Commit Graph

525 Commits

Author SHA1 Message Date
Daniel Mitterdorfer 7eebacc884 Disable HTTP compression by default when HTTPS is enabled.
With elastic/elasticsearchelastic/elasticsearch#7309 we enable HTTP compression by
default. However, this can pose a security risk for HTTPS
traffic (e.g. BREACH attack). Hence, we disable HTTP compression
by default again if HTTPS enabled (note that this still allows the
user to explicitly enable HTTP compression if they want to).

Relates elastic/elaticsearchelastic/elasticsearch#7309

Original commit: elastic/x-pack-elasticsearch@8da100c9a5
2016-05-03 08:54:57 +02:00
Alexander Reelsen 23ebbed95a Watcher: Expose HTTP response headers in payload
This exposes the headers (all lower-cased) in the payload, so
that the can be accessed in the conditions.

Closes elastic/elasticsearch#1560

Original commit: elastic/x-pack-elasticsearch@c9b08558fe
2016-05-02 15:06:38 +02:00
Alexander Reelsen 74edbe6332 Watcher: Refactoring, move to org.elasticsearch.xpack
This refactors the org.elasticsearch.watcher over to
org.elasticsearch.xpack.watcher

This also adds all watcher actions to the KnownActionsTests,
as watcher actions had not been taken care of until here.

Original commit: elastic/x-pack-elasticsearch@a046dc7c6a
2016-05-02 10:58:34 +02:00
jaymode 773876caee security: ssl by default on the transport layer
This commit adds the necessary changes to make SSL work on the transport layer by default. A large
portion of the SSL configuration/settings was re-worked with this change. Some notable highlights
include support for PEM cert/keys, reloadable SSL configuration, separate HTTP ssl configuration, and
separate LDAP configuration.

The following is a list of specific items addressed:

* `SSLSettings` renamed to `SSLConfiguration`
* `KeyConfig` and `TrustConfig` abstractions created. These hide the details of how `KeyManager[]` and `TrustManager[]` are loaded. These are also responsible for settings validation (ie keystore password is not null)
* Configuration fallback is changed. Previously any setting would fallback to the "global" value (`xpack.security.ssl.*`). Now a keystore path, key path, ca paths, or truststore path must be specified otherwise the configuration for that key/trust will fallback to the global configuration. In other words if you want to change part of a keystore or truststore in a profile you need to supply all the information. This could be considered breaking if a user relied on the old fallback
* JDK trusted certificates (`cacerts`) are trusted by default (breaking change). This can be disabled via a setting.
* We now monitor the SSL files for changes and enable dynamic reloading of the configuration. This will make it easier for users when they are getting set up with certificates so they do not need to restart every time. This can be disabled via a setting
* LDAP realms can now have their own SSL configurations
* HTTP can now have its own SSL configuration
* SSL is enabled by default on the transport layer only. Hostname verification is enabled as well. On startup if no global SSL settings are present and SSL is configured to be used, we auto generate one based on the default CA that is shipped. This process includes a best effort attempt to generate the subject alternative names.
* `xpack.security.ssl.hostname_verification` is deprecated in favor of `xpack.security.ssl.hostname_verification.enabled`
* added Bouncy Castle info to NOTICE
* consolidated NOTICE and LICENSE files

Closes elastic/elasticsearch#14
Closes elastic/elasticsearch#34
Closes elastic/elasticsearch#1483
Closes elastic/elasticsearch#1933
Addresses security portion of elastic/elasticsearch#673

Original commit: elastic/x-pack-elasticsearch@7c359db90b
2016-04-29 12:50:07 -04:00
markharwood 29b996ea1d Test fix - graph test occasionally failed to fail on all shards due to random nature of indexing. Tightened test class logic to deal with partial failures.
Original commit: elastic/x-pack-elasticsearch@b2dcdd7600
2016-04-29 14:45:15 +01:00
jaymode de48b2426b change how audit user is compared, do not setDaemon, test cleanup
This commit makes a few modifications to the IndexAuditTrail class:

