Commit Graph

4176 Commits

Author SHA1 Message Date
javanna 4bb6e856f3 Authorize composite actions based on their action name only, subrequests and their indices will be later authorized individually
Eagerly authorizing CompositeIndicesRequests allowed the security plugin to fail fast up until now, but it makes it very hard to reason about each specific item in a multi items request. Either all items fail, or none do. We would rather want to adopt a similar behaviour to es core, where individual items fail without affecting other items that are part of the same request. We can rely on the fact that es core always authorizes both main action and every subaction too, and skip authorization for the main action. By subaction we mean either all sub search requests in msearch, as well as each shard level get in mget or shard level bulk request for bulk.

 BulkRequestInterceptor was converted to intercept BulkShardRequests rather than BulkRequest as that is where bulk is authorized after this change.

 Split IndicesAndAliasesResolverIntegrationTests into ReadActionsTests and WriteActionsTests as they require different set of permissions, lots of tests added.

Explicitly listing the composite actions makes sure that the actions that can bypass security are known, somebody adding a similar action must to add it to the list, so we know it doesn't happen by mistake. At this point the CompositeIndicesRequest can be used as a marker interface only (it is not really needed but can be used to verify that composite actions use a request that implements such interface).

Given that we don't authorize composite actions based on their indices anymore, but only their sub-requests which implement IndicesRequest, printing out the indices names in the audit log for requests like bulk and msearch is confusing. Removed support for that.

Authorize composite indices actions based on their name only, their indices will be authorized at the sub-request/shard level

Rather than simply granting bulk, mget, msearch etc. and relying on authorization at the sub-request/shard level, we check that the current user can at least execute the action. This justifies the grant line that gets written in the audit log, the action is potentially possible without looking at the indices. Each specific item will fail or succeed later and will yield its own specific audit log entry.

Original commit: elastic/x-pack-elasticsearch@4570caf019
2016-10-13 16:05:02 +02:00
javanna c6edec254a special case IndicesExistsRequest to make sure index not found is never thrown while resolving indices
Like es core does in TransportIndicesExistsAction, we should only consider expandWildcardsOpen and expandWildcardsClosed out of the indices options passed in with IndicesExistsRequest. ignore_unavailable and allow_no_indices should always be considered both true, to prevent the request from throwing exception as it is supposed to return true or false, no exceptions.

Original commit: elastic/x-pack-elasticsearch@daa274b3fd
2016-10-13 16:05:02 +02:00
javanna d27c4bee82 Support allowNoIndices option in security plugin
Supporting allowNoIndices means that the security plugin has a behaviour much more similar to vanilla es when dealing with wildcard expressions that match no indices, or empty clusters. The default for most request is to allow no indices, but security plugin could only disallow no indices all the time up until now.

The technical problem was that when anything gets resolved to an empty set of indices, we couldn't let that go through to es core, as that would become resolved to all indices by es core, which would be a security hole. We have now found a way though to replace an empty set of indices with something that es core will for sure resolve to no indices, so we can let the request through. We simply replace empty indices with '-*'.

Multi apis requests (e.g. _msearch) have yet to be fixed, as all their indices end up in the same bucket while they should each be authorized separately, so that every specific item can fail or be let through.

Original commit: elastic/x-pack-elasticsearch@0f67a0bfea
2016-10-13 16:05:02 +02:00
javanna 9b46b34bed Honour ignore_unavailable option when resolving indices
For all the requests that support multiple indices and wildcards, hence implementing IndicesRequest.Replaceable, we replace the wildcard expressions with the explicit names of the authorized indices they match. _all or empty indices is treated as a wildcard expression. We can also honour the ignore_unavailable option by going over all the explicit names and filter out the non authorized ones when ignore_unavailable is set to true. If ignore_unavailable is set to false, we leave everything as-is, which will cause an authorization exception to be thrown if only one of those explicit indices is not authorized for the current user.

