This change adds a new permission that allows authorized users to execute a request as
another user. The flow is as follows:
1. The user making the request is authenticated
2. The user that is being impersonated is looked up
3. The requesting user is authorized for the privilege to run as the specified user
4. The impersonated user is then authorized for the given request
Additionally, the auditing has been updated to support this capability and indicates when a
user has been granted the ability to run as another user and then also indicates both the user
who is being impersonated and the requesting user when actions are granted/denied.
Closeselastic/elasticsearch#17
Original commit: elastic/x-pack-elasticsearch@00e5a6169b
For the RemoteIndexAuditTrailStartingTests we start a remote cluster and index into the test cluster and after
the test we stop the remote cluster but indexing operations can still be ongoing in the test cluster and thus cause
locked shards causing lots of noise in CI. We simply skip this check for these tests.
Closeselastic/elasticsearch#598
Original commit: elastic/x-pack-elasticsearch@e678f82f29
This change makes the environment optional for the ClientSSLService, which is used for
Transport Clients and also used for LDAP client connections. Since we use the ClientSSLService
for LDAP connections, we still need the environment when running as a node under the
security manager to resolve paths from the configuration directory.
Closeselastic/elasticsearch#573
Original commit: elastic/x-pack-elasticsearch@862fafffe3
Instead of wrapping the IndexSearcher and applying the role query during the rewrite, the role query gets applied in a custom filtered reader that applies the query via the live docs.
The big advantage is that DLS is being applied in all document based APIs instead of just the _search and _percolate APIs.
In order to better deal with the cost of converting the role query to a bitset, the bitsets are cached in the bitset filter cache
and if the role query bitset is sparse the role query and main query will execute in a leapfrog manner to make executing queries faster.
If the role query bitset isn't sparse, we fallback to livedocs.
Closeselastic/elasticsearch#537
Original commit: elastic/x-pack-elasticsearch@330b96e1f2
This commit removes and now forbids all uses of
com.google.common.base.Strings across the codebase.
For uses of com.google.common.base.Strings.isNullOrEmpty, use
org.elasticsearch.common.Strings.isNullOrEmpty.
For uses of com.google.common.base.Strings.padStart use
org.elasticsearch.common.Strings.padStart.
For uses of com.google.common.base.Strings.nullToEmpty use
org.elasticsearch.common.Strings.coalesceToEmpty.
Relates elastic/elasticsearchelastic/elasticsearch#13224
Original commit: elastic/x-pack-elasticsearch@d6e349e654
Today, once you add a watch to watcher, it's always active. Being "active" means that the watch is registered with the trigger engine (scheduled) and will be executed when its trigger is triggered.
Quite often, ppl want to have an option to deactivate/disable a registered watch. Such that while the watch definition still exists in watcher, it is "inactive" and is never triggered. The only way to do this today is using a "hack" where you can change the watch schedule to a cron expression targeting a really far date in the future (say somewhere around 2050). Again.. this is very hackish and it requires changing the actual definition of the watch (you loose its original trigger).
This commit introduces the notion of an active/inactive watch.. here are the differences between the two states:
- active: the watch is registered with watcher and with the trigger engine and will be executed when its trigger is fired by the engine
- inactive: the watch is registered with watcher, but is not registered with the trigger engine. An inactive watch will never be fired, regardless of its trigger.
This commit also adds two new APIs:
- `_watcher/watch/{id}/_activate`
- `_watcher/watch/{id}/_deactivate`
to activate and deactivate existing watches.
In addition, the Put Watch API now accepts an `active` parameter that indicates the initial state of the put watch (by default set to `true`, i.e. "active").
Closeselastic/elasticsearch#90
Original commit: elastic/x-pack-elasticsearch@37b9ab4d54
This commit removes and now forbids all uses of
com.google.common.base.Predicate and com.google.common.base.Predicates
across the codebase. This is one of the many steps in the eventual
removal of Guava as a dependency. This was enabled by
elastic/elasticsearchelastic/elasticsearch#13314.
Relates elastic/elasticsearchelastic/elasticsearch#13224, elastic/elasticsearchelastic/elasticsearch#13349
Original commit: elastic/x-pack-elasticsearch@968b81849f
In order to not accidentally release marvel in its current state
this removes marvel in the S3 upload as well as not deploying
marvel to artifactory.
Original commit: elastic/x-pack-elasticsearch@cb6088e18b
The InternalTestCluster checks after the tests run if there are any locked shards, which is still
possible because the IndexAuditTrail is running and auditing events. This change makes the
test stop the IndexAuditTrail if they are running in the local cluster.
Original commit: elastic/x-pack-elasticsearch@f7fb564525
The ShieldWrappingCluster was added to prevent deletion of the IndexAuditTrail template when
running tests since the wipe() method will delete all templates. However, the cluster wrapping
is problematic with indexRandom() and causes noise in CI. This change removes the
ShieldWrappingCluster and changes the IndexAuditTrail to recreate the index template if it is
removed.
Closeselastic/elasticsearch#562
Original commit: elastic/x-pack-elasticsearch@0403ea7cef
This commit adds a new compare condition called “array_compare”. This
condition enables comparing a single resolved value to an array of
resolved values. The value can be compared for equality, non-equality,
and strict and non-strict ordering; the array compare condition will
evaluate to true if the value compares to true with respect to the
specified operator against all (“all”) or at least one (“some”) of the
values in the array specified by “array_path”. Each value in the array
can be resolved to a value using “path” (e.g., “array_path”:
“cx.payload.aggregations.some_field.buckets” and “path”: “doc_count”
would resolve each value in the buckets array to its “doc_count”).
Closeselastic/elasticsearch#345
Original commit: elastic/x-pack-elasticsearch@0d74b4dc11
- This action enables sending notifications to slack channels/users
- Utilizes the incoming webhook API of slack
- Similar to the `email` and `hipchat` actions, multiple slack accounts can be configured, each with its own URL and message defaults
- Slack actions are associated with an account, or if not, they'll be sent via the default account.
- The message itself is very flexible and enables defining simple messages to one or more users and/or one or more channels. For complex message structures, one can use `attachments` as described by the slack API.
Closeselastic/elasticsearch#491
Original commit: elastic/x-pack-elasticsearch@9ecc69c17c
This change adds support for to put the watcher user in the context that is passed to the
ScriptService when Shield is installed and watcher integration with Shield is enabled.
Original commit: elastic/x-pack-elasticsearch@7e9983df0e
This includes the following:
- Updated .gitignore to be the same as the elasticsearch repo so eclipse files are correctly ignored
- Fixes ambiguous method call compile error in HipChatMessageTests
Original commit: elastic/x-pack-elasticsearch@027ee0ec63