Commit Graph

71 Commits

Author SHA1 Message Date
jaymode c024dbfc49 security: remove use of shield in files and directory names
This commit removes as much of the use of shield as possible in the source code.

See elastic/elasticsearch#2383

Original commit: elastic/x-pack-elasticsearch@00009cc06e
2016-06-20 10:26:10 -04:00
Simon Willnauer 5e300fc1e4 Cleanup ClusterService dependencies and detached from Guice (elastic/elasticsearch#2542)
followup for elastic/elasticsearch#18941

Original commit: elastic/x-pack-elasticsearch@6b8680b5e9
2016-06-17 17:07:22 +02:00
jaymode eeb964c886 security: default role checks authenticating realm
This change makes the default role check the authenticating realm when authorizing
a request for the current user (or run as user) where the user is trying to change their
own password. We need to do this, otherwise we open up the potential of a user in one
realm changing the password of a user in another realm.

As part of this work, the authentication service has been refactored and simplified. A
new object, Authentication, is now returned when authenticating. Currently, this object
contains the user, authenticating realm information, and if it is a run as request the
information of the realm that looked up the user.

Closes elastic/elasticsearch#2089

Original commit: elastic/x-pack-elasticsearch@3fd9c37a16
2016-06-17 10:31:54 -04:00
Ryan Ernst e985159f65 Merge branch 'master' into plugin_name_api
Original commit: elastic/x-pack-elasticsearch@ddc161e695
2016-06-16 14:34:23 -07:00
Simon Willnauer b2c944a480 Cut over settings registration to a pull model elastic/elasticsearch#18890 (elastic/elasticsearch#2538)
Followup for elastic/elasticsearch#18890

Original commit: elastic/x-pack-elasticsearch@a65ee6913f
2016-06-16 15:53:01 +02:00
Ryan Ernst 7cb7f85709 Remove name() and description() from plugin api
This is the xplugins side of elastic/elasticsearch#18906

Original commit: elastic/x-pack-elasticsearch@b47422fe91
2016-06-15 17:11:34 -07:00
markharwood 294fabb817 Graph refactored package name to new xpack convention as per issue 2383
Original commit: elastic/x-pack-elasticsearch@ae798f64e8
2016-06-07 14:04:04 +01:00
Boaz Leskes fc5edc242d add assertBusy to testEmptyGetLicense as trial license is added async
Original commit: elastic/x-pack-elasticsearch@8dea3c54f9
2016-05-31 09:49:17 +02:00
Boaz Leskes 16d7f0c999 Introduce dedicated master nodes in testing infrastructure (elastic/elasticsearch#2314)
This is a companion commit to elastic/elasticsearch#18514, fixing issues introduced by adding dedicated master nodes to the test infra

Original commit: elastic/x-pack-elasticsearch@8c0571f2de
2016-05-27 08:45:54 +02:00
Areek Zillur 7d232e4133 Merge pull request elastic/elasticsearch#2259 from areek/fix/2231
Fix license expiry log message

Original commit: elastic/x-pack-elasticsearch@280ba28095
2016-05-24 13:21:25 -04:00
Areek Zillur c14f40ff73 Merge branch 'master' into fix/x_pack_prefix_license
Original commit: elastic/x-pack-elasticsearch@4f8abd3021
2016-05-24 12:12:37 -04:00
Areek Zillur 352cd80c2c Add _xpack prefix to license endpoints
Original commit: elastic/x-pack-elasticsearch@7af3ea2450
2016-05-24 11:15:25 -04:00
Adrien Grand 6860944f07 Use Java's Base64 instead of elasticsearch's. elastic/elasticsearch#2282
Original commit: elastic/x-pack-elasticsearch@c2e748d732
2016-05-23 11:25:31 +02:00
uboness 084179f457 Added security realm feature usage stats
- if active, `file` realm size
- if active, `native` realm size
- if active, `ldap` realm size, whether SSL is used, load balance type used, user search used
- if active, `active_directory` realm size, whether SSL is used, load balance type used

`size` is a scale estimation based on the local cache. Scales are: `small` (under 10 users), `medium` (under 50 users), `large` (under 250 users) and `x-large` (above 250 users).

