Commit Graph

386 Commits

Author SHA1 Message Date
c-a-m a59b389967 [TEST] Fixes the ssl configuration of the rest tests
The rest tests were configured with transport and http settings for ssl.  This
changes that to the shield.ssl settings.

Original commit: elastic/x-pack-elasticsearch@19b96f7fa3
2014-11-18 17:00:30 -07:00
c-a-m eaac7ff250 This adds a static clear method fot LdapSSLSocketFactory for testing
This clears the LdapSSLSocketFactory "singleton" for reproducible tests.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/336

Original commit: elastic/x-pack-elasticsearch@baa3a2ce60
2014-11-18 08:07:39 -07:00
c-a-m a224b54973 Simplied SSL keystores and truststores
This puts one keystore in the SSLService.  An optional truststore can be configured but the
keystore defaults as the truststore.  This change also removed the ability to do certificate authentication with clients.

Resolves https://github.com/elasticsearch/elasticsearch-shield/issues/292

Original commit: elastic/x-pack-elasticsearch@59920db32a
2014-11-18 08:07:27 -07:00
javanna 90d4c43a6d [TEST] replaced all the TemporaryFolder rules with utils provided by the randomized runner
There is no need to use TempraryFolder rules in our tests, since we depend on randomized runner which creates a globalTempDir() whose cleaning is already managed by the infra. Any other dir or file should be created under the global temp dir by specifying also its desired duration (SUITE or TEST).

Closes elastic/elasticsearch#337

Original commit: elastic/x-pack-elasticsearch@7456882d18
2014-11-14 17:46:06 +01:00
c-a-m 7472b50144 Fix listing of users without roles
When no users have roles, esusers will now correctly list all users.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/315

Original commit: elastic/x-pack-elasticsearch@12f4c171d8
2014-11-12 17:10:07 -07:00
uboness da15a66d1e Massive refactoring to permission infrastructure
- The Permission class changed such that now there isn't a single `check` method that all permission types must implement. Instead, each permission type has its own (if at all) check method that is relevant to what the permssion is supposed to check.

- Moved the indices resolving logic outside of the indices permission class to the authorization service. Also, the authroization service has all the logic on how to check each one of the indices against a compound/merged permission view over all the user's roles. This fixes a critical bug where if a user had more than one role, its permission wouldn't be checked appropriately (they were checked separately which introduced invalid results)

- Cleaned up and got rid of unused code

- System role is no longer implementing Permission (no need for that)

- Additional tests were added with different users/roles configuration to try an capture such bugs

Fixes elastic/elasticsearch#304

Original commit: elastic/x-pack-elasticsearch@5c9a581019
2014-11-07 14:51:49 +01:00
c-a-m a655a77b3a Wrap logging in if statements. Doc cleanup
This wraps logging statements in if checks.  It also removes from the documentation specific logging examples.

Original commit: elastic/x-pack-elasticsearch@3ca7cdd4f4
2014-11-06 11:24:05 -07:00
c-a-m e526065156 ldap: Adds debugging statements and documentation
This adds debugging statements and debugging documentation to help troubleshoot problems with ldap role establishment.  This also adds ldap profiles for esvm

Original commit: elastic/x-pack-elasticsearch@a1f1cbd830
2014-11-06 11:13:50 -07:00
Alexander Reelsen eaf6636c07 Tests: Use try block to close resources and prevent thread leaks
Original commit: elastic/x-pack-elasticsearch@3c8b4f6ead
2014-11-06 18:31:12 +01:00
Alexander Reelsen 2f4fb2cf48 Dependencies: Upgrade to Elasticsearch 1.4.0
* Configuring the transport pipeline has changed due to adding profiles in 1.4
* Lots of tests needed to be changed in order to not leave thread pools around
* ApacheDs leaves a thread lingering around, thus a ThreadLeakFilter needed to be added

Original commit: elastic/x-pack-elasticsearch@de35362fc4
2014-11-06 12:03:49 +01:00
Alexander Reelsen 4903852f48 Packaging: Include build information
Also added a ShieldBuild class to return

* Shield version
* Shield build hash
* Shield build timestamp

Also added a '/_shield' endpoint which returns those fields.

