Commit Graph

247 Commits

Author SHA1 Message Date
jaymode 154b10e901 add the ability to run as another user
This change adds a new permission that allows authorized users to execute a request as
another user. The flow is as follows:

1. The user making the request is authenticated
2. The user that is being impersonated is looked up
3. The requesting user is authorized for the privilege to run as the specified user
4. The impersonated user is then authorized for the given request

Additionally, the auditing has been updated to support this capability and indicates when a
user has been granted the ability to run as another user and then also indicates both the user
who is being impersonated and the requesting user when actions are granted/denied.

Closes elastic/elasticsearch#17

Original commit: elastic/x-pack-elasticsearch@00e5a6169b
2015-09-09 11:25:02 -04:00
Martijn van Groningen fd4058f921 Use the more verbose format in the default roles.yml and docs.
Closes elastic/elasticsearch#529

Original commit: elastic/x-pack-elasticsearch@9bde530a9c
2015-09-09 15:44:35 +02:00
jaymode 14c21786ee Test: add back the stop of the local audit trails
If also indexing locally, we need to stop the audit trail indexing otherwise the test cluster checks
will fail. See elastic/elasticsearch#598

Original commit: elastic/x-pack-elasticsearch@6767ab2edb
2015-09-09 08:39:51 -04:00
jaymode 0de73ec330 Test: don't check shard counters for RemoteIndexAuditTrailStartingTests
For the RemoteIndexAuditTrailStartingTests we start a remote cluster and index into the test cluster and after
the test we stop the remote cluster but indexing operations can still be ongoing in the test cluster and thus cause
locked shards causing lots of noise in CI. We simply skip this check for these tests.

Closes elastic/elasticsearch#598

Original commit: elastic/x-pack-elasticsearch@e678f82f29
2015-09-09 07:51:38 -04:00
jaymode 94dbf3f2a7 allow for the Environment to be optional in the ClientSSLService
This change makes the environment optional for the ClientSSLService, which is used for
Transport Clients and also used for LDAP client connections. Since we use the ClientSSLService
for LDAP connections, we still need the environment when running as a node under the
security manager to resolve paths from the configuration directory.

Closes elastic/elasticsearch#573

Original commit: elastic/x-pack-elasticsearch@862fafffe3
2015-09-09 06:43:34 -04:00
Ryan Ernst 5dd5f525b5 Remove some warnings caught by -Xlint
Original commit: elastic/x-pack-elasticsearch@50bea927cf
2015-09-09 00:16:13 -07:00
Ryan Ernst 2ab0db4373 Fix compile issues after removal of loadConfigSettings from transport
client

Original commit: elastic/x-pack-elasticsearch@2efe4f2980
2015-09-08 17:22:54 -07:00
Martijn van Groningen e7b338a077 test: added smoke test for the shield tribe node integration
Original commit: elastic/x-pack-elasticsearch@f7ab8b9044
2015-09-08 12:37:36 +02:00
Martijn van Groningen 547b6346f6 Changed the underlying DLS implementation
Instead of wrapping the IndexSearcher and applying the role query during the rewrite, the role query gets applied in a custom filtered reader that applies the query via the live docs.

The big advantage is that DLS is being applied in all document based APIs instead of just the _search and _percolate APIs.

In order to better deal with the cost of converting the role query to a bitset, the bitsets are cached in the bitset filter cache
and if the role query bitset is sparse the role query and main query will execute in a leapfrog manner to make executing queries faster.
If the role query bitset isn't sparse, we fall back to livedocs.

Closes elastic/elasticsearch#537

Original commit: elastic/x-pack-elasticsearch@330b96e1f2
2015-09-08 11:04:10 +02:00
Adrien Grand 06ec935a08 Fix x-plugins following count/scan removal from elasticsearch-core.
Original commit: elastic/x-pack-elasticsearch@ee43991a0a
2015-09-07 17:44:01 +02:00
Jason Tedor 9a729638da Remove and forbid use of com.google.common.base.Strings
This commit removes and now forbids all uses of
com.google.common.base.Strings across the codebase.

For uses of com.google.common.base.Strings.isNullOrEmpty, use
org.elasticsearch.common.Strings.isNullOrEmpty.

For uses of com.google.common.base.Strings.padStart use
org.elasticsearch.common.Strings.padStart.

For uses of com.google.common.base.Strings.nullToEmpty use
org.elasticsearch.common.Strings.coalesceToEmpty.

Relates elastic/elasticsearch#13224

Original commit: elastic/x-pack-elasticsearch@d6e349e654
2015-09-07 09:37:30 -04:00
Jason Tedor 74cdc2f4ce Remove and forbid the use of com.google.common.base.Predicate(s)?
This commit removes and now forbids all uses of
com.google.common.base.Predicate and com.google.common.base.Predicates
across the codebase. This is one of the many steps in the eventual
removal of Guava as a dependency. This was enabled by
elastic/elasticsearch#13314.

Relates elastic/elasticsearch#13224, elastic/elasticsearch#13349

Original commit: elastic/x-pack-elasticsearch@968b81849f
2015-09-04 13:33:31 -04:00
uboness 533c14242f Bumped the version to 3.0.0-SNAPSHOT
Original commit: elastic/x-pack-elasticsearch@0771b3e589
2015-09-04 16:30:11 +02:00
jaymode 2f93428f22 test: poll for the index audit trail template
The template may not get recreated immediately due to other pending cluster state updates.

Original commit: elastic/x-pack-elasticsearch@810d77b397
2015-09-03 17:43:14 -04:00
jaymode 480406ebc7 Test: stop the IndexAuditTrail if running to prevent locked shards
The InternalTestCluster checks after the tests run if there are any locked shards, which is still
possible because the IndexAuditTrail is running and auditing events. This change makes the
test stop the IndexAuditTrail if they are running in the local cluster.

