From d27c4bee82c03388730d8ef86d2e4200c8bbf820 Mon Sep 17 00:00:00 2001 From: javanna Date: Fri, 30 Sep 2016 14:41:54 +0200 Subject: [PATCH] Support allowNoIndices option in security plugin Supporting allowNoIndices means that the security plugin has a behaviour much more similar to vanilla es when dealing with wildcard expressions that match no indices, or empty clusters. The default for most request is to allow no indices, but security plugin could only disallow no indices all the time up until now. The technical problem was that when anything gets resolved to an empty set of indices, we couldn't let that go through to es core, as that would become resolved to all indices by es core, which would be a security hole. We have now found a way though to replace an empty set of indices with something that es core will for sure resolve to no indices, so we can let the request through. We simply replace empty indices with '-*'. Multi apis requests (e.g. _msearch) have yet to be fixed, as all their indices end up in the same bucket while they should each be authorized separately, so that every specific item can fail or be let through. Original commit: elastic/x-pack-elasticsearch@0f67a0bfea4a5b37e58ef7fb9729420508b75026 --- .../indices/IndexRecoveryCollector.java | 36 +- .../indices/IndexStatsCollector.java | 62 ++-- .../indices/IndicesStatsCollector.java | 43 +-- .../security/authz/AuthorizationService.java | 9 + .../accesscontrol/IndicesAccessControl.java | 4 + .../DefaultIndicesAndAliasesResolver.java | 134 ++++---- ...toringIndicesBackwardsCompatibilityIT.java | 18 +- .../local/LocalIndicesCleanerTests.java | 21 +- .../cluster/ClusterStateCollectorTests.java | 8 +- .../indices/IndexRecoveryCollectorTests.java | 25 +- .../indices/IndexStatsCollectorTests.java | 34 +- .../indices/IndicesStatsCollectorTests.java | 37 +-- .../shards/ShardsCollectorTests.java | 6 +- .../exporter/local/LocalExporterTests.java | 8 +- .../resolver/cluster/ClusterInfoTests.java | 6 +- .../resolver/cluster/ClusterStatsTests.java | 7 +- .../resolver/indices/IndexRecoveryTests.java | 8 +- .../resolver/indices/IndexStatsTests.java | 9 +- .../resolver/indices/IndicesStatsTests.java | 4 +- .../resolver/node/MultiNodesStatsTests.java | 39 +-- .../resolver/node/NodeStatsTests.java | 4 +- .../resolver/shards/ShardsTests.java | 5 +- .../MonitoringInternalClientTests.java | 26 +- .../test/MonitoringIntegTestCase.java | 96 +----- .../authz/AuthorizationServiceTests.java | 40 ++- .../security/authz/IndexAliasesTests.java | 90 ++--- .../DefaultIndicesResolverTests.java | 309 +++++++++++------- ...cesAndAliasesResolverIntegrationTests.java | 61 +++- .../test/integration/BasicWatcherTests.java | 6 - .../test/integration/BootStrapTests.java | 6 - .../test/integration/WatchMetadataTests.java | 3 - qa/core-rest-tests-with-security/build.gradle | 27 +- 32 files changed, 559 insertions(+), 632 deletions(-) diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollector.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollector.java index da0b40abf79..31c4370fbd7 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollector.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollector.java @@ -10,9 +10,7 @@ import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.client.Client; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.xpack.XPackSettings; import org.elasticsearch.xpack.monitoring.MonitoringSettings; import org.elasticsearch.xpack.monitoring.collector.AbstractCollector; import org.elasticsearch.xpack.monitoring.exporter.MonitoringDoc; @@ -49,29 +47,19 @@ public class IndexRecoveryCollector extends AbstractCollector { @Override protected Collection doCollect() throws Exception { List results = new ArrayList<>(1); - try { - RecoveryResponse recoveryResponse = client.admin().indices().prepareRecoveries() - .setIndices(monitoringSettings.indices()) - .setIndicesOptions(IndicesOptions.lenientExpandOpen()) - .setActiveOnly(monitoringSettings.recoveryActiveOnly()) - .get(monitoringSettings.recoveryTimeout()); + RecoveryResponse recoveryResponse = client.admin().indices().prepareRecoveries() + .setIndices(monitoringSettings.indices()) + .setIndicesOptions(IndicesOptions.lenientExpandOpen()) + .setActiveOnly(monitoringSettings.recoveryActiveOnly()) + .get(monitoringSettings.recoveryTimeout()); - if (recoveryResponse.hasRecoveries()) { - IndexRecoveryMonitoringDoc indexRecoveryDoc = new IndexRecoveryMonitoringDoc(monitoringId(), monitoringVersion()); - indexRecoveryDoc.setClusterUUID(clusterUUID()); - indexRecoveryDoc.setTimestamp(System.currentTimeMillis()); - indexRecoveryDoc.setSourceNode(localNode()); - indexRecoveryDoc.setRecoveryResponse(recoveryResponse); - results.add(indexRecoveryDoc); - } - } catch (IndexNotFoundException e) { - //TODO this if should go away once the empty cluster / empty set of indices behaviour is fixed in the security plugin - if (XPackSettings.SECURITY_ENABLED.get(settings)) { - //&& IndexNameExpressionResolver.isAllIndices(Arrays.asList(monitoringSettings.indices()))) { - logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex()); - } else { - throw e; - } + if (recoveryResponse.hasRecoveries()) { + IndexRecoveryMonitoringDoc indexRecoveryDoc = new IndexRecoveryMonitoringDoc(monitoringId(), monitoringVersion()); + indexRecoveryDoc.setClusterUUID(clusterUUID()); + indexRecoveryDoc.setTimestamp(System.currentTimeMillis()); + indexRecoveryDoc.setSourceNode(localNode()); + indexRecoveryDoc.setRecoveryResponse(recoveryResponse); + results.add(indexRecoveryDoc); } return Collections.unmodifiableCollection(results); } diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollector.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollector.java index e65b616e84e..3a3542068e9 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollector.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollector.java @@ -12,9 +12,7 @@ import org.elasticsearch.client.Client; import org.elasticsearch.cluster.node.DiscoveryNode; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.xpack.XPackSettings; import org.elasticsearch.xpack.monitoring.MonitoringSettings; import org.elasticsearch.xpack.monitoring.collector.AbstractCollector; import org.elasticsearch.xpack.monitoring.exporter.MonitoringDoc; @@ -51,43 +49,33 @@ public class IndexStatsCollector extends AbstractCollector { @Override protected Collection doCollect() throws Exception { List results = new ArrayList<>(); - try { - IndicesStatsResponse indicesStats = client.admin().indices().prepareStats() - .setIndices(monitoringSettings.indices()) - .setIndicesOptions(IndicesOptions.lenientExpandOpen()) - .clear() - .setDocs(true) - .setFieldData(true) - .setIndexing(true) - .setMerge(true) - .setSearch(true) - .setSegments(true) - .setStore(true) - .setRefresh(true) - .setQueryCache(true) - .setRequestCache(true) - .get(monitoringSettings.indexStatsTimeout()); + IndicesStatsResponse indicesStats = client.admin().indices().prepareStats() + .setIndices(monitoringSettings.indices()) + .setIndicesOptions(IndicesOptions.lenientExpandOpen()) + .clear() + .setDocs(true) + .setFieldData(true) + .setIndexing(true) + .setMerge(true) + .setSearch(true) + .setSegments(true) + .setStore(true) + .setRefresh(true) + .setQueryCache(true) + .setRequestCache(true) + .get(monitoringSettings.indexStatsTimeout()); - long timestamp = System.currentTimeMillis(); - String clusterUUID = clusterUUID(); - DiscoveryNode sourceNode = localNode(); + long timestamp = System.currentTimeMillis(); + String clusterUUID = clusterUUID(); + DiscoveryNode sourceNode = localNode(); - for (IndexStats indexStats : indicesStats.getIndices().values()) { - IndexStatsMonitoringDoc indexStatsDoc = new IndexStatsMonitoringDoc(monitoringId(), monitoringVersion()); - indexStatsDoc.setClusterUUID(clusterUUID); - indexStatsDoc.setTimestamp(timestamp); - indexStatsDoc.setSourceNode(sourceNode); - indexStatsDoc.setIndexStats(indexStats); - results.add(indexStatsDoc); - } - } catch (IndexNotFoundException e) { - //TODO this if should go away once the empty cluster / empty set of indices behaviour is fixed in the security plugin - if (XPackSettings.SECURITY_ENABLED.get(settings)) { - //&& IndexNameExpressionResolver.isAllIndices(Arrays.asList(monitoringSettings.indices()))) { - logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex()); - } else { - throw e; - } + for (IndexStats indexStats : indicesStats.getIndices().values()) { + IndexStatsMonitoringDoc indexStatsDoc = new IndexStatsMonitoringDoc(monitoringId(), monitoringVersion()); + indexStatsDoc.setClusterUUID(clusterUUID); + indexStatsDoc.setTimestamp(timestamp); + indexStatsDoc.setSourceNode(sourceNode); + indexStatsDoc.setIndexStats(indexStats); + results.add(indexStatsDoc); } return Collections.unmodifiableCollection(results); } diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollector.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollector.java index 26f406e977a..1b71cc79dab 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollector.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollector.java @@ -10,9 +10,7 @@ import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.client.Client; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.xpack.XPackSettings; import org.elasticsearch.xpack.monitoring.MonitoringSettings; import org.elasticsearch.xpack.monitoring.collector.AbstractCollector; import org.elasticsearch.xpack.monitoring.exporter.MonitoringDoc; @@ -45,32 +43,21 @@ public class IndicesStatsCollector extends AbstractCollector { @Override protected Collection doCollect() throws Exception { - try { - IndicesStatsResponse indicesStats = client.admin().indices().prepareStats() - .setIndices(monitoringSettings.indices()) - .setIndicesOptions(IndicesOptions.lenientExpandOpen()) - .clear() - .setDocs(true) - .setIndexing(true) - .setSearch(true) - .setStore(true) - .get(monitoringSettings.indicesStatsTimeout()); + IndicesStatsResponse indicesStats = client.admin().indices().prepareStats() + .setIndices(monitoringSettings.indices()) + .setIndicesOptions(IndicesOptions.lenientExpandOpen()) + .clear() + .setDocs(true) + .setIndexing(true) + .setSearch(true) + .setStore(true) + .get(monitoringSettings.indicesStatsTimeout()); - IndicesStatsMonitoringDoc indicesStatsDoc = new IndicesStatsMonitoringDoc(monitoringId(), monitoringVersion()); - indicesStatsDoc.setClusterUUID(clusterUUID()); - indicesStatsDoc.setTimestamp(System.currentTimeMillis()); - indicesStatsDoc.setSourceNode(localNode()); - indicesStatsDoc.setIndicesStats(indicesStats); - - return Collections.singletonList(indicesStatsDoc); - } catch (IndexNotFoundException e) { - //TODO this if should go away once the empty cluster / empty set of indices behaviour is fixed in the security plugin - if (XPackSettings.SECURITY_ENABLED.get(settings)) { - //&& IndexNameExpressionResolver.isAllIndices(Arrays.asList(monitoringSettings.indices()))) { - logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex()); - return Collections.emptyList(); - } - throw e; - } + IndicesStatsMonitoringDoc indicesStatsDoc = new IndicesStatsMonitoringDoc(monitoringId(), monitoringVersion()); + indicesStatsDoc.setClusterUUID(clusterUUID()); + indicesStatsDoc.setTimestamp(System.currentTimeMillis()); + indicesStatsDoc.setSourceNode(localNode()); + indicesStatsDoc.setIndicesStats(indicesStats); + return Collections.singletonList(indicesStatsDoc); } } diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java index 1dc602e9d52..babc8869608 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java @@ -253,6 +253,15 @@ public class AuthorizationService extends AbstractComponent { ClusterState clusterState = clusterService.state(); Set indexNames = resolveIndices(authentication, action, request, clusterState); assert !indexNames.isEmpty() : "every indices request needs to have its indices set thus the resolved indices must not be empty"; + + //security plugin is the only responsible for the presence of "-*", as wildcards just got resolved. + //'-*' matches no indices, hence we can simply let it go through, it will yield an empty response. + if (indexNames.size() == 1 && indexNames.contains(DefaultIndicesAndAliasesResolver.NO_INDEX)) { + setIndicesAccessControl(IndicesAccessControl.ALLOW_NO_INDICES); + grant(authentication, action, request); + return; + } + MetaData metaData = clusterState.metaData(); IndicesAccessControl indicesAccessControl = permission.authorize(action, indexNames, metaData); if (!indicesAccessControl.isGranted()) { diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControl.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControl.java index 7fd832ab227..71349af6b79 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControl.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesAccessControl.java @@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.authz.accesscontrol; import org.elasticsearch.common.Nullable; import org.elasticsearch.common.bytes.BytesReference; +import org.elasticsearch.xpack.security.authz.indicesresolver.DefaultIndicesAndAliasesResolver; import org.elasticsearch.xpack.security.authz.permission.FieldPermissions; import java.util.Collections; @@ -22,6 +23,9 @@ import static java.util.Collections.unmodifiableSet; public class IndicesAccessControl { public static final IndicesAccessControl ALLOW_ALL = new IndicesAccessControl(true, Collections.emptyMap()); + public static final IndicesAccessControl ALLOW_NO_INDICES = new IndicesAccessControl(true, + Collections.singletonMap(DefaultIndicesAndAliasesResolver.NO_INDEX, + new IndicesAccessControl.IndexAccessControl(true, new FieldPermissions(), null))); private final boolean granted; private final Map indexPermissions; diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java index 2e06ccd749b..91f160ff690 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesAndAliasesResolver.java @@ -9,6 +9,7 @@ import org.elasticsearch.action.AliasesRequest; import org.elasticsearch.action.CompositeIndicesRequest; import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest; +import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequest; import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest; import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.cluster.metadata.AliasOrIndex; @@ -33,6 +34,9 @@ import java.util.stream.Collectors; public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolver { + public static final String NO_INDEX = "-*"; + private static final List NO_INDICES = Collections.singletonList(NO_INDEX); + private final AuthorizationService authzService; private final IndexNameExpressionResolver nameExpressionResolver; @@ -76,6 +80,7 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv } private Set resolveIndicesAndAliases(User user, String action, IndicesRequest indicesRequest, MetaData metaData) { + boolean indicesReplacedWithNoIndices = false; final Set indices; if (indicesRequest instanceof PutMappingRequest && ((PutMappingRequest) indicesRequest).getConcreteIndex() != null) { @@ -92,16 +97,41 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv final boolean replaceWildcards = indicesRequest.indicesOptions().expandWildcardsOpen() || indicesRequest.indicesOptions().expandWildcardsClosed(); List authorizedIndicesAndAliases = authzService.authorizedIndicesAndAliases(user, action); - List replacedIndices = replaceWildcardsWithAuthorizedIndices(indicesRequest.indices(), - indicesRequest.indicesOptions(), metaData, authorizedIndicesAndAliases, replaceWildcards); - if (indicesRequest.indicesOptions().ignoreUnavailable()) { - //out of all the explicit names (expanded from wildcards and original ones that were left untouched) - //remove all the ones that the current user is not authorized for and ignore them - replacedIndices = replacedIndices.stream().filter(authorizedIndicesAndAliases::contains).collect(Collectors.toList()); - throwExceptionIfNoIndicesWereResolved(indicesRequest.indices(), replacedIndices); + + List replacedIndices = new ArrayList<>(); + // check for all and return list of authorized indices + if (IndexNameExpressionResolver.isAllIndices(indicesList(indicesRequest.indices()))) { + if (replaceWildcards) { + for (String authorizedIndex : authorizedIndicesAndAliases) { + if (isIndexVisible(authorizedIndex, indicesRequest.indicesOptions(), metaData)) { + replacedIndices.add(authorizedIndex); + } + } + } + // if we cannot replace wildcards the indices list stays empty. Same if there are no authorized indices. + // we honour allow_no_indices like es core does. + } else { + replacedIndices = replaceWildcardsWithAuthorizedIndices(indicesRequest.indices(), + indicesRequest.indicesOptions(), metaData, authorizedIndicesAndAliases, replaceWildcards); + if (indicesRequest.indicesOptions().ignoreUnavailable()) { + //out of all the explicit names (expanded from wildcards and original ones that were left untouched) + //remove all the ones that the current user is not authorized for and ignore them + replacedIndices = replacedIndices.stream().filter(authorizedIndicesAndAliases::contains).collect(Collectors.toList()); + } + } + if (replacedIndices.isEmpty()) { + if (indicesRequest.indicesOptions().allowNoIndices()) { + //this is how we tell es core to return an empty response, we can let the request through being sure + //that the '-*' wildcard expression will be resolved to no indices. We can't let empty indices through + //as that would be resolved to _all by es core. + replacedIndices = NO_INDICES; + indicesReplacedWithNoIndices = true; + } else { + throw new IndexNotFoundException(Arrays.toString(indicesRequest.indices())); + } } replaceable.indices(replacedIndices.toArray(new String[replacedIndices.size()])); - indices = Sets.newHashSet(indicesRequest.indices()); + indices = Sets.newHashSet(replacedIndices); } else { assert !containsWildcards(indicesRequest) : "There are no external requests known to support wildcards that don't support replacing their indices"; @@ -118,7 +148,7 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv } if (indicesRequest instanceof AliasesRequest) { - //special treatment for AliasesRequest since we need to replace wildcards among the specified aliases. + //special treatment for AliasesRequest since we need to replace wildcards among the specified aliases too. //AliasesRequest extends IndicesRequest.Replaceable, hence its indices have already been properly replaced. AliasesRequest aliasesRequest = (AliasesRequest) indicesRequest; if (aliasesRequest.expandAliasesWildcards()) { @@ -127,9 +157,16 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv (authorizedIndices, metaData)); aliasesRequest.aliases(aliases.toArray(new String[aliases.size()])); } - Collections.addAll(indices, aliasesRequest.aliases()); + if (indicesReplacedWithNoIndices) { + assert indicesRequest instanceof GetAliasesRequest : GetAliasesRequest.class.getSimpleName() + " is the only known " + + "request implementing " + AliasesRequest.class.getSimpleName() + " that may allow no indices. Found [" + + indicesRequest.getClass().getName() + "] which ended up with an empty set of indices."; + } else { + //if we are returning '-*' we shouldn't be adding the aliases to the list or the request will not get authorized. + //Leave only '-*' and ignore the rest, result will anyway be empty. + Collections.addAll(indices, aliasesRequest.aliases()); + } } - return indices; } @@ -192,24 +229,9 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv return false; } + //TODO Investigate reusing code from vanilla es to resolve index names and wildcards private List replaceWildcardsWithAuthorizedIndices(String[] indices, IndicesOptions indicesOptions, MetaData metaData, List authorizedIndices, boolean replaceWildcards) { - - // check for all and return list of authorized indices - if (IndexNameExpressionResolver.isAllIndices(indicesList(indices))) { - if (replaceWildcards == false) { - // if we cannot replace wildcards, then we should not set all indices - return throwExceptionIfNoIndicesWereResolved(indices, null); - } - List visibleIndices = new ArrayList<>(); - for (String authorizedIndex : authorizedIndices) { - if (isIndexVisible(authorizedIndex, indicesOptions, metaData)) { - visibleIndices.add(authorizedIndex); - } - } - return throwExceptionIfNoIndicesWereResolved(indices, visibleIndices); - } - //the order matters when it comes to + and - (see MetaData#convertFromWildcards) List finalIndices = new ArrayList<>(); for (int i = 0; i < indices.length; i++) { @@ -235,15 +257,22 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv } if (replaceWildcards && Regex.isSimpleMatchPattern(aliasOrIndex)) { + Set resolvedIndices = new HashSet<>(); for (String authorizedIndex : authorizedIndices) { - if (Regex.simpleMatch(aliasOrIndex, authorizedIndex)) { - if (minus) { - finalIndices.remove(authorizedIndex); - } else { - if (isIndexVisible(authorizedIndex, indicesOptions, metaData)) { - finalIndices.add(authorizedIndex); - } - } + if (Regex.simpleMatch(aliasOrIndex, authorizedIndex) && isIndexVisible(authorizedIndex, indicesOptions, metaData)) { + resolvedIndices.add(authorizedIndex); + } + } + if (resolvedIndices.isEmpty()) { + //es core honours allow_no_indices for each wildcard expression, we do the same here by throwing index not found. + if (indicesOptions.allowNoIndices() == false) { + throw new IndexNotFoundException(aliasOrIndex); + } + } else { + if (minus) { + finalIndices.removeAll(resolvedIndices); + } else { + finalIndices.addAll(resolvedIndices); } } } else { @@ -253,21 +282,22 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv // to ensure we catch this if it changes if (dateMathName != aliasOrIndex) { assert dateMathName.equals(aliasOrIndex) == false; - if (authorizedIndices.contains(dateMathName)) { + if (authorizedIndices.contains(dateMathName) && isIndexVisible(dateMathName, indicesOptions, metaData, true)) { if (minus) { finalIndices.remove(dateMathName); } else { - if (isIndexVisible(dateMathName, indicesOptions, metaData, true)) { - finalIndices.add(dateMathName); - } + finalIndices.add(dateMathName); + } + } else { + if (indicesOptions.ignoreUnavailable() == false) { + throw new IndexNotFoundException(dateMathName); } } } else { //MetaData#convertFromWildcards checks if the index exists here and throws IndexNotFoundException if not (based on - // ignore_unavailable). - //Do nothing as if the index is missing but the user is not authorized to it an AuthorizationException will be thrown. - //If the index is missing and the user is authorized to it, core will throw IndexNotFoundException later on. - //There is no problem with deferring this as we are dealing with an explicit name, not with wildcards. + // ignore_unavailable). We only add/remove the index: if the index is missing or the current user is not authorized + // to access it either an AuthorizationException will be thrown later in AuthorizationService, or the index will be + // removed from the list, based on the ignore_unavailable option. if (minus) { finalIndices.remove(aliasOrIndex); } else { @@ -276,22 +306,7 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv } } } - - return throwExceptionIfNoIndicesWereResolved(indices, finalIndices); - } - - private List throwExceptionIfNoIndicesWereResolved(String[] originalIndices, List resolvedIndices) { - //ignore the IndicesOptions#allowNoIndices and just throw exception if the wildcards expansion to authorized - //indices resulted in no indices. This is important as we always need to replace wildcards for security reason, - //to make sure that the operation is executed on the indices that we authorized it to execute on. - //If we can't replace because we got an empty set, we can only throw exception. - //Downside of this is that a single item exception is going to make fail the composite request that holds it as a whole. - if (resolvedIndices == null || resolvedIndices.isEmpty()) { - String indexName = IndexNameExpressionResolver.isAllIndices(indicesList(originalIndices)) ? MetaData.ALL : Arrays.toString - (originalIndices); - throw new IndexNotFoundException(indexName); - } - return resolvedIndices; + return finalIndices; } private static boolean isIndexVisible(String index, IndicesOptions indicesOptions, MetaData metaData) { @@ -304,6 +319,7 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv if (indexMetaData == null) { //it's an alias, ignore expandWildcardsOpen and expandWildcardsClosed. //complicated to support those options with aliases pointing to multiple indices... + //TODO investigate supporting expandWildcards option for aliases too, like es core does. return true; } if (indexMetaData.getState() == IndexMetaData.State.CLOSE && (indicesOptions.expandWildcardsClosed() || dateMathExpression)) { diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/OldMonitoringIndicesBackwardsCompatibilityIT.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/OldMonitoringIndicesBackwardsCompatibilityIT.java index 3d3ba19394e..dff3167ca5c 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/OldMonitoringIndicesBackwardsCompatibilityIT.