Commit Graph

386 Commits

Author SHA1 Message Date
Alexander Reelsen 2aafcf40dd Performance: Only iterate ip filter rules per profile
This is a little cleanup to only iterate IP filter rules for each
profile instead of iterating all of them and check for the profile
inside of the rule.

Original commit: elastic/x-pack-elasticsearch@6774f1f165
2014-12-04 14:16:10 +01:00
uboness 150ac97ffe Reduced audit logs
- Moved ACCESS_GRANTED logging of internal actions to TRACE level

Original commit: elastic/x-pack-elasticsearch@fe9bd3e64d
2014-12-04 10:25:40 +01:00
Alexander Reelsen 347374b56d Cleanup: Removed leftover and unused ip_filter.yml
Also fixed a minor tabbing issue

Original commit: elastic/x-pack-elasticsearch@cc761fd278
2014-12-03 15:39:52 +01:00
uboness 2bd541e40f Added EULA
Original commit: elastic/x-pack-elasticsearch@dd9ebdd082
2014-12-03 14:09:55 +01:00
javanna 847fc21def [TEST] temporarily log the default locale in REST tests
The locale is being randomized but never printed out for now (fixed upstream but we still depend on 1.4.0). We need to temporarily log it out manually to debug some test failures that might be related to the locale randomization (in combination with build machines settings).

Original commit: elastic/x-pack-elasticsearch@6f7e9625d1
2014-12-02 19:24:12 +01:00
uboness eac85eda10 [Cleanup] - FileRolesStore no longer depends on AuthorizationService
It used to be required, but since elastic/x-pack@607fabbade it's no longer needed.

Original commit: elastic/x-pack-elasticsearch@3c60798c2e
2014-12-02 19:04:25 +01:00
javanna 452851be6a [TEST] fixed tests repeatability issue
Every random call should happen all the time on all platforms (unless randomized!), otherwise tests won't reproduce on different platforms.

Original commit: elastic/x-pack-elasticsearch@d5b2d2079c
2014-12-02 18:43:43 +01:00
Alexander Reelsen 1d4422fc79 Profiles: Add client server transport filter
This PR allows to configure different ServerTransportFilters per profile.
By default there is a `server` transport filter, that does authentication
and a `client` on that rejects internal actions and shard actions.

Closes elastic/elasticsearch#312

Original commit: elastic/x-pack-elasticsearch@1ce66495a5
2014-12-02 16:59:20 +01:00
Alexander Reelsen dca9f3115e IP Filtering: Add support for having on filters on HTTP transport
In order to fix elastic/elasticsearch#378 a problem was revealed, that the ip filter for HTTP was
always the one for the default profile, which lead to failed tests (along
with wrong socket connections, which made the test go green irregularly).

This commit fixes the tests and allow to configure own HTTP ip filters, adding
the following settings

* shield.http.filter.enabled
* shield.http.filter.allow
* shield.http.filter.deny

If not specific settings are configured, the one of the default profile are used.

Closes elastic/elasticsearch#378

Original commit: elastic/x-pack-elasticsearch@89dbaefe9a
2014-12-02 16:44:15 +01:00
uboness 63a483e77e [Cleanup] - refactored out N2NAuthenticator
N2NAuthenticator was not really used. Only the ip filtering authenticator was used, and was used directory (no use for a generic interface). `IPFilteringN2NAuthenticator` is now `IPFilter` and all relevant classes were moved to `shield.transport.filter` package.

Original commit: elastic/x-pack-elasticsearch@43f6faeb4b
2014-12-02 14:27:54 +01:00
Alexander Reelsen 8bcbc690ce SSL: Re-enabling configuration option to disable client auth
In order to not require client side SSL certs for transport clients
another option was added in the profile configuration to enable
or disable client side certs. The same option has also been added
for HTTP.

Original commit: elastic/x-pack-elasticsearch@9658598bdc
2014-12-02 14:01:50 +01:00
uboness 1c54bf0d2e Added validation for esusers username, password and role name
Force validation of eusers username & password, and the role names.

role names and usernames follow the following validation rule:
```
A valid name must be at least 1 characher and no longer than 30 characters. It must begin with a letter (`a-z` or `A-Z`)
or an underscore (`_`). Subsequent characters can be letters, underscores (`_`), digits (`0-9`) or any of the following
symbols `@`, `-` or `$`
```

passwords must be at least 6 characters long.

