Commit Graph

45661 Commits

Author SHA1 Message Date
Jason Tedor 942a1445f3
Fix reference to 7.1 in security token tests
This version should be referencing 7.2 rather than 7.1, due to some
changes in timing of the token service changes.
2019-05-01 14:00:35 -04:00
Ioannis Kakavas 8426130553
Add negative tests for security features in basic
Assert that API Keys, Tokens, DLS/FLS do not work in basic
2019-05-01 14:00:32 -04:00
Tim Vernum 3589ca8493
Add test for security on basic license.
This is modelled on the qa test for TLS on basic.

It starts a cluster on basic with security & performs a number of
security related checks.
It also performs those same checks on a trial license.
2019-05-01 14:00:29 -04:00
Tim Vernum 0ee16d0115
Security on Basic License
This adds support for using security on a basic license.
It includes:

- AllowedRealmType.NATIVE realms (reserved, native, file)
- Roles / RBAC
- TLS (already supported)

It does not support:

- Audit
- IP filters
- Token Service & API Keys
- Advanced realms (AD, LDAP, SAML, etc)
- Advanced roles (DLS, FLS)
- Pluggable security

As with trial licences, security is disabled by default.

This commit does not include any new automated tests, but existing tests have been updated.
2019-05-01 14:00:25 -04:00
Jason Tedor f08ac103ee
Add 6.8 version constant
This commit adds the 6.8 version constant to the 7.x branch.
2019-05-01 13:38:58 -04:00
Jason Tedor 7f3ab4524f
Bump 7.x branch to version 7.2.0
This commit adds the 7.2.0 version constant to the 7.x branch, and bumps
BWC logic accordingly.
2019-05-01 13:38:57 -04:00
James Rodewig c86f797df8 [DOCS] Reword `type` query deprecation note for Asciidoctor migration (#41595) 2019-05-01 09:29:05 -04:00
Henning Andersen c6abe74dd6
Close and acquire commit during reset engine fix (#41584) (#41709)
If closing a shard while resetting engine,
IndexEventListener.afterIndexShardClosed would be called while there is
still an active IndexWriter on the shard. For integration tests, this
leads to an exception during check index called from MockFSIndexStore
.Listener. Fixed.

Relates to #38561
2019-05-01 15:22:24 +02:00
Albert Zaharovits 990be1f806
Security Tokens moved to a new separate index (#40742)
This commit introduces the `.security-tokens` and `.security-tokens-7`
alias-index pair. Because index snapshotting is at the index level granularity
(ie you cannot snapshot a subset of an index) snapshoting .`security` had
the undesirable effect of storing ephemeral security tokens. The changes
herein address this issue by moving tokens "seamlessly" (without user
intervention) to another index, so that a "Security Backup" (ie snapshot of
`.security`) would not be bloated by ephemeral data.
2019-05-01 14:53:56 +03:00
Benjamin Trent bc333a5cbf
[ML] data frame, adding builder classes for complex config classes (#41638) (#41704)
* [ML] data frame, adding builder classes for complex config classes

* Addressing PR comments, adding some java docs

* cleaning up constructor

* fixing indentation

* change constructors to be package-private
2019-05-01 06:44:29 -05:00
Jason Tedor 26c72c96bd
Fix imports in KeyStoreWrapperTests
This commit addresses a checkstyle violation in KeyStoreWrapperTests,
removing a leftover import.
2019-05-01 07:21:23 -04:00
Jason Tedor 0b46a62f6b
Drop distinction in entries for keystore (#41701)
Today we allow adding entries from a file or from a string, yet we
internally maintain this distinction such that if you try to add a value
from a file for a setting that expects a string or add a value from a
string for a setting that expects a file, you will have a bad time. This
causes a pain for operators such that for each setting they need to know
this difference. Yet, we do not need to maintain this distinction
internally as they are bytes after all. This commit removes that
distinction and includes logic to upgrade legacy keystores.
2019-05-01 07:02:04 -04:00
Jake Landis 7ac3283509
Fix Watcher deadlock that can cause in-abilty to index documents. (#41418) (#41684)
This commit removes the usage of the `BulkProcessor` to write history documents
and delete triggered watches on a `EsRejectedExecutionException`. Since the
exception could be handled on the write thread, the write thread can be blocked
waiting on watcher threads (due to a synchronous method). This is problematic
since those watcher threads can be blocked waiting on write threads.