Original commit: elastic/x-pack-elasticsearch@c6efb17aa4
2016-05-20 13:11:41 +01:00
Areek Zillur 26a07766f0 fix license notification test bug
Original commit: elastic/x-pack-elasticsearch@ec1257d3e1
2016-05-19 18:20:01 -04:00
Areek Zillur a2993810f9 Fix rest test to adapt to license removal behaviour
Now we explicitly install a license in rest test cluster

Original commit: elastic/x-pack-elasticsearch@59cc837d0f
2016-05-19 17:15:04 -04:00
Areek Zillur 703dfda921 Merge branch 'master' into fix/remove-license
Original commit: elastic/x-pack-elasticsearch@1e84c8431d
2016-05-18 16:16:53 -04:00
Areek Zillur 3ffe341f48 Fix license expiry log message
- change license expiration message from error to warn
- start logging expiry message from 25 days instead of 30

closes elastic/elasticsearch#2231

Original commit: elastic/x-pack-elasticsearch@6c88066c1f
2016-05-15 21:00:11 -04:00
Areek Zillur 81e14c5617 Fix license log message levels
Now we log license expiry, invalid and grace message as warn and log license valid message as debug

closes elastic/elasticsearch#2230

Original commit: elastic/x-pack-elasticsearch@569c169136
2016-05-15 20:45:10 -04:00
Areek Zillur 01b3fc8768 Differentiate between null license and license tombstone in cluster state
Currently, license notification scheme treats no license (before trial license is auto-generated)
and a license tombstone in the cluster state in the same way. This caused a bug where licensees
were not notified of explicit license removal. Now, the notification scheme explicitly handles
license tombstone to notify the licensees and handles the case for no license in cluster state
as before.

Original commit: elastic/x-pack-elasticsearch@c90ec23398
2016-05-12 15:24:36 -04:00
uboness 06a0a9cbb5 [fix] Removing license did not update the Licensees
- Introduced a `MISSING` operation mode
- now when the license is removed (and a tombstone license is placed), the licensees get notified with a `MISSING` license status
- the monitoring, security and watcher licensees were updated

Original commit: elastic/x-pack-elasticsearch@650d940666
2016-05-12 15:24:36 -04:00
Areek Zillur bd04cc9d1f Extend tribe integ test infra to test on master and client nodes
Original commit: elastic/x-pack-elasticsearch@5826fb4161
2016-05-05 15:28:04 -04:00
Areek Zillur 3f0acdd70e refactor tribe integ tests to test monitoring transport actions
Original commit: elastic/x-pack-elasticsearch@4c8735d4a8
2016-05-05 15:28:04 -04:00
Areek Zillur d9e9f7dfd0 Disable licensing services and management APIs for tribe node
closes elastic/elasticsearch#1426

Original commit: elastic/x-pack-elasticsearch@d8a312b1b5
2016-05-05 15:10:05 -04:00
Alexander Reelsen 74edbe6332 Watcher: Refactoring, move to org.elasticsearch.xpack
This refactors the org.elasticsearch.watcher over to
org.elasticsearch.xpack.watcher

This also adds all watcher actions to the KnownActionsTests,
as watcher actions had not been taken care of until here.

Original commit: elastic/x-pack-elasticsearch@a046dc7c6a
2016-05-02 10:58:34 +02:00
jaymode 773876caee security: ssl by default on the transport layer
This commit adds the necessary changes to make SSL work on the transport layer by default. A large
portion of the SSL configuration/settings was re-worked with this change. Some notable highlights
include support for PEM cert/keys, reloadable SSL configuration, separate HTTP ssl configuration, and
separate LDAP configuration.

The following is a list of specific items addressed:

* `SSLSettings` renamed to `SSLConfiguration`
* `KeyConfig` and `TrustConfig` abstractions created. These hide the details of how `KeyManager[]` and `TrustManager[]` are loaded. These are also responsible for settings validation (i.e. keystore password is not null)
* Configuration fallback is changed. Previously any setting would fall back to the "global" value (`xpack.security.ssl.*`). Now a keystore path, key path, ca paths, or truststore path must be specified otherwise the configuration for that key/trust will fall back to the global configuration. In other words if you want to change part of a keystore or truststore in a profile you need to supply all the information. This could be considered breaking if a user relied on the old fallback.
* JDK trusted certificates (`cacerts`) are trusted by default (breaking change). This can be disabled via a setting.
* We now monitor the SSL files for changes and enable dynamic reloading of the configuration. This will make it easier for users when they are getting set up with certificates so they do not need to restart every time. This can be disabled via a setting
* LDAP realms can now have their own SSL configurations
* HTTP can now have its own SSL configuration
* SSL is enabled by default on the transport layer only. Hostname verification is enabled as well. On startup if no global SSL settings are present and SSL is configured to be used, we auto generate one based on the default CA that is shipped. This process includes a best effort attempt to generate the subject alternative names.
* `xpack.security.ssl.hostname_verification` is deprecated in favor of `xpack.security.ssl.hostname_verification.enabled`
* added Bouncy Castle info to NOTICE
* consolidated NOTICE and LICENSE files