* Use `InternalAuditUser#is` to determine if the principal is the auditor when we have a user
and simply compare `InternalAuditUser#NAME` when only a string principal is available
* Remove the `Thread#setDaemon` call in the QueueConsumer as this thread should be terminated
as part of the shutdown of the node

In terms of tests, there are some issues and changes to how we test certain aspects. The muted tests
were not accurate since the tests immediately checked for the existence of an index and did not poll or
wait and this operation is asynchronous so the index could be created after the exists request was
executed. These tests were removed and a new class was added to test the muted behavior. In these
tests we override the audit trails implementation of a queue, which will set a flag to indicate a message
has been added to the queue. This is a synchronous operation so it can be checked immediately.

The other tests in the IndexAuditTrail tests remain but a few changes have been made to the execution.

* ensureYellow is called for the index we expect to be created before searching for documents
* the remote cluster is only setup at the beginning of the suite rather than before every test to ensure
quicker execution
* the maximum number of shards has been reduced to three since we do not really need up to 10 shards
for a single document

Original commit: elastic/x-pack-elasticsearch@501b6ce9da
2016-04-29 09:08:10 -04:00
Alexander Reelsen 27f0a68a28 X-Pack Notification: Settings refactoring, removed 'service'
The service part is now obsolete with moving to `xpack.notification`.

Original commit: elastic/x-pack-elasticsearch@a7907f24a5
2016-04-29 09:02:36 +02:00
Ryan Ernst 4be1266616 Fix xpack rest test with new xpack info output (timestamp instead of date)
Original commit: elastic/x-pack-elasticsearch@ccb89481cf
2016-04-28 11:46:31 -07:00
Ryan Ernst 09a0276a56 Merge pull request elastic/elasticsearch#2123 from rjernst/build_info
Build: use jar metadata instead of expecting a properties file for xpack build info

Original commit: elastic/x-pack-elasticsearch@a7238cf527
2016-04-28 08:58:52 -07:00
jaymode c39b3ba2fc security: add the proper behavior for the standard license
This change adds the proper behavior for the standard license which is:

* authentication is enabled but only the reserved, native and file realms are available
* authorization is enabled

Features that are disabled:

* auditing
* ip filtering
* custom realms
* LDAP, Active Directory, PKI realms

See elastic/elasticsearch#1263

Original commit: elastic/x-pack-elasticsearch@920c045bf1
2016-04-28 09:33:57 -04:00
markharwood 077599b63f X-plugin tests - added testing for Standard licence in graph plugin. See https://github.com/elastic/x-plugins/issues/1263
Original commit: elastic/x-pack-elasticsearch@6773ead0fc
2016-04-28 13:51:43 +01:00
jaymode 91943318bf security: cleanup authentication service
This commit removes duplicated code in the authentication service by combining
the authentication logic for rest and transport requests. As part of this we no longer
cache the authentication token since we put the user in the context and serialize the
user.

Additionally we now pass the thread context to the AuthenticationFailureHandler to
restore access to the headers and context.

Original commit: elastic/x-pack-elasticsearch@79e2375a13
2016-04-28 07:59:16 -04:00
jaymode 4f7dad8da2 security: handle null values for full name and email
This commit adds logic so that we properly handle null tokens for full name and
email.

Closes elastic/elasticsearch#1887

Original commit: elastic/x-pack-elasticsearch@e03188c29f
2016-04-28 07:41:27 -04:00
Alexander Reelsen 917101f7a3 Smoke Testing: Add smoke tester for licensing
In order to prevent shipping of RCs with the wrong license, this
smoke tester downloads the internal RC, installs x-pack and puts
a license in there.

if putting is successful, we can be sure, we got the right license.

