Commit Graph

4108 Commits

Author SHA1 Message Date
Jay Modi 714b891b03 security: add setting that makes system key required
This commit adds a setting that makes the system key required. If this setting is set to
true, a node will fail to startup when the system key does not exist.

Closes elastic/elasticsearch#3957

Original commit: elastic/x-pack-elasticsearch@e6d3000974
2016-11-03 07:54:38 -04:00
Nik Everett 1de85f4740 Move test for aliases starting with - into bwc
Moves the tests for aliases starting with `-` into the backwards
compatibility tests because we can no longer create such aliases.

Original commit: elastic/x-pack-elasticsearch@3639fe4d46
2016-11-02 19:53:36 -04:00
Chris Earle 7c8fc99098 [Monitoring UI] Show Replica Count not Replication Factor in Overview (elastic/elasticsearch#3949)
* [Monitoring UI] Show Replica Count not Replication Factor in Overview

This changes it to only show the replica count as `total - primaries` rather than showing the replication factor, which is particularly unhelpful when different indices have different replica counts.

Original commit: elastic/x-pack-elasticsearch@552f94bf8f
2016-11-02 16:24:42 -04:00
Nik Everett e63580459c Fix BWC index generation and tests for 5.0.0
Fixes the create_bwc_indexes script to build the bwc indices for
either 5.0.0 or 2.x.y.

Closes elastic/elasticsearch#3908

Original commit: elastic/x-pack-elasticsearch@f857647bb3
2016-11-02 14:52:04 -04:00
Alexander Reelsen 04969bd0cd Watcher: Remove ForceDeleteWatchTests
This test does not have a purpose anymore, since deletion of watches done
in elastic/elasticsearch#3481

Original commit: elastic/x-pack-elasticsearch@4bdf3614d3
2016-11-02 17:14:57 +01:00
Clinton Gormley 93fa60b601 Made REST spec param types consistent
duration -> time

Original commit: elastic/x-pack-elasticsearch@ca34bd2bdc
2016-11-02 15:30:09 +01:00
Luca Cavanna fae2f1a90f Security plugin to honour destructive operations setting (elastic/elasticsearch#3954)
`action.destructive_requires_name` setting was ignored by the security plugin as wildcards got expanded and resolved in the plugin before es core could actually check if the operation was supposed to be allowed or not. We are discussing how we could perform the check earlier in es core, but anyways it is good to perform the same check in the security plugin just to make sure.

Closes elastic/elasticsearch#3689

Original commit: elastic/x-pack-elasticsearch@3414cb3471
2016-11-02 15:01:25 +01:00
Alexander Reelsen 87ee1f30d6 Watcher: Make SchedulerEngine job handling threadsafe (elastic/elasticsearch#3955)
The old handling was not thread safe, as it used to replace volatile
objects in the code. This implementation uses a concurrent hashmap
to easily allow adding/removing schedules without having to replace
whole objects

Original commit: elastic/x-pack-elasticsearch@0aa618b372
2016-11-02 14:50:44 +01:00
Boaz Leskes 176829c4cc Change ClusterState and PendingClusterTasksResponse's toString() to their prettyPrint format (elastic/elasticsearch#3947)
Change ClusterState and PendingClusterTasksResponse's toString() to their prettyPrint format

Original commit: elastic/x-pack-elasticsearch@4ea9d56058
2016-11-02 13:44:09 +01:00
Alexander Reelsen fe93640e43 Watcher: Be strict with chain input parsing (elastic/elasticsearch#3873)
When parsing chain inputs there were possibilities to write invalid
JSON that resulting in losing the order of the inputs without any
exception being thrown.

This commit makes the parsing more strict.

Closes elastic/elasticsearch#3736

Original commit: elastic/x-pack-elasticsearch@963641ee2b
2016-11-02 10:37:41 +01:00
Alexander Reelsen 95e1f2942b Tests: Replaced bad apple test with REST test (elastic/elasticsearch#3920)
Original commit: elastic/x-pack-elasticsearch@5052f9cfbd
2016-11-02 09:58:38 +01:00
Adrien Grand 3e92b905c7 Improve QueryShardContext creation in SecurityIndexSearcherWrapper. (elastic/elasticsearch#3930)
Currently security always parses the permissions filters with a shard id equal
to `0` even if the query is executed on a different shard. Also it does not
protect against queries that may rely on the current timestamp even though we
don`t currently have ways to make sure that all shards use a consistent
timestamp.

Sibling of elastic/elasticsearchelastic/elasticsearch#21196.