Closes elastic/elasticsearch#14
Closes elastic/elasticsearch#34
Closes elastic/elasticsearch#1483
Closes elastic/elasticsearch#1933
Addresses security portion of elastic/elasticsearch#673

Original commit: elastic/x-pack-elasticsearch@7c359db90b
2016-04-29 12:50:07 -04:00
uboness 5c9d96211f Extended X-Pack Info API with Features Info
- introduced the "Feature Set" notion - graph, security, monitoring, watcher, these are all feature sets
- each feature set can be:
 - `available` - indicates whether this feature set is available under the current license
 - `enabled` - indicates whether this feature set is enabled (note that the feature set can be enabled, yet unavailable under the current license)
- while at it, cleaned up the main modules of watcher, security, monitoring and graph.

Original commit: elastic/x-pack-elasticsearch@5b3e19fe8c
2016-04-20 14:30:48 -07:00
uboness 8aa48ffaff Introduced the X-Pack Info API
- Removed Shield's Info API
- Removed Watcher's Info API

Closes elastic/elasticsearch#2014

Original commit: elastic/x-pack-elasticsearch@6910cb1d6e
2016-04-17 13:38:19 +02:00
jaymode 0cce436641 build: fix x-pack pom and allow installation
* The found-license project is removed since it is no longer needed
* The plugin-api classes have moved into the license-plugin since there is only one plugin
* The license/base project publishes the proper artifactId in the pom file
* The x-pack jar file is added as an artifact so that it can be installed
* The x-pack pom no longer declares the packaging as `zip`
* The x-pack pom uses the right artifactId for license-core
* Removed disabling of installing the x-plugins artifacts
* Cleaned up a use of guava in watcher (found when trying to remove guava as a compile
dependency but is needed by the HTML sanitizer)
* Removed the dependency on the mustache compiler since it is no longer necessary

Closes elastic/elasticsearch#1987

Original commit: elastic/x-pack-elasticsearch@9d3b50b054
2016-04-15 11:31:09 -04:00
Areek Zillur e5c2a44d5d Return 404 status code when no license is installed
closes elastic/elasticsearch#2000

Original commit: elastic/x-pack-elasticsearch@3bd4193cf8
2016-04-14 16:51:39 -04:00
Adrien Grand 5b57727b34 Replace usage of settingsBuilder with just builder.
Original commit: elastic/x-pack-elasticsearch@fe038bbc49
2016-04-08 18:09:02 +02:00
jaymode d08446e221 security: add reserved roles and users
This commit adds reserved or built-in user and role support to x-pack. The reserved roles
cannot be modified by users. The reserved users also cannot be modified with the exception
of changing the password for a user.

In order to change the password for a user, a new API has been added. This API only supports
changing passwords for native and reserved users.

To support allowing a user to change their own password, a default role has been added to grant
access. This default role only grants access to user operations that pertain to the user that is
being authorized. In other words, the default role grants `joe` the ability to change their own password
but does not allow them to change the password of a different user.

Additionally, the authenticate API was made a transport action and is granted by the default role.

Closes elastic/elasticsearch#1727
Closes elastic/elasticsearch#1185
Closes elastic/elasticsearch#1158

Original commit: elastic/x-pack-elasticsearch@1a6689d90f
2016-04-06 18:23:18 -04:00
jaymode f888082ce6 security: remove the use of shield in settings
This commit migrates all of the `shield.` settings to `xpack.security.` and makes changes to
use the new Settings infrastructure in core.

As a cleanup, this commit also renames Shield to Security since this class is only in master
and will not affect 2.x.

