244 Commits

Author SHA1 Message Date
jaymode de72f4aeee security: change DLS behavior to OR queries together
This commit changes the behavior of combining multiple document level security queries
from an AND operation to an OR operation.

Additionally, the behavior is also changed when evaluating the combination of roles that
have document level security and roles that do not have document level security. Previously
when the permissions for these roles were combined, the queries from the roles with document
level security were still being applied, even though the user had access to all the documents.
This change now grants the user access to all documents in this scenario and the same applies
for field level security.

Closes elastic/elasticsearch#1074

Original commit: elastic/x-pack-elasticsearch@291107ec27
2016-03-01 07:03:38 -05:00
javanna 0be2b6cbbc Adapt to SearchServiceTransportAction rename
Original commit: elastic/x-pack-elasticsearch@b154325787
2016-03-01 12:58:53 +01:00
uboness 2a1b3250db Cleanup Security Roles
- Renamed `AddRoleAction/Request/Response` to `PutRoleAction/Request/Response`
- also renamed the user/roles rest actions
- Changed the returned format for `RestGetRoleAction`. Previously this endpoint returned an array of role descriptors. Now it returns an object where the role names serve as the keys for the role objects. This is aligned with other APIs in ES (e.g. index templates).
- When `RestGetRoleAction` cannot find all the requested roles, it'll return an empty object and a 404 response status
- Also cleaned up `RoleDescriptor`

Original commit: elastic/x-pack-elasticsearch@742f6e0020
2016-03-01 05:47:22 -05:00
Boaz Leskes 3ddbd77090 Remove DiscoveryService and reduce guice to just Discovery elastic/elasticsearch#1571
DiscoveryService was a bridge into the discovery universe. This is unneeded and we can just access discovery directly or do things in a different way.

This is a complement to elastic/elasticsearch#16821

Closes elastic/elasticsearch#1571

Original commit: elastic/x-pack-elasticsearch@496f0c4081
2016-02-29 20:26:38 +01:00
jaymode 03be6e3a62 change shield in log messages to security
Original commit: elastic/x-pack-elasticsearch@9c5acc488a
2016-02-29 10:26:48 -05:00
uboness 759d99de9c changed the User API
- Now it's more aligned with other APIs in ES (e.g. index template API)
- the "get user" API now returns an object as a response. The users are keyed by their username. If none of the requested users is found, an empty object will be returned with a 404 response status.
- the body of "put user" request doesn't require "username" anymore (as it's defined as part of the URL)

Original commit: elastic/x-pack-elasticsearch@f7c12648b1
2016-02-29 09:47:39 -05:00
Alexander Reelsen 1f113e07f4 Watcher: Fail email action on attachment download issues
In case that a single email attachment cannot be downloaded, this ensures
that the whole action fails with a correct Action.Failure.

This also fixes an NPE that would occur otherwise.

Original commit: elastic/x-pack-elasticsearch@7bb042a719
2016-02-28 21:07:23 -08:00
Alexander Reelsen cc8109bc87 Watcher: Fix naming of data attachments to use id in email attachments
This is a small fix to use specified id when sending data attachments.
The current solution always used "data".

Also a minor refactoring was made to get the different parser impls
from the EmailAttachmentsParser instead of specifying them twice in the
EmailAction.

Closes elastic/elasticsearch#1503

Original commit: elastic/x-pack-elasticsearch@9354e83c8b
2016-02-28 20:22:45 -08:00
Nik Everett d7170197f6 Handle core's log refactoring
Original commit: elastic/x-pack-elasticsearch@9e2e41db90
2016-02-26 16:06:31 -05:00
jaymode 06fc60c2f6 shield: handle null tokens when parsing roles
The roles parsing does not currently handle null tokens since the YAML parser
was not emitting them. With the upgrade to Jackson 2.7.1, the parser is now
emitting the null token value.

Original commit: elastic/x-pack-elasticsearch@abcad633ad
2016-02-26 15:03:56 -05:00
Alexander Reelsen 47f1c2daa5 Watcher: Throw exception when empty URL is handed in http requests
This ensures that invalid watches are not even added and rejected on
index time.

Closes elastic/elasticsearch#1510

Original commit: elastic/x-pack-elasticsearch@d18e0c8ef6
2016-02-25 17:31:11 -08:00
Alexander Reelsen b97fea44d7 Watcher: Fix SSL default port when using request.fromUrl
If no port was specified, port 80 was assumed, even if https was specified
as the protocol. This led to weird failures in the logs and trying to use
SSL on port 80.

