This commit adds checks to the TribeWithSecurityIT tests to ensure that the security index is
writeable before making modification operations. Otherwise, we hit errors in tests that are not
always reproducible.
relates elastic/x-pack-elasticsearch#2977
Original commit: elastic/x-pack-elasticsearch@c29bdff7ae
In elastic/x-pack-elasticsearch#2901, the dependency on the tribe module was removed but a few leftover references were missed
in the build.gradle file of the x-pack-elasticsearch plugin. This commit removes these leftover
references.
Original commit: elastic/x-pack-elasticsearch@03f1cae1f5
and add warning for Windows users not using
PowerShell (e.g. `cmd.exe`) to remove the `\` character and join
lines.
Also fix trailing whitespace character in link back to `docker.asciidoc`.
Relates elastic/x-pack-elasticsearch#2999
Original commit: elastic/x-pack-elasticsearch@fe1c5dbc11
In order to prepare for separate source directories, this commit moves
a few packages back into the watcher namespaces. A few of them have been
moved out previously as we thought that it might make sense to have a
dedicated notification API. This wont be the case for watcher on ES
anymore, so we can safely move those back into the watcher space.
Packages affected by this move:
* org.elasticsearch.xpack.common.http
* org.elasticsearch.xpack.common.text
* org.elasticsearch.xpack.common.secret
* org.elasticsearch.xpack.common.stats
* org.elasticsearch.xpack.support
* org.elasticsearch.xpack.notification
Tests have been moved accordingly.
The class `XContentUtils` has been split into one implementation for
watcher and one for security as different methods were used.
Relates elastic/x-pack-elasticsearch#2925
Original commit: elastic/x-pack-elasticsearch@0aec64a7e2
Our tests currently rely on waiting for the security index to be available in some cases and in
CI, these checks have been timing out. This commit increases the amount of time that we will wait
for the index before failing to account for slow machines.
Original commit: elastic/x-pack-elasticsearch@639dccd5cb
This checks if `apm-*` indices exist in the cluster to try to determine if APM is in use on the Elasticsearch cluster.
Original commit: elastic/x-pack-elasticsearch@7f9a9a4eee
* [DOCS] Add docker TLS configuration info
* [DOCS] Updated layout of TLS docker page
* [DOCS] Clean up docker TLS pages
* [DOCS] Changed nesting of TLS docker info
* [DOCS] More small updates to TLS docker page
Original commit: elastic/x-pack-elasticsearch@2b0504632a
On Windows, log4cxx always writes to stderr in UTF-16, and we get the
logs from C++ to Java by redirecting stderr to our named pipe. Hence
the log handler in Java needs to tolerate the log stream it's reading
being either UTF-16 (for Windows) or UTF-8 (for other platforms).
Fixeselastic/machine-learning-cpp#385
Original commit: elastic/x-pack-elasticsearch@89237d7125
This kind of sucks, because we shouldn't have to wait that long for tests to run.
But they're failing CI with some regularity, and we rely on these integration tests.
Original commit: elastic/x-pack-elasticsearch@3f4acb2a32
This is a forward-port of elastic/x-pack-elasticsearch/pull/2921.
original commit message:
Before this commit, a cluster with security enabled and backed by
native-realm user permissions allowed rolled upgrades to clusters without
upgrading the `.security` index. This resulted in the newly established
6.0 cluster not able to register the native-realm users previously established
in the `.security` index. In order to fix this, one would have to rely on file-based
users to re-configure and upgrade the `.security` index. Since this state is easily
avoidable with an upgrade, this commit rejects the joining of upgraded nodes without
upgrading the security index beforehand.
modifications:
Test with 7.x vs 6.x nodes.
Original commit: elastic/x-pack-elasticsearch@56f81bfb20
This commit updates the logic for determining which branch to use to make it consistent with the
logic in elasticsearch. This change means that testing BWC within the same major picks the correct
branch.
Original commit: elastic/x-pack-elasticsearch@2d75d15c41
This adds a rolling upgrade test for X-Pack monitoring. It works by using the `_xpack/monitoring/_bulk` endpoint to send arbitrary data, then verify that it exists.
This forces a few things to happen, thereby testing the behavior:
1. The templates must exist.
2. The elected master node must be "ready" to work (hence the first
point).
3. The same "system_api_version" is accepted by every version of ES.
Original commit: elastic/x-pack-elasticsearch@012e5738bb
The action condition feature was carefully hidden in an example.
This commit creates an own paragraph to highlight this feature better.
Original commit: elastic/x-pack-elasticsearch@006318787b
Improving logging for unexpected autodetect termination (crash, oom). Output to the log pipe not conforming to the json log output format are treated as fatal error and logged, so that the crash as well as a proper error message if available gets logged.
