Commit Graph

1456 Commits

Author SHA1 Message Date
Alexander Reelsen 9b4566b72b Testing: Fix ClusterPrivilegeTests by using jsonBuilder instead of handcrafting JSON
Original commit: elastic/x-pack-elasticsearch@07d79b0f0c
2015-01-26 16:26:31 +01:00
Alexander Reelsen 383e41d6ca Snapshot Status: Allow system privilege to execute
As Elasticsearch 1.4.2 and below do not copy the headers in
TransportSnapshotsStatusAction, we need to allow the system user
to execute this in action, in order to see snapshots being currently
in progress.

This should be removed once we support elasticsearch 1.4.3

Closes elastic/elasticsearch#640

Original commit: elastic/x-pack-elasticsearch@00adf3dacf
2015-01-26 13:50:16 +01:00
Alexander Reelsen edc0bb86dc Functional Test: Test index privileges
This test adds an amount of users with different privileges, and
then goes on to not only test if the user is allowed to execute requests
but also if other requests are rejected as intended.

Closes elasticsearch/elasticsearch-shield-qaelastic/elasticsearch#17

Original commit: elastic/x-pack-elasticsearch@213a219c78
2015-01-26 10:17:34 +01:00
Alexander Reelsen d9023abfd0 Testing: Remove randomization on osx
The randomization of the `network.host` property on OSX only
could lead to connecting to the wrong HTTP port in our functional
tests.

As this randomization is not really needed, we can simply remove it

Closes elastic/elasticsearch#586

Original commit: elastic/x-pack-elasticsearch@fb16bd8644
2015-01-26 09:55:09 +01:00
uboness a6b992b1ea [perf] changed the default realm cache hasher
Changed form `bcrypt5` to `bcrypt4`. Also added more bcrypt hash algorithms to choose from when configuring it (added `bcrypt4`, `bcrypt6`, `bcrypt8` and `bcrypt9`)

Original commit: elastic/x-pack-elasticsearch@64bc26cafe
2015-01-25 21:32:51 +01:00
uboness 4e9c7bbf68 [cleanup] a small fix - add missing final
Original commit: elastic/x-pack-elasticsearch@1d4e708e47
2015-01-25 21:32:51 +01:00
Areek Zillur 17924dee96 [TEST] add more failure logging; increase license expiry
Original commit: elastic/x-pack-elasticsearch@a1e2cc337c
2015-01-25 15:11:00 -05:00
Areek Zillur 72c614373a [TEST] ensure feature registration on same node
Original commit: elastic/x-pack-elasticsearch@434f3dff8e
2015-01-25 14:32:37 -05:00
Alexander Reelsen b61d601227 Tests: Made ShieldFilesTests check for posix support
Original commit: elastic/x-pack-elasticsearch@75bd823c9a
2015-01-25 19:59:47 +01:00
Alexander Reelsen f1bff033cc File permissions: Fixes and improvement
* Fix: `ShieldFiles.openAtomicMoveWriter()` always changed permissions to 600
  now changes back to original perms
* Fix: Required log message change by @skearns
* Improvement: When permissions change, before/after perms are now shown
* Improvement: Added more CheckFileCommand tests

Closes elastic/elasticsearch#634

Original commit: elastic/x-pack-elasticsearch@e44495aaff
2015-01-25 18:57:43 +01:00
uboness 4fb18bb65a [Perf] Introduced additional hashers
Introduced three new hasher implementations:

- `bcrypt5` - a bcrypt hasher configured with a salt generated with 5 iterations
- `bcrypt7` - a bcrypt hasher configured with a salt generated with 7 iterations
- `noop` - a hasher that doesn't hash and works with the original text

Also, due to poor performance and based on the external security audit review feedback, the default realm caching hash is now changed to `bcrypt5` (used to be `sha2`).

Original commit: elastic/x-pack-elasticsearch@53d4f40564
2015-01-24 22:59:33 +01:00
uboness b768ea9551 [Perf] Removed lazy creation of create_index action predicate
Instead of creating an automaton predicate on each request (very expensive) we now have a static create_index matcher (predicate) that is reused.

