Commit Graph

99 Commits

Author SHA1 Message Date
Jay Modi 4239ba5415 allow reads of native users and roles when template version hasn't been updated
This change allows reads of our native users and roles when the template version has not been updated to
match the current version. This is useful for rolling upgrades where the nodes are also being actively
queried and/or indexed into. Without this, we can wreak havoc on a cluster by causing exceptions during
replication, which leads to shard failures. On nodes that match the version defined in the template,
write operations are allowed since we know that we are backwards compatible in terms of format but we
may have added new fields and shouldn't index them until the mappings and template have been updated.

As part of this, the rolling upgrade tests from core were used as the basis for a very basic set of tests
for doing a rolling upgrade with x-pack.

Closes elastic/elasticsearch#4126

Original commit: elastic/x-pack-elasticsearch@9be518ef00
2016-11-22 12:00:09 -05:00
Areek Zillur a9f3619b5a Enable merging license in tribe node (elastic/elasticsearch#4147)
Currently, a tribe node ignored underlying cluster licenses
due to inablity to select an appropriate license from  multiple
licenses. Now that tribe node supports merging custom metadata
(elasticsearch#elastic/elasticsearch#21552), we can enable license support in tribe
node.

Now, tribe node chooses license with the highest operation
mode from underlying cluster licenses. This commit also
adds integration tests for licensing to verify that:
 - autogenerated trial license propagates to tribe node
 - tribe node chooses the highest operation mode license
 - removing a license from underlying cluster license is
   removed from tribe

closes elastic/elasticsearch#3212

Original commit: elastic/x-pack-elasticsearch@b5c003decd
2016-11-22 11:42:51 -05:00
Tanguy Leroux 18478d63c2 Watcher: Add JIRA action (elastic/elasticsearch#4014)
closes elastic/elasticsearch#493

Original commit: elastic/x-pack-elasticsearch@6b7387d3e4
2016-11-21 10:52:55 +01:00
Simon Willnauer 92040ef72e Remove netty_3 support from xpack (elastic/elasticsearch#4097)
This is a followup from elastic/elasticsearchelastic/elasticsearch#21590 and needs to be
committed first or at the same time since netty_3 is removed

Original commit: elastic/x-pack-elasticsearch@131d74dd6b
2016-11-17 12:44:24 +01:00
Tanguy Leroux 4badf28a8d Add Vagrant Gradle plugin (elastic/elasticsearch#3993)
This commit adds a new Gradle sub project that makes use of the VagrantTestPlugin in order to test the installation of X-Pack.

Original commit: elastic/x-pack-elasticsearch@e09db6602c
2016-11-15 15:30:13 +01:00
Yannick Welsch 7b165504dc Use project-defined Java installation for keytool (elastic/elasticsearch#4066)
Companion commit for elastic/elasticsearchelastic/elasticsearch#21540

Original commit: elastic/x-pack-elasticsearch@a1c21ece25
2016-11-15 09:32:04 +01:00
Ryan Ernst 23e6cab7f1 Merge pull request elastic/elasticsearch#4044 from rjernst/realm_sig
Extensions: Make resource watcher available to custom realms

Original commit: elastic/x-pack-elasticsearch@3cb494e98d
2016-11-14 12:38:27 -08:00
Yannick Welsch 9d5ebe9e2a Use project-defined Java installation for keytool
Companion commit for elastic/elasticsearchelastic/elasticsearch#21540

Original commit: elastic/x-pack-elasticsearch@aa4e2df5bf
2016-11-14 15:43:11 +01:00
Nik Everett 700467c3a7 Use index_patterns in templates
And skip a REST test that won't pass.

Original commit: elastic/x-pack-elasticsearch@e297add6c1
2016-11-10 21:42:59 -05:00
Ryan Ernst bcd32ada4f Extensions: Make resource watcher available to custom realms
This simply adds ResourceWatcherService as an arg for getting custom
realms from xpack extensions.

closes elastic/elasticsearch#4038

Original commit: elastic/x-pack-elasticsearch@fe58d8a7ee
2016-11-10 12:43:28 -08:00
Ryan Ernst fa97a806ca Remove unneeded rest test params
This is the xplugins side of elastic/elasticsearchelastic/elasticsearch#21391

Original commit: elastic/x-pack-elasticsearch@30d36e340a
2016-11-07 14:46:39 -08:00
Jay Modi bd522191b2 test: use toJSON inside a role
This commit adds a test that uses toJSON templating inside of a role with
an array defined in the user's metadata.

