollector.java
View File

@ -12,9 +12,7 @@ import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.monitoring.MonitoringSettings;
import org.elasticsearch.xpack.monitoring.collector.AbstractCollector;
import org.elasticsearch.xpack.monitoring.exporter.MonitoringDoc;
@ -51,43 +49,33 @@ public class IndexStatsCollector extends AbstractCollector {
@Override
protected Collection<MonitoringDoc> doCollect() throws Exception {
List<MonitoringDoc> results = new ArrayList<>();
try {
IndicesStatsResponse indicesStats = client.admin().indices().prepareStats()
.setIndices(monitoringSettings.indices())
.setIndicesOptions(IndicesOptions.lenientExpandOpen())
.clear()
.setDocs(true)
.setFieldData(true)
.setIndexing(true)
.setMerge(true)
.setSearch(true)
.setSegments(true)
.setStore(true)
.setRefresh(true)
.setQueryCache(true)
.setRequestCache(true)
.get(monitoringSettings.indexStatsTimeout());
IndicesStatsResponse indicesStats = client.admin().indices().prepareStats()
.setIndices(monitoringSettings.indices())
.setIndicesOptions(IndicesOptions.lenientExpandOpen())
.clear()
.setDocs(true)
.setFieldData(true)
.setIndexing(true)
.setMerge(true)
.setSearch(true)
.setSegments(true)
.setStore(true)
.setRefresh(true)
.setQueryCache(true)
.setRequestCache(true)
.get(monitoringSettings.indexStatsTimeout());
long timestamp = System.currentTimeMillis();
String clusterUUID = clusterUUID();
DiscoveryNode sourceNode = localNode();
long timestamp = System.currentTimeMillis();
String clusterUUID = clusterUUID();
DiscoveryNode sourceNode = localNode();
for (IndexStats indexStats : indicesStats.getIndices().values()) {
IndexStatsMonitoringDoc indexStatsDoc = new IndexStatsMonitoringDoc(monitoringId(), monitoringVersion());
indexStatsDoc.setClusterUUID(clusterUUID);
indexStatsDoc.setTimestamp(timestamp);
indexStatsDoc.setSourceNode(sourceNode);
indexStatsDoc.setIndexStats(indexStats);
results.add(indexStatsDoc);
}
} catch (IndexNotFoundException e) {
//TODO this if should go away once the empty cluster / empty set of indices behaviour is fixed in the security plugin
if (XPackSettings.SECURITY_ENABLED.get(settings)) {
//&& IndexNameExpressionResolver.isAllIndices(Arrays.asList(monitoringSettings.indices()))) {
logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
} else {
throw e;
}
for (IndexStats indexStats : indicesStats.getIndices().values()) {
IndexStatsMonitoringDoc indexStatsDoc = new IndexStatsMonitoringDoc(monitoringId(), monitoringVersion());
indexStatsDoc.setClusterUUID(clusterUUID);
indexStatsDoc.setTimestamp(timestamp);
indexStatsDoc.setSourceNode(sourceNode);
indexStatsDoc.setIndexStats(indexStats);
results.add(indexStatsDoc);
}
return Collections.unmodifiableCollection(results);
}

43
elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollector.java
View File

@ -10,9 +10,7 @@ import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.monitoring.MonitoringSettings;
import org.elasticsearch.xpack.monitoring.collector.AbstractCollector;
import org.elasticsearch.xpack.monitoring.exporter.MonitoringDoc;
@ -45,32 +43,21 @@ public class IndicesStatsCollector extends AbstractCollector {
@Override
protected Collection<MonitoringDoc> doCollect() throws Exception {
try {
IndicesStatsResponse indicesStats = client.admin().indices().prepareStats()
.setIndices(monitoringSettings.indices())
.setIndicesOptions(IndicesOptions.lenientExpandOpen())
.clear()
.setDocs(true)
.setIndexing(true)
.setSearch(true)
.setStore(true)
.get(monitoringSettings.indicesStatsTimeout());
IndicesStatsResponse indicesStats = client.admin().indices().prepareStats()
.setIndices(monitoringSettings.indices())
.setIndicesOptions(IndicesOptions.lenientExpandOpen())
.clear()
.setDocs(true)
.setIndexing(true)
.setSearch(true)
.setStore(true)
.get(monitoringSettings.indicesStatsTimeout());
IndicesStatsMonitoringDoc indicesStatsDoc = new IndicesStatsMonitoringDoc(monitoringId(), monitoringVersion());
indicesStatsDoc.setClusterUUID(clusterUUID());
indicesStatsDoc.setTimestamp(System.currentTimeMillis());
indicesStatsDoc.setSourceNode(localNode());
indicesStatsDoc.setIndicesStats(indicesStats);
return Collections.singletonList(indicesStatsDoc);
} catch (IndexNotFoundException e) {
//TODO this if should go away once the empty cluster / empty set of indices behaviour is fixed in the security plugin
if (XPackSettings.SECURITY_ENABLED.get(settings)) {
//&& IndexNameExpressionResolver.isAllIndices(Arrays.asList(monitoringSettings.indices()))) {
logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
return Collections.emptyList();
}
throw e;
}
IndicesStatsMonitoringDoc indicesStatsDoc = new IndicesStatsMonitoringDoc(monitoringId(), monitoringVersion());
indicesStatsDoc.setClusterUUID(clusterUUID());
indicesStatsDoc.setTimestamp(System.currentTimeMillis());
indicesStatsDoc.setSourceNode(localNode());
indicesStatsDoc.setIndicesStats(indicesStats);
return Collections.singletonList(indicesStatsDoc);
}
}

9
elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
View File

@ -253,6 +253,15 @@ public class AuthorizationService extends AbstractComponent {
ClusterState clusterState = clusterService.state();
Set<String> indexNames = resolveIndices(authentication, action, request, clusterState);
assert !indexNames.isEmpty() : "every indices request needs to have its indices set thus the resolved indices must not be empty";
//security plugin is the only responsible for the presence of "-*", as wildcards just got resolved.
//'-*' matches no indices, hence we can simply let it go through, it will yield an empty response.
if (indexNames.size() == 1 && indexNames.contains(DefaultIndicesAndAliasesResolver.NO_INDEX)) {
setIndicesAccessControl(IndicesAccessControl.ALLOW_NO_INDICES);
grant(authentication, action, request);
return;
}
MetaData metaData = clusterState.metaData();
IndicesAccessControl indicesAccessControl = permission.authorize(action, indexNames, metaData);
if (!indicesAccessControl.isGranted()) {

4
elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControl.java
View File

@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.authz.accesscontrol;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.xpack.security.authz.indicesresolver.DefaultIndicesAndAliasesResolver;
import org.elasticsearch.xpack.security.authz.permission.FieldPermissions;
import java.util.Collections;
@ -22,6 +23,9 @@ import static java.util.Collections.unmodifiableSet;
public class IndicesAccessControl {
public static final IndicesAccessControl ALLOW_ALL = new IndicesAccessControl(true, Collections.emptyMap());
public static final IndicesAccessControl ALLOW_NO_INDICES = new IndicesAccessControl(true,
Collections.singletonMap(DefaultIndicesAndAliasesResolver.NO_INDEX,
new IndicesAccessControl.IndexAccessControl(true, new FieldPermissions(), null)));
private final boolean granted;
private final Map<String, IndexAccessControl> indexPermissions;