Closes elastic/elasticsearch#399

Original commit: elastic/x-pack-elasticsearch@e6be51b357
2014-12-02 12:49:10 +01:00
javanna d7478b188e [TEST] restored `gateway: local` settings in ClusterDiscoveryConfiguration fork and clarify version assert (now for real)
Local gateway has been removed in core, but it's a master only change. If we don't set it to local in our settings, we end up using the none gateway and KnownActionsTests fails because the local gateway endpoint are not registered to core.

Original commit: elastic/x-pack-elasticsearch@9bb550329f
2014-12-02 11:07:05 +01:00
javanna 731feff48f [TEST] restored `gateway: local` settings in ClusterDiscoveryConfiguration fork and clarify version assert
Local gateway has been removed in core, but it's a master only change. If we don't set it to local in our settings, we end up using the none gateway and KnownActionsTests fails because the local gateway endpoint are not registered to core.

Original commit: elastic/x-pack-elasticsearch@c3bc37df4b
2014-12-02 11:06:29 +01:00
javanna 16929a0da7 [TEST] sync our fork of ClusterDiscoveryConfiguration with core
This class will be deleted when we'll depend on the next version, for now we forked it and we have to keep it up-to-date

Original commit: elastic/x-pack-elasticsearch@0d7cfdfe3d
2014-12-02 10:33:23 +01:00
javanna 45f5bd1967 [TEST] randomly enable/disable ssl on the transport layer
We currently run with ssl always on on the transport layer, which means that we never test with ssl off. We found bugs in the past caused by the ssl classes being loaded even when ssl was disabled, those should be caught by this new randomization.

Added method to override whether ssl is enabled or not for SUITE and TEST tests, called sslTransportEnabled(). A couple of tests do require ssl always on, thus they enable it through that method, which means that both nodes and transport client will have the keystore configured and ssl enabled on the transport.

Note that ssl on http is not touched here, that stays off by default unless enabled specifically in SUITE or TEST tests.

Closes elastic/elasticsearch#396

Original commit: elastic/x-pack-elasticsearch@63061b97ff
2014-12-02 09:52:35 +01:00
jaymode 7a6a3d072f Fix password comparison in UsernamePasswordToken.equals
The password comparison in the UsernamePasswordToken compares the
instances password to itself instead of the other instances password.

Closes elastic/elasticsearch#405

Original commit: elastic/x-pack-elasticsearch@3cb5658edf
2014-12-01 19:08:35 -05:00
jaymode c1cac5887a Add ip filtering output to the audit trail
This replaces the use of the logger in the IPFilteringN2NAuthenticator with the
AuditTrail, so that the connection granted or denied messages will now be seen
with the rest of the audit output.

Closes elastic/elasticsearch#101

Original commit: elastic/x-pack-elasticsearch@10218a45a9
2014-12-01 18:27:23 -05:00
uboness da430a5143 Fixes lazy loading issues in the codebase
- SSLService needs to be lazy loaded (only loaded when required). Guice provider doesn't seem to work as all singleton bindings are forced to be loaded eagerly. For this reason, a new `SSLServiceProvider` is introduced and is injected wherever the SSLService might be needed (SSLService is never injected directly)

 - `IPFilteringN2NAuthenticator` is now always injected and used. enabling/disabling the filtering is handled within the `IPFilteringN2NAuthenticator` and the `SecuredMessageChannelHandler` on the transport is always set. Although we add another handler to netty's event chain (even while having ip filtering disabled), the overhead of this handler is negligible and this will also enabled enabling/disabling filtering at runtime (if we choose to support it) via API later on.

Original commit: elastic/x-pack-elasticsearch@cd44ecd6ac
2014-12-01 11:21:56 -08:00
javanna 123d577a88 Remove benchmark privileges and actions from codebase and docs
Closes elastic/elasticsearch#384

Original commit: elastic/x-pack-elasticsearch@13cdefd585
2014-11-28 13:41:51 +01:00
javanna ac2b30f150 [TEST] delete the temp folder if already existing (this time for real)
Original commit: elastic/x-pack-elasticsearch@618fcd4dbd
2014-11-28 10:11:38 +01:00
javanna 8c1fcb52ea [TEST] delete and recreate config dir if already existing
Original commit: elastic/x-pack-elasticsearch@90af42b95d
2014-11-27 12:34:34 +01:00
javanna a995ed9cca [TEST] allow to configure tests.timezone and tests.locale
tests.timezone and tests.locale are values that gets randomized all the time (even without configuring them). They don't get printed yet out with shield failures as this was only recently added to es core, but it makes sense to get ready and allow to configure them for better test repeatability.

