Commit Graph

5837 Commits

Author SHA1 Message Date
Chris Earle c356074606 [Test] Rolling Upgrade should preserve templates (elastic/x-pack-elasticsearch#1687)
Real upgrades will have preserved their templates, so rolling upgrade tests should preserve them as well and internal services should be expected to replace them as needed.

Original commit: elastic/x-pack-elasticsearch@93a155951e
2017-06-09 13:41:22 -04:00
jaymode 9b3ee9f96c Remove security trace logging from rolling upgrade tests
Original commit: elastic/x-pack-elasticsearch@b0ecb80816
2017-06-09 10:02:44 -06:00
jaymode 741bf85fbf Remove incorrect bwc branch logic from master
Commit elastic/x-pack-elasticsearch@b07aa78a7b was a forward port of logic needed in 5.x to get
the correct bwc branch. However, other changes on master meant that this forward port was not
needed and actually broke the bwc tests. This change removes the incorrect if statement and project name.

Original commit: elastic/x-pack-elasticsearch@9a77269fa6
2017-06-09 10:02:43 -06:00
Alexander Reelsen 709ed7d50e Watcher: Only try to load triggered watches index, if it exists (elastic/x-pack-elasticsearch#1569)
This is mainly a commit to reduce noise in test logfiles when going
through them. When watcher shuts down and another node takes over, it
might try to start watcher again and tries to load triggered watches.
However the triggered watches index could be gone in the meantime due to
further shutdown. This results in logging a stack trace that the index
does not exist.

This commit checks the cluster state before trying to load triggered
watches to prevent an IndexNotFoundException in the logs.

Original commit: elastic/x-pack-elasticsearch@9f26d557d0
2017-06-09 17:51:23 +02:00
Alexander Reelsen d769ee0813 Watcher: Do not pause watcher if not needed (elastic/x-pack-elasticsearch#1681)
This introduces a check to only pause the execution of watcher
when there is no metadata but there was a shard on this node before
that inside of the ClusterStateListener.

This prevents repeated logging that watcher was paused even
though it was not necessary to call anything.

Original commit: elastic/x-pack-elasticsearch@8d3a829ffb
2017-06-09 17:50:35 +02:00
Alexander Reelsen 7f48337bf6 Watcher: Remove index template configuration via cluster settings (elastic/x-pack-elasticsearch#1680)
Watcher had an undocumented feature to configure the settings of any
index template via updating the cluster settings. Instead of changing
the template one could add a setting during runtime that overwrote
what is written in the index template.

As index templates are created once and not overwritten, users should
just change the index template - or the concrete index settings like
number of replicas.

This feature was not exposed in our documentation at all.

Original commit: elastic/x-pack-elasticsearch@32e1769925
2017-06-09 17:50:01 +02:00
Ryan Ernst c1a3f50e19 Convert script uses to use source/id keys (elastic/x-pack-elasticsearch#1670)
This is the xpack side of
https://github.com/elastic/elasticsearch/pull/25127

Original commit: elastic/x-pack-elasticsearch@e25bd90825
2017-06-09 08:29:36 -07:00
Lisa Cawley 15e4958d4e [DOCS] Update get datafeed statistics API output (elastic/x-pack-elasticsearch#1678)
Original commit: elastic/x-pack-elasticsearch@7e65102ac0
2017-06-09 07:48:51 -07:00
David Roberts 048ff24b79 [TEST] Wait for correct template version in rolling upgrade tests (elastic/x-pack-elasticsearch#1682)
We wait for index templates to be installed before running tests, but
these can get upgraded when the master node is upgraded.  If we don't
wait again in this case then tests can fail due to the cleanup code
being overwhelmed by pending cluster state updates that weren't waited
for before the test.

