Enables filtering out sensitive settings from the nodes info API rest endpoint. Also provide a mechanism to filter out additional settings via a new `shield.hide_settings` setting.
Original commit: elastic/x-pack-elasticsearch@9bab5049e7
On Windows, ensureGreen times out due to some shards not being initialized so
this increases allocation logging.
Original commit: elastic/x-pack-elasticsearch@e3777a8e89
After the switch from elasticsearch.com to elastic.co, these tests started failing
due to socket connect errors. Now we will just connect to the OpenLDAP server
which should be a different machines than the ones running tests.
Original commit: elastic/x-pack-elasticsearch@7bf713a313
The resolved anonymous user was not added to the REST request context. This resulted in that when the request was "translated" to a transport request, the fallback was the `system user`. The commit fixes that.
Original commit: elastic/x-pack-elasticsearch@acea6becf1
Any exception caught during authentication is only logged if DEBUG is enabled.
This changes the behavior to log these exceptions are WARN with the exception
message only or at DEBUG with the full exception.
The user template ldap implementation could potentially cause a lot of
logging to be generated because it always prints the full exception at WARN
level. This changes it to print the message at WARN level and the exception
at DEBUG.
Original commit: elastic/x-pack-elasticsearch@c607567d88
This change filters out unsupported ciphers before setting the ciphers on the
SSLEngine. The unsupported ciphers are logged in a message at the error
level. If none of the specified ciphers are supported, then an exception will
be thrown.
Closeselastic/elasticsearch#698
Original commit: elastic/x-pack-elasticsearch@68cf47ec19
In order to be able to configure ip filtering in a dynamic way, all
the ip filter related settings have been made dynamic.
This commit also fixed a bug, as the setting shield.http.filter.enabled
was not working, but mentioned in the documentation.
Documentation has been updated along the way.
Closeselastic/elasticsearch#697
Original commit: elastic/x-pack-elasticsearch@2760c47b5b
tableizing means evaluation is strictly linear time O(inputLength),
but costs #states * alphabet in ram. alphabet here is unicode (64k) so it blows up huge.
With tableize=false, it just means evaluation is O(inputLength * log(numIntervals)).
This is plenty fast for our purposes.
For these same reasons lucene only tableizes ByteRunAutomaton (alphabet size=256)
by default, for CharRunAutomaton it defaults to false.
Ban the trappy RunAutomaton ctor that tableizes. Fix tests using it.
Closeselastic/elasticsearch#739.
Original commit: elastic/x-pack-elasticsearch@28ab66b0ee
A large number of recent test failures have been caused by failure to bind
a port in the range 32900 to 32999. The ports are now tested to see if they
can be bound by this JVM and if not tries to bind another port. This will
decrease the likelihood of a port bind failure but another application could
still bind a port before the node starts up.
Closeselastic/elasticsearch#737
Original commit: elastic/x-pack-elasticsearch@aaf098758f
REST tests that use expressions as the script language requires the
lucene-expressions library to be loaded.
Original commit: elastic/x-pack-elasticsearch@c0f2b8a4b2
This adds a second mode of operation to the ldap realm. This mode of operation
allows for single bind user to be specified. This bind user will be used to
search for user DNs starting from a base DN. The user DN will then be used to
authenticate via a bind operation. The bind user will then search for the user's
groups.
Closeselastic/elasticsearch#552Closeselastic/elasticsearch#323
Original commit: elastic/x-pack-elasticsearch@3338730a64
If tests are run on the same machine as the ldap server a bind may be
succesfull. This adds a search to the test which should take longer than
1 millisecond for the server to respond.
Original commit: elastic/x-pack-elasticsearch@f37fb912e8
This removes the logging of an exception at the default log level when a incoming request in
the http transport is unencrypted and the http transport expects traffic to be encrypted.
Closeselastic/elasticsearch#561
Original commit: elastic/x-pack-elasticsearch@0cf23e8e9d
This migrates all of the LDAP code off of JNDI and makes use of the UnboundID
SDK to perform LDAP communication. As much as possible the behavior has
remained consistent. The minimum ldap search timeout is now 1s as UnboundID
only accepts this timeout in seconds; previously a value in milliseconds could be
specified.
