Commit Graph

65 Commits

Author SHA1 Message Date
Martijn van Groningen 967a3d1da2 test: if notify is not null and needs to be unequal then just invert notify
Original commit: elastic/x-pack-elasticsearch@2de9536c9c
2015-08-28 19:57:10 +02:00
Martijn van Groningen 5f01f793d5 Added document and field level security
This commit adds document and field level security to Shield.

Field level security can be enabled by adding the `fields` option to a role in the `role.yml` file.

For example:

```yaml
customer_care:
  indices:
    '*':
      privileges: read
      fields:
        - issue_id
        - description
        - customer_handle
        - customer_email
        - customer_address
        - customer_phone
```

The `fields` list is an inclusive list of fields that controls what fields should be accessible for that role. By default all meta fields (_uid, _type, _source, _ttl etc) are also included, otherwise ES or specific features stop working. The `_all` field if configured, isn't included by default, since that actually contains data from all the other fields. If the `_all` field is required then this needs to be added to the `fields` list in a role. In the case of the content of the `_source` field and `_field_names` there is special filtering in place so that only the content relevant for the role are being returned.

If no `fields` is specified then field level security is disabled for that role and all fields in an index are accessible.

Field level security can be setup per index group.

Field level security is implemented at the Lucene level by wrapping a directory index reader and hides fields away that aren't in the `field` list defined with the role of the current user. It as if the other fields never existed.

* Any `realtime` read operation from the translog is disabled. Instead this operations fall back to the Lucene index, which makes these operations compatible with field level security, but there aren't realtime.
*  If user with role A executes first and the result gets cached and then a user with role B executes the same query results from the query executed with role A would be returned. This is bad and therefore the query cache is disabled.
* For the same reason the request cache is also disabled.
* The update API is blocked. An update request needs to be executed via a role that doesn't have field level security enabled.

Document level security can be enabled by adding the `query` option to a role in the `role.yml` file:
```yaml
customer_care:
  indices:
    '*':
      privileges: read
      query:
        term:
         department_id: 12
```

Document level security is implemented as a filter that filters out documents there don't match with the query. This is like index aliases, but better, because the role query is embedded on the lowest level possible in ES (Engine level) and on all places the acquire an IndexSearcher the role query will always be included. While alias filters are applied at a higher level (after the searcher has been acquired)

Document level security can be setup per index group.

Right now like alias filters the document level security isn't applied on all APIs. Like for example the get api, term vector api, which ignore the alias filter. These apis do acquire an IndexSearcher, but don't use the IndexSearcher itself and directly use the index reader to access the inverted index and there for bypassing the role query. If it is required to these apis need document level security too the the implementation for document level security needs to change.

Closes elastic/elasticsearch#341

Original commit: elastic/x-pack-elasticsearch@fac085dca6
2015-08-27 17:54:50 +02:00
uboness f9a8c8937c fixes for hipchat integration tests
Original commit: elastic/x-pack-elasticsearch@df6311799b
2015-08-25 20:05:46 +02:00
uboness 5b363f1041 [watcher] Rename `Template` to `TextTemplate`
We have different types of templates in watcher - http request template, email template, hipchat message template, and simple text template... to avoid confusion, and clean up the codebase, this commit renames the `Template` class to `TextTemplate` to better convey what this template is about.

Original commit: elastic/x-pack-elasticsearch@8e5202019c
2015-08-25 16:19:50 +02:00
uboness 0731a98e97 Introducing HipChat Action
An action capable of sending notifications to rooms and users on hipchat. This actions support three types of HipChat APIs:

- `v1` - The (now deprecated) legacy API where a token can be registered at the group level, and the `v1` version of the API can be used. This API only supports room notification (users cannot be notified). multi-room notification is supported.

- `integration` - The basic integration that one can create in HipChat (it is using the `v2` API version), where notifications can be sent to a single room. User notification is unsupported by this API

- `user` - this API uses an API token of a specific user. An admin user can create an API token and configure it to have access to room notification and user private messaging. This API supports multi-room and multi-user notifications.

The settings for `hipchat` are very similar to the `email` infrastructure in nature. It is possible to configure multiple/different hipchat account, each is associated with the api type (a.k.a profile) - can be `v1`, `integration` or `user`, and the respective `auth_token`. When configuring the action in the watch, one can specify what hipchat account they would like to use (when not specifying an account, the `default_account` will be used). Each account can also specify its own unique `host`/`port` for the hipchat server - for full flexibility.

