Commit Graph

7217 Commits

Author SHA1 Message Date
Albert Zaharovits 3ea5a6df91 Augment audit authz event with role names data (elastic/x-pack-elasticsearch#3100)
Audit authz events (accessGranted, accessDenied, runAsGranted
and runAsDenied) include role names.

Original commit: elastic/x-pack-elasticsearch@6a94f65962
2017-11-30 15:56:00 +02:00
Tim Vernum 4262b29188 [Security] Add DEBUG logging on role resolution (elastic/x-pack-elasticsearch#3138)
This change adds some debug and trace logging when we look up role names, to explain how each role was resolved.

At the moment we have very little insight into how roles are being resolved which can make it difficult to diagnose some issues.

Original commit: elastic/x-pack-elasticsearch@1b3c246186
2017-11-30 21:34:07 +10:00
Albert Zaharovits a5fe074b5c LoggingAuditTrail emit events before local address available (elastic/x-pack-elasticsearch#3061)
Register LoggingAuditTrail as a ClusterStateListener.
Avoid querying for the localNode while on the ClusterStateApplier thread,
which trips an assertion. This can happen when logging audit events that
originate from the system.

relates elastic/x-pack-elasticsearch#3057

Original commit: elastic/x-pack-elasticsearch@66bc59682d
2017-11-30 12:42:34 +02:00
Hendrik Muhs 756d878983 [ML-FC] do not allow durations below the bucket span (elastic/x-pack-elasticsearch#3166)
do not allow durations below the bucket span

Original commit: elastic/x-pack-elasticsearch@0e895c1ddd
2017-11-30 07:49:21 +01:00
Tim Vernum c2ff796fea Support realm validation when Keystore is closed (elastic/x-pack-elasticsearch#3096)
If the KeyStoreWrapper is closed, then we cannot validate secure settings (because we no longer have access to them)
The Realm group setting uses the "validate" method to ensure that child settings are correct, but it must ignore secure settings as it might get called
after startup (e.g. during a settings diff)

Original commit: elastic/x-pack-elasticsearch@b30db6bc62
2017-11-30 11:22:17 +10:00
Igor Motov 6fceb2fdde SQL: Fix more JDK vs Joda TZ issues (elastic/x-pack-elasticsearch#3137)
Adds a random timezone known to both JDK and Joda as a connection parameter to all JdbcIntegrationTestCase-based tests.

Original commit: elastic/x-pack-elasticsearch@6be6a3b69b
2017-11-29 19:15:29 -05:00
Lisa Cawley 90a1da82ee [DOCS] Subdivided getting started with ML pages (elastic/x-pack-elasticsearch#3167)
* [DOCS] Subdivided getting started with ML pages

* [DOCS] Added new getting started page to build.gradle

Original commit: elastic/x-pack-elasticsearch@968187b048
2017-11-29 12:03:51 -08:00
Lisa Cawley 11ab50d9dc [DOCS] Clarified watcher cleaner service behaviour (elastic/x-pack-elasticsearch#3135)
* [DOCS] Clarified watcher cleaner service behaviour

* [DOCS] Fixed typo in watcher settings

* [DOC] Clarified watcher and monitor setting dependencies

Original commit: elastic/x-pack-elasticsearch@1386139460
2017-11-29 08:25:59 -08:00
Michael Basnight bf27cd1457 Use SPI to glean reserved roles (elastic/x-pack-elasticsearch#3012)
This commit uses SPI to get the list of system wide reserved roles in
security. It does not yet split out the RoleDescriptor to a common
location so the implementing services still depend on security. Each
role, however, only depends on its own feature as well as security.

ref elastic/x-pack-elasticsearch#2925

Original commit: elastic/x-pack-elasticsearch@efebc3e5c8
2017-11-29 09:00:23 -06:00
Alexander Reelsen c641a30bc5 Docs: Explain watcher security integration/limitations (elastic/x-pack-elasticsearch#3106)
Original commit: elastic/x-pack-elasticsearch@991e1de267
2017-11-29 14:48:06 +01:00
Costin Leau c08eb56238 SQL: Improve grammar to better handle quotes (elastic/x-pack-elasticsearch#3051)
SQL: Improve grammar to better handle quotes

Fix typo in handling (back)quoted identifiers
Clarify use of unquote (dedicated for literals) and text (generic)
Address feedback
clarify that ` are picked up but not supported/recommended
Fix merge and adjust json errors to work on windows

