Commit Graph

1326 Commits

Author SHA1 Message Date
Alexander Reelsen fe93640e43 Watcher: Be strict with chain input parsing (elastic/elasticsearch#3873)
When parsing chain inputs there were possibilities to write invalid
JSON that resulting in losing the order of the inputs without any
exception being thrown.

This commit makes the parsing more strict.

Closes elastic/elasticsearch#3736

Original commit: elastic/x-pack-elasticsearch@963641ee2b
2016-11-02 10:37:41 +01:00
Alexander Reelsen 95e1f2942b Tests: Replaced bad apple test with REST test (elastic/elasticsearch#3920)
Original commit: elastic/x-pack-elasticsearch@5052f9cfbd
2016-11-02 09:58:38 +01:00
Adrien Grand 3e92b905c7 Improve QueryShardContext creation in SecurityIndexSearcherWrapper. (elastic/elasticsearch#3930)
Currently security always parses the permissions filters with a shard id equal
to `0` even if the query is executed on a different shard. Also it does not
protect against queries that may rely on the current timestamp even though we
don`t currently have ways to make sure that all shards use a consistent
timestamp.

Sibling of elastic/elasticsearchelastic/elasticsearch#21196.

Original commit: elastic/x-pack-elasticsearch@cab47f2ed2
2016-11-02 09:49:06 +01:00
Alexander Reelsen 043da7afe8 Tests: Remove bad apples from schedule engine tests (elastic/elasticsearch#3919)
The execution time of the trigger tests was extremely slow, because it
really waited until executions happened. This uses the mock clock to
advance in time manually.

This also allows to remove the bad apples annotation and make sure that
the schedule engine tests for both implementations are run all the time.

Relates elastic/elasticsearch#1007

Original commit: elastic/x-pack-elasticsearch@f9436f506f
2016-11-02 09:35:20 +01:00
Boaz Leskes 03c5d71c12 remove hard coded dates from testDateMathExpressionsCanBeAuthorized
Original commit: elastic/x-pack-elasticsearch@d7fac0b9a0
2016-11-01 09:02:39 +01:00
Jack Conradson 7dd4188299 Cleanup ScriptType (elastic/elasticsearch#3922)
Refactored ScriptType to clean up some of the variable and method names. Added more documentation. Deprecated the 'in' ParseField in favor of 'stored' to match the indexed scripts being replaced by stored scripts.

Original commit: elastic/x-pack-elasticsearch@d7c7bd7362
2016-10-31 13:49:10 -07:00
Yannick Welsch 8350a8b2d8 [TEST] Disconnect from newly added nodes if cluster state publishing fails
Companion commit for elastic/elasticsearchelastic/elasticsearch#21197

Original commit: elastic/x-pack-elasticsearch@248a6bfb7c
2016-10-31 15:36:54 +01:00
Simon Willnauer f696ad1d10 Skip authentication and warn if shards of the .security index are not available
Original commit: elastic/x-pack-elasticsearch@9970d80f2d
2016-10-28 15:04:06 +02:00
Alexander Reelsen e67847ca8c Tests: Increase logging to get more sync inside
My current assumption is, that creating the templates is not
yet finished (as this is async), so that we need to add
another check that the templates have been added before
continuing.

Relates elastic/elasticsearch#3892

Original commit: elastic/x-pack-elasticsearch@3880d200a1
2016-10-28 11:00:09 +02:00
Simon Willnauer f4da918b09 [TEST] Pass _analyze API params in the body rather than as params. Parameters are not supported anymore
Original commit: elastic/x-pack-elasticsearch@e04d425a89
2016-10-27 22:34:35 +02:00
Jason Tedor a15f565539 Mark BWC tests as awaits fix
These tests are awaiting the BWC indices script to be upgraded for 5.x.

Original commit: elastic/x-pack-elasticsearch@540fe73bd0
2016-10-26 21:40:00 -04:00
Jack Conradson 4fd19aa00a Merge branch 'master' into stype
Original commit: elastic/x-pack-elasticsearch@37f27bef1a
2016-10-26 12:29:43 -07:00
Simon Willnauer 84b631643c Add utility method to fetch and collect results from a query (elastic/elasticsearch#3894)
Today we have the same madness in two places and no dedicated test. This
change moves the real madness into a single place and adds a test for it
to make sure it actually works and isn't just crazy.

Original commit: elastic/x-pack-elasticsearch@dabf5fdd63
2016-10-26 21:05:49 +02:00
Jack Conradson 72a49015cc Refactor ScriptType to be a top-level class.
Original commit: elastic/x-pack-elasticsearch@39afcbfdf5
2016-10-26 10:21:47 -07:00
Simon Willnauer 9f57afbdf3 Return non-existing role if the .security index is not found (elastic/elasticsearch#3895)
We used to be very lenient with all kinds of exceptions related to the
`.security` index. Yet, sometimes in tests the index is not yet there but
transport clients already pinging the node this causes issues and transport
clients disconnect. Now if the index is not present we simply return no role.

