Commit Graph

2016 Commits

Author SHA1 Message Date
Martijn van Groningen 5f01f793d5 Added document and field level security
This commit adds document and field level security to Shield.

Field level security can be enabled by adding the `fields` option to a role in the `role.yml` file.

For example:

```yaml
customer_care:
  indices:
    '*':
      privileges: read
      fields:
        - issue_id
        - description
        - customer_handle
        - customer_email
        - customer_address
        - customer_phone
```

The `fields` list is an inclusive list of fields that controls what fields should be accessible for that role. By default all meta fields (_uid, _type, _source, _ttl etc) are also included, otherwise ES or specific features stop working. The `_all` field, if configured, isn't included by default, since that actually contains data from all the other fields. If the `_all` field is required then this needs to be added to the `fields` list in a role. In the case of the content of the `_source` field and `_field_names` there is special filtering in place so that only the content relevant for the role is being returned.

If no `fields` is specified then field level security is disabled for that role and all fields in an index are accessible.

Field level security can be set up per index group.

Field level security is implemented at the Lucene level by wrapping a directory index reader and hiding away fields that aren't in the `field` list defined with the role of the current user. It is as if the other fields never existed.

* Any `realtime` read operation from the translog is disabled. Instead these operations fall back to the Lucene index, which makes these operations compatible with field level security, but they aren't realtime.
* If a user with role A executes first and the result gets cached, and then a user with role B executes the same query, results from the query executed with role A would be returned. This is bad and therefore the query cache is disabled.
* For the same reason the request cache is also disabled.
* The update API is blocked. An update request needs to be executed via a role that doesn't have field level security enabled.

Document level security can be enabled by adding the `query` option to a role in the `role.yml` file:
```yaml
customer_care:
  indices:
    '*':
      privileges: read
      query:
        term:
          department_id: 12
```

Document level security is implemented as a filter that filters out documents that don't match the query. This is like index aliases, but better, because the role query is embedded on the lowest level possible in ES (Engine level) and in all places that acquire an IndexSearcher the role query will always be included, while alias filters are applied at a higher level (after the searcher has been acquired).

Document level security can be set up per index group.

Right now, like alias filters, the document level security isn't applied on all APIs, for example the get api and term vector api, which ignore the alias filter. These apis do acquire an IndexSearcher, but don't use the IndexSearcher itself and directly use the index reader to access the inverted index, therefore bypassing the role query. If it is required that these apis need document level security too, then the implementation for document level security needs to change.

Closes elastic/elasticsearch#341

Original commit: elastic/x-pack-elasticsearch@fac085dca6
2015-08-27 17:54:50 +02:00
Tanguy Leroux 64bbc110ff Marvel: Fixes for Index Stats Collector tests
Original commit: elastic/x-pack-elasticsearch@4fdc11946e
2015-08-27 14:14:07 +02:00
Konrad Beiske 28af1e275a Merge pull request elastic/elasticsearch#3 from elastic/master
update from master

Original commit: elastic/x-pack-elasticsearch@2da5400562
2015-08-27 10:18:24 +02:00
Tanguy Leroux 38061c5f98 Marvel: Wait for shard allocation in IndexStatsCollectorTests
Original commit: elastic/x-pack-elasticsearch@f75c36f945
2015-08-26 18:00:19 +02:00
jaymode 049ff4cc9f add OSS snapshots as a plugin repository to resolve custom enforcer rule
Original commit: elastic/x-pack-elasticsearch@96e052b2de
2015-08-26 11:26:21 -04:00
Tanguy Leroux 8e5521a427 Move license status as calculated method
Original commit: elastic/x-pack-elasticsearch@92ce1d9d55
2015-08-26 10:26:27 +02:00
Tanguy Leroux 8d48382bab Marvel: Mute LicensesRendererIT test
Awaits fix for elastic/elasticsearch#13017

Original commit: elastic/x-pack-elasticsearch@d63df50a4a
2015-08-26 10:13:24 +02:00
Areek Zillur b24378b775 [TEST] add assertion message
Original commit: elastic/x-pack-elasticsearch@20a8b5ed1a
2015-08-26 00:24:32 -04:00
uboness f9a8c8937c fixes for hipchat integration tests
Original commit: elastic/x-pack-elasticsearch@df6311799b
2015-08-25 20:05:46 +02:00
uboness 5b363f1041 [watcher] Rename `Template` to `TextTemplate`
We have different types of templates in watcher - http request template, email template, hipchat message template, and simple text template... to avoid confusion, and clean up the codebase, this commit renames the `Template` class to `TextTemplate` to better convey what this template is about.