134
elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java
View File

@ -9,6 +9,7 @@ import org.elasticsearch.action.AliasesRequest;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequest;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.cluster.metadata.AliasOrIndex;
@ -33,6 +34,9 @@ import java.util.stream.Collectors;
public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolver<TransportRequest> {
public static final String NO_INDEX = "-*";
private static final List<String> NO_INDICES = Collections.singletonList(NO_INDEX);
private final AuthorizationService authzService;
private final IndexNameExpressionResolver nameExpressionResolver;
@ -76,6 +80,7 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
}
private Set<String> resolveIndicesAndAliases(User user, String action, IndicesRequest indicesRequest, MetaData metaData) {
boolean indicesReplacedWithNoIndices = false;
final Set<String> indices;
if (indicesRequest instanceof PutMappingRequest
&& ((PutMappingRequest) indicesRequest).getConcreteIndex() != null) {
@ -92,16 +97,41 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
final boolean replaceWildcards = indicesRequest.indicesOptions().expandWildcardsOpen()
|| indicesRequest.indicesOptions().expandWildcardsClosed();
List<String> authorizedIndicesAndAliases = authzService.authorizedIndicesAndAliases(user, action);
List<String> replacedIndices = replaceWildcardsWithAuthorizedIndices(indicesRequest.indices(),
indicesRequest.indicesOptions(), metaData, authorizedIndicesAndAliases, replaceWildcards);
if (indicesRequest.indicesOptions().ignoreUnavailable()) {
//out of all the explicit names (expanded from wildcards and original ones that were left untouched)
//remove all the ones that the current user is not authorized for and ignore them
replacedIndices = replacedIndices.stream().filter(authorizedIndicesAndAliases::contains).collect(Collectors.toList());
throwExceptionIfNoIndicesWereResolved(indicesRequest.indices(), replacedIndices);
List<String> replacedIndices = new ArrayList<>();
// check for all and return list of authorized indices
if (IndexNameExpressionResolver.isAllIndices(indicesList(indicesRequest.indices()))) {
if (replaceWildcards) {
for (String authorizedIndex : authorizedIndicesAndAliases) {
if (isIndexVisible(authorizedIndex, indicesRequest.indicesOptions(), metaData)) {
replacedIndices.add(authorizedIndex);
}
}
}
// if we cannot replace wildcards the indices list stays empty. Same if there are no authorized indices.
// we honour allow_no_indices like es core does.
} else {
replacedIndices = replaceWildcardsWithAuthorizedIndices(indicesRequest.indices(),
indicesRequest.indicesOptions(), metaData, authorizedIndicesAndAliases, replaceWildcards);
if (indicesRequest.indicesOptions().ignoreUnavailable()) {
//out of all the explicit names (expanded from wildcards and original ones that were left untouched)
//remove all the ones that the current user is not authorized for and ignore them
replacedIndices = replacedIndices.stream().filter(authorizedIndicesAndAliases::contains).collect(Collectors.toList());
}
}
if (replacedIndices.isEmpty()) {
if (indicesRequest.indicesOptions().allowNoIndices()) {
//this is how we tell es core to return an empty response, we can let the request through being sure
//that the '-*' wildcard expression will be resolved to no indices. We can't let empty indices through
//as that would be resolved to _all by es core.
replacedIndices = NO_INDICES;
indicesReplacedWithNoIndices = true;
} else {
throw new IndexNotFoundException(Arrays.toString(indicesRequest.indices()));
}
}
replaceable.indices(replacedIndices.toArray(new String[replacedIndices.size()]));
indices = Sets.newHashSet(indicesRequest.indices());
indices = Sets.newHashSet(replacedIndices);
} else {
assert !containsWildcards(indicesRequest) :
"There are no external requests known to support wildcards that don't support replacing their indices";
@ -118,7 +148,7 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
}
if (indicesRequest instanceof AliasesRequest) {
//special treatment for AliasesRequest since we need to replace wildcards among the specified aliases.
//special treatment for AliasesRequest since we need to replace wildcards among the specified aliases too.
//AliasesRequest extends IndicesRequest.Replaceable, hence its indices have already been properly replaced.
AliasesRequest aliasesRequest = (AliasesRequest) indicesRequest;
if (aliasesRequest.expandAliasesWildcards()) {
@ -127,9 +157,16 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
(authorizedIndices, metaData));
aliasesRequest.aliases(aliases.toArray(new String[aliases.size()]));
}
Collections.addAll(indices, aliasesRequest.aliases());
if (indicesReplacedWithNoIndices) {
assert indicesRequest instanceof GetAliasesRequest : GetAliasesRequest.class.getSimpleName() + " is the only known " +
"request implementing " + AliasesRequest.class.getSimpleName() + " that may allow no indices. Found [" +
indicesRequest.getClass().getName() + "] which ended up with an empty set of indices.";
} else {
//if we are returning '-*' we shouldn't be adding the aliases to the list or the request will not get authorized.
//Leave only '-*' and ignore the rest, result will anyway be empty.
Collections.addAll(indices, aliasesRequest.aliases());
}
}
return indices;
}
@ -192,24 +229,9 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
return false;
}
//TODO Investigate reusing code from vanilla es to resolve index names and wildcards
private List<String> replaceWildcardsWithAuthorizedIndices(String[] indices, IndicesOptions indicesOptions, MetaData metaData,
List<String> authorizedIndices, boolean replaceWildcards) {
// check for all and return list of authorized indices
if (IndexNameExpressionResolver.isAllIndices(indicesList(indices))) {
if (replaceWildcards == false) {
// if we cannot replace wildcards, then we should not set all indices
return throwExceptionIfNoIndicesWereResolved(indices, null);
}
List<String> visibleIndices = new ArrayList<>();
for (String authorizedIndex : authorizedIndices) {
if (isIndexVisible(authorizedIndex, indicesOptions, metaData)) {
visibleIndices.add(authorizedIndex);
}
}
return throwExceptionIfNoIndicesWereResolved(indices, visibleIndices);
}
//the order matters when it comes to + and - (see MetaData#convertFromWildcards)
List<String> finalIndices = new ArrayList<>();
for (int i = 0; i < indices.length; i++) {
@ -235,15 +257,22 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
}
if (replaceWildcards && Regex.isSimpleMatchPattern(aliasOrIndex)) {
Set<String> resolvedIndices = new HashSet<>();
for (String authorizedIndex : authorizedIndices) {
if (Regex.simpleMatch(aliasOrIndex, authorizedIndex)) {
if (minus) {
finalIndices.remove(authorizedIndex);
} else {
if (isIndexVisible(authorizedIndex, indicesOptions, metaData)) {
finalIndices.add(authorizedIndex);
}
}
if (Regex.simpleMatch(aliasOrIndex, authorizedIndex) && isIndexVisible(authorizedIndex, indicesOptions, metaData)) {
resolvedIndices.add(authorizedIndex);
}
}
if (resolvedIndices.isEmpty()) {
//es core honours allow_no_indices for each wildcard expression, we do the same here by throwing index not found.
if (indicesOptions.allowNoIndices() == false) {
throw new IndexNotFoundException(aliasOrIndex);
}
} else {
if (minus) {
finalIndices.removeAll(resolvedIndices);
} else {
finalIndices.addAll(resolvedIndices);
}
}
} else {
@ -253,21 +282,22 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
// to ensure we catch this if it changes
if (dateMathName != aliasOrIndex) {
assert dateMathName.equals(aliasOrIndex) == false;
if (authorizedIndices.contains(dateMathName)) {
if (authorizedIndices.contains(dateMathName) && isIndexVisible(dateMathName, indicesOptions, metaData, true)) {
if (minus) {
finalIndices.remove(dateMathName);
} else {
if (isIndexVisible(dateMathName, indicesOptions, metaData, true)) {
finalIndices.add(dateMathName);
}
finalIndices.add(dateMathName);
}
} else {
if (indicesOptions.ignoreUnavailable() == false) {
throw new IndexNotFoundException(dateMathName);
}
}
} else {
//MetaData#convertFromWildcards checks if the index exists here and throws IndexNotFoundException if not (based on
// ignore_unavailable).
//Do nothing as if the index is missing but the user is not authorized to it an AuthorizationException will be thrown.
//If the index is missing and the user is authorized to it, core will throw IndexNotFoundException later on.
//There is no problem with deferring this as we are dealing with an explicit name, not with wildcards.
// ignore_unavailable). We only add/remove the index: if the index is missing or the current user is not authorized
// to access it either an AuthorizationException will be thrown later in AuthorizationService, or the index will be
// removed from the list, based on the ignore_unavailable option.
if (minus) {
finalIndices.remove(aliasOrIndex);
} else {
@ -276,22 +306,7 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
}
}
}
return throwExceptionIfNoIndicesWereResolved(indices, finalIndices);
}
private List<String> throwExceptionIfNoIndicesWereResolved(String[] originalIndices, List<String> resolvedIndices) {
//ignore the IndicesOptions#allowNoIndices and just throw exception if the wildcards expansion to authorized
//indices resulted in no indices. This is important as we always need to replace wildcards for security reason,
//to make sure that the operation is executed on the indices that we authorized it to execute on.
//If we can't replace because we got an empty set, we can only throw exception.
//Downside of this is that a single item exception is going to make fail the composite request that holds it as a whole.
if (resolvedIndices == null || resolvedIndices.isEmpty()) {
String indexName = IndexNameExpressionResolver.isAllIndices(indicesList(originalIndices)) ? MetaData.ALL : Arrays.toString
(originalIndices);
throw new IndexNotFoundException(indexName);
}
return resolvedIndices;
return finalIndices;
}
private static boolean isIndexVisible(String index, IndicesOptions indicesOptions, MetaData metaData) {
@ -304,6 +319,7 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
if (indexMetaData == null) {
//it's an alias, ignore expandWildcardsOpen and expandWildcardsClosed.
//complicated to support those options with aliases pointing to multiple indices...
//TODO investigate supporting expandWildcards option for aliases too, like es core does.
return true;
}
if (indexMetaData.getState() == IndexMetaData.State.CLOSE && (indicesOptions.expandWildcardsClosed() || dateMathExpression)) {

18
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/OldMonitoringIndicesBackwardsCompatibilityIT.java
View File

@ -13,7 +13,6 @@ import org.elasticsearch.common.network.NetworkModule;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.monitoring.resolver.MonitoringIndexNameResolver;
@ -96,19 +95,10 @@ public class OldMonitoringIndicesBackwardsCompatibilityIT extends AbstractOldXPa
client().admin().cluster().prepareUpdateSettings().setTransientSettings(settings).get();
}
// Wait for the exporter to come online and add the aliases
long end = TimeUnit.SECONDS.toNanos(30) + System.nanoTime();
SearchResponse firstIndexStats;
while (true) {
try {
firstIndexStats = search(new IndexStatsResolver(MonitoredSystem.ES, Settings.EMPTY), greaterThanOrEqualTo(10L));
break;
} catch (IndexNotFoundException e) {
if (System.nanoTime() - end > 0) {
throw e;
}
}
}
IndexStatsResolver resolver = new IndexStatsResolver(MonitoredSystem.ES, Settings.EMPTY);
assertBusy(() -> assertTrue(client().admin().indices().prepareExists(resolver.indexPattern()).get().isExists()));
SearchResponse firstIndexStats = search(resolver, greaterThanOrEqualTo(10L));
// All the other aliases should have been created by now so we can assert that we have the data we saved in the bwc indexes
SearchResponse firstShards = search(new ShardsResolver(MonitoredSystem.ES, Settings.EMPTY), greaterThanOrEqualTo(10L));
SearchResponse firstIndicesStats = search(new IndicesStatsResolver(MonitoredSystem.ES, Settings.EMPTY), greaterThanOrEqualTo(3L));