Closes elastic/elasticsearch#2087

Original commit: elastic/x-pack-elasticsearch@021d228e29
2016-04-28 08:47:31 +02:00
Ryan Ernst 4d1f4a244a Build: use jar metadata instead of expecting a properties file for xpack
build info

There are many other things that should be cleaned up around this (eg
XpackInfoResponse.BuildInfo should not exist, it is the exact same as
what XPackBuild has), but this change gets the build info output working
again.

closes elastic/elasticsearch#2116

Original commit: elastic/x-pack-elasticsearch@0730daf031
2016-04-27 13:33:42 -07:00
jaymode f4f156b351 test: add awaits fix to FLS field stats tests
See elastic/elasticsearch#2120

Original commit: elastic/x-pack-elasticsearch@fc7950bf65
2016-04-27 13:55:59 -04:00
Alexander Reelsen 5d53080a1f Watcher: Remove build based property creation (elastic/elasticsearch#2107)
There we still left over files from the clean up PR to not use
build properties for the watcher templates.

Relates elastic/elasticsearch#2040

Original commit: elastic/x-pack-elasticsearch@b838d92124
2016-04-26 17:54:27 +02:00
Alexander Reelsen 3bbe5916d1 Fix compilation issue
Original commit: elastic/x-pack-elasticsearch@803275d634
2016-04-26 14:03:19 +02:00
Alexander Reelsen 91242f3a98 Tests: Increase logging for tests for randomly failing tests
Relates elastic/elasticsearch#2090

Original commit: elastic/x-pack-elasticsearch@4051354f45
2016-04-25 17:46:09 +02:00
jaymode c7ad6b9872 test: add a simple test for reserved realm authentication
See elastic/elasticsearch#2089

Original commit: elastic/x-pack-elasticsearch@1bede0a206
2016-04-25 07:34:14 -04:00
Alexander Reelsen b47d161b9e X-Pack: Porting watcher notifications to xpack notifications (elastic/elasticsearch#2056)
This mainly moves packages over to the x-pack directory and renames the settings
from `xpack.watcher.actions.` to `xpack.notification.`

Moved services include pagerduty, hipchat, slack and email.

Closes elastic/elasticsearch#1998

Original commit: elastic/x-pack-elasticsearch@40c16fe123
2016-04-22 15:57:34 +02:00
Martijn van Groningen 358fa38cf6 test: fix id, script_lang mix up
Original commit: elastic/x-pack-elasticsearch@7c4a3152ba
2016-04-22 15:12:35 +02:00
Martijn van Groningen 4650592150 Remove LazyInitializable from ScriptServiceProxy
Closes elastic/elasticsearch#2062

Original commit: elastic/x-pack-elasticsearch@4eaf323158
2016-04-22 14:31:02 +02:00
Martijn van Groningen b9515357fa Migrated from indexed scripts to store scripts
Original commit: elastic/x-pack-elasticsearch@a0218f1c9e
2016-04-22 13:43:55 +02:00
Alexander Reelsen 276d5fbbca Watcher: Updated dependencies (elastic/elasticsearch#2064)
Updated okhttp and moved the jsr305 dependency into testing.
This required a minor change in tests using SSL, as otherwise
the security manager barfs, when the okhttp webserver tries
to load sun internal SSL based classes.

Original commit: elastic/x-pack-elasticsearch@77131589e0
2016-04-22 09:45:46 +02:00
Alexander Reelsen 12ff8853f0 Monitoring/Watcher: Load version of templates in a static way (elastic/elasticsearch#2040)
The old implementation was to use properties at build-time. This however did not work,
as the tests could not be run in the IDE. This has been removed of monitoring for some
time already, but needs to be removed from watcher as well.

This commit uses static variables and refactors the code a bit. First, there is a generic
TemplateUtils class, to be used in monitoring and watcher. Also the watcher code has been changed
to copy the needed variables into the template registry class instead of keeping it in the
WatcherModule.

