The SecurityIndexSearcherWrapper was calling toQuery instead of toFilter, which in certain cases can trip the max
clause count check for a boolean query. The same query works fine as a filter and that is what users would expect when
using the query for document level security.
Original commit: elastic/x-pack-elasticsearch@40330636ec
There were two problems:
1. The location for the autodetect process was ES_HOME/config/ml
2. The location for the normalize process was its current working
directory
In both cases the correct location is ES_HOME/config/x-pack
Original commit: elastic/x-pack-elasticsearch@7d8a384fda
When retrying datafeed task only start datafeed when job is in started state.
Run datafeed task on the node where the job task is running.
Let start datafeed api waits until datafeed state has been set to started.
Original commit: elastic/x-pack-elasticsearch@ebf1d3b9aa
This commit removes the NativeRealmMigrator's dependency on the NativeUserStore and instead directly uses the
InternalClient for the migration operations. There are pros and cons to doing it both ways, but I feel this
method makes it more explicit that this is what the migrator is going to do. The downside here is that there
are two places in the code that need to know the inner details of how we store users.
Additionally, by doing this we avoid a race condition between the NativeUsersStore starting and the
NativeRealmMigrator attempting to get all of the reserved users. This race causes the
OldSecurityIndexBackwardsCompatibility tests to fail intermittently.
Original commit: elastic/x-pack-elasticsearch@6c388db535
When a watch gets written by an external process, we should refresh
immediately, so that watches and their state are immediately available,
also via search which is needed for the Watcher UI.
Closeselastic/elasticsearch#4695
Original commit: elastic/x-pack-elasticsearch@8bed60c928
In order to help watcher UI easily gather the status of a watch
and its actions, we should write the watch status in the history
as well.
This commit is doing exactly that. Tests ensure, that the status is not searchable,
as in the watch mapping itself.
This also requires the history template to be changed, thus the counter of the template
had to be increased as well.
Some minor refactorings by making ctors private that dont need to be public
have been happening as well.
Closeselastic/elasticsearch#4735
Original commit: elastic/x-pack-elasticsearch@df8352ceb5
Also, this change allows the credentials to be passed in through
gradle properties, which will allow the unified release to use its own
aws credentials, supplied securely to the build.
Original commit: elastic/x-pack-elasticsearch@62f7a30e59
This extends the DBQ to delete from a pattern, rather than a specific index. Once shared/rollover
indices are implemented, this will be capable of purging results from the matching set.
Original commit: elastic/x-pack-elasticsearch@4ec0944173
After authenticating with vault it can take time for the credentials to be propagated by the AWS API. previously we would just blindly wait for 10 seconds and then try to continue. This change introduces a retry loop where we will do a `headBucket` request every 0.5 seconds until the bucket is accessible or until we have tried 15 times. This means the build is only held up for at most 0.5 seconds after the bucket is accessible.
This is a step towards the final solution since the authentication with vault still happens on every build in the configuraiton phase. A subsequent change will be made to move this out of the configuration phase so that it only runs when the dependencies are required.
Original commit: elastic/x-pack-elasticsearch@ab3abba1ea
Also replaced the DELETING status from JobState with a boolean flag on Job. The state of a job is now stored inside a persistent task in cluster state. Jobs that aren't running don't have a persistent task, so I moved that notion of being deleted to the job config itself.
Original commit: elastic/x-pack-elasticsearch@b0ed82124d
Windows requires named pipes to be created at a specific location so we need to allow access to this special location in the security policy for the machine learning plugin to run on X-Pack
Original commit: elastic/x-pack-elasticsearch@3079e88713
This commit marks the monitoring rest bulk action as supporting a content stream. This endpoint takes the same format as the normal bulk endpoint so we need to also accept the newline delimited JSON content type header here.
Closeselastic/elasticsearch#4913
Original commit: elastic/x-pack-elasticsearch@a312cd1256
This is temporary fix to allow more time for the AWS credentials to be progagated by the AWS API. Following this we will implement a retry mechanism to keep trying to find the dependency for an amount of time
Original commit: elastic/x-pack-elasticsearch@a300b8698b
In order to have monitoring use alerts on cloud, we need to
enable watcher when the STANDARD license is in place. For
more information, please refer to the referenced issue.
Closeselastic/elasticsearch#4766
Original commit: elastic/x-pack-elasticsearch@9d5547274c
This means we can reference the local build from within the prelert-legacy build script and build it directly
Original commit: elastic/x-pack-elasticsearch@14024841ab
* Methods to update the running process with new settings
* Task to update the running autodetect process
* Don’t start process update task if not config specified
Original commit: elastic/x-pack-elasticsearch@4364b141b5
Adds a new `xpack.security.authc.accept_default_password` setting that defaults to `true`. If it is set to false, then the default password is not accepted in the reserved realm.
Adds a bootstrap check that the above setting must be set to `false` if security is enabled.
Adds docs for the new setting and bootstrap.
Changed `/_enable` and `/_disable`, to store a blank password if the user record did not previously exist, which is interpreted to mean "treat this user as having the default password". The previous functionality would explicitly set the user's password to `changeme`, which would then prevent the new configuration setting from doing its job.
For any existing reserved users that had their password set to `changeme`, migrates them to the blank password (per above paragraph)
Closes: elastic/elasticsearch#4333
Original commit: elastic/x-pack-elasticsearch@db64564093
This is related to elastic/elasticsearchelastic/elasticsearch#22964. Methods that could
open socket connections are being made forbidden apis. This commit
either replaces usages with URL.openStream() with a call to
FileSystemUtils.openFileURLStream(URL url) (in the case of a file url)
or adds SuppressForbidden annotations.
Original commit: elastic/x-pack-elasticsearch@93b1b11375
This commit brings back support an auto-generated certificate and private key for
transport traffic. The auto-generated certificate and key can only be used in development
mode; when moving to production a key and certificate must be provided.
For the edge case of a user not wanting to encrypt their traffic, the user can set
the cipher_suites setting to `TLS_RSA_WITH_NULL_SHA256` or a like cipher, but a key/cert
is still required.
Closeselastic/elasticsearch#4332
Original commit: elastic/x-pack-elasticsearch@b7a1e629f5
Flush has the contract that when it is done results are up-to-date.
Thus, it adds no value to have it timeout. In most cases, the request
should be pretty responsive apart from when it advances time forward.
In the latter scenario, it could force results to be calculated for a
long period of time which could take long. The one use case for this
is the datafeeds and there is no issue with waiting flush to finish.
This PR changes flush to always wait to completion. However, it adds
checking that the c++ process is alive every second, to avoid long
waits in vain when something has gone horribly wrong.
Fixeselastic/elasticsearch#826
Original commit: elastic/x-pack-elasticsearch@de421ab843
Dimitris Athanasiou
Jay Modi
David Roberts
Martijn van Groningen
Adrien Grand
Alexander Reelsen
Jason Tedor
Ryan Ernst
Zachary Tong
Pier-Hugues Pellerin
Colin Goodheart-Smithe
Zachary Tong
David Kyle
Simon Willnauer
Tim Vernum
Boaz Leskes
Tim Brooks