Originates from user discussion at:
https://discuss.elastic.co/t/x-pack-security-role-definition-query-template-with-terms/62790

Original commit: elastic/x-pack-elasticsearch@196f7f597c
2016-11-07 07:21:41 -05:00
Jack Conradson 7dd4188299 Cleanup ScriptType (elastic/elasticsearch#3922)
Refactored ScriptType to clean up some of the variable and method names. Added more documentation. Deprecated the 'in' ParseField in favor of 'stored' to match the indexed scripts being replaced by stored scripts.

Original commit: elastic/x-pack-elasticsearch@d7c7bd7362
2016-10-31 13:49:10 -07:00
Nik Everett 0f54f9524d Handle reindex's change to whitelist
Reindex has grown support for simple whitelist patterns like
`localhost:*` and lost support for `myself`.

Original commit: elastic/x-pack-elasticsearch@31d9c4dc5c
2016-10-18 21:46:30 -04:00
javanna 4bb6e856f3 Authorize composite actions based on their action name only, subrequests and their indices will be later authorized individually
Eagerly authorizing CompositeIndicesRequests allowed the security plugin to fail fast up until now, but it makes it very hard to reason about each specific item in a multi items request. Either all items fail, or none do. We would rather want to adopt a similar behaviour to es core, where individual items fail without affecting other items that are part of the same request. We can rely on the fact that es core always authorizes both main action and every subaction too, and skip authorization for the main action. By subaction we mean either all sub search requests in msearch, as well as each shard level get in mget or shard level bulk request for bulk.

 BulkRequestInterceptor was converted to intercept BulkShardRequests rather than BulkRequest as that is where bulk is authorized after this change.

 Split IndicesAndAliasesResolverIntegrationTests into ReadActionsTests and WriteActionsTests as they require different set of permissions, lots of tests added.

Explicitly listing the composite actions makes sure that the actions that can bypass security are known, somebody adding a similar action must to add it to the list, so we know it doesn't happen by mistake. At this point the CompositeIndicesRequest can be used as a marker interface only (it is not really needed but can be used to verify that composite actions use a request that implements such interface).

Given that we don't authorize composite actions based on their indices anymore, but only their sub-requests which implement IndicesRequest, printing out the indices names in the audit log for requests like bulk and msearch is confusing. Removed support for that.

Authorize composite indices actions based on their name only, their indices will be authorized at the sub-request/shard level

Rather than simply granting bulk, mget, msearch etc. and relying on authorization at the sub-request/shard level, we check that the current user can at least execute the action. This justifies the grant line that gets written in the audit log, the action is potentially possible without looking at the indices. Each specific item will fail or succeed later and will yield its own specific audit log entry.

Original commit: elastic/x-pack-elasticsearch@4570caf019
2016-10-13 16:05:02 +02:00
javanna d27c4bee82 Support allowNoIndices option in security plugin
Supporting allowNoIndices means that the security plugin has a behaviour much more similar to vanilla es when dealing with wildcard expressions that match no indices, or empty clusters. The default for most request is to allow no indices, but security plugin could only disallow no indices all the time up until now.

The technical problem was that when anything gets resolved to an empty set of indices, we couldn't let that go through to es core, as that would become resolved to all indices by es core, which would be a security hole. We have now found a way though to replace an empty set of indices with something that es core will for sure resolve to no indices, so we can let the request through. We simply replace empty indices with '-*'.

Multi apis requests (e.g. _msearch) have yet to be fixed, as all their indices end up in the same bucket while they should each be authorized separately, so that every specific item can fail or be let through.

Original commit: elastic/x-pack-elasticsearch@0f67a0bfea
2016-10-13 16:05:02 +02:00
javanna 9b46b34bed Honour ignore_unavailable option when resolving indices
For all the requests that support multiple indices and wildcards, hence implementing IndicesRequest.Replaceable, we replace the wildcard expressions with the explicit names of the authorized indices they match. _all or empty indices is treated as a wildcard expression. We can also honour the ignore_unavailable option by going over all the explicit names and filter out the non authorized ones when ignore_unavailable is set to true. If ignore_unavailable is set to false, we leave everything as-is, which will cause an authorization exception to be thrown if only one of those explicit indices is not authorized for the current user.

This is the first step towards resolving elastic/elasticsearch#1250. The remaining issue is that in case we are left with no indices after stripping out the ones that the user is not authorized for, we throw an authorization exception rather than returning an empty response. That will require honouring the allow_no_indices option, which will also change the behaviour when a cluster is empty.