Original commit: elastic/x-pack-elasticsearch@eff0b24c11
2017-06-09 15:23:15 +01:00
David Kyle 02a241bdf5 [ML] Refresh index after delete (elastic/x-pack-elasticsearch#1675)
Original commit: elastic/x-pack-elasticsearch@fbbcd0343e
2017-06-09 12:27:30 +01:00
David Kyle d64bea14dc [ML] Closing an unknown job should throw resource not found exception (elastic/x-pack-elasticsearch#1673)
Original commit: elastic/x-pack-elasticsearch@c244d2809b
2017-06-09 10:02:51 +01:00
David Kyle d6e92c19da Fix closing/stopping unassigned jobs/datafeeds (elastic/x-pack-elasticsearch#1672)
Original commit: elastic/x-pack-elasticsearch@9f032ac98f
2017-06-09 09:33:36 +01:00
Lisa Cawley e29ab36849 [DOCS] Describe how to identify active ML model snapshot (elastic/x-pack-elasticsearch#1677)
Original commit: elastic/x-pack-elasticsearch@61766d0975
2017-06-08 16:02:41 -07:00
Chris Earle b31c8e2661 [Monitoring] Remove Specific ClusterStateCollector/Resolver and Tests (elastic/x-pack-elasticsearch#1664)
This removes the Cluster State collector and resolver and moves the collection of the cluster state (and cluster health, which is already included in cluster stats).

This makes the tests a little more stable and removes an extra network hop during monitoring data collection.

Original commit: elastic/x-pack-elasticsearch@44851d2dd6
2017-06-08 15:55:23 -04:00
Chris Earle 3f5ae2d54f Always use the lower version in resource tests
Original commit: elastic/x-pack-elasticsearch@47aa744acf
2017-06-08 15:39:52 -04:00
Nik Everett b8d86682ef Rework rolling restart tests (elastic/x-pack-elasticsearch#1590)
Reworks the rolling restart tests so that all configuration
options share code. Now there is a project per configuration:
* `qa:rolling-upgrade:with-ssl-with-system-key`
* `qa:rolling-upgrade:with-ssl-without-system-key`

Original commit: elastic/x-pack-elasticsearch@5672b4a4f2
2017-06-08 12:48:41 -06:00
jaymode dad15b8d6c Fix branch logic for bwc tests in the same major version
When testing against the previous 5.x release, the bwc project incorrectly would checkout the 5.x
branch instead of the 5.5 branch as it still had the logic that applies for major versions bwc. This change adds
a check to compare the major version when making the decision on the branch to use.

Original commit: elastic/x-pack-elasticsearch@b07aa78a7b
2017-06-08 11:40:45 -06:00
David Roberts 64330ff14d Move bracket
(Matches part of a change made to 5.5/5.x that doesn't need fully forward
porting.)

Original commit: elastic/x-pack-elasticsearch@01f0837e6c
2017-06-08 18:01:58 +01:00
David Roberts 7cb1c8bd35 [TEST] Fix security test blacklist for new ML test
Original commit: elastic/x-pack-elasticsearch@b6a054a2a7
2017-06-08 10:12:33 +01:00
David Roberts f097ff906d Ensure only 1 in-flight request to create each watcher index template (elastic/x-pack-elasticsearch#1660)
The aim of this change is to prevent many identical requests to create
watcher index templates being submitted when a cluster first starts up
and many cluster state updates are happening.  Prior to this change, if
watcher's original index template creation requests queued up behind other
cluster state change requests then for each other request watcher would
re-request creation of all its index templates.  After this change it
uses a strategy similar to that used by ML to only have one creation
request per index template in the cluster state change queue at any time.

Relates elastic/x-pack-elasticsearch#1368
Relates elastic/x-pack-elasticsearch#1631
Relates elastic/x-pack-elasticsearch#1650

Original commit: elastic/x-pack-elasticsearch@ad87bf3f78
2017-06-08 10:05:39 +01:00
Tim Vernum 29c11c30f3 Settings filter should rely directly on realm settings (elastic/x-pack-elasticsearch#1669)
The security module had special cases for realm settings that should be filtered,
but since elastic/x-pack-elasticsearch@2c76a13 / elastic/elasticsearch#4311 it's possible to use the existing realm
setting objects to do that.