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/OldMonitoringIndicesBackwardsCompatibilityIT.java @@ -13,7 +13,6 @@ import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.transport.TransportAddress; import org.elasticsearch.common.unit.TimeValue; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.test.SecuritySettingsSource; import org.elasticsearch.xpack.XPackSettings; import org.elasticsearch.xpack.monitoring.resolver.MonitoringIndexNameResolver; @@ -96,19 +95,10 @@ public class OldMonitoringIndicesBackwardsCompatibilityIT extends AbstractOldXPa client().admin().cluster().prepareUpdateSettings().setTransientSettings(settings).get(); } - // Wait for the exporter to come online and add the aliases - long end = TimeUnit.SECONDS.toNanos(30) + System.nanoTime(); - SearchResponse firstIndexStats; - while (true) { - try { - firstIndexStats = search(new IndexStatsResolver(MonitoredSystem.ES, Settings.EMPTY), greaterThanOrEqualTo(10L)); - break; - } catch (IndexNotFoundException e) { - if (System.nanoTime() - end > 0) { - throw e; - } - } - } + IndexStatsResolver resolver = new IndexStatsResolver(MonitoredSystem.ES, Settings.EMPTY); + assertBusy(() -> assertTrue(client().admin().indices().prepareExists(resolver.indexPattern()).get().isExists())); + SearchResponse firstIndexStats = search(resolver, greaterThanOrEqualTo(10L)); + // All the other aliases should have been created by now so we can assert that we have the data we saved in the bwc indexes SearchResponse firstShards = search(new ShardsResolver(MonitoredSystem.ES, Settings.EMPTY), greaterThanOrEqualTo(10L)); SearchResponse firstIndicesStats = search(new IndicesStatsResolver(MonitoredSystem.ES, Settings.EMPTY), greaterThanOrEqualTo(3L)); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/cleaner/local/LocalIndicesCleanerTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/cleaner/local/LocalIndicesCleanerTests.java index a7503bee166..5a6a4f3ea4c 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/cleaner/local/LocalIndicesCleanerTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/cleaner/local/LocalIndicesCleanerTests.java @@ -5,13 +5,14 @@ */ package org.elasticsearch.xpack.monitoring.cleaner.local; +import org.elasticsearch.action.admin.indices.settings.get.GetSettingsResponse; +import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.cluster.metadata.IndexMetaData; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.test.InternalSettingsPlugin; -import org.elasticsearch.xpack.monitoring.exporter.local.LocalExporter; import org.elasticsearch.xpack.monitoring.cleaner.AbstractIndicesCleanerTestCase; +import org.elasticsearch.xpack.monitoring.exporter.local.LocalExporter; import org.joda.time.DateTime; import java.util.ArrayList; @@ -47,15 +48,13 @@ public class LocalIndicesCleanerTests extends AbstractIndicesCleanerTestCase { @Override protected void assertIndicesCount(int count) throws Exception { assertBusy(() -> { - try { - assertThat(client().admin().indices().prepareGetSettings().get().getIndexToSettings().size(), equalTo(count)); - } catch (IndexNotFoundException e) { - if (securityEnabled) { - assertThat(0, equalTo(count)); - } else { - throw e; - } - } + //we set ignore_unavailable to true for this request as the monitoring index gets deleted concurrently with this assertion + //in some cases. When the plugin security is enabled, it expands wildcards to the existing index, which then gets deleted, + //so when es core gets the request with the explicit index name, it throws an index not found exception as that index + //doesn't exist anymore. If we ignore unavailable instead no error will be thrown. + GetSettingsResponse getSettingsResponse = client().admin().indices().prepareGetSettings() + .setIndicesOptions(IndicesOptions.fromOptions(true, true, true, true)).get(); + assertThat(getSettingsResponse.getIndexToSettings().size(), equalTo(count)); }); } } diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStateCollectorTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStateCollectorTests.java index 2203d88f14c..a051643ac4a 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStateCollectorTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStateCollectorTests.java @@ -52,8 +52,8 @@ public class ClusterStateCollectorTests extends AbstractCollectorTestCase { client().prepareIndex("test", "test").setSource("num", i).get(); } - securedFlush(); - securedRefresh(); + flush(); + refresh(); assertHitCount(client().prepareSearch().setSize(0).get(), nbDocs); assertMonitoringDocs(newClusterStateCollector().doCollect(), nbShards); @@ -79,8 +79,8 @@ public class ClusterStateCollectorTests extends AbstractCollectorTestCase { } } - securedFlush(); - securedRefresh(); + flush(); + refresh(); for (int i = 0; i < nbIndices; i++) { assertHitCount(client().prepareSearch("test-" + i).setSize(0).get(), docsPerIndex[i]); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollectorTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollectorTests.java index 9de07e59063..04489e5db3b 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollectorTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexRecoveryCollectorTests.java @@ -11,7 +11,6 @@ import org.elasticsearch.cluster.metadata.MetaData; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.Strings; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.indices.recovery.RecoveryState; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.test.ESIntegTestCase.ClusterScope; @@ -123,37 +122,21 @@ public class IndexRecoveryCollectorTests extends AbstractCollectorTestCase { } public void testEmptyCluster() throws Exception { - final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), - Strings.EMPTY_ARRAY)); + final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), Strings.EMPTY_ARRAY)); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0)); } public void testEmptyClusterAllIndices() throws Exception { final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), MetaData.ALL)); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0)); } public void testEmptyClusterMissingIndex() throws Exception { final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), "unknown")); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndexRecoveryCollector(node).doCollect(), hasSize(0)); } private IndexRecoveryCollector newIndexRecoveryCollector(String nodeId) { diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollectorTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollectorTests.java index 238ed7f2f2c..f0f7f565623 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollectorTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndexStatsCollectorTests.java @@ -10,7 +10,6 @@ import org.elasticsearch.action.admin.indices.stats.IndexStats; import org.elasticsearch.cluster.metadata.MetaData; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.test.ESIntegTestCase.ClusterScope; import org.elasticsearch.xpack.monitoring.MonitoredSystem; @@ -41,34 +40,19 @@ public class IndexStatsCollectorTests extends AbstractCollectorTestCase { public void testEmptyCluster() throws Exception { final String node = internalCluster().startNode(); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0)); } public void testEmptyClusterAllIndices() throws Exception { final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), MetaData.ALL)); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0)); } public void testEmptyClusterMissingIndex() throws Exception { final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), "unknown")); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndexStatsCollector(node).doCollect(), hasSize(0)); } public void testIndexStatsCollectorOneIndex() throws Exception { @@ -77,15 +61,15 @@ public class IndexStatsCollectorTests extends AbstractCollectorTestCase { final String indexName = "one-index"; createIndex(indexName); - securedEnsureGreen(indexName); + ensureGreen(indexName); final int nbDocs = randomIntBetween(1, 20); for (int i = 0; i < nbDocs; i++) { client().prepareIndex(indexName, "test").setSource("num", i).get(); } - securedFlush(); - securedRefresh(); + flush(); + refresh(); assertHitCount(client().prepareSearch().setSize(0).get(), nbDocs); @@ -127,7 +111,7 @@ public class IndexStatsCollectorTests extends AbstractCollectorTestCase { for (int i = 0; i < nbIndices; i++) { String index = indexPrefix + i; createIndex(index); - securedEnsureGreen(index); + ensureGreen(index); docsPerIndex[i] = randomIntBetween(1, 20); for (int j = 0; j < docsPerIndex[i]; j++) { @@ -135,8 +119,8 @@ public class IndexStatsCollectorTests extends AbstractCollectorTestCase { } } - securedFlush(); - securedRefresh(); + flush(); + refresh(); for (int i = 0; i < nbIndices; i++) { assertHitCount(client().prepareSearch(indexPrefix + i).setSize(0).get(), docsPerIndex[i]); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollectorTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollectorTests.java index dd614f53c33..09844ffb411 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollectorTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/indices/IndicesStatsCollectorTests.java @@ -12,7 +12,6 @@ import org.elasticsearch.cluster.metadata.MetaData; import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.Strings; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.test.ESIntegTestCase.ClusterScope; import org.elasticsearch.xpack.monitoring.MonitoredSystem; @@ -41,37 +40,19 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase { public void testEmptyCluster() throws Exception { final String node = internalCluster().startNode(); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(1)); } public void testEmptyClusterAllIndices() throws Exception { final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), MetaData.ALL)); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(securityEnabled ? 0 : 1)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(1)); } - @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250") - //this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left - //with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too. public void testEmptyClusterMissingIndex() throws Exception { final String node = internalCluster().startNode(Settings.builder().put(MonitoringSettings.INDICES.getKey(), "unknown")); waitForNoBlocksOnNode(node); - - try { - assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(1)); - } catch (IndexNotFoundException e) { - fail("IndexNotFoundException has been thrown but it should have been swallowed by the collector"); - } + assertThat(newIndicesStatsCollector(node).doCollect(), hasSize(1)); } public void testIndicesStatsCollectorOneIndex() throws Exception { @@ -80,7 +61,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase { final String indexName = "one-index"; createIndex(indexName); - securedEnsureGreen(indexName); + ensureGreen(indexName); final int nbDocs = randomIntBetween(1, 20); @@ -88,8 +69,8 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase { client().prepareIndex(indexName, "test").setSource("num", i).get(); } - securedFlush(); - securedRefresh(); + flush(); + refresh(); assertHitCount(client().prepareSearch().setSize(0).get(), nbDocs); @@ -124,7 +105,7 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase { for (int i = 0; i < nbIndices; i++) { String index = indexPrefix + i; createIndex(index); - securedEnsureGreen(index); + ensureGreen(index); docsPerIndex[i] = randomIntBetween(1, 20); for (int j = 0; j < docsPerIndex[i]; j++) { @@ -132,8 +113,8 @@ public class IndicesStatsCollectorTests extends AbstractCollectorTestCase { } } - securedFlush(); - securedRefresh(); + flush(); + refresh(); for (int i = 0; i < nbIndices; i++) { assertHitCount(client().prepareSearch(indexPrefix + i).setSize(0).get(), docsPerIndex[i]); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/shards/ShardsCollectorTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/shards/ShardsCollectorTests.java index 0895a64a584..31a46dfad2f 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/shards/ShardsCollectorTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/collector/shards/ShardsCollectorTests.java @@ -50,8 +50,8 @@ public class ShardsCollectorTests extends AbstractCollectorTestCase { } waitForRelocation(); - securedEnsureGreen(); - securedRefresh(); + ensureGreen(); + refresh(); assertHitCount(client().prepareSearch().setSize(0).get(), nbDocs); @@ -108,7 +108,7 @@ public class ShardsCollectorTests extends AbstractCollectorTestCase { } waitForRelocation(); - securedRefresh(); + refresh(); int totalShards = 0; for (int i = 0; i < nbIndices; i++) { diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/exporter/local/LocalExporterTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/exporter/local/LocalExporterTests.java index 8c889830c87..effaa7fdf15 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/exporter/local/LocalExporterTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/exporter/local/LocalExporterTests.java @@ -67,7 +67,7 @@ public class LocalExporterTests extends MonitoringIntegTestCase { .put("xpack.monitoring.exporters._local.type", LocalExporter.TYPE) .put("xpack.monitoring.exporters._local.enabled", true) .build()); - securedEnsureGreen(); + ensureGreen(); logger.debug("--> exporting a single monitoring doc"); export(Collections.singletonList(newRandomMonitoringDoc())); @@ -97,7 +97,7 @@ public class LocalExporterTests extends MonitoringIntegTestCase { internalCluster().startNode(Settings.builder() .put("xpack.monitoring.exporters._local.type", LocalExporter.TYPE) .build()); - securedEnsureGreen(); + ensureGreen(); // start