When we encounter a composite request, we authorize at first without looking at the indices, to see whether the action can be executed at all. We then rely on the action to delegate to an inner action per sub-request, which will be authorized based on the indices it refers to. The first step works great for the simulate mode of search template, as it doesn't involve any index. The second step will make sure that when search template involves a search, it will be authorized as a normal search request would, based on the indices it reads from.
Note that the wildcard expansion happens now on the search side, it doesn't have to happen when executing the first authorization step, hence SearchTemplateRequest doesn't have to implement IndicesRequest, only SearchRequest has to (which it does already).
Closeselastic/elasticsearch#4171
Original commit: elastic/x-pack-elasticsearch@d586bd90cb
This commit applies the same fix merged in elastic/elasticsearch#4179 for XDocsClientYamlTestSuiteIT. It adds a waitForSecurityTemplate() method in order to wait for the security-index-template to be created by the SecurityTemplateService.
Original commit: elastic/x-pack-elasticsearch@1476f30e2d
Since there is no hard requirement for a strict POSIX shell
implementation, we can switch to /bin/bash.
Clean up left over break statements and consistently use $() for command
substitutions.
Original commit: elastic/x-pack-elasticsearch@0a33dfed56
This commit moves the iteration of realms for authentication and user lookup to
be done in an asynchronous fashion. The existing blocking methods have been deprecated
to allow custom realm implementors time to switch. All internal realms implement the
asynchronous methods.
This PR is another step toward the full migration to async authentication, but does not
complete the work. Additional work is needed for the LDAP realms, which make blocking
network calls. These blocking calls will be handled in a follow-up PR.
See elastic/elasticsearch#3790
Original commit: elastic/x-pack-elasticsearch@a65a9b2bb4
Remove duplicate definition of GRADLE_OPT_TEST and rename arguments as
discussed in
https://github.com/elastic/x-plugins/pull/4137#discussion_r89660620
Default to `check` if no argument is passed, but exit with error in an
unsupported parameter is provided.
Also ensure the pipefail option is only set when the executing shell
is *really* bash as opposed to POSIX sh which doesn't support it.
Original commit: elastic/x-pack-elasticsearch@64bd740295
If the HTTP response is an invalid one, it is still logged as success.
This commit changes the behaviour, that if the response status code is
set to -1 (which means it could not be interpreted), than an IOException
is thrown and thus the execution will be marked as a failure.
Closeselastic/elasticsearch#4152
Original commit: elastic/x-pack-elasticsearch@5736fbe3c0
When one of the 2 nodes in the old cluster is shut down, shards that were on that node will become unassigned and be marked to be
delay-allocated, i.e. either a node with shard data for that shard must be available or the allocation of the shards will be delayed for a minute.
In the mixed cluster the replica shard might not be allocated as the primary is already on the node with the newer version and replicas are not allowed
then to be allocated to a node of an older version of ES. Once both nodes are upgraded, the delay might still be in place, and can only be nullified if there
is shard data available on the node. If there never was a shard on that node though, it will take a minute and run into the timeout checking for green.
This commit ensures that all shards are fully-allocated before we do the rolling restart scenario
Original commit: elastic/x-pack-elasticsearch@a0d9b1b043
* Add pom info to all xplugins generated poms
This change is the xplugins side of elastic/elasticsearchelastic/elasticsearch#21757. We were
previously adding the apache license info to the xplugins poms (but the
zips still contained our commercial EULA). There is also a placeholder
here to add license info back into xpack artifact poms. I also created a
follow up issue to do better validation of these poms in the future
(with this change, without the corresponding change in ES, a broken pom
would be generated with two `developers` sections):
elastic/elasticsearchelastic/elasticsearch#21758.
* Add commercial license info to pom
Original commit: elastic/x-pack-elasticsearch@8f6941f82b
* Do not try bind to port range but use free ephemeral port
* Start a new email server in all tests, do not use static one
* Remove selection of username/password, as it was static anyway
* Remove Listener.Handle class, as it is not needed, when not running in static context
Original commit: elastic/x-pack-elasticsearch@8816cc25f6
OldMonitoringIndicesBackwardsCompatibilityTests fails because it waits for more shards stats to be collected but that can only work if new indices are created in the meanwhile.
Original commit: elastic/x-pack-elasticsearch@003c28cf93
If the primary shard of an index with (number_of_replicas > 0) ends up on a new node in a mixed cluster, the replica cannot be allocated to the old node as
the new node might have written segments that use a new postings format or codec that is not available on the older node.
As x-pack automatically creates indices with number_of_replicas > 0, for example monitoring-data-*, the test can only wait for yellow in a mixed cluster.
Original commit: elastic/x-pack-elasticsearch@945d9e3811
We prefer just passing a single cli argument that allows the script to
choose the corresponding gradle command from a preset list of
choices. For now, valid options are `packagingtests` or `tests`. The
script defaults to `tests` if no argument is supplied.
