Commit Graph

93 Commits

Author SHA1 Message Date
Tim Vernum 7cd5e1d516 Check cluster heath before setup-passwords (elastic/x-pack-elasticsearch#4104)
Trying to setup passwords on a red cluster (or a cluster that cannot
reach a quorum) is generally not a good idea.

This commit:
- Adds a check for RED cluster status
- Prompts to confirm execution if the cluster is red
- Prints out the reason/type is an error response is received
- Increases the HTTP read timeout so that master election failures are
  reported correctly.

Original commit: elastic/x-pack-elasticsearch@4ffbda23db
2018-03-20 17:03:17 +10:00
Tim Vernum bc95ad80ce Add beats_system user to security (elastic/x-pack-elasticsearch#4103)
This creates a new "beats_system" user and role with the same
privileges as the existing "logstash_system" user/role.

The "beat_system" user is also added as a managed user within
the "setup-passwords" command.

Users who upgrade from an earlier version of Elasticsearch/X-Pack
will need to manually set a password for the beats_system user via
the change password API (or Kibana UI)

Original commit: elastic/x-pack-elasticsearch@6087d3a18e
2018-03-20 17:01:53 +10:00
Albert Zaharovits 7ea79c88ab Realm along the principal in audit authz events (elastic/x-pack-elasticsearch#3260)
Add realm name to all authz audit events: accessDenied, accessGranted,
runAsDenied and runAsGranted.
These event types receive the following attributes: realm,
run_by_realm and run_as_realm to go along with with the existing
attributes: principal, run_by_principal and run_as_principal. The
'effective realm name' (run_as_realm or run_by_realm) is certainly
filterable by ignore policies.

Original commit: elastic/x-pack-elasticsearch@cb3801e197
2018-03-18 11:27:28 +02:00
Albert Zaharovits 14acdcb4f7 Fix test after elastic/x-pack-elasticsearch#28919
After elastic/x-pack-elasticsearch#28919 some rest client exceptions are wrapped by the
IOException.

Original commit: elastic/x-pack-elasticsearch@6c658ae5b7
2018-03-17 16:58:12 +02:00
Albert Zaharovits 891013a17b Update audit trail filter policy settings (elastic/x-pack-elasticsearch#3984)
Audit trail filter policies can now be updated by the cluster update
settings API. Previously, policies were static inside the conf file.
This is helpful because, in practice, coming up with a reasonable
policy set is an iterative process, adding and changing policies to
shave off yet another pesky audit event.

Original commit: elastic/x-pack-elasticsearch@e8a670c427
2018-03-17 11:30:11 +02:00
Jay Modi bccf988e9d Run active directory tests against a samba4 fixture (elastic/x-pack-elasticsearch#4067)
This commit adds a Samba4 test fixture that acts as a domain controller
and has the same contents as the cloud active directory instance that
we previously used for tests.

The tests also support reading information from environment variables
so that they can be run against a real active directory instance in our
CI builds.

In addition, this commit also fixes a few issues that surfaced when
making this change. The first is a change in the base DN that is
searched when performing down-level authentication. The base DN is
now the configuration object instead of the domain DN. This change was
required due to the original producing unnecessary referrals, which we
cannot easily follow when running against this test figure. Referrals
cannot easily be followed as they are returned by the ldap server with
an unresolvable DNS name unless the host points to the samba4 instance
for DNS. The port returned in the referral url is the one samba is bound
to, which differs from the port that is forwarded to the host by the
test fixture.

The other issue that is resolved by this change is the addition of
settings that allow specifying non-standard ports for active directory.
This is needed for down-level authentication as we may need to query
the regular port of active directory instead of the global catalog
port as the configuration object is not replicated to the global
catalog.

relates elastic/x-pack-elasticsearch#185
Relates elastic/x-pack-elasticsearch#3800

Original commit: elastic/x-pack-elasticsearch@883c742fba
2018-03-16 10:44:23 -06:00
Lee Hinman b14baf4a6f Decouple XContentBuilder from BytesReference (elastic/x-pack-elasticsearch#4119)
* Decouple XContentBuilder from BytesReference

This commit handles the removal of all mentions of BytesReference from
XContentBuilder. This is needed so that we can completely decouple the XContent
code and move it into its own dependency.

