Core reworked how it registered tasks status's with NamedWriteableRegistry
so it was more pluggable. It changed a few signatures and x-plugins needs
these small changes to keep compiling.
Original commit: elastic/x-pack-elasticsearch@3dcf1df152
Adds a check to the settings at startup to ensure that the security and audit indices are
allowed to be auto created if a user has disabled auto create explicitly.
Additionally fixes a small issue with the error message for watcher passing the incorrect
value.
Closeselastic/elasticsearch#1453
Original commit: elastic/x-pack-elasticsearch@2b0698ff19
If a user configures only custom realms and they are not licensed to use the custom realms then
we need to return our default realms. The default realms should be the esusers and esnative realms.
We were only returning the esusers realm previously.
Closeselastic/elasticsearch#1491
Original commit: elastic/x-pack-elasticsearch@3dc2b5d3a8
PutMappingRequest has a special case since it can come with one and only
one concrete index. In such a case we can't replace the indices list
with all authorized indices but should rather only check if the index
is authorized and otherwise fail the request.
Original commit: elastic/x-pack-elasticsearch@4ee20029e1
Also make logging message String constant to allow static checks
Relates to elastic/elasticsearchelastic/elasticsearch#16707
Original commit: elastic/x-pack-elasticsearch@b5bd423de4
The shield settings need to be copied down to the tribe nodes so that they are
aware of the shield configuration. Otherwise there will be issues such as SSL
not carrying over or authentication realms not being available.
Closeselastic/elasticsearch#702
Original commit: elastic/x-pack-elasticsearch@7bd7674f3e
This commit adds the logic to protect the user and roles index that we store locally
by restricting access to the internal XPack user. We need to do this in two places;
the first is when resolving wildcards and the other is when authorizing requests
made against specific indices.
Original commit: elastic/x-pack-elasticsearch@8ee0ce02db
We would previosly check if a node was a client node, we can now check it by just verifying that it is not a transport client through client_type setting.
Original commit: elastic/x-pack-elasticsearch@bddd44866e
When thinking about applications and the need to update a user, we should not need to
update the password of the user when making changes to things like roles, email, full
name, or metadata. This commit changes how we handle operations where the password
field is missing.
When the password field is missing, we try to execute an update. If the user exists, all
values for the user are updated except for the password field. If the user does not exist
and the password field is missing then a ValidationException is returned.
When the password field is present, we always issue an index request.
Closeselastic/elasticsearch#1492
Original commit: elastic/x-pack-elasticsearch@3d8a5f2db6
This commit introduces the default refresh on user and role update and delete
operations. The behavior can be controlled via the `refresh` parameter on the
REST API and the refresh option in the Java API.
Closeselastic/elasticsearch#1494
Original commit: elastic/x-pack-elasticsearch@aff4d13886
This commit bumps the Elasticsearch version to 5.0.0-SNAPSHOT in line
with the alignment of versions across the stack.
Relates elastic/elasticsearchelastic/elasticsearch#16862
Original commit: elastic/x-pack-elasticsearch@155641c5e4
This commit changes the behavior of combining multiple document level security queries
from an AND operation to an OR operation.
Additionally, the behavior is also changed when evaluating the combination of roles that
have document level security and roles that do not have document level security. Previously
when the permissions for these roles were combined, the queries from the roles with document
level security were still being applied, even though the user had access to all the documents.
This change now grants the user access to all documents in this scenario and the same applies
for field level security.
Closeselastic/elasticsearch#1074
Original commit: elastic/x-pack-elasticsearch@291107ec27
- Renamed `AddRoleAction/Request/Response` to `PutRoleAction/Request/Response`
- also renamed the user/roles rest actions
- Changed the returned format for `RestGetRoleAction`. Previously this endpoint returned an array of role descriptor. Now it returns an object where the role names serve as the keys for the role objects. This is aligned with other APIs in ES (e.g. index templates).
- When `RestGetRoleAction` cannot find all the requested roles, it'll return an empty object and a 404 response status
- Also cleaned up `RoleDescriptor`
Original commit: elastic/x-pack-elasticsearch@742f6e0020
DiscoveryService was a bridge into the discovery universe. This is unneeded and we can just access discovery directly or do things in a different way.
This is a complement to elastic/elasticsearchelastic/elasticsearch#16821
Closeselastic/elasticsearch#1571
Original commit: elastic/x-pack-elasticsearch@496f0c4081
- Now it's more aligned with other APIs in ES (e.g. index template API)
- the "get user" API now returns an object as a response. The users are keyed by their username. If none of the requested users is found, an empty object will be returned with a 404 response status.
- the body of "put user" request doesn't require "username" anymore (as it's defined as part of the URL)
Original commit: elastic/x-pack-elasticsearch@f7c12648b1
The roles parsing does not currently handle null tokens since the YAML parser
was not emitting them. With the upgrade to Jackson 2.7.1, the parser is now
emitting the null token value.
Original commit: elastic/x-pack-elasticsearch@abcad633ad
Going forward (from 5.0 on) we'll remove all occurrences of the "shield" name/word from the code base. For this reason we want to already start using `.security` index in 2.3 such that we won't need to migrate it to a `.security` index later on.
Original commit: elastic/x-pack-elasticsearch@74a1cbfcf2
- roles are now reliably parsed
- in `Put Role` API, added a double check to verify that the role name in the URL matches the role name if the body. Also, if the body doesn't have a role name, the role name in the URL will be used.
Original commit: elastic/x-pack-elasticsearch@5054ce8567
- Renamed `AddRoleAction/Request/Response` to `PutRoleAction/Request/Response`
- also renamed the user/roles rest actions
Original commit: elastic/x-pack-elasticsearch@ae0ccd61e5
- `full_name` and `email` are optional user fields
- `metadata` is an optional arbitrary meta data that can be associated with the user
- cleaned up the user actions - consistent naming (e.g. `PutUserAction` vs. `AddUserAction`)
- moved source parsing from the `PutUserRequest` to the `PutUserRequestBuilder`
- renamed`WatcherXContentUtils` to `XContentUtils` and moved it to sit under `o.e.xpack.commons.xcontent`
Closeselastic/elasticsearch#412
Original commit: elastic/x-pack-elasticsearch@5460e3caf7