Original commit: elastic/x-pack-elasticsearch@8e5202019c
2015-08-25 16:19:50 +02:00
jaymode 693d16777c correct the shield offline download links
Closes elastic/elasticsearch#499

Original commit: elastic/x-pack-elasticsearch@86a8015132
2015-08-25 10:00:58 -04:00
uboness 0731a98e97 Introducing HipChat Action
An action capable of sending notifications to rooms and users on hipchat. This action supports three types of HipChat APIs:

- `v1` - The (now deprecated) legacy API where a token can be registered at the group level, and the `v1` version of the API can be used. This API only supports room notification (users cannot be notified). Multi-room notification is supported.

- `integration` - The basic integration that one can create in HipChat (it is using the `v2` API version), where notifications can be sent to a single room. User notification is unsupported by this API.

- `user` - this API uses an API token of a specific user. An admin user can create an API token and configure it to have access to room notification and user private messaging. This API supports multi-room and multi-user notifications.

The settings for `hipchat` are very similar to the `email` infrastructure in nature. It is possible to configure multiple/different hipchat accounts; each is associated with the api type (a.k.a. profile), which can be `v1`, `integration` or `user`, and the respective `auth_token`. When configuring the action in the watch, one can specify what hipchat account they would like to use (when not specifying an account, the `default_account` will be used). Each account can also specify its own unique `host`/`port` for the hipchat server, for full flexibility.

Closes elastic/elasticsearch#462

Original commit: elastic/x-pack-elasticsearch@9d9ee13542
2015-08-25 14:05:49 +02:00
Tanguy Leroux 78a70b5f65 Marvel: Fix test bug in MarvelSettingsTests
Original commit: elastic/x-pack-elasticsearch@6a68f61051
2015-08-25 13:31:22 +02:00
Tanguy Leroux 4d65f396c8 Marvel: Stop collecting data X days after license expiration
Closes elastic/elasticsearch#370, elastic/elasticsearch#470

Original commit: elastic/x-pack-elasticsearch@7ed95605ff
2015-08-25 10:47:59 +02:00
Areek Zillur ef7d4e2579 stub out acknowledge callbacks for commercial plugins
Original commit: elastic/x-pack-elasticsearch@d16f9dc1df
2015-08-24 18:25:40 -04:00
Areek Zillur 0b9021ee87 Add license acknowledgment mechanism for consumer plugins to notify users when they attempt to install a new license
closes elastic/elasticsearch#461

Original commit: elastic/x-pack-elasticsearch@bc30ac2871
2015-08-24 18:25:29 -04:00
jaymode f879ccf426 update version numbers in shield documentation to 2.1.0
Cherry-pick of commit to 2.0 and updated to change version to 2.1.0

Original commit: elastic/x-pack-elasticsearch@8672bbf1b1
2015-08-24 11:23:20 -04:00
Martijn van Groningen 31f3830cf7 unmuted scan parse tests and don't be strict when parsing the search type. (Watcher fails when it sees scan is being used)
Closes elastic/elasticsearch#484

Original commit: elastic/x-pack-elasticsearch@fea5d6a22d
2015-08-24 14:12:08 +02:00
Alexander Reelsen 1177c9ee53 Release: Add release script for S3 uploading
In order to adhere to our elasticsearch core release script,
this script allows you to use a staging release to build x-plugins
against it, and then upload the created artifacts to the same
s3 bucket, so people can actually test the whole package of core
plus x-plugins.

Please read the documentation in the RELEASE.md document to understand
when to run which script!

Original commit: elastic/x-pack-elasticsearch@a43ce25b6f
2015-08-23 13:37:50 +02:00
Simon Willnauer e723c355d8 Remove unused imports - SpawnModules.java is removed
Original commit: elastic/x-pack-elasticsearch@717d38694d
2015-08-23 13:03:50 +02:00
Robert Muir 18702cae00 Bootstrap -> BootstrapInfo
Original commit: elastic/x-pack-elasticsearch@c40454618b
2015-08-22 08:41:55 -04:00
Ryan Ernst 67d9b94c5f Merge pull request elastic/elasticsearch#489 from rjernst/one_way_process
Remove use of PreProcessModule

Original commit: elastic/x-pack-elasticsearch@8b6a5c7ade
2015-08-21 19:27:19 -07:00
Ryan Ernst 670b9b5ce8 Remove use of PreProcessModule
PreProcessModule was an alternate way to customize another module's
behavior inside plugins. The preferred (and only in the future) way to
do this is with onModule in the plugin itself. This change moves the
only two remaining users of PreProcessModule to do so in their
respective plugins. The use case was adding roles for shield
authorization, but these roles were really static, so there was no
reason they could not be configured up front.