This is the x-pack side of https://github.com/elastic/elasticsearch/pull/28972

Original commit: elastic/x-pack-elasticsearch@8ba2e97b26
2018-03-14 13:48:05 -06:00
Jason Tedor fbb752c273 Use Elasticsearch IOUtils (elastic/x-pack-elasticsearch#4105)
This commit replaces the usage of Lucene IOUtils with Elasticsearch
IOUtils, the former of which is now forbidden.

Original commit: elastic/x-pack-elasticsearch@8e0554001f
2018-03-13 12:49:52 -04:00
Yannick Welsch 4bce53a1ad Disallow logger methods with Object parameter
Relates to elastic/elasticsearch#28969

Original commit: elastic/x-pack-elasticsearch@1eff5eecd9
2018-03-12 11:03:23 +01:00
Tim Vernum 41af46688a Make PKI BootstrapCheck work with SecureSettings (elastic/x-pack-elasticsearch#3993)
SslConfiguration can depend on SecureSettings, so it must be
constructed during the correct lifecycle phase.
For PkiRealmBootstrapCheck, moved the construction of SslConfiguration
objets into the constructor rather than the check method

Original commit: elastic/x-pack-elasticsearch@1a4d147216
2018-03-12 10:48:35 +10:00
Albert Zaharovits d31d90d378 Auditing requests with null indices (elastic/x-pack-elasticsearch#4016)
Adds null check.

relates elastic/x-pack-elasticsearch#3988

Original commit: elastic/x-pack-elasticsearch@64bab62ca6
2018-03-11 13:13:14 +02:00
Ioannis Kakavas 558679f997 Disregard comments in XML documents (elastic/x-pack-elasticsearch#4047)
* Disregard comments in XML documents
* Add tests to verify comments in XML are ignored

Original commit: elastic/x-pack-elasticsearch@8b2d8d32ef
2018-03-08 22:32:33 -08:00
Tim Vernum 3a4fa16f03 [SAML] Handle ACS URL with existing query params (elastic/x-pack-elasticsearch#4060)
If the Assertion Consumer Service URL already contained query
parameters, we would incorrectly append an addtional '?' rather than
adding the SAML parameters to the end with '&'

Original commit: elastic/x-pack-elasticsearch@60b6a977d8
2018-03-09 17:15:55 +11:00
Lee Hinman 2147d217df Wrap stream passed to createParser in try-with-resources (elastic/x-pack-elasticsearch#4055)
This wraps the stream (`.streamInput()`) that is passed to many of the
`createParser` instances in the enclosing (or a new) try-with-resources block.
This ensures the `BytesReference.streamInput()` is closed.

Relates to elastic/x-pack-elasticsearch#28504

Original commit: elastic/x-pack-elasticsearch@7546e3b4d4
2018-03-04 16:48:15 -07:00
Lee Hinman c763a14132 Pass InputStream when creating XContent parser (elastic/x-pack-elasticsearch#4001)
* Pass InputStream when creating XContent parser

Rather than passing the raw `BytesReference` in when creating the xcontent
parser, this passes the StreamInput (which is an InputStream), this allows us to
decouple XContent from BytesReference.

This is the x-pack side of https://github.com/elastic/elasticsearch/pull/28754

* Use the streamInput variant, not sourceAsString

Original commit: elastic/x-pack-elasticsearch@dd5d8b1654
2018-02-23 15:22:28 -07:00
Zachary Tong bf1550a0b2 Rollups for Elasticsearch (elastic/x-pack-elasticsearch#4002)
This adds a new Rollup module to XPack, which allows users to configure periodic "rollup jobs" to pre-aggregate data.  That data is then available later for search through a special RollupSearch API, which mimics the DSL and functionality of regular search.

Rollups are used to drastically reduce the on-disk footprint of metric-based data (e.g. timestamped document with numeric and keyword fields).  It can also be used to speed up aggregations over large datasets, since the rolled data will be considerably smaller and fewer documents to search.

The PR adds seven new endpoints to interact with Rollups; create/get/delete job, start/stop job, a capabilities API similar to field-caps, and a Rollup-enabled search.

Original commit: elastic/x-pack-elasticsearch@dcde91aacf
2018-02-23 17:10:37 -05:00
Alexander Reelsen 7f166e1927 Cleanup: Move tests calling external services into QA projects (elastic/x-pack-elasticsearch#3869)
This also moves the hipchat/pagerduty/slack tests to REST tests which put real watches and also check the history.