collecting updateMonitoringInterval(3L, TimeUnit.SECONDS); @@ -113,7 +113,7 @@ public class LocalExporterTests extends MonitoringIntegTestCase { .put("xpack.monitoring.exporters._local.type", LocalExporter.TYPE) .put("xpack.monitoring.exporters._local." + LocalExporter.INDEX_NAME_TIME_FORMAT_SETTING, timeFormat) .build()); - securedEnsureGreen(); + ensureGreen(); LocalExporter exporter = getLocalExporter("_local"); @@ -146,7 +146,7 @@ public class LocalExporterTests extends MonitoringIntegTestCase { .put("xpack.monitoring.exporters._local.type", LocalExporter.TYPE) .put("xpack.monitoring.exporters._local.enabled", true) .build()); - securedEnsureGreen(); + ensureGreen(); logger.debug("--> exporting a single monitoring doc"); export(Collections.singletonList(newRandomMonitoringDoc())); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterInfoTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterInfoTests.java index ecbf9a5508b..4ddcb7c519e 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterInfoTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterInfoTests.java @@ -57,7 +57,7 @@ public class ClusterInfoTests extends MonitoringIntegTestCase { } public void testClusterInfo() throws Exception { - securedEnsureGreen(); + ensureGreen(); final String clusterUUID = client().admin().cluster().prepareState().setMetaData(true).get().getState().metaData().clusterUUID(); assertTrue(Strings.hasText(clusterUUID)); @@ -136,8 +136,8 @@ public class ClusterInfoTests extends MonitoringIntegTestCase { waitForMonitoringTemplates(); // check that the cluster_info is not indexed - securedFlush(); - securedRefresh(); + flush(); + refresh(); assertHitCount(client().prepareSearch().setSize(0) .setIndices(dataIndex) diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterStatsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterStatsTests.java index 4596c51628e..d1c9b32d123 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterStatsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/cluster/ClusterStatsTests.java @@ -18,7 +18,6 @@ import org.junit.After; import java.util.Locale; import java.util.Map; -import java.util.Set; import java.util.concurrent.TimeUnit; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; @@ -56,9 +55,9 @@ public class ClusterStatsTests extends MonitoringIntegTestCase { index(indices[i], "foo", "1", jsonBuilder().startObject().field("dummy_field", 1).endObject()); } - securedFlush(); - securedRefresh(); - securedEnsureGreen(); + flush(); + refresh(); + ensureGreen(); // ok.. we'll start collecting now... updateMonitoringInterval(3L, TimeUnit.SECONDS); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexRecoveryTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexRecoveryTests.java index 134ecacd7b3..d2a9714409d 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexRecoveryTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexRecoveryTests.java @@ -58,8 +58,8 @@ public class IndexRecoveryTests extends MonitoringIntegTestCase { assertBusy(new Runnable() { @Override public void run() { - securedFlush(); - securedRefresh(); + flush(); + refresh(); RecoveryResponse recoveries = client().admin().indices().prepareRecoveries().get(); assertThat(recoveries.hasRecoveries(), is(true)); @@ -95,8 +95,8 @@ public class IndexRecoveryTests extends MonitoringIntegTestCase { } } - securedFlush(); - securedRefresh(); + flush(); + refresh(); logger.debug("--> checking that cluster_uuid field is correctly indexed"); response = client().prepareSearch().setTypes(IndexRecoveryResolver.TYPE).setSize(0).setQuery(existsQuery("cluster_uuid")).get(); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexStatsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexStatsTests.java index f25cd2c1f6c..d5c97f58f6f 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexStatsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndexStatsTests.java @@ -17,7 +17,6 @@ import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase; import org.junit.After; import java.util.Map; -import java.util.Set; import java.util.concurrent.TimeUnit; import static org.hamcrest.Matchers.greaterThan; @@ -59,8 +58,8 @@ public class IndexStatsTests extends MonitoringIntegTestCase { } } - securedFlush(); - securedRefresh(); + flush(); + refresh(); updateMonitoringInterval(3L, TimeUnit.SECONDS); waitForMonitoringIndices(); @@ -71,8 +70,8 @@ public class IndexStatsTests extends MonitoringIntegTestCase { assertBusy(new Runnable() { @Override public void run() { - securedFlush(indices); - securedRefresh(); + flush(indices); + refresh(); for (int i = 0; i < nbIndices; i++) { SearchResponse count = client().prepareSearch() .setSize(0) diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndicesStatsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndicesStatsTests.java index 154534d349a..3ecd98e3e90 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndicesStatsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/indices/IndicesStatsTests.java @@ -59,8 +59,8 @@ public class IndicesStatsTests extends MonitoringIntegTestCase { assertBusy(new Runnable() { @Override public void run() { - securedFlush(); - securedRefresh(); + flush(); + refresh(); for (int i = 0; i < nbIndices; i++) { IndicesStatsResponse indicesStats = client().admin().indices().prepareStats().get(); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/MultiNodesStatsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/MultiNodesStatsTests.java index 5e54724e87d..63bd91ebeb9 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/MultiNodesStatsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/MultiNodesStatsTests.java @@ -7,7 +7,6 @@ package org.elasticsearch.xpack.monitoring.resolver.node; import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.node.Node; import org.elasticsearch.search.aggregations.Aggregation; import org.elasticsearch.search.aggregations.AggregationBuilders; @@ -87,31 +86,27 @@ public class MultiNodesStatsTests extends MonitoringIntegTestCase { logger.debug("--> checking that every node correctly reported its own node stats"); assertBusy(() -> { String indices = MONITORING_INDICES_PREFIX + "*"; - securedFlush(indices); - securedRefresh(); + flush(indices); + refresh(); - try { - SearchResponse response = client().prepareSearch(indices) - .setTypes(NodeStatsResolver.TYPE) - .setSize(0) - .addAggregation(AggregationBuilders.terms("nodes_ids").field("node_stats.node_id")) - .get(); + SearchResponse response = client().prepareSearch(indices) + .setTypes(NodeStatsResolver.TYPE) + .setSize(0) + .addAggregation(AggregationBuilders.terms("nodes_ids").field("node_stats.node_id")) + .get(); - for (Aggregation aggregation : response.getAggregations()) { - assertThat(aggregation, instanceOf(StringTerms.class)); - assertThat(((StringTerms) aggregation).getBuckets().size(), equalTo(nbNodes)); + for (Aggregation aggregation : response.getAggregations()) { + assertThat(aggregation, instanceOf(StringTerms.class)); + assertThat(((StringTerms) aggregation).getBuckets().size(), equalTo(nbNodes)); - for (String nodeName : internalCluster().getNodeNames()) { - StringTerms.Bucket bucket = ((StringTerms) aggregation) - .getBucketByKey(internalCluster().clusterService(nodeName).localNode().getId()); - // At least 1 doc must exist per node, but it can be more than 1 - // because the first node may have already collected many node stats documents - // whereas the last node just started to collect node stats. - assertThat(bucket.getDocCount(), greaterThanOrEqualTo(1L)); - } + for (String nodeName : internalCluster().getNodeNames()) { + StringTerms.Bucket bucket = ((StringTerms) aggregation) + .getBucketByKey(internalCluster().clusterService(nodeName).localNode().getId()); + // At least 1 doc must exist per node, but it can be more than 1 + // because the first node may have already collected many node stats documents + // whereas the last node just started to collect node stats. + assertThat(bucket.getDocCount(), greaterThanOrEqualTo(1L)); } - } catch (IndexNotFoundException e) { - fail("Caught unexpected IndexNotFoundException"); } }); } diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/NodeStatsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/NodeStatsTests.java index 16f900cc37c..814247b27af 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/NodeStatsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/node/NodeStatsTests.java @@ -51,8 +51,8 @@ public class NodeStatsTests extends MonitoringIntegTestCase { client().prepareIndex("test", "foo").setSource("value", randomInt()).get(); } - securedFlush(); - securedRefresh(); + flush(); + refresh(); updateMonitoringInterval(3L, TimeUnit.SECONDS); waitForMonitoringIndices(); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/shards/ShardsTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/shards/ShardsTests.java index 1bbc813c870..c71f0133b3d 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/shards/ShardsTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/resolver/shards/ShardsTests.java @@ -23,7 +23,6 @@ import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase; import org.junit.After; import java.util.Map; -import java.util.Set; import java.util.concurrent.TimeUnit; import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE; @@ -63,8 +62,8 @@ public class ShardsTests extends MonitoringIntegTestCase { client().prepareIndex(INDEX_PREFIX + i, "foo").setRefreshPolicy(IMMEDIATE).setSource("field1", "value1").get(); } - securedFlush(); - securedRefresh(); + flush(); + refresh(); updateMonitoringInterval(3L, TimeUnit.SECONDS); waitForMonitoringIndices(); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/security/MonitoringInternalClientTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/security/MonitoringInternalClientTests.java index db0a9b4bfa7..9fdb185f5dc 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/security/MonitoringInternalClientTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/security/MonitoringInternalClientTests.java @@ -5,12 +5,9 @@ */ package org.elasticsearch.xpack.monitoring.security; -import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.action.ActionRequestBuilder; import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.index.IndexNotFoundException; -import org.elasticsearch.rest.RestStatus; import org.elasticsearch.xpack.monitoring.MonitoringSettings; import org.elasticsearch.xpack.monitoring.test.MonitoringIntegTestCase; import org.elasticsearch.xpack.security.InternalClient; @@ -18,7 +15,6 @@ import org.elasticsearch.xpack.security.InternalClient; import java.util.stream.Collectors; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; -import static org.hamcrest.Matchers.is; public class MonitoringInternalClientTests extends MonitoringIntegTestCase { @@ -60,26 +56,8 @@ public class MonitoringInternalClientTests extends MonitoringIntegTestCase { assertAccessIsAllowed(internalClient.admin().cluster().prepareGetRepositories()); } - public void assertAccessIsAllowed(ActionRequestBuilder request) { - try { - request.get(); - } catch (IndexNotFoundException e) { - // Ok - } catch (ElasticsearchSecurityException e) { - fail("unexpected security exception: " + e.getMessage()); - } - } - - public void assertAccessIsDenied(ActionRequestBuilder request) { - try { - request.get(); - fail("expected a security exception"); - } catch (IndexNotFoundException e) { - // Ok - } catch (ElasticsearchSecurityException e) { - // expected - assertThat(e.status(), is(RestStatus.FORBIDDEN)); - } + private static void assertAccessIsAllowed(ActionRequestBuilder request) { + request.get(); } /** diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java index 2ac25f09b97..57d89965e26 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/monitoring/test/MonitoringIntegTestCase.java @@ -236,15 +236,7 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase { } protected void deleteMonitoringIndices() { - if (securityEnabled) { - try { - assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*")); - } catch (IndexNotFoundException e) { - // if security couldn't resolve any monitoring index, it'll throw index not found exception. - } - } else { - assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*")); - } + assertAcked(client().admin().indices().prepareDelete(MONITORING_INDICES_PREFIX + "*")); } protected void awaitMonitoringDocsCount(Matcher matcher, String... types) throws Exception { @@ -252,31 +244,14 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase { } protected void ensureMonitoringIndicesYellow() { - if (securityEnabled) { - try { - ensureYellow(".monitoring-es-*"); - } catch (IndexNotFoundException e) { - // might happen with security... - } - } else { - ensureYellow(".monitoring-es-*"); - } + ensureYellow(".monitoring-es-*"); } protected void