Requests are now auth'ed on the transport level as well (in addition to the transport action level). This is required as some internal requests are not executed as actions, thus not going through the auth process in the transport action. Since we have n2n authentication, we also assume here that requests that are not associated with an authentication token are internal system calls. We then, auth the request as a system user.
Also Added a system realm (to handle system requests)
Original commit: elastic/x-pack-elasticsearch@2c917318f0
* Changed Authentication/AuthorizationException to always return RestStatus.UNAUTHORIZED
* Added the WWW-Authenticate header, which results in user/pass input in browsers
* Added tests and own assertions class
Closeselastic/elasticsearch#18
Original commit: elastic/x-pack-elasticsearch@c6ce084692
This commit adds support for disabling alerts.
This commit adds preliminary support for scripted triggers.
Original commit: elastic/x-pack-elasticsearch@e14a56dbeb
This commit contains fixes to the IndexAlertAction and normalizes the serialization of
Alerts using ToXContent interface.
Original commit: elastic/x-pack-elasticsearch@47325bdd01
This commit add functionality so that multiple nodes running alert plugins won't stand on
each other trying to run the same alerts at the same time.
Original commit: elastic/x-pack-elasticsearch@9c350c0114
This commit adds timestamp clamping on the timeperiod to alerting.
Also adds index setting on alerts.
Original commit: elastic/x-pack-elasticsearch@222cd6eaef
- Also added an overloaded version of the AuthenticationService#token method that accepts a default token and that doesn't thrown an authentication exception
- Added AuditTrail#authenticationFailed method at a higher level than the realm version. Now the realm authc failure will only be logged when trace is enabled. With this change, the audit trail logging is more consistent in its terminology (anonymous is now logged when no auth token is found)
- extended the level of audit trail logging tuning (now using all logging levels, incl. error & warn)
- Added tests for audit trails
- Added tests for authentication service
- Added mockito as a test lib (will serve as our mocking framework)
Original commit: elastic/x-pack-elasticsearch@8d21ab7484
This commit adds parsing of the triggers and actions, and allows alerts to be restricted to indices.
Original commit: elastic/x-pack-elasticsearch@44a6a51b17
This commit enables loading of alerts from the .alerts index and adds the
Quartz scheduler.
You can add the following alert :
````
curl -XPOST http://localhost:9200/.alerts/alert/myTestAlert -d '{
"query" : "myAlertQuery",
"schedule" : "00 * * * * ?",
"trigger" : {
"numberOfEvents" : ">1"
},
"timeperiod" : 300,
"action" : {
"email" : [ "brian.murphy@elasticsearch.com" ]
},
"version" : 1,
"lastRan" : "2014-05-05T12:12:12.123Z"
}
````
With the following search template:
````
curl -XPOST localhost:9200/_search/template/myAlertQuery -d '{ "template" : { "query" : { "match_all" : {} } } }'
````
This will execute the search every minute and trigger if there is more than one match (which there will be).
Original commit: elastic/x-pack-elasticsearch@708f927914
- The authentication service now exposes a token() method to extract the token from the message
- The AuthenticationService#authenticate now accepts the token (extracted using the AuthenticationService#token)
- The Realm now exposes a support(AuthenticationToken) method
- The authc service will now consult all the realms that support a specific token, and the first realm that successfully authenticate will "win".
- Removed the SecurityActionFilter class - it wasn't tested or used anywhere. We'll add a new action filter in a separate commit
Original commit: elastic/x-pack-elasticsearch@e4dd36175f
- changed Privileges class (moved away from enum and use constants instead), now implies(...) can only work on same type privilege
- introduces Permissions.Global (replacing the generic Compound)
- Fixed FileRolesStore to use new privileges & permsissions
- Changed the file format for FileRolesStore. Now instead of the `indices::privileges` array, the indices permissions are defined as an object where the indices are the keys and the privileges are the values. This moves the configuration to pure yaml format.
- Added an option on the authorization service to extract all indices & aliases permitted for a specific user+privilege
Original commit: elastic/x-pack-elasticsearch@77afce767c
* Fixed issue, where client auth was never needed for HTTP.
* Changed parameter name to `require.client.auth`
* Added tests, removed useless code in SslIntegrationTests
Original commit: elastic/x-pack-elasticsearch@ea424e0ae4
In order to use the `esusers` tool and to crypt passwords, one needs
to have the jar packaged in the zip release. This adds the depdendency
to the assembly descriptor.
Original commit: elastic/x-pack-elasticsearch@82ae451892
- Also introduced an option to disable esusers auth (such that if users configured ldap, the audit trails won't get cluttered by failed authentication in esusers
- Moved the realms initialization to a dedicated Realms class
- Also introduce an option to completely disable shield while keeping the installed plugin and its settings
Original commit: elastic/x-pack-elasticsearch@b554ad5ba7
Now the UsernamePasswordToken, once resolved, is placed in the (new) request context as is (avoids the need to re-parse headers)
Original commit: elastic/x-pack-elasticsearch@f898a94157
Two new commands to the command line tool have been added
* esusers list: Allows to list all users with their roles or only a single one
* esusers roles: Allows to add or remove roles
Roles have been configured as to only consist of lowercase alphanumeric characters.
Original commit: elastic/x-pack-elasticsearch@6fcb4c56e4
Changed the scope of the guava dependency to prevent wrong imports and always use the shaded ones.
This required a change in the forbidden API signatures, as that tool alwyas try load the class and fail
if the class cannot be found.
Original commit: elastic/x-pack-elasticsearch@90a245423a
* Add config and bin directory to assembly
* Add main method to ESUsersTool so it starts
* Fix bin/esusers to actually start
* Fix ESUsersTool to write files in config/shield by default as each plugin has its own directory after installation
* Changed bin/ and config/ directory to reflect path after installation in ES
Original commit: elastic/x-pack-elasticsearch@7d4165e389
Used the existing infra structure to filter by ip in the netty pipeline
before any other handler is hit, in order to reject as soon as possible.
Right now the connection is simply closed.
The configuration is a simple YAML file which uses allow/deny rules
Original commit: elastic/x-pack-elasticsearch@000e44f8cc
Settings for SSL now all start with `shield` as well. Changed documentation and tests to reflect this.
Original commit: elastic/x-pack-elasticsearch@9dd3bc865e
There are four modules:
- authc: realm based authentication module
- authz: role based privileges & permissions authorization module
- n2n: node to node authentication module (incl. IP filtering auth)
- audit: audit trail module (only includes log file audit trails for now)
Original commit: elastic/x-pack-elasticsearch@b1ec9e2923