Commit Graph

56 Commits

Author SHA1 Message Date
Areek Zillur 26a07766f0 fix license notification test bug
Original commit: elastic/x-pack-elasticsearch@ec1257d3e1
2016-05-19 18:20:01 -04:00
Areek Zillur a2993810f9 Fix rest test to adapt to license removal behaviour
Now we explicitly install a license in rest test cluster

Original commit: elastic/x-pack-elasticsearch@59cc837d0f
2016-05-19 17:15:04 -04:00
Areek Zillur 703dfda921 Merge branch 'master' into fix/remove-license
Original commit: elastic/x-pack-elasticsearch@1e84c8431d
2016-05-18 16:16:53 -04:00
Areek Zillur 81e14c5617 Fix license log message levels
Now we log license expiry, invalid and grace message as warn and log license valid message as debug

closes elastic/elasticsearch#2230

Original commit: elastic/x-pack-elasticsearch@569c169136
2016-05-15 20:45:10 -04:00
Areek Zillur 01b3fc8768 Differentiate between null license and license tombstone in cluster state
Currently, license notification scheme treats no license (before trial license is auto-generated)
and a license tombstone in the cluster state in the same way. This caused a bug where licencees
were not notified of explicit license removal. Now, the notification scheme explicitly handles
license tombstone to notify the licensees and handles the case for no license in cluster state
as before.

Original commit: elastic/x-pack-elasticsearch@c90ec23398
2016-05-12 15:24:36 -04:00
uboness 06a0a9cbb5 [fix] Removing license did not update the Licensees
- Introduced a `MISSING` operation mode
- now when the license is removed (and a tombstone license is placed), the licensees get notified with a `MISSING` license status
- the monitoring, security and watcher licensees were updated

Original commit: elastic/x-pack-elasticsearch@650d940666
2016-05-12 15:24:36 -04:00
Areek Zillur bd04cc9d1f Extend tribe integ test infra to test on master and client nodes
Original commit: elastic/x-pack-elasticsearch@5826fb4161
2016-05-05 15:28:04 -04:00
Areek Zillur 3f0acdd70e refactor tribe integ tests to test monitoring transport actions
Original commit: elastic/x-pack-elasticsearch@4c8735d4a8
2016-05-05 15:28:04 -04:00
Areek Zillur d9e9f7dfd0 Disable licensing services and management APIs for tribe node
closes elastic/elasticsearch#1426

Original commit: elastic/x-pack-elasticsearch@d8a312b1b5
2016-05-05 15:10:05 -04:00
Alexander Reelsen 74edbe6332 Watcher: Refactoring, move to org.elasticsearch.xpack
This refactors the org.elasticsearch.watcher over to
org.elasticsearch.xpack.watcher

This also adds all watcher actions to the KnownActionsTests,
as watcher actions had not been taken care of until here.

Original commit: elastic/x-pack-elasticsearch@a046dc7c6a
2016-05-02 10:58:34 +02:00
jaymode 773876caee security: ssl by default on the transport layer
This commit adds the necessary changes to make SSL work on the transport layer by default. A large
portion of the SSL configuration/settings was re-worked with this change. Some notable highlights
include support for PEM cert/keys, reloadable SSL configuration, separate HTTP ssl configuration, and
separate LDAP configuration.

The following is a list of specific items addressed:

* `SSLSettings` renamed to `SSLConfiguration`
* `KeyConfig` and `TrustConfig` abstractions created. These hide the details of how `KeyManager[]` and `TrustManager[]` are loaded. These are also responsible for settings validation (ie keystore password is not null)
* Configuration fallback is changed. Previously any setting would fallback to the "global" value (`xpack.security.ssl.*`). Now a keystore path, key path, ca paths, or truststore path must be specified otherwise the configuration for that key/trust will fallback to the global configuration. In other words if you want to change part of a keystore or truststore in a profile you need to supply all the information. This could be considered breaking if a user relied on the old fallback
* JDK trusted certificates (`cacerts`) are trusted by default (breaking change). This can be disabled via a setting.
* We now monitor the SSL files for changes and enable dynamic reloading of the configuration. This will make it easier for users when they are getting set up with certificates so they do not need to restart every time. This can be disabled via a setting
* LDAP realms can now have their own SSL configurations
* HTTP can now have its own SSL configuration
* SSL is enabled by default on the transport layer only. Hostname verification is enabled as well. On startup if no global SSL settings are present and SSL is configured to be used, we auto generate one based on the default CA that is shipped. This process includes a best effort attempt to generate the subject alternative names.
* `xpack.security.ssl.hostname_verification` is deprecated in favor of `xpack.security.ssl.hostname_verification.enabled`
* added Bouncy Castle info to NOTICE
* consolidated NOTICE and LICENSE files