Original commit: elastic/x-pack-elasticsearch@67e0f3f38e
2017-11-29 15:42:04 +02:00
Igor Motov d5525f38f3 SQL: Return proper NUM_PREC_RADIX for non-numeric types (elastic/x-pack-elasticsearch#3086)
NUM_PREC_RADIX should be 10 for integer types, 2 for rational types and null for everything else.

relates elastic/x-pack-elasticsearch#3085

Original commit: elastic/x-pack-elasticsearch@81d5ee04b3
2017-11-29 08:21:42 -05:00
David Kyle 171c48fd2f [TESTS] Refactor yml test suite classes (elastic/x-pack-elasticsearch#3145)
* Use XPackRestIT as base class for XDocsClientYamlTestSuiteIT

* Remove the XPackRestTestCase class

* Address review comments

* Fix checkstyle checks

Original commit: elastic/x-pack-elasticsearch@c2a5e60c12
2017-11-29 12:43:53 +00:00
David Roberts ef96831515 [ML] Don't mention unrelated indices when deleting job index aliases (elastic/x-pack-elasticsearch#3160)
This change fixes a problem that would cause job deletion to fail if ANY
index had a block on it, e.g. read-only.

The problem was that we were requesting the job aliases be deleted from
ALL indices in the system due to a misunderstanding with the format of the
get_aliases response.  This didn't usually cause any noticeable effects, as
only the ML indices would have the aliases.  But in the case of a read-only
index it would cause an error, leading to unnecessary failure of the job
deletion.

Fixes elastic/machine-learning-cpp#428

Original commit: elastic/x-pack-elasticsearch@a573f85a00
2017-11-29 11:39:30 +00:00
Dimitris Athanasiou 9ef9edc1ca [ML] Rework ScrollDataExtractorTests to make scroll clearing more robust (elastic/x-pack-elasticsearch#3150)
Original commit: elastic/x-pack-elasticsearch@7784497a3d
2017-11-29 11:19:13 +00:00
David Roberts 8cb6e63a0e [ML] Increase default limit on ML jobs per node from 10 to 20 (elastic/x-pack-elasticsearch#3141)
Following the changes of elastic/x-pack-elasticsearch#2975 the hard limit on the number of ML jobs
per node is no longer the only limiting factor.  Additionally there is
now a limit based on the estimated memory usage of the jobs, and this is
expected to provide a more sensible limit that accounts for differing
resource requirements per job.

As a result, it makes sense to raise the default for the hard limit on
the number of jobs, on the assumption that the memory limit will prevent
the node becoming overloaded if an attempt is made to run many large jobs.
Increasing the hard limit will allow more small jobs to be run than was
previously the case by default.

Of course, this change to the default will have no effect for customers
who have already overridden the default in their config files.

Original commit: elastic/x-pack-elasticsearch@9fed1d1237
2017-11-28 20:40:55 +00:00
Nik Everett 0cc153f6d3 Merge branch 'master' into feature/sql
Original commit: elastic/x-pack-elasticsearch@ccc2fc708e
2017-11-28 13:24:36 -05:00
Igor Motov da180bd9f9 Tests: Muted FullClusterRestartIT.testMonitoring
Tracked by elastic/x-pack-elasticsearch#3068

Original commit: elastic/x-pack-elasticsearch@199d4bb6b9
2017-11-28 12:06:10 -05:00
Nik Everett 18e88122eb SQL: Add more error integration tests (elastic/x-pack-elasticsearch#3134)
We didn't have many integration tests for errors other than the security
errors. This adds some and sets up a way we can make sure we are
consistent across the REST, JDBC, and CLI.

relates elastic/x-pack-elasticsearch#3033

Original commit: elastic/x-pack-elasticsearch@debbb2ec46
2017-11-28 11:54:51 -05:00
Dimitris Athanasiou d96be6c51f [ML] Only clear scroll when a scroll id exists (elastic/x-pack-elasticsearch#3148)
The issue here is that if the first search request fails
(initScroll), then we do not have a scroll_id. However,
in order to retry the search, we reset the scroll. That
involves clearing the current search, but since we do
not have a scroll_id, the clear scroll request fails.
We end up reporting the failure for the scroll clearing,
rather than the actual problem.

