[Security] Remove beats_system User and Role until needed (elastic/x-pack-elasticsearch#2042)
The user/role was added to simplify the setup surrounding Beats monitoring, but Beats monitoring has been delayed until the UI work is begun. Original commit: elastic/x-pack-elasticsearch@1c0c85562e
parent
a0fd423db1
commit
e0fe6da303
@ -27,7 +27,6 @@ import org.elasticsearch.xpack.security.authc.support.Hasher;
|
||||
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||
import org.elasticsearch.xpack.security.support.Exceptions;
|
||||
import org.elasticsearch.xpack.security.user.AnonymousUser;
|
||||
import org.elasticsearch.xpack.security.user.BeatsSystemUser;
|
||||
import org.elasticsearch.xpack.security.user.ElasticUser;
|
||||
import org.elasticsearch.xpack.security.user.KibanaUser;
|
||||
import org.elasticsearch.xpack.security.user.LogstashSystemUser;
|
||||
@ -143,7 +142,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
|
||||
case ElasticUser.NAME:
|
||||
case KibanaUser.NAME:
|
||||
case LogstashSystemUser.NAME:
|
||||
case BeatsSystemUser.NAME:
|
||||
return XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings);
|
||||
default:
|
||||
return AnonymousUser.isAnonymousUsername(username, settings);
|
||||
@ -184,8 +182,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
|
||||
return new KibanaUser(userInfo.enabled);
|
||||
case LogstashSystemUser.NAME:
|
||||
return new LogstashSystemUser(userInfo.enabled);
|
||||
case BeatsSystemUser.NAME:
|
||||
return new BeatsSystemUser(userInfo.enabled);
|
||||
default:
|
||||
if (anonymousEnabled && anonymousUser.principal().equals(username)) {
|
||||
return anonymousUser;
|
||||
@ -211,9 +207,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
|
||||
userInfo = reservedUserInfos.get(LogstashSystemUser.NAME);
|
||||
users.add(new LogstashSystemUser(userInfo == null || userInfo.enabled));
|
||||
|
||||
userInfo = reservedUserInfos.get(BeatsSystemUser.NAME);
|
||||
users.add(new BeatsSystemUser(userInfo == null || userInfo.enabled));
|
||||
|
||||
if (anonymousEnabled) {
|
||||
users.add(anonymousUser);
|
||||
}
|
||||
@ -256,8 +249,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
|
||||
switch (username) {
|
||||
case LogstashSystemUser.NAME:
|
||||
return LogstashSystemUser.DEFINED_SINCE;
|
||||
case BeatsSystemUser.NAME:
|
||||
return BeatsSystemUser.DEFINED_SINCE;
|
||||
default:
|
||||
return Version.V_5_0_0;
|
||||
}
|
||||
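Review bot: Dropping `case BeatsSystemUser.NAME:` from the first switch in this file (the one that returns `RESERVED_REALM_ENABLED_SETTING`) releases the `beats_system` username from reservation, even though the commit message says the user is expected to return. Until then the name falls through to `default:` and counts as reserved only if it is the anonymous username, so presumably a native user of that name can be created and would later collide with the reinstated built-in account; the same concern applies to the `beats_system` role removed from ReservedRolesStore. Clusters that already stored a password or enabled flag for this user (it was defined since 6.0.0-alpha1) may also keep an entry that the second switch no longer maps to a user; what follows `default:` there is outside the hunk, so that path is worth confirming. At minimum I would add a comment above the first switch, for example `// beats_system is deliberately not reserved until Beats monitoring ships; re-adding it must handle native users and roles created under that name`.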
|
@ -20,7 +20,6 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
|
||||
import org.elasticsearch.common.xcontent.json.JsonXContent;
|
||||
import org.elasticsearch.env.Environment;
|
||||
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
|
||||
import org.elasticsearch.xpack.security.user.BeatsSystemUser;
|
||||
import org.elasticsearch.xpack.security.user.ElasticUser;
|
||||
import org.elasticsearch.xpack.security.user.KibanaUser;
|
||||
import org.elasticsearch.xpack.security.user.LogstashSystemUser;
|
||||
@ -40,7 +39,7 @@ public class SetupPasswordTool extends MultiCommand {
|
||||
|
||||
private static final char[] CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" +
|
||||
"~!@#$%^&*-_=+?").toCharArray();
|
||||
private static final String[] USERS = new String[]{ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME, BeatsSystemUser.NAME};
|
||||
private static final String[] USERS = new String[]{ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME};
|
||||
|
||||
private final Function<Environment, CommandLineHttpClient> clientFunction;
|
||||
private final CheckedFunction<Environment, KeyStoreWrapper, Exception> keyStoreFunction;
|
||||
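Review bot: `USERS` is a second hand-maintained list of the built-in accounts, separate from the `case` labels in ReservedRealm, and this commit had to edit both to keep them aligned. If they drift, the tool would either skip a reserved user, which presumably leaves that account on its initial password, or send a password change for a name the realm no longer recognises. Consider deriving both from one shared definition, or at least documenting the coupling on the field with `// must list every password-bearing user handled by ReservedRealm`.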
|
@ -69,8 +69,6 @@ public class ReservedRolesStore {
|
||||
null, MetadataUtils.DEFAULT_RESERVED_METADATA))
|
||||
.put("logstash_system", new RoleDescriptor("logstash_system", new String[] { "monitor", MonitoringBulkAction.NAME},
|
||||
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
|
||||
.put("beats_system", new RoleDescriptor("beats_system", new String[] { "monitor", MonitoringBulkAction.NAME},
|
||||
null, null, MetadataUtils.DEFAULT_RESERVED_METADATA))
|
||||
.put("machine_learning_user", new RoleDescriptor("machine_learning_user", new String[] { "monitor_ml" },
|
||||
new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*",
|
||||
".ml-notifications").privileges("view_index_metadata", "read").build() },
|
||||
|
@ -1,20 +0,0 @@
|
||||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License;
|
||||
* you may not use this file except in compliance with the Elastic License.
|
||||
*/
|
||||
package org.elasticsearch.xpack.security.user;
|
||||
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.xpack.security.support.MetadataUtils;
|
||||
|
||||
public class BeatsSystemUser extends User {
|
||||
public static final String NAME = "beats_system";
|
||||
private static final String ROLE_NAME = "beats_system";
|
||||
public static final Version DEFINED_SINCE = Version.V_6_0_0_alpha1;
|
||||
public static final BuiltinUserInfo USER_INFO = new BuiltinUserInfo(NAME, ROLE_NAME, DEFINED_SINCE);
|
||||
|
||||
public BeatsSystemUser(boolean enabled) {
|
||||
super(NAME, new String[]{ ROLE_NAME }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, enabled);
|
||||
}
|
||||
}
|
@ -16,7 +16,6 @@ import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||
import org.elasticsearch.xpack.security.client.SecurityClient;
|
||||
import org.elasticsearch.xpack.security.user.BeatsSystemUser;
|
||||
import org.elasticsearch.xpack.security.user.ElasticUser;
|
||||
import org.elasticsearch.xpack.security.user.KibanaUser;
|
||||
import org.elasticsearch.xpack.security.user.LogstashSystemUser;
|
||||
@ -74,7 +73,7 @@ public abstract class NativeRealmIntegTestCase extends SecurityIntegTestCase {
|
||||
logger.info("setting up reserved passwords for test");
|
||||
SecureString defaultPassword = new SecureString("".toCharArray());
|
||||
|
||||
for (String username : Arrays.asList(KibanaUser.NAME, BeatsSystemUser.NAME, LogstashSystemUser.NAME)) {
|
||||
for (String username : Arrays.asList(KibanaUser.NAME, LogstashSystemUser.NAME)) {
|
||||
String payload = "{\"password\": \"" + new String(reservedPassword.getChars()) + "\"}";
|
||||
HttpEntity entity = new NStringEntity(payload, ContentType.APPLICATION_JSON);
|
||||
BasicHeader authHeader = new BasicHeader(UsernamePasswordToken.BASIC_AUTH_HEADER,
|
||||
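Review bot: In the loop body, the `String payload = ...` line splices the reserved password into JSON by string concatenation and copies it out of the `SecureString` into an immutable `String`. A password containing `"` or `\` would produce a malformed or differently-parsed request body, and the `String` copy cannot be cleared afterwards. This is test code, but the helper is easy to copy elsewhere; building the body with an `XContentBuilder` (`startObject().field("password", ...).endObject()`) would at least escape the value correctly. The method starts and ends outside this hunk, so whether the payload is reused further down is not visible here.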
|
@ -11,7 +11,6 @@ import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.test.NativeRealmIntegTestCase;
|
||||
import org.elasticsearch.xpack.security.action.user.ChangePasswordResponse;
|
||||
import org.elasticsearch.xpack.security.client.SecurityClient;
|
||||
import org.elasticsearch.xpack.security.user.BeatsSystemUser;
|
||||
import org.elasticsearch.xpack.security.user.ElasticUser;
|
||||
import org.elasticsearch.xpack.security.user.KibanaUser;
|
||||
import org.elasticsearch.xpack.security.user.LogstashSystemUser;
|
||||
@ -30,7 +29,7 @@ import static org.hamcrest.Matchers.notNullValue;
|
||||
public class ReservedRealmIntegTests extends NativeRealmIntegTestCase {
|
||||
|
||||
public void testAuthenticate() {
|
||||
for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, BeatsSystemUser.NAME, LogstashSystemUser.NAME)) {
|
||||
for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME)) {
|
||||
ClusterHealthResponse response = client()
|
||||
.filterWithHeader(singletonMap("Authorization", basicAuthHeaderValue(username, getReservedPassword())))
|
||||
.admin()
|
||||
@ -48,7 +47,7 @@ public class ReservedRealmIntegTests extends NativeRealmIntegTestCase {
|
||||
*/
|
||||
public void testAuthenticateAfterEnablingUser() {
|
||||
final SecurityClient c = securityClient();
|
||||
for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, BeatsSystemUser.NAME, LogstashSystemUser.NAME)) {
|
||||
for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME)) {
|
||||
c.prepareSetEnabled(username, true).get();
|
||||
ClusterHealthResponse response = client()
|
||||
.filterWithHeader(singletonMap("Authorization", basicAuthHeaderValue(username, getReservedPassword())))
|
||||
@ -62,7 +61,7 @@ public class ReservedRealmIntegTests extends NativeRealmIntegTestCase {
|
||||
}
|
||||
|
||||
public void testChangingPassword() {
|
||||
String username = randomFrom(ElasticUser.NAME, KibanaUser.NAME, BeatsSystemUser.NAME, LogstashSystemUser.NAME);
|
||||
String username = randomFrom(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME);
|
||||
final char[] newPassword = "supersecretvalue".toCharArray();
|
||||
|
||||
if (randomBoolean()) {
|
||||
|
@ -9,7 +9,6 @@ import org.elasticsearch.ElasticsearchSecurityException;
|
||||
import org.elasticsearch.Version;
|
||||
import org.elasticsearch.action.ActionListener;
|
||||
import org.elasticsearch.action.support.PlainActionFuture;
|
||||
import org.elasticsearch.common.SuppressForbidden;
|
||||
import org.elasticsearch.common.settings.SecureString;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
@ -23,7 +22,6 @@ import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.Reserved
|
||||
import org.elasticsearch.xpack.security.authc.support.Hasher;
|
||||
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
|
||||
import org.elasticsearch.xpack.security.user.AnonymousUser;
|
||||
import org.elasticsearch.xpack.security.user.BeatsSystemUser;
|
||||
import org.elasticsearch.xpack.security.user.ElasticUser;
|
||||
import org.elasticsearch.xpack.security.user.KibanaUser;
|
||||
import org.elasticsearch.xpack.security.user.LogstashSystemUser;
|
||||
@ -31,8 +29,6 @@ import org.elasticsearch.xpack.security.user.User;
|
||||
import org.junit.Before;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
|
||||
import java.net.InetAddress;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
@ -265,7 +261,7 @@ public class ReservedRealmTests extends ESTestCase {
|
||||
PlainActionFuture<Collection<User>> userFuture = new PlainActionFuture<>();
|
||||
reservedRealm.users(userFuture);
|
||||
assertThat(userFuture.actionGet(), containsInAnyOrder(new ElasticUser(true), new KibanaUser(true),
|
||||
new LogstashSystemUser(true), new BeatsSystemUser(true)));
|
||||
new LogstashSystemUser(true)));
|
||||
}
|
||||
|
||||
public void testGetUsersDisabled() {
|
||||
|
@ -15,7 +15,6 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry;
|
||||
import org.elasticsearch.common.xcontent.XContentParser;
|
||||
import org.elasticsearch.common.xcontent.json.JsonXContent;
|
||||
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
|
||||
import org.elasticsearch.xpack.security.user.BeatsSystemUser;
|
||||
import org.elasticsearch.xpack.security.user.ElasticUser;
|
||||
import org.elasticsearch.xpack.security.user.KibanaUser;
|
||||
import org.elasticsearch.xpack.security.user.LogstashSystemUser;
|
||||
@ -42,7 +41,6 @@ public class SetupPasswordToolTests extends CommandTestCase {
|
||||
private final String ep = "elastic-password";
|
||||
private final String kp = "kibana-password";
|
||||
private final String lp = "logstash-password";
|
||||
private final String bp = "beats-password";
|
||||
private CommandLineHttpClient httpClient;
|
||||
private KeyStoreWrapper keyStore;
|
||||
|
||||
@ -58,8 +56,6 @@ public class SetupPasswordToolTests extends CommandTestCase {
|
||||
terminal.addSecretInput(kp);
|
||||
terminal.addSecretInput(lp);
|
||||
terminal.addSecretInput(lp);
|
||||
terminal.addSecretInput(bp);
|
||||
terminal.addSecretInput(bp);
|
||||
}
|
||||
|
||||
@Override
|
||||
@ -79,7 +75,7 @@ public class SetupPasswordToolTests extends CommandTestCase {
|
||||
inOrder.verify(httpClient).postURL(eq("PUT"), eq(elasticUrl), eq(ElasticUser.NAME), eq(bootstrapPassword),
|
||||
passwordCaptor.capture());
|
||||
|
||||
String[] users = {KibanaUser.NAME, LogstashSystemUser.NAME, BeatsSystemUser.NAME};
|
||||
String[] users = {KibanaUser.NAME, LogstashSystemUser.NAME};
|
||||
SecureString newPassword = new SecureString(parsePassword(passwordCaptor.getValue()).toCharArray());
|
||||
for (String user : users) {
|
||||
String urlWithRoute = "http://localhost:9200/_xpack/security/user/" + user + "/_password";
|
||||
@ -98,7 +94,7 @@ public class SetupPasswordToolTests extends CommandTestCase {
|
||||
inOrder.verify(httpClient).postURL(eq("PUT"), eq(elasticUrl), eq(ElasticUser.NAME), eq(bootstrapPassword),
|
||||
passwordCaptor.capture());
|
||||
|
||||
String[] users = {KibanaUser.NAME, LogstashSystemUser.NAME, BeatsSystemUser.NAME};
|
||||
String[] users = {KibanaUser.NAME, LogstashSystemUser.NAME};
|
||||
SecureString newPassword = new SecureString(parsePassword(passwordCaptor.getValue()).toCharArray());
|
||||
for (String user : users) {
|
||||
String urlWithRoute = url + "/_xpack/security/user/" + user + "/_password";
|
||||
@ -120,8 +116,6 @@ public class SetupPasswordToolTests extends CommandTestCase {
|
||||
inOrder.verify(httpClient).postURL(eq("PUT"), eq(kibanaUrl), eq(ElasticUser.NAME), eq(newPassword), contains(kp));
|
||||
String logstashUrl = "http://localhost:9200/_xpack/security/user/" + LogstashSystemUser.NAME + "/_password";
|
||||
inOrder.verify(httpClient).postURL(eq("PUT"), eq(logstashUrl), eq(ElasticUser.NAME), eq(newPassword), contains(lp));
|
||||
String beatsUrl = "http://localhost:9200/_xpack/security/user/" + BeatsSystemUser.NAME + "/_password";
|
||||
inOrder.verify(httpClient).postURL(eq("PUT"), eq(beatsUrl), eq(ElasticUser.NAME), eq(newPassword), contains(bp));
|
||||
}
|
||||
|
||||
public void testInteractivePasswordsNotMatching() throws Exception {
|
||||
|
@ -381,28 +381,6 @@ public class ReservedRolesStoreTests extends ESTestCase {
|
||||
is(false));
|
||||
}
|
||||
|
||||
public void testBeatsSystemRole() {
|
||||
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("beats_system");
|
||||
assertNotNull(roleDescriptor);
|
||||
assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
|
||||
|
||||
Role beatsSystemRole = Role.builder(roleDescriptor, null).build();
|
||||
assertThat(beatsSystemRole.cluster().check(ClusterHealthAction.NAME), is(true));
|
||||
assertThat(beatsSystemRole.cluster().check(ClusterStateAction.NAME), is(true));
|
||||
assertThat(beatsSystemRole.cluster().check(ClusterStatsAction.NAME), is(true));
|
||||
assertThat(beatsSystemRole.cluster().check(PutIndexTemplateAction.NAME), is(false));
|
||||
assertThat(beatsSystemRole.cluster().check(ClusterRerouteAction.NAME), is(false));
|
||||
assertThat(beatsSystemRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false));
|
||||
assertThat(beatsSystemRole.cluster().check(MonitoringBulkAction.NAME), is(true));
|
||||
|
||||
assertThat(beatsSystemRole.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false));
|
||||
|
||||
assertThat(beatsSystemRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false));
|
||||
assertThat(beatsSystemRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
|
||||
assertThat(beatsSystemRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)),
|
||||
is(false));
|
||||
}
|
||||
|
||||
public void testWatcherAdminRole() {
|
||||
RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("watcher_admin");
|
||||
assertNotNull(roleDescriptor);
|
||||
|