Original commit: elastic/x-pack-elasticsearch@f6315b1ad5
This commit updates the watch_history.json file so that it includes mappings for the new Jira action. It also update the JiraIssue format so that it now includes the name of the account used to create the Jira issue. It also update the REST tests to check that Jira action result are searchable and hide the user's password.
Original commit: elastic/x-pack-elasticsearch@75888f7748
This commit adds a timeout to the cluster health call that we wait on so that we can
see the status of the health request instead of getting timeouts failures with no
information to go on.
Original commit: elastic/x-pack-elasticsearch@2f34d01e00
This commit adds tests to ensure that user lookup in caching realms works as expected. An unclear
contract in the Cache#computeIfAbsent method allowed for null values to be returned from this method
even if there should have been exception reported to the loader. This has been fixed in the cache
implementation and we add tests to verify that the caching of user lookups is done properly under
concurrent operations.
Closeselastic/elasticsearch#4054
Original commit: elastic/x-pack-elasticsearch@41567c6ed9
This change allows reads of our native users and roles when the template version has not been updated to
match the current version. This is useful for rolling upgrades where the nodes are also being actively
queried and/or indexed into. Without this, we can wreak havoc on a cluster by causing exceptions during
replication, which leads to shard failures. On nodes that match the version defined in the template,
write operations are allowed since we know that we are backwards compatible in terms of format but we
may have added new fields and shouldn't index them until the mappings and template have been updated.
As part of this, the rolling upgrade tests from core were used as the basis for a very basic set of tests
for doing a rolling upgrade with x-pack.
Closeselastic/elasticsearch#4126
Original commit: elastic/x-pack-elasticsearch@9be518ef00
Currently, a tribe node ignored underlying cluster licenses
due to inablity to select an appropriate license from multiple
licenses. Now that tribe node supports merging custom metadata
(elasticsearch#elastic/elasticsearch#21552), we can enable license support in tribe
node.
Now, tribe node chooses license with the highest operation
mode from underlying cluster licenses. This commit also
adds integration tests for licensing to verify that:
- autogenerated trial license propagates to tribe node
- tribe node chooses the highest operation mode license
- removing a license from underlying cluster license is
removed from tribe
closeselastic/elasticsearch#3212
Original commit: elastic/x-pack-elasticsearch@b5c003decd
This commit changes the toXContent() method so that it generates content that can be parsed again by the parse() method. Before this commit, the authentication of the HTTP request is rendered as:
{ "auth": {"username": "foo", "password": "bar" } }
but the parsing method expects the authentication type to be a root object:
{ "auth": { "basic" : {"username": "foo", "password": "bar" } } }
The toXContent method has been adapted to include the type of authentication in the generated content.
Original commit: elastic/x-pack-elasticsearch@b740466109
This removes the mock webserver trying to bind to a port range, just
try to bind to any port.
Also removed unneeded wrapper class in the process.
Original commit: elastic/x-pack-elasticsearch@19b6ac393a
When a fatal error is thrown on the network layer, such an error never
makes its way to the uncaught exception handler. This prevents the node
from being torn down if an out of memory error or other fatal error is
thrown while handling HTTP or transport traffic. This commit adds logic
to ensure that such errors bubble their way up to the uncaught exception
handler, even though Netty tries really hard to swallow everything.
Original commit: elastic/x-pack-elasticsearch@f76757674f
Prevent the ci script from going to infinite loop if the user provides a
non POSIX style command line argument (not prefixed with - or --)
Original commit: elastic/x-pack-elasticsearch@e0eb0e6df7
This commit aims to fix the regularly failing test OldMonitoringIndicesBackwardsCompatibilityTests. It enables/disables monitoring data collection using time interval "-1" as well as stopping AgentService instances directly and checks multiple times if indices are still present at the end of the test.
closeselastic/elasticsearch#3999
Original commit: elastic/x-pack-elasticsearch@8ac785061a
* Record audit trail even if indicies-resolver throws exception
If the IndicesAndAliasesResolver throws an exception, treat is as "accessDenied" for the purpose of the audit-trail.
This can occur when an index request has a wildcard that doesn't match (and "allowNoIndices" is false)
Closeselastic/elasticsearch#3719
Original commit: elastic/x-pack-elasticsearch@ca6567e5ed
RemoteIndexAuditTrailStartingTests has been failing quite often due to several
race conditions. This change simplifies the test (one node per cluster, local and
remote) and fixes some issues in IndexAuditTrail. The interrupt based shutdown has
been removed from the `QueueConsumer` and an additional health call has been added
to trigger another start attempt if the first one failed. This stabilize the test
that now run in 1 second rather than 1 minute.
Original commit: elastic/x-pack-elasticsearch@a1c8131cd2