- Renamed `AddRoleAction/Request/Response` to `PutRoleAction/Request/Response`
- also renamed the user/roles rest actions
- Changed the returned format for `RestGetRoleAction`. Previously this endpoint returned an array of role descriptor. Now it returns an object where the role names serve as the keys for the role objects. This is aligned with other APIs in ES (e.g. index templates).
- When `RestGetRoleAction` cannot find all the requested roles, it'll return an empty object and a 404 response status
- Also cleaned up `RoleDescriptor`
Original commit: elastic/x-pack-elasticsearch@742f6e0020
DiscoveryService was a bridge into the discovery universe. This is unneeded and we can just access discovery directly or do things in a different way.
This is a complement to elastic/elasticsearchelastic/elasticsearch#16821
Closeselastic/elasticsearch#1571
Original commit: elastic/x-pack-elasticsearch@496f0c4081
- Now it's more aligned with other APIs in ES (e.g. index template API)
- the "get user" API now returns an object as a response. The users are keyed by their username. If none of the requested users is found, an empty object will be returned with a 404 response status.
- the body of "put user" request doesn't require "username" anymore (as it's defined as part of the URL)
Original commit: elastic/x-pack-elasticsearch@f7c12648b1
In case that a single email attachment cannot be downloaded, this ensures
that the whole action fails with a correct Action.Failure.
This also fixes an NPE that would occur otherwise.
Original commit: elastic/x-pack-elasticsearch@7bb042a719
This is a small fix to use specified id when sending data attachments.
The current solution always used "data".
Also a minor refactoring was made to include get the different parser impls
from the EmailAttachmentsParser instead of specifying them twice in the
EmailAction.
Closeselastic/elasticsearch#1503
Original commit: elastic/x-pack-elasticsearch@9354e83c8b
The roles parsing does not currently handle null tokens since the YAML parser
was not emitting them. With the upgrade to Jackson 2.7.1, the parser is now
emitting the null token value.
Original commit: elastic/x-pack-elasticsearch@abcad633ad
The awaiting latch was not waiting as long as the sleep in the code
causing the latch to fail and the test to fail.
This code aligns the time to wait for the latch and the sleep code
in the mock http server.
Original commit: elastic/x-pack-elasticsearch@8a2cc61204
Going forward (from 5.0 on) we'll remove all occurrences of the "shield" name/word from the code base. For this reason we want to already start using `.security` index in 2.3 such that we won't need to migrate it to a `.security` index later on.
Original commit: elastic/x-pack-elasticsearch@74a1cbfcf2
The request timeout and the real time the webserver slept was 5000ms.
In case of loaded systems, there might be cases, where the request was
still received in time.
This commit increases the server side sleep time to 10 seconds, to ensure
that the client aborts the request early
Original commit: elastic/x-pack-elasticsearch@718c05519f
The current HTTP timeout tests had two problems.
* Binding to port 9200-9300
* The first request to hit was having a delay, the other ones had not,
so if any other component hit the test inbetween (likely in a CI env),
the HTTP request from the test itself will not be delayed.
Both cases are fixed in this commit.
Original commit: elastic/x-pack-elasticsearch@d696e020cc
When an HTTP input returns an error body, right now we check if the
error code is below 400 and only then we include the body.
However using another method from URLConnection, the body can be
access always.
Closeselastic/elasticsearch#1550
Original commit: elastic/x-pack-elasticsearch@1743fd0a77
- roles are now reliably parsed
- in `Put Role` API, added a double check to verify that the role name in the URL matches the role name if the body. Also, if the body doesn't have a role name, the role name in the URL will be used.
Original commit: elastic/x-pack-elasticsearch@5054ce8567
- Renamed `AddRoleAction/Request/Response` to `PutRoleAction/Request/Response`
- also renamed the user/roles rest actions
Original commit: elastic/x-pack-elasticsearch@ae0ccd61e5
- `full_name` and `email` are optional user fields
- `metadata` is an optional arbitrary meta data that can be associated with the user
- cleaned up the user actions - consistent naming (e.g. `PutUserAction` vs. `AddUserAction`)
- moved source parsing from the `PutUserRequest` to the `PutUserRequestBuilder`
- renamed`WatcherXContentUtils` to `XContentUtils` and moved it to sit under `o.e.xpack.commons.xcontent`
Closeselastic/elasticsearch#412
Original commit: elastic/x-pack-elasticsearch@5460e3caf7
We shouldn't have marvel enabled for these tests because we get false test failures
due to marvel indices existing and failing to lock the shard.
