Commit Graph

6047 Commits

Author SHA1 Message Date
Alexander Reelsen f1e5de40f5 Ip filtering: Use settings file instead of own configuration
This will allow in the future to make this a dynamic setting,
which can also be shared accress the cluster instead of having
to use (and distribute) files.

Another change is, that the order of `deny` and `allow` now does not matter
anymore. Allow will win over deny.

The last change is that `all` now is `_all` in order to align with the
rest of Elasticsearch

Documentation has been updated accordingly.

Original commit: elastic/x-pack-elasticsearch@daa0b18343
2014-11-24 10:46:15 +01:00
Martijn van Groningen 619afe51af Test: use refresh and assertBusy
Original commit: elastic/x-pack-elasticsearch@44e0dab7ef
2014-11-24 10:15:14 +01:00
Martijn van Groningen e0eecc5550 Test: ensure alerting is started before adding alerts
Original commit: elastic/x-pack-elasticsearch@f034d20016
2014-11-23 21:02:21 +01:00
Martijn van Groningen 44b9d8229f Set the manually stopped flag we a node gets shutdown.
Original commit: elastic/x-pack-elasticsearch@f3841481b0
2014-11-23 20:55:40 +01:00
Martijn van Groningen 4e239a8be6 Test: check no master block on all nodes
Original commit: elastic/x-pack-elasticsearch@611ce01d69
2014-11-23 20:32:50 +01:00
uboness b31beb1e36 [Cleanup] - renamed KeyService/KeyModule to SignatureService/SignatureModule
Also moved to appropriate package

Original commit: elastic/x-pack-elasticsearch@cb373314b8
2014-11-22 21:46:13 +01:00
uboness 22eea8aba0 [Cleanup] - Refactored security filter
Nuked the security filter and separated the different filter to their own constructs:

- Added a shield action package & module that is responsible for binding the shield action filter (and later will hold all shield actions)
- Added a shield rest package & module that is responsible for binding the shield rest filter and registering all the rest actions
- Moved the client & server transport filters to the transport package

General cleanup:

- Code formatting
- moved `ShieldPlugin` to the top level package `org.elasticsearch.shield`

Original commit: elastic/x-pack-elasticsearch@d652041860
2014-11-22 05:31:03 +01:00
uboness 6087480368 Avoid re-authenticating on in-cluster requests
Now, on first successful authentication, we put the user in the message header so it'll be send with any subsequent cluster internal requests (e.g. shard level search) to avoid re-authentication on every node in the cluster. We can do that now, as with multi-binding transport we can guarantee isolation of the internal cluster from client communication. While it's generally safe for transmission, the user header that is sent between the nodes is still signed using the `system_key` as yet another security layer.

As part of this change, also added/changed:

 - A new audit log entry - anonymous access for Rest request.
 - Changed how system user is assumed. Previously, system user was assumed on the receiving node when no user was associated with the request. Now the system user is assumed on the sending node, meaning, when a node sends a system originated request, initially this request won't be associated with a user. Shield now picks those requests up and attaches the system user to the role and then sends it together with the request. This has two advantages: 1) it's safer to assume system locally where the requests originate from. 2) this will prevent nodes without shield from connecting to nodes with shield. (currently, the attached users are signed using the system key for safety, though this behaviour may be disabled in the settings).

 - System realm is now removed (no need for that as the system user itself is serialized/attached to the requests)

 - Fixed some bugs in the tests

 Closes elastic/elasticsearch#215

Original commit: elastic/x-pack-elasticsearch@3172f5d126
2014-11-21 21:42:15 +01:00
Areek Zillur 6d5b2569f1 [CORE] Renamed internal action to be consistent
Original commit: elastic/x-pack-elasticsearch@21df16eba4
2014-11-21 13:07:59 -05:00
Martijn van Groningen beb4fada5f Core: Changed the loading logic in AlertManager to happen all in a single forked thread only. Also retry attempts stay on the the same thread and is only done if there is a new cluster state version.
Test: Added first version of test that fails the elected master multiple times.

Original commit: elastic/x-pack-elasticsearch@2f7b840f5a
2014-11-21 18:15:09 +01:00
Areek Zillur 32af5a9d9c Remove third-party licensing library
Incorporate Feedback:
 - verify signature for signed licenses whenever it is read from cluster state
 - encrypt trial licenses with default pass phrase when storing it
 - moved toSignature & fromSignature to License

Make LicenseManager a Utility class

Refactor:
 - renamed LicenseManager to LicenseVerifier
 - LicensesMetaData now holds a list of license objects (for signed licenses) and a set of encoded strings (trial licenses)
 - minor test cleanup

incorporate feedback

incorporated feedback

switch to a stronger secret key gen algo; clean up build files & LicensesMetaData

cosmetic changes to LicenseSigner

incorporate LicnesesMetaData feedback

Original commit: elastic/x-pack-elasticsearch@0510091d2d
2014-11-21 11:37:19 -05:00
Alexander Reelsen 2b108203fb SSL/TLS: Added support for different certs per profile
In order to run on different certs per port, we needed to adapt
the logic of starting up.