Original commit: elastic/x-pack-elasticsearch@cab47f2ed2
2016-11-02 09:49:06 +01:00
Alexander Reelsen 043da7afe8 Tests: Remove bad apples from schedule engine tests (elastic/elasticsearch#3919)
The execution time of the trigger tests was extremely slow, because it
really waited until executions happened. This uses the mock clock to
advance in time manually.

This also allows to remove the bad apples annotation and make sure that
the schedule engine tests for both implementations are run all the time.

Relates elastic/elasticsearch#1007

Original commit: elastic/x-pack-elasticsearch@f9436f506f
2016-11-02 09:35:20 +01:00
Areek Zillur f6800f7b8b Fix license command line tools
Original commit: elastic/x-pack-elasticsearch@756c0f2384
2016-11-01 11:05:29 -04:00
Boaz Leskes 03c5d71c12 remove hard coded dates from testDateMathExpressionsCanBeAuthorized
Original commit: elastic/x-pack-elasticsearch@d7fac0b9a0
2016-11-01 09:02:39 +01:00
Jack Conradson 7dd4188299 Cleanup ScriptType (elastic/elasticsearch#3922)
Refactored ScriptType to clean up some of the variable and method names. Added more documentation. Deprecated the 'in' ParseField in favor of 'stored' to match the indexed scripts being replaced by stored scripts.

Original commit: elastic/x-pack-elasticsearch@d7c7bd7362
2016-10-31 13:49:10 -07:00
Yannick Welsch 8350a8b2d8 [TEST] Disconnect from newly added nodes if cluster state publishing fails
Companion commit for elastic/elasticsearchelastic/elasticsearch#21197

Original commit: elastic/x-pack-elasticsearch@248a6bfb7c
2016-10-31 15:36:54 +01:00
Simon Willnauer f696ad1d10 Skip authentication and warn if shards of the .security index are not available
Original commit: elastic/x-pack-elasticsearch@9970d80f2d
2016-10-28 15:04:06 +02:00
Alexander Reelsen e67847ca8c Tests: Increase logging to get more sync inside
My current assumption is, that creating the templates is not
yet finished (as this is async), so that we need to add
another check that the templates have been added before
continuing.

Relates elastic/elasticsearch#3892

Original commit: elastic/x-pack-elasticsearch@3880d200a1
2016-10-28 11:00:09 +02:00
Simon Willnauer f4da918b09 [TEST] Pass _analyze API params in the body rather than as params. Parameters are not supported anymore
Original commit: elastic/x-pack-elasticsearch@e04d425a89
2016-10-27 22:34:35 +02:00
Jason Tedor a15f565539 Mark BWC tests as awaits fix
These tests are awaiting the BWC indices script to be upgraded for 5.x.

Original commit: elastic/x-pack-elasticsearch@540fe73bd0
2016-10-26 21:40:00 -04:00
Jack Conradson 54a71289cc Merge pull request elastic/elasticsearch#3902 from jdconrad/stype
Refactor ScriptType to be a top-level class.

Original commit: elastic/x-pack-elasticsearch@22862a3727
2016-10-26 12:46:09 -07:00
Jack Conradson 4fd19aa00a Merge branch 'master' into stype
Original commit: elastic/x-pack-elasticsearch@37f27bef1a
2016-10-26 12:29:43 -07:00
Simon Willnauer 84b631643c Add utility method to fetch and collect results from a query (elastic/elasticsearch#3894)
Today we have the same madness in two places and no dedicated test. This
change moves the real madness into a single place and adds a test for it
to make sure it actually works and isn't just crazy.

Original commit: elastic/x-pack-elasticsearch@dabf5fdd63
2016-10-26 21:05:49 +02:00
Spencer 163e5feb6e Merge pull request elastic/elasticsearch#3864 from spalger/race-condition-xpack-info
Fix xpackInfo loading race condition

Original commit: elastic/x-pack-elasticsearch@3acd6bfe03
2016-10-26 11:06:18 -07:00
Jack Conradson 72a49015cc Refactor ScriptType to be a top-level class.
Original commit: elastic/x-pack-elasticsearch@39afcbfdf5
2016-10-26 10:21:47 -07:00
Simon Willnauer 9f57afbdf3 Return non-existing role if the .security index is not found (elastic/elasticsearch#3895)
We used to be very lenient with all kinds of exceptions related to the
`.security` index. Yet, sometimes in tests the index is not yet there but
transport clients already pinging the node this causes issues and transport
clients disconnect. Now if the index is not present we simply return no role.