See elastic/elasticsearch#1441

Original commit: elastic/x-pack-elasticsearch@a5a9798b1b
2016-04-06 14:00:46 -04:00
Chris Earle aa9f516655 Fix deserializing license response
Original commit: elastic/x-pack-elasticsearch@dae5e6f545
2016-04-04 18:45:15 -04:00
Chris Earle 3126fcb856 Improved tests with better error message
Original commit: elastic/x-pack-elasticsearch@cb79988dc3
2016-04-01 14:20:03 -04:00
Chris Earle 86ed96b83b Adding support for STANDARD license
Original commit: elastic/x-pack-elasticsearch@1671d8ade3
2016-04-01 12:49:05 -04:00
Chris Earle 55b9569f7b Removing isPaid, allFeaturesEnabled, and isActive methods from enums.
Original commit: elastic/x-pack-elasticsearch@8b8c7792c7
2016-04-01 12:49:05 -04:00
Chris Earle 5e81beabf9 Simplifying License Checks
Too many places are checking for enumerations when they're really more interested in a "higher" level of
information. This will help with the forthcoming addition of the STANDARD operation mode as well.

Original commit: elastic/x-pack-elasticsearch@2799c27e19
2016-04-01 12:49:05 -04:00
javanna 9461dde896 Remove DiscoveryNodes#masterNode in favour of existing DiscoveryNodes#getMasterNode
Original commit: elastic/x-pack-elasticsearch@070850c49f
2016-03-30 15:40:23 +02:00
javanna be01a18b35 Rename static DiscoveryNode#masterNode(Settings) to isMasterNode
Original commit: elastic/x-pack-elasticsearch@7b9ec10675
2016-03-30 15:39:39 +02:00
javanna ac1ec748a6 use TransportClient.CLIENT_TYPE constants for comparisons
Original commit: elastic/x-pack-elasticsearch@d2556e8d3d
2016-03-29 18:36:59 +02:00
javanna 25847038ee Merge branch 'master' into enhancement/node_client_setting_removal
Original commit: elastic/x-pack-elasticsearch@b36411e98f
2016-03-21 17:22:47 +01:00
Boaz Leskes d939289825 Change ClusterService package
As a result of elastic/elasticsearch#17183

Closes elastic/elasticsearch#1751

Original commit: elastic/x-pack-elasticsearch@1e553855f0
2016-03-21 13:55:48 +01:00
Areek Zillur 8817d2a3c0 rename license API actions
GetLicenseAction: cluster:admin/plugin/license/get --> cluster:monitor/xpack/license/get
PutLicenseAction: cluster:admin/plugin/license/put --> cluster:admin/xpack/license/put
DeleteLicenseAction: cluster:admin/plugin/license/delete --> cluster:admin/xpack/license/delete

closes elastic/elasticsearch#1717

Original commit: elastic/x-pack-elasticsearch@fe3f07cd69
2016-03-16 14:21:14 -04:00
David Pilato 5a1fbe6d62 Update Setting according to changes in master
We changed Setting signatures in master branch of elasticsearch.
We need to adapt x-plugins to the new code.

See https://github.com/elastic/elasticsearch/pull/16629.

Closes elastic/elasticsearch#1684.

Original commit: elastic/x-pack-elasticsearch@c911aaca69
2016-03-13 20:34:15 +01:00
markharwood 925afa3cab Graph - port of 2.x graph API and kibana UI plugin
Closes X-plugins issue 518

Original commit: elastic/x-pack-elasticsearch@6c6371ed74
2016-03-11 14:22:31 +00:00
Yannick Welsch 970efba3a3 Fix wrong placeholder usage in logging statements
Also make logging message String constant to allow static checks

Relates to elastic/elasticsearch#16707

Original commit: elastic/x-pack-elasticsearch@b5bd423de4
2016-03-10 20:18:07 +01:00
javanna 30a7ff1daa Adapt to node.client setting removal
We would previously check if a node was a client node, we can now check it by just verifying that it is not a transport client through client_type setting.

Original commit: elastic/x-pack-elasticsearch@bddd44866e
2016-03-04 20:41:13 +01:00
Nik Everett d7170197f6 Handle core's log refactoring
Original commit: elastic/x-pack-elasticsearch@9e2e41db90
2016-02-26 16:06:31 -05:00
Nik Everett 08e0717f6b Make tests follow naming conventions
One test wasn't running because it didn't match!

Original commit: elastic/x-pack-elasticsearch@081c6b09e2
2016-02-25 13:14:01 -05:00