Original commit: elastic/x-pack-elasticsearch@60948d0c2a
2016-10-26 17:25:20 +02:00
Simon Willnauer 6e1287bab9 Simplify TransportGetRolesAction (elastic/elasticsearch#3888)
TransportGetRolesAction optimizes for single role case while this
optimization can be simply inside the NativeRoleStore and being
way more contained.

Original commit: elastic/x-pack-elasticsearch@c43d8ba341
2016-10-26 14:55:39 +02:00
Jason Tedor 007e49c5d9 Reveal Content-Length on x-pack info HEAD requests
This commit permits x-pack info HEAD requests to reveal the
Content-Length of the response.

Relates elastic/elasticsearch#3887

Original commit: elastic/x-pack-elasticsearch@8696caa1f6
2016-10-25 23:12:54 -04:00
Simon Willnauer 0b24f022f7 Remove all blocking calls from TransportGetUsersAction (elastic/elasticsearch#3876)
`TransportGetUsersAction` does some funky blocking calls even though
it's specifying `SAME` as the thread-pool indicating that it's fast or
forking off quickly. Both might not be true today. This change adds
async support to the methods it calls without breaking the existing
Realm interface. Yet, we might need to do this down the road.

Original commit: elastic/x-pack-elasticsearch@d0959f87f3
2016-10-25 22:11:19 +02:00
Jay Modi 542a484031 security: cache negative lookups for native roles
This changes adds a special value for negative role lookups so that we can avoid scenarios
where we overload the cluster due to continually trying to load non-existing roles as is often
the case when `unmapped_groups_as_roles` is used with the active directory realm.

Relates elastic/elasticsearch#3530 

Original commit: elastic/x-pack-elasticsearch@62567b4c22
2016-10-25 16:00:27 -04:00
Jay Modi 7d60f6b365 security: restore the correct user when switching to the system user
* security: restore the correct user when switching to the system user

For internal actions where we need to switch to the SystemUser, we should always restore the proper
context after execution. We were restoring an empty context for actions executed by the SystemUser
in the SecurityServerTransportInterceptor.

In order to accomplish this, a few changes have been made. Both the SecurityServerTransportInterceptor
and the SecurityActionFilter delegate to `SecurityContext#executeAsUser` when a user switch is necessary.
Tests were added for this method to ensure that the consumer is executed as the correct user and the proper
user is restored.

While working on this, a few other cleanups were made:

* SecurityContext can never have a null CryptoService, so a null check was removed
* We no longer replace the user with the system user when the system user is already associated with the request
* The security transport interceptor checks the license state and if auth is not allowed, delegate and return
* The security transport interceptor sendWithUser method now requires authentication to be present or a hard
exception is thrown.
* The TransportFilters integration test has been deleted. This was integration test that relied on the ability to
get instances from a node and trace the execution. This has been replaced by additional unit tests in
ServerTransportFilterTests

Closes elastic/elasticsearch#3845

Original commit: elastic/x-pack-elasticsearch@d8bcb59cb7
2016-10-25 13:48:28 -04:00
Simon Willnauer a50bc7946b Make request authorization non-blocking (elastic/elasticsearch#3837)
This change removes the blocking notion from fetching the roles
from a remote index. This also removes the blocking client calls
that can potentially deadlock a request if executed on the transport
thread.

Relates to elastic/elasticsearch#3790

Original commit: elastic/x-pack-elasticsearch@c2eda39043
2016-10-25 17:28:29 +02:00
Jay Modi f3d5d79a20 test: install a new signed license when running index BWC tests
This change now installs a signed license that has been generated at runtime so the
BWC tests can run without hitting licensing issues. The x-pack BWC tests pull in the
full cluster state, which contains the trial license from when the indices and state
was generated. After the trial license period and grace period issues arise with the
tests.

Closes elastic/elasticsearch#3858

Original commit: elastic/x-pack-elasticsearch@1c79e874e5
2016-10-24 09:18:59 -04:00
Simon Willnauer f8ba7f6fd8 Restore thread-context when executing with InternalClient (elastic/elasticsearch#3859)
Today when a request is executed with InternalClient the thread context might
be lost if another component like security exchanges it by executing an async call
or an internal action. This can be a serious security problem since if the async
call executes as the system user all subsequent calls made by the response
thread will also execute as the system user instead.

Original commit: elastic/x-pack-elasticsearch@80682f338d
2016-10-24 14:39:00 +02:00
Simon Willnauer 51b871f344 Followup API change for elastic/elasticsearchelastic/elasticsearch#21089
Original commit: elastic/x-pack-elasticsearch@5d9b2fe0c8
2016-10-24 14:06:13 +02:00
Adrien Grand 47079cf5d1 Disable bw testing due to license expiration.
Relates to elastic/elasticsearch#3858

Original commit: elastic/x-pack-elasticsearch@7d676b96d3
2016-10-24 11:47:23 +02:00
Ryan Ernst 6dc4b0b749 x-plugins side of zen ping refactoring
see elastic/elasticsearchelastic/elasticsearch#21049

Original commit: elastic/x-pack-elasticsearch@57a0405eb7
2016-10-20 13:12:41 -07:00
Tanguy Leroux fc88dfe1a6 CertificateTool must not generate world redeable files (elastic/elasticsearch#3810)
This commit changes the permissions of the files generated by the certgen tool to 600 (like syskeygen does)

Original commit: elastic/x-pack-elasticsearch@bca74e9c92
2016-10-20 16:36:35 +02:00
Jay Modi 05886cdf9f security: exclude the anonymous role from the xpack user
The calls made by the native users and roles store use the internal xpack user to make the request
and this user has a built-in role that has a single instance. A bug was introduced when fixing the logic
for applying the anonymous role to all users in elastic/elasticsearch#3716. The anonymous role was now being added to
the xpack user, even though the additional role would have no effect as this user is a superuser.