This commit fixes that by avoiding clearing the scroll
when the scroll_id is null.

relates elastic/x-pack-elasticsearch#3146

Original commit: elastic/x-pack-elasticsearch@b5086028f6
2017-11-28 16:48:24 +00:00
Lisa Cawley b6f322e72e [DOCS] Enable code snippet testing in open job API (elastic/x-pack-elasticsearch#3053)
* [DOCS] Enable code snippet testing in open job API

* [DOCS] Fixed open job API example

Original commit: elastic/x-pack-elasticsearch@f789041c2a
2017-11-28 08:26:58 -08:00
David Kyle ac01962a62 [DOCS] Disable monitoring for the docs tests (elastic/x-pack-elasticsearch#3143)
Original commit: elastic/x-pack-elasticsearch@114fdbf2d9
2017-11-28 15:57:17 +00:00
Jay Modi fa33f45cfb Test: remove KnownActionsTests (elastic/x-pack-elasticsearch#3133)
This commit removes the KnownActionsTests as it no longer serves the intended purpose of catching
actions/handlers added to elasticsearch that security needs to be aware of. Today, it is common
for this test to break the build and as a mechanical response developers just add to the actions
or handlers file to get the build green again.

Relates elastic/x-pack-elasticsearch#1489

Original commit: elastic/x-pack-elasticsearch@0bdb5341f5
2017-11-28 08:06:36 -07:00
Michael Basnight c7fea95476 Revert " Add "client-api-objects" dependency for xpack plugin and transport-client (elastic/x-pack-elasticsearch#2995)" (elastic/x-pack-elasticsearch#3083)
This reverts commit elastic/x-pack-elasticsearch@a6d83299d0.

Original commit: elastic/x-pack-elasticsearch@ca55ee747c
2017-11-28 09:05:00 -06:00
Dimitris Athanasiou 83e28bea3e [ML] Increase autodetect thread pool queue size (elastic/x-pack-elasticsearch#3142)
relates elastic/x-pack-elasticsearch#2981

Original commit: elastic/x-pack-elasticsearch@86719ada89
2017-11-28 14:46:04 +00:00
Dimitrios Athanasiou 84694fa4b4 [ML][DOCS] Fix doc error for forecast API
Original commit: elastic/x-pack-elasticsearch@999045d510
2017-11-28 14:15:40 +00:00
Adrien Grand 4e25ffad39 Fix compilation with Lucene 6.2.
Original commit: elastic/x-pack-elasticsearch@a34002a11c
2017-11-28 15:00:53 +01:00
Alexander Reelsen cdb85d8317 Watcher: Run tests without security enabled (elastic/x-pack-elasticsearch#3060)
In order to support the repository split, this changes the
`AbstractWatcherIntegrationTestCase` to not run with security enabled.

We have a dedicated QA project called `smoke-test-watcher-with-security`,
where tests that explicitly need security should be running.

This commit removes the possibility to enable security as part of the
test case. In addition some tests have been moved over to the dedicated
project.

In addition the `timewarp` functionality cannot be configured with a
system property anymore. This would not have worked anyway, because
tests were already dependent on that functionality and did not have any
other means of running. A bit of redundant code was removed due to this.

Relates elastic/x-pack-elasticsearch#2925

Original commit: elastic/x-pack-elasticsearch@b24b365ad1
2017-11-28 13:11:49 +01:00
Dimitris Athanasiou 3e52e0ba48 [ML] Validate duration and expires_in params in forecast API (elastic/x-pack-elasticsearch#3139)
Relates elastic/machine-learning-cpp#443

Original commit: elastic/x-pack-elasticsearch@f42e4490d1
2017-11-28 10:57:48 +00:00
Dimitris Athanasiou e396c61afc [ML] Remove forecast end param (elastic/x-pack-elasticsearch#3121)
The forecast API provides a `duration` parameter
which is the most convenient way of specifying
the span of the forecast. End time is now unnecessary
and possibly confusing.

Relates elastic/machine-learning-cpp#443

Original commit: elastic/x-pack-elasticsearch@04eb0408e7
2017-11-28 10:49:15 +00:00
David Roberts 220d0647b8 [ML] Specify ML_ORIGIN when batch scrolling results (elastic/x-pack-elasticsearch#3125)
This change applies the same pattern that was applied in elastic/x-pack-elasticsearch#3054 to the
ML batched results iterators, which are used to scroll through ML results
during some internal ML implementation details, such as renormalization
and nightly maintenance.

Additionally the thread context is reset before submitting the results
processor to a thread pool, to avoid masking the problem in situations
where the user opening the job coincidentally had workable permissions.

