fix shield settings to not rely on iteration order

This removes the use of the group setting for `shield.` and introduces some individual settings
and some narrower group settings that should not overlap, so that a change in iteration order
no longer causes issues.

See elastic/elasticsearch#1520

Original commit: elastic/x-pack-elasticsearch@193e937193
jaymode 2016-02-21 10:10:21 -08:00
parent 64e4ccf9a0
commit d9ca4e0ce3
9 changed files with 46 additions and 21 deletions


@ -39,11 +39,8 @@ processTestResources.dependsOn(createKey)
ext.pluginsCount = 1 // we install xpack explicitly ext.pluginsCount = 1 // we install xpack explicitly
project.rootProject.subprojects.findAll { it.path.startsWith(':plugins:') }.each { subproj -> project.rootProject.subprojects.findAll { it.path.startsWith(':plugins:') }.each { subproj ->
// need to get a non-decorated project object, so must re-lookup the project by path // need to get a non-decorated project object, so must re-lookup the project by path
// FIXME - fix shield settings to not rely on iteration order so this doesn't break! integTest.cluster.plugin(subproj.name, project(subproj.path))
if (subproj.name.equals("discovery-ec2") == false) { pluginsCount += 1
integTest.cluster.plugin(subproj.name, project(subproj.path))
pluginsCount += 1
}
} }
integTest { integTest {


@ -9,11 +9,8 @@ dependencies {
ext.pluginsCount = 1 // we install xpack explicitly ext.pluginsCount = 1 // we install xpack explicitly
project.rootProject.subprojects.findAll { it.path.startsWith(':plugins:') }.each { subproj -> project.rootProject.subprojects.findAll { it.path.startsWith(':plugins:') }.each { subproj ->
// need to get a non-decorated project object, so must re-lookup the project by path // need to get a non-decorated project object, so must re-lookup the project by path
// FIXME - fix shield settings to not rely on iteration order so this doesn't break! integTest.cluster.plugin(subproj.name, project(subproj.path))
if (subproj.name.equals("discovery-ec2") == false) { pluginsCount += 1
integTest.cluster.plugin(subproj.name, project(subproj.path))
pluginsCount += 1
}
} }
integTest { integTest {


@ -58,7 +58,6 @@ public class LicensesServiceClusterTests extends AbstractLicensesIntegrationTest
private Settings.Builder nodeSettingsBuilder(int nodeOrdinal) { private Settings.Builder nodeSettingsBuilder(int nodeOrdinal) {
return Settings.builder() return Settings.builder()
.put(super.nodeSettings(nodeOrdinal)) .put(super.nodeSettings(nodeOrdinal))
.put("plugins.load_classpath_plugins", false)
.put("node.data", true) .put("node.data", true)
// this setting is only used in tests // this setting is only used in tests
.put("_trial_license_duration_in_seconds", 9) .put("_trial_license_duration_in_seconds", 9)


@ -32,7 +32,6 @@ public class MonitoringF {
Settings.Builder settings = Settings.builder(); Settings.Builder settings = Settings.builder();
settings.put("script.inline", "true"); settings.put("script.inline", "true");
settings.put("security.manager.enabled", "false"); settings.put("security.manager.enabled", "false");
settings.put("plugins.load_classpath_plugins", "false");
settings.put("cluster.name", MonitoringF.class.getSimpleName()); settings.put("cluster.name", MonitoringF.class.getSimpleName());
settings.put("xpack.monitoring.agent.interval", "5s"); settings.put("xpack.monitoring.agent.interval", "5s");
if (!CollectionUtils.isEmpty(args)) { if (!CollectionUtils.isEmpty(args)) {


@ -419,7 +419,6 @@ public abstract class MarvelIntegTestCase extends ESIntegTestCase {
.put("shield.authc.realms.esusers.files.users", writeFile(folder, "users", USERS)) .put("shield.authc.realms.esusers.files.users", writeFile(folder, "users", USERS))
.put("shield.authc.realms.esusers.files.users_roles", writeFile(folder, "users_roles", USER_ROLES)) .put("shield.authc.realms.esusers.files.users_roles", writeFile(folder, "users_roles", USER_ROLES))
.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES)) .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES))
.put("shield.transport.n2n.ip_filter.file", writeFile(folder, "ip_filter.yml", IP_FILTER))
.put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey)) .put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
.put("shield.authc.sign_user_header", false) .put("shield.authc.sign_user_header", false)
.put("shield.audit.enabled", auditLogsEnabled) .put("shield.audit.enabled", auditLogsEnabled)


@ -77,6 +77,7 @@ import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.function.Function;
/** /**
* *
@ -173,11 +174,27 @@ public class Shield {
settingsModule.registerSetting(IPFilter.HTTP_FILTER_DENY_SETTING); settingsModule.registerSetting(IPFilter.HTTP_FILTER_DENY_SETTING);
settingsModule.registerSetting(IPFilter.TRANSPORT_FILTER_ALLOW_SETTING); settingsModule.registerSetting(IPFilter.TRANSPORT_FILTER_ALLOW_SETTING);
settingsModule.registerSetting(IPFilter.TRANSPORT_FILTER_DENY_SETTING); settingsModule.registerSetting(IPFilter.TRANSPORT_FILTER_DENY_SETTING);
settingsModule.registerSetting(Setting.boolSetting("plugins.load_classpath_plugins", true, false, Setting.Scope.CLUSTER)); XPackPlugin.registerFeatureEnabledSettings(settingsModule, NAME, true);
// TODO add real settings for this wildcard here XPackPlugin.registerFeatureEnabledSettings(settingsModule, DLS_FLS_FEATURE, true);
settingsModule.registerSetting(Setting.groupSetting("shield.", false, Setting.Scope.CLUSTER)); settingsModule.registerSetting(Setting.groupSetting("shield.audit.", false, Setting.Scope.CLUSTER));
// TODO please let's just drop the old settings before releasing settingsModule.registerSetting(Setting.listSetting("shield.hide_settings", Collections.emptyList(), Function.identity(), false,
settingsModule.registerSetting(Setting.groupSetting("xpack.shield.", false, Setting.Scope.CLUSTER)); Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.groupSetting("shield.ssl.", false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.groupSetting("shield.authc.", false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.simpleString("shield.authz.store.files.roles", false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.simpleString("shield.system_key.file", false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.boolSetting(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING,
ShieldNettyHttpServerTransport.HTTP_SSL_DEFAULT, false, Setting.Scope.CLUSTER));
// FIXME need to register a real setting with the defaults here
settingsModule.registerSetting(Setting.simpleString(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING,
false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.boolSetting(ShieldNettyTransport.TRANSPORT_SSL_SETTING,
ShieldNettyTransport.TRANSPORT_SSL_DEFAULT, false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.simpleString(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, false,
Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.simpleString("shield.user", false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.simpleString("shield.encryption_key.algorithm", false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.simpleString("shield.encryption.algorithm", false, Setting.Scope.CLUSTER));
String[] asArray = settings.getAsArray("shield.hide_settings"); String[] asArray = settings.getAsArray("shield.hide_settings");
for (String pattern : asArray) { for (String pattern : asArray) {
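Review bot: The two client-auth keys (`ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING` and `ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING`) are registered with `Setting.simpleString`, so registration accepts any string and a mistyped value is only caught, if at all, wherever the transport later parses it. The FIXME sits above the HTTP key only; the transport key has the same form and should carry it too, e.g. `// FIXME register with a parser and default so an invalid client_auth value fails at startup`. The same holds for `shield.encryption.algorithm` and `shield.encryption_key.algorithm`, which are also free-form strings here. Separately, `shield.user` presumably carries a credential, so it is worth confirming that it is covered by the settings filter; the `shield.hide_settings` loop that follows continues outside this hunk.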


@ -47,7 +47,6 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
public static final Settings DEFAULT_SETTINGS = settingsBuilder() public static final Settings DEFAULT_SETTINGS = settingsBuilder()
.put("node.mode", "network") .put("node.mode", "network")
.put("plugins.load_classpath_plugins", false)
.build(); .build();
public static final String DEFAULT_USER_NAME = "test_user"; public static final String DEFAULT_USER_NAME = "test_user";


@ -171,7 +171,7 @@ public class XPackPlugin extends Plugin {
*/ */
public static boolean featureEnabled(Settings settings, String featureName, boolean defaultValue) { public static boolean featureEnabled(Settings settings, String featureName, boolean defaultValue) {
return settings.getAsBoolean(featureEnabledSetting(featureName), return settings.getAsBoolean(featureEnabledSetting(featureName),
settings.getAsBoolean(featureName + ".enabled", defaultValue)); // for bwc settings.getAsBoolean(legacyFeatureEnabledSetting(featureName), defaultValue)); // for bwc
} }
public static String featureEnabledSetting(String featureName) { public static String featureEnabledSetting(String featureName) {
@ -181,4 +181,23 @@ public class XPackPlugin extends Plugin {
public static String featureSettingPrefix(String featureName) { public static String featureSettingPrefix(String featureName) {
return NAME + "." + featureName; return NAME + "." + featureName;
} }
public static String legacyFeatureEnabledSetting(String featureName) {
return featureName + ".enabled";
}
/**
* A consistent way to register the settings used to enable disable features, supporting the following format:
*
* {@code "xpack.<feature>.enabled": true | false}
*
* Also supports the following setting as a fallback (for BWC with 1.x/2.x):
*
* {@code "<feature>.enabled": true | false}
*/
public static void registerFeatureEnabledSettings(SettingsModule settingsModule, String featureName, boolean defaultValue) {
settingsModule.registerSetting(Setting.boolSetting(featureEnabledSetting(featureName), defaultValue, false, Setting.Scope.CLUSTER));
settingsModule.registerSetting(Setting.boolSetting(legacyFeatureEnabledSetting(featureName),
defaultValue, false, Setting.Scope.CLUSTER));
}
} }
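Review bot: `registerFeatureEnabledSettings` and `featureEnabled` each take their own `defaultValue`, so the default recorded at registration and the default used at lookup can drift apart; for a feature such as Shield that would let the registered setting report one state while `featureEnabled` returns the other. The Javadoc on `registerFeatureEnabledSettings` should say that callers must pass the same default to both methods, and that `xpack.<feature>.enabled` takes precedence when both keys are set. `legacyFeatureEnabledSetting` is public but has no Javadoc; something like `/** Returns the legacy key {@code "<feature>.enabled"}, kept for BWC with 1.x/2.x. */` would do, and "enable disable" in the new Javadoc should read "enable/disable". The class body starts outside this section.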


@ -715,7 +715,6 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
.put("shield.authc.realms.esusers.files.users", writeFile(folder, "users", USERS)) .put("shield.authc.realms.esusers.files.users", writeFile(folder, "users", USERS))
.put("shield.authc.realms.esusers.files.users_roles", writeFile(folder, "users_roles", USER_ROLES)) .put("shield.authc.realms.esusers.files.users_roles", writeFile(folder, "users_roles", USER_ROLES))
.put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES)) .put("shield.authz.store.files.roles", writeFile(folder, "roles.yml", ROLES))
.put("shield.transport.n2n.ip_filter.file", writeFile(folder, "ip_filter.yml", IP_FILTER))
.put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey)) .put("shield.system_key.file", writeFile(folder, "system_key.yml", systemKey))
.put("shield.authc.sign_user_header", false) .put("shield.authc.sign_user_header", false)
.put("shield.audit.enabled", auditLogsEnabled) .put("shield.audit.enabled", auditLogsEnabled)