Commit Graph

67 Commits

Author SHA1 Message Date
jaymode 942a70328c test: smoke-test-plugins-ssl no longer relies on logging to start
This change adds a HTTPS check for smoke-test-plugins-ssl so it no longer has to wait for
a debug level log message.

Closes elastic/elasticsearch#2303

Original commit: elastic/x-pack-elasticsearch@f3eaaad5d4
2016-08-31 08:08:41 -04:00
Ryan Ernst 1bfef646b8 Build: Add apijar task to assemble so it gets built with other artifacts
Original commit: elastic/x-pack-elasticsearch@ab9ce9c8d6
2016-08-30 11:23:22 -07:00
Nik Everett 8f22eaf1b7 Security: Add tests for indexes created in 2.x (elastic/elasticsearch#3203)
The actual backwards compatibility support is handled by core's ability to downgrade `keyword` and `text` into `string` for indexes created in 2.x.

Original commit: elastic/x-pack-elasticsearch@6b615d9a45
2016-08-29 12:00:19 -04:00
jaymode dfdf77c536 security: upgrade to bouncy castle 1.55
Bouncy castle 1.55 was released earlier today and this commit updates the version
we use to 1.55.

Original commit: elastic/x-pack-elasticsearch@95e002431b
2016-08-25 09:41:12 -04:00
Ryan Ernst 1aa72336a0 Merge pull request elastic/elasticsearch#3191 from rjernst/api_jar
Build: Add api jar and client jar for xpack

Original commit: elastic/x-pack-elasticsearch@7743f43e23
2016-08-23 11:51:05 -07:00
jaymode 7536acdc9f security: cleanup logging and other minor enhancements/fixes
This change cleans up some of the log messages and levels that could now be considered misleading.

While performing these cleanups, the following was done:

* remove creation of dummy user for gradle run as we have the `elastic` user
* Request interceptors are not bound if field and document level security is disabled
* FLS/DLS interceptors skip execution if document and field level security is disabled by the license state
* The roles store that loaded the role is logged at the TRACE level
* The TransportXPackUsageAction was using the incorrect action name when registering a handler

Closes elastic/elasticsearch#2096
Closes elastic/elasticsearch#1861
Closes elastic/elasticsearch#2229
See elastic/elasticsearch#1879

Original commit: elastic/x-pack-elasticsearch@ac16b21c0c
2016-08-23 14:35:23 -04:00
Ryan Ernst f28f77f73c Build: Add api jar and client jar for xpack
This adds back (again) building a transport client plugin jar for
x-pack, and also adds producing an "api" jar which extension authors can
build against. For now, both these jars are exactly the same, but
eventually they could differ, and be reduced to less than the real
x-pack jar.

see elastic/stackelastic/elasticsearch#7

Original commit: elastic/x-pack-elasticsearch@0a989de18b
2016-08-22 15:40:46 -07:00
Martijn van Groningen f10fbeeb70 watcher: remove WatchScript class
Original commit: elastic/x-pack-elasticsearch@fb2f9a28f1
2016-08-22 09:39:13 +02:00
Ryan Ernst 8ae939fec7 Remove client jar
This reverts building a separate client jar for xpack. It is not
necessary because we already build x-pack as a jar and publish to
elastic maven, since extension authors need that.

Original commit: elastic/x-pack-elasticsearch@2fab06b42c
2016-08-19 16:17:54 -07:00
Ryan Ernst aa4fad9009 Build: Enable x-pack to build a transport client plugin jar
Original commit: elastic/x-pack-elasticsearch@f42f7a1cd2
2016-08-19 09:15:54 -07:00
jaymode b525891212 Netty 4 transport working
Original commit: elastic/x-pack-elasticsearch@081e68c087
2016-08-02 13:43:16 -04:00
Ryan Ernst 9d6d858449 Merge pull request elastic/elasticsearch#2958 from rjernst/move_license
Move License into xpack

Original commit: elastic/x-pack-elasticsearch@6b86ce6f14
2016-07-28 08:41:23 -07:00
Tanguy Leroux 7a6ed965b9 Update LICENSE.txt
The previous LICENSE.txt file still referred to Marvel Software. This commit updates the content of the license for X-Pack for both Elasticsearch and Kibana plugins.

closes elastic/elasticsearch#2644

Original commit: elastic/x-pack-elasticsearch@bace98250e
2016-07-28 09:24:25 +02:00
Ryan Ernst 8514b1422e Move License into xpack
We currently have the license:base project, as well as license:licensor.
Xpack depends on license base. This change moves all the base license
code into xpack, and makes the license-tools (previously called
licensor) depenend on x-pack.

