Commit Graph

72 Commits

Author SHA1 Message Date
jaymode d9363085c3 docs: add Shield 1.3.3 release notes
Original commit: elastic/x-pack-elasticsearch@69a525677b
2015-11-24 09:32:06 -05:00
debadair 90cb7d38b3 Docs: Added dates to Shield & Watcher release notes.
Original commit: elastic/x-pack-elasticsearch@2d42762b84
2015-11-23 13:20:51 -08:00
debadair c365da861f Shield Docs: Added information about enabling DLS/FLS.
Original commit: elastic/x-pack-elasticsearch@23f9ad66d4
2015-11-23 11:19:09 -08:00
debadair a973cbcd72 Shield Docs: Added release notes for 2.1.
Original commit: elastic/x-pack-elasticsearch@042904968b
2015-11-23 11:05:21 -08:00
debadair 9f6398127c Shield Docs: Added release notes for 2.0.1.
Original commit: elastic/x-pack-elasticsearch@a35092bc06
2015-11-23 11:03:45 -08:00
jaymode cc2096b4f9 add the option to disable DLS and FLS completely
This commit reverts a previous change where searcher were not wrapped when the RequestContext
could not be found. If DLS/FLS is enabled, which is the default, any bulk request that contains an
update request will not be permitted. This change also exposes the ability to completely disable DLS
and FLS so that users who are not using these features can still use bulk updates.

See elastic/elasticsearch#938

Original commit: elastic/x-pack-elasticsearch@513782db1c
2015-11-17 12:55:26 -05:00
Chris Earle 8c5fdc7023 Fixing references to bin/plugin -i
Original commit: elastic/x-pack-elasticsearch@708d381742
2015-11-12 13:45:38 -05:00
debadair 6106128272 Docs: Added uninstall topics to Watcher & Shield. Closes elastic/elasticsearch#801.
Original commit: elastic/x-pack-elasticsearch@b990c64647
2015-11-05 17:54:35 -08:00
debadair c088d19da4 Fixed YAML error in config. Closes elastic/elasticsearch#896
Original commit: elastic/x-pack-elasticsearch@7056bd5315
2015-10-29 11:38:56 -07:00
debadair 86ed4c84d6 Fixed download links. Closes elastic/elasticsearch#891 & elastic/elasticsearch#893.
Original commit: elastic/x-pack-elasticsearch@f6711f2dbc
2015-10-28 16:33:41 -07:00
jaymode 2837a2d8dc docs: shield release notes updates for 2.0GA
Original commit: elastic/x-pack-elasticsearch@6693be06da
2015-10-28 06:21:30 -04:00
Suyog Rao 7b0dbfe3c5 Update Shield docs with Logstash 2.0 changes
Most changes are related to the change in default
protocol from node to http

Fixes elastic/elasticsearch#882

Original commit: elastic/x-pack-elasticsearch@f5cad71f84
2015-10-27 18:18:31 -07:00
debadair e81e640190 Docs: Consolidated Watcher 2.0 release notes. Fixed pkg install cmds and subscription links for Watcher & Shield.
Original commit: elastic/x-pack-elasticsearch@1387a61a8f
2015-10-27 18:01:41 -07:00
debadair 7a61d435a5 Shield Docs: Fixed another cross doc problem.
Original commit: elastic/x-pack-elasticsearch@4a100865fa
2015-10-21 15:49:29 -07:00
debadair 099266bc49 Shield Docs: Fixed broken xrefs.
Original commit: elastic/x-pack-elasticsearch@938fce0359
2015-10-21 15:49:09 -07:00
debadair ca2aaa1567 Shield Docs: Fixed messed up xrefs & removed obsolete troubleshooting & limitation info.
Original commit: elastic/x-pack-elasticsearch@a376a24ea1
2015-10-21 15:48:36 -07:00
javanna 93065acf59 Remove references to search/exists that was deleted in core
Original commit: elastic/x-pack-elasticsearch@f1da798028
2015-10-21 18:30:30 +02:00
jaymode f5e9c826b4 docs: remove configuration path setting from plugin install commands
The additional setting to specify the configuration path is no longer needed with elasticsearch 2.0, so
we should remove it from the documentation. Also cleans up the installation commands to be in line
with what 2.0 requires.

Original commit: elastic/x-pack-elasticsearch@b269568a67
2015-10-21 07:14:34 -04:00
javanna 45d0ea6014 update action names after optimize and count removal from core
Original commit: elastic/x-pack-elasticsearch@614e51bd31
2015-10-21 13:01:37 +02:00
jaymode 7380e45abb document the user_group_attribute setting for LDAP realms
Closes elastic/elasticsearch#284

Original commit: elastic/x-pack-elasticsearch@d90aecbe3b
2015-10-20 14:43:08 -04:00
debadair 84ffc956a8 Shield Docs: Clarified that Shield does not support AD distribution groups. Closes elastic/elasticsearch#520.
Original commit: elastic/x-pack-elasticsearch@39f57ff08d
2015-10-20 10:34:52 -07:00
debadair 0123d33e87 Shield Docs: Updated Marvel config and license management for 2.0.
Original commit: elastic/x-pack-elasticsearch@3d225c2562
2015-10-20 10:13:51 -07:00
jaymode f7a8d31d6a update the wording around filtered aliases and document level security
Also, remove an extra period in DLS/FLS section title.

