This change ensure that the ThreadContext is always restored after an action has been invoked when
going through the SecurityActionFilter and authentication and authorization is enabled.
Original commit: elastic/x-pack-elasticsearch@5da70bd6fa
This removes the "skipped exporter" logging at the info level in favor of debug level. The LocalExporter has been updated so that non-elected master nodes will log a "waiting for elected master node..." message when they're ready, but are stuck waiting for the master node to setup indices.
Original commit: elastic/x-pack-elasticsearch@3f8b58bc37
Turns out that this test became flaky on dev machines with specific DNS setup.
This test uses an index action to provoke an error, thus there is no dependency
on anything network specific.
The reason it was uncovered now, was due to the change to the Apache HTTP client which is doing DNS lookups. This DNS lookup happened inadvertantly because of a bug in the test, which had a URI like http://http://127.0.0.1.... However having web request was not needed at all, so it was replaced.
Closeselastic/elasticsearch#4561
Original commit: elastic/x-pack-elasticsearch@158516b5e5
The CompositeRolesStoreTests#testNegativeLookupsAreCached test had a bug where it was expected to
retrieve the superuser role but the mockito verification on the call failed. This was because there
is also randomization on the number of times to call, which could be 0.
Closeselastic/elasticsearch#4562
Original commit: elastic/x-pack-elasticsearch@5c62df15b7
We frequently have support requests to diagnose LDAP realm problems.
One of the tools that would be useful in those cases is to be able to turn on trace logging and be able to see the LDAP searches and their results
Original commit: elastic/x-pack-elasticsearch@632d8e4f19
This commit marks ActionThrottleTests#testFailingActionDoesGetThrottled
as awaits fix as this test fails reliably.
Original commit: elastic/x-pack-elasticsearch@465c48b603
Changes required are for two reasons:
1) SearchResponse is a self contained valid object which doesn't need to be wrapped in a new object anymore
2) RestToXContentBuilderListener requires ToXContentObject, hence GraphExploreResponse needs to be moved over
Original commit: elastic/x-pack-elasticsearch@12277d0220
This commit renames the current AgentService into MonitoringService and changes the way it works: it was previously based on thread sleeping and it now use thread scheduling instead.
At every given time interval, a MonitoringExecution is executed. It first checks if monitoring data can be collected and if so it will collect data from Collectors and then export the data using the Exporters. There are cases where the data cannot be collected: when the service is stopping, when the interval has been set to -1 after the MonitoringExecution has been scheduled, or when the previous data collection is not yet terminated. In this last case, MonitoringExecution will still be executed at the given interval but will not collect any data.
All tasks are executed on the generic thread pool.
closeselastic/elasticsearch#2866
Original commit: elastic/x-pack-elasticsearch@d37b4d3731
Watcher: Use Apache HttpClient for internal Watcher HttpClient
The current implementation based on URLConnection has several drawbacks.
* If server returned HTTP header but then got stuck, no timeout would help, the connection remained stuck
* GET requests with a body were not supported, the method was silently changed to POST
* More complex handling of input/error stream handling, the body could not be read from a single input stream
NOTE: This is a BWC breaker. From now on every part of the URL needs to be encoded properly before it is configured in the requeust builder. This requires an upgrade of all watches.
Closeselastic/elasticsearch#1141
Original commit: elastic/x-pack-elasticsearch@bbc8f85dd8
An integration test was failing due to the possibility of the
.watch index being an alias (which only happens rarely).
Original commit: elastic/x-pack-elasticsearch@d53a4ebdd4
Watcher: Remove async code in sync code block
When removing the watch store this code snippet sneaked in.
A call to get a watch in order to find out if it exists was async, but
the code checking the result was called immediately afterwards without
waiting for the result, thus always using the default value.
This also removes some unused code in TriggeredWatchStore.
Original commit: elastic/x-pack-elasticsearch@c47e70bf8a
Add `logstash`, in addition to `kibana` type mappings if they are missing from the _existing_ .monitoring-data-2 indices. This allows existing indices to be upgraded in place to support the Logstash monitoring feature added in 5.2 without having to delete the .monitoring-data-2 index.