21
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/cleaner/local/LocalIndicesCleanerTests.java
View File

@ -5,13 +5,14 @@
*/
package org.elasticsearch.xpack.monitoring.cleaner.local;
import org.elasticsearch.action.admin.indices.settings.get.GetSettingsResponse;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.cluster.metadata.IndexMetaData;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.test.InternalSettingsPlugin;
import org.elasticsearch.xpack.monitoring.exporter.local.LocalExporter;
import org.elasticsearch.xpack.monitoring.cleaner.AbstractIndicesCleanerTestCase;
import org.elasticsearch.xpack.monitoring.exporter.local.LocalExporter;
import org.joda.time.DateTime;
import java.util.ArrayList;
@ -47,15 +48,13 @@ public class LocalIndicesCleanerTests extends AbstractIndicesCleanerTestCase {
@Override
protected void assertIndicesCount(int count) throws Exception {
assertBusy(() -> {
try {
assertThat(client().admin().indices().prepareGetSettings().get().getIndexToSettings().size(), equalTo(count));
} catch (IndexNotFoundException e) {
if (securityEnabled) {
assertThat(0, equalTo(count));
} else {
throw e;
}
}
//we set ignore_unavailable to true for this request as the monitoring index gets deleted concurrently with this assertion
//in some cases. When the plugin security is enabled, it expands wildcards to the existing index, which then gets deleted,
//so when es core gets the request with the explicit index name, it throws an index not found exception as that index
//doesn't exist anymore. If we ignore unavailable instead no error will be thrown.
GetSettingsResponse getSettingsResponse = client().admin().indices().prepareGetSettings()
.setIndicesOptions(IndicesOptions.fromOptions(true, true, true, true)).get();
assertThat(getSettingsResponse.getIndexToSettings().size(), equalTo(count));
});
}
}

8
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStateCollectorTests.java
View File

@ -52,8 +52,8 @@ public class ClusterStateCollectorTests extends AbstractCollectorTestCase {
client().prepareIndex("test", "test").setSource("num", i).get();
}
securedFlush();
securedRefresh();
flush();
refresh();
assertHitCount(client().prepareSearch().setSize(0).get(), nbDocs);
assertMonitoringDocs(newClusterStateCollector().doCollect(), nbShards);
@ -79,8 +79,8 @@ public class ClusterStateCollectorTests extends AbstractCollectorTestCase {
}
}
securedFlush();
securedRefresh();
flush();
refresh();
for (int i = 0; i < nbIndices; i++) {
assertHitCount(client().prepareSearch("test-" + i).setSize(0).get(), docsPerIndex[i]);

25
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollectorTests.java
View File

@ -11,7 +11,6 @@ import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.indices.recovery.RecoveryState;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
@ -123,37 +122,21 @@ public class IndexRecoveryCollectorTests extends AbstractCollectorTestCase {
}
public void testEmptyCluster() throws Exception {
final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(),
Strings.EMPTY_ARRAY));
final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), Strings.EMPTY_ARRAY));
waitForNoBlocksOnNode(node);
try {
assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0));
}
public void testEmptyClusterAllIndices() throws Exception {
final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), MetaData.ALL));
waitForNoBlocksOnNode(node);
try {
assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0));
}
public void testEmptyClusterMissingIndex() throws Exception {
final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), "unknown"));
waitForNoBlocksOnNode(node);
try {
assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0));
}
private IndexRecoveryCollector newIndexRecoveryCollector(String nodeId) {

34
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollectorTests.java
View File

@ -10,7 +10,6 @@ import org.elasticsearch.action.admin.indices.stats.IndexStats;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import org.elasticsearch.xpack.monitoring.MonitoredSystem;
@ -41,34 +40,19 @@ public class IndexStatsCollectorTests extends AbstractCollectorTestCase {
public void testEmptyCluster() throws Exception {
final String node = internalCluster().startNode();
waitForNoBlocksOnNode(node);
try {
assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0));
}
public void testEmptyClusterAllIndices() throws Exception {
final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), MetaData.ALL));
waitForNoBlocksOnNode(node);
try {
assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0));
}
public void testEmptyClusterMissingIndex() throws Exception {
final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), "unknown"));
waitForNoBlocksOnNode(node);
try {
assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0));
}
public void testIndexStatsCollectorOneIndex() throws Exception {
@ -77,15 +61,15 @@ public class IndexStatsCollectorTests extends AbstractCollectorTestCase {
final String indexName = "one-index";
createIndex(indexName);
securedEnsureGreen(indexName);
ensureGreen(indexName);
final int nbDocs = randomIntBetween(1, 20);
for (int i = 0; i < nbDocs; i++) {
client().prepareIndex(indexName, "test").setSource("num", i).get();
}
securedFlush();
securedRefresh();
flush();
refresh();
assertHitCount(client().prepareSearch().setSize(0).get(), nbDocs);
@ -127,7 +111,7 @@ public class IndexStatsCollectorTests extends AbstractCollectorTestCase {
for (int i = 0; i < nbIndices; i++) {
String index = indexPrefix + i;
createIndex(index);
securedEnsureGreen(index);
ensureGreen(index);
docsPerIndex[i] = randomIntBetween(1, 20);
for (int j = 0; j < docsPerIndex[i]; j++) {
@ -135,8 +119,8 @@ public class IndexStatsCollectorTests extends AbstractCollectorTestCase {
}
}
securedFlush();
securedRefresh();
flush();
refresh();
for (int i = 0; i < nbIndices; i++) {
assertHitCount(client().prepareSearch(indexPrefix + i).setSize(0).get(), docsPerIndex[i]);

37
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollectorTests.java
View File

@ -12,7 +12,6 @@ import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import org.elasticsearch.xpack.monitoring.MonitoredSystem;
@ -41,37 +40,19 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
public void testEmptyCluster() throws Exception {
final String node = internalCluster().startNode();
waitForNoBlocksOnNode(node);
try {
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(1));
}
public void testEmptyClusterAllIndices() throws Exception {
final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), MetaData.ALL));
waitForNoBlocksOnNode(node);
try {
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(1));
}
@AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250")
//this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left
//with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too.
public void testEmptyClusterMissingIndex() throws Exception {
final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), "unknown"));
waitForNoBlocksOnNode(node);
try {
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(1));
} catch (IndexNotFoundException e) {
fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector");
}
assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(1));
}
public void testIndicesStatsCollectorOneIndex() throws Exception {
@ -80,7 +61,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
final String indexName = "one-index";
createIndex(indexName);
securedEnsureGreen(indexName);
ensureGreen(indexName);
final int nbDocs = randomIntBetween(1, 20);
@ -88,8 +69,8 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
client().prepareIndex(indexName, "test").setSource("num", i).get();
}
securedFlush();
securedRefresh();
flush();
refresh();
assertHitCount(client().prepareSearch().setSize(0).get(), nbDocs);
@ -124,7 +105,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
for (int i = 0; i < nbIndices; i++) {
String index = indexPrefix + i;
createIndex(index);
securedEnsureGreen(index);
ensureGreen(index);
docsPerIndex[i] = randomIntBetween(1, 20);
for (int j = 0; j < docsPerIndex[i]; j++) {
@ -132,8 +113,8 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase {
}
}
securedFlush();
securedRefresh();
flush();
refresh();
for (int i = 0; i < nbIndices; i++) {
assertHitCount(client().prepareSearch(indexPrefix + i).setSize(0).get(), docsPerIndex[i]);

6
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/shards/ShardsCollectorTests.java
View File

@ -50,8 +50,8 @@ public class ShardsCollectorTests extends AbstractCollectorTestCase {
}
waitForRelocation();
securedEnsureGreen();
securedRefresh();
ensureGreen();
refresh();
assertHitCount(client().prepareSearch().setSize(0).get(), nbDocs);
@ -108,7 +108,7 @@ public class ShardsCollectorTests extends AbstractCollectorTestCase {
}
waitForRelocation();
securedRefresh();
refresh();
int totalShards = 0;
for (int i = 0; i < nbIndices; i++) {

8
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/exporter/local/LocalExporterTests.java
View File

@ -67,7 +67,7 @@ public class LocalExporterTests extends MonitoringIntegTestCase {
.put("xpack.monitoring.exporters._local.type", LocalExporter.TYPE)
.put("xpack.monitoring.exporters._local.enabled", true)
.build());
securedEnsureGreen();
ensureGreen();
logger.debug("--> exporting a single monitoring doc");
export(Collections.singletonList(newRandomMonitoringDoc()));
@ -97,7 +97,7 @@ public class LocalExporterTests extends MonitoringIntegTestCase {
internalCluster().startNode(Settings.builder()
.put("xpack.monitoring.exporters._local.type", LocalExporter.TYPE)
.build());
securedEnsureGreen();
ensureGreen();
// start collecting
updateMonitoringInterval(3L, TimeUnit.SECONDS);
@ -113,7 +113,7 @@ public class LocalExporterTests extends MonitoringIntegTestCase {
.put("xpack.monitoring.exporters._local.type", LocalExporter.TYPE)
.put("xpack.monitoring.exporters._local." + LocalExporter.INDEX_NAME_TIME_FORMAT_SETTING, timeFormat)
.build());
securedEnsureGreen();
ensureGreen();
LocalExporter exporter = getLocalExporter("_local");
@ -146,7 +146,7 @@ public class LocalExporterTests extends MonitoringIntegTestCase {
.put("xpack.monitoring.exporters._local.type", LocalExporter.TYPE)
.put("xpack.monitoring.exporters._local.enabled", true)
.build());
securedEnsureGreen();
ensureGreen();
logger.debug("--> exporting a single monitoring doc");
export(Collections.singletonList(newRandomMonitoringDoc()));

