We don't really need a generic compound throttler. Instead we now have an `AlertThrottler` that can be configured with optional `AckThrottler` and `PeriodThrottler`.
The logic of what throttler is applied first has therefore moved from the `Alert` to the `AlertThrottler` (back to its natural place)
Original commit: elastic/x-pack-elasticsearch@b81e467c97
- Renamed `AlertingModule` to `AlertsModule`
- Started modularizing the code base.. each module has its own guice module and `AlertsModule` spawn all the sub-modules
- Renamed `*Helper` classes to `*Utils` for consistency sake and moved all utilities to `support` package
- Moved `AlertsPlugin` to the base package (no need for `plugin` package... it just creates noise)
- Moved `State` to be inner enum within `AlertsService` (that's where it belongs)
- Moved all the rest actions to `rest.action` package
Original commit: elastic/x-pack-elasticsearch@4ce9bf8dcd
This adds a few tests using the Java default truststore (cacerts) to SslMultiPortTests
and validates that when using that truststore, the client cannot connect to a node
that is using a self signed certificate.
Original commit: elastic/x-pack-elasticsearch@d7c2eaa16b
Separates the SSLService into a ClientSSLService and a ServerSSLService. The ClientSSLService
should be used for client connections and removes the requirement for setting a keystore or a
truststore. The ServerSSLService maintains the existing requirement to have a keystore. Also, fixed
a small issue where the HandshakeWaitingHandlerTests called handshake more than once.
Closeselastic/elasticsearch#622
Original commit: elastic/x-pack-elasticsearch@67b6121b04
Instead of having another client interface, the alerts client should be a wrapper around the standard es client. This will make sure that whatever logic that is applied on these std clients will also be applied to any requests/actions that are executed in the alerts client.
Using the es client introduces a cyclic dependency for all those services that use the es client and that are also injected into the transport actions. For this reason, instead of using the es client and script service directory, we're using proxies. The proxies are initialized lazily be a new `InitializationService`.
Also introduced the `AlertsClientModule` and `AlertsTransportModule`
Closeselastic/elasticsearch#56
Original commit: elastic/x-pack-elasticsearch@58990a7c85
When a request (rest/transport) that arrives to elasticsearch, and that has no authentication token associated with it, the request is then considered to be sent by an anonymous user. By default, we disallow anonymous requests and fail it by returning an authentication error.
Anonymous access can be enabled by configuring the `shield.authc.anonymous.roles` setting in `elasticsearch.yml` file. When set, an anonymous request will be associated with an `anonymous` user that holds the configured roles. From there on, authorization will continue as usual, and will try to authorize the request based on these roles.
Closeselastic/elasticsearch#376
Original commit: elastic/x-pack-elasticsearch@028b3a380b
mostly renamed `Secured....` classes to `Shield...` classes. applied to construct that replace other similar constructs either in es core or in other libraries. This will make it clear that the new constructs are coming from shield (in the logs). Also no need to call it "secured" as if shield replaces them, it's very likely they relate to security in one way or another :)
Original commit: elastic/x-pack-elasticsearch@f528a10b14
Two aliases were supposed to be created, while only one was, which was also associated with a broken filter.
Original commit: elastic/x-pack-elasticsearch@695acbd668
make the download URL consistent:
- changed from elasticsearch-license to just license.
- file name will be "shield-{version}.zip".
- download location will be https://download.elasticsearch.org/elasticsearch/shield/{filename}
- update URL for license download.
- update esvmrc to account for license plugin name change
- update error message for license plugin name change
Original commit: elastic/x-pack-elasticsearch@bebde15b4f
We need to assume the license is enabled until we're told otherwise by the license plugin. It's required as we should allow the execution of APIs (like cluster health) on a node that just started and didn't receive the cluster state yet.
Original commit: elastic/x-pack-elasticsearch@ce5fa68bfa
A NullPointerException was triggered in InternalAuthenticationService
in case a user did not exist because of trying to access the non-existing user.
While fixing this, a test added in IndexPrivilegeTests uncovered lots of wrong
assumptions about HTTP error codes, which have been fixed as well (a successful
operation now is expected to have a non 4XX/5XX HTTP return code). Also made sure
that certain preconditions are fulfilled before going on.
Fixeselastic/elasticsearch#646
Original commit: elastic/x-pack-elasticsearch@c4ed759e16
As Elasticsearch 1.4.2 and below do not copy the headers in
TransportSnapshotsStatusAction, we need to allow the system user
to execute this in action, in order to see snapshots being currently
in progress.
This should be removed once we support elasticsearch 1.4.3
Closeselastic/elasticsearch#640
Original commit: elastic/x-pack-elasticsearch@00adf3dacf
This test adds an amount of users with different privileges, and
then goes on to not only test if the user is allowed to execute requests
but also if other requests are rejected as intended.
Closes elasticsearch/elasticsearch-shield-qaelastic/elasticsearch#17
Original commit: elastic/x-pack-elasticsearch@213a219c78
The randomization of the `network.host` property on OSX only
could lead to connecting to the wrong HTTP port in our functional
tests.
As this randomization is not really needed, we can simply remove it
Closeselastic/elasticsearch#586
Original commit: elastic/x-pack-elasticsearch@fb16bd8644
Changed form `bcrypt5` to `bcrypt4`. Also added more bcrypt hash algorithms to choose from when configuring it (added `bcrypt4`, `bcrypt6`, `bcrypt8` and `bcrypt9`)
Original commit: elastic/x-pack-elasticsearch@64bc26cafe
* Fix: `ShieldFiles.openAtomicMoveWriter()` always changed permissions to 600
now changes back to original perms
* Fix: Required log message change by @skearns
* Improvement: When permissions change, before/after perms are now shown
* Improvement: Added more CheckFileCommand tests
Closeselastic/elasticsearch#634
Original commit: elastic/x-pack-elasticsearch@e44495aaff
Introduced three new hasher implementations:
- `bcrypt5` - a bcrypt hasher configured with a salt generated with 5 iterations
- `bcrypt7` - a bcrypt hasher configured with a salt generated with 7 iterations
- `noop` - a hasher that doesn't hash and works with the original text
Also, due to poor performance and based on the external security audit review feedback, the default realm caching hash is now changed to `bcrypt5` (used to be `sha2`).
Original commit: elastic/x-pack-elasticsearch@53d4f40564
Instead of creating an automaton predicate on each request (very expensive) we now have a static create_index matcher (predicate) that is reused.
Original commit: elastic/x-pack-elasticsearch@f70dae13ac
- on license expiration, we only block cluster stats/health and indices stats.
- depend on the latest snapshot of the licensing plugin that supports registrations of expiration callbacks
- registering expiration callbacks to periodically log and warn about license expiration (pre and post expiration)
Original commit: elastic/x-pack-elasticsearch@5aee30fac4
uboness
jaymode
Brian Murphy
Martijn van Groningen
Areek Zillur
javanna
Alexander Reelsen
Kevin Kluge