We currently store the names of indices as a comma separated string instead
of an array. An array is the proper format for this information so this commit
changes the index audit trail to store the indices as an array.
Closeselastic/elasticsearch#917
Original commit: elastic/x-pack-elasticsearch@025393d91c
The beforeIndexDeletion method expects that nothing is still indexing when it runs
but this is not the case as the index audit trail will continue indexing events that
occur as checks are being performed in the cluster.
Original commit: elastic/x-pack-elasticsearch@02001a5222
Previously we relied on the default dynamic mapping for the audit index output, which did
not create an ideal mapping. This change adds a mapping file with default settings and
dynamic mapping disabled for the audit indexes.
Additionally, the ability to override settings for the audit indexes has been provided so that
users can customize the number of shards and replicas to meet their needs.
In order to implement these changes, the index audit service had to be moved from a lifecycle
component to an abstract component that had its own custom lifecycle on top of the cluster
state. A ShieldLifecycleService class was added to accomplish this. In the future, this class
can be used for other services that need to perform index based operations.
Closeselastic/elasticsearch#913
Original commit: elastic/x-pack-elasticsearch@231740c1cc
If auditing is not enabled, we should not bind the index audit trail as a lifecycle component
since we do not bind all of its dependent classes when auditing is disabled.
Original commit: elastic/x-pack-elasticsearch@39f736ca6a
This changes how the user defines which events should be indexed. Previously, there were
several boolean settings being used. This condenses to an include and exclude setting.
Additionally, the IndexAuditTrail needed to become a lifecycle component since parsing the
enum could throw exceptions. Given this, the IndexBulkProcessor was condensed into the
IndexAuditTrail since it did not make sense to have two lifecycle components for an index
audit trail.
Closeselastic/elasticsearch#900
Original commit: elastic/x-pack-elasticsearch@4b4d824f5e
Today, a realm could throw an exception, which will not be caught and cause the audit
trail to be skipped. This commit catches exceptions thrown by realms and ensures that
the audit trail is called and then re-throws the exceptions.
Closeselastic/elasticsearch#901
Original commit: elastic/x-pack-elasticsearch@d260c00b33
Today, some system actions could be logged by default when the actions performed are
not internal. Additionally for internal actions, we never checked if the user was the system
user.
This adds a check to ensure the user is the System user and that the actions that are being
suppressed are known system actions.
Closeselastic/elasticsearch#902
Original commit: elastic/x-pack-elasticsearch@b107994692
Elasticsearch core no longer uses shaded dependencies by default, so this change makes
the plugin use the unshaded dependencies.
Original commit: elastic/x-pack-elasticsearch@495f636266
Today, we simply return a SSLSocketFactory from a SSLContext, which provides
the default SSL configuration for sockets. This means that SSLv3 could still be
enabled on these sockets when running in an older JVM. This also means that
the ciphers and protocol settings are not honored for users of this socket factory,
which is currently the LDAP code.
This change returns a custom socket factory that delegates to the default socket
factory and sets the ciphers and protocols on the socket before returning the
socket.
Original commit: elastic/x-pack-elasticsearch@c4cfedfd51
Our current CA configuration creates certificates with only a CN and this caused
the regular expression in the PKI realm to fail. The default regular expression in
the PKI realm has been changed to allow for only a CN, while still maintaining the
ability to extract only the CN when other fields are present in the DN.
Additionally, the CA configuration has been updated so that is will copy any of the
originally specified fields (besides CN and EMAILADDRESS) over to the signed
certificate.
Original commit: elastic/x-pack-elasticsearch@ff27f69781
The IndicesTermsFilter Cache in core can leak data by not authorizing users prior to
retrieving data from the cache. We work around this by ensuring that the cache has
a maximum size of 0, effectively disabling it.
A test is also added to ensure that data is not leaked by this cache or the cache used by
the ScriptService in core.
Closeselastic/elasticsearch#854
Original commit: elastic/x-pack-elasticsearch@8a48bdad98
Today, we only have the option to require client authentication or not require it. A third case
exists where the server can want client authentication, but if the client does not have credentials
or wish to send credentials the connection will still be allowed.
This is beneficial for the PKI realm because it allows some clients to authenticate with PKI and
others to use another authentication token such as username and password authentication.
Closeselastic/elasticsearch#858
Original commit: elastic/x-pack-elasticsearch@e7cbc20bca
Today, an exception is thrown when calls to the encrypt and decrypt methods are
made without a key being present. For now, we will not require the system key and
this behavior is undesirable.
This commit changes the behavior to just return the provided characters or bytes
when no key is present. Additionally, a method has been added for callers to see
if encryption is supported. Finally, the listener interface has been made public and
expanded to provide the old keys when the keys are changed. This allows
consumers to decrypt with the old key and re-encrypt with the new key.