6
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterInfoTests.java
View File

@ -57,7 +57,7 @@ public class ClusterInfoTests extends MonitoringIntegTestCase {
}
public void testClusterInfo() throws Exception {
securedEnsureGreen();
ensureGreen();
final String clusterUUID = client().admin().cluster().prepareState().setMetaData(true).get().getState().metaData().clusterUUID();
assertTrue(Strings.hasText(clusterUUID));
@ -136,8 +136,8 @@ public class ClusterInfoTests extends MonitoringIntegTestCase {
waitForMonitoringTemplates();
// check that the cluster_info is not indexed
securedFlush();
securedRefresh();
flush();
refresh();
assertHitCount(client().prepareSearch().setSize(0)
.setIndices(dataIndex)

7
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterStatsTests.java
View File

@ -18,7 +18,6 @@ import org.junit.After;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
@ -56,9 +55,9 @@ public class ClusterStatsTests extends MonitoringIntegTestCase {
index(indices[i], "foo", "1", jsonBuilder().startObject().field("dummy_field", 1).endObject());
}
securedFlush();
securedRefresh();
securedEnsureGreen();
flush();
refresh();
ensureGreen();
// ok.. we'll start collecting now...
updateMonitoringInterval(3L, TimeUnit.SECONDS);

8
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexRecoveryTests.java
View File

@ -58,8 +58,8 @@ public class IndexRecoveryTests extends MonitoringIntegTestCase {
assertBusy(new Runnable() {
@Override
public void run() {
securedFlush();
securedRefresh();
flush();
refresh();
RecoveryResponse recoveries = client().admin().indices().prepareRecoveries().get();
assertThat(recoveries.hasRecoveries(), is(true));
@ -95,8 +95,8 @@ public class IndexRecoveryTests extends MonitoringIntegTestCase {
}
}
securedFlush();
securedRefresh();
flush();
refresh();
logger.debug("--> checking that cluster_uuid field is correctly indexed");
response = client().prepareSearch().setTypes(IndexRecoveryResolver.TYPE).setSize(0).setQuery(existsQuery("cluster_uuid")).get();

9
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexStatsTests.java
View File

@ -17,7 +17,6 @@ import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase;
import org.junit.After;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import static org.hamcrest.Matchers.greaterThan;
@ -59,8 +58,8 @@ public class IndexStatsTests extends MonitoringIntegTestCase {
}
}
securedFlush();
securedRefresh();
flush();
refresh();
updateMonitoringInterval(3L, TimeUnit.SECONDS);
waitForMonitoringIndices();
@ -71,8 +70,8 @@ public class IndexStatsTests extends MonitoringIntegTestCase {
assertBusy(new Runnable() {
@Override
public void run() {
securedFlush(indices);
securedRefresh();
flush(indices);
refresh();
for (int i = 0; i < nbIndices; i++) {
SearchResponse count = client().prepareSearch()
.setSize(0)

4
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndicesStatsTests.java
View File

@ -59,8 +59,8 @@ public class IndicesStatsTests extends MonitoringIntegTestCase {
assertBusy(new Runnable() {
@Override
public void run() {
securedFlush();
securedRefresh();
flush();
refresh();
for (int i = 0; i < nbIndices; i++) {
IndicesStatsResponse indicesStats = client().admin().indices().prepareStats().get();

39
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/MultiNodesStatsTests.java
View File

@ -7,7 +7,6 @@ package org.elasticsearch.xpack.monitoring.resolver.node;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.node.Node;
import org.elasticsearch.search.aggregations.Aggregation;
import org.elasticsearch.search.aggregations.AggregationBuilders;
@ -87,31 +86,27 @@ public class MultiNodesStatsTests extends MonitoringIntegTestCase {
logger.debug("--> checking that every node correctly reported its own node stats");
assertBusy(() -> {
String indices = MONITORING_INDICES_PREFIX + "*";
securedFlush(indices);
securedRefresh();
flush(indices);
refresh();
try {
SearchResponse response = client().prepareSearch(indices)
.setTypes(NodeStatsResolver.TYPE)
.setSize(0)
.addAggregation(AggregationBuilders.terms("nodes_ids").field("node_stats.node_id"))
.get();
SearchResponse response = client().prepareSearch(indices)
.setTypes(NodeStatsResolver.TYPE)
.setSize(0)
.addAggregation(AggregationBuilders.terms("nodes_ids").field("node_stats.node_id"))
.get();
for (Aggregation aggregation : response.getAggregations()) {
assertThat(aggregation, instanceOf(StringTerms.class));
assertThat(((StringTerms) aggregation).getBuckets().size(), equalTo(nbNodes));
for (Aggregation aggregation : response.getAggregations()) {
assertThat(aggregation, instanceOf(StringTerms.class));
assertThat(((StringTerms) aggregation).getBuckets().size(), equalTo(nbNodes));
for (String nodeName : internalCluster().getNodeNames()) {
StringTerms.Bucket bucket = ((StringTerms) aggregation)
.getBucketByKey(internalCluster().clusterService(nodeName).localNode().getId());
// At least 1 doc must exist per node, but it can be more than 1
// because the first node may have already collected many node stats documents
// whereas the last node just started to collect node stats.
assertThat(bucket.getDocCount(), greaterThanOrEqualTo(1L));
}
for (String nodeName : internalCluster().getNodeNames()) {
StringTerms.Bucket bucket = ((StringTerms) aggregation)
.getBucketByKey(internalCluster().clusterService(nodeName).localNode().getId());
// At least 1 doc must exist per node, but it can be more than 1
// because the first node may have already collected many node stats documents
// whereas the last node just started to collect node stats.
assertThat(bucket.getDocCount(), greaterThanOrEqualTo(1L));
}
} catch (IndexNotFoundException e) {
fail("Caught unexpected IndexNotFoundException");
}
});
}

4
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/NodeStatsTests.java
View File

@ -51,8 +51,8 @@ public class NodeStatsTests extends MonitoringIntegTestCase {
client().prepareIndex("test", "foo").setSource("value", randomInt()).get();
}
securedFlush();
securedRefresh();
flush();
refresh();
updateMonitoringInterval(3L, TimeUnit.SECONDS);
waitForMonitoringIndices();

5
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/shards/ShardsTests.java
View File

@ -23,7 +23,6 @@ import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase;
import org.junit.After;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
@ -63,8 +62,8 @@ public class ShardsTests extends MonitoringIntegTestCase {
client().prepareIndex(INDEX_PREFIX + i, "foo").setRefreshPolicy(IMMEDIATE).setSource("field1", "value1").get();
}
securedFlush();
securedRefresh();
flush();
refresh();
updateMonitoringInterval(3L, TimeUnit.SECONDS);
waitForMonitoringIndices();

26
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/security/MonitoringInternalClientTests.java
View File

@ -5,12 +5,9 @@
*/
package org.elasticsearch.xpack.monitoring.security;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequestBuilder;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.monitoring.MonitoringSettings;
import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase;
import org.elasticsearch.xpack.security.InternalClient;
@ -18,7 +15,6 @@ import org.elasticsearch.xpack.security.InternalClient;
import java.util.stream.Collectors;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
import static org.hamcrest.Matchers.is;
public class MonitoringInternalClientTests extends MonitoringIntegTestCase {
@ -60,26 +56,8 @@ public class MonitoringInternalClientTests extends MonitoringIntegTestCase {
assertAccessIsAllowed(internalClient.admin().cluster().prepareGetRepositories());
}
public void assertAccessIsAllowed(ActionRequestBuilder request) {
try {
request.get();
} catch (IndexNotFoundException e) {
// Ok
} catch (ElasticsearchSecurityException e) {
fail("unexpected security exception: " + e.getMessage());
}
}
public void assertAccessIsDenied(ActionRequestBuilder request) {
try {
request.get();
fail("expected a security exception");
} catch (IndexNotFoundException e) {
// Ok
} catch (ElasticsearchSecurityException e) {
// expected
assertThat(e.status(), is(RestStatus.FORBIDDEN));
}
private static void assertAccessIsAllowed(ActionRequestBuilder request) {
request.get();
}
/**