Closes elastic/elasticsearch#14
Closes elastic/elasticsearch#34
Closes elastic/elasticsearch#1483
Closes elastic/elasticsearch#1933
Addresses security portion of elastic/elasticsearch#673

Original commit: elastic/x-pack-elasticsearch@7c359db90b
2016-04-29 12:50:07 -04:00
uboness 5c9d96211f Extended X-Pack Info API with Features Info
- introduced the "Feature Set" notion - graph, security, monitoring, watcher, these are all feature sets
- each feature set can be:
 - `available` - indicates whether this feature set is available under the current license
 - `enabled` - indicates whether this feature set is enabled (note that the feature set can be enabled, yet unavailable under the current license)
- while at it, cleaned up the main modules of watcher, security, monitoring and graph.

Original commit: elastic/x-pack-elasticsearch@5b3e19fe8c
2016-04-20 14:30:48 -07:00
uboness 8aa48ffaff Introduced the X-Pack Info API
- Removed Shield's Info API
- Removed Watcher's Info API

Closes elastic/elasticsearch#2014

Original commit: elastic/x-pack-elasticsearch@6910cb1d6e
2016-04-17 13:38:19 +02:00
jaymode 0cce436641 build: fix x-pack pom and allow installation
* The found-license project is removed since it is no longer needed
* The plugin-api classes have moved into the license-plugin since there is only one plugin
* The license/base project publishes the proper artifactId in the pom file
* The x-pack jar file is added as an artifact so that it can be installed
* The x-pack pom no longer declares the packaging as `zip`
* The x-pack pom uses the right artifactId for license-core
* Removed disabling of installing the x-plugins artifacts
* Cleaned up a use of guava in watcher (found when trying to remove guava as a compile
dependency but is needed by the HTML sanitizer)
* Removed the dependency on the mustache compiler since it is no longer necessary

Closes elastic/elasticsearch#1987

Original commit: elastic/x-pack-elasticsearch@9d3b50b054
2016-04-15 11:31:09 -04:00
Areek Zillur e5c2a44d5d Return 404 status code when no license is installed
closes elastic/elasticsearch#2000

Original commit: elastic/x-pack-elasticsearch@3bd4193cf8
2016-04-14 16:51:39 -04:00
Adrien Grand 5b57727b34 Replace usage of settingsBuilder with just builder.
Original commit: elastic/x-pack-elasticsearch@fe038bbc49
2016-04-08 18:09:02 +02:00
jaymode d08446e221 security: add reserved roles and users
This commit adds reserved or built-in user and role support to x-pack. The reserved roles
cannot be modified by users. The reserved users also cannot be modified with the exception
of changing the password for a user.

In order to change the password for a user, a new API has been added. This API only supports
changing passwords for native and reserved users.

To support allowing a user to change their own password, a default role has been added to grant
access. This default role only grants access to user operations that pertain to the user that is
being authorized. In other words, the default role grants `joe` the ability to change their own password
but does not allow them to change the password of a different user.

Additionally, the authenticate API was made a transport action and is granted by the default role.

Closes elastic/elasticsearch#1727
Closes elastic/elasticsearch#1185
Closes elastic/elasticsearch#1158

Original commit: elastic/x-pack-elasticsearch@1a6689d90f
2016-04-06 18:23:18 -04:00
jaymode f888082ce6 security: remove the use of shield in settings
This commit migrates all of the `shield.` settings to `xpack.security.` and makes changes to
use the new Settings infrastructure in core.

As a cleanup, this commit also renames Shield to Security since this class is only in master
and will not affect 2.x.

See elastic/elasticsearch#1441

Original commit: elastic/x-pack-elasticsearch@a5a9798b1b
2016-04-06 14:00:46 -04:00
Chris Earle aa9f516655 Fix deserializing license response
Original commit: elastic/x-pack-elasticsearch@dae5e6f545
2016-04-04 18:45:15 -04:00
Chris Earle 3126fcb856 Improved tests with better error message
Original commit: elastic/x-pack-elasticsearch@cb79988dc3
2016-04-01 14:20:03 -04:00
Chris Earle 86ed96b83b Adding support for STANDARD license
Original commit: elastic/x-pack-elasticsearch@1671d8ade3
2016-04-01 12:49:05 -04:00
Chris Earle 55b9569f7b Removing isPaid, allFeaturesEnabled, and isActive methods from enums.
Original commit: elastic/x-pack-elasticsearch@8b8c7792c7
2016-04-01 12:49:05 -04:00
Chris Earle 5e81beabf9 Simplifying License Checks
Too many places are checking for enumerations when they're really more interested in a "higher" level of
information. This will help with the forthcoming addition of the STANDARD operation mode as well.

