Commit Graph

3911 Commits

Author SHA1 Message Date
Lukas Olson 00f8281f37 Merge pull request elastic/elasticsearch#2855 from lukasolson/fix/role_metadata
[security-ui] Use metadata._reserved rather than array of reserved roles

Original commit: elastic/x-pack-elasticsearch@11d53cb4c8
2016-07-21 14:59:31 -07:00
Tim Sullivan e566b1c245 Merge pull request elastic/elasticsearch#2859 from tsullivan/monitoring-ui-createquery-metric-fix
Monitoring ui createquery metric fix

Original commit: elastic/x-pack-elasticsearch@bb8baff352
2016-07-21 12:44:32 -07:00
Ryan Ernst a93a5fcd5b Rename LicensesService to LicenseService
We only have one license in 5.x. This change renames the service that
mantains the license state on each node to reflect that fact.

Original commit: elastic/x-pack-elasticsearch@bb241b30cb
2016-07-21 11:59:52 -07:00
Alexander Reelsen 81382262ec Watcher: Hardcode index names for auto index create validation (elastic/elasticsearch#2834)
This is broken in 2.x and returns a wrong index name. We should just use
the indices, that are hardcoded in the error message.

Relates elastic/elasticsearch#2831

Original commit: elastic/x-pack-elasticsearch@457be61013
2016-07-21 14:25:22 +02:00
Jim Ferenczi bd91603f6d Sort plugins in list x-pack extensions command
Fix tests that rely on deterministic order.

Original commit: elastic/x-pack-elasticsearch@324b0db514
2016-07-20 19:45:10 +02:00
Britta Weber 75362e70a3 fix compile
Original commit: elastic/x-pack-elasticsearch@d234e88c22
2016-07-20 19:24:56 +02:00
Ryan Ernst 59c76e1bc6 Merge pull request elastic/elasticsearch#2873 from rjernst/deguice11
Remove guice from authentication and authorization services

Original commit: elastic/x-pack-elasticsearch@323540a4eb
2016-07-20 08:52:25 -07:00
Jim Ferenczi 7467652b43 Add verbose mode for extension list command
This is a late follow up of https://github.com/elastic/elasticsearch/pull/18051
Closes elastic/elasticsearch#2806

Original commit: elastic/x-pack-elasticsearch@d1c9a3d7c5
2016-07-20 14:37:36 +02:00
Ryan Ernst f05005f667 Internal: Remove guice from authentication and authorization services
This change removes guice from most of the rest of security. It also
converts the last use of onModule in xpack extensions to a pull based
extension.

Original commit: elastic/x-pack-elasticsearch@9de072550e
2016-07-19 15:57:29 -07:00
Ryan Ernst 4b4e7158eb Merge pull request elastic/elasticsearch#2870 from rjernst/deguice14
Remove interfaces for auth services

Original commit: elastic/x-pack-elasticsearch@e10798b9aa
2016-07-19 14:57:04 -07:00
Ryan Ernst 94b9b332d4 Internal: Remove interfaces for auth services
Both AuthenticationService and AuthorizationService are currently
interfaces with single implementations. This is unnecessary, and makes
it harder to deguice. This change removes the abstractions and leaves
just AuthenticationService and AuthorizationService.

Original commit: elastic/x-pack-elasticsearch@d04c897ae4
2016-07-19 14:38:51 -07:00
Ryan Ernst 12eb53f239 Merge pull request elastic/elasticsearch#2869 from rjernst/deguice13
Internal: Remove use of AuditTrail interface in place of AuditTrailService

Original commit: elastic/x-pack-elasticsearch@9d389cf86b
2016-07-19 14:02:38 -07:00
Ryan Ernst 6c7a9af7bf Internal: Remove use of AuditTrail interface in place of
AuditTrailService

We currently have a number of actions and components which try to write
to the audit trail. But they do so by expecting a bound AuditTrail
object. In reality, this should always be AuditTrailService, except when
security is disabled. This change removes the use of the AuditTrail
interface for that purpose, and instead makes the AuditTrailService
allow an empty list of trails, so that it is always bound when running
on a node.