Original commit: elastic/x-pack-elasticsearch@e67ac2dcb6
2015-08-21 14:23:23 -07:00
jaymode 204bb2accb fix custom realm integration tests on windows
Original commit: elastic/x-pack-elasticsearch@d5a8722502
2015-08-21 14:08:43 -04:00
jaymode 70a37440cf fix IndexAuditTrail test failure
Failure was caused by using NetworkAddress.format instead of NetworkAddress.formatAddress

Original commit: elastic/x-pack-elasticsearch@48c5c34f57
2015-08-21 12:00:57 -04:00
jaymode 8fd5fe7ed8 add the ability to register custom authentication realms
This adds the extension points necessary to enable a user to write an elasticsearch plugin
that can integrate with Shield and add a custom authentication realm. For the most part,
the work here just exposes the existing interfaces we have been using for Realms and
factories to create realms. An additional interface was added to allow for a custom
authentication failure handler to be used. This was needed to support use cases like SSO
and Kerberos where additional headers may need to be sent to the user or a different
HTTP response code would need to be sent.

Relates to elastic/elasticsearch#24

Original commit: elastic/x-pack-elasticsearch@13442e5919
2015-08-21 10:39:05 -04:00
jaymode 7e552f393b fix all InetAddress forbidden apis and compile errors
This commit also fixes test shard routing compilation error and disables local address check in
the Shield IPFilter. This will be addressed in a followup, see elastic/elasticsearch#487

Original commit: elastic/x-pack-elasticsearch@984df0b131
2015-08-21 09:22:57 -04:00
jaymode 64706aefe4 mute watcher tests failing due to scan deprecation
Original commit: elastic/x-pack-elasticsearch@17f3d5c005
2015-08-20 14:06:30 -04:00
Tanguy Leroux f08b53eb2d Marvel: Use cluster UUID in hash function
Original commit: elastic/x-pack-elasticsearch@919f7928f0
2015-08-20 12:34:17 +02:00
Tanguy Leroux 392398c7aa Marvel: Remove and clean payload stuff
Closes elastic/elasticsearch#476

Original commit: elastic/x-pack-elasticsearch@9e90fe26f6
2015-08-20 12:31:51 +02:00
jaymode 8bb35cd6c3 fix transport client documentation for 2.0 and add notes about file locations
This also changes ES_HOME/config -> CONFIG_DIR in the documentation to more accurately reflect the
location of configuration files as they are not always in ES_HOME/config.

Closes elastic/elasticsearch#455
Closes elastic/elasticsearch#432

Original commit: elastic/x-pack-elasticsearch@63ce35450c
2015-08-20 06:29:13 -04:00
debadair dffd30d591 Updated package installation information. Closes elastic/elasticsearch#376.
Original commit: elastic/x-pack-elasticsearch@59be16531c
2015-08-19 14:10:51 -07:00
Areek Zillur ef11bc3f05 remove using License.builder in marvel test
Original commit: elastic/x-pack-elasticsearch@bef6683b12
2015-08-19 17:03:47 -04:00
debadair 3d5fef9d8f Updated the SSL config & CA topics to make the procedures clearer.
Original commit: elastic/x-pack-elasticsearch@9a08da7703
2015-08-19 13:51:54 -07:00
Tanguy Leroux 1f41d42f39 Marvel: Use UUIDs in Marvel Docs
Related to elastic/elasticsearch#460

Original commit: elastic/x-pack-elasticsearch@ecf360eff5
2015-08-19 18:21:39 +02:00
Ryan Ernst 804cf68031 Merge pull request elastic/elasticsearch#472 from rjernst/despawn
Remove uses of SpawnModules

Original commit: elastic/x-pack-elasticsearch@09b719e9c0
2015-08-19 08:56:43 -07:00
jaymode de02fd3c9c remove AwaitsFix from IPHostnameVerification tests now that it is fixed in core
Closes elastic/elasticsearch#468

Original commit: elastic/x-pack-elasticsearch@e2623762a3
2015-08-19 10:01:31 -04:00
Tanguy Leroux 2ffd79f0f6 Marvel: Add Licenses collector to ship licensing information into a dedicated index
Closes elastic/elasticsearch#369

squash

Original commit: elastic/x-pack-elasticsearch@6d6d5c08d2
2015-08-19 12:31:53 +02:00
Tanguy Leroux 3c1372b757 Marvel: Add simple launcher to run Marvel in an IDE
Original commit: elastic/x-pack-elasticsearch@a9a29796ca
2015-08-19 09:39:31 +02:00
Ryan Ernst e0128daf9a Remove uses of SpawnModules
SpawnModules will be going away very soon as part of
elastic/elasticsearch#12783. This change removes its use from all
x-plugins.