Relates to elastic/elasticsearch#1250

Original commit: elastic/x-pack-elasticsearch@e4ca940d05
2016-10-13 16:05:02 +02:00
Alexander Reelsen 8b83cf067c Watcher: Ensure awesome painless exceptions are propagated to the user (elastic/elasticsearch#3707)
When adding a watch which has a painless component, the scriptexception
was wrapped into a deprecated exception which means, that the awesome
painless descriptions were lost. This wrapping has been removed.

Closes elastic/elasticsearch#3161

Original commit: elastic/x-pack-elasticsearch@1703fe4eb6
2016-10-12 08:14:06 +02:00
Nik Everett 6e31ab8d99 Skip a new template rest test
It isn't compatible with security.

Relates to elastic/elasticsearch#20658

Original commit: elastic/x-pack-elasticsearch@33df690341
2016-10-11 12:30:45 -04:00
Tanguy Leroux 2e7b7be25c Watcher: Re enable array compare test (elastic/elasticsearch#3708)
This test has been blacklisted and deactivated months ago. This commit reenables this test and moves it at the right place. It also change the test to use the Execute Watch API instead of being sleep based.

Original commit: elastic/x-pack-elasticsearch@e7a9689375
2016-10-11 10:25:40 +02:00
Simon Willnauer 2f70ae92b6 Cut over to MockTcpTransport since LocalTransport is remove in core (elastic/elasticsearch#3684)
This is a followup commit to elastic/elasticsearchelastic/elasticsearch#20695

Original commit: elastic/x-pack-elasticsearch@27cd454ba6
2016-10-07 11:28:05 +02:00
Ryan Ernst 1fa0f835fe Build: Reorganize src roots
This change flattens the directory structure, both for the elasticsearch
specific directories, as well as within the elasticsearch x-pack plugin.

closes elastic/elasticsearch#2957

Original commit: elastic/x-pack-elasticsearch@45891a4632
2016-10-01 09:46:43 +02:00
Ryan Ernst 905237a56f Moved directories around
Original commit: elastic/x-pack-elasticsearch@2018bb5f9f
2016-09-29 12:03:14 +02:00
jaymode e5b0e7f5cb reorganize directory layout
See elastic/elasticsearch#1022

Original commit: elastic/x-pack-elasticsearch@3ee8761312
2015-12-03 16:22:37 +01:00
Robert Muir 9df905ff19 Simplify SSL test to not use openssl.
I think the intent here is to just test that our SSL layers work,
not invoke a long chain of keytool + openssl commands.

This simplifies the build and will work on windows.

Original commit: elastic/x-pack-elasticsearch@af07d0d4f7
2015-11-30 09:28:16 -05:00
Robert Muir 8a22ba0a08 smoke-test-plugins-ssl shoudl check if openssl is available
Today some jenkins servers dont have it (e.g. windows), and it constantly fails...

Original commit: elastic/x-pack-elasticsearch@6b561c73e0
2015-11-30 08:42:25 -05:00
javanna 171179d91f [TEST] non stored fields are not returned anymore via fields
Relates to https://github.com/elastic/elasticsearch/issues/14489

Original commit: elastic/x-pack-elasticsearch@2897dc5df7
2015-11-30 12:12:31 +01:00
Ryan Ernst a67aebc9fc Build: Remove hack to touch keystore before it is created
This will be fixed in ES with elastic/elasticsearchelastic/elasticsearch#15089

Original commit: elastic/x-pack-elasticsearch@55b42a7ad4
2015-11-28 18:07:37 -08:00
Daniel Mitterdorfer ad697c077e Reenable SSL smoke tests
Original commit: elastic/x-pack-elasticsearch@1969c6d020
2015-11-27 17:25:51 +01:00
Daniel Mitterdorfer b9b39efac8 Disable SSL integration tests temporarily
We disable SSL integration tests as  a workaround for
https://github.com/elastic/infra/issues/628 to ensure
other problems can still be caught.

Original commit: elastic/x-pack-elasticsearch@47bf56faec
2015-11-27 10:23:03 +01:00
Ryan Ernst 660ac633a6 Merge pull request elastic/elasticsearch#1043 from rjernst/remove_ant_contrib
Build: Simplify ssl test to not use ant

Original commit: elastic/x-pack-elasticsearch@14d41f6fc1
2015-11-25 11:28:46 -08:00
Ryan Ernst 59a10e6309 Build: Simplify ssl test to not use ant
This change ports the tasks from the ssl ant build file into gradle tasks.