Fixes elastic/machine-learning-cpp#438

Original commit: elastic/x-pack-elasticsearch@bd1e2dc7d4
2017-11-28 09:48:49 +00:00
Nik Everett 193f22b97f SQL: Support larger strings in binary protocol (elastic/x-pack-elasticsearch#3130)
While we're fairly sure we're going to remove the binary protocol in the
long run, we're also fairly sure we're going to release the first
version of SQL with the binary protocol. One big problem with it is that
it blows up when it attempts to serialize fairly long strings. These
long strings are actually quite common in the CLI. They are also
possible in JDBC. I say "fairly long strings" because exactly how long
the string has to be is kind of funky. It is based on the number of
bytes that it takes to encode the string, and the strings are encoded in
a utf-8-like encoding of utf-16 encoded string documented here:
https://docs.oracle.com/javase/7/docs/api/java/io/DataOutput.html#writeUTF(java.lang.String)

Anyway, this fixes the protocol for these "fairly long strings" by
chunking the strings and adding an extra 4 byte integer before each
string to count the number of chunks. After that 4 byte integer the
strings are serialized using the "normal" DataInput/DataOutput encoding,
the funny utf-8-like encoding of the utf-16 encoded string.

relates elastic/x-pack-elasticsearch#3018

Original commit: elastic/x-pack-elasticsearch@11f0d59f20
2017-11-27 18:59:31 -05:00
Nik Everett df802b40c8 SQL: Rework SSL testing (elastic/x-pack-elasticsearch#3126)
Drop the ssl tests against the java builtin https server. They were
failing and the failures were undebuggable. I still don't know what was
happening because you can't get any logging out of the server.

Add SSL tests against Elasticsearch because that is what actually needs
to work.

relates elastic/x-pack-elasticsearch#2870

Original commit: elastic/x-pack-elasticsearch@284cf7fb58
2017-11-27 18:52:16 -05:00
Igor Motov 5c88fa0b3b SQL: Add support for plain text output to /_sql endpoint (elastic/x-pack-elasticsearch#3124)
The /_sql endpoint now returns the results in the text format by default. Structured formats are also supported using the format parameter or accept header similar to _cat endpoints.

Original commit: elastic/x-pack-elasticsearch@4353793b83
2017-11-27 18:10:13 -05:00
Igor Motov 0228020c5c SQL: Switch to URI parsing (elastic/x-pack-elasticsearch#3108)
Replaces custom URL parsing with URI parsing and moves baseURI from each client call into connection configuration.

relates elastic/x-pack-elasticsearch#2882

Original commit: elastic/x-pack-elasticsearch@c51059f56f
2017-11-27 18:09:05 -05:00
Lisa Cawley 9f59ef6697 [DOCS] Move migrate tool reference (elastic/x-pack-elasticsearch#3011)
* [DOCS] Move migrate tool reference

* [DOCS] Fixed link to migration tool

* [DOCS] Small edits to the migrate tool parameters

* [DOCS] Fixed migrate tool example

Original commit: elastic/x-pack-elasticsearch@0ff40ebdcc
2017-11-27 14:58:18 -08:00
Nik Everett 378abf1d8f SQL: Basic REST spec and tests (elastic/x-pack-elasticsearch#3128)
Adds a basic REST spec and tests for the SQL and translate endpoints so
that clients can execute these endpoints. We'll keep our complex
REST testing in Java REST tests though.

relates elastic/x-pack-elasticsearch#3115

Original commit: elastic/x-pack-elasticsearch@c5de301f3d
2017-11-27 14:57:12 -05:00
Lisa Cawley a7456cd87d [DOCS] Enabled code snippet testing for start datafeed API (elastic/x-pack-elasticsearch#3055)
* [DOCS] Enabled code snippet testing for start datafeed API

* [DOCS] Added datafeed creation to build.gradle

Original commit: elastic/x-pack-elasticsearch@1acb452cf0
2017-11-27 10:57:37 -08:00
Lisa Cawley b5d42c40e4 [DOCS] Enabled code snippet testing in stop datafeed API (elastic/x-pack-elasticsearch#3127)
Original commit: elastic/x-pack-elasticsearch@282eb587d5
2017-11-27 10:15:46 -08:00
Lisa Cawley 5507c46257 [DOCS] Fixed cross cluster search docs issue (elastic/x-pack-elasticsearch#3113)
Original commit: elastic/x-pack-elasticsearch@023d220082
2017-11-27 07:56:38 -08:00
Igor Motov 626e9b87a1 Merge remote-tracking branch 'elastic/master' into feature/sql
Original commit: elastic/x-pack-elasticsearch@6c5a683209
2017-11-27 09:26:14 -05:00
Alexander Reelsen 6406c9816a Watcher: Add transform input for chained input (elastic/x-pack-elasticsearch#2861)
The chained input in watcher is a useful feature to
call several endpoints before executing a condition.
However it was pretty hard to modify data from a previous
input in order to be able to execute it in another input.

