Add transport actions for configuration.
Add Listener so that components can listen for config changes.
Original commit: elastic/x-pack-elasticsearch@bab02770d9
This commit adds the ConfigurationManager which the components use to load configuration from the index.
The configuration manager exposes an isReady method which components should not start until it is returns true.
Original commit: elastic/x-pack-elasticsearch@96a2f9f44f
Build number maven plugin requires this info to retrieve the build number and make it available as a variable, which is then published through RestShieldInfoAction, which is currently null. This commit makes sure the build number gets currently published.
Closeselastic/elasticsearch#428
Original commit: elastic/x-pack-elasticsearch@0a2bc7646b
- where the licenses were enabled on any cluster event. Instead they should only be enabled either explicitly by the test or at start up.
- also modified `ShieldActionModule` to for `ShieldActionFilter` to be bound as an eager singleton (es core doesn't define the scope for the registered action filters)
Original commit: elastic/x-pack-elasticsearch@47ac0d2e6f
- Added a `LicenseService` to handle license feature enable/disable events
- LicenseEventNotifier is responsible for notifying the license events to whatever registered listeners that are interested in them
- In Shield, when a license is disabled for `shield` feature, we block all read operations (done in the `ShieldActionFilter`)
- Added initial documentation around licensing
Closeselastic/elasticsearch#347
Original commit: elastic/x-pack-elasticsearch@6ba7a10cd4
This is a little cleanup to only iterate IP filter rules for each
profile instead of iterating all of them and check for the profile
inside of the rule.
Original commit: elastic/x-pack-elasticsearch@6774f1f165
The locale is being randomized but never printed out for now (fixed upstream but we still depend on 1.4.0). We need to temporarily log it out manually to debug some test failures that might be related to the locale randomization (in combination with build machines settings).
Original commit: elastic/x-pack-elasticsearch@6f7e9625d1
Every random call should happen all the time on all platforms (unless randomized!), otherwise tests won't reproduce on different platforms.
Original commit: elastic/x-pack-elasticsearch@d5b2d2079c
This PR allows to configure different ServerTransportFilters per profile.
By default there is a `server` transport filter, that does authentication
and a `client` on that rejects internal actions and shard actions.
Closeselastic/elasticsearch#312
Original commit: elastic/x-pack-elasticsearch@1ce66495a5
In order to fixelastic/elasticsearch#378 a problem was revealed, that the ip filter for HTTP was
always the one for the default profile, which lead to failed tests (along
with wrong socket connections, which made the test go green irregularly).
This commit fixes the tests and allow to configure own HTTP ip filters, adding
the following settings
* shield.http.filter.enabled
* shield.http.filter.allow
* shield.http.filter.deny
If not specific settings are configured, the one of the default profile are used.
Closeselastic/elasticsearch#378
Original commit: elastic/x-pack-elasticsearch@89dbaefe9a
N2NAuthenticator was not really used. Only the ip filtering authenticator was used, and was used directory (no use for a generic interface). `IPFilteringN2NAuthenticator` is now `IPFilter` and all relevant classes were moved to `shield.transport.filter` package.
Original commit: elastic/x-pack-elasticsearch@43f6faeb4b
In order to not require client side SSL certs for transport clients
another option was added in the profile configuration to enable
or disable client side certs. The same option has also been added
for HTTP.
Original commit: elastic/x-pack-elasticsearch@9658598bdc
Force validation of eusers username & password, and the role names.
role names and usernames follow the following validation rule:
```
A valid name must be at least 1 characher and no longer than 30 characters. It must begin with a letter (`a-z` or `A-Z`)
or an underscore (`_`). Subsequent characters can be letters, underscores (`_`), digits (`0-9`) or any of the following
symbols `@`, `-` or `$`
```
passwords must be at least 6 characters long.
Closeselastic/elasticsearch#399
Original commit: elastic/x-pack-elasticsearch@e6be51b357
Local gateway has been removed in core, but it's a master only change. If we don't set it to local in our settings, we end up using the none gateway and KnownActionsTests fails because the local gateway endpoint are not registered to core.
Original commit: elastic/x-pack-elasticsearch@9bb550329f
Local gateway has been removed in core, but it's a master only change. If we don't set it to local in our settings, we end up using the none gateway and KnownActionsTests fails because the local gateway endpoint are not registered to core.
Original commit: elastic/x-pack-elasticsearch@c3bc37df4b
This class will be deleted when we'll depend on the next version, for now we forked it and we have to keep it up-to-date
Original commit: elastic/x-pack-elasticsearch@0d7cfdfe3d
We currently run with ssl always on on the transport layer, which means that we never test with ssl off. We found bugs in the past caused by the ssl classes being loaded even when ssl was disabled, those should be caught by this new randomization.
Added method to override whether ssl is enabled or not for SUITE and TEST tests, called sslTransportEnabled(). A couple of tests do require ssl always on, thus they enable it through that method, which means that both nodes and transport client will have the keystore configured and ssl enabled on the transport.
Note that ssl on http is not touched here, that stays off by default unless enabled specifically in SUITE or TEST tests.
Closeselastic/elasticsearch#396
Original commit: elastic/x-pack-elasticsearch@63061b97ff
This replaces the use of the logger in the IPFilteringN2NAuthenticator with the
AuditTrail, so that the connection granted or denied messages will now be seen
with the rest of the audit output.
Closeselastic/elasticsearch#101
Original commit: elastic/x-pack-elasticsearch@10218a45a9
- SSLService needs to be lazy loaded (only loaded when required). Guice provider doesn't seem to work as all singleton bindings are forced to be loaded eagerly. For this reason, a new `SSLServiceProvider` is introduced and is injected wherever the SSLService might be needed (SSLService is never injected directly)
- `IPFilteringN2NAuthenticator` is now always injected and used. enabling/disabling the filtering is handled within the `IPFilteringN2NAuthenticator` and the `SecuredMessageChannelHandler` on the transport is always set. Although we add another handler to netty's event chain (even while having ip filtering disabled), the overhead of this handler is negligible and this will also enabled enabling/disabling filtering at runtime (if we choose to support it) via API later on.
Original commit: elastic/x-pack-elasticsearch@cd44ecd6ac
Brian Murphy
javanna
uboness
Areek Zillur
Martijn van Groningen
Alexander Reelsen
jaymode