This is the first step towards resolving elastic/elasticsearch#1250. The remaining issue is that in case we are left with no indices after stripping out the ones that the user is not authorized for, we throw an authorization exception rather than returning an empty response. That will require honouring the allow_no_indices option, which will also change the behaviour when a cluster is empty.

Relates to elastic/elasticsearch#1250

Original commit: elastic/x-pack-elasticsearch@e4ca940d05
2016-10-13 16:05:02 +02:00
Jay Modi 219c42d7ce update to use TimeValue in CacheBuilder
Original commit: elastic/x-pack-elasticsearch@7f5a59bd73
2016-10-13 09:27:51 -04:00
Shaunak Kashyap 0deb38a95d Merge pull request elastic/elasticsearch#3733 from ycombinator/fix-browser-based-test-task
Fix browser based test task

Original commit: elastic/x-pack-elasticsearch@43207f2808
2016-10-12 13:49:50 -07:00
Areek Zillur 1a0802a157 Merge branch 'master' into cleanup/transport_bulk
Original commit: elastic/x-pack-elasticsearch@f0b88369f3
2016-10-12 13:12:16 -04:00
Tim Sullivan 07f5748ddc Merge pull request elastic/elasticsearch#3674 from tsullivan/monitoring-ui-badpermission-noauth-staticpage
Monitoring UI: new page for permission error / unauthorized error

Original commit: elastic/x-pack-elasticsearch@f891dfc18d
2016-10-12 10:02:24 -07:00
CJ Cenizal f1b591846a Merge pull request elastic/elasticsearch#3726 from cjcenizal/3657/improvement/monitoring-license-ia
Move license information out of Elasticsearch panel.

Original commit: elastic/x-pack-elasticsearch@ed745d2a98
2016-10-12 09:00:47 -07:00
Jay Modi 68eb4d981e security: wildcards for superusers includes the security index
The superuser role is the only user assignable role that grants access to the .security index, but when
resolving wildcards the index was not getting resolved. The resolution of indices and aliases explicitly
excludes the .security index for users that are not the internal user without checking if the user has the
superuser role. This commit adds a check in for the superuser role.

Original commit: elastic/x-pack-elasticsearch@02ee0a8740
2016-10-12 11:42:02 -04:00
Jay Modi 6284db3a4d security: use correct time unit for role cache expire after write
The role cache was previously using the wrong time unit for its expire after write time; the
value passed to the cache was milliseconds instead of nanoseconds.

Original commit: elastic/x-pack-elasticsearch@65f7b08763
2016-10-12 08:04:49 -04:00
Tanguy Leroux 7ba55a4c99 Remove empty comments (elastic/elasticsearch#3731)
Original commit: elastic/x-pack-elasticsearch@a3e814bf34
2016-10-12 13:22:18 +02:00
Jay Modi 9a1d33d863 security: include anonymous roles when building the global permission
The anonymous role was being applied to other users for index access control but was not being applied
in terms of action level access control. This change makes the minimum required change to apply the
anonymous role for all users when anonymous is enabled. Additionally, some minor changes were made to the native roles store to not lookup roles before the service is started.

Closes elastic/elasticsearch#3711 

Original commit: elastic/x-pack-elasticsearch@a9398e178d
2016-10-12 06:52:24 -04:00
Yannick Welsch 4e00ab2f2b Remove test for transport handler that was removed in core (elastic/elasticsearch#3717)
Relates to elastic/elasticsearchelastic/elasticsearch#20836

Original commit: elastic/x-pack-elasticsearch@38f2d2e242
2016-10-12 09:08:02 +02:00
Alexander Reelsen 8b83cf067c Watcher: Ensure awesome painless exceptions are propagated to the user (elastic/elasticsearch#3707)
When adding a watch which has a painless component, the scriptexception
was wrapped into a deprecated exception which means, that the awesome
painless descriptions were lost. This wrapping has been removed.