Original commit: elastic/x-pack-elasticsearch@f7fb564525
2015-09-03 13:00:42 -04:00
jaymode 1dbdf2ea1f add note on extended key usage
Closes elastic/elasticsearch#362

Original commit: elastic/x-pack-elasticsearch@0a2e0ab6d1
2015-09-03 11:53:39 -04:00
jaymode 892d9774f5 update limitations around more like this query
This updates the limitations section to indicate that the MLT query only works with Elasticsearch
1.6.2+ and 1.7.1+.

Closes elastic/elasticsearch#331

Original commit: elastic/x-pack-elasticsearch@70f2bb484e
2015-09-03 11:45:50 -04:00
jaymode afacb47828 make IndexAuditTrail recreate template and remove ShieldWrappingCluster
The ShieldWrappingCluster was added to prevent deletion of the IndexAuditTrail template when
running tests since the wipe() method will delete all templates. However, the cluster wrapping
is problematic with indexRandom() and causes noise in CI. This change removes the
ShieldWrappingCluster and changes the IndexAuditTrail to recreate the index template if it is
removed.

Closes elastic/elasticsearch#562

Original commit: elastic/x-pack-elasticsearch@0403ea7cef
2015-09-03 11:32:24 -04:00
Adrien Grand b4d5ef5904 Fix query rewriting for document-level security to be stable.
Original commit: elastic/x-pack-elasticsearch@3ad7eb4ded
2015-09-03 12:46:20 +02:00
Martijn van Groningen f270e585f4 dls: compare the rewritten query
Original commit: elastic/x-pack-elasticsearch@b84d661f33
2015-09-03 10:57:24 +02:00
Martijn van Groningen 99d91b7a9c Added wildcard support to the FLS `fields` option.
Closes elastic/elasticsearch#452

Original commit: elastic/x-pack-elasticsearch@4e82ce0472
2015-09-03 10:37:34 +02:00
Martijn van Groningen 1a84daab2a DLS: don't wrap twice
Original commit: elastic/x-pack-elasticsearch@86f6f7ac17
2015-09-03 10:31:23 +02:00
Areek Zillur dc471bc0a9 Fix naming for abstract test cases
Original commit: elastic/x-pack-elasticsearch@546ac98077
2015-09-02 16:58:06 -04:00
Britta Weber f90afd72d2 Update handler list for change in refresh and flush action
renamed actions back to admin/* and add suffix [s] instead

Original commit: elastic/x-pack-elasticsearch@32d3365941
2015-09-01 12:56:27 +02:00
Britta Weber 6cafd41d4f Update handler list for change in refresh and flush action
https://github.com/elastic/elasticsearch/pull/13068

Original commit: elastic/x-pack-elasticsearch@5e3e512481
2015-09-01 09:34:44 +02:00
debadair 75d8d12c37 Docs: Updated kibana.yml settings to match 4.2 changes. Closes elastic/elasticsearch#524.
Original commit: elastic/x-pack-elasticsearch@e305153fe5
2015-08-31 14:35:59 -07:00
Martijn van Groningen 39b7092185 test: removed the 'plugin.types' usages from the source code
Original commit: elastic/x-pack-elasticsearch@a94cdee31f
2015-08-31 22:45:56 +02:00
jaymode 2de31460c8 remove use of ImmutableList in shield
Original commit: elastic/x-pack-elasticsearch@83be549a11
2015-08-31 15:59:28 -04:00
Martijn van Groningen 5900a65085 fixed compile error due to upstream change
Original commit: elastic/x-pack-elasticsearch@70a16e125c
2015-08-31 21:28:35 +02:00
Martijn van Groningen 90d0cb22ac unmuted test
Original commit: elastic/x-pack-elasticsearch@8bd95e427e
2015-08-31 21:28:18 +02:00
Martijn van Groningen 896ee0447c test: properly delegate the ShieldIntegTestCase#transportClientPlugins() and ShieldIntegTestCase#nodePlugins() methods to the settings source.
Original commit: elastic/x-pack-elasticsearch@7d55833917
2015-08-31 17:54:48 +02:00
jaymode a63f4d3678 suppress the LocalTransport for all Shield tests
Original commit: elastic/x-pack-elasticsearch@6c0b840643
2015-08-31 09:50:22 -04:00
Martijn van Groningen bd6111e9a7 updated await fix url
Original commit: elastic/x-pack-elasticsearch@e1646af2cd
2015-08-31 15:40:38 +02:00
Jason Tedor 36b5eaf09b Add test to ensure that ShieldServerTransportService wraps all handlers
This commit adds a test to ensure that all request handlers are wrapped
by ProfileSecuredRequestHandler.

Original commit: elastic/x-pack-elasticsearch@26473d0ddc
2015-08-31 08:30:35 -04:00
jaymode fb11827f78 mute TribeTests and remove license plugin from transportClientPlugins
See elastic/elasticsearch#551

Original commit: elastic/x-pack-elasticsearch@1d2ba3fc0e
2015-08-31 08:24:05 -04:00
Martijn van Groningen 1786e8eb10 test: use mock node to supply the plugins
Original commit: elastic/x-pack-elasticsearch@3f1aa333e8
2015-08-31 13:37:37 +02:00
David Pilato 13d5619d4e Merge branch 'pr/typo'
Original commit: elastic/x-pack-elasticsearch@73d7f06605
2015-08-31 13:15:14 +02:00
Boaz Leskes d75a8b8d6c Update handler list for change in Upgrade action
See https://github.com/elastic/elasticsearch/pull/13205