Closes elastic/elasticsearch#462

Original commit: elastic/x-pack-elasticsearch@9d9ee13542
2015-08-25 14:05:49 +02:00
Areek Zillur ef7d4e2579 stub out acknowledge callbacks for commercial plugins
Original commit: elastic/x-pack-elasticsearch@d16f9dc1df
2015-08-24 18:25:40 -04:00
Areek Zillur 0b9021ee87 Add license acknowledgment mechanism for consumer plugins to notify users when they attempt to install a new license
closes elastic/elasticsearch#461

Original commit: elastic/x-pack-elasticsearch@bc30ac2871
2015-08-24 18:25:29 -04:00
Martijn van Groningen 31f3830cf7 unmuted scan parse tests and don't be strict when parse the search type. (Watcher fails when it sees scan is being used)
Closes elastic/elasticsearch#484

Original commit: elastic/x-pack-elasticsearch@fea5d6a22d
2015-08-24 14:12:08 +02:00
Simon Willnauer e723c355d8 Remove unused imports - SpawnModules.java is removed
Original commit: elastic/x-pack-elasticsearch@717d38694d
2015-08-23 13:03:50 +02:00
Ryan Ernst 670b9b5ce8 Remove use of PreProcessModule
PreProcessModule was an alternate way to customize another module's
behavior inside plugins. The preferred (and only in the future) way to
do this is with onModule in the plugin itself. This change moves the
only two remaining users of PreProcessModule to do so in their
respective plugins. The use case was adding roles for shield
authorization, but these roles were really static, so there was no
reason they could not be configured up front.

Original commit: elastic/x-pack-elasticsearch@e67ac2dcb6
2015-08-21 14:23:23 -07:00
jaymode 7e552f393b fix all InetAddress forbidden apis and compile errors
This commit also fixes test shard routing compilation error and disables local address check in
the Shield IPFilter. This will be addressed in a followup, see elastic/elasticsearch#487

Original commit: elastic/x-pack-elasticsearch@984df0b131
2015-08-21 09:22:57 -04:00
jaymode 64706aefe4 mute watcher tests failing due to scan deprecation
Original commit: elastic/x-pack-elasticsearch@17f3d5c005
2015-08-20 14:06:30 -04:00
debadair dffd30d591 Updated package installation information. Closes elastic/elasticsearch#376.
Original commit: elastic/x-pack-elasticsearch@59be16531c
2015-08-19 14:10:51 -07:00
Ryan Ernst e0128daf9a Remove uses of SpawnModules
SpawnModules will be going away very soon as part of
elastic/elasticsearchelastic/elasticsearch#12783. This change removes its use from all
x-plugins.

Most spawnmodules uses here were to either collect a number of modules
into one (so the modules were just moved up into the plugin itself), or
to spawn a module which interacted with an extension point from ES. This
change moves those, as well as most uses of PreProcessModule, to use
onModule.

Original commit: elastic/x-pack-elasticsearch@6430e35379
2015-08-18 18:41:44 -07:00
Ryan Ernst 2b5cb6b9f2 Fix compile after removal of apache commons and refactoring of plugin api
Original commit: elastic/x-pack-elasticsearch@5171192d16
2015-08-18 15:35:01 -07:00
David Pilato 29f8362bce [maven] fix build issues with artifactId renaming
Related to elastic/elasticsearch#450

Original commit: elastic/x-pack-elasticsearch@780002a9de
2015-08-18 18:03:40 +02:00
David Pilato 7b10f36775 [maven] rename artifactIds from `elasticsearch-something` to `something`
When https://github.com/elastic/elasticsearch/pull/12879 will be merged, this commit should be merged as well.

```
[INFO] Reactor Summary:
[INFO]
[INFO] Elasticsearch Commercial Plugin Build Resources .... SUCCESS [  0.228 s]
[INFO] Elasticsearch X-Plugins - Parent POM ............... SUCCESS [  0.282 s]
[INFO] X-Plugins: License: Parent POM ..................... SUCCESS [  0.089 s]
[INFO] X-Plugins: License: Core ........................... SUCCESS [  0.118 s]
[INFO] X-Plugins: License: Licensor ....................... SUCCESS [  0.150 s]
[INFO] X-Plugins: License: Plugin API ..................... SUCCESS [  0.106 s]
[INFO] X-Plugins: License: Plugin ......................... SUCCESS [  0.112 s]
[INFO] X-Plugins: Shield .................................. SUCCESS [  0.234 s]
[INFO] X-Plugins: Watcher ................................. SUCCESS [  0.264 s]
[INFO] X-Plugins: Marvel .................................. SUCCESS [  0.113 s]
[INFO] QA: Parent POM ..................................... SUCCESS [  0.097 s]
[INFO] QA: Smoke Test X-Plugins ........................... SUCCESS [  0.107 s]
[INFO] QA: Shield core REST tests ......................... SUCCESS [  0.093 s]
[INFO] QA: Smoke Test Watcher's Shield integration ........ SUCCESS [  0.109 s]
```

