There is a race condition between the smoke tests that get run because of the teardown conditions of
REST tests. By splitting them, we can avoid the unrealistic scenario/race condition.
Original commit: elastic/x-pack-elasticsearch@f95ae0e595
In order to move things from watcher to x-pack this created a notification module in x-pack.
This also means that the HTTPClient was moved up and settings have changed from
`xpack.watcher.http` to just `xpack.http`.
Further things done:
* Move http under o.e.xpack.common
* Moved secret service to o.e.xpack.common, initializing in XpackPlugin
* Moved text template to o.e.xpack.common.text
* Moved http client initialization into xpack plugin
* Renamed xpack.watcher.encrypt_sensitive_data setting, moved into Watch class
* Moved script service proxy to common
Original commit: elastic/x-pack-elasticsearch@41eb6e6946
This refactors the org.elasticsearch.watcher over to
org.elasticsearch.xpack.watcher
This also adds all watcher actions to the KnownActionsTests,
as watcher actions had not been taken care of until here.
Original commit: elastic/x-pack-elasticsearch@a046dc7c6a
This commit adds the necessary changes to make SSL work on the transport layer by default. A large
portion of the SSL configuration/settings was re-worked with this change. Some notable highlights
include support for PEM cert/keys, reloadable SSL configuration, separate HTTP ssl configuration, and
separate LDAP configuration.
The following is a list of specific items addressed:
* `SSLSettings` renamed to `SSLConfiguration`
* `KeyConfig` and `TrustConfig` abstractions created. These hide the details of how `KeyManager[]` and `TrustManager[]` are loaded. These are also responsible for settings validation (ie keystore password is not null)
* Configuration fallback is changed. Previously any setting would fallback to the "global" value (`xpack.security.ssl.*`). Now a keystore path, key path, ca paths, or truststore path must be specified otherwise the configuration for that key/trust will fallback to the global configuration. In other words if you want to change part of a keystore or truststore in a profile you need to supply all the information. This could be considered breaking if a user relied on the old fallback
* JDK trusted certificates (`cacerts`) are trusted by default (breaking change). This can be disabled via a setting.
* We now monitor the SSL files for changes and enable dynamic reloading of the configuration. This will make it easier for users when they are getting set up with certificates so they do not need to restart every time. This can be disabled via a setting
* LDAP realms can now have their own SSL configurations
* HTTP can now have its own SSL configuration
* SSL is enabled by default on the transport layer only. Hostname verification is enabled as well. On startup if no global SSL settings are present and SSL is configured to be used, we auto generate one based on the default CA that is shipped. This process includes a best effort attempt to generate the subject alternative names.
* `xpack.security.ssl.hostname_verification` is deprecated in favor of `xpack.security.ssl.hostname_verification.enabled`
* added Bouncy Castle info to NOTICE
* consolidated NOTICE and LICENSE files
Closeselastic/elasticsearch#14Closeselastic/elasticsearch#34Closeselastic/elasticsearch#1483Closeselastic/elasticsearch#1933
Addresses security portion of elastic/elasticsearch#673
Original commit: elastic/x-pack-elasticsearch@7c359db90b
This commit removes duplicated code in the authentication service by combining
the authentication logic for rest and transport requests. As part of this we no longer
cache the authentication token since we put the user in the context and serialize the
user.
Additionally we now pass the thread context to the AuthenticationFailureHandler to
restore access to the headers and context.
Original commit: elastic/x-pack-elasticsearch@79e2375a13
This mainly moves packages over to the x-pack directory and renames the settings
from `xpack.watcher.actions.` to `xpack.notification.`
Moved services include pagerduty, hipchat, slack and email.
Closeselastic/elasticsearch#1998
Original commit: elastic/x-pack-elasticsearch@40c16fe123
Our documentation states that we have default attributes for
message.format and message.color, which in fact we do not have
as an NPE was triggered in that case.
This commit falls back to unset defaults and allows for hipchat messages
to be sent without having to configure color/format in the action
or the account.
Closeselastic/elasticsearch#1666
Original commit: elastic/x-pack-elasticsearch@bfb7e35112
This removes the old usage of NetworkAddress.formatAddress in favor of the updated version, which is just
the method renamed to NetworkAddress.format (replacing the old version of that method).
There is no impact to x-plugins beyond making the build work because all places were currently using that
method variant already.
Original commit: elastic/x-pack-elasticsearch@05f0dcfa90
This commit adds support for the change in elasticsearch where the `/` rest
endpoint now delegates to an action and can be authorized.
