Also added a logstash configuration for simple performance
testing (useful for comparing different hash functions)
Original commit: elastic/x-pack-elasticsearch@c9f08fbb12
Now the passwords are hashed in-memory using SHA2 by default (instead of original bcrypt). Also, it's now possible to configure the in-memory hashing algorithm.
Original commit: elastic/x-pack-elasticsearch@e2d1b3116b
Now, there are two types of supported patterns:
- wildcards (default) - simple wildcard match where `*` indicates zero or more characters and `?` indicates a single character (`\` can be used as an escape character)
- regular expressions - can be "enabled" by wrapping the pattern in `/` (e.g. `/foo.*/`). The regex syntax is based on Lucene's regex syntax (not Java's Pattern).
Closes elastic/elasticsearch#253
Original commit: elastic/x-pack-elasticsearch@edd912122d
This lets the url be configured as a single element (the most likely usage) or as an array. This also checks that multiple urls are either all "ldaps", or all "ldap", as it is not possible to mix them.
Original commit: elastic/x-pack-elasticsearch@b5a94b1d35
The evaluation of the indices permission groups was wrong. Now, each index in the request is evaluated against all groups, such that:
1. for each index, at least one group must grant the request
2. all indices must be granted
Along the way, also changed the audit logs structures such that:
- moved the principal to "sit" next to the host
- now, if we're logging an indices request, we also log the related indices (this provides more context to the actual request)
Fixes elastic/elasticsearch#242
Original commit: elastic/x-pack-elasticsearch@95600d3148
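An added example (not code from the x-pack repository) of the evaluation rule in the commit message above, combined with the wildcard semantics (`*`, `?`, `\`) from the earlier pattern commit. The group layout (a set of actions plus a list of index patterns), the action labels, the empty-request denial and all function names are assumptions made for illustration; the `/regex/` form is rejected rather than translated because it uses Lucene syntax.

```python
import re

def wildcard_to_regex(pattern):
    # `*` = zero or more characters, `?` = exactly one, `\` escapes the next character.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped character is literal
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def index_matches(pattern, index):
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        # Lucene regex syntax differs from Python's; refuse instead of guessing.
        raise ValueError("regex patterns are not handled in this example")
    return wildcard_to_regex(pattern).fullmatch(index) is not None

def group_grants(group, action, index):
    # Assumed group layout: {"actions": set of names, "indices": list of patterns}.
    return action in group["actions"] and any(
        index_matches(p, index) for p in group["indices"])

def is_authorized(groups, action, indices):
    if not indices:
        return False  # assumption: a request naming no index is denied
    # Rule 1: each index needs at least one granting group.
    # Rule 2: every index in the request must be granted.
    return all(any(group_grants(g, action, idx) for g in groups)
               for idx in indices)

# Constructed sample groups; action labels are placeholders, not real action names.
GROUPS = [
    {"actions": {"read"}, "indices": ["logs-*"]},
    {"actions": {"read", "write"}, "indices": ["metrics-201?", r"raw\*data"]},
]
```

A request is granted even when different groups cover different indices, but a single uncovered index denies the whole request.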
- `BCRYPT`, `MD5`, `SHA1`, `SHA2`,
- Also removed the support for bcrypt minor version y (i.e. $2y$) as it's not supported by our BCrypt implementation
Original commit: elastic/x-pack-elasticsearch@12cf024a59
Changed URL default to ldaps and port 636. No mode now defaults to ldap.
Added miscellaneous documentation for active directory. Incorrect mode now
throws an exception
Original commit: elastic/x-pack-elasticsearch@0239380668
Having roles as the keys is more aligned with the LDAP role_mapping file and with Linux's group file (where the groups serve as the keys)
Also added support for comment lines (starting with `#`) in `.users` and `.users_roles` files
Original commit: elastic/x-pack-elasticsearch@60faf7330f
This will force users to create a user via the esusers
This also adds a log warning when no users are found.
Original commit: elastic/x-pack-elasticsearch@3c31f8d3b0
In order to prevent too many automata constructions (which can be expensive) all the time, the automata are now cached per action/privilege (since there are a limited number of those, we don't expect a cache explosion).
Closes elastic/elasticsearch#125
Original commit: elastic/x-pack-elasticsearch@27a4e1fdbe
Shield needs to know about all the actions that are registered in core. We now check not only the external actions, meaning the classes that implement the Action interface, exposed via java api, but also all the transport handlers registered through the transport, which will contain all shard/node level actions plus the internal actions that are not exposed via java api.
We maintain two files, one for external actions, and one for the internal ones, and we check whether actions have been added or removed to/from core, to make sure we know about those changes.
Original commit: elastic/x-pack-elasticsearch@d6b68c44ee
Modified pom.xml to do static analysis without Jenkins
'mvn -DskipTests=true -Pstatic clean compile site' to start analysis
The reports are at target/site/project-reports.html.
Original commit: elastic/x-pack-elasticsearch@ddec28e8d0
Two reasons for this:
1) automatically convert the _all to its matching indices, in the context of the current user is authorized for, instead of resolving wildcards and then throwing authorization exception because the wildcard exp matches indices that the user is not authorized for
2) this makes the wildcards resolution secure, meaning that there is a single place that resolves wildcards. If it happened in shield while authorizing and in core while actually executing the operation, there would be mismatches which would allow to execute operation on indices that the user is not authorized for, if they get created with the "right" timing.
Closes elastic/elasticsearch#54
Closes elastic/elasticsearch#105
Original commit: elastic/x-pack-elasticsearch@a02c6fbccf
esvm is a small commandline tool to start different clusters in a fast way.
This commit adds a preconfigured .esvmrc for starting an SSL enabled cluster
in no time.
All you need to do is to build the package and run
esvm shield
This starts a two node cluster with SSL enabled on HTTP and transport
Original commit: elastic/x-pack-elasticsearch@f701fd1134
If a user was created, but the user was not supplied roles on the commandline,
a bogus 'user:' was added to the roles file. This fix checks, if roles were
supplied when creating a user and only changes the roles file in that case.
Original commit: elastic/x-pack-elasticsearch@286951c016