96
elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java
View File

@ -236,15 +236,7 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase {
}
protected void deleteMonitoringIndices() {
if (securityEnabled) {
try {
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
} catch (IndexNotFoundException e) {
// if security couldn't resolve any monitoring index, it'll throw index not found exception.
}
} else {
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
}
assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*"));
}
protected void awaitMonitoringDocsCount(Matcher<Long> matcher, String... types) throws Exception {
@ -252,31 +244,14 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase {
}
protected void ensureMonitoringIndicesYellow() {
if (securityEnabled) {
try {
ensureYellow(".monitoring-es-*");
} catch (IndexNotFoundException e) {
// might happen with security...
}
} else {
ensureYellow(".monitoring-es-*");
}
ensureYellow(".monitoring-es-*");
}
protected void assertMonitoringDocsCount(Matcher<Long> matcher, String... types) {
try {
securedFlushAndRefresh(MONITORING_INDICES_PREFIX + "*");
long count = client().prepareSearch(MONITORING_INDICES_PREFIX + "*")
.setSize(0).setTypes(types).get().getHits().totalHits();
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
assertThat(count, matcher);
} catch (IndexNotFoundException e) {
if (securityEnabled) {
assertThat(0L, matcher);
} else {
throw e;
}
}
flushAndRefresh(MONITORING_INDICES_PREFIX + "*");
long count = client().prepareSearch(MONITORING_INDICES_PREFIX + "*").setSize(0).setTypes(types).get().getHits().totalHits();
logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count);
assertThat(count, matcher);
}
protected List<Tuple<String, String>> monitoringTemplates() {
@ -322,16 +297,7 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase {
protected void awaitIndexExists(final String index) throws Exception {
assertBusy(() -> {
try {
assertIndicesExists(index);
} catch (IndexNotFoundException e) {
if (securityEnabled) {
// with security we might get that if wildcards were resolved to no indices
fail("IndexNotFoundException when checking for existence of index [" + index + "]");
} else {
throw e;
}
}
assertIndicesExists(index);
}, 30, TimeUnit.SECONDS);
}
@ -348,54 +314,6 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase {
assertAcked(client().admin().cluster().prepareUpdateSettings().setTransientSettings(settings));
}
protected void securedRefresh() {
if (securityEnabled) {
try {
refresh();
} catch (IndexNotFoundException e) {
// with security we might get that if wildcards were resolved to no indices
}
} else {
refresh();
}
}
protected void securedFlush(String... indices) {
if (securityEnabled) {
try {
flush(indices);
} catch (IndexNotFoundException e) {
// with security we might get that if wildcards were resolved to no indices
}
} else {
flush(indices);
}
}
protected void securedFlushAndRefresh(String... indices) {
if (securityEnabled) {
try {
flushAndRefresh(indices);
} catch (IndexNotFoundException e) {
// with security we might get that if wildcards were resolved to no indices
}
} else {
flushAndRefresh(indices);
}
}
protected void securedEnsureGreen(String... indices) {
if (securityEnabled) {
try {
ensureGreen(indices);
} catch (IndexNotFoundException e) {
// with security we might get that if wildcards were resolved to no indices
}
} else {
ensureGreen(indices);
}
}
/**
* Checks if a field exist in a map of values. If the field contains a dot like 'foo.bar'
* it checks that 'foo' exists in the map of values and that it points to a sub-map. Then

40
elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
View File

@ -43,6 +43,8 @@ import org.elasticsearch.action.search.SearchAction;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchScrollAction;
import org.elasticsearch.action.search.SearchScrollRequest;
import org.elasticsearch.action.search.SearchTransportService;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.action.termvectors.TermVectorsAction;
import org.elasticsearch.action.termvectors.TermVectorsRequest;
import org.elasticsearch.action.update.UpdateAction;
@ -55,7 +57,6 @@ import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.action.search.SearchTransportService;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.threadpool.ThreadPool;
@ -65,6 +66,8 @@ import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.Authentication.RealmRef;
import org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler;
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.security.authz.indicesresolver.DefaultIndicesAndAliasesResolver;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.authz.permission.SuperuserRole;
import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
@ -222,6 +225,41 @@ public class AuthorizationServiceTests extends ESTestCase {
}
}
public void testSearchAgainstEmptyCluster() {
User user = new User("test user", "a_all");
when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build());
ClusterState state = mock(ClusterState.class);
when(clusterService.state()).thenReturn(state);
when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA);
{
//ignore_unavailable set to false, user is not authorized for this index nor does it exist
SearchRequest searchRequest = new SearchRequest("does_not_exist")
.indicesOptions(IndicesOptions.fromOptions(false, true, true, false));
try {
authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest);
fail("indices request for b should be denied since there is no such index");
} catch (ElasticsearchSecurityException e) {
assertAuthorizationException(e, containsString("action [" + SearchAction.NAME + "] is unauthorized for user [test user]"));
verify(auditTrail).accessDenied(user, SearchAction.NAME, searchRequest);
verifyNoMoreInteractions(auditTrail);
}
}
{
//ignore_unavailable and allow_no_indices both set to true, user is not authorized for this index nor does it exist
SearchRequest searchRequest = new SearchRequest("does_not_exist")
.indicesOptions(IndicesOptions.fromOptions(true, true, true, false));
authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest);
verify(auditTrail).accessGranted(user, SearchAction.NAME, searchRequest);
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY);
IndicesAccessControl.IndexAccessControl indexAccessControl =
indicesAccessControl.getIndexPermissions(DefaultIndicesAndAliasesResolver.NO_INDEX);
assertFalse(indexAccessControl.getFieldPermissions().hasFieldLevelSecurity());
assertNull(indexAccessControl.getQueries());
}
}
public void testScrollRelatedRequestsAllowed() {
User user = new User("test user", "a_all");
when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build());

90
elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java
View File

@ -182,15 +182,13 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
assertThat(e.toString(), containsString("[_all]"));
}
try {
client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias").setIndices("test_*")
.setIndicesOptions(IndicesOptions.strictExpand()).get();
fail("get alias should have failed due to missing manage_aliases privileges");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[test_*]"));
}
GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias")
.setIndices("test_*").setIndicesOptions(IndicesOptions.strictExpand()).get();
assertEquals(0, getAliasesResponse.getAliases().size());
try {
//this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias
//and there is no way to "allow_no_aliases" like we can do with indices.
client().filterWithHeader(headers).admin().indices().prepareGetAliases().get();
fail("get alias should have failed due to missing manage_aliases privileges");
} catch(IndexNotFoundException e) {
@ -202,13 +200,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
//user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though
Map<String, String> headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only",
new SecuredString("test123".toCharArray())));
try {
client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1").setIndices("test_1")
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
fail("get alias should have failed due empty set of indices after indices resolution");
} catch(IndexNotFoundException e) {
assertEquals("no such index", e.getMessage());
}
GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1")
.setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
assertEquals(0, getAliasesResponse.getAliases().size());
try {
client().filterWithHeader(headers).admin().indices().prepareGetAliases("_all").setIndices("test_1")
@ -226,15 +221,13 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
assertEquals("no such index", e.getMessage());
}
try {
client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias").setIndices("test_*")
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
fail("get alias should have failed due empty set of indices after indices resolution");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[test_*]"));
}
getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias")
.setIndices("test_*").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
assertEquals(0, getAliasesResponse.getAliases().size());
try {
//this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias
//and there is no way to "allow_no_aliases" like we can do with indices.
client().filterWithHeader(headers).admin().indices().prepareGetAliases()
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
fail("get alias should have failed due to missing manage_aliases privileges");
@ -518,21 +511,14 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_alias]"));
}
try {
//fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
client.admin().indices().prepareGetAliases().setIndices("test_*").setAliases("test_alias").get();
fail("get alias should have failed due to missing manage_aliases privileges on test_*");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[test_*]"));
}
//user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases()
.setIndices("test_*").setAliases("test_alias").get();
assertEquals(0, getAliasesResponse.getAliases().size());
try {
//fails: no existing indices to replace empty indices (thus _all)
client.admin().indices().prepareGetAliases().setAliases("test_alias").get();
fail("get alias should have failed due to missing manage_aliases privileges on any index");
} catch(IndexNotFoundException e) {
assertThat(e.toString(), containsString("[_all]"));
}
//no existing indices to replace empty indices (thus _all)
getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get();
assertEquals(0, getAliasesResponse.getAliases().size());
try {
//fails: no existing aliases to replace wildcards
@ -712,31 +698,19 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
//user has manage_aliases only permissions on both alias_* and test_*
//ok: manage_aliases on both test_* and alias_*
try {
client.admin().indices().prepareGetAliases("alias_1")
.addIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
fail("Expected IndexNotFoundException");
} catch(IndexNotFoundException e) {
assertEquals("no such index", e.getMessage());
}
GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases("alias_1")
.addIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
assertEquals(0, getAliasesResponse.getAliases().size());
try {
//fails: no manage_aliases privilege on non_authorized alias
client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1")
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
fail("Expected IndexNotFoundException");
} catch(IndexNotFoundException e) {
assertEquals("no such index", e.getMessage());
}
//no manage_aliases privilege on non_authorized alias
getAliasesResponse = client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1")
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
assertEquals(0, getAliasesResponse.getAliases().size());
try {
//fails: no manage_aliases privilege on non_authorized index
client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized")
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
fail("Expected IndexNotFoundException");
} catch(IndexNotFoundException e) {
assertEquals("no such index", e.getMessage());
}
//no manage_aliases privilege on non_authorized index
getAliasesResponse = client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized")
.setIndicesOptions(IndicesOptions.lenientExpandOpen()).get();
assertEquals(0, getAliasesResponse.getAliases().size());
}
private static void assertAliases(GetAliasesRequestBuilder getAliasesRequestBuilder, String index, String... aliases) {

309
elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesResolverTests.java
View File