Most spawnmodules uses here were to either collect a number of modules
into one (so the modules were just moved up into the plugin itself), or
to spawn a module which interacted with an extension point from ES. This
change moves those, as well as most uses of PreProcessModule, to use
onModule.

Original commit: elastic/x-pack-elasticsearch@6430e35379
2015-08-18 18:41:44 -07:00
Ryan Ernst 2b5cb6b9f2 Fix compile after removal of apache commons and refactoring of plugin api
Original commit: elastic/x-pack-elasticsearch@5171192d16
2015-08-18 15:35:01 -07:00
Tanguy Leroux 9dc9a1cce7 Marvel: Mute IndexStatsCollectorTests
Original commit: elastic/x-pack-elasticsearch@7b1f2dab6d
2015-08-18 23:43:40 +02:00
jaymode 152aeaa776 remove NetworkUtils and InetAddress getLocalHost usage in shield
Original commit: elastic/x-pack-elasticsearch@460ef63824
2015-08-18 13:31:03 -04:00
Tanguy Leroux 4756f07f2b Marvel: Update settings
Original commit: elastic/x-pack-elasticsearch@2cc525e95a
2015-08-18 19:01:27 +02:00
David Pilato 29f8362bce [maven] fix build issues with artifactId renaming
Related to elastic/elasticsearch#450

Original commit: elastic/x-pack-elasticsearch@780002a9de
2015-08-18 18:03:40 +02:00
David Pilato 5899dc5f46 [maven] fix build issues with artifactId renaming
Related to elastic/elasticsearch#450

Original commit: elastic/x-pack-elasticsearch@d84fc8e85f
2015-08-18 17:29:09 +02:00
David Pilato 22a191ba0a [maven] change also artifactId for x-dev-tools
Original commit: elastic/x-pack-elasticsearch@dd837702d2
2015-08-18 13:55:12 +02:00
David Pilato a7d3a9408f [maven] change also name for parent and dev-tools
Original commit: elastic/x-pack-elasticsearch@119d4cfa02
2015-08-18 13:55:12 +02:00
David Pilato 7b10f36775 [maven] rename artifactIds from `elasticsearch-something` to `something`
When https://github.com/elastic/elasticsearch/pull/12879 is merged, this commit should be merged as well.

```
[INFO] Reactor Summary:
[INFO]
[INFO] Elasticsearch Commercial Plugin Build Resources .... SUCCESS [  0.228 s]
[INFO] Elasticsearch X-Plugins - Parent POM ............... SUCCESS [  0.282 s]
[INFO] X-Plugins: License: Parent POM ..................... SUCCESS [  0.089 s]
[INFO] X-Plugins: License: Core ........................... SUCCESS [  0.118 s]
[INFO] X-Plugins: License: Licensor ....................... SUCCESS [  0.150 s]
[INFO] X-Plugins: License: Plugin API ..................... SUCCESS [  0.106 s]
[INFO] X-Plugins: License: Plugin ......................... SUCCESS [  0.112 s]
[INFO] X-Plugins: Shield .................................. SUCCESS [  0.234 s]
[INFO] X-Plugins: Watcher ................................. SUCCESS [  0.264 s]
[INFO] X-Plugins: Marvel .................................. SUCCESS [  0.113 s]
[INFO] QA: Parent POM ..................................... SUCCESS [  0.097 s]
[INFO] QA: Smoke Test X-Plugins ........................... SUCCESS [  0.107 s]
[INFO] QA: Shield core REST tests ......................... SUCCESS [  0.093 s]
[INFO] QA: Smoke Test Watcher's Shield integration ........ SUCCESS [  0.109 s]
```

Original commit: elastic/x-pack-elasticsearch@e9871261cf
2015-08-18 13:55:11 +02:00
Ryan Ernst dbaf3166ef Fix compile, NetworkUtils get hostname and address methods changed
Original commit: elastic/x-pack-elasticsearch@64a94930dd
2015-08-18 00:13:23 -07:00