This commit also includes some refactoring to remove the version parameter in marvel, was static anyway

Closes elastic/elasticsearch#1372

Original commit: elastic/x-pack-elasticsearch@fbfc22ea09
2016-04-22 09:26:40 +02:00
uboness df3bbd42b9 Changed the default output of X-Pack Info API
- by default the response includes all info - build, license, features + human descriptions.
- you can still control the output using `categories` and `human` parameters
- Added docs to this API

Original commit: elastic/x-pack-elasticsearch@85115495ec
2016-04-21 18:43:17 -07:00
Chris Earle a84347f711 Monitoring: Ignore NodesStatsResposne if no stats are returned
This avoids exceptional cases where node stats are not returned due to some concurrent modification.

Original commit: elastic/x-pack-elasticsearch@6f6b8ec393
2016-04-21 16:16:00 -04:00
Nik Everett 629c585fba Handle core removing <T> from Writeable
Original commit: elastic/x-pack-elasticsearch@34632c8a67
2016-04-21 13:00:57 -04:00
Nik Everett c4dc28e7f7 Remove the last readFrom from xpack
This the last Writeable#readFrom in xpack!

Original commit: elastic/x-pack-elasticsearch@5412160bdd
2016-04-21 10:13:10 -04:00
jaymode 8c8e33889c build: remove test dependencies from published pom file
See elastic/elasticsearch#2063

Original commit: elastic/x-pack-elasticsearch@3653368363
2016-04-21 09:27:12 -04:00
Nik Everett de6d3e1a72 Remove readFrom from xpack
Writeable#readFrom has become a method you just implement because
the interface requires it but the prefered way to actually do the
reading is a ctor that takes a StreamReader. readFrom just delegates
to the ctor. This removes readFrom entirely because it is not needed
anymore and is going away in core.

Relates to https://github.com/elastic/elasticsearch/issues/17085

Original commit: elastic/x-pack-elasticsearch@dd74db5ded
2016-04-21 07:58:51 -04:00
uboness 5c9d96211f Extended X-Pack Info API with Features Info
- introduced the "Feature Set" notion - graph, security, monitoring, watcher, these are all feature sets
- each feature set can be:
 - `available` - indicates whether this feature set is available under the current license
 - `enabled` - indicates whether this feature set is enabled (note that the feature set can be enabled, yet unavailable under the current license)
- while at it, cleaned up the main modules of watcher, security, monitoring and graph.

Original commit: elastic/x-pack-elasticsearch@5b3e19fe8c
2016-04-20 14:30:48 -07:00
Jay Greenberg 8af3f91eb5 Merge pull request elastic/elasticsearch#2044 from PhaedrusTheGreek/group_search_noattrs
Change some LDAP searches to NOATTRS to avoid unnecessary results

Original commit: elastic/x-pack-elasticsearch@60c41af5a6
2016-04-20 09:29:38 -04:00
jaymode 659439841e test: adapt to removal of setting
Original commit: elastic/x-pack-elasticsearch@5f195001b9
2016-04-19 14:31:06 -04:00
Nik Everett 28bb39955c Replace (read|write)Query with (read|write)NamedWriteable
(read|write)Query is going away.

Original commit: elastic/x-pack-elasticsearch@5ac3ded68e
2016-04-19 11:06:39 -04:00
PhaedrusTheGreek 962729bd3b Changed LDAP searches to NOATTRS in order to avoid returning unecessary
data in searches where only getDn() is done on results

Original commit: elastic/x-pack-elasticsearch@5ce64235a1
2016-04-19 10:47:27 -04:00
Martijn van Groningen e24d09b54e test: allow percolate api to fail when the percolator field can't be found
Original commit: elastic/x-pack-elasticsearch@3343c9dc3a
2016-04-19 14:11:53 +02:00
Alexander Reelsen 98feb695ff Tests: Fixing failing history transform tests after mapping changes
Original commit: elastic/x-pack-elasticsearch@b1b13c52b0
2016-04-19 13:56:50 +02:00
Martijn van Groningen 0c7dff4fa7 security: Deal with upstream percolator changes.
From now on, if field level security and percolator is used then the percolator field needs to be included in the allowed fields.