Original commit: elastic/x-pack-elasticsearch@8759f59eb5
2015-08-31 13:05:05 +02:00
Martijn van Groningen fd84ea7e90 test: make sure plugins are loaded in transport client
Original commit: elastic/x-pack-elasticsearch@81dd18d8b8
2015-08-31 13:01:39 +02:00
Martijn van Groningen b79be0db42 muted test
Original commit: elastic/x-pack-elasticsearch@112546cad9
2015-08-31 12:58:10 +02:00
Martijn van Groningen 677cf7e573 delegate
Original commit: elastic/x-pack-elasticsearch@5999c5d17b
2015-08-31 12:58:03 +02:00
Martijn van Groningen c81af81cd3 test: more fixes due to upstream changes
Original commit: elastic/x-pack-elasticsearch@92119d102c
2015-08-31 12:30:05 +02:00
Martijn van Groningen 98f5f489d0 test: more fixes due to upstream test infrastructure changes
Original commit: elastic/x-pack-elasticsearch@ab2dcca86d
2015-08-31 11:45:33 +02:00
David Pilato 88e389dd2e [typo] LICESE_EXPIRATION_ACTION_MATCHER should be LICENSE_...
Original commit: elastic/x-pack-elasticsearch@1e91087de7
2015-08-31 11:19:11 +02:00
Martijn van Groningen af4af34e2b fix compile errors
Original commit: elastic/x-pack-elasticsearch@38feef1376
2015-08-31 10:47:49 +02:00
Jason Tedor c09c5611b8 Add override of handler registration method to wrap handler
Original commit: elastic/x-pack-elasticsearch@4dcfb637c2
2015-08-30 17:49:56 -04:00
Boaz Leskes add8dd4cc4 Update handler list for changes made in https://github.com/elastic/elasticsearch/pull/12944
Original commit: elastic/x-pack-elasticsearch@2dcbf8bc99
2015-08-30 09:16:34 +02:00
jaymode d6eb2c8261 do not copy the authorization header from rest requests
Currently we copy the authorization header from every rest request to the action request. This is not
necessary because the user associated with each request is copied into the context and then if the
request leaves the node, the user will be serialized into a string and attached as a header.

This commit removes the copying of the authorization header as it is not necessary and by not copying
it, we limit the amount of copies we make of this sensitive information.

Original commit: elastic/x-pack-elasticsearch@4e5ba4b4aa
2015-08-28 09:04:39 -04:00
Martijn van Groningen fc9aff30bc fixed forbidden api failures:
Arrays.newArrayList() -> new ArrayList<>()
ImmutableSet.of() -> Collections.emptyList()

Original commit: elastic/x-pack-elasticsearch@a36a4eaa16
2015-08-28 10:18:48 +02:00
Martijn van Groningen 5f01f793d5 Added document and field level security
This commit adds document and field level security to Shield.

Field level security can be enabled by adding the `fields` option to a role in the `role.yml` file.

For example:

```yaml
customer_care:
  indices:
    '*':
      privileges: read
      fields:
        - issue_id
        - description
        - customer_handle
        - customer_email
        - customer_address
        - customer_phone
```

The `fields` list is an inclusive list of fields that controls what fields should be accessible for that role. By default all meta fields (_uid, _type, _source, _ttl etc) are also included, otherwise ES or specific features stop working. The `_all` field, if configured, isn't included by default, since that actually contains data from all the other fields. If the `_all` field is required then this needs to be added to the `fields` list in a role. In the case of the content of the `_source` field and `_field_names` there is special filtering in place so that only the content relevant for the role is being returned.

If no `fields` is specified then field level security is disabled for that role and all fields in an index are accessible.

Field level security can be set up per index group.

Field level security is implemented at the Lucene level by wrapping a directory index reader and hiding away fields that aren't in the `field` list defined with the role of the current user. It is as if the other fields never existed.

* Any `realtime` read operation from the translog is disabled. Instead these operations fall back to the Lucene index, which makes these operations compatible with field level security, but they aren't realtime.
* If a user with role A executes first and the result gets cached, and then a user with role B executes the same query, results from the query executed with role A would be returned. This is bad and therefore the query cache is disabled.
* For the same reason the request cache is also disabled.
* The update API is blocked. An update request needs to be executed via a role that doesn't have field level security enabled.

Document level security can be enabled by adding the `query` option to a role in the `role.yml` file:
```yaml
customer_care:
  indices:
    '*':
      privileges: read
      query:
        term:
          department_id: 12
```

Document level security is implemented as a filter that filters out documents that don't match the query. This is like index aliases, but better, because the role query is embedded on the lowest level possible in ES (Engine level) and in all places that acquire an IndexSearcher the role query will always be included, while alias filters are applied at a higher level (after the searcher has been acquired).

Document level security can be set up per index group.

Right now, like alias filters, the document level security isn't applied on all APIs, for example the get API and term vector API, which ignore the alias filter. These APIs do acquire an IndexSearcher, but don't use the IndexSearcher itself and directly use the index reader to access the inverted index, therefore bypassing the role query. If it is required that these APIs need document level security too, then the implementation for document level security needs to change.