Closes elastic/elasticsearch#542
Closes elastic/elasticsearch#798

Original commit: elastic/x-pack-elasticsearch@a1556b37c7
2015-10-19 09:48:54 -04:00
PhaedrusTheGreek 6707b5d847 fixed a single character in reference docs
Original commit: elastic/x-pack-elasticsearch@6fdbe33ff9
2015-10-15 13:28:30 -04:00
jaymode 6dbad15e56 always sign messages when message signing is enabled
This change allows for messages to be signed when message signing is enabled and a system
key is not present. This is accomplished by generating a random key on startup and then using
HKDF with HmacSHA1 to generate the keying material to be used to sign the messages. The random
key from the originating node is added to the signed message so that the signing key can be
derived on the receiving node.

When a system key is present, the system key is used for signing and the preexisting behavior
is maintained.

Closes elastic/elasticsearch#711

Original commit: elastic/x-pack-elasticsearch@c41fdc0ac3
2015-10-14 06:44:22 -04:00
Areek Zillur daf4a9765c [License] Feature agnostic licensing model
This commit changes the license plugin to work with license that are not tied to any specific feature in a bwc way. It refactors the license plugin api into a lighter weight API, enabling the license plugin to manage license expiration and acknowledgment triggers.

closes elastic/elasticsearch#683, elastic/elasticsearch#686, elastic/elasticsearch#687, elastic/elasticsearch#691

Original commit: elastic/x-pack-elasticsearch@537cd3933a
2015-10-09 00:32:15 -04:00
jaymode 7b0f2628cb updates to handle renamed RenderSearchTemplateAction
Original commit: elastic/x-pack-elasticsearch@03cb49ce52
2015-10-08 09:09:00 -04:00
debadair 144d9e85df Shield Docs: Fixed GS verification step. Closes elastic/elasticsearch#760.
Original commit: elastic/x-pack-elasticsearch@9a2f810131
2015-10-07 13:46:27 -07:00
jaymode 98095a5ca8 add shield 2.0.0-rc1 release notes
Original commit: elastic/x-pack-elasticsearch@22e6a1499f
2015-10-07 07:18:02 -04:00
debadair 8e343d21cc Shield Docs: Added links to the topics for the new features.
Original commit: elastic/x-pack-elasticsearch@1fcdecb940
2015-09-14 13:35:27 -07:00
debadair 019b63e5fb Shield Docs: Adding information about how to run as another user.
Original commit: elastic/x-pack-elasticsearch@7cc8fb28ad
2015-09-14 13:29:00 -07:00
debadair 326e55528c Shield Docs: New topic about using custom realms.
Original commit: elastic/x-pack-elasticsearch@e07d945d97
2015-09-14 13:21:28 -07:00
jaymode 3676d6e370 add 2.0.0-beta2 release notes for Shield
This adds the release notes to the documentation for Shield. Note, two new features do not
have links as the documentation for these are still pending.

Original commit: elastic/x-pack-elasticsearch@e66df5cf14
2015-09-14 11:09:56 -04:00
debadair ef4eb981b1 Added _shield to the verification step. Closes elastic/elasticsearch#312.
Original commit: elastic/x-pack-elasticsearch@e76fb45dfb
2015-09-09 16:36:47 -07:00
debadair cf439f09ce Edited role mapping info to address confusion. Closes elastic/elasticsearch#302.
Original commit: elastic/x-pack-elasticsearch@e8acfd9711
2015-09-09 16:18:17 -07:00
debadair 8d0ce80d0e Clarified note about needing to perform a full cluster restart. Closes elastic/elasticsearch#109.
Original commit: elastic/x-pack-elasticsearch@d4f62cc072
2015-09-09 14:00:08 -07:00
debadair a82925b3bd Updated links to maven repo to use https. Closes elastic/elasticsearch#495.
Original commit: elastic/x-pack-elasticsearch@f95bdea57e
2015-09-09 13:14:24 -07:00
debadair ee6ac98565 Cleaned up realm topics, split off cache management. Closes elastic/elasticsearch#523, elastic/elasticsearch#451.
Original commit: elastic/x-pack-elasticsearch@99534117de
2015-09-09 12:58:07 -07:00
debadair 28f629da29 Updated actions list for 2.0. Closes elastic/elasticsearch#567.
Original commit: elastic/x-pack-elasticsearch@0ef9e834be
2015-09-09 12:52:59 -07:00
jaymode 714460c2f0 remove path.home from TransportClients in code and docs
After changes in core and elastic/elasticsearch#578, we do not need to set path.home in the settings for a
TransportClient anymore. This cleans up the usages of it in our tests and in our documentation.