Closes elastic/elasticsearch#3161

Original commit: elastic/x-pack-elasticsearch@1703fe4eb6
2016-10-12 08:14:06 +02:00
Areek Zillur 5d86c04441 Change bulk item requests from ActionRequest to DocumentWriteRequest
x-pack changes for elastisearchelastic/elasticsearch#20109

Original commit: elastic/x-pack-elasticsearch@8c12e1e102
2016-10-11 23:15:25 -04:00
Tim Sullivan 4c6e42ca2d Merge pull request elastic/elasticsearch#3584 from tsullivan/monitoring-ui-hide-system-indices-on-shards-view
[Monitoring UI] Default to hide system indices on shards view, with a checkbox to enable showing system indices

Original commit: elastic/x-pack-elasticsearch@27cb79ea6b
2016-10-11 15:55:33 -07:00
Tim Sullivan 0300c67726 Merge pull request elastic/elasticsearch#3693 from tsullivan/monitoring-ui-hide-license-expiration-option
Monitoring UI: Option to hide license expiration info

Original commit: elastic/x-pack-elasticsearch@709ea82440
2016-10-11 12:08:21 -07:00
Tim Sullivan 4905a76136 Merge pull request elastic/elasticsearch#3703 from tsullivan/monitoring-ui-kibanas-for-clusters-timerange
Monitoring UI: lib/get_kibanas_for_clusters timeRange params use timeRange from req

Original commit: elastic/x-pack-elasticsearch@6121679a95
2016-10-11 10:03:37 -07:00
Nik Everett 6e31ab8d99 Skip a new template rest test
It isn't compatible with security.

Relates to elastic/elasticsearch#20658

Original commit: elastic/x-pack-elasticsearch@33df690341
2016-10-11 12:30:45 -04:00
Tanguy Leroux 2e7b7be25c Watcher: Re enable array compare test (elastic/elasticsearch#3708)
This test has been blacklisted and deactivated months ago. This commit reenables this test and moves it at the right place. It also change the test to use the Execute Watch API instead of being sleep based.

Original commit: elastic/x-pack-elasticsearch@e7a9689375
2016-10-11 10:25:40 +02:00
Joe Fleming edc410d203 Merge pull request elastic/elasticsearch#3444 from w33ble/ui/version-in-build
Include kibana settings in build

Original commit: elastic/x-pack-elasticsearch@6c90b52089
2016-10-10 14:58:04 -07:00
Alexander Reelsen fe00615965 Watcher: Moving test to new unified directory structure
Original commit: elastic/x-pack-elasticsearch@0cc22544a4
2016-10-10 11:25:30 +02:00
Nik Everett 769554460d Handle removing NodeServicesProvider
Original commit: elastic/x-pack-elasticsearch@b43637f2fb
2016-10-08 10:27:50 -04:00
jaymode f23e40b772 test: add bwc indices for 2.4.1
Original commit: elastic/x-pack-elasticsearch@19bec2111e
2016-10-07 14:21:48 -04:00
Nik Everett 1d2c6e5180 Handle new nullable ctor parmater
Original commit: elastic/x-pack-elasticsearch@d604dfe1d0
2016-10-07 10:40:35 -04:00
Simon Willnauer c226dfddc0 Filter out assertion transport interceptors in tests that expect an XPack request handler
in core we wrap request handlers with an asserting one to ensure we can serialize messages
with different versions. Yet, xpack uses the same functionality to add security aspects to
the network layer. These tests assert that the right handlers are in-place.

Original commit: elastic/x-pack-elasticsearch@e39c8995ae
2016-10-07 15:44:48 +02:00
Simon Willnauer 4c349a76fb just use hostname in tests since it's simplify forwarding
Original commit: elastic/x-pack-elasticsearch@b5cf3a4435
2016-10-07 11:58:59 +02:00
Simon Willnauer 2f70ae92b6 Cut over to MockTcpTransport since LocalTransport is remove in core (elastic/elasticsearch#3684)
This is a followup commit to elastic/elasticsearchelastic/elasticsearch#20695