This commit also moves the handling of the exception to the generic threadpool
to avoid submitting write requests from the write thread pool.

fixes #41390
2019-04-30 16:13:24 -05:00
Tom Veasey b3f4533e1c [ML] Update for model selection change and disable temporarily (#41482) (#41682) 2019-04-30 15:47:54 -05:00
James Rodewig 66d8549083 [DOCS] Move block delimiter and anchor in 'Configuring Security' for Asciidoctor migration (#41604) 2019-04-30 16:41:26 -04:00
James Rodewig b65ceb36bc [DOCS] Escape quotes to avoid smart quotes in Asciidoctor (#41603) 2019-04-30 16:31:20 -04:00
James Rodewig 721787fa76 [DOCS] Remove soft line breaks (+) for Asciidoctor migration (#41600) 2019-04-30 16:22:50 -04:00
James Rodewig 3e68164825 [DOCS] Move beta[] tag for Asciidoctor migration (#41599) 2019-04-30 16:03:24 -04:00
James Rodewig 9506e3f1c5 [DOCS] Escape commas in deprecated[] for Asciidoctor migration (#41598) 2019-04-30 15:52:57 -04:00
James Rodewig d329186972 [DOCS] Escape depcreated[] note for Asciidoctor migration (#41608) 2019-04-30 15:19:43 -04:00
Nhat Nguyen 887f3f2c83 Simplify initialization of max_seq_no of updates (#41161)
Today we choose to initialize max_seq_no_of_updates on primaries only so
we can deal with a situation where a primary is on an old node (before
6.5) which does not have MUS while replicas on new nodes (6.5+).
However, this strategy is quite complex and can lead to bugs (for
example #40249) since we have to assign a correct value (not too low) to
MSU in all possible situations (before recovering from translog,
restoring history on promotion, and handing off relocation).

Fortunately, we don't have to deal with this BWC in 7.0+ since all nodes
in the cluster should have MSU. This change simplifies the
initialization of MSU by always assigning it a correct value in the
constructor of Engine regardless of whether it's a replica or primary.

Relates #33842
2019-04-30 15:14:52 -04:00
James Rodewig d46f55f013 [DOCS] Add attribute to escape minimal pt token link in Asciidoctor (#41613) 2019-04-30 14:11:48 -04:00
James Rodewig 005296dac6 [DOCS] Allow attribute substitution in titleabbrevs for Asciidoctor migration (#41574)
* [DOCS] Replace attributes in titleabbrevs for Asciidoctor migration

* [DOCS] Add [subs="attributes"] so attributes render in Asciidoctor

* Revert "[DOCS] Replace attributes in titleabbrevs for Asciidoctor migration"

This reverts commit 98f130257a7c71e9f6cddf5157af7886418338d8.

* [DOCS] Fix merge conflict
2019-04-30 13:46:45 -04:00
Armin Braun 7cc4b9a8b3
Implement Bulk Deletes for GCS Repository (#41368) (#41681)
* Implement Bulk Deletes for GCS Repository (#41368)

