Commit Graph

30 Commits

Author SHA1 Message Date
Martijn van Groningen 547b6346f6 Changed the underlying DLS implementation
Instead of wrapping the IndexSearcher and applying the role query during the rewrite, the role query gets applied in a custom filtered reader that applies the query via the live docs.

The big advantage is that DLS is being applied in all document based APIs instead of just the _search and _percolate APIs.

In order to better deal with the cost of converting the role query to a bitset, the bitsets are cached in the bitset filter cache
and if the role query bitset is sparse the role query and main query will execute in a leapfrog manner to make executing queries faster.
If the role query bitset isn't sparse, we fall back to livedocs.

Closes elastic/elasticsearch#537

Original commit: elastic/x-pack-elasticsearch@330b96e1f2
2015-09-08 11:04:10 +02:00
jaymode 1dbdf2ea1f add note on extended key usage
Closes elastic/elasticsearch#362

Original commit: elastic/x-pack-elasticsearch@0a2e0ab6d1
2015-09-03 11:53:39 -04:00
jaymode 892d9774f5 update limitations around more like this query
This updates the limitations section to indicate that the MLT query only works with Elasticsearch
1.6.2+ and 1.7.1+.

Closes elastic/elasticsearch#331

Original commit: elastic/x-pack-elasticsearch@70f2bb484e
2015-09-03 11:45:50 -04:00
Martijn van Groningen 99d91b7a9c Added wildcard support to the FLS `fields` option.
Closes elastic/elasticsearch#452

Original commit: elastic/x-pack-elasticsearch@4e82ce0472
2015-09-03 10:37:34 +02:00
debadair 75d8d12c37 Docs: Updated kibana.yml settings to match 4.2 changes. Closes elastic/elasticsearch#524.
Original commit: elastic/x-pack-elasticsearch@e305153fe5
2015-08-31 14:35:59 -07:00
Martijn van Groningen 39b7092185 test: removed the 'plugin.types' usages from the source code
Original commit: elastic/x-pack-elasticsearch@a94cdee31f
2015-08-31 22:45:56 +02:00
Martijn van Groningen 5f01f793d5 Added document and field level security
This commit adds document and field level security to Shield.

Field level security can be enabled by adding the `fields` option to a role in the `role.yml` file.

For example:

```yaml
customer_care:
  indices:
    '*':
      privileges: read
      fields:
        - issue_id
        - description
        - customer_handle
        - customer_email
        - customer_address
        - customer_phone
```

The `fields` list is an inclusive list of fields that controls what fields should be accessible for that role. By default all meta fields (_uid, _type, _source, _ttl etc) are also included, otherwise ES or specific features stop working. The `_all` field, if configured, isn't included by default, since that actually contains data from all the other fields. If the `_all` field is required then this needs to be added to the `fields` list in a role. In the case of the content of the `_source` field and `_field_names` there is special filtering in place so that only the content relevant for the role is being returned.

If no `fields` is specified then field level security is disabled for that role and all fields in an index are accessible.

Field level security can be set up per index group.

Field level security is implemented at the Lucene level by wrapping a directory index reader and hiding away fields that aren't in the `fields` list defined with the role of the current user. It is as if the other fields never existed.

* Any `realtime` read operation from the translog is disabled. Instead these operations fall back to the Lucene index, which makes these operations compatible with field level security, but they aren't realtime.
* If a user with role A executes first and the result gets cached, and then a user with role B executes the same query, results from the query executed with role A would be returned. This is bad and therefore the query cache is disabled.
* For the same reason the request cache is also disabled.
* The update API is blocked. An update request needs to be executed via a role that doesn't have field level security enabled.

Document level security can be enabled by adding the `query` option to a role in the `role.yml` file:
```yaml
customer_care:
  indices:
    '*':
      privileges: read
      query:
        term:
          department_id: 12
```

Document level security is implemented as a filter that filters out documents that don't match the query. This is like index aliases, but better, because the role query is embedded on the lowest level possible in ES (Engine level) and in all places that acquire an IndexSearcher the role query will always be included, while alias filters are applied at a higher level (after the searcher has been acquired).

Document level security can be set up per index group.

Right now, like alias filters, the document level security isn't applied on all APIs, for example the get API and the term vector API, which ignore the alias filter. These APIs do acquire an IndexSearcher, but don't use the IndexSearcher itself and directly use the index reader to access the inverted index, therefore bypassing the role query. If it is required that these APIs have document level security too, then the implementation for document level security needs to change.

Closes elastic/elasticsearch#341

Original commit: elastic/x-pack-elasticsearch@fac085dca6
2015-08-27 17:54:50 +02:00
jaymode 693d16777c correct the shield offline download links
Closes elastic/elasticsearch#499

Original commit: elastic/x-pack-elasticsearch@86a8015132
2015-08-25 10:00:58 -04:00
jaymode f879ccf426 update version numbers in shield documentation to 2.1.0
Cherry-pick of commit to 2.0 and updated to change version to 2.1.0

Original commit: elastic/x-pack-elasticsearch@8672bbf1b1
2015-08-24 11:23:20 -04:00
jaymode 8bb35cd6c3 fix transport client documentation for 2.0 and add notes about file locations
This also changes ES_HOME/config -> CONFIG_DIR in the documentation to more accurately reflect the
location of configuration files as they are not always in ES_HOME/config.