Original commit: elastic/x-pack-elasticsearch@7d39b5caf6
2016-04-19 11:23:04 +02:00
Daniel Mitterdorfer fb825d7fd3 Use underscore notation for field names
Relates elastic/elasticsearchelastic/elasticsearch#17800

Original commit: elastic/x-pack-elasticsearch@1f6022116c
2016-04-19 08:41:47 +02:00
Ryan Ernst 14df2663ae Replace more occurences of new String(CONSTANT) with CONSTANT
Original commit: elastic/x-pack-elasticsearch@339de6350f
2016-04-18 14:54:14 -07:00
Ryan Ernst 7275d48bbd Remove XContentBuilderString
This is the xplugins side of elastic/elasticsearchelastic/elasticsearch#17833

Original commit: elastic/x-pack-elasticsearch@2400192775
2016-04-18 14:37:17 -07:00
Ryan Ernst 74c9358bdf Merge pull request elastic/elasticsearch#2029 from rjernst/camelcase1
Simplify xcontentstring usages

Original commit: elastic/x-pack-elasticsearch@13fd6d0e6a
2016-04-18 14:36:13 -07:00
Christoph Büscher e6bce6b36e Adapt to changes in core ES (elastic/elasticsearch#17417)
Original commit: elastic/x-pack-elasticsearch@2df6d5b27e
2016-04-18 15:33:25 +02:00
jaymode e66a6871c0 security: fix initialization of server sets in ldap session factories
The SessionFactory construction was calling the `ldapServers` method in the constructor,
which was fine for all of the session factories except for the ActiveDirectorySessionFactory.
The ActiveDirectorySessionFactory overrides the ldapServers method and use class variables
that are initialized in its constructor so the value was always null.

This change moves setup to an init method for objects that depend on variables set during
construction.

Closes elastic/elasticsearch#2011

Original commit: elastic/x-pack-elasticsearch@07c15ce171
2016-04-18 07:22:21 -04:00
Alexander Reelsen aa77646e3d Tests: Fixing xpack info tests
Even though HEAD is a possible method, this implies that no data is returned
and thus the tests fail randomly.

If HEAD should be added to the api it needs it's own API definition IMO.

Original commit: elastic/x-pack-elasticsearch@a216393f6b
2016-04-18 12:19:16 +02:00
Alexander Reelsen 99cff6f3b9 Watcher: Create module to test with painless scripting language
Also changed some documentation to use painless instead of groovy
to get people used to it.

Original commit: elastic/x-pack-elasticsearch@92a007cc0d
2016-04-18 09:14:31 +02:00
uboness 8aa48ffaff Introduced the X-Pack Info API
- Removed Shield's Info API
- Removed Watcher's Info API

Closes elastic/elasticsearch#2014

Original commit: elastic/x-pack-elasticsearch@6910cb1d6e
2016-04-17 13:38:19 +02:00
jaymode 0cce436641 build: fix x-pack pom and allow installation
* The found-license project is removed since it is no longer needed
* The plugin-api classes have moved into the license-plugin since there is only one plugin
* The license/base project publishes the proper artifactId in the pom file
* The x-pack jar file is added as an artifact so that it can be installed
* The x-pack pom no longer declares the packaging as `zip`
* The x-pack pom uses the right artifactId for license-core
* Removed disabling of installing the x-plugins artifacts
* Cleaned up a use of guava in watcher (found when trying to remove guava as a compile
dependency but is needed by the HTML sanitizer)
* Removed the dependency on the mustache compiler since it is no longer necessary

Closes elastic/elasticsearch#1987

Original commit: elastic/x-pack-elasticsearch@9d3b50b054
2016-04-15 11:31:09 -04:00