Original commit: elastic/x-pack-elasticsearch@9559dbd6c1
2016-07-19 13:41:19 -07:00
Jonathan Budzenski 92cb69b307 Merge pull request elastic/elasticsearch#2853 from jbudz/issues/2812
monitoring ui: request timestamp from source, use different timestamp field

Original commit: elastic/x-pack-elasticsearch@24d136c45e
2016-07-19 13:02:12 -05:00
jaymode 9be5c7df60 security: remove SelfReSchedulingRunnable
This commit removes the SelfReschedulingRunnable and changes the native stores
to use the threadpool for scheduling again since we have now fixed the issue in core.

Original commit: elastic/x-pack-elasticsearch@50030e31ff
2016-07-19 12:19:52 -04:00
Ryan Ernst 4552df11da Merge pull request elastic/elasticsearch#2860 from rjernst/deguice12
Internal: Simplify SecurityContext dependencies

Original commit: elastic/x-pack-elasticsearch@74d0036e80
2016-07-19 09:05:26 -07:00
javanna 63a5001837 [TEST] restore throws IOException clause on all sync performRequest callers
Original commit: elastic/x-pack-elasticsearch@d114419752
2016-07-19 16:51:07 +02:00
javanna 5c31e20746 Use ContentType constant instead of RestClient#JSON_CONTENT_TYPE
Original commit: elastic/x-pack-elasticsearch@6f3165b569
2016-07-19 16:42:32 +02:00
javanna ca557af48c Merge branch 'master' into feature/async_rest_client
Original commit: elastic/x-pack-elasticsearch@693e281d0d
2016-07-19 16:29:50 +02:00
Court Ewing ca233990e1 Merge pull request elastic/elasticsearch#2862 from ycombinator/reporting/fix-minor-typo-5.0
[5.0] Remove extra "the"

Original commit: elastic/x-pack-elasticsearch@392dd41ca8
2016-07-19 09:48:37 -04:00
Yannick Welsch ea7ad5d4c5 Add new transport handler introduced by elastic/elasticsearchelastic/elasticsearch#19287
Original commit: elastic/x-pack-elasticsearch@8e71782cba
2016-07-19 14:56:51 +02:00
Martijn van Groningen 7c12fa0eb6 Removed basic sanity test as it caused problems for the clients
Original commit: elastic/x-pack-elasticsearch@1bd7c82708
2016-07-19 10:59:23 +02:00
Martijn van Groningen cc7cfb7fd9 security: Added `set_security_user` ingest processor that enriches documents with user details of the current authenticated user
This is useful if an index is shared with many small customers, which are to small to have their own index or shard,
 and in order to share an index safely they will need to use document level security. This processor can then automatically
 add the username or roles of the current authenticated user to the documents being indexed, so that the DLS query can be simple. (`username: abc` only return data inserted by user abc)

Closes elastic/elasticsearch#2738

Original commit: elastic/x-pack-elasticsearch@f4df2f6d6f
2016-07-19 09:48:52 +02:00
Ryan Ernst a76a6b4e54 Internal: Simplify SecurityContext dependencies
Currently the security context is an object passed around to code
needing to check the user for the current request. Like recent
InternalClient changes, it current depends on the AuthenticationService,
but can be simplified by only knowing about the thread context and
crypto service. This change makes SecurityContext a class, instead of an
interface, and removes the dependency on AuthenticationService.

Original commit: elastic/x-pack-elasticsearch@b8af75e8cb
2016-07-18 17:00:55 -07:00
Ryan Ernst 7bb4c613eb Merge pull request elastic/elasticsearch#2857 from rjernst/deguice9
Remove guice from audit trail construction

Original commit: elastic/x-pack-elasticsearch@a7bf223893
2016-07-18 15:14:00 -07:00
Ryan Ernst 41eea741b8 Ensure index audit trail is bound for security lifecycle service
Original commit: elastic/x-pack-elasticsearch@bbe7ec0802
2016-07-18 15:13:10 -07:00
Ryan Ernst 411b29e7fa Merge branch 'master' into deguice9
Original commit: elastic/x-pack-elasticsearch@2474231dc1
2016-07-18 14:25:49 -07:00
Ryan Ernst 30b084d372 Merge pull request elastic/elasticsearch#2843 from rjernst/plugin_default_config
Switch to new plugin configuration for integ tests

Original commit: elastic/x-pack-elasticsearch@e2a5da4144
2016-07-18 14:19:52 -07:00
Ryan Ernst f03683fb18 Internal: Remove guice from audit trail construction
This change removes guice from audit trails.