Closes elastic/elasticsearch#605

Original commit: elastic/x-pack-elasticsearch@d70875fe2b
2015-09-09 15:16:30 -04:00
jaymode 9e3bf47a87 update the transport client and add integration tests
Closes elastic/elasticsearch#477

Original commit: elastic/x-pack-elasticsearch@8926f6ca44
2015-09-09 12:30:41 -04:00
Martijn van Groningen fd4058f921 Use the more verbose format in the default roles.yml and docs.
Closes elastic/elasticsearch#529

Original commit: elastic/x-pack-elasticsearch@9bde530a9c
2015-09-09 15:44:35 +02:00
Martijn van Groningen 547b6346f6 Changed the underlying DLS implementation
Instead of wrapping the IndexSearcher and applying the role query during the rewrite, the role query gets applied in a custom filtered reader that applies the query via the live docs.

The big advantage is that DLS is being applied in all document based APIs instead of just the _search and _percolate APIs.

In order to better deal with the cost of converting the role query to a bitset, the bitsets are cached in the bitset filter cache
and if the role query bitset is sparse the role query and main query will execute in a leapfrog manner to make executing queries faster.
 If the role query bitset isn't sparse, we fallback to livedocs.

Closes elastic/elasticsearch#537

Original commit: elastic/x-pack-elasticsearch@330b96e1f2
2015-09-08 11:04:10 +02:00
jaymode 1dbdf2ea1f add note on extended key usage
Closes elastic/elasticsearch#362

Original commit: elastic/x-pack-elasticsearch@0a2e0ab6d1
2015-09-03 11:53:39 -04:00
jaymode 892d9774f5 update limitations around more like this query
This updates the limitations section to indicate that the MLT query only works with Elasticsearch
1.6.2+ and 1.7.1+.

Closes elastic/elasticsearch#331

Original commit: elastic/x-pack-elasticsearch@70f2bb484e
2015-09-03 11:45:50 -04:00
Martijn van Groningen 99d91b7a9c Added wildcard support to the FLS `fields` option.
Closes elastic/elasticsearch#452

Original commit: elastic/x-pack-elasticsearch@4e82ce0472
2015-09-03 10:37:34 +02:00
debadair 75d8d12c37 Docs: Updated kibana.yml settings to match 4.2 changes. Closes elastic/elasticsearch#524.
Original commit: elastic/x-pack-elasticsearch@e305153fe5
2015-08-31 14:35:59 -07:00
Martijn van Groningen 39b7092185 test: removed the 'plugin.types' usages from the source code
Original commit: elastic/x-pack-elasticsearch@a94cdee31f
2015-08-31 22:45:56 +02:00
Martijn van Groningen 5f01f793d5 Added document and field level security
This commit adds document and field level security to Shield.

Field level security can be enabled by adding the `fields` option to a role in the `role.yml` file.

For example:

```yaml
customer_care:
  indices:
    '*':
      privileges: read
      fields:
        - issue_id
        - description
        - customer_handle
        - customer_email
        - customer_address
        - customer_phone
```

The `fields` list is an inclusive list of fields that controls what fields should be accessible for that role. By default all meta fields (_uid, _type, _source, _ttl etc) are also included, otherwise ES or specific features stop working. The `_all` field if configured, isn't included by default, since that actually contains data from all the other fields. If the `_all` field is required then this needs to be added to the `fields` list in a role. In the case of the content of the `_source` field and `_field_names` there is special filtering in place so that only the content relevant for the role are being returned.

If no `fields` is specified then field level security is disabled for that role and all fields in an index are accessible.

Field level security can be setup per index group.

Field level security is implemented at the Lucene level by wrapping a directory index reader and hides fields away that aren't in the `field` list defined with the role of the current user. It as if the other fields never existed.

* Any `realtime` read operation from the translog is disabled. Instead this operations fall back to the Lucene index, which makes these operations compatible with field level security, but there aren't realtime.
*  If user with role A executes first and the result gets cached and then a user with role B executes the same query results from the query executed with role A would be returned. This is bad and therefore the query cache is disabled.
* For the same reason the request cache is also disabled.
* The update API is blocked. An update request needs to be executed via a role that doesn't have field level security enabled.

Document level security can be enabled by adding the `query` option to a role in the `role.yml` file:
```yaml
customer_care:
  indices:
    '*':
      privileges: read
      query:
        term:
         department_id: 12
```

Document level security is implemented as a filter that filters out documents there don't match with the query. This is like index aliases, but better, because the role query is embedded on the lowest level possible in ES (Engine level) and on all places the acquire an IndexSearcher the role query will always be included. While alias filters are applied at a higher level (after the searcher has been acquired)

Document level security can be setup per index group.

Right now like alias filters the document level security isn't applied on all APIs. Like for example the get api, term vector api, which ignore the alias filter. These apis do acquire an IndexSearcher, but don't use the IndexSearcher itself and directly use the index reader to access the inverted index and there for bypassing the role query. If it is required to these apis need document level security too the the implementation for document level security needs to change.

Closes elastic/elasticsearch#341

Original commit: elastic/x-pack-elasticsearch@fac085dca6
2015-08-27 17:54:50 +02:00
jaymode 693d16777c correct the shield offline download links
Closes elastic/elasticsearch#499

Original commit: elastic/x-pack-elasticsearch@86a8015132
2015-08-25 10:00:58 -04:00