Relates elastic/x-pack-elasticsearch#3800


Original commit: elastic/x-pack-elasticsearch@fce08d9cb7
2018-02-23 13:31:28 +01:00
Tim Brooks 33ae455e6c Selectors operate on channel contexts (elastic/x-pack-elasticsearch#3803)
This is related to elastic/elasticsearch#28468. It is a compatibility
commit to ensure that x-pack is compatible with those changes.

Original commit: elastic/x-pack-elasticsearch@3ddf719adc
2018-02-22 09:45:07 -07:00
Tim Vernum 828387a25a Add more info logging when loading roles.yml (elastic/x-pack-elasticsearch#3992)
Although not frequently used in production, we make heavy use of the
FileRolesStore within integration tests. This change adds a little bit
more logging at INFO level when the roles.yml file is (re)loaded.

Original commit: elastic/x-pack-elasticsearch@bbacd46e28
2018-02-22 11:10:27 +11:00
Jay Modi e3e82ccb2d Security: IndexAuditTrail updates mappings when indexing locally (elastic/x-pack-elasticsearch#3944)
This change makes the IndexAuditTrail update mappings for the current
index even when indexing locally. This is needed in a couple of
scenarios; the first being upgrades from 5x to 6x where the document
type was changed and the second is when upgrading minor versions and
a new field has been introduced. A new field was introduced in 6.2.

Additionally, writing tests for the rolling upgrade revealed a bug
where the actual node name was never being set as it was using the name
key instead of the node.name key.

relates elastic/x-pack-elasticsearch#3901
relates elastic/x-pack-elasticsearch#3718

Original commit: elastic/x-pack-elasticsearch@7374a62ff1
2018-02-20 11:09:56 -07:00
Jay Modi 0fc0034509 Test: remove outdated logic for file writing in security tests (elastic/x-pack-elasticsearch#3947)
This commit removes some outdated logic in the SecurityTestUtils class
for writing files and creating directories. A long, long time ago there
was a global cluster for tests that was used across suites and because
of this there were calls to delete files if they already existed. The
global cluster has been removed, so we no longer need the code that
deletes the content of a directory if it already exists.

Additionally, the file writing used in SecurityTestUtils did not use
atomic moves when possible and this commit changes the code such that a
temp file is written and we try to atomically move it to the correct
path; if atomic moves are not supported a regular move is performed.

relates elastic/x-pack-elasticsearch#3912

Original commit: elastic/x-pack-elasticsearch@973fcfe2e1
2018-02-20 09:34:17 -07:00
Lee Hinman 6728912c87 Handle removing log4j dependency from elasticsearch-core jar (elastic/x-pack-elasticsearch#3976)
This handles the removal of the log4j dependency from our elasticsearch-core
project. It was originally necessary only for our jar classpath checking. It is
now replaced by a `Consumer<String>`.

This is the x-pack side of https://github.com/elastic/elasticsearch/pull/28705

Original commit: elastic/x-pack-elasticsearch@1186a7eaf6
2018-02-20 09:15:56 -07:00
Tim Vernum 56c761f241 Log roles.yml changes in TokenAuthIntegTests
This test recently failed and it appears that the cause was that
roles.yml was deleted while the cluster was still running.
This turns on logging for the FileRolesStore so that changes to file
based roles can traced more easily.

Original commit: elastic/x-pack-elasticsearch@fbce5a8027
2018-02-20 17:19:39 +11:00
Tim Vernum c4582cdcd0 Additional settings for SAML NameID policy (elastic/x-pack-elasticsearch#3969)
* Additional settings for SAML NameID policy

We should not be populating SPNameQualifier by default as it is
intended to be used to specify an alternate SP EntityID rather than
our own. Some IdPs (ADFS) fail when presented with this value.

This commit
- makes the SPNameQualifier a setting that defaults to blank
- adds a setting for "AllowCreate"
- documents the above

Original commit: elastic/x-pack-elasticsearch@093557e88f
2018-02-20 13:51:42 +11:00
Albert Zaharovits 5833ed296e Fix embarrassing NPE in audit trail.
relates elastic/x-pack-elasticsearch#3988

Original commit: elastic/x-pack-elasticsearch@72c16ea50f
2018-02-19 20:14:37 +02:00
Lee Hinman affc9e3563 Move more XContent.createParser calls to non-deprecated version (elastic/x-pack-elasticsearch#3928)
Part 2

This moves more of the callers to pass in the DeprecationHandler.