Original commit: elastic/x-pack-elasticsearch@e9871261cf
2015-08-18 13:55:11 +02:00
Martijn van Groningen 5c09618224 Fixed compile error due to upstream change in how dynamic cluster and index settings are registered.
Original commit: elastic/x-pack-elasticsearch@21c9bfdd73
2015-08-17 14:16:42 +02:00
Martijn van Groningen d7665293cb Changed pom version to 2.1.0-SNAPSHOT
as ES core does in its master branch

Original commit: elastic/x-pack-elasticsearch@fc9b1a7327
2015-08-17 13:44:33 +02:00
uboness c8b83daf44 Removed plugin specific version classes
Now that the versions are aligned with ES version, we can just use the es `Version` class. Version compatibility is applied by the `PluginService`.

Closes elastic/elasticsearch#439

Original commit: elastic/x-pack-elasticsearch@32f305abb8
2015-08-13 17:54:38 +02:00
uboness c4e213fc92 Updated version to 2.0.0-SNAPSHOT
Original commit: elastic/x-pack-elasticsearch@8fb8035596
2015-08-13 00:05:11 +02:00
Martijn van Groningen ae7d9c3048 test: fixed test due to upstream change timed out cluster health now returns 408 instead of 200 response code.
Original commit: elastic/x-pack-elasticsearch@5a0be2e70d
2015-08-12 21:17:03 +02:00
Martijn van Groningen ca8a7bb262 added watcher+shield qa rest tests
only run watcher rest tests during verify phase
never run the rest tests with shield enabled, because that is now tested in the new qa module
removed the disabled license watcher rest tests, because the disabled license use case is already tested by the LicenseIntegrationTests
enabled the getting started rest test

Closes elastic/elasticsearch#403

Original commit: elastic/x-pack-elasticsearch@67f0f7f596
2015-08-12 14:11:45 +02:00
Martijn van Groningen 8a4260db46 test: disable getting started rest test until it gets fixed
Original commit: elastic/x-pack-elasticsearch@40ba3d6ba9
2015-08-11 14:27:11 +02:00
Martijn van Groningen 1372bdef22 test: moved smoke test to yaml rest test.
Original commit: elastic/x-pack-elasticsearch@5a8bfeee2e
2015-08-11 13:03:42 +02:00
Martijn van Groningen 682fdc3024 test: removed es core rest spec copies and fetch them during the build process instead.
Original commit: elastic/x-pack-elasticsearch@e92e3e3778
2015-08-11 10:53:48 +02:00
Martijn van Groningen 3876bde0c2 Don't use Settings#getClassLoader() because it doesn't return the classloader the plugin was being loaded with.
Closes elastic/elasticsearch#419

Original commit: elastic/x-pack-elasticsearch@1c4b4b8760
2015-08-10 16:13:15 +02:00
Adrien Grand f38b92b917 Merge pull request elastic/elasticsearch#405 from jpountz/enhancement/qa_tests
Add a skeleton for QA tests.

Original commit: elastic/x-pack-elasticsearch@97df15390c
2015-08-10 11:00:53 +02:00
Adrien Grand 2cd124d263 Add a skeleton for QA tests.
For now this just tries to install license, marvel and watcher, and then checks
that these plugins are listed in the node infos. I can do shield once I figure
out how to set it up for REST tests.

Original commit: elastic/x-pack-elasticsearch@8549f4bc5a
2015-08-10 10:55:58 +02:00
Martijn van Groningen cf1409ed02 fix watcher runner
Original commit: elastic/x-pack-elasticsearch@243fa1b153
2015-08-10 10:48:21 +02:00
Tanguy Leroux 20a65dd6ca Watcher: Fix compilation issue in WatcherF class
Related to elastic/elasticsearch@368c41666c

Original commit: elastic/x-pack-elasticsearch@ae6de46457
2015-08-10 09:55:28 +02:00
Martijn van Groningen f726a8a017 Fixed rest runners that check watcher+shield and an expired license.
* The watcher+shield test failed, but the error was ignored due to a buggy if statement that existed for the hijack rest test.
* Blacklisted the hijack test.
* Also ade sure that we run the watcher+rest test with an user that doesn't have credentials.

Original commit: elastic/x-pack-elasticsearch@61b1bf0142
2015-08-07 14:26:22 +02:00
Alexander Reelsen b433ee390c Packaging: Changing groupId to org.elasticsearch.plugin
This commit changes the groupId to the above mentioned one
so that S3 uploads will end up in the right bucket. This will
allow the Elasticsearch plugin manager to install the commercial
plugins like

```
bin/plugin install {watcher,shield,license,marvel}
```

like the official ones.