Original commit: elastic/x-pack-elasticsearch@11123bb660
This removes the use of group setting for `shield.` and introduces some individual settings
and some group settings that should not overlap and cause issues when iteration order
changes.
See elastic/elasticsearch#1520
Original commit: elastic/x-pack-elasticsearch@193e937193
- Moved all settings in Marvel from `marvel.*` to `xpack.monitoring.*`
- Cleaned up marvel settings in general - they're all now under `MarvelSettings` class
- fixed some integration tests along the way (they were configured wrong and never actually tested anything)
- Updated the docs accordingly
- Added `migration-5_0.asciidoc` under the Marvel docs to explain how to migrate from Marvel 2.x to XPack 5.0.
- Replaced all `marvel` mentions in the logs to `monitoring`
- Removed the `xpack.monitoring.template.version` setting from the templates
- renamed the templates to `monitoring-es-data.json` and `monitoring-es.json`
- monitoring indices are now `.monitoring-es-<version>-data` and `.monitoring-es-<version>-<timestamp>`
Original commit: elastic/x-pack-elasticsearch@17f2abe17d
Custom realms may enable the use of other authorization schemes than just basic authentication
and these schemes should work in addition to our built in realms. However, our built in realms use
the UsernamePasswordToken class to parse the Authorization header, which had a check to ensure
the token was for basic authentication and if not, an exception was thrown. The throwing of the
exception stops the authentication process and prevents custom realms from evaluating the header
if they come later in the ordering of realms.
This change removes the throwing of the exception unless the header starts with 'Basic ' and is invalid.
Original commit: elastic/x-pack-elasticsearch@fd438ded95
- renaming `ShieldPlugin` to `Shield` (it's no longer a plugin)
- renaming `WatcherPlugin` to `Watcher` (it's no longer a plugin)
- renaming `MarvelPlugin` to `Marvel` (it's no longer a plugin)
- renaming `LicensePlugin` to `Licensing` (it's no longer a plugin)
- renamed setting:`watcher.enabled` -> `xpack.watcher.enabled`
- renamed setting:`marvel.enabled` -> `xpack.marvel.enabled`
Original commit: elastic/x-pack-elasticsearch@35a6540b11
This commit removes the message digest providers in x-plugins by using
the MessageDigests abstraction in core. In particular, this permits the
removal of the use of MessageDigest#clone in x-plugins.
Closeselastic/elasticsearch#1489
Original commit: elastic/x-pack-elasticsearch@6868e6e8ed
- Consolidated the `bin` and `config` directories of watcher, shield and marvel under a single `config/xpack` and `bin/xpack` directories.
- updated docs accordingly
Original commit: elastic/x-pack-elasticsearch@c2aa6132fa
- Started to move configuration under the `xpack` name
- Cleaned up `ShieldPlugin`
- renamed `ShieldClient` to `SecurityClient`
- Introduced `XPackClient` that wraps security and watcher clients
Original commit: elastic/x-pack-elasticsearch@f05be0c180
This loads an index template for the watch history to make sure,
that field changes are taken into account.
Also, the dynamic mapping for the watch history template has been
changed from strict to false.
This means that new fields can be included in a document, but they
will not indexed and are not searchable.
In addition the index names have been changed from .watch_history-$date to
.watcher-history-$template-$date - using dashes to be more consistent.
Closeselastic/elasticsearch#1299
Original commit: elastic/x-pack-elasticsearch@794f982234
This commit fixes the bad apple tests that failed when running them. The
IndexAuditTrailEnabledTest was removed and the test was folded into the
IndexAuditIT. Some watcher tests that relied on mustache were moved
into the QA tests with the mustache plugin.
Additionally, fixing these tests uncovered a issue with the privileges needed
for writing data into an index. If the mappings need to be updated because
of a write, then the update mapping action gets executed. In 2.x this was
handled by the system user, but now is executed under the user's context,
which is the correct thing to do. The update mapping action is now added to
the read, index, crud, and write privileges for an index.
Original commit: elastic/x-pack-elasticsearch@30711f9625
In elastic/elasticsearch#1442 checkstyle checks were added, but also some files were freed from this.
