security: always create the IPFilter in a node

When running as a node, we check the `xpack.security.transport.filter.enabled` setting to see
if we should create the IPFilter, but this check alone is not sufficient. The HTTP filter or a
profile filter could be enabled independently, so there are times when we may not be filtering connections
when we should. Additionally, since we do not bind the IPFilter to a null provider, Guice will try to create
one during startup to inject into the security transport. This results in an exception and startup fails.

This change always creates the IPFilter when running as a node. This IPFilter has its own settings and
logic to determine whether it should be filtering on a given network transport.

Closes elastic/elasticsearch#3592

Original commit: elastic/x-pack-elasticsearch@95c25651c4
This commit is contained in:
Jay Modi 2016-09-23 10:12:24 -04:00 committed by GitHub
parent 7557168a0a
commit d44ba28d27
2 changed files with 16 additions and 4 deletions


@ -330,10 +330,8 @@ public class Security implements ActionPlugin, IngestPlugin, NetworkPlugin {
components.add(new SecurityLifecycleService(settings, clusterService, threadPool, indexAuditTrail,
nativeUsersStore, nativeRolesStore, client));
if (IPFilter.IP_FILTER_ENABLED_SETTING.get(settings)) {
ipFilter.set(new IPFilter(settings, auditTrailService, clusterService.getClusterSettings(), licenseState));
components.add(ipFilter.get());
}
ipFilter.set(new IPFilter(settings, auditTrailService, clusterService.getClusterSettings(), licenseState));
components.add(ipFilter.get());
securityIntercepter.set(new SecurityServerTransportInterceptor(settings, threadPool, authcService, authzService, licenseState,
sslService));
return components;
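Review bot: The unconditional `ipFilter.set(...)` / `components.add(ipFilter.get())` pair on the new lines reads, out of context, like an accidental loss of the removed `IP_FILTER_ENABLED_SETTING` guard, and nothing in the code records why that setting is no longer consulted here. A short comment above the two lines would keep a later maintainer from reintroducing the conditional, e.g. `// Always create the IPFilter: it consults the transport/http/profile filter settings itself, and the security transport needs a bound instance to inject.` The enclosing method (presumably the component-creation method, judging by the `return components;`) starts outside the hunk, so I cannot see whether `ipFilter` is a set-once holder that would throw on a second call.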


@ -15,10 +15,13 @@ import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.node.MockNode;
import org.elasticsearch.node.Node;
import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.test.junit.annotations.Network;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportSettings;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.junit.Before;
import org.mockito.ArgumentCaptor;
@ -235,6 +238,17 @@ public class IPFilterTests extends ESTestCase {
assertAddressIsDeniedForProfile("default", "8.8.8.8");
}
public void testThatNodeStartsWithIPFilterDisabled() throws Exception {
Settings settings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.security.transport.filter.enabled", randomBoolean())
.put("xpack.security.http.filter.enabled", randomBoolean())
.build();
try (Node node = new MockNode(settings, Collections.singletonList(XPackPlugin.class))) {
assertNotNull(node);
}
}
private void assertAddressIsAllowedForProfile(String profile, String ... inetAddresses) {
for (String inetAddress : inetAddresses) {
String message = String.format(Locale.ROOT, "Expected address %s to be allowed", inetAddress);
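Review bot: `assertNotNull(node)` in testThatNodeStartsWithIPFilterDisabled can never fail, since a constructor call does not yield null, so the test only proves that constructing the MockNode does not throw; and the name says "Disabled" while both filter settings come from `randomBoolean()`, so the regression case that motivated the commit (transport filter disabled) is exercised in only a fraction of runs. Consider pinning the transport setting, `.put("xpack.security.transport.filter.enabled", false)`, or looping over both values, and renaming the test to describe what it checks, e.g. `testThatNodeStartsRegardlessOfIPFilterSettings`. If the Guice injection into the security transport that the commit description mentions happens only when the node is started rather than constructed, the test never reaches it either; calling `node.start()` inside the try-with-resources would cover that path, though I cannot confirm from this hunk where the injection occurs.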