Closeselastic/elasticsearch#694
Original commit: elastic/x-pack-elasticsearch@dd1c92bf91
If a Global permission is encountered that has no indices the iterator would not continue
to the rest of the entries. This change fixes the iterator to check if a Global has indices and
if not continues to look for a Global with indices permissions.
Closeselastic/elasticsearch#701
Original commit: elastic/x-pack-elasticsearch@5fbe318046
JNDI will throw a NullPointerException when base_dn is not specified.
This should always be a non-null value that points to at least the base
of the directory or higher.
Closeselastic/elasticsearch#703
Original commit: elastic/x-pack-elasticsearch@825afcdd78
This adds a few tests using the Java default truststore (cacerts) to SslMultiPortTests
and validates that when using that truststore, the client cannot connect to a node
that is using a self signed certificate.
Original commit: elastic/x-pack-elasticsearch@d7c2eaa16b
Separates the SSLService into a ClientSSLService and a ServerSSLService. The ClientSSLService
should be used for client connections and removes the requirement for setting a keystore or a
truststore. The ServerSSLService maintains the existing requirement to have a keystore. Also, fixed
a small issue where the HandshakeWaitingHandlerTests called handshake more than once.
Closeselastic/elasticsearch#622
Original commit: elastic/x-pack-elasticsearch@67b6121b04
When a request (rest/transport) that arrives to elasticsearch, and that has no authentication token associated with it, the request is then considered to be sent by an anonymous user. By default, we disallow anonymous requests and fail it by returning an authentication error.
Anonymous access can be enabled by configuring the `shield.authc.anonymous.roles` setting in `elasticsearch.yml` file. When set, an anonymous request will be associated with an `anonymous` user that holds the configured roles. From there on, authorization will continue as usual, and will try to authorize the request based on these roles.
Closeselastic/elasticsearch#376
Original commit: elastic/x-pack-elasticsearch@028b3a380b
mostly renamed `Secured....` classes to `Shield...` classes. applied to construct that replace other similar constructs either in es core or in other libraries. This will make it clear that the new constructs are coming from shield (in the logs). Also no need to call it "secured" as if shield replaces them, it's very likely they relate to security in one way or another :)
Original commit: elastic/x-pack-elasticsearch@f528a10b14
Two aliases were supposed to be created, while only one was, which was also associated with a broken filter.
Original commit: elastic/x-pack-elasticsearch@695acbd668
make the download URL consistent:
- changed from elasticsearch-license to just license.
- file name will be "shield-{version}.zip".
- download location will be https://download.elasticsearch.org/elasticsearch/shield/{filename}
- update URL for license download.
- update esvmrc to account for license plugin name change
- update error message for license plugin name change
Original commit: elastic/x-pack-elasticsearch@bebde15b4f
We need to assume the license is enabled until we're told otherwise by the license plugin. It's required as we should allow the execution of APIs (like cluster health) on a node that just started and didn't receive the cluster state yet.
Original commit: elastic/x-pack-elasticsearch@ce5fa68bfa
A NullPointerException was triggered in InternalAuthenticationService
in case a user did not exist because of trying to access the non-existing user.
While fixing this, a test added in IndexPrivilegeTests uncovered lots of wrong
assumptions about HTTP error codes, which have been fixed as well (a successful
operation now is expected to have a non 4XX/5XX HTTP return code). Also made sure
that certain preconditions are fulfilled before going on.
Fixeselastic/elasticsearch#646
Original commit: elastic/x-pack-elasticsearch@c4ed759e16
As Elasticsearch 1.4.2 and below do not copy the headers in
TransportSnapshotsStatusAction, we need to allow the system user
to execute this in action, in order to see snapshots being currently
in progress.
This should be removed once we support elasticsearch 1.4.3
Closeselastic/elasticsearch#640
Original commit: elastic/x-pack-elasticsearch@00adf3dacf
jaymode
uboness
Alexander Reelsen
Robert Muir
javanna
Kevin Kluge