Original commit: elastic/x-pack-elasticsearch@2799c27e19
2016-04-01 12:49:05 -04:00
javanna 9461dde896 Remove DiscoveryNodes#masterNode in favour of existing DiscoveryNodes#getMasterNode
Original commit: elastic/x-pack-elasticsearch@070850c49f
2016-03-30 15:40:23 +02:00
javanna be01a18b35 Rename static DiscoveryNode#masterNode(Settings) to isMasterNode
Original commit: elastic/x-pack-elasticsearch@7b9ec10675
2016-03-30 15:39:39 +02:00
javanna ac1ec748a6 use TransportClient.CLIENT_TYPE constants for comparisons
Original commit: elastic/x-pack-elasticsearch@d2556e8d3d
2016-03-29 18:36:59 +02:00
javanna 25847038ee Merge branch 'master' into enhancement/node_client_setting_removal
Original commit: elastic/x-pack-elasticsearch@b36411e98f
2016-03-21 17:22:47 +01:00
Boaz Leskes d939289825 Change ClusterService package
As a result of ESelastic/elasticsearch#17183

Closes elastic/elasticsearch#1751

Original commit: elastic/x-pack-elasticsearch@1e553855f0
2016-03-21 13:55:48 +01:00
Areek Zillur 8817d2a3c0 rename license API actions
GetLicenseAction: cluster:admin/plugin/license/get --> cluster:monitor/xpack/license/get
PutLicenseAction: cluster:admin/plugin/license/put --> cluster:admin/xpack/license/put
DeleteLicenseAction: cluster:admin/plugin/license/delete --> cluster:admin/xpack/license/delete

closes elastic/elasticsearch#1717

Original commit: elastic/x-pack-elasticsearch@fe3f07cd69
2016-03-16 14:21:14 -04:00
David Pilato 5a1fbe6d62 Update Setting according to changes in master
We changed Setting signatures in master branch of elasticsearch.
We need to adapt x-plugins to the new code.

See https://github.com/elastic/elasticsearch/pull/16629.

Closes elastic/elasticsearch#1684.

Original commit: elastic/x-pack-elasticsearch@c911aaca69
2016-03-13 20:34:15 +01:00
markharwood 925afa3cab Graph - port of 2.x graph API and kibana UI plugin
Closes X-plugins issue 518

Original commit: elastic/x-pack-elasticsearch@6c6371ed74
2016-03-11 14:22:31 +00:00
Yannick Welsch 970efba3a3 Fix wrong placeholder usage in logging statements
Also make logging message String constant to allow static checks

Relates to elastic/elasticsearchelastic/elasticsearch#16707

Original commit: elastic/x-pack-elasticsearch@b5bd423de4
2016-03-10 20:18:07 +01:00
javanna 30a7ff1daa Adapt to node.client setting removal
We would previosly check if a node was a client node, we can now check it by just verifying that it is not a transport client through client_type setting.

Original commit: elastic/x-pack-elasticsearch@bddd44866e
2016-03-04 20:41:13 +01:00
Nik Everett d7170197f6 Handle core's log refactoring
Original commit: elastic/x-pack-elasticsearch@9e2e41db90
2016-02-26 16:06:31 -05:00
Nik Everett 08e0717f6b Make tests follow naming conventions
One test wasn't running because it didn't match!

Original commit: elastic/x-pack-elasticsearch@081c6b09e2
2016-02-25 13:14:01 -05:00
jaymode d9ca4e0ce3 fix shield settings to not rely on iteration order
This removes the use of group setting for `shield.` and introduces some individual settings
and some group settings that should not overlap and cause issues when iteration order
changes.

See elastic/elasticsearch#1520

Original commit: elastic/x-pack-elasticsearch@193e937193
2016-02-21 10:10:52 -08:00
uboness 42c9eead60 Refactoring for 5.0 - phase 4
- renaming `ShieldPlugin` to `Shield` (it's no longer a plugin)
 - renaming `WatcherPlugin` to `Watcher` (it's no longer a plugin)
 - renaming `MarvelPlugin` to `Marvel` (it's no longer a plugin)
 - renaming `LicensePlugin` to `Licensing` (it's no longer a plugin)
 - renamed setting:`watcher.enabled` -> `xpack.watcher.enabled`
 - renamed setting:`marvel.enabled` -> `xpack.marvel.enabled`

Original commit: elastic/x-pack-elasticsearch@35a6540b11
2016-02-10 11:15:35 +01:00
Alexander Reelsen e6784d5c7d Checkstyle: Adhere to checkstyle in all xpack .java files
In elastic/elasticsearch#1442 checkstyle checks were added, but also some files were freed from this.
If we have support for checkstyle, we should check this for all files and not allow
exceptions. This commit removes the file list to ignore any files and fixes all the
java files.