Original commit: elastic/x-pack-elasticsearch@864343a116
* [Monitoring] BWC Allow New Types to be added to .monitoring-data-2 index
This adds the new Logstash (and technically Kibana) types to the index mapping if they're not already there. Pre-existing indices will be blocked from creating new types in the index due to the index setting. The index setting cannot be flipped without opening/closing the index, so manually adding the new types is easier.
Original commit: elastic/x-pack-elasticsearch@e85e800335
Currently, roles making use of field or document level security are still applied when
the license level does not enable field and document level security. There is no indication
that these roles are not being applied so it is misleading to users. This change prevents
these roles for applying to authorization and also adds a transient metadata to the response
that indicates which features of a role is unlicensed.
Additionally, this PR prevents the addition or modification of roles to include field or
document level security.
Closeselastic/elasticsearch#2472
Original commit: elastic/x-pack-elasticsearch@c9455958f5
The interval value set is "minimumShouldMatch" and also the documented query dsl
parameter is `minimum_should_match` so we can deprecate
`minimum_number_should_match` and its getters/setters in 5.x and remove them in 6.
Original commit: elastic/x-pack-elasticsearch@53ce64b7b3
* [Monitoring] Use Cgroup Data from _nodes/stats
This adds Cgroup data from _nodes/stats.
- This also adds 5m and 15m from system load, which are sent from ES, but
were not recorded. Kibana does record/report those values though.
Original commit: elastic/x-pack-elasticsearch@8e04452c60
This PR adds UI for visualizing Logstash internal metrics with contributions from @ph, @jsvd and @pickypg
Changes include:
* x-pack component for Logstash which installs a monitoring exporter plugin to Logstash core. This periodically ships
monitoring data to the monitoring bulk API endpoint.
* Adds xpack.monitoring.* setting to logstash.yml when x-pack is installed.
* UI changes to graph Logstash monitoring data. Logstash processes are called nodes. They send separate monitoring info
which gets aggregated and displayed at cluster level and also at individual node level.
* Adds gradle build support for Logstash x-pack which can be controled via `xpack.logstash.build=false`
Fixeselastic/elasticsearch#4169
Original commit: elastic/x-pack-elasticsearch@f58ef406c1
When migrating realms to use the new settings for SSL, the removal of the
hostname_verification setting was missed in addition to actually using the
ssl.verification_mode setting. This change deprecates the
hostname_verification and enables the use of the ssl.verification_mode setting.
Original commit: elastic/x-pack-elasticsearch@ea24e83fd3
This PR changes how we use roles and how we look at the roles of a user. Previously we looked up each role individually, parsed each into their own `Role` object, and had a wrapper that essentially served as an iterator over the roles. The same pattern was also followed for the permissions that composed a role (ClusterPermission, IndicesPermission, and RunAsPermission). This resulted in a lot of code that was hard to follow and could be inefficient.
Now, we look up the roles for a user in bulk and only get the RoleDescriptor for each role. Once all role descriptors have been retrieved, we build a single Role that represents the user's permissions and we also cache this combination for better performance as authorization can happen many times for a single top level request as we authorize the top level request and any sub requests, which could be a large number in the case of shard requests.
This change also enabled a large cleanup of our permission and privilege classes, which should reduce the footprint of what needs to be followed. Some of the notable changes are:
* Consolidation of GeneralPrivilege and AbstractAutomatonPrivilege into the Privilege class
* The DefaultRole class has been removed and the permissions it provided were moved into the AuthorizationService
* The GlobalPermission class was removed as there is a single role that represents a user's permissions
* The Global inner classes for the various permissions were removed
* The Core inner class was removed and ClusterPermission, IndexPermission, RunAsPermission became final classes instead of interfaces
* The Permission interface has been removed. The isEmpty() method defined by this interface is not needed as we can simply evaluate the permission to get the same effect
* The ClusterPermission#check method only takes the action name again
* The AutomatonPredicate class was removed and replaced by Automatons#predicate
* IndicesAccessControl objects no longer need to be merged when evaluating permissions
* MergedFieldPermissions has been removed
* The Name class that was used to hold an array of strings has been removed and replaced with the use of a Set
* Privilege resolution is more efficient by only combining automata once
Other items:
* NativeRolesStore no longer does caching, so the RoleAndVersion class could be removed
* FileRolesStore doesn't need to be an AbstractLifecycleComponent
Relates elastic/elasticsearch#4327
Original commit: elastic/x-pack-elasticsearch@c1901bc82e