Original commit: elastic/x-pack-elasticsearch@8ef38ce50f
This commit adds reserved or built-in user and role support to x-pack. The reserved roles
cannot be modified by users. The reserved users also cannot be modified with the exception
of changing the password for a user.
In order to change the password for a user, a new API has been added. This API only supports
changing passwords for native and reserved users.
To support allowing a user to change their own password, a default role has been added to grant
access. This default role only grants access to user operations that pertain to the user that is
being authorized. In other words, the default role grants `joe` the ability to change their own password
but does not allow them to change the password of a different user.
Additionally, the authenticate API was made a transport action and is granted by the default role.
Closeselastic/elasticsearch#1727Closeselastic/elasticsearch#1185Closeselastic/elasticsearch#1158
Original commit: elastic/x-pack-elasticsearch@1a6689d90f
This commit migrates all of the `shield.` settings to `xpack.security.` and makes changes to
use the new Settings infrastructure in core.
As a cleanup, this commit also renames Shield to Security since this class is only in master
and will not affect 2.x.
See elastic/elasticsearch#1441
Original commit: elastic/x-pack-elasticsearch@a5a9798b1b
This commit fixes an issue in synchronization in Exporters class. The export() method is synchronized and when used with LocalExport can provoke a deadlock. LocalExporter exports data locally using bulk requests that can trigger cluster state updates for mapping updates. If a exporters settings update sneaks in, the settings update waits for the export to terminate but the export waits for the settings to be updated... and boom.
This commit removes the synchronized and refactor Exporters/LocalExporter to use state and dedicated instance of LocalBulk for each export so that synchronizing methods is not necessary anymore.
It also lower down some random settings in MonitoringBulkTests because the previous settings almost always fill the bulk thread pool.
closeselastic/elasticsearch#1769
Original commit: elastic/x-pack-elasticsearch@f50c916f8b
This commit is the forward port of renaming the type for esusers to file. There is no
backwards compatibility maintained here. Additionally, a few other renames and
cleanups have been made:
* `esusers` commands is now `users`
* org.elasticsearch.shield.authc.esusers -> org.elasticsearch.shield.authc.file
* Validation.ESUsers -> Validation.Users
* ESUsersTool -> UsersTool
* ESUsersToolTests -> UsersToolTests
* ESNativeUsersStore -> NativeUsersStore
* ESNativeRolesStore -> NativeRolesStore.
* org.elasticsearch.shield.authz.esnative collapsed to org.elasticsearch.shield.authz.store
* ESNativeTests -> NativeRealmIntegTests
Closeselastic/elasticsearch#1793
Original commit: elastic/x-pack-elasticsearch@d2a0c136f3
* Add XPackExtension: an api class (like Plugin in core) for what a x-pack extension can do.
* Add XPackExtensionCli: a cli tool for adding, removing and listing extensions for x-pack.
* Add XPackExtensionService: loading of jars from pluginsdir/x-pack/extensions, into child classloader.
* Add bin/x-pack/extension script, similar to plugin cli, which installs an extension into pluginsdir/x-pack/extensions.
* Add XPack extension integration test.
Fixedelastic/elasticsearch#1515
Original commit: elastic/x-pack-elasticsearch@130ba03270
This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the
support for the privileges that were deprecated in 2.3. This change also includes
updates to the documentation to account for the new roles format.
Original commit: elastic/x-pack-elasticsearch@98e9afd409
This commit remove the pre-existing file parsing code and replaces it with the updated
code in the RoleDescriptor class. This unifies the parsing for the files and API for roles.
Closeselastic/elasticsearch#1596
Original commit: elastic/x-pack-elasticsearch@9e0b58fcf1
As part of the search refactoring effort, we need to pass a Suggester
to the methods that parse X-Content to a SuggestBuilder in every
instance where we are parsing search/suggest requests.
Original commit: elastic/x-pack-elasticsearch@7f815c617a
This commit modifies using system properties to configure an integration
test cluster and instead use settings in the generated Elasticsearch
config file.
Original commit: elastic/x-pack-elasticsearch@65211b93d0
The san string used by certificate generation for ssl tests currently
runs at gradle configuration time. This takes several seconds, and
significantly slows down gradle configuration on every invocation.
This change wraps the code into a lazy evaluator that will be invoked at
runtime, and cache the string once it is generated.
Original commit: elastic/x-pack-elasticsearch@812036f416
jaymode
Tanguy Leroux
Chris Earle
Lee Hinman
Robert Muir
Alexander Reelsen
Martijn van Groningen
uboness
Nik Everett
Adrien Grand
javanna
Jim Ferenczi
Ali Beyad
Jason Tedor
Ryan Ernst