Relates to elastic/x-pack-elasticsearch#28504

Original commit: elastic/x-pack-elasticsearch@e0b52bf050
2018-02-14 09:41:26 -07:00
Lee Hinman e8ef20b219 Move more XContent.createParser calls to non-deprecated version (elastic/x-pack-elasticsearch#3927)
* Move more XContent.createParser calls to non-deprecated version

This moves more of the callers to pass in the DeprecationHandler.

Relates to https://github.com/elastic/elasticsearch/issues/28504

* Mockito ಠ_ಠ

Original commit: elastic/x-pack-elasticsearch@81cb99ba52
2018-02-14 09:24:47 -07:00
Yogesh Gaikwad 20503a997f X-Pack-Security: Improve error messaging during setup password (elastic/x-pack-elasticsearch#3809)
* X-Pack-Security: Improve error messaging during setup password

Changes are done to improve logging and exception messages when
setup passwords. Now it checks whether
- X-Pack plugin is available
- X-Pack Security is available 
- X-Pack Security is enabled
by invoking /_xpack query and throws a specific error message.
1. Modifications to simple http client to return http response.
2. Changes in SetupPasswordTool for throwing appropriate exceptions.
2. Unit tests

relates elastic/x-pack-elasticsearch#3476

Original commit: elastic/x-pack-elasticsearch@eb0c5a19c5
2018-02-14 13:11:00 +11:00
Tim Brooks 5dbbe8fef8 Default to basic license at startup (elastic/x-pack-elasticsearch#3878)
This is related to elastic/x-pack-elasticsearch#3877. This commit modifies the license settings to
default to self generating a basic license.

Original commit: elastic/x-pack-elasticsearch@cd6ee8e06f
2018-02-12 12:57:04 -07:00
Ryan Ernst 4e578fe7cc Build: Replace provided configuration with compileOnly (elastic/x-pack-elasticsearch#3868)
This is the xpack side of elastic/elasticsearch#28564

Original commit: elastic/x-pack-elasticsearch@60033824a4
2018-02-09 11:30:43 -08:00
Ioannis Kakavas 7504e33da7 Change value of METADATA_REFRESH for the tests (elastic/x-pack-elasticsearch#3879)
Ensure that the next triggered metadata refresh is always in the
future. relates elastic/x-pack-elasticsearch#3815

Original commit: elastic/x-pack-elasticsearch@edd9ba911d
2018-02-09 18:22:26 +01:00
Albert Zaharovits fb8adb4a1c [Security][Tests] Azeri(Turkish) locale tripps opensaml dependency
Original commit: elastic/x-pack-elasticsearch@9c4ecabe48
2018-02-09 13:57:09 +02:00
Albert Zaharovits a57999e1e1 [Security][Tests] Print LDAP reconnect stacktrace on fail
Original commit: elastic/x-pack-elasticsearch@18f235197c
2018-02-08 13:41:02 +02:00
Alexander Reelsen 064a0819d9 Cleanup: Remove HaltedClock (elastic/x-pack-elasticsearch#3731)
java.time features it's own halted clock, called a fixed clock, we can
use that one.

On top of that the watcher xcontent parser does not need a clock at all,
just a timestamp when parsing happened.

Original commit: elastic/x-pack-elasticsearch@2061aeffe1
2018-02-08 09:24:08 +01:00
Tim Vernum 3102b94946 [TEST] Don't fail IndexAuditTrailTests if the test runs very fast
Relates: elastic/x-pack-elasticsearch#3472

Original commit: elastic/x-pack-elasticsearch@00fde8973f
2018-02-08 16:44:58 +11:00
Ryan Ernst f360d2d8d7 Build: Cleanup gradle files (elastic/x-pack-elasticsearch#3867)
There were a number of leftover unnecessary elements in the module
build.gradle files that were holdovers from copying the original plugin
build.gradle. This commit removes these elements.

Original commit: elastic/x-pack-elasticsearch@08babbd520
2018-02-07 16:58:09 -08:00
Nik Everett b95745956e Merge branch 'master' into feature/sql_2
Original commit: elastic/x-pack-elasticsearch@5f6bbb588a
2018-02-07 09:38:13 -05:00
Tim Vernum 7bb2cba14f [Security] Reset IndexAuditTrail to INITIALISED before start (elastic/x-pack-elasticsearch#3807)
Calling start() when already in the STARTING state doesn't do anything, so the component
gets stuck in STARTING state forever.