Original commit: elastic/x-pack-elasticsearch@642f1f006a
2015-08-06 15:46:48 +02:00
Robert Muir 9133f766d3 fix skip.integ.tests to work everywhere again
Original commit: elastic/x-pack-elasticsearch@9cd5ca6db8
2015-08-06 07:07:23 -04:00
Martijn van Groningen 64ee394460 There is no need to check if the primary shards of the history indices are started, since we don't load watch records any more during the Watcher startup process.
Original commit: elastic/x-pack-elasticsearch@e6bfb37477
2015-08-05 18:58:11 +02:00
Martijn van Groningen 3f0509923a Use custom metadata to remember that Watcher stopped via an explicit stop api call.
Also expose WatcherMetaData in stats api

Original commit: elastic/x-pack-elasticsearch@5581615f9c
2015-08-05 18:55:52 +02:00
uboness 5f932952f2 [watcher] Remove default timezone usage
Closes elastic/elasticsearch#387

Original commit: elastic/x-pack-elasticsearch@5382fecf10
2015-08-05 00:20:14 +02:00
Ryan Ernst cfc4c6eca2 Rename integ tests back from IT extension
Original commit: elastic/x-pack-elasticsearch@e4ffa393ba
2015-08-03 18:47:33 -07:00
Ryan Ernst ae02762b95 Rename test cases to use new test name patterns
With elastic/elasticsearchelastic/elasticsearch#12623 base test classes were renamed
to use "TestCase" suffix. This updates x-plugins to reflect those
name changes. It also renames some tests that were marked
with @Slow (which was forbidden with elastic/elasticsearchelastic/elasticsearch#12617 and
elastic/elasticsearch elastic/elasticsearch#12618) to use the IT suffix to run
under `mvn verify`.

Original commit: elastic/x-pack-elasticsearch@05ffe2f202
2015-08-03 18:18:18 -07:00
Robert Muir 875e2e67c5 switch over uses of homeFile() to binFile().getParent().
homeFile() is removed and should not be used, we need to cleanup,
but this is just a rote change to get builds green.

Original commit: elastic/x-pack-elasticsearch@05d0fb4a7c
2015-08-03 13:36:22 -04:00
jaymode 77eb27001b fix WatcherF compile error
Original commit: elastic/x-pack-elasticsearch@a8383fa2bb
2015-08-03 07:10:09 -04:00
Tanguy Leroux 101ea6deab Remove usage of Streams.copyToBytesFromClasspath()
Original commit: elastic/x-pack-elasticsearch@8f813e9275
2015-07-31 16:37:30 +02:00
Alexander Reelsen 7ec8a7ab27 CLI tool: Fix exit status changes
In elastic/elasticsearch#12165 the return value of the CLITool was changed from an integer
to the ExitStatus enum. This commit adapts the cli tools of x-plugins.

Original commit: elastic/x-pack-elasticsearch@fc6478bfa5
2015-07-30 16:06:54 +02:00
jaymode 78068bd66f apply the useBaseVersion fix to watcher as well
Original commit: elastic/x-pack-elasticsearch@f3b5d76c11
2015-07-28 11:35:20 -04:00
jaymode 868b6b01cf add isClosed method to SensitiveXContentParser
Original commit: elastic/x-pack-elasticsearch@b1cada3bfc
2015-07-24 14:44:52 -04:00
Alexander Reelsen ba5900cf0b Documentation: Fix calls for bin/plugin to be compatible with master
Original commit: elastic/x-pack-elasticsearch@e9ce3f401c
2015-07-24 12:24:44 +02:00
Robert Muir 4b5faf00ac Add description elements to pom.xml's for plugins, it goes in their metadata file
Original commit: elastic/x-pack-elasticsearch@753f7a67f4
2015-07-22 21:57:30 -04:00
Robert Muir 8dea4500c5 get watcher verify working
Original commit: elastic/x-pack-elasticsearch@56978b71f9
2015-07-22 09:49:57 -04:00
Robert Muir 0cd1aa5aa2 get build (kinda) working
Original commit: elastic/x-pack-elasticsearch@c230faf732
2015-07-22 08:49:20 -04:00
Brian Murphy 7609d5f823 [TEST] Fix test compilation
This fixes the WatchStoreTests and the TriggeredWatchStore tests with the new shard constructor.

Original commit: elastic/x-pack-elasticsearch@3d1b00b132
2015-07-21 13:56:15 -04:00