Relates elastic/elasticsearch#1567

Original commit: elastic/x-pack-elasticsearch@0ea11d612e
2016-02-25 16:26:53 -08:00
Alexander Reelsen 47ef39037b Watcher: Fix latch await in timeout tests
The awaiting latch was not waiting as long as the sleep in the code
causing the latch to fail and the test to fail.

This code aligns the time to wait for the latch and the sleep code
in the mock http server.

Original commit: elastic/x-pack-elasticsearch@8a2cc61204
2016-02-25 15:56:30 -08:00
uboness eb8dbfb998 Renamed `.shield` index to `.security`
Going forward (from 5.0 on) we'll remove all occurrences of the "shield" name/word from the code base. For this reason we want to already start using `.security` index in 2.3 such that we won't need to migrate it to a `.security` index later on.

Original commit: elastic/x-pack-elasticsearch@74a1cbfcf2
2016-02-25 15:10:22 -08:00
Alexander Reelsen 4eef709d2e Watcher: Fix timeout tests by increasing wait timeout
The request timeout and the real time the webserver slept was 5000ms.
In case of loaded systems, there might be cases, where the request was
still received in time.

This commit increases the server side sleep time to 10 seconds, to ensure
that the client aborts the request early.

Original commit: elastic/x-pack-elasticsearch@718c05519f
2016-02-25 14:23:34 -08:00
Alexander Reelsen 2daef601d4 Watcher: Fix timeout tests
The current HTTP timeout tests had two problems.

* Binding to port 9200-9300
* The first request to hit was having a delay, the other ones had not,
  so if any other component hit the test in between (likely in a CI env),
  the HTTP request from the test itself will not be delayed.

Both cases are fixed in this commit.

Original commit: elastic/x-pack-elasticsearch@d696e020cc
2016-02-25 12:23:46 -08:00
Nik Everett c7796d5cb7 Rename more tests to match naming conventions
Original commit: elastic/x-pack-elasticsearch@d76c217bd9
2016-02-25 15:20:41 -05:00
jaymode 0522127924 Test: remove use of network.host in smoke test ssl plugins
This removes the use of a specific address in smoke test ssl plugins and instead generates
the certificate with all of the IP addresses and DNS names of the system as subject
alternative names. This required duplication and modification of some code from core's
NetworkUtils.

Original commit: elastic/x-pack-elasticsearch@576824376f
2016-02-25 13:56:46 -05:00
Alexander Reelsen 2f088a60bc Watcher: Always get HTTP response body independent from error code
When an HTTP input returns an error body, right now we check if the
error code is below 400 and only then we include the body.

However using another method from URLConnection, the body can
always be accessed.

Closes elastic/elasticsearch#1550

Original commit: elastic/x-pack-elasticsearch@1743fd0a77
2016-02-25 10:25:34 -08:00
Nik Everett 08e0717f6b Make tests follow naming conventions
One test wasn't running because it didn't match!

Original commit: elastic/x-pack-elasticsearch@081c6b09e2
2016-02-25 13:14:01 -05:00
uboness 7fbf5645e2 fixed checkstyle error
Original commit: elastic/x-pack-elasticsearch@7676e988a8
2016-02-25 01:50:19 -08:00
uboness 266bf09437 Fixed build failure related to security roles APIs
- roles are now reliably parsed
- in `Put Role` API, added a double check to verify that the role name in the URL matches the role name in the body. Also, if the body doesn't have a role name, the role name in the URL will be used.

Original commit: elastic/x-pack-elasticsearch@5054ce8567
2016-02-25 01:38:04 -08:00
uboness 8ff6b93a3c Cleanup Security Roles
- Renamed `AddRoleAction/Request/Response` to `PutRoleAction/Request/Response`
- also renamed the user/roles rest actions

Original commit: elastic/x-pack-elasticsearch@ae0ccd61e5
2016-02-24 13:46:32 -08:00
Chris Earle 7e334a5e4b Renaming interval variable to include units and reordering constructor field values to ensure listener is added last
Original commit: elastic/x-pack-elasticsearch@60983f4190
2016-02-23 13:17:42 -05:00
Chris Earle ef81157c47 Add Javadocs
Also a minor fix to the phrasing in `MarvelLicensee#expirationMessages()`.