Closes elastic/elasticsearch#341

Original commit: elastic/x-pack-elasticsearch@fac085dca6
2015-08-27 17:54:50 +02:00
jaymode 693d16777c correct the shield offline download links
Closes elastic/elasticsearch#499

Original commit: elastic/x-pack-elasticsearch@86a8015132
2015-08-25 10:00:58 -04:00
Areek Zillur ef7d4e2579 stub out acknowledge callbacks for commercial plugins
Original commit: elastic/x-pack-elasticsearch@d16f9dc1df
2015-08-24 18:25:40 -04:00
Areek Zillur 0b9021ee87 Add license acknowledgment mechanism for consumer plugins to notify users when they attempt to install a new license
closes elastic/elasticsearch#461

Original commit: elastic/x-pack-elasticsearch@bc30ac2871
2015-08-24 18:25:29 -04:00
jaymode f879ccf426 update version numbers in shield documentation to 2.1.0
Cherry-pick of commit to 2.0 and updated to change version to 2.1.0

Original commit: elastic/x-pack-elasticsearch@8672bbf1b1
2015-08-24 11:23:20 -04:00
Simon Willnauer e723c355d8 Remove unused imports - SpawnModules.java is removed
Original commit: elastic/x-pack-elasticsearch@717d38694d
2015-08-23 13:03:50 +02:00
Ryan Ernst 670b9b5ce8 Remove use of PreProcessModule
PreProcessModule was an alternate way to customize another module's
behavior inside plugins. The preferred (and only in the future) way to
do this is with onModule in the plugin itself. This change moves the
only two remaining users of PreProcessModule to do so in their
respective plugins. The use case was adding roles for shield
authorization, but these roles were really static, so there was no
reason they could not be configured up front.

Original commit: elastic/x-pack-elasticsearch@e67ac2dcb6
2015-08-21 14:23:23 -07:00
jaymode 70a37440cf fix IndexAuditTrail test failure
Failure was caused by using NetworkAddress.format instead of NetworkAddress.formatAddress

Original commit: elastic/x-pack-elasticsearch@48c5c34f57
2015-08-21 12:00:57 -04:00
jaymode 8fd5fe7ed8 add the ability to register custom authentication realms
This adds the extension points necessary to enable a user to write an elasticsearch plugin
that can integrate with Shield and add a custom authentication realm. For the most part,
the work here just exposes the existing interfaces we have been using for Realms and
factories to create realms. An additional interface was added to allow for a custom
authentication failure handler to be used. This was needed to support use cases like SSO
and Kerberos where additional headers may need to be sent to the user or a different
HTTP response code would need to be sent.

Relates to elastic/elasticsearch#24

Original commit: elastic/x-pack-elasticsearch@13442e5919
2015-08-21 10:39:05 -04:00
jaymode 7e552f393b fix all InetAddress forbidden apis and compile errors
This commit also fixes test shard routing compilation error and disables local address check in
the Shield IPFilter. This will be addressed in a followup, see elastic/elasticsearch#487

Original commit: elastic/x-pack-elasticsearch@984df0b131
2015-08-21 09:22:57 -04:00
jaymode 8bb35cd6c3 fix transport client documentation for 2.0 and add notes about file locations
This also changes ES_HOME/config -> CONFIG_DIR in the documentation to more accurately reflect the
location of configuration files as they are not always in ES_HOME/config.

Closes elastic/elasticsearch#455
Closes elastic/elasticsearch#432

Original commit: elastic/x-pack-elasticsearch@63ce35450c
2015-08-20 06:29:13 -04:00
debadair dffd30d591 Updated package installation information. Closes elastic/elasticsearch#376.
Original commit: elastic/x-pack-elasticsearch@59be16531c
2015-08-19 14:10:51 -07:00
debadair 3d5fef9d8f Updated the SSL config & CA topics to make the procedures clearer.
Original commit: elastic/x-pack-elasticsearch@9a08da7703
2015-08-19 13:51:54 -07:00
Ryan Ernst 804cf68031 Merge pull request elastic/elasticsearch#472 from rjernst/despawn
Remove uses of SpawnModules

Original commit: elastic/x-pack-elasticsearch@09b719e9c0
2015-08-19 08:56:43 -07:00
jaymode de02fd3c9c remove AwaitsFix from IPHostnameVerification tests now that it is fixed in core
Closes elastic/elasticsearch#468

Original commit: elastic/x-pack-elasticsearch@e2623762a3
2015-08-19 10:01:31 -04:00
Ryan Ernst e0128daf9a Remove uses of SpawnModules
SpawnModules will be going away very soon as part of
elastic/elasticsearch#12783. This change removes its use from all
x-plugins.

Most spawnmodules uses here were to either collect a number of modules
into one (so the modules were just moved up into the plugin itself), or
to spawn a module which interacted with an extension point from ES. This
change moves those, as well as most uses of PreProcessModule, to use
onModule.

Original commit: elastic/x-pack-elasticsearch@6430e35379
2015-08-18 18:41:44 -07:00
Ryan Ernst 2b5cb6b9f2 Fix compile after removal of apache commons and refactoring of plugin api
Original commit: elastic/x-pack-elasticsearch@5171192d16
2015-08-18 15:35:01 -07:00
jaymode 152aeaa776 remove NetworkUtils and InetAddress getLocalHost usage in shield
Original commit: elastic/x-pack-elasticsearch@460ef63824
2015-08-18 13:31:03 -04:00
David Pilato 29f8362bce [maven] fix build issues with artifactId renaming
Related to elastic/elasticsearch#450

Original commit: elastic/x-pack-elasticsearch@780002a9de
2015-08-18 18:03:40 +02:00
David Pilato 5899dc5f46 [maven] fix build issues with artifactId renaming
Related to elastic/elasticsearch#450