When the anonymous role is applied to the xpack user and exists as a native role or doesn't exist
at all, we run into a deadlock since we wind up querying for the role as a user that also has the
anonymous role.

This change special cases the XPackUser when getting the collection of roles so that the only role
applied to this user is the superuser role.

Closes elastic/elasticsearch#3822

Original commit: elastic/x-pack-elasticsearch@e3093904f1
2016-10-20 08:11:01 -04:00
jaymode 388bfd761d security: use lucene automatons and remove dependency on briks
This commit removes the dependency on the briks automatons library and instead uses the lucene
version. Shield was originally implemented using the lucene version, but issues arose with supporting
multiple versions of elasticsearch and API changes, so we moved to using the briks library.

x-pack and elasticsearch are always the same version so we can use the lucene version of the
automatons and remove the briks library. This also brings with it protection from huge automatons
that we did not have before.

Original commit: elastic/x-pack-elasticsearch@e3f34b6b55
2016-10-20 06:55:01 -04:00
Jay Modi ff3d685833 security: update unboundid-ldapsdk to the latest version
This changes updates the unboundid ldapsdk to the latest version to stay up to date
with their releases.

Original commit: elastic/x-pack-elasticsearch@b9e4f7f062
2016-10-20 06:37:30 -04:00
javanna b7a10239be [TEST] Verify that date math expressions work with security plugin
Original commit: elastic/x-pack-elasticsearch@d87c9fdb30
2016-10-20 12:07:26 +02:00
javanna 8d001237df fix compile error after https://github.com/elastic/elasticsearch/pull/21032
Original commit: elastic/x-pack-elasticsearch@8372cea977
2016-10-20 12:02:18 +02:00
javanna 508784554b fix compile error after https://github.com/elastic/elasticsearch/pull/21032
Original commit: elastic/x-pack-elasticsearch@c4f400c0f7
2016-10-20 11:58:13 +02:00
Simon Willnauer 8b6867b99b Deguice Watcher Actions and Transformations (elastic/elasticsearch#3818)
This change simplifies the creation of Actions and Transformations.
It moves all instantiation away from guice into straight forward
constructor based initialization.

Original commit: elastic/x-pack-elasticsearch@3c0bca2bea
2016-10-19 23:35:16 +02:00
javanna a4c0c49b43 [TEST] Only create indices if nodes exist
Some tests manually start nodes, hence in the before test phase there are no nodes around thus indices should not be created.
Relates to elastic/elasticsearch#3770

Closes elastic/elasticsearch#3812

Original commit: elastic/x-pack-elasticsearch@a21ad39903
2016-10-19 18:34:08 +02:00
Jason Tedor 3d658c3f1e Adjust ClusterStatsResponse constructor calls
A commit in core removed the UUID parameter from the
ClusterStatsResponse constructor. This commit adjusts x-plugins to this.

Original commit: elastic/x-pack-elasticsearch@6f2f26168e
2016-10-19 11:25:07 -04:00
Simon Willnauer 09a4882a4c Remove Notification Accounts abstraction (elastic/elasticsearch#3811)
This change is a first step towards a real abstraction on top of all the
notification services. There are a bunch of followup changes coming for this
that will remove most of the classes in here but this is a first small step
to actually have a notification service interface.

Original commit: elastic/x-pack-elasticsearch@e14abf8a8b
2016-10-19 16:58:17 +02:00
Jay Modi 9ea1786596 security: only log if we actually loaded the system key
This commit changes the logging to only log if we actually loaded the system key, otherwise
the message is misleading as the key file may not even exist but we output that it was
loaded.

Original commit: elastic/x-pack-elasticsearch@0af7953c64
2016-10-19 08:36:29 -04:00
Boaz Leskes 29e35267c3 SecurityTribeIT - only wait for number nodes if they are not already there.
Original commit: elastic/x-pack-elasticsearch@3fa5da519a
2016-10-19 14:30:09 +02:00
Alexander Reelsen baf1596418 Watcher: Introduce dedicated reporting attachment type (elastic/elasticsearch#3665)
Instead of using the long running and long blocking single polling HTTP attachment for our reporting,
we should use the async API provided by kibana. The new workflow (all blocking and in a single watch)
looks like this:

1. An initial request is sent to trigger the report generation, which returns a path
2. This path is used to continuously check if the report is done (then it is sent back) or kibana sends another HTTP error code, which will result in watcher to sleep for another interval until the report is finally returned.

Features include configurable interval time and retry count, so that the total amount of waiting can be tweaked into two directions.