Original commit: elastic/x-pack-elasticsearch@0651afe987
2017-06-08 18:05:02 +10:00
David Roberts 7aa1114eca [ML] Make get_job_stats robust to missing results indices (elastic/x-pack-elasticsearch#1662)
Although the job stats for jobs with missing results indices are clearly
ruined, it's better to provide zeroes for the missing values and show the
stats for other jobs than to fail the whole request. This means the UI
can continue to function.

relates elastic/x-pack-elasticsearch#1656

Original commit: elastic/x-pack-elasticsearch@a06fa994a5
2017-06-08 08:33:06 +01:00
Jack Conradson d7658bd9a2 Generate Painless Factory for Creating Script Instances. (elastic/x-pack-elasticsearch#1667)
Original commit: elastic/x-pack-elasticsearch@bda1668eec
2017-06-07 16:06:30 -07:00
Chris Earle adc82e7323 make racey test a bit more flexible
Original commit: elastic/x-pack-elasticsearch@6d5c1110bf
2017-06-07 11:03:44 -04:00
David Kyle ba3e258470 [ML] Wait for job deletion if it is in the deleting state (elastic/x-pack-elasticsearch#1651)
* Wait for job deletion if it is in the deleting state

* Tolerate errors if multiple force delete requests

Original commit: elastic/x-pack-elasticsearch@1f0c9fbb86
2017-06-07 15:41:29 +01:00
David Roberts f865755259 [ML] Tolerate InternalAssumptionViolatedException in overridden test (elastic/x-pack-elasticsearch#1657)
In order for elastic/elasticsearch#25100 to work, overridden test()
methods that call ESClientYamlSuiteTestCase.test() must not consume
any InternalAssumptionViolatedException that
ESClientYamlSuiteTestCase.test() throws.

Relates elastic/x-pack-elasticsearch#1650

Original commit: elastic/x-pack-elasticsearch@081ccaa0a6
2017-06-07 14:22:05 +01:00
Alexander Reelsen 887538d6bc Watcher: Fix BWC tests, disable test requiring upgrade API
Original commit: elastic/x-pack-elasticsearch@e8de71cdf7
2017-06-07 11:09:31 +02:00
David Kyle ae299f633e [ML] Validate initial job settings (elastic/x-pack-elasticsearch#1646)
* [ML] Validate initial job settings

* Add same job creation checks to the validate endpoint

Original commit: elastic/x-pack-elasticsearch@ab76cf9ea2
2017-06-07 09:34:58 +01:00
Alexander Reelsen 87edc4bfdd Watcher: Only delete triggered watch if watch was known (elastic/x-pack-elasticsearch#1562)
When a user executes a watch and specifies it as part of the
execute watch API, no triggered watch is created, as the watch
cannot be picked up anymore (it only lives for the duration of
the request).

However until now the TriggeredWatchStore was invoked and tried
to delete this non-existing triggered watch, resulting in some
log cluttering.

This commit removes this try to delete a non-existing triggered
watch.

Original commit: elastic/x-pack-elasticsearch@3db125cea2
2017-06-07 09:19:24 +02:00
Chris Earle 4b2d4a1e3b Simplify ClusterStateTests until resolvers are removed to make less racey
Original commit: elastic/x-pack-elasticsearch@bd44bf6a3b
2017-06-07 00:37:27 -04:00
Chris Earle b7c9fd7c93 Remove monitoring index checks until they exist without timing related issues elastic/x-pack-elasticsearch#1574
Original commit: elastic/x-pack-elasticsearch@97e44e4679
2017-06-07 00:32:10 -04:00
Jason Tedor 4517892951 Remove uses of unnecessary callback interface
This commit removes uses of a callback interface that is unnecessary in
core as we can use java.util.function.Consumer instead.

Relates elastic/x-pack-elasticsearch#1654

Original commit: elastic/x-pack-elasticsearch@21f470e974
2017-06-06 20:50:16 -04:00
Chris Earle a357c97aaf Wait explicitly for .monitoring-es-* instead of the more generic wait
Original commit: elastic/x-pack-elasticsearch@4e1e4e379a
2017-06-06 18:24:17 -04:00
Chris Earle 3436ba6ecb With .monitoring-data-N index gone, we no longer want to wait for it
Original commit: elastic/x-pack-elasticsearch@312f1341ae
2017-06-06 18:22:00 -04:00
Lisa Cawley 63138f02c5 [DOCS] Move ML APIs up a level in TOC (elastic/x-pack-elasticsearch#1644)
Original commit: elastic/x-pack-elasticsearch@6048721806
2017-06-06 13:42:47 -07:00
Igor Motov 55a8bc87e4 Add missed action to KnownActionsTests (elastic/x-pack-elasticsearch#1633)
Patching KnownActionsTests for now until we can decide what we want to do with it in the long term in elastic/x-pack-elasticsearch#1489