Original commit: elastic/x-pack-elasticsearch@d84fc8e85f
2015-08-18 17:29:09 +02:00
David Pilato 7b10f36775 [maven] rename artifactIds from `elasticsearch-something` to `something`
When https://github.com/elastic/elasticsearch/pull/12879 is merged, this commit should be merged as well.

```
[INFO] Reactor Summary:
[INFO]
[INFO] Elasticsearch Commercial Plugin Build Resources .... SUCCESS [  0.228 s]
[INFO] Elasticsearch X-Plugins - Parent POM ............... SUCCESS [  0.282 s]
[INFO] X-Plugins: License: Parent POM ..................... SUCCESS [  0.089 s]
[INFO] X-Plugins: License: Core ........................... SUCCESS [  0.118 s]
[INFO] X-Plugins: License: Licensor ....................... SUCCESS [  0.150 s]
[INFO] X-Plugins: License: Plugin API ..................... SUCCESS [  0.106 s]
[INFO] X-Plugins: License: Plugin ......................... SUCCESS [  0.112 s]
[INFO] X-Plugins: Shield .................................. SUCCESS [  0.234 s]
[INFO] X-Plugins: Watcher ................................. SUCCESS [  0.264 s]
[INFO] X-Plugins: Marvel .................................. SUCCESS [  0.113 s]
[INFO] QA: Parent POM ..................................... SUCCESS [  0.097 s]
[INFO] QA: Smoke Test X-Plugins ........................... SUCCESS [  0.107 s]
[INFO] QA: Shield core REST tests ......................... SUCCESS [  0.093 s]
[INFO] QA: Smoke Test Watcher's Shield integration ........ SUCCESS [  0.109 s]
```

Original commit: elastic/x-pack-elasticsearch@e9871261cf
2015-08-18 13:55:11 +02:00
Ryan Ernst dbaf3166ef Fix compile, NetworkUtils get hostname and address methods changed
Original commit: elastic/x-pack-elasticsearch@64a94930dd
2015-08-18 00:13:23 -07:00
Martijn van Groningen 59fdd54dbc Fixed compile error due to upstream change.
Original commit: elastic/x-pack-elasticsearch@a07877571c
2015-08-17 13:44:59 +02:00
Martijn van Groningen d7665293cb Changed pom version to 2.1.0-SNAPSHOT
as ES core does in its master branch

Original commit: elastic/x-pack-elasticsearch@fc9b1a7327
2015-08-17 13:44:33 +02:00
Adrien Grand b8666f0bca Merge pull request elastic/elasticsearch#441 from jpountz/fix/shield_core_rest_tests_to_qa
Tests: Move Shield "run core REST tests" to qa.

Original commit: elastic/x-pack-elasticsearch@4040a1766a
2015-08-14 11:23:40 +02:00
Adrien Grand 06d84f00e4 Tests: Move Shield "run core REST tests" to qa.
Close elastic/elasticsearch#404

Original commit: elastic/x-pack-elasticsearch@1250e1449e
2015-08-14 11:18:11 +02:00
uboness c8b83daf44 Removed plugin specific version classes
Now that the versions are aligned with ES version, we can just use the es `Version` class. Version compatibility is applied by the `PluginService`.

Closes elastic/elasticsearch#439

Original commit: elastic/x-pack-elasticsearch@32f305abb8
2015-08-13 17:54:38 +02:00
uboness c4e213fc92 Updated version to 2.0.0-SNAPSHOT
Original commit: elastic/x-pack-elasticsearch@8fb8035596
2015-08-13 00:05:11 +02:00
jaymode 0b4512582f fix integration test runs due to changes in core around argument definition
Original commit: elastic/x-pack-elasticsearch@af2a85cf91
2015-08-11 09:01:14 -04:00
Ryan Ernst ceb932a276 Fix transport test to use plugin to hookup mock
Original commit: elastic/x-pack-elasticsearch@397c6bc2dc
2015-08-10 17:53:37 -07:00
jaymode 85eeeab88a add release notes for Shield 1.3.2
Original commit: elastic/x-pack-elasticsearch@f4f3101aa2
2015-08-10 13:10:28 -04:00
jaymode 1b72f13458 fix the rest response for the clear cache action and add tests
Today the XContent building of the response for the ClearRealmsCacheResponse is broken and causes
an exception to be thrown. This fixes the building of the response and adds tests that call the HTTP
endpoint and do a basic check on the response.

Closes elastic/elasticsearch#390

Original commit: elastic/x-pack-elasticsearch@8ad9dae4ea
2015-08-06 12:48:44 -04:00
Alexander Reelsen b433ee390c Packaging: Changing groupId to org.elasticsearch.plugin
This commit changes the groupId to the above mentioned one
so that S3 uploads will end up in the right bucket. This will
allow the Elasticsearch plugin manager to install the commercial
plugins like

```
bin/plugin install {watcher,shield,license,marvel}
```

like the official ones.

Original commit: elastic/x-pack-elasticsearch@642f1f006a
2015-08-06 15:46:48 +02:00
Robert Muir ef01b29158 fix shield integ startup to be cleaner
Original commit: elastic/x-pack-elasticsearch@65bbc5b64a
2015-08-06 08:32:49 -04:00
jaymode fc7d0c017a fix Shield compilation error due to changes in core
Original commit: elastic/x-pack-elasticsearch@1e2a77595b
2015-08-06 07:11:30 -04:00
Robert Muir faec3cffa9 Merge branch 'master' of github.com:elastic/x-plugins
Original commit: elastic/x-pack-elasticsearch@43a0149126
2015-08-06 06:13:32 -04:00
Robert Muir 0ba276d44f FUCK YOU GIT
Squashed commit of the following:

commit 9e1eee30eca33e96fc0010300331207ae609a825
Author: Robert Muir <rmuir@apache.org>
Date:   Thu Aug 6 06:11:15 2015 -0400

    fix shield integration tests with master changes

    TODO: this all needs cleanup

commit elastic/x-pack@098f8994a6
Author: debadair <deb.adair@elasticsearch.com>
Date:   Wed Aug 5 13:09:17 2015 -0700

    Added missing description and edited the table.

commit elastic/x-pack@f1782adb40
Author: Martijn van Groningen <martijn.v.groningen@gmail.com>
Date:   Wed Jul 15 14:08:27 2015 +0200

    There is no need to check if the primary shards of the history indices are started, since we don't load watch records any more during the Watcher startup process.

commit elastic/x-pack@689fdcd00b
Author: Martijn van Groningen <martijn.v.groningen@gmail.com>
Date:   Fri Jul 17 22:44:52 2015 +0200

    Use custom metadata to remember that Watcher stopped via an explicit stop api call.