If we have support for checkstyle, we should check this for all files and not allow
exceptions. This commit removes the file list to ignore any files and fixes all the
java files.
Original commit: elastic/x-pack-elasticsearch@99e6cbc5be
According to RFC 2616 HTTP headers are case insensitive.
But `HttpResponse#contentType()` only looks up for Content-Type.
This stores all header responses lower cased in the HTTP response.
Closeselastic/elasticsearch#1357
Original commit: elastic/x-pack-elasticsearch@c009be8365
This commit adds a new `source_node` field to all marvel documents that holds various information (node's name/ip/host/id/transport address) about the node that emitted the document.
(cherry picked from commit elastic/x-pack@29a411a931)
Original commit: elastic/x-pack-elasticsearch@66e057d334
This change registers all filtered settings up-front and removes all
the unnecessary wrappers around SettingsFilter. This is a pretty big
change and needs some review but after all things are generally simplified and
settings are always filtered even if shield is not enabled which is the right thing
todo.
Relates to elastic/elasticsearchelastic/elasticsearch#16425
Original commit: elastic/x-pack-elasticsearch@c7df85492b
The lang-mustache module has been extended to meet Watcher's needs:
* The ability to refer the specific slots in arrays.
* An `content_type` option controls whether json string escaping is used. Otherwise there is no escaping.
Closeselastic/elasticsearch#1116
Other changes:
* I changed tests that were just using mustache just because it was around to not use mustache
* I moved tests to `test-xpack-with-mustache` module that were testing mustache with Watcher
* added smoke test for watcher and mustache
* moved some tests around
* instead of using DefaultTextTemplateEngine in watcher tests use MockTextTemplateEngine
* added a mock mustache script engine
* Cleanup some messy tests to not rely on mustache and move them back into xpack module
* moved array access test to smoke test watcher with mustache module
* test: simplified the condition search test to take the time component out of it, while still simulation a condition
* removed the mustache dependency in the messy-test-watcher-with-groovy module
Original commit: elastic/x-pack-elasticsearch@6a2a4e885f
- Consolidated `InternalMarvelUser`, `InternalWatcherUser` and `InternalShieldUser` into a single `XPackUser` - this is the single internal user for xpack that has all the permissions internally required by xpack (for marvel, watcher and shield)
- Renamed `InternalSystemUser` to `SystemUser`
- Removed the notion of "reserved roles". Now that we have a single internal user we know its role. The authz service now checks to see if the current user is the internal xpack user, and if so, it just uses its role (and not trying to resolve it from the role store). With this model, it's no longer possible for outside users to use the internal role (it's fully internal)
- Consolidated the notion of an `InternalClient` (in Marvel it was knows as the `SecuredClient`). This is an ES client that xpack is using to manage itself. If shield is enabled, it will execute all request on behalf of the internal xpack user.
- Removed the verification of the license plugin on plugin installation - no need to do it anymore as the license plugin is part of the distribution.
Original commit: elastic/x-pack-elasticsearch@c851410f93
This commit cleans up the hack we had forcefully switching the request to execute under the system
user when a internal action gets triggered from a system request. The authorization service now tracks
the originating request in the context to allow us to validate if the request should be run as the system
user.
The system user should be used only when a user action causes an internal action, which needs to
be run by the system user.
Closeselastic/elasticsearch#1403
Original commit: elastic/x-pack-elasticsearch@4972df459f
- removed `/_shield/roles` and `/_shield/users` endpoints (only keeping the singular forms)
- fixed `ClearRealmsCacheTests` to use the correct endpoint for clearing the realms cache
- used action name constants where possible in `InternalShieldUser`
Original commit: elastic/x-pack-elasticsearch@d1481de389
- Moved all role action classes to live under `o.e.s.action.role`
- Moved all realm related action classes (for now just the clear cache) to live under `o.e.s.action.realm`
- Moved all user action classes to live under `o.e.s.action.user`
- Moved all the rest actions to live under `o.e.s.rest.action`
- Changed the `clear role cache` endpoint to `/_shield/role/{id}/_clear_cache` (aligned with all other role endpoints)
- Changed `InternalShieldUserHolder` to the `InternalShieldUser` singleton user... to be aligned with `InternalMarvelUser` and `InternalWatcherUser`.