Original commit: elastic/x-pack-elasticsearch@7fd462ad6a
2016-07-28 00:16:18 -07:00
Ryan Ernst 3e8bc2879f Add back disabling dependency licenses check
Original commit: elastic/x-pack-elasticsearch@51b76f6f89
2016-07-25 18:06:57 -07:00
Ryan Ernst b9a3fa3079 Build: Turn on license header checks
This is dependent on elastic/elasticsearchelastic/elasticsearch#19589. It also fixes the
existing files that either were missing the license header or had the
open source license header.

Original commit: elastic/x-pack-elasticsearch@2642c20381
2016-07-25 17:09:54 -07:00
jaymode 9be5c7df60 security: remove SelfReSchedulingRunnable
This commit removes the SelfReschedulingRunnable and changes the native stores
to use the threadpool for scheduling again since we have now fixed the issue in core.

Original commit: elastic/x-pack-elasticsearch@50030e31ff
2016-07-19 12:19:52 -04:00
jaymode 59fcb205b5 security: active directory and ldap realm improvements
This commit is a combination of enhancements and fixes to the active directory
and ldap realms. The active directory realm has been enhanced to add support
for authentication against multiple domains in a forest. The ldap realm has
been updated so that:

* attributes required for group resolution are loaded eagerly if possible
* user search can now be executed using unpooled connections
* the default search filter for groups now includes posixGroup and memberUid
to avoid users needed to understand ldap filters

Finally, the UnboundID LDAP SDK was upgraded to the latest version and some
long standing AwaitsFix were addressed.

Closes elastic/elasticsearch#20
Closes elastic/elasticsearch#26
Closes elastic/elasticsearch#1950
Closes elastic/elasticsearch#2145
Closes elastic/elasticsearch#2363

Original commit: elastic/x-pack-elasticsearch@63c9be2337
2016-07-18 08:39:57 -04:00
Jason Tedor 496e112c5e Rename transport-netty to transport-netty-3
This commit renames the Netty 3 transport module from transport-netty to
transport-netty3. This is to make room for a Netty 4 transport module,
transport-netty4.

Relates elastic/elasticsearch#2827

Original commit: elastic/x-pack-elasticsearch@e6487cefa2
2016-07-14 22:03:29 -04:00
Ryan Ernst a2359d13f3 Add jar dependency on netty module
Original commit: elastic/x-pack-elasticsearch@f653855378
2016-07-11 23:57:08 -07:00
Chris Earle 16b3056b1f [Monitoring] Change xpack.monitoring.agent to xpack.monitoring.collection
This changes the xpack.monitoring.agent.* settings so that they fall under xpack.monitoring.collection.*.

- This also changes Kibana's equivalent data_collection to collection.

Original commit: elastic/x-pack-elasticsearch@a69bc18055
2016-07-11 12:03:01 -04:00
jaymode b06249279e security: REST spec cleanup and authenticate tests create user
This change cleans up the rest API specs and changes the documentation field to a link. Additionally,
the integration tests for xpack now use the elastic user rather than a dummy user from a file realm.

Closes elastic/elasticsearch#2458
Closes elastic/elasticsearch#2437

Original commit: elastic/x-pack-elasticsearch@8059a0d856
2016-06-29 11:42:44 -04:00
Tanguy Leroux a06f4a02fd Rename Marvel packages and directories to Monitoring
related to elastic/elasticsearch#2383

Original commit: elastic/x-pack-elasticsearch@7f4001a031
2016-06-29 09:10:25 +02:00
Alexander Reelsen ebf00cc9e5 Dependencies: Upgrade jimfs to 1.1 removed unneeded guava calls (elastic/elasticsearch#2614)
Guava should only be used by the HTML sanitizer and no other code

Original commit: elastic/x-pack-elasticsearch@6a20674768
2016-06-27 11:07:15 +02:00
jaymode c024dbfc49 security: remove use of shield in files and directory names
This commit removes as much of the use of shield as possible in the source code.