Original commit: elastic/x-pack-elasticsearch@99e6cbc5be
2016-02-05 16:57:41 +01:00
Simon Willnauer 422163445e Converte to strict settings infrastructure elastic/elasticsearchelastic/elasticsearch#16365
Original commit: elastic/x-pack-elasticsearch@c877a21e2d
2016-02-03 11:28:17 +01:00
uboness e039ef412f Shield refactoring for 5.0
- Consolidated `InternalMarvelUser`, `InternalWatcherUser` and `InternalShieldUser` into a single `XPackUser` - this is the single internal user for xpack that has all the permissions internally required by xpack (for marvel, watcher and shield)

 - Renamed `InternalSystemUser` to `SystemUser`

 - Removed the notion of "reserved roles". Now that we have a single internal user we know its role. The authz service now checks to see if the current user is the internal xpack user, and if so, it just uses its role (and not trying to resolve it from the role store). With this model, it's no longer possible for outside users to use the internal role (it's fully internal)

 - Consolidated the notion of an `InternalClient` (in Marvel it was knows as the `SecuredClient`). This is an ES client that xpack is using to manage itself. If shield is enabled, it will execute all request on behalf of the internal xpack user.

 - Removed the verification of the license plugin on plugin installation - no need to do it anymore as the license plugin is part of the distribution.

Original commit: elastic/x-pack-elasticsearch@c851410f93
2016-02-02 18:05:01 +01:00
jaymode c3b6146a72 shield: clean up hack to force switching to the system user for internal action
This commit cleans up the hack we had forcefully switching the request to execute under the system
user when a internal action gets triggered from a system request. The authorization service now tracks
the originating request in the context to allow us to validate if the request should be run as the system
user.

The system user should be used only when a user action causes an internal action, which needs to
be run by the system user.

Closes elastic/elasticsearch#1403

Original commit: elastic/x-pack-elasticsearch@4972df459f
2016-02-01 14:07:15 -05:00
Jason Tedor e13a5e695a Uppercase ells ('L') in long literals
This commit removes all lowercase ells ('l') in long literals because
they are often hard to distinguish from the digit representing one
('1').

Closes elastic/elasticsearch#1414

Original commit: elastic/x-pack-elasticsearch@98b38705fb
2016-01-30 22:18:02 -05:00
jaymode dcf9074c4f fix compile after change to Client settings in core
Original commit: elastic/x-pack-elasticsearch@ab069484a6
2016-01-27 12:33:35 -05:00
jaymode e82c969959 migrate from ContextAndHeaders to ThreadContext
This change migrates all of the xpack code to use the new ThreadContext when
dealing with headers and context data. For the most part this is a simple
cutover, but there are some things that required special casing. The internal
actions that executed by a user's requests need to forcefully drop the context
and set the system user. The workaround for this will be improved in a followup.
Additionally, the RequestContext still lives on due to the OptOutQueryCache,
which requires some core changes to fix this issue.

Original commit: elastic/x-pack-elasticsearch@87d2966d93
2016-01-27 08:02:01 -05:00
Areek Zillur 4586ca2e06 [TEST] ensure later license issue date
Original commit: elastic/x-pack-elasticsearch@fcedb7ae18
2016-01-26 15:49:01 -05:00
markharwood 03944c9a95 Settings - change over to o.e.common.settings.Setting for http.enabled setting
Original commit: elastic/x-pack-elasticsearch@3b551a6fb6
2016-01-22 14:56:38 +00:00
uboness 617c51cc86 fix build (settings cannot be prefixed with `.`)
Original commit: elastic/x-pack-elasticsearch@62178e1e82
2016-01-21 11:50:53 +01:00
Adrien Grand fbe777005b Use currentName instead of text() to parse field names.
Original commit: elastic/x-pack-elasticsearch@f4b75c3f2d
2015-12-28 16:44:16 +01:00
Yannick Welsch 4ddd7af334 Fix issue where license metadata deserialization swallows other custom metadata
Closes elastic/elasticsearch#1190

Original commit: elastic/x-pack-elasticsearch@5c5280fee5
2015-12-22 15:49:25 +01:00
Ryan Ernst c86e8b9c2e Remove wildcard imports
Original commit: elastic/x-pack-elasticsearch@65b2fee336
2015-12-18 14:15:06 -08:00