@ -6,6 +6,7 @@
package org.elasticsearch.xpack.security.authz.indicesresolver;
import org.elasticsearch.Version;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesAction;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest.AliasActions;
@ -110,7 +111,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveEmptyIndicesExpandWilcardsOpenAndClosed() {
SearchRequest request = new SearchRequest();
request.indicesOptions(IndicesOptions.strictExpand());
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, true));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar", "bar-closed", "foofoobar", "foofoo", "foofoo-closed"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -121,7 +122,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveEmptyIndicesExpandWilcardsOpen() {
SearchRequest request = new SearchRequest();
request.indicesOptions(randomFrom(IndicesOptions.strictExpandOpen(), IndicesOptions.lenientExpandOpen()));
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar", "foofoobar", "foofoo"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -132,7 +133,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveAllExpandWilcardsOpenAndClosed() {
SearchRequest request = new SearchRequest("_all");
request.indicesOptions(IndicesOptions.strictExpand());
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, true));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar", "bar-closed", "foofoobar", "foofoo", "foofoo-closed"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -143,7 +144,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveAllExpandWilcardsOpen() {
SearchRequest request = new SearchRequest("_all");
request.indicesOptions(randomFrom(IndicesOptions.strictExpandOpen(), IndicesOptions.lenientExpandOpen()));
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar", "foofoobar", "foofoo"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -154,7 +155,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsStrictExpand() {
SearchRequest request = new SearchRequest("barbaz", "foofoo*");
request.indicesOptions(IndicesOptions.strictExpand());
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, true));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"barbaz", "foofoobar", "foofoo", "foofoo-closed"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -165,7 +166,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsExpandOpenAndClosedIgnoreUnavailable() {
SearchRequest request = new SearchRequest("barbaz", "foofoo*");
request.indicesOptions(IndicesOptions.fromOptions(true, false, true, true));
request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, true));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"foofoobar", "foofoo", "foofoo-closed"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -176,7 +177,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsStrictExpandOpen() {
SearchRequest request = new SearchRequest("barbaz", "foofoo*");
request.indicesOptions(IndicesOptions.strictExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"barbaz", "foofoobar", "foofoo"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -187,7 +188,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsLenientExpandOpen() {
SearchRequest request = new SearchRequest("barbaz", "foofoo*");
request.indicesOptions(IndicesOptions.lenientExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"foofoobar", "foofoo"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -198,7 +199,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsMinusExpandWilcardsOpen() {
SearchRequest request = new SearchRequest("-foofoo*");
request.indicesOptions(randomFrom(IndicesOptions.strictExpandOpen(), IndicesOptions.lenientExpandOpen()));
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -209,7 +210,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsMinusExpandWilcardsOpenAndClosed() {
SearchRequest request = new SearchRequest("-foofoo*");
request.indicesOptions(IndicesOptions.strictExpand());
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, true));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar", "bar-closed"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -220,9 +221,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsPlusAndMinusExpandWilcardsOpenStrict() {
SearchRequest request = new SearchRequest("-foofoo*", "+barbaz", "+foob*");
if (randomBoolean()) {
request.indicesOptions(IndicesOptions.strictExpandOpen());
}
request.indicesOptions(IndicesOptions.fromOptions(false, true, true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar", "barbaz"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -233,7 +232,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsPlusAndMinusExpandWilcardsOpenIgnoreUnavailable() {
SearchRequest request = new SearchRequest("-foofoo*", "+barbaz", "+foob*");
request.indicesOptions(IndicesOptions.lenientExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(true, true, true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -244,7 +243,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsPlusAndMinusExpandWilcardsOpenAndClosedStrict() {
SearchRequest request = new SearchRequest("-foofoo*", "+barbaz");
request.indicesOptions(IndicesOptions.strictExpand());
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, true));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar", "bar-closed", "barbaz"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -255,7 +254,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsPlusAndMinusExpandWilcardsOpenAndClosedIgnoreUnavailable() {
SearchRequest request = new SearchRequest("-foofoo*", "+barbaz");
request.indicesOptions(IndicesOptions.fromOptions(true, false, true, true));
request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, true));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar", "bar-closed"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -264,21 +263,23 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.indices(), arrayContainingInAnyOrder(replacedIndices));
}
public void testResolveNonMatchingIndices() {
public void testResolveNonMatchingIndicesAllowNoIndices() {
SearchRequest request = new SearchRequest("missing*");
try {
defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
fail("Expected IndexNotFoundException");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean()));
assertNoIndices(request, defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
}
public void testResolveNonMatchingIndicesDisallowNoIndices() {
SearchRequest request = new SearchRequest("missing*");
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean()));
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
assertEquals("no such index", e.getMessage());
}
public void testResolveExplicitIndicesStrict() {
SearchRequest request = new SearchRequest("missing", "bar", "barbaz");
if (randomBoolean()) {
request.indicesOptions(IndicesOptions.strictExpandOpenAndForbidClosed());
}
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean()));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"missing", "bar", "barbaz"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -289,7 +290,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveExplicitIndicesIgnoreUnavailable() {
SearchRequest request = new SearchRequest("missing", "bar", "barbaz");
request.indicesOptions(IndicesOptions.lenientExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), randomBoolean(), randomBoolean()));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] replacedIndices = new String[]{"bar"};
assertThat(indices.size(), equalTo(replacedIndices.length));
@ -298,21 +299,23 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.indices(), arrayContainingInAnyOrder(replacedIndices));
}
public void testResolveNoAuthorizedIndices() {
public void testResolveNoAuthorizedIndicesAllowNoIndices() {
SearchRequest request = new SearchRequest();
if (randomBoolean()) {
request.indicesOptions(IndicesOptions.lenientExpandOpen());
}
try {
defaultIndicesResolver.resolve(userNoIndices, SearchAction.NAME, request, metaData);
fail("Expected IndexNotFoundException");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean()));
assertNoIndices(request, defaultIndicesResolver.resolve(userNoIndices, SearchAction.NAME, request, metaData));
}
public void testResolveNoAuthorizedIndicesDisallowNoIndices() {
SearchRequest request = new SearchRequest();
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean()));
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(userNoIndices, SearchAction.NAME, request, metaData));
assertEquals("no such index", e.getMessage());
}
public void testResolveMissingIndexStrict() {
SearchRequest request = new SearchRequest("bar*", "missing");
request.indicesOptions(IndicesOptions.fromOptions(false, true, true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] expectedIndices = new String[]{"bar", "missing"};
assertThat(indices.size(), equalTo(expectedIndices.length));
@ -323,7 +326,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveMissingIndexIgnoreUnavailable() {
SearchRequest request = new SearchRequest("bar*", "missing");
request.indicesOptions(IndicesOptions.lenientExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] expectedIndices = new String[]{"bar"};
assertThat(indices.size(), equalTo(expectedIndices.length));
@ -334,24 +337,28 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveNonMatchingIndicesAndExplicit() {
SearchRequest request = new SearchRequest("missing*", "bar");
if (randomBoolean()) {
request.indicesOptions(randomFrom(IndicesOptions.lenientExpandOpen(), IndicesOptions.strictExpandOpen()));
}
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean()));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] expectedIndices = new String[]{"bar"};
assertThat(indices.toArray(new String[indices.size()]), equalTo(expectedIndices));
assertThat(request.indices(), equalTo(expectedIndices));
}
public void testResolveNoExpand() {
public void testResolveNoExpandStrict() {
SearchRequest request = new SearchRequest("missing*");
request.indicesOptions(IndicesOptions.strictSingleIndexNoExpandForbidClosed());
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), false, false));
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
String[] expectedIndices = new String[]{"missing*"};
assertThat(indices.toArray(new String[indices.size()]), equalTo(expectedIndices));
assertThat(request.indices(), equalTo(expectedIndices));
}
public void testResolveNoExpandIgnoreUnavailable() {
SearchRequest request = new SearchRequest("missing*");
request.indicesOptions(IndicesOptions.fromOptions(true, true, false, false));
assertNoIndices(request, defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
}
public void testResolveIndicesAliasesRequest() {
IndicesAliasesRequest request = new IndicesAliasesRequest();
request.addAliasAction(AliasActions.add().alias("alias1").indices("foo", "foofoo"));
@ -581,9 +588,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveGetAliasesRequestStrict() {
GetAliasesRequest request = new GetAliasesRequest("alias1").indices("foo", "foofoo");
if (randomBoolean()) {
request.indicesOptions(randomFrom(IndicesOptions.strictExpand(), IndicesOptions.strictExpandOpen()));
}
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean()));
Set<String> indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
//the union of all indices and aliases gets returned
String[] expectedIndices = new String[]{"alias1", "foo", "foofoo"};
@ -595,7 +600,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveGetAliasesRequestIgnoreUnavailable() {
GetAliasesRequest request = new GetAliasesRequest("alias1").indices("foo", "foofoo");
request.indicesOptions(IndicesOptions.lenientExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), randomBoolean(), randomBoolean()));
Set<String> indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
String[] expectedIndices = new String[]{"alias1", "foofoo"};
assertThat(indices.size(), equalTo(expectedIndices.length));
@ -606,9 +611,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveGetAliasesRequestMissingIndexStrict() {
GetAliasesRequest request = new GetAliasesRequest();
if (randomBoolean()) {
request.indicesOptions(randomFrom(IndicesOptions.strictExpandOpen(), IndicesOptions.strictExpand()));
}
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, randomBoolean()));
request.indices("missing");
request.aliases("alias2");
Set<String> indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
@ -620,9 +623,9 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.aliases(), arrayContainingInAnyOrder("alias2"));
}
public void testResolveGetAliasesRequestMissingIndexIgnoreUnavailable() {
public void testGetAliasesRequestMissingIndexIgnoreUnavailableDisallowNoIndices() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.lenientExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(true, false, randomBoolean(), randomBoolean()));
request.indices("missing");
request.aliases("alias2");
IndexNotFoundException exception = expectThrows(IndexNotFoundException.class,
@ -630,11 +633,30 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertEquals("no such index", exception.getMessage());
}