Also removed support for es.node.mode and es.node.local as we always use network since we test with unicast discovery only.

Original commit: elastic/x-pack-elasticsearch@d03fa0c162
2014-11-27 11:40:13 +01:00
Paul Echeverri fff49d9e53 Merge branch 'doc-295' of https://github.com/palecur/elasticsearch-shield
Original commit: elastic/x-pack-elasticsearch@e63e3db412
2014-11-26 11:54:27 -08:00
uboness af74f43aea Introduced realms factories
Today it is possible to configure 3 realms in shield - `esusers`, `ldap` and `active_directory`. These realms are created once based on the configuration. There are several problems with this approach:

- Taking `ldap` as an example, it is currently not possible to have multiple `ldap` realms configured (where one serving as a fallback for the other). While the `ldap` realm itself enables defining multiple ldap URLs, it has the limitation that the fallback LDAP must have the exact same configuration as the primary LDAP (+ there's the limitation that all URLs must either us SSL or not... there cannot be a mix of SSL URL and a normal URL)

- The realms are created and bound internally by guice. This will limit the configurability at runtime of the realms which we might want to introduce in shield 2.0.

This commit changes the way realms are managed & configured. Instead of having guice bind the realms themselves. A new realm factory construct will be introduced. The realm factory will represent a realm type and guice will bind these factories. At load time, we'll read the configuration and based on the types of the configured realms, the relevant factories will create the realms based on the settings. This means that potentially we can expose the realms as a dynamic configuration and rebuild the realm chain at runtime.

A nice side effect of this approach is that the multiple URLs feature that is currently supported by both `ldap` and `active_directory` can be dropped. Instead, the users will just need to configure multiple `ldap`/`active_directory` realms.

Closes: elastic/elasticsearch#370

Original commit: elastic/x-pack-elasticsearch@3232f153bb
2014-11-25 14:31:51 -08:00
Paul Echeverri f178575625 Adds Shield's requirement for disabling multicast discovery and links to the
main ES discovery docs.

Original commit: elastic/x-pack-elasticsearch@1d9742c0ae
2014-11-25 13:59:45 -08:00
Paul Echeverri b2949d76c8 Adds sample logging output to verify a functional Shield installation to Getting Started section.
Original commit: elastic/x-pack-elasticsearch@1b5505090d
2014-11-25 13:54:14 -08:00
javanna 706a8fd38d [TEST] move integration tests to use the global cluster and run against multiple nodes
Every test class was previously running against its own SUITE cluster composed of a single node due to misconfiguration.
Also there were some repetitions and bugs in the settings: first of all unicast wasn't properly configured, also the plugin wasn't registered properly in the transport client, thus the "shield.user" settings wasn't properly converted into the basic auth header. For the very same reason the settings used for authc wasn't randomized for transport client.

Extracted out all the needed configuration to the `ShieldSettingsSource` class, that takes care of the unicast configuration, loading of the plugin and all of the configuration files and parameters.
Used the global cluster whenever possible, that has the following characteristics:
- unicast discovery
- ssl configured and enabled at the transport level
- ssl configured but disabled at the http level (REST tests use the same cluster and don't support SSL at this time)
- single user configured with an allow_all role
- auditing enabled or not is randomized
- the setting used to do basic auth is randomized between reuest.headers.Authorization and our own shield.user for both node and transport client

Test classes that need to override defaults settings can do so by declaring scope=SUITE and overriding the nodeSettings method. Also roles, users and users_roles have specialized methods to be overridden that just return the content of the whole file if it differs from the default. Note that given that ssl is properly configured although disabled for http, tests that need it on can just enable it without any additional configuration.

Closes elastic/elasticsearch#31

Original commit: elastic/x-pack-elasticsearch@fa6f162497
2014-11-25 17:34:10 +01:00
javanna a62a11f430 Internal: remove static assert that will trip once we upgrade to 1.4.1 or any new version
Although it is nice to be alerted through assert as soon as we upgrade the es core dependency, this can be done only in test code, in production code it prevents us from supporting any future version once the code gets released.

Replaced the assert with a TODO.