This is what the reporting type looks like right now

```
{
   "my-attachment":{
      "reporting":{
         "url":"http://www.example.org/my-dashboard",
         "retries":6, // optional, default 40
         "interval":"1s", // optional, default 15s
         "auth":{
            "basic":{
               "username":"foo",
               "password":"secret"
            }
         }
      }
   }
}
```

The interval/retries can also be configured via settings.

Note, that this is just a temporal workaround until the watcher execution can execute in an asynchronous fashion.

Closes elastic/elasticsearch#3524

Original commit: elastic/x-pack-elasticsearch@d1eaa856b9
2016-10-19 12:21:25 +02:00
Alexander Reelsen 1c3baa61fe Security/Watcher: Increase index priority for indices (elastic/elasticsearch#3709)
The `.triggered-watches`, `.watches` and `.security` indices should load
as early as possible, and not wait for other indices (especially not
for time-based indices, that are old).

This commit adds an index.priority to the template for those indices.
The values 1000, 900 and 800 were chosen rather arbitrary, mainly we
did not want to go with 10, because it was used in the sample documentation.

Security should always be loaded first, because we might need this index for
other operations.

Any administrator can still change all the values in the indices, but this
cares for better defaults.

Original commit: elastic/x-pack-elasticsearch@6ed0fb7975
2016-10-19 11:14:47 +02:00
Alexander Reelsen 0228a94d80 Watcher: Add support for aliases for watches/triggered watches index (elastic/elasticsearch#3770)
As discussed in #elastic/elasticsearch-migration/79 supporting aliases for watcher allows
the migration plugin to work.

This adds the relevent checks in the WatchStore and the TriggeredWatchStore that aliases are
supported, as the current assumption was always to just load an index.

Also, this rarely sets those indices as aliases in all the integration tests, so that this
case gets tested.

Note: The new WatchStoreUtils.getConcreteIndex() method will be put into core, as this is a
useful helper for others.

Original commit: elastic/x-pack-elasticsearch@4a98af691d
2016-10-19 10:29:27 +02:00
Boaz Leskes aa1eedc062 SecurityTribeIT - wait for tribe node to full process incoming cluster states
Original commit: elastic/x-pack-elasticsearch@4da1303965
2016-10-19 10:00:54 +02:00
Boaz Leskes 9bfd1721ca Fix SecurityTribeIT to properly add mock plugins in tribe node
Original commit: elastic/x-pack-elasticsearch@e82c39c5c4
2016-10-18 22:05:38 +02:00
Boaz Leskes 966600fc90 Adapt testing code to the removal of local discovery (elastic/elasticsearch#3767)
See https://github.com/elastic/elasticsearch/pull/20960

Original commit: elastic/x-pack-elasticsearch@f368fd4b1c
2016-10-18 21:12:36 +02:00
Simon Willnauer 435bd29dd5 Cleanup Condition infrastructure (elastic/elasticsearch#3795)
This change reduces the Condition infrastructure to a single interface called
`Condition` this interface is used to produce and parse requests but also
encapsulates the executable condition. The per class Result, Factory and Executable
are removed and replaced by a single class containing all logic.

Original commit: elastic/x-pack-elasticsearch@2870dff7ad
2016-10-18 17:34:37 +02:00
javanna 7191bb76ee Only negate index expression on all indices with preceding wildcard
Adapt security plugin to https://github.com/elastic/elasticsearch/pull/20898 .

Closes elastic/elasticsearch#3749

Original commit: elastic/x-pack-elasticsearch@2f3b0b17e1
2016-10-18 17:24:58 +02:00
Alexander Reelsen 74334b3713 Watcher: Remove watcherbuild info (elastic/elasticsearch#3792)
Watcher does not require any unique build info anymore, as all is put into
the MANIFEST.MF file during the build.

Also the xpack-properties is unused now and can be deleted.

Original commit: elastic/x-pack-elasticsearch@62f121c979
2016-10-18 13:19:13 +02:00
Simon Willnauer 9c54173e74 Remove ExecutableActions in favor of List and Map (elastic/elasticsearch#3779)
ExecutableActions is really an unnecessary abstraction on top of
List and Map. This commit remove the class and all its usage.

Original commit: elastic/x-pack-elasticsearch@b938499fcf
2016-10-17 22:47:54 +02:00
Simon Willnauer ee520c3c70 Remove obsolete Condition.Builder (elastic/elasticsearch#3781)
Condition.Builder simply forwards to the condition constructors
and can be removed.

Original commit: elastic/x-pack-elasticsearch@8c82efeb23
2016-10-17 22:45:42 +02:00
jaymode 70e1fc0447 test: ShrinkIndexWithSecurityIT needs at least 2 shards
Original commit: elastic/x-pack-elasticsearch@fcdc95d4a3
2016-10-17 12:20:19 -04:00
Luca Cavanna e53248edd1 [TEST] Fix typo in index name -index22->-index21
Original commit: elastic/x-pack-elasticsearch@f1c206d184
2016-10-17 17:18:20 +02:00
Jay Modi aa0e4d425f security: system user needs put mapping permissions to shrink indices
The system user gets used to put mappings for an index during recovery from local shards, which
is how the shrink index process works. The system user previously had this privilege in 2.x as
we did not have the ThreadContext and dynamic mapping updates would be done by the system user;
with the ThreadContext, these mapping updates are done by the actual user so this privilege
was removed from the SystemUser.