assertMonitoringDocsCount(Matcher matcher, String... types) { - try { - securedFlushAndRefresh(MONITORING_INDICES_PREFIX + "*"); - long count = client().prepareSearch(MONITORING_INDICES_PREFIX + "*") - .setSize(0).setTypes(types).get().getHits().totalHits(); - logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count); - assertThat(count, matcher); - } catch (IndexNotFoundException e) { - if (securityEnabled) { - assertThat(0L, matcher); - } else { - throw e; - } - } + flushAndRefresh(MONITORING_INDICES_PREFIX + "*"); + long count = client().prepareSearch(MONITORING_INDICES_PREFIX + "*").setSize(0).setTypes(types).get().getHits().totalHits(); + logger.trace("--> searched for [{}] documents, found [{}]", Strings.arrayToCommaDelimitedString(types), count); + assertThat(count, matcher); } protected List> monitoringTemplates() { @@ -322,16 +297,7 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase { protected void awaitIndexExists(final String index) throws Exception { assertBusy(() -> { - try { - assertIndicesExists(index); - } catch (IndexNotFoundException e) { - if (securityEnabled) { - // with security we might get that if wildcards were resolved to no indices - fail("IndexNotFoundException when checking for existence of index [" + index + "]"); - } else { - throw e; - } - } + assertIndicesExists(index); }, 30, TimeUnit.SECONDS); } @@ -348,54 +314,6 @@ public abstract class MonitoringIntegTestCase extends ESIntegTestCase { assertAcked(client().admin().cluster().prepareUpdateSettings().setTransientSettings(settings)); } - protected void securedRefresh() { - if (securityEnabled) { - try { - refresh(); - } catch (IndexNotFoundException e) { - // with security we might get that if wildcards were resolved to no indices - } - } else { - refresh(); - } - } - - protected void securedFlush(String... indices) { - if (securityEnabled) { - try { - flush(indices); - } catch (IndexNotFoundException e) { - // with security we might get that if wildcards were resolved to no indices - } - } else { - flush(indices); - } - } - - protected void securedFlushAndRefresh(String... indices) { - if (securityEnabled) { - try { - flushAndRefresh(indices); - } catch (IndexNotFoundException e) { - // with security we might get that if wildcards were resolved to no indices - } - } else { - flushAndRefresh(indices); - } - } - - protected void securedEnsureGreen(String... indices) { - if (securityEnabled) { - try { - ensureGreen(indices); - } catch (IndexNotFoundException e) { - // with security we might get that if wildcards were resolved to no indices - } - } else { - ensureGreen(indices); - } - } - /** * Checks if a field exist in a map of values. If the field contains a dot like 'foo.bar' * it checks that 'foo' exists in the map of values and that it points to a sub-map. Then diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java index 6161ddbc354..1f0cd9b8156 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java @@ -43,6 +43,8 @@ import org.elasticsearch.action.search.SearchAction; import org.elasticsearch.action.search.SearchRequest; import org.elasticsearch.action.search.SearchScrollAction; import org.elasticsearch.action.search.SearchScrollRequest; +import org.elasticsearch.action.search.SearchTransportService; +import org.elasticsearch.action.support.IndicesOptions; import org.elasticsearch.action.termvectors.TermVectorsAction; import org.elasticsearch.action.termvectors.TermVectorsRequest; import org.elasticsearch.action.update.UpdateAction; @@ -55,7 +57,6 @@ import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; -import org.elasticsearch.action.search.SearchTransportService; import org.elasticsearch.index.IndexNotFoundException; import org.elasticsearch.test.ESTestCase; import org.elasticsearch.threadpool.ThreadPool; @@ -65,6 +66,8 @@ import org.elasticsearch.xpack.security.audit.AuditTrailService; import org.elasticsearch.xpack.security.authc.Authentication; import org.elasticsearch.xpack.security.authc.Authentication.RealmRef; import org.elasticsearch.xpack.security.authc.DefaultAuthenticationFailureHandler; +import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl; +import org.elasticsearch.xpack.security.authz.indicesresolver.DefaultIndicesAndAliasesResolver; import org.elasticsearch.xpack.security.authz.permission.Role; import org.elasticsearch.xpack.security.authz.permission.SuperuserRole; import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege; @@ -222,6 +225,41 @@ public class AuthorizationServiceTests extends ESTestCase { } } + public void testSearchAgainstEmptyCluster() { + User user = new User("test user", "a_all"); + when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build()); + ClusterState state = mock(ClusterState.class); + when(clusterService.state()).thenReturn(state); + when(state.metaData()).thenReturn(MetaData.EMPTY_META_DATA); + + { + //ignore_unavailable set to false, user is not authorized for this index nor does it exist + SearchRequest searchRequest = new SearchRequest("does_not_exist") + .indicesOptions(IndicesOptions.fromOptions(false, true, true, false)); + try { + authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest); + fail("indices request for b should be denied since there is no such index"); + } catch (ElasticsearchSecurityException e) { + assertAuthorizationException(e, containsString("action [" + SearchAction.NAME + "] is unauthorized for user [test user]")); + verify(auditTrail).accessDenied(user, SearchAction.NAME, searchRequest); + verifyNoMoreInteractions(auditTrail); + } + } + + { + //ignore_unavailable and allow_no_indices both set to true, user is not authorized for this index nor does it exist + SearchRequest searchRequest = new SearchRequest("does_not_exist") + .indicesOptions(IndicesOptions.fromOptions(true, true, true, false)); + authorizationService.authorize(createAuthentication(user), SearchAction.NAME, searchRequest); + verify(auditTrail).accessGranted(user, SearchAction.NAME, searchRequest); + IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY); + IndicesAccessControl.IndexAccessControl indexAccessControl = + indicesAccessControl.getIndexPermissions(DefaultIndicesAndAliasesResolver.NO_INDEX); + assertFalse(indexAccessControl.getFieldPermissions().hasFieldLevelSecurity()); + assertNull(indexAccessControl.getQueries()); + } + } + public void testScrollRelatedRequestsAllowed() { User user = new User("test user", "a_all"); when(rolesStore.role("a_all")).thenReturn(Role.builder("a_role").add(IndexPrivilege.ALL, "a").build()); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java index d2cf2a78fb5..1a402ee469a 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/IndexAliasesTests.java @@ -182,15 +182,13 @@ public class IndexAliasesTests extends SecurityIntegTestCase { assertThat(e.toString(), containsString("[_all]")); } - try { - client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias").setIndices("test_*") - .setIndicesOptions(IndicesOptions.strictExpand()).get(); - fail("get alias should have failed due to missing manage_aliases privileges"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[test_*]")); - } + GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias") + .setIndices("test_*").setIndicesOptions(IndicesOptions.strictExpand()).get(); + assertEquals(0, getAliasesResponse.getAliases().size()); try { + //this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias + //and there is no way to "allow_no_aliases" like we can do with indices. client().filterWithHeader(headers).admin().indices().prepareGetAliases().get(); fail("get alias should have failed due to missing manage_aliases privileges"); } catch(IndexNotFoundException e) { @@ -202,13 +200,10 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //user has create permission only: allows to create indices, manage_aliases is required to retrieve aliases though Map headers = Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("create_only", new SecuredString("test123".toCharArray()))); - try { - client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1").setIndices("test_1") - .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); - fail("get alias should have failed due empty set of indices after indices resolution"); - } catch(IndexNotFoundException e) { - assertEquals("no such index", e.getMessage()); - } + + GetAliasesResponse getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_1") + .setIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); + assertEquals(0, getAliasesResponse.getAliases().size()); try { client().filterWithHeader(headers).admin().indices().prepareGetAliases("_all").setIndices("test_1") @@ -226,15 +221,13 @@ public class IndexAliasesTests extends SecurityIntegTestCase { assertEquals("no such index", e.getMessage()); } - try { - client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias").setIndices("test_*") - .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); - fail("get alias should have failed due empty set of indices after indices resolution"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[test_*]")); - } + getAliasesResponse = client().filterWithHeader(headers).admin().indices().prepareGetAliases("test_alias") + .setIndices("test_*").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); + assertEquals(0, getAliasesResponse.getAliases().size()); try { + //this throws exception no matter what the indices options are because the aliases part cannot be resolved to any alias + //and there is no way to "allow_no_aliases" like we can do with indices. client().filterWithHeader(headers).admin().indices().prepareGetAliases() .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); fail("get alias should have failed due to missing manage_aliases privileges"); @@ -518,21 +511,14 @@ public class IndexAliasesTests extends SecurityIntegTestCase { containsString("action [indices:admin/aliases/get] is unauthorized for user [create_test_aliases_alias]")); } - try { - //fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards - client.admin().indices().prepareGetAliases().setIndices("test_*").setAliases("test_alias").get(); - fail("get alias should have failed due to missing manage_aliases privileges on test_*"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[test_*]")); - } + //user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards + GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases() + .setIndices("test_*").setAliases("test_alias").get(); + assertEquals(0, getAliasesResponse.getAliases().size()); - try { - //fails: no existing indices to replace empty indices (thus _all) - client.admin().indices().prepareGetAliases().setAliases("test_alias").get(); - fail("get alias should have failed due to missing manage_aliases privileges on any index"); - } catch(IndexNotFoundException e) { - assertThat(e.toString(), containsString("[_all]")); - } + //no existing indices to replace empty indices (thus _all) + getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get(); + assertEquals(0, getAliasesResponse.getAliases().size()); try { //fails: no existing aliases to replace wildcards @@ -712,31 +698,19 @@ public class IndexAliasesTests extends SecurityIntegTestCase { //user has manage_aliases only permissions on both alias_* and test_* //ok: manage_aliases on both test_* and alias_* - try { - client.admin().indices().prepareGetAliases("alias_1") - .addIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); - fail("Expected IndexNotFoundException"); - } catch(IndexNotFoundException e) { - assertEquals("no such index", e.getMessage()); - } + GetAliasesResponse getAliasesResponse = client.admin().indices().prepareGetAliases("alias_1") + .addIndices("test_1").setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); + assertEquals(0, getAliasesResponse.getAliases().size()); - try { - //fails: no manage_aliases privilege on non_authorized alias - client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1") - .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); - fail("Expected IndexNotFoundException"); - } catch(IndexNotFoundException e) { - assertEquals("no such index", e.getMessage()); - } + //no manage_aliases privilege on non_authorized alias + getAliasesResponse = client.admin().indices().prepareGetAliases("non_authorized").addIndices("test_1") + .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); + assertEquals(0, getAliasesResponse.getAliases().size()); - try { - //fails: no manage_aliases privilege on non_authorized index - client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized") - .