Original commit: elastic/x-pack-elasticsearch@ae5d792d3f
This change should have been made in elastic/x-pack-elasticsearch#2913. Now we hold the process
context lock throughout the job close procedure, the timeout for trying
to lock it should be the timeout used for job open/close rather than the
timeout for connecting named pipes.
Original commit: elastic/x-pack-elasticsearch@79672b0825
This change removes the xpack plugin's dependency on the tribe module, which is not a published
artifact. For the most part this just involves moving some test classes around, but for the
security and tribe integration the usage of constant settings was removed and replaced with the
string names. This is a bit unfortunate, but a test was added in a QA project that depends on tribe
that will alert us if a new setting is added that we need to be aware of.
relates elastic/x-pack-elasticsearch#2656
Original commit: elastic/x-pack-elasticsearch@649a8033e4
Halt OpenLDAP fixture after :x-pack-elasticsearch:qa:openldap-tests:test
Currently the OpenLDAP vagrant fixture is not halted.
Reruning the test will fail because the new fixture instance will try to bind to
the same host ports. Project :x-pack-elasticsearch:qa:openldap-tests:test is
the only one using the OpenLDAP fixture from
:x-pack-elasticsearch:test:openldap-fixture.
relates elastic/x-pack-elasticsearch#2619
Original commit: elastic/x-pack-elasticsearch@bea2f81b76
This change fixes the check for the version of the security template after the template updater was
changed to only run on the master node in elastic/elasticsearch#27294. Additionally, the wait time
for the cluster to have a yellow status has been increased to account for delayed shards and slower
machines.
Original commit: elastic/x-pack-elasticsearch@a2e72bed12
I imagine this needless indirection arose from accepting the wrong
IntelliJ suggestion for an import.
Original commit: elastic/x-pack-elasticsearch@54d7e854d3
The 5.6 Upgrade API will reindex .security to .security-6 and create a .security alias.
But the 6.0 default was to create a .security-v6 index and a .security alias if none existed (e.g. fresh x-pack install)
Having two different index names based on the method of install/upgrade complicates the code and testing, so we're unifying on the .security-6 index name that already exists in the wild.
Original commit: elastic/x-pack-elasticsearch@d78f569c5f
When simultaneous close requests were made for the same job it was possible
that one of the requests would inappropriately log error messages about the
job having failed. This change prevents that problem, whilst continuing to
adhere to the requirement that close requests for already closing jobs do not
return until the close request that is doing the work completes.
relates elastic/x-pack-elasticsearch#2912
Original commit: elastic/x-pack-elasticsearch@513b7fa1d6
The default internal XPack user no longer has access to the security index, but it should have read-only access to the audit log so that watches can be triggered based on audit events (but cannot write audit records)
Original commit: elastic/x-pack-elasticsearch@5c37720dad
This commit changes the handling of exceptions when retrieving roles from the native roles store.
Previously, exceptions would have caused the request to terminate and the exception would be
sent back to the user. This makes for a bad experience when a cluster hasn't been upgraded to the
latest index format and anonymous access is enabled with a native role as all requests without
preemptive basic authentication would result in an exception. The change here is to allow the
request to continue processing. Once the security index is up to date, the roles cache is cleared
so that the native roles can be picked up.
relates elastic/x-pack-elasticsearch#2686
Original commit: elastic/x-pack-elasticsearch@ef5149140f
Certgen was generating "other name" SANs without the explicit [0] tag that is required.
This was masked by the fact that the JRE X.509 classes always wrap the "other name" name-value in a [0] tag (even if it already has one)
Also switched to a UTF8 String from an IA5 string to match the configuration being used for testing in openssl.
Original commit: elastic/x-pack-elasticsearch@1b87964ec7
This is the X-Pack side of elastic/elasticsearch#27235. To force people
who construct an Environment object in production code to think about the
correct setting of configPath there is no longer a single argument
constructor in the Environment class. Instead there is a factory method
in the test framework to replace it. Having this in the test framework
ensures that there is no way to use it in production code.
Original commit: elastic/x-pack-elasticsearch@4860e92d90
We should not be constructing a temporary Environment object in production
code. This currently isn't causing any problems, but it might in the future
if elastic/elasticsearch#27144 or something similar is ever merged. Instead
the master Environment of the node should always be used.
Original commit: elastic/x-pack-elasticsearch@6276a54a45
This adds the data necessary to add a warning to the alerts UI representing each cluster when xpack.security.transport.tls.enabled is not set to true for a trial licensed cluster running with
xpack.security.enabled.
Original commit: elastic/x-pack-elasticsearch@28fe8bad76