Original commit: elastic/x-pack-elasticsearch@60948d0c2a
2016-10-26 17:25:20 +02:00
Simon Willnauer 6e1287bab9 Simplify TransportGetRolesAction (elastic/elasticsearch#3888)
TransportGetRolesAction optimizes for single role case while this
optimization can be simply inside the NativeRoleStore and being
way more contained.

Original commit: elastic/x-pack-elasticsearch@c43d8ba341
2016-10-26 14:55:39 +02:00
Jason Tedor 007e49c5d9 Reveal Content-Length on x-pack info HEAD requests
This commit permits x-pack info HEAD requests to reveal the
Content-Length of the response.

Relates elastic/elasticsearch#3887

Original commit: elastic/x-pack-elasticsearch@8696caa1f6
2016-10-25 23:12:54 -04:00
Simon Willnauer 0b24f022f7 Remove all blocking calls from TransportGetUsersAction (elastic/elasticsearch#3876)
`TransportGetUsersAction` does some funky blocking calls even though
it's specifying `SAME` as the thread-pool indicating that it's fast or
forking off quickly. Both might not be true today. This change adds
async support to the methods it calls without breaking the existing
Realm interface. Yet, we might need to do this down the road.

Original commit: elastic/x-pack-elasticsearch@d0959f87f3
2016-10-25 22:11:19 +02:00
Jay Modi 542a484031 security: cache negative lookups for native roles
This changes adds a special value for negative role lookups so that we can avoid scenarios
where we overload the cluster due to continually trying to load non-existing roles as is often
the case when `unmapped_groups_as_roles` is used with the active directory realm.

Relates elastic/elasticsearch#3530 

Original commit: elastic/x-pack-elasticsearch@62567b4c22
2016-10-25 16:00:27 -04:00
spalger a291fa77d3 Merge branch 'master' of github.com:elastic/x-plugins into race-condition-xpack-info
Original commit: elastic/x-pack-elasticsearch@ade5fae76b
2016-10-25 12:33:31 -07:00
Jay Modi 7d60f6b365 security: restore the correct user when switching to the system user
* security: restore the correct user when switching to the system user

For internal actions where we need to switch to the SystemUser, we should always restore the proper
context after execution. We were restoring an empty context for actions executed by the SystemUser
in the SecurityServerTransportInterceptor.

In order to accomplish this, a few changes have been made. Both the SecurityServerTransportInterceptor
and the SecurityActionFilter delegate to `SecurityContext#executeAsUser` when a user switch is necessary.
Tests were added for this method to ensure that the consumer is executed as the correct user and the proper
user is restored.

While working on this, a few other cleanups were made:

* SecurityContext can never have a null CryptoService, so a null check was removed
* We no longer replace the user with the system user when the system user is already associated with the request
* The security transport interceptor checks the license state and if auth is not allowed, delegate and return
* The security transport interceptor sendWithUser method now requires authentication to be present or a hard
exception is thrown.
* The TransportFilters integration test has been deleted. This was integration test that relied on the ability to
get instances from a node and trace the execution. This has been replaced by additional unit tests in
ServerTransportFilterTests

Closes elastic/elasticsearch#3845

Original commit: elastic/x-pack-elasticsearch@d8bcb59cb7
2016-10-25 13:48:28 -04:00
Simon Willnauer a50bc7946b Make request authorization non-blocking (elastic/elasticsearch#3837)
This change removes the blocking notion from fetching the roles
from a remote index. This also removes the blocking client calls
that can potentially deadlock a request if executed on the transport
thread.

Relates to elastic/elasticsearch#3790

Original commit: elastic/x-pack-elasticsearch@c2eda39043
2016-10-25 17:28:29 +02:00
Tim Sullivan c56eec6d26 Merge pull request elastic/elasticsearch#3862 from tsullivan/monitoring-ui-fix-kibana-stats-when-monitoring-disabled
monitoring ui: check monitoring is enabled before sending kibana stats

Original commit: elastic/x-pack-elasticsearch@f5cbf629c3
2016-10-24 14:55:07 -07:00
Tim Sullivan 1efddec0b0 Merge pull request elastic/elasticsearch#3854 from tsullivan/monitoring-ui-removed-unused-css-round-3
Monitoring ui removed unused css round 3

Original commit: elastic/x-pack-elasticsearch@1e0213d23a
2016-10-24 10:34:53 -07:00
Jay Modi f3d5d79a20 test: install a new signed license when running index BWC tests
This change now installs a signed license that has been generated at runtime so the
BWC tests can run without hitting licensing issues. The x-pack BWC tests pull in the
full cluster state, which contains the trial license from when the indices and state
was generated. After the trial license period and grace period issues arise with the
tests.