Original commit: elastic/x-pack-elasticsearch@de3d5b6180
Today, we always throw an AuthorizationException for an unauthorized user. This is
problematic when anonymous access is enabled and the HTTP client being used
does not support preemptive basic authentication as only the anonymous user
will be used by such a client.
This change adds a setting to allow an AuthenticationException to be thrown for
anonymous users. This will clients such as browsers to work with anonymous
access and authenticated access.
Closeselastic/elasticsearch#853
Original commit: elastic/x-pack-elasticsearch@d338b468c7
The esusers tool reads the list of roles to provide validation feedback to the user,
however since we have added custom roles the tool doesn't know about these roles
as they come from outside of Shield. When a custom role was found, a warning
was printed that can be confusing to users.
Now when validating roles, we only read the names from the roles.yml file.
Closeselastic/elasticsearch#835
Original commit: elastic/x-pack-elasticsearch@89d0e3efce
Adds a check to all of the esusers commands to ensure the correct number
of arguments are found. If extra arguments are found, they are printed out
with an error message and the tool exits.
Closeselastic/elasticsearch#817
Original commit: elastic/x-pack-elasticsearch@cd3e786267
Reduces the amount of logging on both HTTP and Transport protocols for
a channel being closed while in the middle of a handshake. This often
occurs when the client does not trust the server certificate and aborts the
handshake. Also, reduces logging on the Transport protocol for a
plain text message received on a channel that is using TLS.
Closeselastic/elasticsearch#771
Original commit: elastic/x-pack-elasticsearch@321c384ddd
This commit removes the commons codec dependency and simplifies the
hasher code by only supporting bcrypt encryption in the users file. All tests
now also exercise the esusers realm with bcrypt instead of plain text passwords.
Closeselastic/elasticsearch#806
Original commit: elastic/x-pack-elasticsearch@3119267851
This commit makes TLSv1.2 the default protocol for better security. The
old value of TLS would only pick a TLSv1.0 supporting context and cause
client connections to be negotiated using that protocol when TLSv1.2 is
supported and considered an improved protocol.
Closeselastic/elasticsearch#867
Original commit: elastic/x-pack-elasticsearch@1f062f6dde
This commit removes the DHE cipher from our list of enabled ciphers
due to the recently published Logjam attack. The default configuration
is not susceptible to the Logjam attack, but since we support Java 7
the maximum prime size (768 bit) is considered too weak. Java 8 supports
1024 bit primes, but these are also not ideal and this cipher should not be
used with a prime smaller than 2048 bits.
Closeselastic/elasticsearch#862
Original commit: elastic/x-pack-elasticsearch@9785bf47cf
Adds JNA as a test time dependency to work around it being required on
windows in elasticsearch core.
Original commit: elastic/x-pack-elasticsearch@b8fc70a051
This commit is a squashed commit of work done in conjunction with @rmuir to make
shield work properly with elasticsearch 2.0. This includes ensuring all tests
pass when running with the security manager and updating the code to be compatible
with the latest core forbidden apis.
Shield is now a child project of elasticsearch-parent and inherits a lot of common
build, test, and static coverage functionality from that project resulting in a much
smaller and simpler pom.xml for shield. As part of this work, Shield can now read
rest tests from the elasticsearch jar so the rest tests are run automatically when
running the slow tests.
Original commit: elastic/x-pack-elasticsearch@2ebbf4284a
The system user needs to be able to execute a reroute action to support the
DiskThresholdDecider. The DiskThresholdDecider executes an empty reroute
request when a high disk watermark has been exceeded.
Relates to elastic/elasticsearch#816
Original commit: elastic/x-pack-elasticsearch@890b44d79e
The testChangingAByte method was requesting a random length byte array ranging
from 0-1000. The issue is that a byte array with length of 0 cannot be changed and
therefore this test is not valid in this case. It now requests a range of 1-1000.
Original commit: elastic/x-pack-elasticsearch@88edf535f4
This changes the SignatureService into a CryptoService that now supports encryption
operations in addition to the signing operations. The encryption leverages the existing
system key and uses it with AES.
Closeselastic/elasticsearch#805
Original commit: elastic/x-pack-elasticsearch@a792ed4a54
For the CLI tools in Shield we create a new temp file and replace the existing file
to prevent issues with reloading a half written file. This has a potential side effect
of changing the user and group that own the file. Many times the commands are
run with root privileges (sudo) and when run with root privileges we can actually
reset the owner and group correctly.
Closeselastic/elasticsearch#812
Original commit: elastic/x-pack-elasticsearch@1ee3715376
For HMAC and password hash comparisons we need to use a time
constant comparison that always compares the whole value in order
to protect against timing attacks.
Original commit: elastic/x-pack-elasticsearch@f6082c76b9
Elasticsearch version 1.5.1 was released today, so move to testing against
the release version and add 1.5.2-SNAPSHOT.
Original commit: elastic/x-pack-elasticsearch@36b502dbb1
jaymode
Boaz Leskes
Alexander Reelsen
aleph-zero