Original commit: elastic/x-pack-elasticsearch@f70dae13ac
2015-01-24 20:26:00 +01:00
uboness ac6b82ef7c Updated licensing behaviour
- on license expiration, we only block cluster stats/health and indices stats.
- depend on the latest snapshot of the licensing plugin that supports registrations of expiration callbacks
- registering expiration callbacks to periodically log and warn about license expiration (pre and post expiration)

Original commit: elastic/x-pack-elasticsearch@5aee30fac4
2015-01-24 00:25:06 +01:00
Areek Zillur 0325d169e9 [TEST] increase license expiry duration
Original commit: elastic/x-pack-elasticsearch@988389397f
2015-01-23 16:22:22 -05:00
Areek Zillur 5387741df2 [ENHANCEMENT] clear out finished notifications on cluster change
Original commit: elastic/x-pack-elasticsearch@22e31ff0a3
2015-01-23 13:40:53 -05:00
uboness 27fd142e0c Fixed version back to SNAPSHOT
Original commit: elastic/x-pack-elasticsearch@81b4d4cd09
2015-01-23 19:38:35 +01:00
uboness d9fa7bec0f Updated the pom.xml
removed the `artifactory-private` and `deploy-public` profile. We only need to keep the `deploy-internal` profile as the license jar is not required by any client publicly.

Original commit: elastic/x-pack-elasticsearch@7695cfc2b6
2015-01-23 19:03:38 +01:00
Areek Zillur 1d3457427c [TEST] Restructure notification; Increase logging; Add back tests
Original commit: elastic/x-pack-elasticsearch@eed6bdfa11
2015-01-23 12:25:02 -05:00
c-a-m fd36c758b7 test: updated esvm for marvel and license plugins
This updates .esvmrc to get the latest license plugin, marvel, and reflects the latest configuration.
This sets the bind host and publish host to 127.0.0.1 so that hostname verification succeeds.

Original commit: elastic/x-pack-elasticsearch@a51046d130
2015-01-23 10:02:32 -07:00
uboness 8b95d0f71c Updated pom.xml
Changes reflect the restructuring of elasticsearch maven repo

- changed the repository names (for consistency sake)
- elasticsearch repositories now point to `/releases` and `/snapshots`
- added `deploy-internal` and `deploy-public` profiles

Original commit: elastic/x-pack-elasticsearch@92709ce38a
2015-01-23 15:10:18 +01:00
uboness 78f3e28cb8 Cleanup
- descriptive authentication messages
 - cleaned up a bit the `InternalAuthorizationService`

Original commit: elastic/x-pack-elasticsearch@47f485f1bc
2015-01-23 14:46:11 +01:00
Areek Zillur 83651e3314 [TEST] ignore flacky test
Original commit: elastic/x-pack-elasticsearch@61000d13b6
2015-01-23 01:32:06 -05:00
Areek Zillur 246879aebf [TEST] change notification event time
Original commit: elastic/x-pack-elasticsearch@41d038e074
2015-01-23 01:13:55 -05:00
Areek Zillur e45d6364ea [TEST] re-structure notification event test
Original commit: elastic/x-pack-elasticsearch@1270f14571
2015-01-23 00:55:59 -05:00
Areek Zillur c12bc0ac3d [TEST] increase license expiry
Original commit: elastic/x-pack-elasticsearch@ade53101db
2015-01-23 00:38:28 -05:00
Areek Zillur f32d49369c [TEST] increase trial license expiry
Original commit: elastic/x-pack-elasticsearch@dff2b30197
2015-01-23 00:23:58 -05:00
Areek Zillur 57ec891db0 [TEST] : take into account inclusive range in Pre/Post ExpirationCallbacks
Original commit: elastic/x-pack-elasticsearch@346b9f3b4c
2015-01-23 00:01:03 -05:00
uboness 91881f8c04 Updated the pom.xml
Added the new profiles with the new distribution management

Original commit: elastic/x-pack-elasticsearch@879e02211a
2015-01-23 05:41:13 +01:00
Areek Zillur 5be5b1915b Add support for License Expiration event triggers
This enhancement allows consumer plugins to configure event notifications from the licensing plugin relative to its license expiry.

Original commit: elastic/x-pack-elasticsearch@11b53dd78d
2015-01-22 23:17:34 -05:00
uboness dd4a66bd6c Changed search and get privileges
- separated `get` privilege from `search`. This should make it simpler for users to only allow search (and not get) when working with filtered aliases
- added multi search under the `search` privilege
- added the multi get under the `get` privilege

Original commit: elastic/x-pack-elasticsearch@6fafb08a2c
2015-01-22 21:10:54 +01:00
uboness a25d603b93 Adds SUGGEST index privilege
The `suggest` action was also added to the `SEARCH` privilege as one can execute suggestions under the `_search` API as well.