    Also expose WatcherMetaData in stats api

commit elastic/x-pack@abaa42d608
Author: Tanguy Leroux <tlrx.dev@gmail.com>
Date:   Wed Aug 5 11:31:42 2015 +0200

    Marvel: Add Cluster Stats timeout

commit elastic/x-pack@1be4701a4b
Author: uboness <uboness@gmail.com>
Date:   Wed Aug 5 00:20:05 2015 +0200

    [watcher] Remove default timezone usage

    Closes elastic/elasticsearch#387

commit elastic/x-pack@88f588d97b
Merge: elastic/x-pack@c49a303 elastic/x-pack@bb12e9a
Author: Robert Muir <rcmuir@gmail.com>
Date:   Tue Aug 4 17:11:52 2015 -0400

    Merge pull request elastic/elasticsearch#386 from rmuir/shield_integ_update

    adapt shield to integration tests changes

commit elastic/x-pack@bb12e9aa8d
Author: Robert Muir <rmuir@apache.org>
Date:   Tue Aug 4 16:17:23 2015 -0400

    adapt shield to integration tests changes

    we don't use ports 9200/9300 by default for integration tests anymore.
    they easily conflict with the user running/debugging es on their machine.

Original commit: elastic/x-pack-elasticsearch@17a474df2c
2015-08-06 06:13:16 -04:00
debadair 56c3f41a6e Added missing description and edited the table.
Original commit: elastic/x-pack-elasticsearch@69f07459af
2015-08-05 13:09:17 -07:00
Robert Muir 46685fd5ee adapt shield to integration tests changes
we don't use ports 9200/9300 by default for integration tests anymore.
they easily conflict with the user running/debugging es on their machine.

Original commit: elastic/x-pack-elasticsearch@3ff7491459
2015-08-04 16:17:23 -04:00
jaymode e8364d6b50 add a property for attaching assemblies and disable it for public deployment
Currently, we attach the zip assembly for all plugins but Shield when deploying. This is problematic because
we want to track the downloads of the zips through our downloads service. This commit changes the
behavior to not attach the zip assembly when deploying publicly.

The source files were also being attached even for public deployments and this commit adds a property to
stop that for public deployments and a check to ensure that no sources or zip file is attached when deploying
publicly.

Additionally, the default profile overrides the distribution management of the parent pom(s) so that a deploy
without a profile specified will not work. Without this change issuing a deploy command on a machine that
has credentials for sonatype's repositories could have deployed the artifacts to the sonatype OSS repository.

Closes elastic/elasticsearch#321

Original commit: elastic/x-pack-elasticsearch@37a0a6c312
2015-08-04 12:46:04 -04:00
jaymode 571c04dd79 add realm name to connection pool log message
See elastic/elasticsearch#325

Original commit: elastic/x-pack-elasticsearch@c25019cbb9
2015-08-04 07:36:27 -04:00
Robert Muir 40083d9152 Don't redundantly run rest tests in both unit and integ tests.
We can just run these during the integration test phase: there is
no benefit in running them during `mvn test` too.

Original commit: elastic/x-pack-elasticsearch@4b275920e2
2015-08-03 22:04:33 -04:00
Ryan Ernst cfc4c6eca2 Rename integ tests back from IT extension
Original commit: elastic/x-pack-elasticsearch@e4ffa393ba
2015-08-03 18:47:33 -07:00
Ryan Ernst ae02762b95 Rename test cases to use new test name patterns
With elastic/elasticsearch#12623 base test classes were renamed
to use "TestCase" suffix. This updates x-plugins to reflect those
name changes. It also renames some tests that were marked
with @Slow (which was forbidden with elastic/elasticsearch#12617 and
elastic/elasticsearch#12618) to use the IT suffix to run
under `mvn verify`.

Original commit: elastic/x-pack-elasticsearch@05ffe2f202
2015-08-03 18:18:18 -07:00
Robert Muir aca4133fbd Fix mocking here
Original commit: elastic/x-pack-elasticsearch@39903ee7b5
2015-08-03 13:46:28 -04:00
Robert Muir 875e2e67c5 switch over uses of homeFile() to binFile().getParent().
homeFile() is removed and should not be used, we need to cleanup,
but this is just a rote change to get builds green.

Original commit: elastic/x-pack-elasticsearch@05d0fb4a7c
2015-08-03 13:36:22 -04:00
jaymode 462d1b335f fix shield integration tests
Original commit: elastic/x-pack-elasticsearch@fb063b5ad1
2015-07-31 14:20:18 -04:00
debadair 25d7dfa555 Added step-by-step instructions for using Kibana with Shield. Closes elastic/elasticsearch#283.
Original commit: elastic/x-pack-elasticsearch@f3aab8e6a4
2015-07-31 09:38:24 -07:00
Tanguy Leroux 101ea6deab Remove usage of Streams.copyToBytesFromClasspath()
Original commit: elastic/x-pack-elasticsearch@8f813e9275
2015-07-31 16:37:30 +02:00
jaymode 3713b3dfdd use NetworkUtils instead of InetAddress.getLocalHost
Prior to this commit, we were using InetAddress.getLocalHost() to get the hostname and host
address when auditing. This is different than how we report the node's hostname and host
address in other places where we use NetworkUtils. This caused false failures to be seen
with the IndexAuditTrail tests. This commit switches the audit trails to use the NetworkUtils
methods.