Closes elastic/elasticsearch#3766

Original commit: elastic/x-pack-elasticsearch@cd5d7bea53
2016-10-17 11:00:04 -04:00
javanna 0504f02026 inclusions and exclusions shouldn't be considered wildcard expressions
The security indices resolver checks through an assertion that shard level requests always have their wildcard expressions resolved. Index names that start with `-` or `+` though shouldn't be considered wild card expressions. Up to 6.x there can be indices with names starting with `-` or `+` and we have to take that into account.

Also moved from assertion to explicit exception so we can also test it better.

Original commit: elastic/x-pack-elasticsearch@a520bbf247
2016-10-17 16:45:47 +02:00
javanna 99d198c715 [TEST] remove leftover comment in createIndicesWithRandomAliases
Original commit: elastic/x-pack-elasticsearch@80546bae7f
2016-10-17 15:00:25 +02:00
javanna 667be843ce [TEST] modify aliases names in createIndicesWithRandomAliases
If we create index test1 and alias test1-alias, and tests configure access for test* for some users, this is going to cause problems when verifying exclusions like -test2, as the index itself gets excluded but the alias that points to it doesn't. That is expected behaviour, with this commit we modify the way aliases are named to use a prefix rather than a suffix (e.g. from test1-alias to alias-test1).

Changed also the way aliases creation is randomized.

Original commit: elastic/x-pack-elasticsearch@7f9877e858
2016-10-17 14:54:54 +02:00
javanna 3e5833e85c [TEST] random aliases were never created in createRandomIndicesWithAliases
missing `.get()` :)  the create index request was never sent. The indices were being automatically created when indexing a document into them.

Original commit: elastic/x-pack-elasticsearch@129d69c88e
2016-10-17 12:22:24 +02:00
Tanguy Leroux 21af0d5dc7 Fix OldMonitoringIndicesBackwardsCompatibilityIT (elastic/elasticsearch#3760)
The checkNodeStats method in this test checks for many fields in every documents of all bwc indices, but some fields like disk_threshold_enabled have been removed in 5.x. This commit changes the method so that it checks for the right fields in the right version.

closes elastic/elasticsearch#3672

Original commit: elastic/x-pack-elasticsearch@c95209cc3b
2016-10-14 18:30:05 +02:00
Jason Tedor 864cfb417a Remove artificial default processors limit
This commit responds to an API change in core migrating from
EsExecutors#boundedNumberOfProcessors to EsExecutors#numberOfProcessors.

Original commit: elastic/x-pack-elasticsearch@87d6fad971
2016-10-14 06:40:20 -04:00
javanna 71d2c25fcb Simplify AuthorizationService and extract loading of authorized indices to its own class
extracted loading of authorized indices and aliases to separate class (AuthorizedIndices) with reduced dependencies. Allows also to lazily load authorized indices the first time they are required, and reuse them if they are needed again later. Removes AuthzService dependency in indices resolver.

 Removed array of resolvers in authorization service as we support only one. Removed IndicesAndAliasesResolver interface and rename DefaultIndicesAndAliasesResolver to IndicesAndAliasesResolver.

Original commit: elastic/x-pack-elasticsearch@a267fefa07
2016-10-13 16:05:02 +02:00
javanna 06b5d42741 [TEST] consolidate different assertAuthorizationException methods in one place
Original commit: elastic/x-pack-elasticsearch@27de6db7e0
2016-10-13 16:05:02 +02:00
javanna 3dbea2f4c2 Simplify FieldAndDocumentLevelSecurityRequestInterceptor
FieldAndDocumentLevelSecurityRequestInterceptor really support intercepting only subclasses of IndicesRequests, we shouldn't have logic that is never used around intercepting CompositeIndicesRequest. Also we can guarantee at compile time, using generics, that only supported subclasses are intercepted through it, no need to verify that at runtime.

Original commit: elastic/x-pack-elasticsearch@6ab6e2d50e
2016-10-13 16:05:02 +02:00
javanna 4bb6e856f3 Authorize composite actions based on their action name only, subrequests and their indices will be later authorized individually
Eagerly authorizing CompositeIndicesRequests allowed the security plugin to fail fast up until now, but it makes it very hard to reason about each specific item in a multi items request. Either all items fail, or none do. We would rather want to adopt a similar behaviour to es core, where individual items fail without affecting other items that are part of the same request. We can rely on the fact that es core always authorizes both main action and every subaction too, and skip authorization for the main action. By subaction we mean either all sub search requests in msearch, as well as each shard level get in mget or shard level bulk request for bulk.

 BulkRequestInterceptor was converted to intercept BulkShardRequests rather than BulkRequest as that is where bulk is authorized after this change.

 Split IndicesAndAliasesResolverIntegrationTests into ReadActionsTests and WriteActionsTests as they require different set of permissions, lots of tests added.