public void testGetAliasesRequestMissingIndexIgnoreUnavailableAllowNoIndices() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.fromOptions(true, true, randomBoolean(), randomBoolean()));
request.indices("missing");
request.aliases("alias2");
assertNoIndices(request, defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData));
}
public void testGetAliasesRequestMissingIndexStrict() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean()));
request.indices("missing");
request.aliases("alias2");
Set<String> indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
String[] expectedIndices = new String[]{"alias2", "missing"};
assertThat(indices.size(), equalTo(expectedIndices.length));
assertThat(indices, hasItems(expectedIndices));
assertThat(request.indices(), arrayContainingInAnyOrder("missing"));
assertThat(request.aliases(), arrayContainingInAnyOrder("alias2"));
}
public void testResolveWildcardsGetAliasesRequestStrictExpand() {
GetAliasesRequest request = new GetAliasesRequest();
if (randomBoolean()) {
request.indicesOptions(IndicesOptions.strictExpand());
}
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, true));
request.aliases("alias1");
request.indices("foo*");
Set<String> indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
@ -649,7 +671,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsGetAliasesRequestStrictExpandOpen() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.strictExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, false));
request.aliases("alias1");
request.indices("foo*");
Set<String> indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
@ -664,7 +686,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
public void testResolveWildcardsGetAliasesRequestLenientExpandOpen() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.lenientExpandOpen());
request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, false));
request.aliases("alias1");
request.indices("foo*", "bar", "missing");
Set<String> indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
@ -677,17 +699,22 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.aliases(), arrayContainingInAnyOrder("alias1"));
}
public void testResolveWildcardsGetAliasesRequestNoMatchingIndices() {
public void testWildcardsGetAliasesRequestNoMatchingIndicesDisallowNoIndices() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean()));
request.aliases("alias3");
request.indices("non_matching_*");
//indices get resolved to no indices, request gets rejected
try {
defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
fail("Expected IndexNotFoundException");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData));
assertEquals("no such index", e.getMessage());
}
public void testWildcardsGetAliasesRequestNoMatchingIndicesAllowNoIndices() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean()));
request.aliases("alias3");
request.indices("non_matching_*");
assertNoIndices(request, defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData));
}
public void testResolveAllGetAliasesRequest() {
@ -728,30 +755,41 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.aliases(), arrayContainingInAnyOrder("alias1"));
}
public void testResolveAllGetAliasesRequestNoAuthorizedIndices() {
public void testAllGetAliasesRequestNoAuthorizedIndicesAllowNoIndices() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean()));
request.aliases("alias1");
request.indices("_all");
//current user is not authorized for any index, _all resolves to no indices, the request fails
try {
defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData);
fail("Expected IndexNotFoundException");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
assertNoIndices(request, defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData));
}
public void testResolveWildcardsGetAliasesRequestNoAuthorizedIndices() {
public void testAllGetAliasesRequestNoAuthorizedIndicesDisallowNoIndices() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean()));
request.aliases("alias1");
request.indices("_all");
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData));
assertEquals("no such index", e.getMessage());
}
public void testWildcardsGetAliasesRequestNoAuthorizedIndicesAllowNoIndices() {
GetAliasesRequest request = new GetAliasesRequest();
request.aliases("alias1");
request.indices("foo*");
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean()));
assertNoIndices(request, defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData));
}
public void testWildcardsGetAliasesRequestNoAuthorizedIndicesDisallowNoIndices() {
GetAliasesRequest request = new GetAliasesRequest();
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean()));
request.aliases("alias1");
request.indices("foo*");
//current user is not authorized for any index, foo* resolves to no indices, the request fails
try {
defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData);
fail("Expected IndexNotFoundException");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData));
assertEquals("no such index", e.getMessage());
}
public void testResolveAllAliasesGetAliasesRequest() {
@ -823,12 +861,9 @@ public class DefaultIndicesResolverTests extends ESTestCase {
//no authorized aliases match bar*, hence the request fails
request.aliases("bar*");
request.indices("*bar");
try {
defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData);
fail("Expected IndexNotFoundException");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData));
assertEquals("no such index", e.getMessage());
}
public void testResolveAliasesAllGetAliasesRequestNoAuthorizedIndices() {
@ -838,15 +873,13 @@ public class DefaultIndicesResolverTests extends ESTestCase {
}
request.indices("non_existing");
//current user is not authorized for any index, foo* resolves to no indices, the request fails
try {
defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData);
fail("Expected IndexNotFoundException");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData));
assertEquals("no such index", e.getMessage());
}
//msearch is a CompositeIndicesRequest whose items (SearchRequests) implement IndicesRequest.Replaceable, wildcards will get replaced
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testResolveMultiSearchNoWildcards() {
MultiSearchRequest request = new MultiSearchRequest();
request.add(Requests.searchRequest("foo", "bar"));
@ -859,6 +892,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.subRequests().get(1).indices(), equalTo(new String[]{"bar2"}));
}
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testResolveMultiSearchNoWildcardsMissingIndex() {
MultiSearchRequest request = new MultiSearchRequest();
request.add(Requests.searchRequest("foo", "bar"));
@ -873,6 +907,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.subRequests().get(2).indices(), equalTo(new String[]{"missing"}));
}
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testResolveMultiSearchWildcardsExpandOpen() {
MultiSearchRequest request = new MultiSearchRequest();
request.add(Requests.searchRequest("bar*")).indicesOptions(
@ -886,6 +921,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.subRequests().get(1).indices(), equalTo(new String[]{"foobar"}));
}
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testResolveMultiSearchWildcardsExpandOpenAndClose() {
MultiSearchRequest request = new MultiSearchRequest();
request.add(Requests.searchRequest("bar*").indicesOptions(IndicesOptions.strictExpand()));
@ -898,6 +934,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.subRequests().get(1).indices(), equalTo(new String[]{"foobar"}));
}
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testResolveMultiSearchWildcardsMissingIndex() {
MultiSearchRequest request = new MultiSearchRequest();
request.add(Requests.searchRequest("bar*"));
@ -910,6 +947,7 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(request.subRequests().get(1).indices(), equalTo(new String[]{"missing"}));
}
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testResolveMultiSearchWildcardsNoMatchingIndices() {
MultiSearchRequest request = new MultiSearchRequest();
request.add(Requests.searchRequest("missing*"));
@ -922,6 +960,20 @@ public class DefaultIndicesResolverTests extends ESTestCase {
}
}
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testMultiSearchWildcardsNoAuthorizedIndices() {
MultiSearchRequest request = new MultiSearchRequest();
request.add(Requests.searchRequest("foofoo*"));
request.add(Requests.searchRequest("foobar"));
try {
defaultIndicesResolver.resolve(userNoIndices, MultiSearchAction.NAME, request, metaData);
fail("Expected IndexNotFoundException");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
}
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testResolveMultiSearchWildcardsNoAuthorizedIndices() {
MultiSearchRequest request = new MultiSearchRequest();
request.add(Requests.searchRequest("foofoo*"));
@ -994,37 +1046,63 @@ public class DefaultIndicesResolverTests extends ESTestCase {
assertThat(indices, not(hasItem(SecurityTemplateService.SECURITY_INDEX_NAME)));
}
public void testResolvingDateExpression() {
// the user isn't authorized so resolution should fail
public void testUnauthorizedDateMathExpressionIgnoreUnavailable() {
SearchRequest request = new SearchRequest("<datetime-{now/M}>");
if (randomBoolean()) {
request.indicesOptions(IndicesOptions.strictSingleIndexNoExpandForbidClosed());
}
try {
defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
fail("user is not authorized to see this index");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
request.indicesOptions(IndicesOptions.fromOptions(true, true, randomBoolean(), randomBoolean()));
assertNoIndices(request, defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
}
public void testUnauthorizedDateMathExpressionIgnoreUnavailableDisallowNoIndices() {
SearchRequest request = new SearchRequest("<datetime-{now/M}>");
request.indicesOptions(IndicesOptions.fromOptions(true, false, randomBoolean(), randomBoolean()));
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
assertEquals("no such index" , e.getMessage());
}
public void testUnauthorizedDateMathExpressionStrict() {
SearchRequest request = new SearchRequest("<datetime-{now/M}>");
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean()));
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
assertEquals("no such index" , e.getMessage());
}
public void testResolveDateMathExpression() {
// make the user authorized
String[] authorizedIndices = new String[] { "bar", "bar-closed", "foofoobar", "foofoo", "missing", "foofoo-closed",
indexNameExpressionResolver.resolveDateMathExpression("<datetime-{now/M}>")};
String dateTimeIndex = indexNameExpressionResolver.resolveDateMathExpression("<datetime-{now/M}>");
String[] authorizedIndices = new String[] { "bar", "bar-closed", "foofoobar", "foofoo", "missing", "foofoo-closed", dateTimeIndex};
when(rolesStore.role("role")).thenReturn(Role.builder("role").add(IndexPrivilege.ALL, authorizedIndices).build());
SearchRequest request = new SearchRequest("<datetime-{now/M}>");
if (randomBoolean()) {
request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), randomBoolean(), randomBoolean()));
}
Set<String> indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
assertThat(indices.size(), equalTo(1));
assertThat(request.indices()[0], equalTo(indexNameExpressionResolver.resolveDateMathExpression("<datetime-{now/M}>")));
}
public void testMissingDateExpression() {
public void testMissingDateMathExpressionIgnoreUnavailable() {
SearchRequest request = new SearchRequest("<foobar-{now/M}>");
try {
defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData);
fail("index should not exist");
} catch (IndexNotFoundException e) {
assertThat(e.getMessage(), is("no such index"));
}
request.indicesOptions(IndicesOptions.fromOptions(true, true, randomBoolean(), randomBoolean()));
assertNoIndices(request, defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
}
public void testMissingDateMathExpressionIgnoreUnavailableDisallowNoIndices() {
SearchRequest request = new SearchRequest("<foobar-{now/M}>");
request.indicesOptions(IndicesOptions.fromOptions(true, false, randomBoolean(), randomBoolean()));
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
assertEquals("no such index" , e.getMessage());
}
public void testMissingDateMathExpressionStrict() {
SearchRequest request = new SearchRequest("<foobar-{now/M}>");
request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean()));
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
() -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData));
assertEquals("no such index" , e.getMessage());
}
public void testAliasDateMathExpressionNotSupported() {
@ -1077,4 +1155,11 @@ public class DefaultIndicesResolverTests extends ESTestCase {
.put(IndexMetaData.SETTING_NUMBER_OF_SHARDS, 1)
.put(IndexMetaData.SETTING_NUMBER_OF_REPLICAS, 0));
}
private static void assertNoIndices(IndicesRequest.Replaceable request, Set<String> resolvedIndices) {
assertEquals(1, resolvedIndices.size());
assertEquals(DefaultIndicesAndAliasesResolver.NO_INDEX, resolvedIndices.iterator().next());
assertEquals(1, request.indices().length);
assertEquals(DefaultIndicesAndAliasesResolver.NO_INDEX, request.indices()[0]);
}
}