Original commit: elastic/x-pack-elasticsearch@ace1f11dc4
2016-07-18 13:59:51 -07:00
Ryan Ernst c3a3898da9 Merge pull request elastic/elasticsearch#2844 from rjernst/deguice8
Remove guice from realms construction

Original commit: elastic/x-pack-elasticsearch@8bfeef931c
2016-07-18 13:55:12 -07:00
Ryan Ernst e2303f2584 Merge branch 'master' into deguice8
Original commit: elastic/x-pack-elasticsearch@8b273d3f8a
2016-07-18 13:54:43 -07:00
Ryan Ernst 2de185ac72 Merge pull request elastic/elasticsearch#2845 from rjernst/remove_script_proxy
Remove script service proxy

Original commit: elastic/x-pack-elasticsearch@c4a1dfda1a
2016-07-18 13:41:41 -07:00
Ryan Ernst 07c9903e8f Merge branch 'master' into remove_script_proxy
Original commit: elastic/x-pack-elasticsearch@0046ab598a
2016-07-18 13:41:21 -07:00
jaymode 67f473a992 test: mute ldap timeout tests
See elastic/elasticsearch#2849

Original commit: elastic/x-pack-elasticsearch@318307073e
2016-07-18 11:20:52 -04:00
Simon Willnauer 12c709ea3a Move over to dedicated TransportClient implementations (elastic/elasticsearch#2819)
Followup of elastic/elasticsearchelastic/elasticsearch#19435
Relates to elastic/elasticsearchelastic/elasticsearch#19412

Original commit: elastic/x-pack-elasticsearch@60f7047ea9
2016-07-18 15:43:29 +02:00
jaymode 34d04a8c78 security: mention comma-separated for IP and DNS name prompts
Original commit: elastic/x-pack-elasticsearch@3e58fc282a
2016-07-18 08:53:17 -04:00
jaymode 59fcb205b5 security: active directory and ldap realm improvements
This commit is a combination of enhancements and fixes to the active directory
and ldap realms. The active directory realm has been enhanced to add support
for authentication against multiple domains in a forest. The ldap realm has
been updated so that:

* attributes required for group resolution are loaded eagerly if possible
* user search can now be executed using unpooled connections
* the default search filter for groups now includes posixGroup and memberUid
to avoid users needed to understand ldap filters

Finally, the UnboundID LDAP SDK was upgraded to the latest version and some
long standing AwaitsFix were addressed.

Closes elastic/elasticsearch#20
Closes elastic/elasticsearch#26
Closes elastic/elasticsearch#1950
Closes elastic/elasticsearch#2145
Closes elastic/elasticsearch#2363

Original commit: elastic/x-pack-elasticsearch@63c9be2337
2016-07-18 08:39:57 -04:00
jaymode 5be3832889 security: add metadata to roles
This commit adds the ability to define metadata for roles. This metadata is currently
only used for the API and to indicate that a role is reserved. We can continue passing
on the metadata as needed, when necessary.

Closes elastic/elasticsearch#2036

Original commit: elastic/x-pack-elasticsearch@8b5f606138
2016-07-18 08:11:43 -04:00
jaymode f42f8cf756 security: add tool to simplify creation of certificate and csr files
This commit adds a CLI tool that can be used to generate a CA and signed certificates in PEM
format. The tool only requires a name of an instance to be provided by the user; ip and dns values
are supported but optional. By default, the tool is interactive and will prompt the user for input but
an option exists to provide a yaml file that contains the necessary information to generate certificates
or signing requests.