- Removed the dedicated audit log user. The new `InternalShieldUser` is now the user that manages and writes to the audit log indices
- Extracted the `User.System` class to a top level `InternalSystemUser` class (to be aligned with the other internal user classes)
- Removed the `SystemRole` class (the `InternalSystemUser` class now holds all the needed info/logic)
Original commit: elastic/x-pack-elasticsearch@cf82b257d1
When using a path like `"/<logstash-{now%2Fd}>/_search"` in the
http webhook. The already escaped slash (%2F) got escaped twice
and thus did not work any more.
The escaping happened when the code created an URI and was done
as part of that constructor. This is now switched to an URL (which
is used at the end anyway) which does not do the escaping, even though
this was required for the query string, which is now done when constructing.
Closeselastic/elasticsearch#1364
Original commit: elastic/x-pack-elasticsearch@861b6d2378
Two regressions have been introduced in elastic/x-pack@156d9e4d5b: marvel index templates should not be deleted between tests and checking for marvel indices existence should not fail with IndexNotFoundException when the indices are not yet created and Shield enabled.
closeselastic/elasticsearch#1396elastic/elasticsearch#1394elastic/elasticsearch#1382
In MultiNodesStatsTests.java, multiple nodes are started in async: the first node may collect marvel data multiple times when the last one just started. So we should not check for exact 1 doc per node but at least 1 doc per node.
closeselastic/elasticsearch#1370
In HttpExporterTemplateTests.java, we must compare a long count with a long value.
Original commit: elastic/x-pack-elasticsearch@732fef995a
Similar to the lifecycle services, stopping the shield lifecycle should
also ensure that the poller threads are stopped, which is tricky, in case
they run through huge user/role lists.
Original commit: elastic/x-pack-elasticsearch@7a48f19853
Restoring empty contexts causes issues with searches, but failure to restore the
original context when executing index requests that auto-create results in a
the index operation being tried by the system user.
See elastic/elasticsearch#1380
Original commit: elastic/x-pack-elasticsearch@522f857de7
Load average is not available anymore on Windows, the tests should not check the presence of the field. Also, "node_stats.json" file is hard to maintain and quite useless so this commit removes it.
Original commit: elastic/x-pack-elasticsearch@74d2e0dce6
This removes a check in the ClearRolesCacheTests that is prone to failure due to the
possibility of the cache poller running while we modify documents and updating cached
values prior to the test issuing the get roles call.
See elastic/elasticsearch#1354
Original commit: elastic/x-pack-elasticsearch@ba0b803466
This change migrates all of the xpack code to use the new ThreadContext when
dealing with headers and context data. For the most part this is a simple
cutover, but there are some things that required special casing. The internal
actions that executed by a user's requests need to forcefully drop the context
and set the system user. The workaround for this will be improved in a followup.
Additionally, the RequestContext still lives on due to the OptOutQueryCache,
which requires some core changes to fix this issue.
Original commit: elastic/x-pack-elasticsearch@87d2966d93
This commit is the x-plugins side of the refactoring of script settings.
Relates elastic/elasticsearchelastic/elasticsearch#16197
Original commit: elastic/x-pack-elasticsearch@4c429933b9
As of elastic/elasticsearchelastic/elasticsearch#16054 all index level settings
must be registered and use the new settings infrastructure. This commit
prepares for the merge to provide a smooth transition.
Original commit: elastic/x-pack-elasticsearch@bc0a4fec07
This commit addresses the handling of load averages in Marvel due to
upstream changes in core Elasticsearch where the load average field was
changed from an array to an object.
Original commit: elastic/x-pack-elasticsearch@9ea57968bb
Due to lingering threads when shutting down when running this in CI
this disables watcher in this tests. It is really hard to reproduce
to get the correct order of start/stop. The reason here is, that watcher
is still starting and not finished, when stop is called on the plugin.
Original commit: elastic/x-pack-elasticsearch@2de85bcba6
In elastic/elasticsearchelastic/elasticsearch#15907, we changed the load average
structure to also include 5 and 15 minute load averages. This
commit adjusts the expected JSON structure for
NodeStatsRendererTests.
Original commit: elastic/x-pack-elasticsearch@59f6a1e9d9
When debugging role mapping it is useful to know the actual user DN, which is only logged
when something is actually mapped to the DN. Since this is logged at debug level, we should
always log it.