Explicitly listing the composite actions makes sure that the actions that can bypass security are known, somebody adding a similar action must to add it to the list, so we know it doesn't happen by mistake. At this point the CompositeIndicesRequest can be used as a marker interface only (it is not really needed but can be used to verify that composite actions use a request that implements such interface).

Given that we don't authorize composite actions based on their indices anymore, but only their sub-requests which implement IndicesRequest, printing out the indices names in the audit log for requests like bulk and msearch is confusing. Removed support for that.

Authorize composite indices actions based on their name only, their indices will be authorized at the sub-request/shard level

Rather than simply granting bulk, mget, msearch etc. and relying on authorization at the sub-request/shard level, we check that the current user can at least execute the action. This justifies the grant line that gets written in the audit log, the action is potentially possible without looking at the indices. Each specific item will fail or succeed later and will yield its own specific audit log entry.

Original commit: elastic/x-pack-elasticsearch@4570caf019
2016-10-13 16:05:02 +02:00
javanna c6edec254a special case IndicesExistsRequest to make sure index not found is never thrown while resolving indices
Like es core does in TransportIndicesExistsAction, we should only consider expandWildcardsOpen and expandWildcardsClosed out of the indices options passed in with IndicesExistsRequest. ignore_unavailable and allow_no_indices should always be considered both true, to prevent the request from throwing exception as it is supposed to return true or false, no exceptions.

Original commit: elastic/x-pack-elasticsearch@daa274b3fd
2016-10-13 16:05:02 +02:00
javanna d27c4bee82 Support allowNoIndices option in security plugin
Supporting allowNoIndices means that the security plugin has a behaviour much more similar to vanilla es when dealing with wildcard expressions that match no indices, or empty clusters. The default for most request is to allow no indices, but security plugin could only disallow no indices all the time up until now.

The technical problem was that when anything gets resolved to an empty set of indices, we couldn't let that go through to es core, as that would become resolved to all indices by es core, which would be a security hole. We have now found a way though to replace an empty set of indices with something that es core will for sure resolve to no indices, so we can let the request through. We simply replace empty indices with '-*'.

Multi apis requests (e.g. _msearch) have yet to be fixed, as all their indices end up in the same bucket while they should each be authorized separately, so that every specific item can fail or be let through.

Original commit: elastic/x-pack-elasticsearch@0f67a0bfea
2016-10-13 16:05:02 +02:00
javanna 9b46b34bed Honour ignore_unavailable option when resolving indices
For all the requests that support multiple indices and wildcards, hence implementing IndicesRequest.Replaceable, we replace the wildcard expressions with the explicit names of the authorized indices they match. _all or empty indices is treated as a wildcard expression. We can also honour the ignore_unavailable option by going over all the explicit names and filter out the non authorized ones when ignore_unavailable is set to true. If ignore_unavailable is set to false, we leave everything as-is, which will cause an authorization exception to be thrown if only one of those explicit indices is not authorized for the current user.

This is the first step towards resolving elastic/elasticsearch#1250. The remaining issue is that in case we are left with no indices after stripping out the ones that the user is not authorized for, we throw an authorization exception rather than returning an empty response. That will require honouring the allow_no_indices option, which will also change the behaviour when a cluster is empty.

Relates to elastic/elasticsearch#1250

Original commit: elastic/x-pack-elasticsearch@e4ca940d05
2016-10-13 16:05:02 +02:00
Jay Modi 219c42d7ce update to use TimeValue in CacheBuilder
Original commit: elastic/x-pack-elasticsearch@7f5a59bd73
2016-10-13 09:27:51 -04:00
Areek Zillur 1a0802a157 Merge branch 'master' into cleanup/transport_bulk
Original commit: elastic/x-pack-elasticsearch@f0b88369f3
2016-10-12 13:12:16 -04:00
Jay Modi 68eb4d981e security: wildcards for superusers includes the security index
The superuser role is the only user assignable role that grants access to the .security index, but when
resolving wildcards the index was not getting resolved. The resolution of indices and aliases explicitly
excludes the .security index for users that are not the internal user without checking if the user has the
superuser role. This commit adds a check in for the superuser role.

Original commit: elastic/x-pack-elasticsearch@02ee0a8740
2016-10-12 11:42:02 -04:00
Jay Modi 6284db3a4d security: use correct time unit for role cache expire after write
The role cache was previously using the wrong time unit for its expire after write time; the
value passed to the cache was milliseconds instead of nanoseconds.

Original commit: elastic/x-pack-elasticsearch@65f7b08763
2016-10-12 08:04:49 -04:00
Tanguy Leroux 7ba55a4c99 Remove empty comments (elastic/elasticsearch#3731)
Original commit: elastic/x-pack-elasticsearch@a3e814bf34
2016-10-12 13:22:18 +02:00
Jay Modi 9a1d33d863 security: include anonymous roles when building the global permission
The anonymous role was being applied to other users for index access control but was not being applied
in terms of action level access control. This change makes the minimum required change to apply the
anonymous role for all users when anonymous is enabled. Additionally, some minor changes were made to the native roles store to not lookup roles before the service is started.