 Closes elastic/elasticsearch#24

Original commit: elastic/x-pack-elasticsearch@672809e199
2015-01-22 19:39:12 +01:00
jaymode 97f229f667 SSL/TLS: Do not require keystore or truststore on for clients
This commit removes the requirement that a client using the SSLService must
have defined a keystore. Now for clients both the keystore and truststore are
optional; if neither are defined the system default trust managers will be used.

Closes elastic/elasticsearch#613

Original commit: elastic/x-pack-elasticsearch@1055a9666a
2015-01-22 13:22:22 -05:00
Alexander Reelsen 2986502984 CLI Tools: Add command to check for same permissions and owners after run
In case the creation of files changed the owner, group or the permissions, this command
will write an error message to the console.

Relates elastic/elasticsearch#517

Original commit: elastic/x-pack-elasticsearch@49aab5f712
2015-01-22 19:13:45 +01:00
jaymode c5028f7384 SSL/TLS: Allow control of SSL per profile
SSL can now be enabled or disabled per profile. This allows to have both
secured and unsecured client connections.

Closes elastic/elasticsearch#612

Original commit: elastic/x-pack-elasticsearch@53a7efa5b1
2015-01-22 07:39:37 -05:00
uboness 2c55d85aa5 [Audit] Changed the log entry prefix configuration
Prepended `emit_` to each of the settings to make it clearer what they're all about.

Original commit: elastic/x-pack-elasticsearch@8e648eee23
2015-01-22 02:57:05 +01:00
uboness 2c687271d4 [Audit] Renamed anonymous_access to anonymous_access_denied
- The `anonymous_access_denied` clearly indicates that the requests were denied.
- In the future, if/when we add anonymous realm, we'll add another event type - `anonymous_access_granted` - plays nice with this change

Original commit: elastic/x-pack-elasticsearch@1fead24a0d
2015-01-22 02:29:11 +01:00
javanna 14699d6610 Indices resolution: empty aliases to be treated same as _all in GetAliasesRequest
While IndicesAliasesRequest doesn't support empty aliases, thus only explicit _all needs to resolved to all existing authorized aliases, GetAliasesRequest does support empty aliases, thus we have to treat them the same as _all.

Closes elastic/elasticsearch#606

Original commit: elastic/x-pack-elasticsearch@3e993ea2bd
2015-01-21 23:45:07 +01:00
c-a-m a01c271460 ldap: changes default AD URL to be clear-text
If no URL is set, it is derived from the URL.  Now it will default to clear-text and port 389

Original commit: elastic/x-pack-elasticsearch@6d1b9d3e42
2015-01-21 14:15:25 -07:00
c-a-m b3630c7ea9 tests: Ldap unit tests for GroupResolvers
This adds unit tests for the three new GroupResolvers.

Original commit: elastic/x-pack-elasticsearch@d303388696
2015-01-21 13:46:53 -07:00
javanna 4a7731099b [TEST] Remove current locale log line from ShieldRestTests
Original commit: elastic/x-pack-elasticsearch@b26badd740
2015-01-21 19:14:52 +01:00
jaymode e8a17d9ccd SSL/TLS: Add options to configure session cache size and timeout
The default settings for the SSL session cache is unbounded with a timeout of
24 hours. This can lead to memory issues when clients do not resume connections.
This adds a default limit of 1000 sessions in the cache in addition to exposing
settings to control these values.

Closes elastic/elasticsearch#602

Original commit: elastic/x-pack-elasticsearch@9cdc7b613c
2015-01-21 12:05:57 -05:00
Luca Cavanna 9fed91b795 Indices resolution: special treatment for get aliases request
GetAliasesRequest is the Java api request class behind the get alias and alias exists api. It allows for replacing its indices, as it implements IndicesRequest.Replaceable, but its authorization is only based on the indices specified on the request, the aliases are ignored.

This commit makes sure that the aliases are taken into account. Also get aliases is now part of the manage_aliases privilege and wildcards expression within aliases are replaced too with matching aliases that the current user is authorized for.