Original commit: elastic/x-pack-elasticsearch@9f9288c0e2
2017-06-06 16:42:00 -04:00
jaymode 48c34ec8ac Update version for signing scrolls after backport
This commit updates the version in security that we use to check a version that needs a signed
scroll id. After backporting we can talk to 5.5 without signing.

Relates elastic/x-pack-elasticsearch#1416

Original commit: elastic/x-pack-elasticsearch@8653fce1e5
2017-06-06 13:55:36 -06:00
Chris Earle e5ee80c292 [Monitoring] Upgrade Indices to remove usage of _type (elastic/x-pack-elasticsearch#1616)
This is just the culmination of all of the minor PRs associated with 1068. It will:

- Drop the `.monitoring-data-N` index
- Drop use of `_type` in all cases (replaced by `doc` and a new `type` field)
- Drop the API version from the template name (e.g., instead of `.monitoring-es-6` we now use `.monitoring-es`).
- Change API version to `-6-` from `-2-`.
- Both exporters handle versioned resources (templates, pipelines, and watches)
- HTTP exporters will optionally (true by default) publish placeholders for the old, `-2` templates.

When this is backported, it will need to:

- Change `index_patterns` to `template` within the templates.
- Downgrade the version requirements for the templates, pipeline, and watches _and_ the HTTP exporter itself (all require 6.0)

This is a companion to the feature branch in X-Pack Kibana elastic/x-pack-kibana/pull/1318 and they need to be merged at the same time.

Original commit: elastic/x-pack-elasticsearch@6031cfffa4
2017-06-06 14:29:52 -04:00
Jay Modi 2d893df7e9 Add better authorization for scroll requests and remove signing (elastic/x-pack-elasticsearch#1416)
This commit adds better security for scroll requests in that they are now tied to a single user as
we only authorize the request that creates the scroll. This is accomplished by adding a
SearchOperationListener that listens for new scroll contexts and stores the authentication on the
ScrollContext. Then upon
retrieval of the search context for a query or fetch, the current authentication is compared to the
authentication that was present when the scroll context was created. If the current authentication
belongs to a different user, then a SearchContextMissingException will be thrown to prevent leaking
a valid vs invalid scroll id.

Additionally, signing of a scroll id is only performed when there is an older node in the cluster
that would expect the scroll id to be signed. Once this is backported to 5.x, we can remove this
bwc layer for 6.0/master.

Original commit: elastic/x-pack-elasticsearch@0e5dcafd32
2017-06-06 10:23:18 -06:00
Martijn van Groningen 15022670e2 security: Add FLS & DLS tests for join field
Original commit: elastic/x-pack-elasticsearch@3a35743ccc
2017-06-06 16:44:19 +02:00
Dimitris Athanasiou 3f6e640f90 [ML] Add force delete datafeed action (elastic/x-pack-elasticsearch#1623)
When a user or client intends to delete a datafeed
and its job, there is benefit in ensuring the
datafeed has gracefully stopped (i.e. no data loss).
In contrast, the desired behaviour is to stop and
delete the datafeed as quickly as possible.

This change adds a force option to the delete
datafeed action. When the delete is forced,
the datafeed is isolated, its task removed and,
finally, the datafeed itself is removed from the
metadata.

relates elastic/x-pack-elasticsearch#1533

Original commit: elastic/x-pack-elasticsearch@5ae0168bf2
2017-06-06 13:39:36 +01:00
David Roberts c2575288d8 [ML] Account for the possibility of no ML metadata existing (elastic/x-pack-elasticsearch#1648)
We try to install empty ML metadata as soon as possible after startup
if none exists.  However, this still leaves a short gap when the cluster
is active with no ML metadata.  To avoid problems, functions that use
the ML metadata should treat this situation as equivalent to having
empty ML metadata.