Original commit: elastic/x-pack-elasticsearch@9366c07930
2016-02-22 15:56:19 -05:00
Chris Earle 0b0ca8f2a6 Removing unused imports
Original commit: elastic/x-pack-elasticsearch@40c094af91
2016-02-22 15:56:19 -05:00
Chris Earle df99174122 Removing duplicated import
Original commit: elastic/x-pack-elasticsearch@1618ec79d4
2016-02-22 15:56:19 -05:00
uboness 18b08c82ca Introducing user full name, email and metadata.
- `full_name` and `email` are optional user fields
- `metadata` is an optional arbitrary meta data that can be associated with the user
- cleaned up the user actions - consistent naming (e.g. `PutUserAction` vs. `AddUserAction`)
- moved source parsing from the `PutUserRequest` to the `PutUserRequestBuilder`
- renamed `WatcherXContentUtils` to `XContentUtils` and moved it to sit under `o.e.xpack.commons.xcontent`

Closes elastic/elasticsearch#412

Original commit: elastic/x-pack-elasticsearch@5460e3caf7
2016-02-22 10:22:36 -08:00
Alexander Reelsen 6d0d09468b Watcher/Shield: Ensure only one .in.bat file exists
This was a leftover from watcher/shield being different plugins.

Closes elastic/elasticsearch#1530

Original commit: elastic/x-pack-elasticsearch@521b4bad14
2016-02-21 15:20:24 -08:00
Tanguy Leroux a27d2bcc50 Fix line length
Original commit: elastic/x-pack-elasticsearch@bbf883437f
2016-02-21 15:19:52 -08:00
Tanguy Leroux b5f40adb12 Marvel: Add stats for primary shards
closes elastic/elasticsearch#1198

Original commit: elastic/x-pack-elasticsearch@e823d01397
2016-02-21 14:39:52 -08:00
jaymode e3f53be3ef test: disable marvel for watcher disabled tests
We shouldn't have marvel enabled for these tests because we get false test failures
due to marvel indices existing and failing to lock the shard.

Original commit: elastic/x-pack-elasticsearch@11123bb660
2016-02-21 14:11:43 -08:00
jaymode d9ca4e0ce3 fix shield settings to not rely on iteration order
This removes the use of group setting for `shield.` and introduces some individual settings
and some group settings that should not overlap and cause issues when iteration order
changes.

See elastic/elasticsearch#1520

Original commit: elastic/x-pack-elasticsearch@193e937193
2016-02-21 10:10:52 -08:00
Simon Willnauer 64e4ccf9a0 Update x-pack to elastic/elasticsearch#16740
Original commit: elastic/x-pack-elasticsearch@63a3f49730
2016-02-20 17:21:47 -08:00
Adrien Grand 7b2fae3982 Unmute DynamicIndexNameIntegrationTests.
Closes elastic/elasticsearch#1527

Original commit: elastic/x-pack-elasticsearch@4ba9fe5f08
2016-02-15 16:12:57 +01:00
Colin Goodheart-Smithe 77ffdbcbb4 Merge pull request elastic/elasticsearch#1519 from colings86/refactor/aggRefactoringChanges
X-Plugin changes due to the changes in the Aggregations Java API

Original commit: elastic/x-pack-elasticsearch@524be093de
2016-02-15 11:33:42 +00:00
Adrien Grand 026c26db54 Mute DynamicIndexNameIntegrationTests.
Original commit: elastic/x-pack-elasticsearch@1795d24800
2016-02-15 12:07:40 +01:00
javanna 4482cd4f6c Adapt to removal of unused generics type from TransportMessage
followup of elastic/elasticsearch#15776, the type is not needed anymore.

Original commit: elastic/x-pack-elasticsearch@3f96dc552d
2016-02-12 17:21:28 +01:00
jaymode 8337832405 test: skip discovery ec2 in smoke-test-plugins*
Until we can fix the shield settings, we have bugs where we depend on the iteration
order of a map and discovery ec2 settings provoke this (most likely through a map
resize).