Closes elastic/elasticsearch#3858

Original commit: elastic/x-pack-elasticsearch@1c79e874e5
2016-10-24 09:18:59 -04:00
Simon Willnauer f8ba7f6fd8 Restore thread-context when executing with InternalClient (elastic/elasticsearch#3859)
Today when a request is executed with InternalClient the thread context might
be lost if another component like security exchanges it by executing an async call
or an internal action. This can be a serious security problem since if the async
call executes as the system user all subsequent calls made by the response
thread will also execute as the system user instead.

Original commit: elastic/x-pack-elasticsearch@80682f338d
2016-10-24 14:39:00 +02:00
Simon Willnauer 51b871f344 Followup API change for elastic/elasticsearchelastic/elasticsearch#21089
Original commit: elastic/x-pack-elasticsearch@5d9b2fe0c8
2016-10-24 14:06:13 +02:00
Adrien Grand 47079cf5d1 Disable bw testing due to license expiration.
Relates to elastic/elasticsearch#3858

Original commit: elastic/x-pack-elasticsearch@7d676b96d3
2016-10-24 11:47:23 +02:00
CJ Cenizal 546e364417 Merge pull request elastic/elasticsearch#3831 from cjcenizal/3650/improvement/license-page
Redesign license page in Monitoring.

Original commit: elastic/x-pack-elasticsearch@ca5c86096b
2016-10-21 14:30:04 -07:00
CJ Cenizal f7a4edc384 Merge pull request elastic/elasticsearch#3828 from cjcenizal/3666/improvement/side-nav-app-order
Reorder apps for more logical order.

Original commit: elastic/x-pack-elasticsearch@5b65fd6fcf
2016-10-21 09:58:31 -07:00
Ryan Ernst 6dc4b0b749 x-plugins side of zen ping refactoring
see elastic/elasticsearchelastic/elasticsearch#21049

Original commit: elastic/x-pack-elasticsearch@57a0405eb7
2016-10-20 13:12:41 -07:00
Tanguy Leroux fc88dfe1a6 CertificateTool must not generate world redeable files (elastic/elasticsearch#3810)
This commit changes the permissions of the files generated by the certgen tool to 600 (like syskeygen does)

Original commit: elastic/x-pack-elasticsearch@bca74e9c92
2016-10-20 16:36:35 +02:00
Jay Modi 05886cdf9f security: exclude the anonymous role from the xpack user
The calls made by the native users and roles store use the internal xpack user to make the request
and this user has a built-in role that has a single instance. A bug was introduced when fixing the logic
for applying the anonymous role to all users in elastic/elasticsearch#3716. The anonymous role was now being added to
the xpack user, even though the additional role would have no effect as this user is a superuser.

When the anonymous role is applied to the xpack user and exists as a native role or doesn't exist
at all, we run into a deadlock since we wind up querying for the role as a user that also has the
anonymous role.

This change special cases the XPackUser when getting the collection of roles so that the only role
applied to this user is the superuser role.

Closes elastic/elasticsearch#3822

Original commit: elastic/x-pack-elasticsearch@e3093904f1
2016-10-20 08:11:01 -04:00
jaymode 388bfd761d security: use lucene automatons and remove dependency on briks
This commit removes the dependency on the briks automatons library and instead uses the lucene
version. Shield was originally implemented using the lucene version, but issues arose with supporting
multiple versions of elasticsearch and API changes, so we moved to using the briks library.

x-pack and elasticsearch are always the same version so we can use the lucene version of the
automatons and remove the briks library. This also brings with it protection from huge automatons
that we did not have before.

Original commit: elastic/x-pack-elasticsearch@e3f34b6b55
2016-10-20 06:55:01 -04:00
Jay Modi ff3d685833 security: update unboundid-ldapsdk to the latest version
This changes updates the unboundid ldapsdk to the latest version to stay up to date
with their releases.

Original commit: elastic/x-pack-elasticsearch@b9e4f7f062
2016-10-20 06:37:30 -04:00
javanna b7a10239be [TEST] Verify that date math expressions work with security plugin
Original commit: elastic/x-pack-elasticsearch@d87c9fdb30
2016-10-20 12:07:26 +02:00
javanna 8d001237df fix compile error after https://github.com/elastic/elasticsearch/pull/21032
Original commit: elastic/x-pack-elasticsearch@8372cea977
2016-10-20 12:02:18 +02:00
javanna 508784554b fix compile error after https://github.com/elastic/elasticsearch/pull/21032
Original commit: elastic/x-pack-elasticsearch@c4f400c0f7
2016-10-20 11:58:13 +02:00