diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
index 6127c064f89..aa4cd373620 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
@@ -27,7 +27,6 @@ import org.elasticsearch.xpack.security.authc.support.Hasher;
 import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.security.support.Exceptions;
 import org.elasticsearch.xpack.security.user.AnonymousUser;
-import org.elasticsearch.xpack.security.user.BeatsSystemUser;
 import org.elasticsearch.xpack.security.user.ElasticUser;
 import org.elasticsearch.xpack.security.user.KibanaUser;
 import org.elasticsearch.xpack.security.user.LogstashSystemUser;
@@ -143,7 +142,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
 case ElasticUser.NAME:
 case KibanaUser.NAME:
 case LogstashSystemUser.NAME:
- case BeatsSystemUser.NAME:
 return XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings);
 default:
 return AnonymousUser.isAnonymousUsername(username, settings);
@@ -184,8 +182,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
 return new KibanaUser(userInfo.enabled);
 case LogstashSystemUser.NAME:
 return new LogstashSystemUser(userInfo.enabled);
- case BeatsSystemUser.NAME:
- return new BeatsSystemUser(userInfo.enabled);
 default:
 if (anonymousEnabled && anonymousUser.principal().equals(username)) {
 return anonymousUser;
@@ -211,9 +207,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm { userInfo = reservedUserInfos.get(LogstashSystemUser.NAME); users.add(new LogstashSystemUser(userInfo == null || userInfo.enabled)); - userInfo = reservedUserInfos.get(BeatsSystemUser.NAME); - users.add(new BeatsSystemUser(userInfo == null || userInfo.enabled)); - if (anonymousEnabled) { users.add(anonymousUser); } @@ -256,8 +249,6 @@ public class ReservedRealm extends CachingUsernamePasswordRealm { switch (username) { case LogstashSystemUser.NAME: return LogstashSystemUser.DEFINED_SINCE; - case BeatsSystemUser.NAME: - return BeatsSystemUser.DEFINED_SINCE; default: return Version.V_5_0_0; } diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java index ad66a08d278..fe9206bafda 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java @@ -20,7 +20,6 @@ import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.json.JsonXContent; import org.elasticsearch.env.Environment; import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm; -import org.elasticsearch.xpack.security.user.BeatsSystemUser; import org.elasticsearch.xpack.security.user.ElasticUser; import org.elasticsearch.xpack.security.user.KibanaUser; import org.elasticsearch.xpack.security.user.LogstashSystemUser; 
@@ -40,7 +39,7 @@ public class SetupPasswordTool extends MultiCommand { private static final char[] CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" + "~!@#$%^&*-_=+?").toCharArray(); - private static final String[] USERS = new String[]{ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME, BeatsSystemUser.NAME}; + private static final String[] USERS = new String[]{ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME}; private final Function clientFunction; private final CheckedFunction keyStoreFunction; diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java index f3235978f91..9eb0ab9a0af 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStore.java @@ -69,8 +69,6 @@ public class ReservedRolesStore { null, MetadataUtils.DEFAULT_RESERVED_METADATA)) .put("logstash_system", new RoleDescriptor("logstash_system", new String[] { "monitor", MonitoringBulkAction.NAME}, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) - .put("beats_system", new RoleDescriptor("beats_system", new String[] { "monitor", MonitoringBulkAction.NAME}, - null, null, MetadataUtils.DEFAULT_RESERVED_METADATA)) .put("machine_learning_user", new RoleDescriptor("machine_learning_user", new String[] { "monitor_ml" }, new RoleDescriptor.IndicesPrivileges[] { RoleDescriptor.IndicesPrivileges.builder().indices(".ml-anomalies*", ".ml-notifications").privileges("view_index_metadata", "read").build() }, diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/user/BeatsSystemUser.java b/plugin/src/main/java/org/elasticsearch/xpack/security/user/BeatsSystemUser.java deleted file mode 100644 index fc0399a5ab2..00000000000 
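Review bot: `USERS` in SetupPasswordTool is a hand-maintained copy of the built-in user list that ReservedRealm spells out again in its `switch` statements, so removing one user has to be repeated in several places, and a missed spot leaves the tool and the realm disagreeing about which accounts get a password. A comment on the array would make the coupling explicit, for example `// Keep in sync with the users ReservedRealm treats as reserved; this tool sets a password for each entry.` After this change the tool no longer sets a password for `beats_system`; whether a credential stored for that name by an earlier run is cleaned up or simply ignored is not visible in this diff and is worth confirming.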
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/user/BeatsSystemUser.java
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.xpack.security.user;
-
-import org.elasticsearch.Version;
-import org.elasticsearch.xpack.security.support.MetadataUtils;
-
-public class BeatsSystemUser extends User {
- public static final String NAME = "beats_system";
- private static final String ROLE_NAME = "beats_system";
- public static final Version DEFINED_SINCE = Version.V_6_0_0_alpha1;
- public static final BuiltinUserInfo USER_INFO = new BuiltinUserInfo(NAME, ROLE_NAME, DEFINED_SINCE);
-
- public BeatsSystemUser(boolean enabled) {
- super(NAME, new String[]{ ROLE_NAME }, null, null, MetadataUtils.DEFAULT_RESERVED_METADATA, enabled);
- }
-}
diff --git a/plugin/src/test/java/org/elasticsearch/test/NativeRealmIntegTestCase.java b/plugin/src/test/java/org/elasticsearch/test/NativeRealmIntegTestCase.java
index 2c149245a52..f8bd892f6d2 100644
--- a/plugin/src/test/java/org/elasticsearch/test/NativeRealmIntegTestCase.java
+++ b/plugin/src/test/java/org/elasticsearch/test/NativeRealmIntegTestCase.java
@@ -16,7 +16,6 @@ import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.security.client.SecurityClient;
-import org.elasticsearch.xpack.security.user.BeatsSystemUser;
 import org.elasticsearch.xpack.security.user.ElasticUser;
 import org.elasticsearch.xpack.security.user.KibanaUser;
 import org.elasticsearch.xpack.security.user.LogstashSystemUser;
@@ -74,7 +73,7 @@ public abstract class NativeRealmIntegTestCase extends SecurityIntegTestCase { logger.info("setting up reserved passwords for test"); SecureString defaultPassword = new SecureString("".toCharArray()); - for (String username : Arrays.asList(KibanaUser.NAME, BeatsSystemUser.NAME, LogstashSystemUser.NAME)) { + for (String username : Arrays.asList(KibanaUser.NAME, LogstashSystemUser.NAME)) { String payload = "{\"password\": \"" + new String(reservedPassword.getChars()) + "\"}"; HttpEntity entity = new NStringEntity(payload, ContentType.APPLICATION_JSON); BasicHeader authHeader = new BasicHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java index 549de913ffa..a0a4369bada 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmIntegTests.java @@ -11,7 +11,6 @@ import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.test.NativeRealmIntegTestCase; import org.elasticsearch.xpack.security.action.user.ChangePasswordResponse; import org.elasticsearch.xpack.security.client.SecurityClient; -import org.elasticsearch.xpack.security.user.BeatsSystemUser; import org.elasticsearch.xpack.security.user.ElasticUser; import org.elasticsearch.xpack.security.user.KibanaUser; import org.elasticsearch.xpack.security.user.LogstashSystemUser; 
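Review bot: The request body inside the loop in NativeRealmIntegTestCase is assembled by string concatenation, `"{\"password\": \"" + new String(reservedPassword.getChars()) + "\"}"`, so a reserved password containing `"` or `\` would produce malformed JSON and the setup request would fail for a reason unrelated to the test. Copying the characters into a `String` also leaves a copy that cannot be cleared, which works against holding the value in a `SecureString`. Building the body with a JSON builder that escapes the value would remove the first problem. The loop body continues past the end of this hunk, so the rest of the request handling is not visible here.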
@@ -30,7 +29,7 @@ import static org.hamcrest.Matchers.notNullValue; public class ReservedRealmIntegTests extends NativeRealmIntegTestCase { public void testAuthenticate() { - for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, BeatsSystemUser.NAME, LogstashSystemUser.NAME)) { + for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME)) { ClusterHealthResponse response = client() .filterWithHeader(singletonMap("Authorization", basicAuthHeaderValue(username, getReservedPassword()))) .admin() @@ -48,7 +47,7 @@ public class ReservedRealmIntegTests extends NativeRealmIntegTestCase { */ public void testAuthenticateAfterEnablingUser() { final SecurityClient c = securityClient(); - for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, BeatsSystemUser.NAME, LogstashSystemUser.NAME)) { + for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME)) { c.prepareSetEnabled(username, true).get(); ClusterHealthResponse response = client() .filterWithHeader(singletonMap("Authorization", basicAuthHeaderValue(username, getReservedPassword()))) @@ -62,7 +61,7 @@ public class ReservedRealmIntegTests extends NativeRealmIntegTestCase { } public void testChangingPassword() { - String username = randomFrom(ElasticUser.NAME, KibanaUser.NAME, BeatsSystemUser.NAME, LogstashSystemUser.NAME); + String username = randomFrom(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME); final char[] newPassword = "supersecretvalue".toCharArray(); if (randomBoolean()) { diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java index 637903c935e..a4e76faf582 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java 
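Review bot: None of the three updated tests in ReservedRealmIntegTests (`testAuthenticate`, `testAuthenticateAfterEnablingUser`, `testChangingPassword`) asserts the other half of this change, namely that `beats_system` is no longer accepted as a reserved user. With the `case BeatsSystemUser.NAME:` branches removed from ReservedRealm the name falls through to the `default` branch, so a test that presents the reserved password for `beats_system` and expects authentication to fail would pin the intended behaviour; the `containsInAnyOrder` assertion updated in ReservedRealmTests could be paired with a similar negative check at unit level. The literal `Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME)` is also repeated in two of the loops here, and hoisting it into one constant in the test class would keep the lists aligned the next time the set of reserved users changes.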
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealmTests.java @@ -9,7 +9,6 @@ import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.Version; import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.support.PlainActionFuture; -import org.elasticsearch.common.SuppressForbidden; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; @@ -23,7 +22,6 @@ import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.Reserved import org.elasticsearch.xpack.security.authc.support.Hasher; import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken; import org.elasticsearch.xpack.security.user.AnonymousUser; -import org.elasticsearch.xpack.security.user.BeatsSystemUser; import org.elasticsearch.xpack.security.user.ElasticUser; import org.elasticsearch.xpack.security.user.KibanaUser; import org.elasticsearch.xpack.security.user.LogstashSystemUser; @@ -31,8 +29,6 @@ import org.elasticsearch.xpack.security.user.User; import org.junit.Before; import org.mockito.ArgumentCaptor; -import java.net.InetAddress; -import java.net.InetSocketAddress; import java.util.Collection; import java.util.Collections; import java.util.Map; @@ -265,7 +261,7 @@ public class ReservedRealmTests extends ESTestCase { PlainActionFuture> userFuture = new PlainActionFuture<>(); reservedRealm.users(userFuture); assertThat(userFuture.actionGet(), containsInAnyOrder(new ElasticUser(true), new KibanaUser(true), - new LogstashSystemUser(true), new BeatsSystemUser(true))); + new LogstashSystemUser(true))); } public void testGetUsersDisabled() { 
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordToolTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordToolTests.java index b6665881a0b..7563c2b887b 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordToolTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordToolTests.java @@ -15,7 +15,6 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry; import org.elasticsearch.common.xcontent.XContentParser; import org.elasticsearch.common.xcontent.json.JsonXContent; import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm; -import org.elasticsearch.xpack.security.user.BeatsSystemUser; import org.elasticsearch.xpack.security.user.ElasticUser; import org.elasticsearch.xpack.security.user.KibanaUser; import org.elasticsearch.xpack.security.user.LogstashSystemUser; @@ -42,7 +41,6 @@ public class SetupPasswordToolTests extends CommandTestCase { private final String ep = "elastic-password"; private final String kp = "kibana-password"; private final String lp = "logstash-password"; - private final String bp = "beats-password"; private CommandLineHttpClient httpClient; private KeyStoreWrapper keyStore; @@ -58,8 +56,6 @@ public class SetupPasswordToolTests extends CommandTestCase { terminal.addSecretInput(kp); terminal.addSecretInput(lp); terminal.addSecretInput(lp); - terminal.addSecretInput(bp); - terminal.addSecretInput(bp); } @Override 
@@ -79,7 +75,7 @@ public class SetupPasswordToolTests extends CommandTestCase { inOrder.verify(httpClient).postURL(eq("PUT"), eq(elasticUrl), eq(ElasticUser.NAME), eq(bootstrapPassword), passwordCaptor.capture()); - String[] users = {KibanaUser.NAME, LogstashSystemUser.NAME, BeatsSystemUser.NAME}; + String[] users = {KibanaUser.NAME, LogstashSystemUser.NAME}; SecureString newPassword = new SecureString(parsePassword(passwordCaptor.getValue()).toCharArray()); for (String user : users) { String urlWithRoute = "http://localhost:9200/_xpack/security/user/" + user + "/_password"; @@ -98,7 +94,7 @@ public class SetupPasswordToolTests extends CommandTestCase { inOrder.verify(httpClient).postURL(eq("PUT"), eq(elasticUrl), eq(ElasticUser.NAME), eq(bootstrapPassword), passwordCaptor.capture()); - String[] users = {KibanaUser.NAME, LogstashSystemUser.NAME, BeatsSystemUser.NAME}; + String[] users = {KibanaUser.NAME, LogstashSystemUser.NAME}; SecureString newPassword = new SecureString(parsePassword(passwordCaptor.getValue()).toCharArray()); for (String user : users) { String urlWithRoute = url + "/_xpack/security/user/" + user + "/_password"; @@ -120,8 +116,6 @@ public class SetupPasswordToolTests extends CommandTestCase { inOrder.verify(httpClient).postURL(eq("PUT"), eq(kibanaUrl), eq(ElasticUser.NAME), eq(newPassword), contains(kp)); String logstashUrl = "http://localhost:9200/_xpack/security/user/" + LogstashSystemUser.NAME + "/_password"; inOrder.verify(httpClient).postURL(eq("PUT"), eq(logstashUrl), eq(ElasticUser.NAME), eq(newPassword), contains(lp)); - String beatsUrl = "http://localhost:9200/_xpack/security/user/" + BeatsSystemUser.NAME + "/_password"; - inOrder.verify(httpClient).postURL(eq("PUT"), eq(beatsUrl), eq(ElasticUser.NAME), eq(newPassword), contains(bp)); } public void testInteractivePasswordsNotMatching() throws Exception { 
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java
index d6c7d90c167..d16b6e438bb 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/store/ReservedRolesStoreTests.java
@@ -381,28 +381,6 @@ public class ReservedRolesStoreTests extends ESTestCase { is(false)); } - public void testBeatsSystemRole() { - RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("beats_system"); - assertNotNull(roleDescriptor); - assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true)); - - Role beatsSystemRole = Role.builder(roleDescriptor, null).build(); - assertThat(beatsSystemRole.cluster().check(ClusterHealthAction.NAME), is(true)); - assertThat(beatsSystemRole.cluster().check(ClusterStateAction.NAME), is(true)); - assertThat(beatsSystemRole.cluster().check(ClusterStatsAction.NAME), is(true)); - assertThat(beatsSystemRole.cluster().check(PutIndexTemplateAction.NAME), is(false)); - assertThat(beatsSystemRole.cluster().check(ClusterRerouteAction.NAME), is(false)); - assertThat(beatsSystemRole.cluster().check(ClusterUpdateSettingsAction.NAME), is(false)); - assertThat(beatsSystemRole.cluster().check(MonitoringBulkAction.NAME), is(true)); - - assertThat(beatsSystemRole.runAs().check(randomAlphaOfLengthBetween(1, 30)), is(false)); - - assertThat(beatsSystemRole.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false)); - assertThat(beatsSystemRole.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false)); - assertThat(beatsSystemRole.indices().allowedIndicesMatcher("indices:foo").test(randomAlphaOfLengthBetween(8, 24)), - is(false)); - } - public void testWatcherAdminRole() { RoleDescriptor roleDescriptor = new ReservedRolesStore().roleDescriptor("watcher_admin"); assertNotNull(roleDescriptor);