Original commit: elastic/x-pack-elasticsearch@27cd454ba6
2016-10-07 11:28:05 +02:00
Colin Goodheart-Smithe f9aba3944e Changes to support the removal of the now callable in core (elastic/elasticsearch#3685)
Fixes to x-plugins code now that DateMathParser accepts a LongSupplier rather than a Callable to get the value of now

Relates to elastic/elasticsearchelastic/elasticsearch#20796

Original commit: elastic/x-pack-elasticsearch@99fc47a8a7
2016-10-07 10:26:42 +01:00
Simon Willnauer 31ed371ed0 Remove SearchContext#current and all it's threadlocals (elastic/elasticsearch#3677)
Followup PR for elastic/elasticsearchelastic/elasticsearch#20778

Original commit: elastic/x-pack-elasticsearch@1e3959545e
2016-10-06 19:52:34 +02:00
Igor Motov bb8c08f254 Explicitly specify analyzer scope
Related to elastic/elasticsearchelastic/elasticsearch#20197

Original commit: elastic/x-pack-elasticsearch@af9258a8a6
2016-10-06 09:11:28 -04:00
Jay Modi 6c587330fd security: use SSLParameters to set ciphers/protocols/client auth
This change moves to using SSLParameters as the configuration source for SSLEngine and SSLSocket
objects that are configured by the SSLService. Previously we used a mix of specific methods and
SSLParameters, which resulted in issues where ordering of calls is important. For example, if configuring
client authentication directly on the engine prior to setting the SSLParameters resulted in the client
authentication configuration being reset to the default.

Additionally, this change also sets use cipher suite order to true to ensure preferred ciphers will be used.

Original commit: elastic/x-pack-elasticsearch@8ddecdc20c
2016-10-06 07:19:28 -04:00
Colin Goodheart-Smithe 288f682fee elastic/elasticsearch#3667 Changes to DLS to support preventing requests that use scripts or now() from being cached
Changes to DLS to support preventing requests that use scripts or now() from being cached

Original commit: elastic/x-pack-elasticsearch@b69c2f5ca4
2016-10-06 10:24:59 +01:00
jaymode dd64ced206 test: wait for response before closing client
This change ensures we wait for a response before the async http client is closed. Otherwise we can
close the client during the connection to the remote endpoint or never even connect to the remote
endpoint.

Closes elastic/elasticsearch#3640

Original commit: elastic/x-pack-elasticsearch@54900b1b4a
2016-10-05 11:49:21 -04:00
jaymode 15f6021f30 build: use artifactId instead pom.projectIdentity.artifactId
Original commit: elastic/x-pack-elasticsearch@18c0026046
2016-10-05 11:08:13 -04:00
Colin Goodheart-Smithe f2703f2d11 Changes to DLS to support elastic/elasticsearch#20750
This change fixes document level security to support the changes made in
elastic/elasticsearch#20750.

Original commit: elastic/x-pack-elasticsearch@d234be077d
2016-10-05 15:50:29 +01:00
Jay Modi 706f53c497 build: fix the artifactId in the pom for x-pack-transport
This changes the pom generation to use the value of archivesBaseName when generating
the pom file.

Closes elastic/elasticsearch#3668

Original commit: elastic/x-pack-elasticsearch@a6e537cffe
2016-10-05 10:46:24 -04:00
Alexander Reelsen 5aacf3e205 Revert "Change Watcher thread pool to be scaling"
This reverts commit elastic/x-pack@943bd259f9.

See discussion in elastic/elasticsearch#3660

Original commit: elastic/x-pack-elasticsearch@35d236df59
2016-10-05 14:45:34 +02:00
jaymode a7e25cbaf9 test: ensure security index exists in tests expecting it to
This changes does two things in the tribe tests. The first is that when we split data up between
multiple clusters, we always force create the security index so that randomization does not cause
edge cases like the index not existing in the preferred cluster. The second is we look at the cluster
state of the nodes and ensure the tribe node sees the indices and has all primaries active.