Closes elastic/elasticsearch#455
Closes elastic/elasticsearch#432

Original commit: elastic/x-pack-elasticsearch@63ce35450c
2015-08-20 06:29:13 -04:00
debadair dffd30d591 Updated package installation information. Closes elastic/elasticsearch#376.
Original commit: elastic/x-pack-elasticsearch@59be16531c
2015-08-19 14:10:51 -07:00
debadair 3d5fef9d8f Updated the SSL config & CA topics to make the procedures clearer.
Original commit: elastic/x-pack-elasticsearch@9a08da7703
2015-08-19 13:51:54 -07:00
jaymode 85eeeab88a add release notes for Shield 1.3.2
Original commit: elastic/x-pack-elasticsearch@f4f3101aa2
2015-08-10 13:10:28 -04:00
jaymode 1b72f13458 fix the rest response for the clear cache action and add tests
Today the XContent building of the response for the ClearRealmsCacheResponse is broken and causes
an exception to be thrown. This fixes the building of the response and adds tests that call the HTTP
endpoint and do a basic check on the response.

Closes elastic/elasticsearch#390

Original commit: elastic/x-pack-elasticsearch@8ad9dae4ea
2015-08-06 12:48:44 -04:00
Alexander Reelsen b433ee390c Packaging: Changing groupId to org.elasticsearch.plugin
This commit changes the groupId to the above mentioned one
so that S3 uploads will end up in the right bucket. This will
allow the Elasticsearch plugin manager to install the commercial
plugins like

```
bin/plugin install {watcher,shield,license,marvel}
```

like the official ones.

Original commit: elastic/x-pack-elasticsearch@642f1f006a
2015-08-06 15:46:48 +02:00
debadair 56c3f41a6e Added missing description and edited the table.
Original commit: elastic/x-pack-elasticsearch@69f07459af
2015-08-05 13:09:17 -07:00
debadair 25d7dfa555 Added step-by-step instructions for using Kibana with Shield. Closes elastic/elasticsearch#283.
Original commit: elastic/x-pack-elasticsearch@f3aab8e6a4
2015-07-31 09:38:24 -07:00
Suyog Rao 63a04169a2 Docs: Add PKI auth support for Logstash http protocol
Closes elastic/elasticsearch#328

Original commit: elastic/x-pack-elasticsearch@04235e714a
2015-07-30 14:05:59 -07:00
jaymode 7e78f09a1d update shield limitations around document level security
Original commit: elastic/x-pack-elasticsearch@4afbf69ce2
2015-07-27 13:25:19 -04:00
Alexander Reelsen ba5900cf0b Documentation: Fix calls for bin/plugin to be compatible with master
Original commit: elastic/x-pack-elasticsearch@e9ce3f401c
2015-07-24 12:24:44 +02:00
jaymode cc7fe390eb [[getting-started-with-shield]] back to [[getting-started]]
The redirect has been removed that was causing a loop. This reverts commit elastic/x-pack@546d4d4205.

Original commit: elastic/x-pack-elasticsearch@f9fb88a9d0
2015-07-21 13:43:52 -04:00
jaymode a676a1199f release notes for Shield 1.3.1 and 1.2.3
Original commit: elastic/x-pack-elasticsearch@027b905d80
2015-07-21 11:08:55 -04:00
debadair 91786f4662 Stated that node client is unsupported, removed node client config info, and edited the transport client config section. Closes elastic/elasticsearch#906
Original commit: elastic/x-pack-elasticsearch@9bbd6726a8
2015-07-20 10:51:06 -07:00
Clinton Gormley cbeb6fdd66 Renamed [[getting-started]] to [[getting-started-with-shield]] to avoid 301 redirect
Closes elastic/elasticsearch#303

Original commit: elastic/x-pack-elasticsearch@84b535a68c
2015-07-20 14:14:45 +02:00
jaymode 4f1aaa8882 [docs] change `active-directory` to `active_directory`
In the documentation reorganization for Shield, the type of the active directory realm changed
and is not valid. Users are configuring Shield incorrectly and running into issues because of
this. This changes the realm type to the correct value.

Closes elastic/elasticsearch#291

Original commit: elastic/x-pack-elasticsearch@7f8b65eda7
2015-07-17 19:07:52 -04:00
Clinton Gormley 7d986eb295 Docs: Fixed bad link to disk allocation in ES 1.7
Original commit: elastic/x-pack-elasticsearch@8abbf7468b
2015-07-16 16:07:45 +02:00
Clinton Gormley d6d13661e8 Docs: Fix bad ID in Shield intro
Original commit: elastic/x-pack-elasticsearch@61b72d57ae
2015-07-16 10:46:52 +02:00
debadair 79e12ad65b Docs: Revised the Shield intro to be more Shield-centric.
Original commit: elastic/x-pack-elasticsearch@ba7d73fd61
2015-07-15 10:38:38 -07:00
debadair dce7c48f67 Docs: Reorganized Shield TOC, renamed files, cleaned up hierarchy.
Original commit: elastic/x-pack-elasticsearch@15caf307c4
2015-07-15 10:17:17 -07:00
uboness 8babe1c456 initial migration of shield
Original commit: elastic/x-pack-elasticsearch@2bf095d3cb
2015-07-13 12:31:34 +02:00