The output is in the form of a zip file with subfolders for each instance. Neither the zip file or the PEM
files are encrypted as some parts of our stack do not support encrypted PEM files.

Original commit: elastic/x-pack-elasticsearch@3dc0f8d495
2016-07-18 07:50:17 -04:00
Alexander Reelsen c7e4f51d56 Watcher: Prioritize configured response content type in HttpInput (elastic/elasticsearch#2790)
When a HTTP input has a configured response content, then this should
always be treated as preferred over the content type that is returned
by the server in order to give the user the power to decide.

This also refactors the code a bit to make it more readable.

Closes elastic/elasticsearch#2211

Original commit: elastic/x-pack-elasticsearch@ecdb4f931c
2016-07-18 10:54:48 +02:00
Martijn van Groningen 5b5e0bd787 Updated xpack for changed in elastic/elasticsearch#19425 related to templates
Original commit: elastic/x-pack-elasticsearch@7747f92b89
2016-07-18 08:34:11 +02:00
Ryan Ernst 91441bbd2a Internal: Remove script service proxy
ScriptServiceProxy is a thin wrapper around the ScriptService which does
a runAs the xpack user when compiling. But script services know nothing
about xpack users, so this has no real effect. I believe this is a
remnant of when we had indexed scripts, where the compilation may have
done a get on the scripts index.

This change removes the ScriptServiceProxy. It also renames Script in
watcher to WatcherScript, to remove confusion between elasticsearch's
Script and watchers Script.

Original commit: elastic/x-pack-elasticsearch@4e2fdbc518
2016-07-16 00:10:17 -07:00
Ryan Ernst 525562e48f Add tests for realm construction
Original commit: elastic/x-pack-elasticsearch@a35c103726
2016-07-15 21:36:22 -07:00
Ryan Ernst 9df9957307 Remove guice from realms construction
This change makes the internal realms factories, as well as those added
by extensions, constructed directly instead of via guice. Adding realms
in extensions is now pull based. Finally, all of the generics for realms
and realm factories have been removed.

Original commit: elastic/x-pack-elasticsearch@f0de9d2340
2016-07-15 15:55:28 -07:00
Ryan Ernst 01dfb7481e Build: Switch to new plugin configuration for integ tests
This is the xplugins side of elastic/elasticsearchelastic/elasticsearch#19461

Original commit: elastic/x-pack-elasticsearch@bb29f9e948
2016-07-15 14:48:50 -07:00
Tim Sullivan c827a4be79 Merge pull request elastic/elasticsearch#2784 from tsullivan/monitoring-ui-fix-definesyntax
monitoring ui: fix define/amd syntax

Original commit: elastic/x-pack-elasticsearch@fb8c701600
2016-07-15 11:03:11 -07:00
Chris Earle 1311935122 [Monitoring] Add Request Cache to returned stats for tests
Original commit: elastic/x-pack-elasticsearch@9bc34609c5
2016-07-15 12:51:43 -04:00
Areek Zillur 0db0e2f0c9 Implements cloud_internal license type
"cloud_internal" license type enables dynamically updating license operation mode via a config file.

When the installed license is "cloud_internal", the node level operation mode can be updated by writing
a `license_mode` file in the x-pack config directory (config/x-pack/license_mode). The file is expected
to have a string representing the desired license mode (e.g. "gold", "basic"). In case of a failure to
read a valid license mode from the `license_mode` file, the operation mode for "cloud_internal" license
defaults to PLATINUM.
This change also ensures that the correct operation mode is reported via the _xpack endpoint.

closes elastic/elasticsearch#2042

Original commit: elastic/x-pack-elasticsearch@6a2d788e45
2016-07-15 12:08:34 -04:00
Ryan Ernst 4e81ef42a0 Merge pull request elastic/elasticsearch#2829 from rjernst/deguice7
Remove guice from ssl services

Original commit: elastic/x-pack-elasticsearch@3c19ffd744
2016-07-15 08:28:49 -07:00
Ryan Ernst 8407f6aaf6 Remove leftover guicyness from client ssl service
Original commit: elastic/x-pack-elasticsearch@f362097ad7
2016-07-15 08:25:59 -07:00