Original commit: elastic/x-pack-elasticsearch@b0d59c2fd3
2014-11-25 16:55:39 +01:00
javanna 22eabc19b2 [TEST] Remove SSLRequireAuthTests as the tested functionality (ssl client auth and settings) was removed
Original commit: elastic/x-pack-elasticsearch@0b646606aa
2014-11-25 12:28:30 +01:00
javanna 2eaa1cb969 Internal: resolve a few compiler warnings
@NotThreadSafe is not a valid standard java annotation. Removed unused method and empty @param javadoc annotation

Original commit: elastic/x-pack-elasticsearch@3583bcfa66
2014-11-25 12:17:28 +01:00
javanna 68e4876915 [DOCS] hopefully fixed formatting of TESTING.asciidoc
Original commit: elastic/x-pack-elasticsearch@516db83599
2014-11-24 11:55:25 +01:00
javanna e25f189fc2 [TEST] Added TESTING.asciidoc with some info on testing
The goal of TESTING.asciidoc is not to repeat what's already in the elasticsearch core test cheatsheet, but only add what is different in shield.

Original commit: elastic/x-pack-elasticsearch@51ad3894d2
2014-11-24 11:52:41 +01:00
javanna 48002d0d45 Internal: don't override user in the context if already existing
This bug was caused by the fact that we serialize the user and don't re-authenticate on each node anymore. With auto create index, we ended up overriding the user in the context with system due to wrong checks (we would check the headers instead of the context). This bug was revealed by our REST tests.

Also refactored the method for readability and removed check for token.

Original commit: elastic/x-pack-elasticsearch@2aa260b46c
2014-11-24 11:31:00 +01:00
Alexander Reelsen f1e5de40f5 Ip filtering: Use settings file instead of own configuration
This will allow in the future to make this a dynamic setting,
which can also be shared accress the cluster instead of having
to use (and distribute) files.

Another change is, that the order of `deny` and `allow` now does not matter
anymore. Allow will win over deny.

The last change is that `all` now is `_all` in order to align with the
rest of Elasticsearch

Documentation has been updated accordingly.

Original commit: elastic/x-pack-elasticsearch@daa0b18343
2014-11-24 10:46:15 +01:00
uboness b31beb1e36 [Cleanup] - renamed KeyService/KeyModule to SignatureService/SignatureModule
Also moved to appropriate package

Original commit: elastic/x-pack-elasticsearch@cb373314b8
2014-11-22 21:46:13 +01:00
uboness 22eea8aba0 [Cleanup] - Refactored security filter
Nuked the security filter and separated the different filter to their own constructs:

- Added a shield action package & module that is responsible for binding the shield action filter (and later will hold all shield actions)
- Added a shield rest package & module that is responsible for binding the shield rest filter and registering all the rest actions
- Moved the client & server transport filters to the transport package

General cleanup:

- Code formatting
- moved `ShieldPlugin` to the top level package `org.elasticsearch.shield`

Original commit: elastic/x-pack-elasticsearch@d652041860
2014-11-22 05:31:03 +01:00
uboness 6087480368 Avoid re-authenticating on in-cluster requests
Now, on first successful authentication, we put the user in the message header so it'll be send with any subsequent cluster internal requests (e.g. shard level search) to avoid re-authentication on every node in the cluster. We can do that now, as with multi-binding transport we can guarantee isolation of the internal cluster from client communication. While it's generally safe for transmission, the user header that is sent between the nodes is still signed using the `system_key` as yet another security layer.

As part of this change, also added/changed:

 - A new audit log entry - anonymous access for Rest request.
 - Changed how system user is assumed. Previously, system user was assumed on the receiving node when no user was associated with the request. Now the system user is assumed on the sending node, meaning, when a node sends a system originated request, initially this request won't be associated with a user. Shield now picks those requests up and attaches the system user to the role and then sends it together with the request. This has two advantages: 1) it's safer to assume system locally where the requests originate from. 2) this will prevent nodes without shield from connecting to nodes with shield. (currently, the attached users are signed using the system key for safety, though this behaviour may be disabled in the settings).

 - System realm is now removed (no need for that as the system user itself is serialized/attached to the requests)

 - Fixed some bugs in the tests

 Closes elastic/elasticsearch#215

Original commit: elastic/x-pack-elasticsearch@3172f5d126
2014-11-21 21:42:15 +01:00
Alexander Reelsen 2b108203fb SSL/TLS: Added support for different certs per profile
In order to run on different certs per port, we needed to adapt
the logic of starting up.