Original commit: elastic/x-pack-elasticsearch@af88196050
2015-11-25 11:23:26 -08:00
Robert Muir ae24881484 Move disabled watcher+groovy "unit" tests to qa/messy-test-watcher-with-groovy
This is all the tests disabled from https://github.com/elastic/x-plugins/issues/724

At least, they will be running in the build in some way. If we can fix gradle to
add plugin metadata from lang-groovy to the test classpath, security manager
can be re-enabled for these as well.

But its also only 8 tests, maybe its easier to fix them?

Original commit: elastic/x-pack-elasticsearch@a5c407b80f
2015-11-25 13:29:00 -05:00
Robert Muir 7ed4ea56b2 re-enable smoke-test-plugins with ssl
Note, its a bit crazy/hackish, but it works.

Original commit: elastic/x-pack-elasticsearch@377113c1c2
2015-11-24 23:19:04 -05:00
Robert Muir 140a399dfb Merge pull request elastic/elasticsearch#1033 from rmuir/enable_shield_example_realm_qa
re-enable shield example realm QA test

Original commit: elastic/x-pack-elasticsearch@73177eacc8
2015-11-24 20:12:47 -05:00
Robert Muir ac898ef4f3 re-enable shield example realm QA test
Original commit: elastic/x-pack-elasticsearch@98fd46f3aa
2015-11-24 20:10:46 -05:00
Ryan Ernst 66f3d18af0 Build: Add back smoke test plugins for xplugins
This checks that all ES plugins and xplugins are installed. I also
changed the rest check to be a simple plugin count, so it does not fail
when new plugins are added.

Original commit: elastic/x-pack-elasticsearch@eaab182e43
2015-11-24 17:09:56 -08:00
Robert Muir f0c0f75dbd Merge pull request elastic/elasticsearch#1031 from rmuir/shield_audit_qa
add back shield audit qa tests

Original commit: elastic/x-pack-elasticsearch@ce1e637b5f
2015-11-24 19:44:05 -05:00
Robert Muir 71d50ec058 add back shield audit qa tests
Original commit: elastic/x-pack-elasticsearch@f34b2c99e9
2015-11-24 19:41:50 -05:00
Ryan Ernst 19b7cad39c Build: Add back shield client qa tests
Original commit: elastic/x-pack-elasticsearch@6cecea3992
2015-11-24 16:40:05 -08:00
Ryan Ernst f96a6700c4 Build: Remove hack in shield+watcher rest test for copying config file
Original commit: elastic/x-pack-elasticsearch@e31ef685d0
2015-11-24 16:13:22 -08:00
Robert Muir 4b35407510 re-enable smoke-test-watcher-with-shield qa test
Original commit: elastic/x-pack-elasticsearch@2710eb67ef
2015-11-24 18:49:15 -05:00
Robert Muir a4f596b204 get watcher+groovy QA test working again (without hack)
Original commit: elastic/x-pack-elasticsearch@843a5ea6e4
2015-11-24 17:41:21 -05:00
Ryan Ernst 4f44ccedb5 Build: Simplify plugin installs for integTests
This is the xplugins side of elastic/elasticsearchelastic/elasticsearch#14986, making use of
the simplification in configuration.

Original commit: elastic/x-pack-elasticsearch@a24ad7b08a
2015-11-24 12:54:11 -08:00
Ryan Ernst b011490320 Add more retries for wait condition, in case jenkins is slow
Original commit: elastic/x-pack-elasticsearch@04e5648cd9
2015-11-24 08:24:57 -08:00
Ryan Ernst 9da4b6160c Build: Get shield qa test with core rest tests working
This adds back the shield qa rest tests module with gradle. There is
also a small fix in ShieldPlugin for a bug that was discovered around
checking for a custom query cache (which was using the node settings
instead of index settings).

Original commit: elastic/x-pack-elasticsearch@28c6d58f37
2015-11-24 01:05:21 -08:00
Robert Muir cfb77bf572 Remove confusing pom.xml files
Original commit: elastic/x-pack-elasticsearch@772a1eb5d3
2015-11-05 10:39:28 -05:00
jaymode bb6fe2abcd test: re-sync the smoke test plugins lists with core
Original commit: elastic/x-pack-elasticsearch@ba45f84d97
2015-10-27 09:48:31 -04:00
jaymode 203e6f4c6e add ensureYellow
Original commit: elastic/x-pack-elasticsearch@698c00dd6b
2015-10-26 16:25:50 -04:00
jaymode f4991d862a remove the ensure green
The random index template can set a number of replicas that will prevent the index
from ever being green in a single node cluster...

Original commit: elastic/x-pack-elasticsearch@81ecfe0818
2015-10-26 16:22:08 -04:00