Closes elastic/elasticsearch#285

Original commit: elastic/x-pack-elasticsearch@c0bd7e94f6
2015-07-31 09:42:01 -04:00
Suyog Rao 63a04169a2 Docs: Add PKI auth support for Logstash http protocol
Closes elastic/elasticsearch#328

Original commit: elastic/x-pack-elasticsearch@04235e714a
2015-07-30 14:05:59 -07:00
jaymode 4b779b6fd6 allow ldap user search connection pool creation to be retried if it fails on startup
Today, if a LDAP server is down and the LDAP realm uses the user search mechanism this will prevent the
node from starting up. This is not ideal because users can still authenticate with another realm if it is
configured. This change tries to create the connection pool on initialization but if it fails, creation will be retried
on each attempted authentication until the server is available again.

Closes elastic/elasticsearch#107

Original commit: elastic/x-pack-elasticsearch@f2ccf858ff
2015-07-30 14:24:52 -04:00
Alexander Reelsen 7ec8a7ab27 CLI tool: Fix exit status changes
In elastic/elasticsearch#12165 the return value of the CLITool was changed from an integer
to the ExitStatus enum. This commit adapts the cli tools of x-plugins.

Original commit: elastic/x-pack-elasticsearch@fc6478bfa5
2015-07-30 16:06:54 +02:00
jaymode 52be1aa943 [Test] mute the cat node attributes rest test
The integration tests do not have any node attributes so the body that is returned is empty
and causes the test to fail.

Original commit: elastic/x-pack-elasticsearch@ad846796f1
2015-07-30 07:03:03 -04:00
jaymode d3cbea6f4c use correct cluster state when starting index audit trail
Currently, we use the local cluster state when determining if the index audit trail can be
started. This is correct when we are logging to the same cluster but is incorrect when we
log to a remote cluster. Instead we should try to initialize the client and get the remote
cluster's state.

This also changes the enqueue method to stop throwing an exception on failing to add a
message to the queue. The exception was unnecessary and causing hard to read logs.
It is now replaced with a simple warn log message.

Closes elastic/elasticsearch#317

Original commit: elastic/x-pack-elasticsearch@238e9159b3
2015-07-28 12:37:51 -04:00
jaymode 5de2b799e0 don't attach audit user to remote requests and fix rest origin address
Currently, we attach the internal audit user to all requests. This is incorrect for requests that
need to be sent to a remote cluster. For these cases, we should require a user to be defined
to access the remote cluster if it is protected by Shield.

Additionally, the origin_address field for rest request fields is formatted differently than other
address fields. This changes the field to only be the remote address.

Closes elastic/elasticsearch#278
Closes elastic/elasticsearch#279

Original commit: elastic/x-pack-elasticsearch@a5f86b1974
2015-07-28 12:37:51 -04:00
Alexander Reelsen bf2f1e35ea Testing: Fix copying of files in shield integration tests
In order to correctly copy the license plugin version, we have
to enable useBaseVersion in order to strip the snapshot version
number.

Original commit: elastic/x-pack-elasticsearch@025da92c35
2015-07-28 16:55:07 +02:00
jaymode 7e78f09a1d update shield limitations around document level security
Original commit: elastic/x-pack-elasticsearch@4afbf69ce2
2015-07-27 13:25:19 -04:00
Martijn van Groningen 3abe6e02d6 fixed compile error due to an upstream change in the MetaData class
Original commit: elastic/x-pack-elasticsearch@b74276d43c
2015-07-24 22:26:36 +02:00
Alexander Reelsen ba5900cf0b Documentation: Fix calls for bin/plugin to be compatible with master
Original commit: elastic/x-pack-elasticsearch@e9ce3f401c
2015-07-24 12:24:44 +02:00
jaymode 92e6d301f2 [Test] don't use the shard AnalyzeAction when checking action mapping
Original commit: elastic/x-pack-elasticsearch@6501695edf
2015-07-24 06:08:24 -04:00
jaymode 1e63141bf2 update ShieldActionMapper to handle the change to use TransportSingleShardAction
This relates to commit cafc7078e2 in elasticsearch

Original commit: elastic/x-pack-elasticsearch@72f8a92b80
2015-07-23 13:55:48 -04:00
Robert Muir 4b5faf00ac Add description elements to pom.xml's for plugins, it goes in their metadata file
Original commit: elastic/x-pack-elasticsearch@753f7a67f4
2015-07-22 21:57:30 -04:00
jaymode 3d74a68e00 shield publishes the zip for internal deployments and x-dev-tools doesn't need a parent
This removes the parent from x-dev-tools because we won't be publishing this artifact to sonatype's repository.

Original commit: elastic/x-pack-elasticsearch@013efb50e9
2015-07-22 12:23:18 -04:00
jaymode d7d8ca125a load shield for external cluster client
Original commit: elastic/x-pack-elasticsearch@96e8df2ac3
2015-07-22 10:25:20 -04:00
jaymode 187be6c602 tell shield tests to explicitly load shield and license plugins
Original commit: elastic/x-pack-elasticsearch@4f70d6ee93
2015-07-22 10:01:44 -04:00
Robert Muir de61163c1b add back shield assembly
Original commit: elastic/x-pack-elasticsearch@14c7d7ea8e
2015-07-22 09:31:51 -04:00
Robert Muir 360a302511 fix test compilation
Original commit: elastic/x-pack-elasticsearch@53074ee0c1
2015-07-22 09:10:34 -04:00
Robert Muir d68f94b859 give license plugin its assembly back
Original commit: elastic/x-pack-elasticsearch@ec972de2b5
2015-07-22 09:06:04 -04:00
Robert Muir 0cd1aa5aa2 get build (kinda) working
Original commit: elastic/x-pack-elasticsearch@c230faf732
2015-07-22 08:49:20 -04:00
jaymode cc7fe390eb [[getting-started-with-shield]] back to [[getting-started]]
The redirect has been removed that was causing a loop. This reverts commit elastic/x-pack@546d4d4205.