Also different profiles can now be applied to the N2NAuthenticator, so that
a different profile can allow/deny different hosts.

In addition minor refactorings have been done
* Group keystore/truststore settings instead of using underscores
* Change to transport profile settings instead of using specific shield ones

Documentation has been updated as well

Closes elastic/elasticsearch#290

Original commit: elastic/x-pack-elasticsearch@ad1ab974ea
2014-11-21 17:02:58 +01:00
Brian Murphy c471abdab5 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-alerts
Original commit: elastic/x-pack-elasticsearch@7aee9aef96
2014-11-21 15:52:08 +00:00
Martijn van Groningen e6336010be Changed info log into debug log
Original commit: elastic/x-pack-elasticsearch@b142696ca5
2014-11-21 14:30:51 +01:00
Brian Murphy 97bbd747ea DOCS : Add REST API doc for akcing alerts.
Original commit: elastic/x-pack-elasticsearch@633444773d
2014-11-21 12:52:31 +00:00
Martijn van Groningen bb4d85a1a7 Removed error log statement
Original commit: elastic/x-pack-elasticsearch@8a33309b71
2014-11-21 13:44:18 +01:00
Martijn van Groningen 1adb25127b Added start, stop and restart apis.
Closes elastic/elasticsearch#37

Original commit: elastic/x-pack-elasticsearch@6d491c4cec
2014-11-21 12:28:54 +01:00
Brian Murphy 6ea6256e35 TEST : Fix ACK test
Get the count AFTER we ack.

Original commit: elastic/x-pack-elasticsearch@23dacea151
2014-11-21 10:41:08 +00:00
javanna f2abfb35f9 Work around circular dependency in core
There is a circular dependency in core 1.4.0 that cause plugins to fail depending on their constructors injection. We have ClusterService in InternalAuthorizationService that triggers this problem, solved for now replacing the dependency with a Provider. The original bug is already fixed in core: https://github.com/elasticsearch/elasticsearch/pull/8415 .

The problem manifested when enablieng a tribe node having shield installed on that node at the same time.

Closes elastic/elasticsearch#363

Original commit: elastic/x-pack-elasticsearch@ac339ef247
2014-11-21 10:45:39 +01:00
Martijn van Groningen c4787d9160 fixed bug, expected and update was swapped.
Original commit: elastic/x-pack-elasticsearch@78e42879be
2014-11-21 01:01:29 +01:00
c-a-m 8397112422 Documentation updates for Active Directory Realm. Also replaces empty string arrays with Strings.EMPTY_ARRAY
Original commit: elastic/x-pack-elasticsearch@3f02d89a20
2014-11-20 16:26:57 -07:00
c-a-m 350665bb26 Changed from code-review feedback
Original commit: elastic/x-pack-elasticsearch@356c829f5a
2014-11-20 16:26:57 -07:00
c-a-m 32f0f621d5 LDAP: splitting AD and LDAP realm
This splits the realm into two so that configuration for both are separate.

Original commit: elastic/x-pack-elasticsearch@782997d54b
2014-11-20 16:26:57 -07:00
c-a-m e8119ec933 LDAP: Changed AD group lookup to include nested groups
This expands the ActiveDirectoryConnectionFactory to lookup nested groups, in a non standard way.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/286

Original commit: elastic/x-pack-elasticsearch@7a3c5643f6
2014-11-20 16:26:57 -07:00
c-a-m 852529bf53 LDAP: Changed AD group lookup to include nested groups
This expands the ActiveDirectoryConnectionFactory to lookup nested groups, in a non standard way.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/286

Original commit: elastic/x-pack-elasticsearch@01781a8305
2014-11-20 16:26:57 -07:00
Brian Murphy 178a701724 ACKS : Fix some issues when a transport client was used.
Original commit: elastic/x-pack-elasticsearch@9276820a90
2014-11-20 22:24:25 +00:00
Brian Murphy 42d484b62a TEST: Add extra logging when alert didn't trigger an action.
Original commit: elastic/x-pack-elasticsearch@bc389fccdc
2014-11-20 22:22:50 +00:00
Brian Murphy 32e7bc45b1 REST : Add ACK Rest Action
This commit adds the alert ack rest action.

Original commit: elastic/x-pack-elasticsearch@73a0286863
2014-11-20 18:02:54 +00:00
Brian Murphy bed7ddbb01 DOCS : Add some java docs.
Original commit: elastic/x-pack-elasticsearch@394d957364
2014-11-20 17:24:20 +00:00
Brian Murphy a3259e9c62 TEST: Up wait time to allow things to settle down once we ACK.
Original commit: elastic/x-pack-elasticsearch@69f7680348
2014-11-20 17:00:21 +00:00
Brian Murphy b1f64f4103 Fixes after merge conflicts.
Original commit: elastic/x-pack-elasticsearch@65adad6ea7
2014-11-20 16:28:00 +00:00
Brian Murphy 3fcae91633 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-alerts
Conflicts:
	src/main/java/org/elasticsearch/alerts/actions/AlertActionManager.java
	src/test/java/org/elasticsearch/alerts/BootStrapTest.java
	src/test/java/org/elasticsearch/alerts/actions/AlertActionsTest.java

Original commit: elastic/x-pack-elasticsearch@8dcb986dff
2014-11-20 15:44:25 +00:00
Brian Murphy 64325d4f30 THROTTLING : Add throttling support for alerts.
This commit adds throttling support for alerts.

