This adds the release notes to the documentation for Shield. Note, two new features do not
have links as the documentation for these are still pending.
Original commit: elastic/x-pack-elasticsearch@e66df5cf14
The SSL randomization can cause issues when running this test multiple times to look for an issue
since the suite cluster may have a different SSL value than the remote cluster during subsequent
runs.
Closeselastic/elasticsearch#607
Original commit: elastic/x-pack-elasticsearch@8ba3140c52
This commit cuts over to StandardCharset vs. guavas Charsets, removes
obsolete uses of Collections2 / Function and replaces all LoadingCaches
with simple CHM#loadIfAbsent
Original commit: elastic/x-pack-elasticsearch@7d1d607e9e
The IndexAuditTrail was not setting the appropriate user header on requests to see if the index exists and
the mapping is updated. This did not fail in tests because we set shield.user, but fails during a normal
installation.
Closeselastic/elasticsearch#626
Original commit: elastic/x-pack-elasticsearch@3771612b20
Remove use of com.google.common.collect.Sets.
This commit removes all uses of com.google.common.collect.Sets. This is
one of many steps in the eventual removal of Guava as a dependency.
Relates elastic/elasticsearchelastic/elasticsearch#13224
Original commit: elastic/x-pack-elasticsearch@5276ed9723
This commit removes all uses of com.google.common.collect.Maps. This is
one of many steps in the eventual removal of Guava as a dependency.
Relates elastic/elasticsearchelastic/elasticsearch#13224
Original commit: elastic/x-pack-elasticsearch@3708fc0c60
I fixed a couple more warnings and added suppressions, so that when
elastic/elasticsearchelastic/elasticsearch#13410 lands, x-plugins will not break.
Original commit: elastic/x-pack-elasticsearch@8a19b2b71b
Today, if the roles.yml file does not exist the roles that are defined programmatically are not
available. This is incorrect because the reserved roles should always be available and not depend
on the parsing of the file. This change ensures that the reserved roles are made available even
when the roles.yml file is missing.
Closeselastic/elasticsearch#602
Original commit: elastic/x-pack-elasticsearch@ee2fd2ddbf
This change removes the override of finalize in SecuredString to resolve a issue where
the char[] can be cleared by the call in the finalize method but the char array is still being used.
The specific issue that occurs is in the BCrypt usage of the SecuredString. A character is concatenated
and then the utf8Bytes method is called. In most cases, the proper bytes are returned but occasionally
the byte array is returned with only zeroes. This occurs under load and/or memory pressure and can be
provoked by running BCryptTests with a small heap (12 - 16 megabytes) and the SecuredString
implementation with the overridden finalize method.
Closeselastic/elasticsearch#589
Original commit: elastic/x-pack-elasticsearch@fb6430ea9d
This change adds a new permission that allows authorized users to execute a request as
another user. The flow is as follows:
1. The user making the request is authenticated
2. The user that is being impersonated is looked up
3. The requesting user is authorized for the privilege to run as the specified user
4. The impersonated user is then authorized for the given request
Additionally, the auditing has been updated to support this capability and indicates when a
user has been granted the ability to run as another user and then also indicates both the user
who is being impersonated and the requesting user when actions are granted/denied.
Closeselastic/elasticsearch#17
Original commit: elastic/x-pack-elasticsearch@00e5a6169b
For the RemoteIndexAuditTrailStartingTests we start a remote cluster and index into the test cluster and after
the test we stop the remote cluster but indexing operations can still be ongoing in the test cluster and thus cause
locked shards causing lots of noise in CI. We simply skip this check for these tests.
Closeselastic/elasticsearch#598
Original commit: elastic/x-pack-elasticsearch@e678f82f29
This change makes the environment optional for the ClientSSLService, which is used for
Transport Clients and also used for LDAP client connections. Since we use the ClientSSLService
for LDAP connections, we still need the environment when running as a node under the
security manager to resolve paths from the configuration directory.
Closeselastic/elasticsearch#573
Original commit: elastic/x-pack-elasticsearch@862fafffe3
Instead of wrapping the IndexSearcher and applying the role query during the rewrite, the role query gets applied in a custom filtered reader that applies the query via the live docs.
The big advantage is that DLS is being applied in all document based APIs instead of just the _search and _percolate APIs.
In order to better deal with the cost of converting the role query to a bitset, the bitsets are cached in the bitset filter cache
and if the role query bitset is sparse the role query and main query will execute in a leapfrog manner to make executing queries faster.
If the role query bitset isn't sparse, we fallback to livedocs.
Closeselastic/elasticsearch#537
Original commit: elastic/x-pack-elasticsearch@330b96e1f2
This commit removes and now forbids all uses of
com.google.common.base.Strings across the codebase.
For uses of com.google.common.base.Strings.isNullOrEmpty, use
org.elasticsearch.common.Strings.isNullOrEmpty.
For uses of com.google.common.base.Strings.padStart use
org.elasticsearch.common.Strings.padStart.
For uses of com.google.common.base.Strings.nullToEmpty use
org.elasticsearch.common.Strings.coalesceToEmpty.
Relates elastic/elasticsearchelastic/elasticsearch#13224
Original commit: elastic/x-pack-elasticsearch@d6e349e654
This commit removes and now forbids all uses of
com.google.common.base.Predicate and com.google.common.base.Predicates
across the codebase. This is one of the many steps in the eventual
removal of Guava as a dependency. This was enabled by
elastic/elasticsearchelastic/elasticsearch#13314.
Relates elastic/elasticsearchelastic/elasticsearch#13224, elastic/elasticsearchelastic/elasticsearch#13349
Original commit: elastic/x-pack-elasticsearch@968b81849f
The InternalTestCluster checks after the tests run if there are any locked shards, which is still
possible because the IndexAuditTrail is running and auditing events. This change makes the
test stop the IndexAuditTrail if they are running in the local cluster.
Original commit: elastic/x-pack-elasticsearch@f7fb564525
The ShieldWrappingCluster was added to prevent deletion of the IndexAuditTrail template when
running tests since the wipe() method will delete all templates. However, the cluster wrapping
is problematic with indexRandom() and causes noise in CI. This change removes the
ShieldWrappingCluster and changes the IndexAuditTrail to recreate the index template if it is
removed.
Closeselastic/elasticsearch#562
Original commit: elastic/x-pack-elasticsearch@0403ea7cef