See elastic/elasticsearch#2383

Original commit: elastic/x-pack-elasticsearch@00009cc06e
2016-06-20 10:26:10 -04:00
Ryan Ernst b5dc201f5a Add thirdparty excludes for javax.activation classes
Original commit: elastic/x-pack-elasticsearch@d60891f56f
2016-05-21 22:42:15 -07:00
Ryan Ernst f5bbe1858c Make java 9 work
This is the xplugins side of elastic/elasticsearchelastic/elasticsearch#18496
Most of the changes here are related to javax.activation.

Original commit: elastic/x-pack-elasticsearch@2a47f94ab5
2016-05-21 14:28:52 -07:00
Tanguy Leroux 8f097d24e4 Mute XPackRestIT.test {p0=bulk/10_basic/Bulk indexing of monitoring data}
Original commit: elastic/x-pack-elasticsearch@e3a889222e
2016-05-09 13:27:54 +02:00
jaymode 773876caee security: ssl by default on the transport layer
This commit adds the necessary changes to make SSL work on the transport layer by default. A large
portion of the SSL configuration/settings was re-worked with this change. Some notable highlights
include support for PEM cert/keys, reloadable SSL configuration, separate HTTP ssl configuration, and
separate LDAP configuration.

The following is a list of specific items addressed:

* `SSLSettings` renamed to `SSLConfiguration`
* `KeyConfig` and `TrustConfig` abstractions created. These hide the details of how `KeyManager[]` and `TrustManager[]` are loaded. These are also responsible for settings validation (ie keystore password is not null)
* Configuration fallback is changed. Previously any setting would fallback to the "global" value (`xpack.security.ssl.*`). Now a keystore path, key path, ca paths, or truststore path must be specified otherwise the configuration for that key/trust will fallback to the global configuration. In other words if you want to change part of a keystore or truststore in a profile you need to supply all the information. This could be considered breaking if a user relied on the old fallback
* JDK trusted certificates (`cacerts`) are trusted by default (breaking change). This can be disabled via a setting.
* We now monitor the SSL files for changes and enable dynamic reloading of the configuration. This will make it easier for users when they are getting set up with certificates so they do not need to restart every time. This can be disabled via a setting
* LDAP realms can now have their own SSL configurations
* HTTP can now have its own SSL configuration
* SSL is enabled by default on the transport layer only. Hostname verification is enabled as well. On startup if no global SSL settings are present and SSL is configured to be used, we auto generate one based on the default CA that is shipped. This process includes a best effort attempt to generate the subject alternative names.
* `xpack.security.ssl.hostname_verification` is deprecated in favor of `xpack.security.ssl.hostname_verification.enabled`
* added Bouncy Castle info to NOTICE
* consolidated NOTICE and LICENSE files

Closes elastic/elasticsearch#14
Closes elastic/elasticsearch#34
Closes elastic/elasticsearch#1483
Closes elastic/elasticsearch#1933
Addresses security portion of elastic/elasticsearch#673

Original commit: elastic/x-pack-elasticsearch@7c359db90b
2016-04-29 12:50:07 -04:00
Alexander Reelsen 5d53080a1f Watcher: Remove build based property creation (elastic/elasticsearch#2107)
There we still left over files from the clean up PR to not use
build properties for the watcher templates.

Relates elastic/elasticsearch#2040

Original commit: elastic/x-pack-elasticsearch@b838d92124
2016-04-26 17:54:27 +02:00
Alexander Reelsen 276d5fbbca Watcher: Updated dependencies (elastic/elasticsearch#2064)
Updated okhttp and moved the jsr305 dependency into testing.
This required a minor change in tests using SSL, as otherwise
the security manager barfs, when the okhttp webserver tries
to load sun internal SSL based classes.