Original commit: elastic/x-pack-elasticsearch@f9fb88a9d0
2015-07-21 13:43:52 -04:00
jaymode a676a1199f release notes for Shield 1.3.1 and 1.2.3
Original commit: elastic/x-pack-elasticsearch@027b905d80
2015-07-21 11:08:55 -04:00
jaymode dbca30808f update index privilege to include shard action for indices:data/write/update
Original commit: elastic/x-pack-elasticsearch@d10b763c91
2015-07-21 10:22:53 -04:00
jaymode b54d9f9f3c add 1.3.1 and 1.2.3 to shield version
Original commit: elastic/x-pack-elasticsearch@02b798fa15
2015-07-21 10:10:35 -04:00
jaymode db0b745fa6 finish cleaning up exceptions
This commit finishes the exception cleanup and resolves the TODOs that were left from
the last set of exception changes and re-enables all muted tests.

Closes elastic/elasticsearch#5

Original commit: elastic/x-pack-elasticsearch@742fa948ce
2015-07-21 06:52:22 -04:00
debadair 91786f4662 Stated that node client is unsupported, removed node client config info, and edited the transport client config section. Closes elastic/elasticsearch#906
Original commit: elastic/x-pack-elasticsearch@9bbd6726a8
2015-07-20 10:51:06 -07:00
Clinton Gormley cbeb6fdd66 Renamed [[getting-started]] to [[getting-started-with-shield]] to avoid 301 redirect
Closes elastic/elasticsearch#303

Original commit: elastic/x-pack-elasticsearch@84b535a68c
2015-07-20 14:14:45 +02:00
jaymode 4f1aaa8882 [docs] change `active-directory` to `active_directory`
In the documentation reorganization for Shield, the type of the active directory realm changed
and is not valid. Users are configuring Shield incorrectly and running into issues because of
this. This changes the realm type to the correct value.

Closes elastic/elasticsearch#291

Original commit: elastic/x-pack-elasticsearch@7f8b65eda7
2015-07-17 19:07:52 -04:00
jaymode a2c23cdc6f update the active directory cert in the testnode keystore
Original commit: elastic/x-pack-elasticsearch@8b3d65896d
2015-07-17 08:45:39 -04:00
jaymode 41799e44a4 blacklist rest test with no indices since shield changes the behavior
Original commit: elastic/x-pack-elasticsearch@1a58146296
2015-07-17 08:17:38 -04:00
jaymode 5ac477fbb7 add shard stores api to known actions/handlers
Original commit: elastic/x-pack-elasticsearch@8f3bad4f80
2015-07-17 07:58:05 -04:00
jaymode b3c1e3a34c add new active directory certificate
Original commit: elastic/x-pack-elasticsearch@ad902dcd57
2015-07-17 07:53:36 -04:00
Clinton Gormley 7d986eb295 Docs: Fixed bad link to disk allocation in ES 1.7
Original commit: elastic/x-pack-elasticsearch@8abbf7468b
2015-07-16 16:07:45 +02:00
jaymode f95f86764c shield rest tests use the ElasticsearchRestTestCase nodeSettings
Original commit: elastic/x-pack-elasticsearch@855014dd4b
2015-07-16 06:19:57 -04:00
Clinton Gormley d6d13661e8 Docs: Fix bad ID in Shield intro
Original commit: elastic/x-pack-elasticsearch@61b72d57ae
2015-07-16 10:46:52 +02:00
jaymode 4619e71af1 remove dependency on license zip in test scope and update integration test xml
Original commit: elastic/x-pack-elasticsearch@c7b4f67b3f
2015-07-15 14:02:59 -04:00
debadair 79e12ad65b Docs: Revised the Shield intro to be more Shield-centric.
Original commit: elastic/x-pack-elasticsearch@ba7d73fd61
2015-07-15 10:38:38 -07:00
debadair dce7c48f67 Docs: Reorganized Shield TOC, renamed files, cleaned up hierarchy.
Original commit: elastic/x-pack-elasticsearch@15caf307c4
2015-07-15 10:17:17 -07:00
Robert Muir 4626fdfcaa remove cruft
Original commit: elastic/x-pack-elasticsearch@b51b9685b6
2015-07-14 14:10:31 -04:00
Robert Muir a225d3434d Remove redundant dependencies
Original commit: elastic/x-pack-elasticsearch@6a50cb8b01
2015-07-14 13:55:58 -04:00
Robert Muir 5305d46c32 remove redundant plugins
Original commit: elastic/x-pack-elasticsearch@543789fc55
2015-07-14 13:43:55 -04:00
Robert Muir 35b14612b0 Hook in x-dev-tools properly
Original commit: elastic/x-pack-elasticsearch@1f439bb5e9
2015-07-14 13:29:18 -04:00
Robert Muir 62615ae60c Remove more redundancy
Original commit: elastic/x-pack-elasticsearch@9721e8707c
2015-07-14 13:04:25 -04:00
Robert Muir cd24eeb5a3 fix compile failures (IndexMissingException -> IndexNotFoundException)
Original commit: elastic/x-pack-elasticsearch@c61492d962
2015-07-14 11:52:30 -04:00
Robert Muir 1d2be681f7 fix shield tests
Original commit: elastic/x-pack-elasticsearch@2b521a705b
2015-07-14 10:12:08 -04:00
Robert Muir 3b63e22dce Get shield integ tests working. Watcher still has assembly issues
Original commit: elastic/x-pack-elasticsearch@68d221d776
2015-07-14 09:45:06 -04:00
uboness cef77541a4 initial merge of the build for all the sub modules
Original commit: elastic/x-pack-elasticsearch@f084b626ce
2015-07-14 12:52:25 +02:00
uboness 8babe1c456 initial migration of shield
Original commit: elastic/x-pack-elasticsearch@2bf095d3cb
2015-07-13 12:31:34 +02:00