61
elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/IndicesAndAliasesResolverIntegrationTests.java
View File

@ -21,6 +21,7 @@ import java.util.ArrayList;
import java.util.List;
import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException;
import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoSearchHits;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.hasItems;
@ -57,29 +58,59 @@ public class IndicesAndAliasesResolverIntegrationTests extends SecurityIntegTest
public void testSearchNonAuthorizedWildcard() {
//wildcard doesn't match any authorized index
createIndices("test1", "test2", "index1", "index2");
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("index*").get());
assertNoSearchHits(client().prepareSearch("index*").get());
}
public void testSearchNonAuthorizedWildcardDisallowNoIndices() {
//wildcard doesn't match any authorized index
createIndices("test1", "test2", "index1", "index2");
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("index*")
.setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get());
assertEquals("no such index", e.getMessage());
}
public void testEmptyClusterSearchForAll() {
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch().get());
assertNoSearchHits(client().prepareSearch().get());
}
public void testEmptyClusterSearchForAllDisallowNoIndices() {
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch()
.setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get());
assertEquals("no such index", e.getMessage());
}
public void testEmptyClusterSearchForWildcard() {
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("*").get());
SearchResponse searchResponse = client().prepareSearch("*").get();
assertNoSearchHits(searchResponse);
}
public void testEmptyClusterSearchForWildcardDisallowNoIndices() {
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("*")
.setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get());
assertEquals("no such index", e.getMessage());
}
public void testEmptyAuthorizedIndicesSearchForAll() {
createIndices("index1", "index2");
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch().get());
assertNoSearchHits(client().prepareSearch().get());
}
public void testEmptyAuthorizedIndicesSearchForAllDisallowNoIndices() {
createIndices("index1", "index2");
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch()
.setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get());
assertEquals("no such index", e.getMessage());
}
public void testEmptyAuthorizedIndicesSearchForWildcard() {
createIndices("index1", "index2");
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("*").get());
assertNoSearchHits(client().prepareSearch("*").get());
}
public void testEmptyAuthorizedIndicesSearchForWildcardDisallowNoIndices() {
createIndices("index1", "index2");
IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("*")
.setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get());
assertEquals("no such index", e.getMessage());
}
@ -103,6 +134,21 @@ public class IndicesAndAliasesResolverIntegrationTests extends SecurityIntegTest
assertReturnedIndices(client().prepareSearch("missing", "test*").setIndicesOptions(indicesOptions).get(), "test1", "test2");
assertReturnedIndices(client().prepareSearch("missing_*", "test*").setIndicesOptions(indicesOptions).get(), "test1", "test2");
//an unauthorized index is the same as a missing one
assertNoSearchHits(client().prepareSearch("missing").setIndicesOptions(indicesOptions).get());
assertNoSearchHits(client().prepareSearch("index1").setIndicesOptions(indicesOptions).get());
assertNoSearchHits(client().prepareSearch("missing", "index1").setIndicesOptions(indicesOptions).get());
assertNoSearchHits(client().prepareSearch("does_not_match_any_*").setIndicesOptions(indicesOptions).get());
assertNoSearchHits(client().prepareSearch("does_not_match_any_*", "index1").setIndicesOptions(indicesOptions).get());
assertNoSearchHits(client().prepareSearch("index*").setIndicesOptions(indicesOptions).get());
assertNoSearchHits(client().prepareSearch("index*", "missing").setIndicesOptions(indicesOptions).get());
}
public void testExplicitExclusion() {
@ -145,6 +191,10 @@ public class IndicesAndAliasesResolverIntegrationTests extends SecurityIntegTest
assertReturnedIndices(searchResponse, "test10");
}
public void testMissingDateMath() {
expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("<logstash-{now/M}>").get());
}
public void testMultiSearchUnauthorizedIndex() {
//index1 is not authorized, the whole request fails due to that
createIndices("test1", "test2", "test3", "index1");
@ -171,6 +221,7 @@ public class IndicesAndAliasesResolverIntegrationTests extends SecurityIntegTest
assertThat(multiSearchResponse.getResponses()[1].getFailure().toString(), equalTo("[test4] IndexNotFoundException[no such index]"));
}
@AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection")
public void testMultiSearchWildcard() {
//test4 is missing but authorized, only that specific item fails
createIndices("test1", "test2", "test3", "index1");

6
elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BasicWatcherTests.java
View File

@ -86,9 +86,6 @@ public class BasicWatcherTests extends AbstractWatcherIntegrationTestCase {
assertThat(getWatchResponse.getSource(), notNullValue());
}
@AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250")
//this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left
//with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too.
public void testIndexWatchRegisterWatchBeforeTargetIndex() throws Exception {
WatcherClient watcherClient = watcherClient();
WatcherSearchTemplateRequest searchRequest = templateRequest(searchSource().query(termQuery("field", "value")), "idx");
@ -172,9 +169,6 @@ public class BasicWatcherTests extends AbstractWatcherIntegrationTestCase {
}
}
@AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250")
//this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left
//with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too.
public void testModifyWatches() throws Exception {
WatcherSearchTemplateRequest searchRequest = templateRequest(searchSource().query(matchAllQuery()), "idx");

6
elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java
View File

@ -238,9 +238,6 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase {
assertThat(response.getWatchesCount(), equalTo((long) numWatches));
}
@AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250")
//this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left
//with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too.
@TestLogging("org.elasticsearch.watcher.actions:DEBUG")
public void testTriggeredWatchLoading() throws Exception {
createIndex("output");
@ -298,9 +295,6 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase {
}, 30, TimeUnit.SECONDS);
}
@AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250")
//this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left
//with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too.
public void testMixedTriggeredWatchLoading() throws Exception {
createIndex("output");
WatcherStatsResponse response = watcherClient().prepareWatcherStats().get();

3
elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/WatchMetadataTests.java
View File

@ -73,9 +73,6 @@ public class WatchMetadataTests extends AbstractWatcherIntegrationTestCase {
assertThat(searchResponse.getHits().getTotalHits(), greaterThan(0L));
}
@AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250")
//this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left
//with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too.
public void testWatchMetadataAvailableAtExecution() throws Exception {
Map<String, Object> metadata = new HashMap<>();
metadata.put("foo", "bar");

27
qa/core-rest-tests-with-security/build.gradle
View File

@ -7,34 +7,11 @@ dependencies {
integTest {
includePackaged true
systemProperty 'tests.rest.blacklist',
['indices.get/10_basic/*allow_no_indices*',
'indices.get/10_basic/Missing index should return empty object if ignore_unavailable',
'cat.count/10_basic/Test cat count output',
'cat.aliases/10_basic/Empty cluster',
'indices.segments/10_basic/no segments test',
'indices.clear_cache/10_basic/clear_cache test',
'indices.status/10_basic/Indices status test',
'cat.indices/10_basic/Test cat indices output',
'cat.recovery/10_basic/Test cat recovery output',
'cat.shards/10_basic/Test cat shards output',
'termvector/20_issue7121/*',
['cat.aliases/10_basic/Empty cluster',
'index/10_with_id/Index with ID',
'indices.get_alias/20_emtpy/*',
'cat.segments/10_basic/Test cat segments output',
'indices.put_settings/10_basic/Test indices settings allow_no_indices',
'indices.put_settings/10_basic/Test indices settings ignore_unavailable',
'indices.refresh/10_basic/Indices refresh test no-match wildcard',
'indices.stats/10_index/Index - star*',
'indices.recovery/10_basic/Indices recovery test*',
'indices.shard_stores/10_basic/no indices test',
'cat.nodeattrs/10_basic/Test cat nodes attrs output',
'bulk/40_fields/Fields',
'indices.get_alias/10_basic/Get alias against closed indices',
'ingest/70_bulk/*',
'ingest/10_crud/Check availability of default processors',
'search/80_date_math_index_names/Missing index with catch',
'cat.templates/10_basic/No templates',
'cat.templates/10_basic/Sort templates',
'cat.templates/10_basic/Sort templates'
].join(',')
cluster {