Separate tests were also added to cover the scenario where the security index only exists in the non
preferred node.

Original commit: elastic/x-pack-elasticsearch@17b78ec837
2016-10-05 08:38:20 -04:00
Alexander Reelsen 53103e988f Watcher: Add proxy support to pagerduty action (elastic/elasticsearch#3542)
This is the last action that needs additional support for proxies.

You can set a proxy in the JSON like this:

```
"actions" : {
  "notify-pagerduty" : {
    "pagerduty" : {
      "description" : "Main system down, please check!",
      "proxy" : { "host" : "localhost", "port" : 8080 }
    }
  }
}
```

Closes elastic/elasticsearch#3372

Original commit: elastic/x-pack-elasticsearch@b99969fd6b
2016-10-05 10:10:02 +02:00
Alexander Reelsen 7ffebef2cd Watcher: Add proxy support to slack action (elastic/elasticsearch#3487)
You can set it like this in the JSON

"actions" : {
  "notify-slack" : {
    "slack" : {
      "account" : "integration-account",
      "proxy" : {
        "host" : "localhost",
        "port" : 8080
      },
      "message" : {
        ...
      }
    }
  }
}

Relates elastic/elasticsearch#3372

Original commit: elastic/x-pack-elasticsearch@de86233d4f
2016-10-05 09:07:09 +02:00
Jason Tedor 00cecac86e Change Watcher thread pool to be scaling
Watcher uses a custom thread pool. This is because executing watches can
be long-running tasks that often block on I/O and it is best to not
consume the core thread pools with these tasks. Today this thread pool
is fixed, and sized at five times the bounded number of cores (so 160 on
a 32-core box). It makes sense for there to possibly be so many threads,
again because these tasks can block on I/O and having excess capacity
lets unblocked watches execute. It's the fixed size that can cause
problem, all these threads are always consuming resources even when
there are no or not that many watches running. This commit changes this
thread pool to be a scaling thread pool.

Relates elastic/elasticsearch#3660

Original commit: elastic/x-pack-elasticsearch@3cafab6e83
2016-10-04 18:15:19 -04:00
Jason Tedor a0e1d44a44 Remove lenient URL parameter parsing
This commit adapts x-plugins for a change in core Elasticsearch that
removes lenient URL parameter parsing.

Relates elastic/elasticsearch#3641

Original commit: elastic/x-pack-elasticsearch@cc0687f32c
2016-10-04 12:46:54 -04:00
jaymode ddae0694c9 test: move SecurityTribeIT to right directory
Relates elastic/elasticsearch#3635

Original commit: elastic/x-pack-elasticsearch@b46ab0b63e
2016-10-04 09:22:21 -04:00
Luca Cavanna 91a68e9873 adapt to IndicesAliasesRequest not implementing CompositeIndicesRequest (elastic/elasticsearch#3645)
We need to special case IndicesAliasesRequest as it doesn't implement CompositeIndicesRequest anymore. Note that the similar loop for CompositeIndicesRequests's subrequests will soon go away

Relates to elastic/elasticsearch#3638

Original commit: elastic/x-pack-elasticsearch@50d119ff61
2016-10-04 10:39:31 +02:00
Ryan Ernst 36c7070217 Fix xpack api jar artifact naming
Original commit: elastic/x-pack-elasticsearch@bb7b0a6392
2016-10-03 19:25:44 -07:00
Ryan Ernst fa4d389c99 Fix artifact id for x-pack api jar
Original commit: elastic/x-pack-elasticsearch@26e47099a2
2016-10-03 16:38:25 -07:00
Ryan Ernst 1911e5da02 Build: Fix artifact id for xpack transport client
Original commit: elastic/x-pack-elasticsearch@2658d3f087
2016-10-03 12:37:45 -07:00
Ryan Ernst ee9dbac0c7 Update conditional version from alpha6 to beta1 in http exporter
Original commit: elastic/x-pack-elasticsearch@fdcef033b9
2016-10-03 09:37:12 -07:00