See elastic/elasticsearch#1520

Original commit: elastic/x-pack-elasticsearch@fbc32cf069
2016-02-12 10:40:27 -05:00
Colin Goodheart-Smithe 197b8fe56f X-Plugin changes due to the changes in the Aggregations Java API
Original commit: elastic/x-pack-elasticsearch@b983d0a00f
2016-02-12 12:06:06 +00:00
Simon Willnauer ec76d3bce0 Fix imports
Original commit: elastic/x-pack-elasticsearch@79e4535040
2016-02-12 10:52:48 +01:00
uboness ffe339ae31 Refactoring for 5.0 - phase 5
- Moved all settings in Marvel from `marvel.*` to `xpack.monitoring.*`
- Cleaned up marvel settings in general - they're all now under `MarvelSettings` class
- fixed some integration tests along the way (they were configured wrong and never actually tested anything)
- Updated the docs accordingly
- Added `migration-5_0.asciidoc` under the Marvel docs to explain how to migrate from Marvel 2.x to XPack 5.0.
- Replaced all `marvel` mentions in the logs to `monitoring`
- Removed the `xpack.monitoring.template.version` setting from the templates
- renamed the templates to `monitoring-es-data.json` and `monitoring-es.json`
- monitoring indices are now `.monitoring-es-<version>-data` and `.monitoring-es-<version>-<timestamp>`

Original commit: elastic/x-pack-elasticsearch@17f2abe17d
2016-02-11 21:34:38 +01:00
jaymode 95a8f77146 shield: do not throw exception if authorization header is not a basic token
Custom realms may enable the use of other authorization schemes than just basic authentication
and these schemes should work in addition to our built in realms. However, our built in realms use
the UsernamePasswordToken class to parse the Authorization header, which had a check to ensure
the token was for basic authentication and if not, an exception was thrown. The throwing of the
exception stops the authentication process and prevents custom realms from evaluating the header
if they come later in the ordering of realms.

This change removes the throwing of the exception unless the header starts with 'Basic ' and is invalid.

Original commit: elastic/x-pack-elasticsearch@fd438ded95
2016-02-11 09:59:35 -05:00
uboness 42c9eead60 Refactoring for 5.0 - phase 4
- renaming `ShieldPlugin` to `Shield` (it's no longer a plugin)
- renaming `WatcherPlugin` to `Watcher` (it's no longer a plugin)
- renaming `MarvelPlugin` to `Marvel` (it's no longer a plugin)
- renaming `LicensePlugin` to `Licensing` (it's no longer a plugin)
- renamed setting: `watcher.enabled` -> `xpack.watcher.enabled`
- renamed setting: `marvel.enabled` -> `xpack.marvel.enabled`

Original commit: elastic/x-pack-elasticsearch@35a6540b11
2016-02-10 11:15:35 +01:00
Igor Motov dbff0e1144 Add task cancellation mechanism
See elastic/elasticsearch#16320 for more information

Original commit: elastic/x-pack-elasticsearch@4f8a9b1258
2016-02-09 22:31:08 -05:00
Nik Everett 97e8cdc5f0 Remove suppression and implement hashCode
Original commit: elastic/x-pack-elasticsearch@0505f28e78
2016-02-09 21:49:13 -05:00
Nik Everett 390bbecf4b Suppress EqualsHashCode check where it fails
Original commit: elastic/x-pack-elasticsearch@eb5243a652
2016-02-09 21:32:23 -05:00
Jason Tedor 602f67d7c6 Use MessageDigests abstraction in core
This commit removes the message digest providers in x-plugins by using
the MessageDigests abstraction in core. In particular, this permits the
removal of the use of MessageDigest#clone in x-plugins.

Closes elastic/elasticsearch#1489

Original commit: elastic/x-pack-elasticsearch@6868e6e8ed
2016-02-09 10:18:00 -05:00
uboness 3a6a1d5dc2 Shield refactoring for 5.0 - phase 3
- Consolidated the `bin` and `config` directories of watcher, shield and marvel under a single `config/xpack` and `bin/xpack` directories.
- updated docs accordingly

Original commit: elastic/x-pack-elasticsearch@c2aa6132fa
2016-02-09 16:06:49 +01:00
uboness 92f027159a Shield refactoring for 5.0 - phase 2
- Started to move configuration under the `xpack` name
- Cleaned up `ShieldPlugin`
- renamed `ShieldClient` to `SecurityClient`
- Introduced `XPackClient` that wraps security and watcher clients

Original commit: elastic/x-pack-elasticsearch@f05be0c180
2016-02-09 14:32:33 +01:00