This change disables document and field level security by default so that we are able to maintain
bulk update functionality. Users that enable DLS/FLS will not have this functionality. Additionally,
if a user tries to configure DLS/FLS in a role without enabling it, the role will be skipped during
parsing and a log message will be logged at the error level.
See elastic/elasticsearch#938
Original commit: elastic/x-pack-elasticsearch@60c7519092
This commit reverts a previous change where searchers were not wrapped when the RequestContext
could not be found. If DLS/FLS is enabled, which is the default, any bulk request that contains an
update request will not be permitted. This change also exposes the ability to completely disable DLS
and FLS so that users who are not using these features can still use bulk updates.
See elastic/elasticsearch#938
Original commit: elastic/x-pack-elasticsearch@513782db1c
Previously, when the RequestContext could not be located a FieldSubsetReader was returned that only
allowed meta fields to be read. This was done for safety in case there was an API missed so we did not
leak data. However, this causes issues because some requests in elasticsearch execute on a different
thread than the one with the RequestContext so we effectively lose this context and prevent access to
the fields in the document. This is especially problematic with update requests, because that means that
fields that aren't included in the updated document will be lost.
This commit removes the wrapping of the readers in this case and adds tests for bulk updates.
Closes elastic/elasticsearch#938
Original commit: elastic/x-pack-elasticsearch@74c8059da0
In elastic/elasticsearch#14668, transitive dependencies were removed
from elasticsearch, and plugins now no longer get transitive deps
either. This commit fixes x-plugins to remove transitive deps.
Original commit: elastic/x-pack-elasticsearch@5c41657b6e
Currently, running any task while attached to elasticsearch will also
try to run that task in all elasticsearch projects. This change causes
x-plugins to be moved into a subproject when attached. It does this by
dynamically creating a fake root project, and making this root project
think it is attached to the existing attachments, along with x-plugins
itself.
This also fixes buildSrc so attachment to elasticsearch's buildSrc
actually works.
Original commit: elastic/x-pack-elasticsearch@da0adf1da5
This commit adds SuppressForbidden annotations to command line tools to
still allow calling System#exit() (see also issue 12596 in ES core).
Original commit: elastic/x-pack-elasticsearch@1dd3f1dcb1
The cache provides a get method with a callable to load the value into the cache. Our callable
performs authentication and then returns a value. The issue with this is that the cache will queue
concurrent calls if a value is already being loaded and return the result to all callers. This is
problematic since the key is only the username and we do not validate the credentials as part of
the get call. This means it is possible for valid credentials to be returned a null user and authentication
fails.
Additionally, another variant exists where it is possible for invalid credentials to be returned a valid
user, which allows an attacker to gain access by only knowing a username and issuing a large number
of concurrent requests.
Closes elastic/elasticsearch#860
Original commit: elastic/x-pack-elasticsearch@3d122d3bbb
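The race described in the commit message above, reproduced deterministically as an added example; it is not code from the commit or from the project. `LoadingCache`, `verify`, `auth_vulnerable`, `auth_hardened`, `race` and the credential store are hypothetical names and constructed data, and the hardened variant is one possible fix, not necessarily the one the commit applied.

```python
import hashlib, hmac, threading
from concurrent.futures import Future, ThreadPoolExecutor
USERS = {"alice": "correct-horse"}  # constructed credential store
gate = threading.Event()            # demo only: holds verify() open
parked = threading.Semaphore(0)     # demo only: one release per blocked caller

def verify(user, pw):  # stands in for the slow realm check
    parked.release()
    gate.wait()
    return user if hmac.compare_digest(USERS.get(user, ""), pw) else None

class LoadingCache:  # get() runs one loader per key; concurrent callers share it
    def __init__(self):
        self.lock, self.values, self.inflight = threading.Lock(), {}, {}
    def get(self, key, loader):
        mine = Future()
        with self.lock:
            if key in self.values:
                return self.values[key]
            fut = self.inflight.setdefault(key, mine)
        if fut is not mine:
            parked.release()  # this caller's own loader never runs
            return fut.result()
        value = loader()
        with self.lock:
            if value is not None:
                self.values[key] = value
            self.inflight.pop(key).set_result(value)
        return value

def auth_vulnerable(cache, user, pw):  # key is the username; check is in the loader
    return cache.get(user, lambda: verify(user, pw))

def auth_hardened(cache, user, pw):
    # Match the password against the cached digest, else verify it directly
    # (sha256 stands in for a salted password hash).
    digest = hashlib.sha256(pw.encode()).digest()
    if hmac.compare_digest(cache.values.get(user, b""), digest) or verify(user, pw):
        cache.values[user] = digest
        return user
    return None

def race(auth, first_pw, second_pw):  # second login starts while the first is in flight
    cache, futs = LoadingCache(), []
    with ThreadPoolExecutor(2) as pool:
        for pw in (first_pw, second_pw):
            futs.append(pool.submit(auth, cache, "alice", pw))
            parked.acquire()  # wait until this caller is blocked
        gate.set()
    gate.clear()
    return tuple(f.result() for f in futs)
```

`race` returns the results of the first and second caller in that order, so the vulnerable path can be compared with the hardened one for both variants in the commit message.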
The additional setting to specify the configuration path is no longer needed with elasticsearch 2.0, so
we should remove it from the documentation. Also cleans up the installation commands to be in line
with what 2.0 requires.
Original commit: elastic/x-pack-elasticsearch@b269568a67