Closes elastic/elasticsearch#3711 

Original commit: elastic/x-pack-elasticsearch@a9398e178d
2016-10-12 06:52:24 -04:00
Yannick Welsch 4e00ab2f2b Remove test for transport handler that was removed in core (elastic/elasticsearch#3717)
Relates to elastic/elasticsearchelastic/elasticsearch#20836

Original commit: elastic/x-pack-elasticsearch@38f2d2e242
2016-10-12 09:08:02 +02:00
Alexander Reelsen 8b83cf067c Watcher: Ensure awesome painless exceptions are propagated to the user (elastic/elasticsearch#3707)
When adding a watch which has a painless component, the scriptexception
was wrapped into a deprecated exception which means, that the awesome
painless descriptions were lost. This wrapping has been removed.

Closes elastic/elasticsearch#3161

Original commit: elastic/x-pack-elasticsearch@1703fe4eb6
2016-10-12 08:14:06 +02:00
Areek Zillur 5d86c04441 Change bulk item requests from ActionRequest to DocumentWriteRequest
x-pack changes for elastisearchelastic/elasticsearch#20109

Original commit: elastic/x-pack-elasticsearch@8c12e1e102
2016-10-11 23:15:25 -04:00
Tanguy Leroux 2e7b7be25c Watcher: Re enable array compare test (elastic/elasticsearch#3708)
This test has been blacklisted and deactivated months ago. This commit reenables this test and moves it at the right place. It also change the test to use the Execute Watch API instead of being sleep based.

Original commit: elastic/x-pack-elasticsearch@e7a9689375
2016-10-11 10:25:40 +02:00
Alexander Reelsen fe00615965 Watcher: Moving test to new unified directory structure
Original commit: elastic/x-pack-elasticsearch@0cc22544a4
2016-10-10 11:25:30 +02:00
Nik Everett 769554460d Handle removing NodeServicesProvider
Original commit: elastic/x-pack-elasticsearch@b43637f2fb
2016-10-08 10:27:50 -04:00
jaymode f23e40b772 test: add bwc indices for 2.4.1
Original commit: elastic/x-pack-elasticsearch@19bec2111e
2016-10-07 14:21:48 -04:00
Nik Everett 1d2c6e5180 Handle new nullable ctor parmater
Original commit: elastic/x-pack-elasticsearch@d604dfe1d0
2016-10-07 10:40:35 -04:00
Simon Willnauer c226dfddc0 Filter out assertion transport interceptors in tests that expect an XPack request handler
in core we wrap request handlers with an asserting one to ensure we can serialize messages
with different versions. Yet, xpack uses the same functionality to add security aspects to
the network layer. These tests assert that the right handlers are in-place.

Original commit: elastic/x-pack-elasticsearch@e39c8995ae
2016-10-07 15:44:48 +02:00
Simon Willnauer 4c349a76fb just use hostname in tests since it's simplify forwarding
Original commit: elastic/x-pack-elasticsearch@b5cf3a4435
2016-10-07 11:58:59 +02:00
Simon Willnauer 2f70ae92b6 Cut over to MockTcpTransport since LocalTransport is remove in core (elastic/elasticsearch#3684)
This is a followup commit to elastic/elasticsearchelastic/elasticsearch#20695

Original commit: elastic/x-pack-elasticsearch@27cd454ba6
2016-10-07 11:28:05 +02:00
Colin Goodheart-Smithe f9aba3944e Changes to support the removal of the now callable in core (elastic/elasticsearch#3685)
Fixes to x-plugins code now that DateMathParser accepts a LongSupplier rather than a Callable to get the value of now

Relates to elastic/elasticsearchelastic/elasticsearch#20796

Original commit: elastic/x-pack-elasticsearch@99fc47a8a7
2016-10-07 10:26:42 +01:00
Simon Willnauer 31ed371ed0 Remove SearchContext#current and all it's threadlocals (elastic/elasticsearch#3677)
Followup PR for elastic/elasticsearchelastic/elasticsearch#20778

Original commit: elastic/x-pack-elasticsearch@1e3959545e
2016-10-06 19:52:34 +02:00
Igor Motov bb8c08f254 Explicitly specify analyzer scope
Related to elastic/elasticsearchelastic/elasticsearch#20197

Original commit: elastic/x-pack-elasticsearch@af9258a8a6
2016-10-06 09:11:28 -04:00
Jay Modi 6c587330fd security: use SSLParameters to set ciphers/protocols/client auth
This change moves to using SSLParameters as the configuration source for SSLEngine and SSLSocket
objects that are configured by the SSLService. Previously we used a mix of specific methods and
SSLParameters, which resulted in issues where ordering of calls is important. For example, if configuring
client authentication directly on the engine prior to setting the SSLParameters resulted in the client
authentication configuration being reset to the default.

Additionally, this change also sets use cipher suite order to true to ensure preferred ciphers will be used.