Also: wait on the required index name not just the cluster.

Also: added more logging to help diagnose such issues (either in RemoteIndexAuditTrailStartingTests or production)

Original commit: elastic/x-pack-elasticsearch@fb81214fe7
2018-02-07 12:30:23 +11:00
Nik Everett 5b46899cc3 Merge branch 'master' into feature/sql_2
Original commit: elastic/x-pack-elasticsearch@9a49ecbbd5
2018-02-06 14:40:55 -05:00
Jay Modi 18c04c714d [Security] handle null values when attempting to parse as DN when mapping roles (elastic/x-pack-elasticsearch#3791)
This commit adds special handling for null values when building a DistinguishedNamePredicate for
role mapping. Previously this would have resulted in an exception from the unboundid ldapsdk as
the DN is invalid.

relates elastic/x-pack-elasticsearch#3787

Original commit: elastic/x-pack-elasticsearch@9386dae03e
2018-02-06 10:19:49 -07:00
Costin Leau b5dd4c649a SQL: Minor fixes
Original commit: elastic/x-pack-elasticsearch@14ea747e20
2018-02-02 17:50:33 +02:00
Nik Everett f66e01369a Merge branch 'master' into feature/sql_2
Original commit: elastic/x-pack-elasticsearch@6ba2651f46
2018-02-01 17:21:37 -05:00
Tim Vernum 415bb7f039 Clear Realm Caches on role mapping health change (elastic/x-pack-elasticsearch#3782)
If any of the follow take place on security index, then any cached role mappings
are potentially invalid and the associated realms need to clear any cached users.
- Index recovers from red
- Index is deleted
- Index becomes out-of-date / not-out-of-date

Original commit: elastic/x-pack-elasticsearch@1bcd86fcd4
2018-02-01 10:01:57 +11:00
Lee Hinman 1b36133988 Merge remote-tracking branch 'origin/master' into feature/sql_2
Original commit: elastic/x-pack-elasticsearch@4176773659
2018-01-31 10:49:25 -07:00
Tim Vernum d0f6d273d0 [TEST] Add additional logging to test
Attempt to diagnose elastic/x-pack-elasticsearch#3292 if it occurs again.

Original commit: elastic/x-pack-elasticsearch@eb262540f0
2018-01-31 18:26:57 +11:00
Simon Willnauer 570411c2dc Remove all tribe related code, comments and documentation (elastic/x-pack-elasticsearch#3784)
Relates to elastic/elasticsearch#28443

Original commit: elastic/x-pack-elasticsearch@5c4e7fccc7
2018-01-30 20:40:46 +01:00
Nik Everett 6631fe0376 Merge branch 'master' into feature/sql_2
Original commit: elastic/x-pack-elasticsearch@ec3a82494e
2018-01-30 12:50:27 -05:00
Jay Modi 71788671ad Test: fix skip check for EllipticCurveSSLTests (elastic/x-pack-elasticsearch#3771)
This change fixes the skip check for the EllipticCurveSSLTests. The skip check that is in the test
was added to proctect against failures on JVMs that do not support EC ciphers such as the packaged
openjdk in some linux distributions. The old skip check did not execute until the cluster was up
so the test would still fail with errors such as no cipher suites in common. This change moves the
check into a before class method that checks availability.

Original commit: elastic/x-pack-elasticsearch@5550ca4e1e
2018-01-30 08:21:15 -07:00
David Kyle 10fae5e58f [ML][TEST] Scheduled events integration test (elastic/x-pack-elasticsearch#3555)
* Scheduled events integration test

Original commit: elastic/x-pack-elasticsearch@8181645fe5
2018-01-30 10:38:13 +00:00
Tim Vernum da7560a079 [Security] Correct DN matches in role-mapping rules (elastic/x-pack-elasticsearch#3704)
Changes the behaviour of the role mapping API to perform a "DistinguishedNameMatch"
when the field is a DN. This is achieved by moving the responsibility for defining
the matching rules from the expression to the data (ExpressionModel)

Because the role mapping API is used within the SAML realm, which may or may not be
using DNs, this implementation assumes that the "dn" and "groups" should be
compared as DNs if they parse as a DN.
For SAML this behaviour will generally do the right thing, as members of the "groups"
field might be DNs (if the data is sourced from an LDAP directory) but often will not be.

Original commit: elastic/x-pack-elasticsearch@3a4dfbba79
2018-01-30 15:47:17 +11:00