Original commit: elastic/x-pack-elasticsearch@77131589e0
2016-04-22 09:45:46 +02:00
jaymode 8c8e33889c build: remove test dependencies from published pom file
See elastic/elasticsearch#2063

Original commit: elastic/x-pack-elasticsearch@3653368363
2016-04-21 09:27:12 -04:00
jaymode 0cce436641 build: fix x-pack pom and allow installation
* The found-license project is removed since it is no longer needed
* The plugin-api classes have moved into the license-plugin since there is only one plugin
* The license/base project publishes the proper artifactId in the pom file
* The x-pack jar file is added as an artifact so that it can be installed
* The x-pack pom no longer declares the packaging as `zip`
* The x-pack pom uses the right artifactId for license-core
* Removed disabling of installing the x-plugins artifacts
* Cleaned up a use of guava in watcher (found when trying to remove guava as a compile
dependency but is needed by the HTML sanitizer)
* Removed the dependency on the mustache compiler since it is no longer necessary

Closes elastic/elasticsearch#1987

Original commit: elastic/x-pack-elasticsearch@9d3b50b054
2016-04-15 11:31:09 -04:00
Alexander Reelsen a1f7fff901 Watcher: Cut settings over to xpack.watcher (elastic/elasticsearch#1909)
This cuts over all settings from `watcher.` to `xpack.watcher` as
part of the settings cleanup for 5.0.

Relates elastic/elasticsearch#1441

Original commit: elastic/x-pack-elasticsearch@c82483bf25
2016-04-12 10:34:23 +02:00
Tanguy Leroux 98fc26c614 Monitoring: Manage multiple index templates
Original commit: elastic/x-pack-elasticsearch@fef9dcc5d1
2016-04-08 11:44:03 +02:00
jaymode d08446e221 security: add reserved roles and users
This commit adds reserved or built-in user and role support to x-pack. The reserved roles
cannot be modified by users. The reserved users also cannot be modified with the exception
of changing the password for a user.

In order to change the password for a user, a new API has been added. This API only supports
changing passwords for native and reserved users.

To support allowing a user to change their own password, a default role has been added to grant
access. This default role only grants access to user operations that pertain to the user that is
being authorized. In other words, the default role grants `joe` the ability to change their own password
but does not allow them to change the password of a different user.

Additionally, the authenticate API was made a transport action and is granted by the default role.

Closes elastic/elasticsearch#1727
Closes elastic/elasticsearch#1185
Closes elastic/elasticsearch#1158

Original commit: elastic/x-pack-elasticsearch@1a6689d90f
2016-04-06 18:23:18 -04:00
jaymode 4036ce97c1 shield: do not use ThreadPool#scheduleWithFixedDelay for pollers
This commit makes the user and roles poller use a self rescheduling runnable to schedule the
next run of the poller rather than using scheduleWithFixedDelay. This is done because the
pollers perform blocking I/O operations and everything using that thread pool method runs on
the schedule thread and because of this, in certain situations this can lead to a deadlock which
will prevent the cluster from forming.

Original commit: elastic/x-pack-elasticsearch@9fd0748c8c
2016-04-01 21:25:16 -04:00
Tanguy Leroux 8a15a17442 Monitoring: Simplify bulk REST test
Original commit: elastic/x-pack-elasticsearch@0a02d3f3be
2016-03-31 17:49:27 +02:00
Alexander Reelsen e0fcbcbb51 Elasticsearch: Rename plugin from 'xpack' to 'x-pack'
This is just to be consistent with out naming, which is
supposed to be `x-pack`.

Closes elastic/elasticsearch#1759

Original commit: elastic/x-pack-elasticsearch@0697f70855
2016-03-30 09:48:46 +02:00
Tanguy Leroux b8e8d7d246 Rename bin/xpack/esusers to /bin/xpack/users
Original commit: elastic/x-pack-elasticsearch@388eda9f24
2016-03-29 10:36:38 +02:00
jaymode 0d1f3da353 security: rename ESUsersRealm to FileRealm
This commit is the forward port of renaming the type for esusers to file. There is no
backwards compatibility maintained here. Additionally, a few other renames and
cleanups have been made:

* `esusers` commands is now `users`
* org.elasticsearch.shield.authc.esusers -> org.elasticsearch.shield.authc.file
* Validation.ESUsers -> Validation.Users
* ESUsersTool -> UsersTool
* ESUsersToolTests -> UsersToolTests
* ESNativeUsersStore -> NativeUsersStore
* ESNativeRolesStore -> NativeRolesStore.
* org.elasticsearch.shield.authz.esnative collapsed to org.elasticsearch.shield.authz.store
*  ESNativeTests -> NativeRealmIntegTests

Closes elastic/elasticsearch#1793

Original commit: elastic/x-pack-elasticsearch@d2a0c136f3
2016-03-28 06:18:57 -04:00
Alexander Reelsen cf6cadf19f Build: Move xpack to plugin group
This is needed in order to make `bin/elasticsearch-plugin install xpack`
work, as it expects the plugin in a certain path.

Original commit: elastic/x-pack-elasticsearch@252c55e5a8
2016-03-24 18:38:58 +01:00
Jim Ferenczi 1fa22c921a xpack plugin can be isolated now that we have xpack extension support
Original commit: elastic/x-pack-elasticsearch@9f742c754f
2016-03-22 15:27:30 +01:00
markharwood 925afa3cab Graph - port of 2.x graph API and kibana UI plugin
Closes X-plugins issue 518

Original commit: elastic/x-pack-elasticsearch@6c6371ed74
2016-03-11 14:22:31 +00:00
Alexander Reelsen 6d0d09468b Watcher/Shield: Ensure only one .in.bat file exists
This was a leftover from watcher/shield being different plugins.

Closes elastic/elasticsearch#1530

Original commit: elastic/x-pack-elasticsearch@521b4bad14
2016-02-21 15:20:24 -08:00
uboness ffe339ae31 Refactoring for 5.0 - phase 5
- Moved all settings in Marvel from `marvel.*` to `xpack.monitoring.*`
- Cleaned up marvel settings in general - they're all now under `MarvelSettings` class
- fixed some integration tests along the way (they were configured wrong and never actually tested anything)
- Updated the docs accordingly
- Added `migration-5_0.asciidoc` under the Marvel docs to explain how to migrate from Marvel 2.x to XPack 5.0.
- Replaced all `marvel` mentions in the logs to `monitoring`
- Removed the `xpack.monitoring.template.version` setting from the templates
- renamed the templates to `monitoring-es-data.json` and `monitoring-es.json`
- monitoring indices are now `.monitoring-es-<version>-data` and `.monitoring-es-<version>-<timestamp>`

Original commit: elastic/x-pack-elasticsearch@17f2abe17d
2016-02-11 21:34:38 +01:00
uboness 3a6a1d5dc2 Shield refactoring for 5.0 - phase 3
- Consolidated the `bin` and `config` directories of watcher, shield and marvel under a single `config/xpack` and `bin/xpack` directories.

 - updated docs accordingly

Original commit: elastic/x-pack-elasticsearch@c2aa6132fa
2016-02-09 16:06:49 +01:00
uboness 92f027159a Shield refactoring for 5.0 - phase 2
- Started to move configuration under the `xpack` name
 - Cleaned up `ShieldPlugin`
 - renamed `ShieldClient` to `SecurityClient`
 - Introduced `XPackClient` that wraps security and watcher clients

Original commit: elastic/x-pack-elasticsearch@f05be0c180
2016-02-09 14:32:33 +01:00
Alexander Reelsen e8ad8cbb36 Watcher: Load versioned index template for watch history
This loads an index template for the watch history to make sure,
that field changes are taken into account.

Also, the dynamic mapping for the watch history template has been
changed from strict to false.

This means that new fields can be included in a document, but they
will not indexed and are not searchable.

In addition the index names have been changed from .watch_history-$date to
.watcher-history-$template-$date - using dashes to be more consistent.

Closes elastic/elasticsearch#1299

Original commit: elastic/x-pack-elasticsearch@794f982234
2016-02-09 09:39:07 +01:00
Lee Hinman da3d7177be Add Shield HTTP APIs for users and roles
Relates to elastic/elasticsearch#33

Original commit: elastic/x-pack-elasticsearch@a0942c9334
2016-01-18 16:21:22 -07:00