* Just like #40322 for AWS
* We already had a bulk delete API but weren't using it from the blob container implementation, now we are using it
  * Made the bulk delete API also compliant with our interface that only suppresses errors about non existent blobs by stating failed deletes (I didn't use any bulk stat action here since having to stat here should be the exception anyway and it would make error handling a lot more complex)
* Fixed bulk delete API to limit its batch size to 100 in line with GCS recommendations

back port of #41368
2019-04-30 17:03:57 +02:00
James Rodewig 53702efddd [DOCS] Add anchors for Asciidoctor migration (#41648) 2019-04-30 10:20:17 -04:00
James Rodewig c26b8eb4de [DOCS] Remove line break from deprecated[] macro (#41616) 2019-04-30 09:58:58 -04:00
James Rodewig cc39233ff8 [DOCS] Add soft line breaks to maintain nested definition list (#41617) 2019-04-30 09:25:43 -04:00
David Kyle f737b05ad1 Mute CcrRetentionLeaseIT.testForgetFollower
https://github.com/elastic/elasticsearch/issues/39850
2019-04-30 09:55:16 +01:00
Armin Braun 08c0ecb90e
Upgrade to Netty 4.1.35 (#41499) (#41651)
* Some fixes and possible performance fixes in the last 3 versions ->
upgrading
2019-04-30 09:27:51 +02:00
Tim Brooks df3ef66294
Remove dedicated SSL network write buffer (#41654)
This is related to #27260. Currently for the SSLDriver we allocate a
dedicated network write buffer and encrypt the data into that buffer one
buffer at a time. This requires constantly switching between encrypting
and flushing. This commit adds a dedicated outbound buffer for SSL
operations that will internally allocate new packet sized buffers as
they are need (for writing encrypted data). This allows us to totally
encrypt an operation before writing it to the network. Eventually it can
be hooked up to buffer recycling.

This commit also backports the following commit:

Handle WRAP ops during SSL read

It is possible that a WRAP operation can occur while decrypting
handshake data in TLS 1.3. The SSLDriver does not currently handle this
well as it does not have access to the outbound buffer during read call.
This commit moves the buffer into the Driver to fix this issue. Data
wrapped during a read call will be queued for writing after the read
call is complete.
2019-04-29 17:59:13 -06:00
Igor Motov 10ab838106
Geo: Add GeoJson parser to libs/geo classes (#41575) (#41657)
Adds GeoJson parser for Geometry classes defined in libs/geo.

Relates #40908 and #29872
2019-04-29 19:43:31 -04:00
Benjamin Trent 92a820bc1a
[ML] Add bucket_script agg support to data frames (#41594) (#41639) 2019-04-29 10:14:17 -05:00
Alan Woodward a01f451ef7 Limit complexity of IntervalQueryBuilderTests#testRandomSource() (#41538)
IntervalsSources can throw IllegalArgumentExceptions if they would produce
too many disjunctions.  To mitigate against this when building random
sources, we limit the depth of the randomly generated source to four
nested sources

Fixes #41402
2019-04-29 13:31:19 +01:00
Dan Hermann b23709b178
Applies the same naming restrictions to repositories as to snapshots except that leading underscores and uppercase characters are permitted. (#41585)
Fixes #40817.
2019-04-29 07:31:01 -05:00
James Rodewig fc4f401214 [DOCS] Document 200 http code response for partial results (#40367) 2019-04-29 08:30:17 -04:00
Armin Braun 6e51b6f96d
Add Repository Consistency Assertion to SnapshotResiliencyTests (#41631)
* Add Repository Consistency Assertion to SnapshotResiliencyTests (#40857)

* Add Repository Consistency Assertion to SnapshotResiliencyTests

* Add some quick validation on not leaving behind any dangling metadata or dangling indices to the snapshot resiliency tests
   * Added todo about expanding this assertion further

* Fix SnapshotResiliencyTest Repo Consistency Check (#41332)

* Fix SnapshotResiliencyTest Repo Consistency Check

* Due to the random creation of an empty `extra0` file by the Lucene mockFS we see broken tests because we use the existence of an index folder in assertions and the index deletion doesn't go through if there are extra files in an index folder
  * Fixed by removing the `extra0` file and resulting empty directory trees before asserting repo consistency
* Closes #41326

* Reenable SnapshotResiliency Test (#41437)

This was fixed in https://github.com/elastic/elasticsearch/pull/41332
but I forgot to reenable the test.