If an alert is added with the throttle_state NOT_TRIGGERED
This alert can be ACKed.
If an alert is ACKed no further actions will be performed until the alert stops triggering.
If an alert is added with the throttle_period as a TimeValue alerts will only be triggered at least that TimeValue apart in time.

Original commit: elastic/x-pack-elasticsearch@65dfda7d1a
2014-11-20 15:31:04 +00:00
Martijn van Groningen 64d49dae5c Forked CronExpression because it uses the default Locale to determine the maximum allowed year to be used. It now uses Locale.ENGLISH to do this.
Original commit: elastic/x-pack-elasticsearch@41f27aa33c
2014-11-20 15:19:35 +01:00
Martijn van Groningen e3694655af Only stop the scheduler once it is set.
Original commit: elastic/x-pack-elasticsearch@4238a62673
2014-11-20 14:44:31 +01:00
Martijn van Groningen 306fefd847 Removed useless if check
Original commit: elastic/x-pack-elasticsearch@c9fea5aca4
2014-11-20 12:42:41 +01:00
Martijn van Groningen 15d9101ea9 First stop the alert action manager and enforce started property inside alert action manager.
Original commit: elastic/x-pack-elasticsearch@75a98a93f5
2014-11-20 12:39:09 +01:00
Martijn van Groningen cfdc061908 In the AlertsClusterStateListener fork the call to stop if we're no longer master
Original commit: elastic/x-pack-elasticsearch@1b40f14570
2014-11-20 12:09:12 +01:00
Martijn van Groningen 0438e61404 Let Quartz interrupt jobs on shutdown.
Original commit: elastic/x-pack-elasticsearch@3084f9b3f4
2014-11-20 11:56:48 +01:00
Martijn van Groningen 79b10f8c0d Don't let Quartz check for updates.
Original commit: elastic/x-pack-elasticsearch@dd1e4c2577
2014-11-20 11:32:54 +01:00
Martijn van Groningen ca00e59911 Make AlertManager#stop() synchronized so that the call from beforeClose waits if an stop is being performed already.
This prevents the test framework to complain about the fact that threads are lingering around when the test cluster has been shutdown.

Original commit: elastic/x-pack-elasticsearch@315be3f376
2014-11-20 11:12:25 +01:00
Martijn van Groningen 42dda5b975 Test: Let AlertActionsTest extend from AbstractAlertingTests.
Original commit: elastic/x-pack-elasticsearch@4c11aef8cb
2014-11-19 21:44:58 +01:00
Martijn van Groningen 43e6aa5b23 Moved json field variable from AlertActionEntry to AlertActionManager and made AlertActionEntry not implement ToXContent.
Original commit: elastic/x-pack-elasticsearch@76731aee22
2014-11-19 21:37:23 +01:00
Martijn van Groningen 72e9d9e4b7 Leftover from IndexAlert* to PutAlert*
Original commit: elastic/x-pack-elasticsearch@6af1e77e43
2014-11-19 21:32:18 +01:00
Martijn van Groningen c2e4fe375d Test: Fixed and cleanup bootstrap test
Original commit: elastic/x-pack-elasticsearch@7455bd8c00
2014-11-19 21:27:51 +01:00
Martijn van Groningen 19622d4f0b Moved more initialization responsibilty to AlertManager.
Original commit: elastic/x-pack-elasticsearch@5799ecbd23
2014-11-19 18:08:56 +01:00
javanna 34a69cd1cf SSL: make sure SSLService is loaded only when needed
Our two transport impls depend on the SSLService at this point. Although we bind the SSLService only if ssl is enabled, it gets loaded anyway as it's a required dependency for the transports. We need to declare the dependency nullable and bind a null service manually when ssl is off.

Also resolved a couple of compiler warnings in SSLService and renamed some of its variables for better readability.

Closes elastic/elasticsearch#359

Original commit: elastic/x-pack-elasticsearch@2c99b2052e
2014-11-19 16:02:54 +01:00
Martijn van Groningen 506daca17e Added state to AlertManager that replaced the started flag.
This helps us preventing endless re-loading logic while a node steps down as master while while we in the process of starting alert store and action manager.

Original commit: elastic/x-pack-elasticsearch@e18c8215a9
2014-11-19 15:12:52 +01:00
uboness 50556c120c [Cleanup] - Added SSLModule
Moved the SSLService binding to its own module

Original commit: elastic/x-pack-elasticsearch@b08662c680
2014-11-19 14:08:53 +01:00
uboness 8783abcc6f Empty list of privileges should be skipped
When a role is configured with an entry with an empty list of privileges (cluster or indices), the entry should be skipped.

Fixes elastic/elasticsearch#339

Original commit: elastic/x-pack-elasticsearch@44d957529e
2014-11-19 14:05:02 +01:00