From d44ba28d27f5115159e891ad514bc5345c77aa9f Mon Sep 17 00:00:00 2001
From: Jay Modi
Date: Fri, 23 Sep 2016 10:12:24 -0400
Subject: [PATCH] security: always create the IPFilter in a node

When running as a node, we check the `xpack.security.transport.filter.enabled` setting to see if we should create the IPFilter but this check is not really correct. The HTTP filter could be enabled or a profile filter could be enabled so there are times when we may not be filtering connections when we should. Additionally, since we do not bind the IPFilter to a null provider, Guice will try to create one during startup to inject into the security transport. This results in an exception and startup fails.

This change always creates the IPFilter when running as a node. This IPFilter has its own settings and logic to determine whether it should be filtering on a given network transport.

Closes elastic/elasticsearch#3592

Original commit: elastic/x-pack-elasticsearch@95c25651c40b7669d5487b4041bc42204c65df3b
---
 .../org/elasticsearch/xpack/security/Security.java | 6 ++----
 .../security/transport/filter/IPFilterTests.java | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
index b77b43566ad..cfbb7399d4b 100644
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -330,10 +330,8 @@ public class Security implements ActionPlugin, IngestPlugin, NetworkPlugin {
 components.add(new SecurityLifecycleService(settings, clusterService, threadPool, indexAuditTrail, nativeUsersStore, nativeRolesStore, client));
- if (IPFilter.IP_FILTER_ENABLED_SETTING.get(settings)) {
- ipFilter.set(new IPFilter(settings, auditTrailService, clusterService.getClusterSettings(), licenseState));
- components.add(ipFilter.get());
- }
+ ipFilter.set(new IPFilter(settings, auditTrailService, clusterService.getClusterSettings(), licenseState));
+ components.add(ipFilter.get());
 securityIntercepter.set(new SecurityServerTransportInterceptor(settings, threadPool, authcService, authzService, licenseState, sslService));
 return components;
diff --git a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
index 12a368a02d9..19ba97e619b 100644
--- a/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
+++ b/elasticsearch/x-pack/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
@@ -15,10 +15,13 @@ import org.elasticsearch.common.transport.InetSocketTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.http.HttpServerTransport;
 import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.node.MockNode;
+import org.elasticsearch.node.Node;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.junit.annotations.Network;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportSettings;
+import org.elasticsearch.xpack.XPackPlugin;
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.junit.Before;
 import org.mockito.ArgumentCaptor;
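Review bot: Nothing at the new `ipFilter.set(...)` line records why the `IP_FILTER_ENABLED_SETTING` guard must not come back, and the old guard was a fail-open bug (filtering silently skipped when only the HTTP or a profile filter was enabled), so a comment would protect the fix: `// Always create the IPFilter: whether a given transport/profile is filtered is decided by its own settings, and the security transport needs a non-null instance to inject.` The filter is now also handed `clusterService.getClusterSettings()` even when every filter flag is off, which presumably registers its dynamic-setting consumers for the node's lifetime; worth confirming that is intended. The enclosing method starts and ends outside the hunk.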
@@ -235,6 +238,17 @@ public class IPFilterTests extends ESTestCase {
 assertAddressIsDeniedForProfile("default", "8.8.8.8");
 }
 
+ public void testThatNodeStartsWithIPFilterDisabled() throws Exception {
+ Settings settings = Settings.builder()
+ .put("path.home", createTempDir())
+ .put("xpack.security.transport.filter.enabled", randomBoolean())
+ .put("xpack.security.http.filter.enabled", randomBoolean())
+ .build();
+ try (Node node = new MockNode(settings, Collections.singletonList(XPackPlugin.class))) {
+ assertNotNull(node);
+ }
+ }
+
 private void assertAddressIsAllowedForProfile(String profile, String ... inetAddresses) {
 for (String inetAddress : inetAddresses) {
 String message = String.format(Locale.ROOT, "Expected address %s to be allowed", inetAddress);
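Review bot: The name `testThatNodeStartsWithIPFilterDisabled` does not match the body: both filter flags are `randomBoolean()`, so the case also runs with filtering enabled, and the node is only constructed, never started; `assertNotNull(node)` on a reference the constructor just returned cannot fail, so the only effective check is that construction does not throw. Rename it to something like `testThatNodeConstructsRegardlessOfIPFilterSettings` and replace the assertion with a comment stating the intent, e.g. `// regression test: node construction must not fail for any combination of the transport/http filter flags, since the IPFilter is now always created`. Because the bug being fixed was fail-open, a stronger test would assert that the filter is actually present in the constructed node when one of the flags is enabled, and the profile-level filter settings the commit message mentions are not exercised here at all. The hunk uses `Collections` without adding an import, so it is presumably already imported further up the file.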