Closes elastic/elasticsearch#558
Closes elastic/elasticsearch#595

Original commit: elastic/x-pack-elasticsearch@b40b4cccc6
2015-01-21 16:14:58 +01:00
uboness 3bf687e726 [Cleanup] Removed redundant Inject annotations
Also removed unused constructors

Original commit: elastic/x-pack-elasticsearch@1d1d2dcbad
2015-01-21 13:44:54 +01:00
javanna fb7c731bd1 Tribe node: add support for tribe node in shield
Disabled license check on the tribe node to make sure that the tribe node can start, otherwise license plugin would try to generate a new trial license which is not possible since the node has no master. License check still happens for tribes though. This will be improved once es core supports merging cluster level custom metadata, then the tribe node will see some license coming from its tribes and won't require any additional license.

Added integration test to verify basic functionality against a tribe node, which also validates the settings needed on the tribes.

Made sure that shield is loaded and enabled on very tribe if loaded and enabled on the tribe node. We want to make sure that nobody manages to use shield on the tribe node only for free (since we disabled liccensing there), with no shield on the tribes. If we forcibly enable and make the shield plugin mandatory on the tribe clients, it means that they will not be able to join their corresponding clusters unless they have shield loaded and enabled too. As a result, shield is supported in the tribe node as long as all the tribes have shield loaded and enabled too.

Relates to elastic/elasticsearch#311
Closes elastic/elasticsearch#584

Original commit: elastic/x-pack-elasticsearch@317add553f
2015-01-21 12:27:30 +01:00
uboness 82fdf377a5 [Cleanup] removed FileRolesStore.Listener in favour of RefreshListener
Original commit: elastic/x-pack-elasticsearch@0c1a020dbb
2015-01-21 12:16:28 +01:00
jaymode ef979e4939 SSL/TLS: Only use TLS protocols by default
Only enables TLSv1, TLSv1.1, and TLSv1.2 protocols for transport, http, and ldaps. The supported
protocols are configurable in case one of these protocols is found to be insecure in the future.

Closes elastic/elasticsearch#594

Original commit: elastic/x-pack-elasticsearch@d4556091ef
2015-01-20 16:45:07 -05:00
c-a-m 1f8189fa12 LDAP: Adds SearchScope.Base tests and group.search settings for AD
Previously, AD group search used the user search dn so this adds configuration to separate the group search from the user search

 This adds tests for the newly introduced SearchScope.Base and includes general test cleanup.

Original commit: elastic/x-pack-elasticsearch@6ed1114b29
2015-01-20 13:53:25 -07:00
uboness da5299e4c5 LDAP refactoring
- Introduced a strategy for group search. This is applied on the `AbstractLdapConnection` level.
- The `LdapConnection` and `ActiveDirectoryConnection` are now clean of logic
- The `AbstractLdapConnection` holds a timeout
- Introduced `SearchScope` for better settings support.
- fixed a bug in `LdapConnectionFactory:74`... `settings.getAsArray` will never return `null`

Original commit: elastic/x-pack-elasticsearch@1f4a43d037
2015-01-20 13:53:25 -07:00
c-a-m 79d4b1e208 LDAP: Add configurable filters to LDAP group search and AD user search
This lets the user configure custom filters for group searches in LDAP, and user searches in AD

changed configuration in this commit:
group_search.group_search_dn -> group_search.base_dn
group_search.subtree_search -> group_search.subtree

added for LDAP:
group_search.filter
group_search.user_attribute

added for AD:
user_search.base_dn
user_search.filter
user_search.subtree

This also changes group_search.subtree to be true by default.
This fixes elastic/elasticsearch#567 and fixes elastic/elasticsearch#553

Original commit: elastic/x-pack-elasticsearch@8a1246aefd
2015-01-20 13:53:25 -07:00
Luca Cavanna f29cc62829 Authorization: split analyze api into cluster level action and original indices action
The analyze api allows to specify an index, to retrieve analyzers or token filters from a specific index. That is why it is categorized as indices level action. That said the index is optional and when not specified the action is executed at the cluster level. We have to remap the name of the action in that case, to make sure that it requires a different privilege under cluster: cluster:admin/analyze instead of indices:admin/analyze .

Closes elastic/elasticsearch#566
Closes elastic/elasticsearch#565
Closes elastic/elasticsearch#592

Original commit: elastic/x-pack-elasticsearch@9073b30d08
2015-01-20 18:33:49 +01:00