Original commit: elastic/x-pack-elasticsearch@b690c757d3
Previously we only exposed the use of a single URL for LDAP realms, while the code supported
multiple URLs. Internally we always used a failover server set, which would have provided failover
to another LDAP server if multiple existed. This change introduces a new setting `load_balance.type`
on the realm that indicates the type of load balancing. Valid options are:
* `failover` - the first server in the list will be used until it fails and then additional servers will be tried until
one succeeds. The first successful server will be used from now on. This is the default.
* `round_robin` - continuously iterates through the list of servers for each new connection. If a server is down,
the iteration will continue until a successful connection is made. The downfall here is that the list does not
get reordered on a down server, so there is overhead for always trying the servers in order.
* `dns_failover` - This server set takes a single URL that uses a DNS that will resolve to multiple IP addresses.
Connections will be consistently attempted to servers in the order they are retrieved from the name service; there
is no re-ordering and the first successful connection will be used.
* `dns_round_robin` - This server set takes a single URL that uses a DNS that will resolve to multiple IP addresses.
The addresses retrieved from the name service will connected to in the same order as `round_robin`.
Closeselastic/elasticsearch#31
Original commit: elastic/x-pack-elasticsearch@9ce9a1bf23
In order to correctly check for equality in an EmailAction, all the email
attachments have to implement equals/hashCode methods.
This has already been added to the 2.x branch in elastic/x-pack@ebde22507f
Original commit: elastic/x-pack-elasticsearch@bb980ea934
This feature is mainly done for the integration with the commercial reporting, but can be used
for anything else as well.
This adds a `attachments` to the email configuration, which can be used like this
```
"attachments" : {
"some_id" : {
"http" : {
"request" : {
"url" : "http://example.org/foo.pdf"
}
}
},
"other_id" : {
"data" : {
"format" : "json"
}
}
}
```
The main reason to pick this format is extensibility. If we would like to support another
attachment type, like an file reader, we could do so easily from an API point of view.
Closeselastic/elasticsearch#870
Original commit: elastic/x-pack-elasticsearch@66d14be965
This commit removes the current implementation in HttpExporter so that it does not automatically clean indices anymore.
Original commit: elastic/x-pack-elasticsearch@7d30338355
In order to have a shortcut for the execution of a watch and
specifying the record_execution and ignore_condition booleans,
so are now supported in the HTTP request parameters as well.
Closeselastic/elasticsearch#918
Original commit: elastic/x-pack-elasticsearch@bed5da40b7
* This action enables sending notifications to pager duty services.
* Utilizes pager duty's REST API
* Similar to the `email`, `hipchat` and `slack` actions, multiple `pagerduty` accounts can be configured, each with its own Service API key
* A `pagerduty` account is roughly mapped to a service in your pagerduty service.
* `pagerduty` actions are associated with an account, or if not, their events will be sent via the default account.
* An incident can be acknowledged, resolved or triggered
Closeselastic/elasticsearch#492
Original commit: elastic/x-pack-elasticsearch@72cc21d119
This commit merge the ClusterInfoCollector in the ClusterStatsCollector so that cluster stats are retrieved only once.
Original commit: elastic/x-pack-elasticsearch@fe70149210
This commit changes the templates so that they are now versionned using a number (starting from 1). This number is used in index templates names (ex: .marvel-es-data-1, .marvel-es-1) as well as in indices names (ex: .marvel-es-1-2015-12-30, .marvel-es-data-1).
If the template does not exist, it is created. Otherwise nothing (no update) is done.
Original commit: elastic/x-pack-elasticsearch@66c1a8bed0
This commit enable tribe nodes support for Marvel. It avoid ElasticsearchSecurityException when a tribe node is connected to a cluster that has been configured for both Shield and Marvel by loading the MarvelShieldIntegration support on tribe node even if marvel.enabled is set to false. It also allows tribe nodes to be monitored using Marvel with their own marvel settings.
closeselastic/elasticsearch#1088
Original commit: elastic/x-pack-elasticsearch@e0401c1288
Instead of having to specify `scheme`, `host`, `port`, `path` and `params` each
one can now use the `url` field and specify something like `http://example.org/foo?bar=baz`
This works for HttpRequest and HttpRequestTemplate
Original commit: elastic/x-pack-elasticsearch@8c052cf419
Because of specifying the concrete implementations in WatcherPlugin.nodeServices(),
all of those services got created twice for each node (guice requires the interface here).