Original commit: elastic/x-pack-elasticsearch@38928d1ef6
2014-11-05 10:28:02 +01:00
uboness df3956fafe Changed the realm authentication failure logging
Now it logs the failure on debug and on trace it also logs the full stack trace. There's no point in logging it on info as a lot of the failures that will be logged are just fine (e.g. esusers will fail to authenticate and log the failure, but LDAP will succeed). This logging should only be applied for debugging purposes... for normal logging we have the audit logs

While at it, also cleaned up the Ldap realm code... change java.lang.SecurityException to shield's LdapException

Closes elastic/elasticsearch#281

Original commit: elastic/x-pack-elasticsearch@d5f0ad2efb
2014-10-29 01:41:29 +01:00
uboness c5cbd58909 Clearing the realm caches on file updates
- Changed the behaviour of esusers realm so that whenever the `users` or the `users_roles` file are updated, the realm's cache expunges
- Changed LDAP realm such that when the `role_mapping.yml` file is updated, the realm's cache expunges

Also, cleaned up unused code (mainly around esusers and the different stores)

Original commit: elastic/x-pack-elasticsearch@3f093207da
2014-10-28 18:54:40 +01:00
uboness 3ab8f57f34 [Fix] - Return 401 on any authentication error
Fixes a bug where the wrong exception and wrong error status code (500) were returned when the user sent the wrong username/password. This fixes this beahviour to return an `AuhthenticationException` with a 401 status code.

Fixes elastic/elasticsearch#271

Original commit: elastic/x-pack-elasticsearch@0a120caeae
2014-10-28 14:39:49 +01:00
Paul Echeverri 1f540dbc50 Adds intro text to Clients page, general fixes elsewhere
Original commit: elastic/x-pack-elasticsearch@6a8bd1a4a2
2014-10-27 13:30:28 -07:00
uboness 4c2df8ff3e Cleaned up roles.xml
Also updated the default roles test (to include marvel)

Original commit: elastic/x-pack-elasticsearch@5fb320273f
2014-10-27 21:26:49 +01:00
uboness c7e927734c Fixed a bug in Cluster privileges where resolve failed for template APIs
We now moved from the logic of checking `indices:` and `cluster:` prefixes to determine whether an action is an indices or a cluster action... instead we use the index/cluster privielge `all` privilege to determine that (which is more accurate in the context of shield, as it enables us to move actions between the two categories while keeping their logical name intact)

Also updated the docs to reflect that template related actions are infact cluster actions.

Original commit: elastic/x-pack-elasticsearch@8027334105
2014-10-27 19:31:21 +01:00
Paul Echeverri 647e545c79 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Conflicts:
	docs/public/02-architecture.asciidoc
	docs/public/04-authorization.asciidoc
	docs/public/07-securing-nodes.asciidoc
	docs/public/clients/kibana.asciidoc
	docs/public/clients/logstash.asciidoc
	docs/public/clients/marvel.asciidoc

Original commit: elastic/x-pack-elasticsearch@57efef1bf6
2014-10-27 11:16:58 -07:00
uboness 25d21570d6 Better shield user configuration
Added `shield.user` setting so that the clients won't need to go through the unnatural and tedious process of configuring the `Authorization` header directly (that also requires the user to applicat the base64(username:password) logic.

Now, the user can just set the following settings to bind a user to the client:

```yaml
shield.user: 'username:password'
```

Original commit: elastic/x-pack-elasticsearch@94be3abd92
2014-10-27 18:07:36 +01:00
uboness 99ddffe510 esusers tool - added warnings when using unknown roles
When assigning roles to users, we now show a warning if the assigned roles don't exist.

Closes elastic/elasticsearch#209

Original commit: elastic/x-pack-elasticsearch@c2e9bf03eb
2014-10-26 04:11:27 +01:00
uboness 33b89301fb Enforces cluster permission checks for all cluster actions
Enforcing means that cluster actions will not be evaluated (as a fallback) by Index permissions. This enables us to move what typically would be considered indices actions and put them under the cluster privileges (a good example for this are all the template management APIs... we want to enforce cluster admin privileges over them).