Also different profiles can now be applied to the N2NAuthenticator, so that
a different profile can allow/deny different hosts.

In addition minor refactorings have been done
* Group keystore/truststore settings instead of using underscores
* Change to transport profile settings instead of using specific shield ones

Documentation has been updated as well

Closes elastic/elasticsearch#290

Original commit: elastic/x-pack-elasticsearch@ad1ab974ea
2014-11-21 17:02:58 +01:00
javanna f2abfb35f9 Work around circular dependency in core
There is a circular dependency in core 1.4.0 that cause plugins to fail depending on their constructors injection. We have ClusterService in InternalAuthorizationService that triggers this problem, solved for now replacing the dependency with a Provider. The original bug is already fixed in core: https://github.com/elasticsearch/elasticsearch/pull/8415 .

The problem manifested when enablieng a tribe node having shield installed on that node at the same time.

Closes elastic/elasticsearch#363

Original commit: elastic/x-pack-elasticsearch@ac339ef247
2014-11-21 10:45:39 +01:00
c-a-m 8397112422 Documentation updates for Active Directory Realm. Also replaces empty string arrays with Strings.EMPTY_ARRAY
Original commit: elastic/x-pack-elasticsearch@3f02d89a20
2014-11-20 16:26:57 -07:00
c-a-m 350665bb26 Changed from code-review feedback
Original commit: elastic/x-pack-elasticsearch@356c829f5a
2014-11-20 16:26:57 -07:00
c-a-m 32f0f621d5 LDAP: splitting AD and LDAP realm
This splits the realm into two so that configuration for both are separate.

Original commit: elastic/x-pack-elasticsearch@782997d54b
2014-11-20 16:26:57 -07:00
c-a-m e8119ec933 LDAP: Changed AD group lookup to include nested groups
This expands the ActiveDirectoryConnectionFactory to lookup nested groups, in a non standard way.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/286

Original commit: elastic/x-pack-elasticsearch@7a3c5643f6
2014-11-20 16:26:57 -07:00
c-a-m 852529bf53 LDAP: Changed AD group lookup to include nested groups
This expands the ActiveDirectoryConnectionFactory to lookup nested groups, in a non standard way.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/286

Original commit: elastic/x-pack-elasticsearch@01781a8305
2014-11-20 16:26:57 -07:00
javanna 34a69cd1cf SSL: make sure SSLService is loaded only when needed
Our two transport impls depend on the SSLService at this point. Although we bind the SSLService only if ssl is enabled, it gets loaded anyway as it's a required dependency for the transports. We need to declare the dependency nullable and bind a null service manually when ssl is off.

Also resolved a couple of compiler warnings in SSLService and renamed some of its variables for better readability.

Closes elastic/elasticsearch#359

Original commit: elastic/x-pack-elasticsearch@2c99b2052e
2014-11-19 16:02:54 +01:00
uboness 50556c120c [Cleanup] - Added SSLModule
Moved the SSLService binding to its own module

Original commit: elastic/x-pack-elasticsearch@b08662c680
2014-11-19 14:08:53 +01:00
uboness 8783abcc6f Empty list of privileges should be skipped
When a role is configured with an entry with an empty list of privileges (cluster or indices), the entry should be skipped.

Fixes elastic/elasticsearch#339

Original commit: elastic/x-pack-elasticsearch@44d957529e
2014-11-19 14:05:02 +01:00
Alexander Reelsen f004275641 Refactoring: Make TransportFilter work for inbound connections only
As netty uses different bootstraps for sending/receiving requests, having a
single interface for filtering incoming/outgoing messages does not make a
lot of sense.

This commit changes from a TransportFilter interface to a InboundTransportFilter
interface, which is only able to filter incoming messages - which is all we do
anyway right now.

Original commit: elastic/x-pack-elasticsearch@545ff24136
2014-11-19 13:56:28 +01:00
jaymode 17d2d0b1f9 Print message when attempting to delete a user that doesn't exist
Previously the userdel command always returned success regardless
of whether the user exists or not. When the user does not exist, a
message is now shown indicating that the user was not found.

Closes elastic/elasticsearch#346

Original commit: elastic/x-pack-elasticsearch@fb45d844ca
2014-11-19 06:29:43 -05:00