* fix compile on java8
2019-04-29 12:01:58 +02:00
David Kyle 1a6ffb2644 Mute ClusterPrivilegeTests.testThatSnapshotAndRestore
Tracked in #38030
2019-04-29 16:45:01 +10:00
Yogesh Gaikwad 719e4452af Revert "Suppress illegal access in plugin install (#41620)"
This reverts commit fb9f729426.
2019-04-29 13:56:31 +10:00
Jason Tedor fb9f729426
Suppress illegal access in plugin install (#41620)
We use Bouncy Castle to verify signatures when installing official
plugins. This leads to illegal access warnings because Bouncy Castle
accesses the Sun security provider constructor. This commit adds an
add-opens flag to suppress this illegal access.
2019-04-28 23:04:32 -04:00
Jason Tedor 3b3f7b7e34
Bump the bundled JDK to 12.0.1 (#41627)
This commit bumps the bundled JDK to version 12.0.1. Note that we had to
add a new pattern here as Oracle has changed the source of the
builds. This commit will be backported to 6.7 in a different form to
bump the bundled JDK in the Docker images too.
2019-04-28 21:04:42 -04:00
Jason Tedor 7a82277bc3
Change JDK distribution source (#41626)
We had been obtaining JDK distributions from download.java.net. This
site is now presenting a certificate that does not list
download.java.net as a SAN. Therefore with host verification, the build
can not use this site. This commit switches to using download.oracle.com
which appears to be an alternative name for the same CNAME
download.oracle.com.edgekey.net. This allows our builds to resume.
2019-04-28 20:16:06 -04:00
Yogesh Gaikwad c0d40ae4ca
Remove deprecated stashWithOrigin calls and use the alternative (#40847) (#41562)
This commit removes the deprecated `stashWithOrigin` and
modifies its usage to use the alternative.
2019-04-28 21:25:42 +10:00
Jim Ferenczi a8c3c5cd78
Restore rolling upgrade test for the _all field (#41462)
This commit adapts the rolling upgrade test introduced in #37808
to ignore runs that upgrade from a version on or after 7.0.

Closes #41453
2019-04-27 18:37:15 +02:00
Nhat Nguyen 615a0211f0 Recovery should not indefinitely retry on mapping error (#41099)
A stuck peer recovery in #40913 reveals that we indefinitely retry on
new cluster states if indexing translog operations hits a mapper
exception. We should not wait and retry if the mapping on the target is
as recent as the mapping that the primary used to index the replaying
operations.

Relates #40913
2019-04-27 10:55:08 -04:00
Michael Morello 75283294f5 Fix multi-node parsing in voting config exclusions REST API (#41588)
Fixes an issue where multiple nodes where not properly parsed in the voting config exclusions REST API.

Closes #41587
2019-04-27 12:20:03 +02:00
Benjamin Trent a0990ca239
[ML] cleanup + adding description field to transforms (#41554) (#41605)
* [ML] cleanup + adding description field to transforms

* making description length have a max of 1k
2019-04-26 16:50:59 -05:00
Chris Earle 858e7f4a62
[7.x] [Monitoring] Add `usage` mapping for `monitoring-kibana` index (#40899) (#41601)
Backports the usage change to 7.x. A separate backport is needed to
change the version for 6.7, which will complete this backport.
2019-04-26 16:44:03 -04:00
Hicham Mallah 22f3b53ed7 Deprecate using 0 value for `min_children` in `has_child` query (#41555)
After changing the allowed minimum value for min_children in has_child query from 0 to 1 in 
the next major version, this PR adds a deprecation warning for these cases.

Closes #41548
2019-04-26 21:00:11 +02:00
Alan Woodward d7ab86db9c Document restrictions on fuzzy matching when using synonyms (#40783)
Relates to #25518 #41592
2019-04-26 10:10:32 -07:00
James Rodewig d548901855 [DOCS] Add space to fix Asciidoctor output (#41579) 2019-04-26 12:13:33 -04:00