Original commit: elastic/x-pack-elasticsearch@8ddecdc20c
2016-10-06 07:19:28 -04:00
Colin Goodheart-Smithe 288f682fee elastic/elasticsearch#3667 Changes to DLS to support preventing requests that use scripts or now() from being cached
Changes to DLS to support preventing requests that use scripts or now() from being cached

Original commit: elastic/x-pack-elasticsearch@b69c2f5ca4
2016-10-06 10:24:59 +01:00
jaymode dd64ced206 test: wait for response before closing client
This change ensures we wait for a response before the async http client is closed. Otherwise we can
close the client during the connection to the remote endpoint or never even connect to the remote
endpoint.

Closes elastic/elasticsearch#3640

Original commit: elastic/x-pack-elasticsearch@54900b1b4a
2016-10-05 11:49:21 -04:00
Colin Goodheart-Smithe f2703f2d11 Changes to DLS to support elastic/elasticsearch#20750
This change fixes document level security to support the changes made in
elastic/elasticsearch#20750.

Original commit: elastic/x-pack-elasticsearch@d234be077d
2016-10-05 15:50:29 +01:00
Alexander Reelsen 5aacf3e205 Revert "Change Watcher thread pool to be scaling"
This reverts commit elastic/x-pack@943bd259f9.

See discussion in elastic/elasticsearch#3660

Original commit: elastic/x-pack-elasticsearch@35d236df59
2016-10-05 14:45:34 +02:00
jaymode a7e25cbaf9 test: ensure security index exists in tests expecting it to
This changes does two things in the tribe tests. The first is that when we split data up between
multiple clusters, we always force create the security index so that randomization does not cause
edge cases like the index not existing in the preferred cluster. The second is we look at the cluster
state of the nodes and ensure the tribe node sees the indices and has all primaries active.

Separate tests were also added to cover the scenario where the security index only exists in the non
preferred node.

Original commit: elastic/x-pack-elasticsearch@17b78ec837
2016-10-05 08:38:20 -04:00
Alexander Reelsen 53103e988f Watcher: Add proxy support to pagerduty action (elastic/elasticsearch#3542)
This is the last action that needs additional support for proxies.

You can set a proxy in the JSON like this:

```
"actions" : {
  "notify-pagerduty" : {
    "pagerduty" : {
      "description" : "Main system down, please check!",
      "proxy" : { "host" : "localhost", "port" : 8080 }
    }
  }
}
```

Closes elastic/elasticsearch#3372

Original commit: elastic/x-pack-elasticsearch@b99969fd6b
2016-10-05 10:10:02 +02:00
Alexander Reelsen 7ffebef2cd Watcher: Add proxy support to slack action (elastic/elasticsearch#3487)
You can set it like this in the JSON

"actions" : {
  "notify-slack" : {
    "slack" : {
      "account" : "integration-account",
      "proxy" : {
        "host" : "localhost",
        "port" : 8080
      },
      "message" : {
        ...
      }
    }
  }
}

Relates elastic/elasticsearch#3372

Original commit: elastic/x-pack-elasticsearch@de86233d4f
2016-10-05 09:07:09 +02:00
Jason Tedor 00cecac86e Change Watcher thread pool to be scaling
Watcher uses a custom thread pool. This is because executing watches can
be long-running tasks that often block on I/O and it is best to not
consume the core thread pools with these tasks. Today this thread pool
is fixed, and sized at five times the bounded number of cores (so 160 on
a 32-core box). It makes sense for there to possibly be so many threads,
again because these tasks can block on I/O and having excess capacity
lets unblocked watches execute. It's the fixed size that can cause
problem, all these threads are always consuming resources even when
there are no or not that many watches running. This commit changes this
thread pool to be a scaling thread pool.

Relates elastic/elasticsearch#3660

Original commit: elastic/x-pack-elasticsearch@3cafab6e83
2016-10-04 18:15:19 -04:00
Jason Tedor a0e1d44a44 Remove lenient URL parameter parsing
This commit adapts x-plugins for a change in core Elasticsearch that
removes lenient URL parameter parsing.

Relates elastic/elasticsearch#3641

Original commit: elastic/x-pack-elasticsearch@cc0687f32c
2016-10-04 12:46:54 -04:00
jaymode ddae0694c9 test: move SecurityTribeIT to right directory
Relates elastic/elasticsearch#3635

Original commit: elastic/x-pack-elasticsearch@b46ab0b63e
2016-10-04 09:22:21 -04:00
Luca Cavanna 91a68e9873 adapt to IndicesAliasesRequest not implementing CompositeIndicesRequest (elastic/elasticsearch#3645)
We need to special case IndicesAliasesRequest as it doesn't implement CompositeIndicesRequest anymore. Note that the similar loop for CompositeIndicesRequests's subrequests will soon go away

Relates to elastic/elasticsearch#3638

Original commit: elastic/x-pack-elasticsearch@50d119ff61
2016-10-04 10:39:31 +02:00
Ryan Ernst 36c7070217 Fix xpack api jar artifact naming
Original commit: elastic/x-pack-elasticsearch@bb7b0a6392
2016-10-03 19:25:44 -07:00
Ryan Ernst fa4d389c99 Fix artifact id for x-pack api jar
Original commit: elastic/x-pack-elasticsearch@26e47099a2
2016-10-03 16:38:25 -07:00