Original commit: elastic/x-pack-elasticsearch@ee870954f2
2014-10-25 23:17:18 +02:00
Paul Echeverri 4dc8a524f5 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Conflicts:
	docs/public/clients/java.asciidoc

Original commit: elastic/x-pack-elasticsearch@6478165c72
2014-10-24 15:10:26 -07:00
Alexander Reelsen d608fe2b60 Build: Enable resource filtering to include version
Closes elastic/elasticsearch#200

Original commit: elastic/x-pack-elasticsearch@2cbf0cecf6
2014-10-24 09:37:43 -07:00
Alexander Reelsen 2f3fe95f7e esvm: Fix roles configuration used by esvm
Original commit: elastic/x-pack-elasticsearch@7a25eff61c
2014-10-23 14:36:49 -07:00
Paul Echeverri b3789a74e4 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Conflicts:
	docs/public/04-authorization.asciidoc
	docs/public/clients/logstash.asciidoc

Original commit: elastic/x-pack-elasticsearch@699aa52379
2014-10-23 14:01:41 -07:00
Alexander Reelsen a52993db78 esvm: Added user configurations to make esvm usable again
Also added a logstash configuration for simple performance
testing (useful for comparing different hash functions)

Original commit: elastic/x-pack-elasticsearch@c9f08fbb12
2014-10-23 10:34:04 -07:00
uboness a287863ab0 Added cluster & indices monitoring privileges to System
This is required for marvel agent to collect its data.

Closes elastic/elasticsearch#137

Original commit: elastic/x-pack-elasticsearch@c1ed58aafb
2014-10-23 19:19:50 +02:00
uboness b7dac66c8a Changed the cached hashing algorithm for cached realms
Now the passwords are hashed in-memory using SHA2 by default (instead of original bcrypt). Also, it's now possible to configure the in-memory hashing algorithm.

Original commit: elastic/x-pack-elasticsearch@e2d1b3116b
2014-10-23 19:15:31 +02:00
uboness 521ebe4672 Change the way patterns are resolved in roles.yml
Now, there are two types of supported patters:

- wildcards (default) - simple wildcard match where `*` indicates zero or more characters and `?` indicates a single character (`\` can be used as an escape charachter)
- regular expressions - can be "enabled" by wrapping the pattern in `/` (e.g. `/foo.*/`). The regex syntax is based on lucene's regex syntax (not Java's Pattern).

Closes elastic/elasticsearch#253

Original commit: elastic/x-pack-elasticsearch@edd912122d
2014-10-23 19:04:01 +02:00
Paul Echeverri d46b13e4f5 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Original commit: elastic/x-pack-elasticsearch@9d1e4019e3
2014-10-23 09:21:35 -07:00
uboness 82648c240f Fixed typo in esusers help
Closes elastic/elasticsearch#216

Original commit: elastic/x-pack-elasticsearch@07b4782cdc
2014-10-23 12:42:40 +02:00
uboness 9b6823683c Added some missing logging around realms
Closes elastic/elasticsearch#214

Original commit: elastic/x-pack-elasticsearch@648410ff8f
2014-10-23 11:15:02 +02:00
uboness b2ffc1d7b9 Better error message for parsing error of role.yml
added the role name to the error message where the parsing error was encountered.

Closes elastic/elasticsearch#245

Original commit: elastic/x-pack-elasticsearch@303b932864
2014-10-23 11:02:31 +02:00
Paul Echeverri a6ba0eec2d Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Conflicts:
	docs/public/06-ldap.asciidoc
	docs/public/08-auditing.asciidoc
	docs/structured/01-introduction.asciidoc
	docs/structured/02-architecture.asciidoc

Original commit: elastic/x-pack-elasticsearch@ddf1f0d910
2014-10-22 16:34:16 -07:00
c-a-m b5b6a1093c Fixes filename case typo
This fixes a file-name case typo for LdapSslSocketFactory

Original commit: elastic/x-pack-elasticsearch@fb71a1116e
2014-10-22 17:12:46 -06:00
c-a-m 4b0f7c4379 Fixed the url settings to only call the toArray. Plus I changed one of the tests to use the single value style
Original commit: elastic/x-pack-elasticsearch@16326d2b6c
2014-10-22 17:00:55 -06:00
c-a-m f517a6a8f3 Refactors "urls" -> "url"
This lets the url be configured as a single element (the most likely usage) or as an array.  This also checks that multiple urls are either all "ldaps", or all "ldap", as it is not possible to mix them.