relates elastic/x-pack-elasticsearch#1643

Original commit: elastic/x-pack-elasticsearch@8f0e00cda8
2017-06-06 13:27:23 +01:00
David Roberts 0d2b127fd7 [TEST] Wait for stable cluster to avoid spurious test failures
Original commit: elastic/x-pack-elasticsearch@4c0d9a0fac
2017-06-06 10:23:54 +01:00
Luca Cavanna f09ccbc6cb Adapt indices resolution to new ignoreAliases index option (elastic/x-pack-elasticsearch#1622)
ignoreAliases allows resolving index expressions against concrete indices only, rather than against indices and aliases. It is used for now only in IndicesAliasesRequest and the indices resolution code in the security plugin needs to be adapted accordingly.

Original commit: elastic/x-pack-elasticsearch@ae964eade9
2017-06-06 11:02:07 +02:00
David Roberts 41ef0b827f [ML] Add a write alias for persisting job results (elastic/x-pack-elasticsearch#1636)
This commit switches over to two index aliases per job: one for reading
and one for writing.  In the future this will allow the addition of a
rollover endpoint for ML results indices.  (Rollover is still not possible
following this change, but the change to make it possible in the future
should not be a breaking change now.)

Relates elastic/x-pack-elasticsearch#1599
relates elastic/x-pack-elasticsearch#827

Original commit: elastic/x-pack-elasticsearch@d648f4631f
2017-06-06 09:44:11 +01:00
David Kyle ce0315abc4 [ML] Add force delete job option (elastic/x-pack-elasticsearch#1612)
* Add force delete job option

* Can’t kill a process on a 5.4 node

* Address review comments

* Rename KillAutodetectAction -> KillProcessAction

* Review comments

* Cancelling task is superfluous after it has been killed

* Update docs

* Revert "Cancelling task is superfluous after it has been killed"

This reverts commit 576950e2e1ee095b38174d8b71de353c082ae953.

* Remove unnecessary TODOs and logic that doesn't always force close

Original commit: elastic/x-pack-elasticsearch@f8c8b38217
2017-06-06 09:41:33 +01:00
Tim Vernum a12b384906 [TEST] Force LDAP connection to close at end of test (elastic/x-pack-elasticsearch#1620)
This test would sometimes leak threads.
The "Timer thread for LDAPConnection" is created by the unboundid SDK - closing the connection should force the thread to terminate

Original commit: elastic/x-pack-elasticsearch@bd58a17a59
2017-06-06 17:47:28 +10:00
Alexander Reelsen 376c9be6fa Watcher: Ensure reloading happens based on watch index instead of alias (elastic/x-pack-elasticsearch#1544)
The cluster state listener to decide if watcher should be reloaded was
assuming that no aliases could be used and thus wrongly could trigger
a reload, which could have led to wrong test results.

During debugging I also added a reason for reloading and fixed another
wrong test assumption.

Also the listener does not rely on previous cluster state, but stores this
in an instance variable, as we need to compare with local state and not the
previous cluster state.

Original commit: elastic/x-pack-elasticsearch@582783a66d
2017-06-06 09:39:11 +02:00
Tim Vernum fe37109c3f [DOCS] [Security] Documentation for Role Mapping API (elastic/x-pack-elasticsearch#1474)
Includes:
- Extensive changes to "mapping roles" section
- New section for role mapping API
- Updates to LDAP/AD/PKI realms to refer to API based role mapping 
- Updates to LDAP/AD realms: `unmapped_groups_as_roles` only looks at file-based mappings 
- Updates to LDAP/AD realms: new setting for "metadata"

Original commit: elastic/x-pack-elasticsearch@6349f665f5
2017-06-06 14:12:31 +10:00
Tim Vernum 6e7102845b [TESTS] run-as in SecurityServerTransportInterceptorTests (elastic/x-pack-elasticsearch#1475)
Changed existing tests to randomly include a separate "authenticating-user" to verify that the behaviours are correct when run-as is used.
Also includes random roles for completeness.

Related to: elastic/x-pack-elasticsearch@637a865 elastic/x-pack-elasticsearch#1391

Original commit: elastic/x-pack-elasticsearch@e4006bc80a
2017-06-06 14:08:14 +10:00