This resulted in NPEs as the first instantiation did not run doStart() and thus had empty
settings, that resulted in a NPE.
Closeselastic/elasticsearch#1179
Original commit: elastic/x-pack-elasticsearch@c6a1f5093f
* allow bulk requests with updates if fls/dls isn't configured for targetted index
* throw a hard error if the current call can't resolve an associated transport request
marvel: node stats collector should use the client instead of the internal apis, because otherwise the index searcher wrapper can't locate the transport request that is associated with current call and would then throw an exception, which then prevents the marvel agent from collecting stats.
* if both field or document level security is enabled then all forbidden operations should fail
Original commit: elastic/x-pack-elasticsearch@b2c40d6559
The REST authenticate API can be used to test credentials and retrieve details about the
user that has been authenticated. This currently includes retrieving the user's username
and roles.
Closeselastic/elasticsearch#1019
Original commit: elastic/x-pack-elasticsearch@117a226187
This commit removes usage of Collections#shuffle(List) as this is a
forbidden method in upstream Elasticsearch.
Relates elastic/elasticsearchelastic/elasticsearch#15287, relates elastic/elasticsearchelastic/elasticsearch#15299
Original commit: elastic/x-pack-elasticsearch@2943569ee1
This commit simplifies xcontent usage in x-pack in a way that is compatible with
elastic/elasticsearchelastic/elasticsearch#15358.
Original commit: elastic/x-pack-elasticsearch@0d6ce5f22f
Squashed commit of the following:
commit 54de841112778b01e817e465d2f59840970bb4f3
Author: Robert Muir <rmuir@apache.org>
Date: Thu Dec 10 08:47:12 2015 -0500
see exactly how far MessyTestPlugin can go (unit tests depend on both groovy and mustache!)
commit 743b5a4e0cc9a05e307339dfcb4569feed31f337
Author: Robert Muir <rmuir@apache.org>
Date: Thu Dec 10 08:35:03 2015 -0500
fix x-pack compile/tests to work with https://github.com/elastic/elasticsearch/pull/15328
Original commit: elastic/x-pack-elasticsearch@4307bb163b
This commit update the Local & Http exporters so that they have the same behavior. Exporters now try to update the mappings of the current marvel indices if they exist (only new document types will be added)
It also adds dedicated tests to verify that the Marvel template is correctly updated depending of the current template version.
Original commit: elastic/x-pack-elasticsearch@ac650f5aba
When the logging audit trail is configured to add the node hostname or ip address
as a prefix, the logging audit trail can invoke guice dependency injection issues since
the transport that is injected is a proxy. This change makes the logging audit trail a
lifecycle component and waits for the transport to be started before initializing the
prefix.
Closeselastic/elasticsearch#1104
Original commit: elastic/x-pack-elasticsearch@3b19283969
In order to be able to send emails, the thread context classs loader
must be set to the watcher plugin class loader (and reset afterwards),
otherwise some javax.activation classes needed to create mime attachments
cannot be found.
In addition the activation jar dependency has been removed.
Closeselastic/elasticsearch#1066Closeselastic/elasticsearch#708
Original commit: elastic/x-pack-elasticsearch@10042375ec
Since we combined all of the plugins marvel will also be enabled and will cause
the cluster to never get to a green state since we only have a single node.
Original commit: elastic/x-pack-elasticsearch@60fbfa97f1
* move static initialization hack for UnboundID Debug to XPackPlugin
* cleanup bundlePlugin calls in build file
* properly disable watcher and marvel for shield core tests
Original commit: elastic/x-pack-elasticsearch@2b89cf2225
This commit fixes the integration tests and qa test after the reorganization to be
packaged as a single plugin.
Original commit: elastic/x-pack-elasticsearch@d6f488627f
- added the license-plugin dir as a src dir
- Made XPackPlugin customizable for tests. Now tests that need to plug in different behaviours (e.g. a custom license plugin) can do that by simply resetting the relevant delegee plugins (i.e. shield, marvel, license, watcher) in the ctor of a new XPackPlugin.
Original commit: elastic/x-pack-elasticsearch@ab83104955