Original commit: elastic/x-pack-elasticsearch@b5a94b1d35
2014-10-22 17:00:55 -06:00
uboness 0777e8d94f Fixed a bug in Permissions with multiple indices permission groups
The evalutation of the indices permission groups was wrong. Now, each index in the request is evaluated against all groups, such that:
  1. for each index, at least one group must grant the request
  2. all indices must be granted

  Along the way, also changed the audit logs structures such that:
  - moved the principal to "sit" next to the host
  - now, if we're logging an indices request, we also log the related indices (this provides more context to the actual request)

  Fixes elastic/elasticsearch#242

Original commit: elastic/x-pack-elasticsearch@95600d3148
2014-10-23 00:46:56 +02:00
Paul Echeverri 1f390cc654 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Original commit: elastic/x-pack-elasticsearch@1dc6bee15d
2014-10-22 15:46:54 -07:00
Paul Echeverri df7eba437e Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Original commit: elastic/x-pack-elasticsearch@4f890b59f6
2014-10-22 13:49:15 -07:00
Paul Echeverri d34c7cddf3 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Conflicts:
	docs/structured/03-getting-started.asciidoc
	docs/structured/06-ldap.asciidoc
	docs/structured/authentication/message-authentication.asciidoc

Original commit: elastic/x-pack-elasticsearch@642beb53ca
2014-10-22 12:02:29 -07:00
uboness fa48c46813 Skip authentication for rest OPTIONS call
this is required by CORS for unauthenticated pre-flight OPTIONS requests

Closes elastic/elasticsearch#234

Original commit: elastic/x-pack-elasticsearch@c368b2cf27
2014-10-22 19:29:20 +02:00
uboness 3d71356596 Fixes Transport Client that start up with shield in the classpath
Now a NOOP transport filter is bound by to the secured transport service in a transport client

Fixes elastic/elasticsearch#165

Original commit: elastic/x-pack-elasticsearch@7268bd445c
2014-10-22 06:18:59 +02:00
Paul Echeverri afbb81fe53 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Original commit: elastic/x-pack-elasticsearch@83e163e463
2014-10-21 12:47:00 -07:00
Paul Echeverri 45858f33c5 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Original commit: elastic/x-pack-elasticsearch@31b0cf72db
2014-10-21 12:27:50 -07:00
Paul Echeverri 59e66bd373 Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Original commit: elastic/x-pack-elasticsearch@453d353111
2014-10-21 12:26:55 -07:00
Suyog Rao ce6646df2b Fix typo in esusers help description
Closes elastic/elasticsearch#222

Original commit: elastic/x-pack-elasticsearch@6c513be2aa
2014-10-20 22:44:06 -07:00
Paul Echeverri 21dfc7bfed Merge branch 'master' of https://github.com/elasticsearch/elasticsearch-shield into doc-feedback
Original commit: elastic/x-pack-elasticsearch@f7a6f816b8
2014-10-20 13:47:26 -07:00
c-a-m 229c9c6c7d Truststore not needed when client auth is off
With this change the truststore is loaded only if client-auth is turned on.  This is causing problems
because we never expect the http endpoint to have client auth, but it still requires us to have a truststore

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/221

Original commit: elastic/x-pack-elasticsearch@40e2dc4de6
2014-10-17 18:24:16 -07:00
c-a-m 91bbc5b2ea Fixes default ldap group to role mapping file
Description: This fixes the name of the default file for group to role mapping.  It was missing the extension

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/223

Original commit: elastic/x-pack-elasticsearch@9ffcafd41e
2014-10-17 18:11:51 -07:00