This commit adds another input, called a `transform` input,
which allows you to do a transform as another input in a chained
input.

See this example

```
"input" : {
  "chain" : {
    "inputs" : [ <1>
      {
        "first" : {
          "simple" : { "path" : "/_search" }
        }
      },
      {
        "second" : {
          "transform" : {
            "script" : "return [ 'path' : 'ctx.payload.first.path' + '/' ]"
          }
        }
      },
      {
        "third" : {
          "http" : {
            "request" : {
              "host" : "localhost",
              "port" : 9200,
              "path" : "{{ctx.payload.second.path}}" <2>
            }
          }
        }
      }
    ]
  }
}
```

This allows for far more flexibility before executing the next input in a chained
one.

Original commit: elastic/x-pack-elasticsearch@3af9ba6e9b
2017-11-27 13:27:56 +01:00
David Kyle 3957518ab2 [DOCS] Fix cleaning up ML resources after tests
Original commit: elastic/x-pack-elasticsearch@986bdcd1f3
2017-11-27 10:02:16 +00:00
David Roberts 304330e1bc [ML] Specify ML_ORIGIN when calling the job update endpoint internally (elastic/x-pack-elasticsearch#3110)
This change applies the same pattern that was applied in elastic/x-pack-elasticsearch#3054 to a new
method that was introduced in elastic/x-pack-elasticsearch#2975 which was in-flight at the same time
so missed the original batch of changes.

relates elastic/x-pack-elasticsearch#3109

Original commit: elastic/x-pack-elasticsearch@8076c6cf6a
2017-11-27 09:18:24 +00:00
Jason Tedor c777c1d36f Refactor CLI commands as logging-aware commands
We have to ensure logging is configured for any CLI command that depends
on core Elasticsearch (since it might directly or indirectly touch
logging). This commit does this for all commands in X-Pack.

Relates elastic/x-pack-elasticsearch#3112

Original commit: elastic/x-pack-elasticsearch@f77f9b5052
2017-11-25 11:40:29 -05:00
Dimitris Athanasiou eb4186dd5c [ML] Stop datafeed when job fails (elastic/x-pack-elasticsearch#3107)
The problem here was that when the autodetect process crashes
we set the job state to FAILED but we did not remove the
communicator from the map in AutodetectProcessManager.

relates elastic/x-pack-elasticsearch#2773

Original commit: elastic/x-pack-elasticsearch@9b8eafb4d0
2017-11-24 15:04:29 +00:00
Alexander Reelsen d89d8abec9 Watcher: Fix equals/hashcode for WatchStatus (elastic/x-pack-elasticsearch#3105)
This was missed in elastic/x-pack-elasticsearch#3103 and fixes to add the headers variable to both
methods to ensure comparisons work as expected.

Original commit: elastic/x-pack-elasticsearch@df5e422698
2017-11-24 15:32:25 +01:00
Russ Cam e4e8870b13 Add opening state to Job states (elastic/x-pack-elasticsearch#2317)
Also updated open state to opened.

Original commit: elastic/x-pack-elasticsearch@663d95db1a
2017-11-24 11:35:51 +00:00
Alexander Reelsen 4fe9ac734b Watcher: Store thread context headers in watch (elastic/x-pack-elasticsearch#2808)
In order to be able to execute a watch as the user, who stored the
watch, this commit stores certain headers of the thread context, that
was used when the watch was stored.

Upon loading the watch the headers are loaded and applied for the
following watcher execution features

* search transform
* search input
* index action

A special case is the execute watch API, which overrides the headers loaded
from the watch with the one of the current request, so that a user
cannot execute this watch with other privileges of the user who stored it.

Only the headers "es-security-runas-user", "_xpack_security_authentication" are
copied for now, as those are needed for our security features.

The headers are stored in watch status in the watch and are not returned by default,
when the GET Watch API is used. A search reveals those of course.

relates elastic/x-pack-elasticsearch#2201

Original commit: elastic/x-pack-elasticsearch@9803bd51c2
2017-11-24 09:15:54 +01:00
David Turner 933c22dce6 Tidy up after elastic/x-pack-elasticsearch#3078 (elastic/x-pack-elasticsearch#3099)
Original commit: elastic/x-pack-elasticsearch@ebe599a422
2017-11-24 08:13:13 +00:00