Added `shield.user` setting so that the clients won't need to go through the unnatural and tedious process of configuring the `Authorization` header directly (that also requires the user to applicat the base64(username:password) logic.
Now, the user can just set the following settings to bind a user to the client:
```yaml
shield.user: 'username:password'
```
Original commit: elastic/x-pack-elasticsearch@94be3abd92
Enforcing means that cluster actions will not be evaluated (as a fallback) by Index permissions. This enables us to move what typically would be considered indices actions and put them under the cluster privileges (a good example for this are all the template management APIs... we want to enforce cluster admin privileges over them).
Original commit: elastic/x-pack-elasticsearch@ee870954f2
Also added a logstash configuration for simple performance
testing (useful for comparing different hash functions)
Original commit: elastic/x-pack-elasticsearch@c9f08fbb12
Now the passwords are hashed in-memory using SHA2 by default (instead of original bcrypt). Also, it's now possible to configure the in-memory hashing algorithm.
Original commit: elastic/x-pack-elasticsearch@e2d1b3116b
Now, there are two types of supported patters:
- wildcards (default) - simple wildcard match where `*` indicates zero or more characters and `?` indicates a single character (`\` can be used as an escape charachter)
- regular expressions - can be "enabled" by wrapping the pattern in `/` (e.g. `/foo.*/`). The regex syntax is based on lucene's regex syntax (not Java's Pattern).
Closeselastic/elasticsearch#253
Original commit: elastic/x-pack-elasticsearch@edd912122d
This lets the url be configured as a single element (the most likely usage) or as an array. This also checks that multiple urls are either all "ldaps", or all "ldap", as it is not possible to mix them.
Original commit: elastic/x-pack-elasticsearch@b5a94b1d35
The evalutation of the indices permission groups was wrong. Now, each index in the request is evaluated against all groups, such that:
1. for each index, at least one group must grant the request
2. all indices must be granted
Along the way, also changed the audit logs structures such that:
- moved the principal to "sit" next to the host
- now, if we're logging an indices request, we also log the related indices (this provides more context to the actual request)
Fixeselastic/elasticsearch#242
Original commit: elastic/x-pack-elasticsearch@95600d3148
- `BCRYPT`, `MD5`, `SHA1`, `SHA2`,
- Also removed the support for bcrypt minor version y (i.e. $2y$) as it's not supported by our BCrypt implementation
Original commit: elastic/x-pack-elasticsearch@12cf024a59
Changed URL default to ldaps and port 636. No mode now defaults to ldap.
Added miscelleneous documentation for active directory. Incorrect mode now
throws an exception
Original commit: elastic/x-pack-elasticsearch@0239380668
Having roles as the keys is more aligned with the LDAP role_mapping file and with linux's group file (where the groups serve as the keys)
Also added support for comment lines (starting with `#`) in `.users` and `.users_roles` files
Original commit: elastic/x-pack-elasticsearch@60faf7330f
This will force users to create a user via the esusers
This also adds log warning when no users are found.
Original commit: elastic/x-pack-elasticsearch@3c31f8d3b0
In order to prevent too many automata constructions (which can be expensive) all the time, the automatas are now cached per action/privilege (since there are limited number of those, we don't expect a cache explosion).
Closeselastic/elasticsearch#125
Original commit: elastic/x-pack-elasticsearch@27a4e1fdbe