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); - fail("Expected IndexNotFoundException"); - } catch(IndexNotFoundException e) { - assertEquals("no such index", e.getMessage()); - } + //no manage_aliases privilege on non_authorized index + getAliasesResponse = client.admin().indices().prepareGetAliases("alias_1").addIndices("non_authorized") + .setIndicesOptions(IndicesOptions.lenientExpandOpen()).get(); + assertEquals(0, getAliasesResponse.getAliases().size()); } private static void assertAliases(GetAliasesRequestBuilder getAliasesRequestBuilder, String index, String... aliases) { diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesResolverTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesResolverTests.java index 6131e91116e..a75e8a013e8 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesResolverTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/DefaultIndicesResolverTests.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.security.authz.indicesresolver; import org.elasticsearch.Version; +import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesAction; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest.AliasActions; @@ -110,7 +111,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveEmptyIndicesExpandWilcardsOpenAndClosed() { SearchRequest request = new SearchRequest(); - request.indicesOptions(IndicesOptions.strictExpand()); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, true)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar", "bar-closed", "foofoobar", "foofoo", "foofoo-closed"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -121,7 +122,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveEmptyIndicesExpandWilcardsOpen() { SearchRequest request = new SearchRequest(); - request.indicesOptions(randomFrom(IndicesOptions.strictExpandOpen(), IndicesOptions.lenientExpandOpen())); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar", "foofoobar", "foofoo"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -132,7 +133,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveAllExpandWilcardsOpenAndClosed() { SearchRequest request = new SearchRequest("_all"); - request.indicesOptions(IndicesOptions.strictExpand()); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, true)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar", "bar-closed", "foofoobar", "foofoo", "foofoo-closed"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -143,7 +144,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveAllExpandWilcardsOpen() { SearchRequest request = new SearchRequest("_all"); - request.indicesOptions(randomFrom(IndicesOptions.strictExpandOpen(), IndicesOptions.lenientExpandOpen())); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar", "foofoobar", "foofoo"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -154,7 +155,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsStrictExpand() { SearchRequest request = new SearchRequest("barbaz", "foofoo*"); - request.indicesOptions(IndicesOptions.strictExpand()); + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, true)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"barbaz", "foofoobar", "foofoo", "foofoo-closed"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -165,7 +166,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsExpandOpenAndClosedIgnoreUnavailable() { SearchRequest request = new SearchRequest("barbaz", "foofoo*"); - request.indicesOptions(IndicesOptions.fromOptions(true, false, true, true)); + request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, true)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"foofoobar", "foofoo", "foofoo-closed"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -176,7 +177,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsStrictExpandOpen() { SearchRequest request = new SearchRequest("barbaz", "foofoo*"); - request.indicesOptions(IndicesOptions.strictExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"barbaz", "foofoobar", "foofoo"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -187,7 +188,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsLenientExpandOpen() { SearchRequest request = new SearchRequest("barbaz", "foofoo*"); - request.indicesOptions(IndicesOptions.lenientExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"foofoobar", "foofoo"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -198,7 +199,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsMinusExpandWilcardsOpen() { SearchRequest request = new SearchRequest("-foofoo*"); - request.indicesOptions(randomFrom(IndicesOptions.strictExpandOpen(), IndicesOptions.lenientExpandOpen())); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -209,7 +210,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsMinusExpandWilcardsOpenAndClosed() { SearchRequest request = new SearchRequest("-foofoo*"); - request.indicesOptions(IndicesOptions.strictExpand()); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), true, true)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar", "bar-closed"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -220,9 +221,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsPlusAndMinusExpandWilcardsOpenStrict() { SearchRequest request = new SearchRequest("-foofoo*", "+barbaz", "+foob*"); - if (randomBoolean()) { - request.indicesOptions(IndicesOptions.strictExpandOpen()); - } + request.indicesOptions(IndicesOptions.fromOptions(false, true, true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar", "barbaz"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -233,7 +232,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsPlusAndMinusExpandWilcardsOpenIgnoreUnavailable() { SearchRequest request = new SearchRequest("-foofoo*", "+barbaz", "+foob*"); - request.indicesOptions(IndicesOptions.lenientExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(true, true, true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -244,7 +243,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsPlusAndMinusExpandWilcardsOpenAndClosedStrict() { SearchRequest request = new SearchRequest("-foofoo*", "+barbaz"); - request.indicesOptions(IndicesOptions.strictExpand()); + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, true)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar", "bar-closed", "barbaz"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -255,7 +254,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsPlusAndMinusExpandWilcardsOpenAndClosedIgnoreUnavailable() { SearchRequest request = new SearchRequest("-foofoo*", "+barbaz"); - request.indicesOptions(IndicesOptions.fromOptions(true, false, true, true)); + request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, true)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar", "bar-closed"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -264,21 +263,23 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.indices(), arrayContainingInAnyOrder(replacedIndices)); } - public void testResolveNonMatchingIndices() { + public void testResolveNonMatchingIndicesAllowNoIndices() { SearchRequest request = new SearchRequest("missing*"); - try { - defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); - fail("Expected IndexNotFoundException"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean())); + assertNoIndices(request, defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + } + + public void testResolveNonMatchingIndicesDisallowNoIndices() { + SearchRequest request = new SearchRequest("missing*"); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + assertEquals("no such index", e.getMessage()); } public void testResolveExplicitIndicesStrict() { SearchRequest request = new SearchRequest("missing", "bar", "barbaz"); - if (randomBoolean()) { - request.indicesOptions(IndicesOptions.strictExpandOpenAndForbidClosed()); - } + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean())); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"missing", "bar", "barbaz"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -289,7 +290,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveExplicitIndicesIgnoreUnavailable() { SearchRequest request = new SearchRequest("missing", "bar", "barbaz"); - request.indicesOptions(IndicesOptions.lenientExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), randomBoolean(), randomBoolean())); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] replacedIndices = new String[]{"bar"}; assertThat(indices.size(), equalTo(replacedIndices.length)); @@ -298,21 +299,23 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.indices(), arrayContainingInAnyOrder(replacedIndices)); } - public void testResolveNoAuthorizedIndices() { + public void testResolveNoAuthorizedIndicesAllowNoIndices() { SearchRequest request = new SearchRequest(); - if (randomBoolean()) { - request.indicesOptions(IndicesOptions.lenientExpandOpen()); - } - try { - defaultIndicesResolver.resolve(userNoIndices, SearchAction.NAME, request, metaData); - fail("Expected IndexNotFoundException"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean())); + assertNoIndices(request, defaultIndicesResolver.resolve(userNoIndices, SearchAction.NAME, request, metaData)); + } + + public void testResolveNoAuthorizedIndicesDisallowNoIndices() { + SearchRequest request = new SearchRequest(); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(userNoIndices, SearchAction.NAME, request, metaData)); + assertEquals("no such index", e.getMessage()); } public void testResolveMissingIndexStrict() { SearchRequest request = new SearchRequest("bar*", "missing"); + request.indicesOptions(IndicesOptions.fromOptions(false, true, true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] expectedIndices = new String[]{"bar", "missing"}; assertThat(indices.size(), equalTo(expectedIndices.length)); @@ -323,7 +326,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveMissingIndexIgnoreUnavailable() { SearchRequest request = new SearchRequest("bar*", "missing"); - request.indicesOptions(IndicesOptions.lenientExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] expectedIndices = new String[]{"bar"}; assertThat(indices.size(), equalTo(expectedIndices.length)); @@ -334,24 +337,28 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveNonMatchingIndicesAndExplicit() { SearchRequest request = new SearchRequest("missing*", "bar"); - if (randomBoolean()) { - request.indicesOptions(randomFrom(IndicesOptions.lenientExpandOpen(), IndicesOptions.strictExpandOpen())); - } + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean())); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] expectedIndices = new String[]{"bar"}; assertThat(indices.toArray(new String[indices.size()]), equalTo(expectedIndices)); assertThat(request.indices(), equalTo(expectedIndices)); } - public void testResolveNoExpand() { + public void testResolveNoExpandStrict() { SearchRequest request = new SearchRequest("missing*"); - request.indicesOptions(IndicesOptions.strictSingleIndexNoExpandForbidClosed()); + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), false, false)); Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); String[] expectedIndices = new String[]{"missing*"}; assertThat(indices.toArray(new String[indices.size()]), equalTo(expectedIndices)); assertThat(request.indices(), equalTo(expectedIndices)); } + public void testResolveNoExpandIgnoreUnavailable() { + SearchRequest request = new SearchRequest("missing*"); + request.indicesOptions(IndicesOptions.fromOptions(true, true, false, false)); + assertNoIndices(request, defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + } + public void testResolveIndicesAliasesRequest() { IndicesAliasesRequest request = new IndicesAliasesRequest(); request.addAliasAction(AliasActions.add().alias("alias1").indices("foo", "foofoo")); @@ -581,9 +588,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveGetAliasesRequestStrict() { GetAliasesRequest request = new GetAliasesRequest("alias1").indices("foo", "foofoo"); - if (randomBoolean()) { - request.indicesOptions(randomFrom(IndicesOptions.strictExpand(), IndicesOptions.strictExpandOpen())); - } + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean())); Set indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); //the union of all indices and aliases gets returned String[] expectedIndices = new String[]{"alias1", "foo", "foofoo"}; @@ -595,7 +600,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveGetAliasesRequestIgnoreUnavailable() { GetAliasesRequest request = new GetAliasesRequest("alias1").indices("foo", "foofoo"); - request.indicesOptions(IndicesOptions.lenientExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), randomBoolean(), randomBoolean())); Set indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); String[] expectedIndices = new String[]{"alias1", "foofoo"}; assertThat(indices.size(), equalTo(expectedIndices.length)); @@ -606,9 +611,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveGetAliasesRequestMissingIndexStrict() { GetAliasesRequest request = new GetAliasesRequest(); - if (randomBoolean()) { - request.indicesOptions(randomFrom(IndicesOptions.strictExpandOpen(), IndicesOptions.strictExpand())); - } + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, randomBoolean())); request.indices("missing"); request.aliases("alias2"); Set indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); @@ -620,9 +623,9 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.aliases(), arrayContainingInAnyOrder("alias2")); } - public void testResolveGetAliasesRequestMissingIndexIgnoreUnavailable() { + public void testGetAliasesRequestMissingIndexIgnoreUnavailableDisallowNoIndices() { GetAliasesRequest request = new GetAliasesRequest(); - request.indicesOptions(IndicesOptions.lenientExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(true, false, randomBoolean(), randomBoolean())); request.indices("missing"); request.aliases("alias2"); IndexNotFoundException exception = expectThrows(IndexNotFoundException.class, @@ -630,11 +633,30 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertEquals("no such index", exception.getMessage()); } + public void testGetAliasesRequestMissingIndexIgnoreUnavailableAllowNoIndices() { + GetAliasesRequest request = new GetAliasesRequest(); + request.indicesOptions(IndicesOptions.fromOptions(true, true, randomBoolean(), randomBoolean())); + request.indices("missing"); + request.aliases("alias2"); + assertNoIndices(request, defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData)); + } + + public void testGetAliasesRequestMissingIndexStrict() { + GetAliasesRequest request = new GetAliasesRequest(); + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean())); + request.indices("missing"); + request.aliases("alias2"); + Set indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); + String[] expectedIndices = new String[]{"alias2", "missing"}; + assertThat(indices.size(), equalTo(expectedIndices.length)); + assertThat(indices, hasItems(expectedIndices)); + assertThat(request.indices(), arrayContainingInAnyOrder("missing")); + assertThat(request.aliases(), arrayContainingInAnyOrder("alias2")); + } + public void testResolveWildcardsGetAliasesRequestStrictExpand() { GetAliasesRequest request = new GetAliasesRequest(); - if (randomBoolean()) { - request.indicesOptions(IndicesOptions.strictExpand()); - } + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, true)); request.aliases("alias1"); request.indices("foo*"); Set indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); @@ -649,7 +671,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsGetAliasesRequestStrictExpandOpen() { GetAliasesRequest request = new GetAliasesRequest(); - request.indicesOptions(IndicesOptions.strictExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), true, false)); request.aliases("alias1"); request.indices("foo*"); Set indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); @@ -664,7 +686,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { public void testResolveWildcardsGetAliasesRequestLenientExpandOpen() { GetAliasesRequest request = new GetAliasesRequest(); - request.indicesOptions(IndicesOptions.lenientExpandOpen()); + request.indicesOptions(IndicesOptions.fromOptions(true, randomBoolean(), true, false)); request.aliases("alias1"); request.indices("foo*", "bar", "missing"); Set indices = defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); @@ -677,17 +699,22 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.aliases(), arrayContainingInAnyOrder("alias1")); } - public void testResolveWildcardsGetAliasesRequestNoMatchingIndices() { + public void testWildcardsGetAliasesRequestNoMatchingIndicesDisallowNoIndices() { GetAliasesRequest request = new GetAliasesRequest(); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())); request.aliases("alias3"); request.indices("non_matching_*"); - //indices get resolved to no indices, request gets rejected - try { - defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); - fail("Expected IndexNotFoundException"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData)); + assertEquals("no such index", e.getMessage()); + } + + public void testWildcardsGetAliasesRequestNoMatchingIndicesAllowNoIndices() { + GetAliasesRequest request = new GetAliasesRequest(); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean())); + request.aliases("alias3"); + request.indices("non_matching_*"); + assertNoIndices(request, defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData)); } public void testResolveAllGetAliasesRequest() { @@ -728,30 +755,41 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.aliases(), arrayContainingInAnyOrder("alias1")); } - public void testResolveAllGetAliasesRequestNoAuthorizedIndices() { + public void testAllGetAliasesRequestNoAuthorizedIndicesAllowNoIndices() { GetAliasesRequest request = new GetAliasesRequest(); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean())); request.aliases("alias1"); request.indices("_all"); - //current user is not authorized for any index, _all resolves to no indices, the request fails - try { - defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData); - fail("Expected IndexNotFoundException"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + assertNoIndices(request, defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData)); } - public void testResolveWildcardsGetAliasesRequestNoAuthorizedIndices() { + public void testAllGetAliasesRequestNoAuthorizedIndicesDisallowNoIndices() { + GetAliasesRequest request = new GetAliasesRequest(); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())); + request.aliases("alias1"); + request.indices("_all"); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData)); + assertEquals("no such index", e.getMessage()); + } + + public void testWildcardsGetAliasesRequestNoAuthorizedIndicesAllowNoIndices() { GetAliasesRequest request = new GetAliasesRequest(); request.aliases("alias1"); request.indices("foo*"); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), true, true, randomBoolean())); + assertNoIndices(request, defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData)); + } + + public void testWildcardsGetAliasesRequestNoAuthorizedIndicesDisallowNoIndices() { + GetAliasesRequest request = new GetAliasesRequest(); + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())); + request.aliases("alias1"); + request.indices("foo*"); //current user is not authorized for any index, foo* resolves to no indices, the request fails - try { - defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData); - fail("Expected IndexNotFoundException"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData)); + assertEquals("no such index", e.getMessage()); } public void testResolveAllAliasesGetAliasesRequest() { @@ -823,12 +861,9 @@ public class DefaultIndicesResolverTests extends ESTestCase { //no authorized aliases match bar*, hence the request fails request.aliases("bar*"); request.indices("*bar"); - try { - defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData); - fail("Expected IndexNotFoundException"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(user, GetAliasesAction.NAME, request, metaData)); + assertEquals("no such index", e.getMessage()); } public void testResolveAliasesAllGetAliasesRequestNoAuthorizedIndices() { @@ -838,15 +873,13 @@ public class DefaultIndicesResolverTests extends ESTestCase { } request.indices("non_existing"); //current user is not authorized for any index, foo* resolves to no indices, the request fails - try { - defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData); - fail("Expected IndexNotFoundException"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(userNoIndices, GetAliasesAction.NAME, request, metaData)); + assertEquals("no such index", e.getMessage()); } //msearch is a CompositeIndicesRequest whose items (SearchRequests) implement IndicesRequest.Replaceable, wildcards will get replaced + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") public void testResolveMultiSearchNoWildcards() { MultiSearchRequest request = new MultiSearchRequest(); request.add(Requests.searchRequest("foo", "bar")); @@ -859,6 +892,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.subRequests().get(1).indices(), equalTo(new String[]{"bar2"})); } + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") public void testResolveMultiSearchNoWildcardsMissingIndex() { MultiSearchRequest request = new MultiSearchRequest(); request.add(Requests.searchRequest("foo", "bar")); @@ -873,6 +907,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.subRequests().get(2).indices(), equalTo(new String[]{"missing"})); } + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") public void testResolveMultiSearchWildcardsExpandOpen() { MultiSearchRequest request = new MultiSearchRequest(); request.add(Requests.searchRequest("bar*")).indicesOptions( @@ -886,6 +921,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.subRequests().get(1).indices(), equalTo(new String[]{"foobar"})); } + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") public void testResolveMultiSearchWildcardsExpandOpenAndClose() { MultiSearchRequest request = new MultiSearchRequest(); request.add(Requests.searchRequest("bar*").indicesOptions(IndicesOptions.strictExpand())); @@ -898,6 +934,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.subRequests().get(1).indices(), equalTo(new String[]{"foobar"})); } + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") public void testResolveMultiSearchWildcardsMissingIndex() { MultiSearchRequest request = new MultiSearchRequest(); request.add(Requests.searchRequest("bar*")); @@ -910,6 +947,7 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(request.subRequests().get(1).indices(), equalTo(new String[]{"missing"})); } + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") public void testResolveMultiSearchWildcardsNoMatchingIndices() { MultiSearchRequest request = new MultiSearchRequest(); request.add(Requests.searchRequest("missing*")); @@ -922,6 +960,20 @@ public class DefaultIndicesResolverTests extends ESTestCase { } } + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") + public void testMultiSearchWildcardsNoAuthorizedIndices() { + MultiSearchRequest request = new MultiSearchRequest(); + request.add(Requests.searchRequest("foofoo*")); + request.add(Requests.searchRequest("foobar")); + try { + defaultIndicesResolver.resolve(userNoIndices, MultiSearchAction.NAME, request, metaData); + fail("Expected IndexNotFoundException"); + } catch (IndexNotFoundException e) { + assertThat(e.getMessage(), is("no such index")); + } + } + + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") public void testResolveMultiSearchWildcardsNoAuthorizedIndices() { MultiSearchRequest request = new MultiSearchRequest(); request.add(Requests.searchRequest("foofoo*")); @@ -994,37 +1046,63 @@ public class DefaultIndicesResolverTests extends ESTestCase { assertThat(indices, not(hasItem(SecurityTemplateService.SECURITY_INDEX_NAME))); } - public void testResolvingDateExpression() { - // the user isn't authorized so resolution should fail + public void testUnauthorizedDateMathExpressionIgnoreUnavailable() { SearchRequest request = new SearchRequest(""); - if (randomBoolean()) { - request.indicesOptions(IndicesOptions.strictSingleIndexNoExpandForbidClosed()); - } - try { - defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); - fail("user is not authorized to see this index"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + request.indicesOptions(IndicesOptions.fromOptions(true, true, randomBoolean(), randomBoolean())); + assertNoIndices(request, defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + } + public void testUnauthorizedDateMathExpressionIgnoreUnavailableDisallowNoIndices() { + SearchRequest request = new SearchRequest(""); + request.indicesOptions(IndicesOptions.fromOptions(true, false, randomBoolean(), randomBoolean())); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + assertEquals("no such index" , e.getMessage()); + } + + public void testUnauthorizedDateMathExpressionStrict() { + SearchRequest request = new SearchRequest(""); + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean())); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + assertEquals("no such index" , e.getMessage()); + } + + public void testResolveDateMathExpression() { // make the user authorized - String[] authorizedIndices = new String[] { "bar", "bar-closed", "foofoobar", "foofoo", "missing", "foofoo-closed", - indexNameExpressionResolver.resolveDateMathExpression("")}; + String dateTimeIndex = indexNameExpressionResolver.resolveDateMathExpression(""); + String[] authorizedIndices = new String[] { "bar", "bar-closed", "foofoobar", "foofoo", "missing", "foofoo-closed", dateTimeIndex}; when(rolesStore.role("role")).thenReturn(Role.builder("role").add(IndexPrivilege.ALL, authorizedIndices).build()); + SearchRequest request = new SearchRequest(""); + if (randomBoolean()) { + request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), randomBoolean(), randomBoolean())); + } Set indices = defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); assertThat(indices.size(), equalTo(1)); assertThat(request.indices()[0], equalTo(indexNameExpressionResolver.resolveDateMathExpression(""))); } - public void testMissingDateExpression() { + public void testMissingDateMathExpressionIgnoreUnavailable() { SearchRequest request = new SearchRequest(""); - try { - defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData); - fail("index should not exist"); - } catch (IndexNotFoundException e) { - assertThat(e.getMessage(), is("no such index")); - } + request.indicesOptions(IndicesOptions.fromOptions(true, true, randomBoolean(), randomBoolean())); + assertNoIndices(request, defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + } + + public void testMissingDateMathExpressionIgnoreUnavailableDisallowNoIndices() { + SearchRequest request = new SearchRequest(""); + request.indicesOptions(IndicesOptions.fromOptions(true, false, randomBoolean(), randomBoolean())); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + assertEquals("no such index" , e.getMessage()); + } + + public void testMissingDateMathExpressionStrict() { + SearchRequest request = new SearchRequest(""); + request.indicesOptions(IndicesOptions.fromOptions(false, randomBoolean(), randomBoolean(), randomBoolean())); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, + () -> defaultIndicesResolver.resolve(user, SearchAction.NAME, request, metaData)); + assertEquals("no such index" , e.getMessage()); } public void testAliasDateMathExpressionNotSupported() { @@ -1077,4 +1155,11 @@ public class DefaultIndicesResolverTests extends ESTestCase { .put(IndexMetaData.SETTING_NUMBER_OF_SHARDS, 1) .put(IndexMetaData.SETTING_NUMBER_OF_REPLICAS, 0)); } + + private static void assertNoIndices(IndicesRequest.Replaceable request, Set resolvedIndices) { + assertEquals(1, resolvedIndices.size()); + assertEquals(DefaultIndicesAndAliasesResolver.NO_INDEX, resolvedIndices.iterator().next()); + assertEquals(1, request.indices().length); + assertEquals(DefaultIndicesAndAliasesResolver.NO_INDEX, request.indices()[0]); + } } diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/IndicesAndAliasesResolverIntegrationTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/IndicesAndAliasesResolverIntegrationTests.java index a8725dc89ba..ec6a76ee60c 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/IndicesAndAliasesResolverIntegrationTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/authz/indicesresolver/IndicesAndAliasesResolverIntegrationTests.java @@ -21,6 +21,7 @@ import java.util.ArrayList; import java.util.List; import static org.elasticsearch.test.SecurityTestsUtils.assertAuthorizationException; +import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoSearchHits; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasItems; @@ -57,29 +58,59 @@ public class IndicesAndAliasesResolverIntegrationTests extends SecurityIntegTest public void testSearchNonAuthorizedWildcard() { //wildcard doesn't match any authorized index createIndices("test1", "test2", "index1", "index2"); - IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("index*").get()); + assertNoSearchHits(client().prepareSearch("index*").get()); + } + + public void testSearchNonAuthorizedWildcardDisallowNoIndices() { + //wildcard doesn't match any authorized index + createIndices("test1", "test2", "index1", "index2"); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("index*") + .setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get()); assertEquals("no such index", e.getMessage()); } public void testEmptyClusterSearchForAll() { - IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch().get()); + assertNoSearchHits(client().prepareSearch().get()); + } + + public void testEmptyClusterSearchForAllDisallowNoIndices() { + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch() + .setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get()); assertEquals("no such index", e.getMessage()); } public void testEmptyClusterSearchForWildcard() { - IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("*").get()); + SearchResponse searchResponse = client().prepareSearch("*").get(); + assertNoSearchHits(searchResponse); + } + + public void testEmptyClusterSearchForWildcardDisallowNoIndices() { + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("*") + .setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get()); assertEquals("no such index", e.getMessage()); } public void testEmptyAuthorizedIndicesSearchForAll() { createIndices("index1", "index2"); - IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch().get()); + assertNoSearchHits(client().prepareSearch().get()); + } + + public void testEmptyAuthorizedIndicesSearchForAllDisallowNoIndices() { + createIndices("index1", "index2"); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch() + .setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get()); assertEquals("no such index", e.getMessage()); } public void testEmptyAuthorizedIndicesSearchForWildcard() { createIndices("index1", "index2"); - IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("*").get()); + assertNoSearchHits(client().prepareSearch("*").get()); + } + + public void testEmptyAuthorizedIndicesSearchForWildcardDisallowNoIndices() { + createIndices("index1", "index2"); + IndexNotFoundException e = expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("*") + .setIndicesOptions(IndicesOptions.fromOptions(randomBoolean(), false, true, randomBoolean())).get()); assertEquals("no such index", e.getMessage()); } @@ -103,6 +134,21 @@ public class IndicesAndAliasesResolverIntegrationTests extends SecurityIntegTest assertReturnedIndices(client().prepareSearch("missing", "test*").setIndicesOptions(indicesOptions).get(), "test1", "test2"); assertReturnedIndices(client().prepareSearch("missing_*", "test*").setIndicesOptions(indicesOptions).get(), "test1", "test2"); + + //an unauthorized index is the same as a missing one + assertNoSearchHits(client().prepareSearch("missing").setIndicesOptions(indicesOptions).get()); + + assertNoSearchHits(client().prepareSearch("index1").setIndicesOptions(indicesOptions).get()); + + assertNoSearchHits(client().prepareSearch("missing", "index1").setIndicesOptions(indicesOptions).get()); + + assertNoSearchHits(client().prepareSearch("does_not_match_any_*").setIndicesOptions(indicesOptions).get()); + + assertNoSearchHits(client().prepareSearch("does_not_match_any_*", "index1").setIndicesOptions(indicesOptions).get()); + + assertNoSearchHits(client().prepareSearch("index*").setIndicesOptions(indicesOptions).get()); + + assertNoSearchHits(client().prepareSearch("index*", "missing").setIndicesOptions(indicesOptions).get()); } public void testExplicitExclusion() { @@ -145,6 +191,10 @@ public class IndicesAndAliasesResolverIntegrationTests extends SecurityIntegTest assertReturnedIndices(searchResponse, "test10"); } + public void testMissingDateMath() { + expectThrows(IndexNotFoundException.class, () -> client().prepareSearch("").get()); + } + public void testMultiSearchUnauthorizedIndex() { //index1 is not authorized, the whole request fails due to that createIndices("test1", "test2", "test3", "index1"); @@ -171,6 +221,7 @@ public class IndicesAndAliasesResolverIntegrationTests extends SecurityIntegTest assertThat(multiSearchResponse.getResponses()[1].getFailure().toString(), equalTo("[test4] IndexNotFoundException[no such index]")); } + @AwaitsFix(bugUrl = "multi requests endpoints need fixing, we shouldn't merge all the indices in one collection") public void testMultiSearchWildcard() { //test4 is missing but authorized, only that specific item fails createIndices("test1", "test2", "test3", "index1"); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BasicWatcherTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BasicWatcherTests.java index a152b171900..55f3b8cf043 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BasicWatcherTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BasicWatcherTests.java @@ -86,9 +86,6 @@ public class BasicWatcherTests extends AbstractWatcherIntegrationTestCase { assertThat(getWatchResponse.getSource(), notNullValue()); } - @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250") - //this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left - //with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too. public void testIndexWatchRegisterWatchBeforeTargetIndex() throws Exception { WatcherClient watcherClient = watcherClient(); WatcherSearchTemplateRequest searchRequest = templateRequest(searchSource().query(termQuery("field", "value")), "idx"); @@ -172,9 +169,6 @@ public class BasicWatcherTests extends AbstractWatcherIntegrationTestCase { } } - @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250") - //this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left - //with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too. public void testModifyWatches() throws Exception { WatcherSearchTemplateRequest searchRequest = templateRequest(searchSource().query(matchAllQuery()), "idx"); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java index 0abdf8d1d46..74b36ec3ce4 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java @@ -238,9 +238,6 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase { assertThat(response.getWatchesCount(), equalTo((long) numWatches)); } - @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250") - //this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left - //with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too. @TestLogging("org.elasticsearch.watcher.actions:DEBUG") public void testTriggeredWatchLoading() throws Exception { createIndex("output"); @@ -298,9 +295,6 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase { }, 30, TimeUnit.SECONDS); } - @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250") - //this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left - //with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too. public void testMixedTriggeredWatchLoading() throws Exception { createIndex("output"); WatcherStatsResponse response = watcherClient().prepareWatcherStats().get(); diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/WatchMetadataTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/WatchMetadataTests.java index 5ebdb245632..b618026b3bd 100644 --- a/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/WatchMetadataTests.java +++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/watcher/test/integration/WatchMetadataTests.java @@ -73,9 +73,6 @@ public class WatchMetadataTests extends AbstractWatcherIntegrationTestCase { assertThat(searchResponse.getHits().getTotalHits(), greaterThan(0L)); } - @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/1250") - //this test is temporarily disabled. The security plugin honours now ignore_unavailable, but whenever there's a request left - //with an empty set of indices it throws exception. This will be fixed once security plugin honours allow_no_indices too. public void testWatchMetadataAvailableAtExecution() throws Exception { Map metadata = new HashMap<>(); metadata.put("foo", "bar"); diff --git a/qa/core-rest-tests-with-security/build.gradle b/qa/core-rest-tests-with-security/build.gradle index f0069def3c1..7b18fbd3fa4 100644 --- a/qa/core-rest-tests-with-security/build.gradle +++ b/qa/core-rest-tests-with-security/build.gradle @@ -7,34 +7,11 @@ dependencies { integTest { includePackaged true systemProperty 'tests.rest.blacklist', - ['indices.get/10_basic/*allow_no_indices*', - 'indices.get/10_basic/Missing index should return empty object if ignore_unavailable', - 'cat.count/10_basic/Test cat count output', - 'cat.aliases/10_basic/Empty cluster', - 'indices.segments/10_basic/no segments test', - 'indices.clear_cache/10_basic/clear_cache test', - 'indices.status/10_basic/Indices status test', - 'cat.indices/10_basic/Test cat indices output', - 'cat.recovery/10_basic/Test cat recovery output', - 'cat.shards/10_basic/Test cat shards output', - 'termvector/20_issue7121/*', + ['cat.aliases/10_basic/Empty cluster', 'index/10_with_id/Index with ID', - 'indices.get_alias/20_emtpy/*', - 'cat.segments/10_basic/Test cat segments output', - 'indices.put_settings/10_basic/Test indices settings allow_no_indices', - 'indices.put_settings/10_basic/Test indices settings ignore_unavailable', - 'indices.refresh/10_basic/Indices refresh test no-match wildcard', - 'indices.stats/10_index/Index - star*', - 'indices.recovery/10_basic/Indices recovery test*', - 'indices.shard_stores/10_basic/no indices test', - 'cat.nodeattrs/10_basic/Test cat nodes attrs output', - 'bulk/40_fields/Fields', 'indices.get_alias/10_basic/Get alias against closed indices', - 'ingest/70_bulk/*', - 'ingest/10_crud/Check availability of default processors', - 'search/80_date_math_index_names/Missing index with catch', 'cat.templates/10_basic/No templates', - 'cat.templates/10_basic/Sort templates', + 'cat.templates/10_basic/Sort templates' ].join(',') cluster {