The view index metadata privilege did not grant access to the shard level field mapping
action or the shard level validate query action. This caused the apis to restrict access to
the data when it should have been allowed.
Closeselastic/elasticsearch#1827
Original commit: elastic/x-pack-elasticsearch@7832699cb6
This commit synchronizes the start of the threads that are executing monitoring bulk requests concurrently
to ensure all threads are ready before starting. Without this some threads will execute requests while
other threads are still being constructed.
Original commit: elastic/x-pack-elasticsearch@e777fb5c28
This commit changes the handling in the merge method of the IndexAccessControl class to
properly handle merging IndexAccessControl objects with differing values for the granted
flag. Prior to this commit, in a scenario where the flag differed, one IndexAccessControl granted
no access to an index, and the other granted access with DLS/FLS resulted in full access
being granted to the index.
Closeselastic/elasticsearch#1821
Original commit: elastic/x-pack-elasticsearch@e403e43689
This commit removes the parsing of the username in the request body of a put user
request. Additionally, we use the name passed into the put role request builder rather
than the name from the parsed role descriptor.
Original commit: elastic/x-pack-elasticsearch@0a085d5844
This commit is the forward port of renaming the type for esusers to file. There is no
backwards compatibility maintained here. Additionally, a few other renames and
cleanups have been made:
* `esusers` commands is now `users`
* org.elasticsearch.shield.authc.esusers -> org.elasticsearch.shield.authc.file
* Validation.ESUsers -> Validation.Users
* ESUsersTool -> UsersTool
* ESUsersToolTests -> UsersToolTests
* ESNativeUsersStore -> NativeUsersStore
* ESNativeRolesStore -> NativeRolesStore.
* org.elasticsearch.shield.authz.esnative collapsed to org.elasticsearch.shield.authz.store
* ESNativeTests -> NativeRealmIntegTests
Closeselastic/elasticsearch#1793
Original commit: elastic/x-pack-elasticsearch@d2a0c136f3
Some tests [reasonably] fail due to unexpected indices appearing in the cluster due to Watcher.
- Also had to reset shieldEnabled as a static field, which makes no sense, but tests were failing unpredictably without it
- Now they're passing unpredictably with it... will investigate
Original commit: elastic/x-pack-elasticsearch@9b6ce681d8
This is required to make sure that the integration for monitoring the Watcher Threadpool is actually working.
- Also added the full property name when the assertContains check fails
- Made shieldEnabled an instance level field rather than a static one
- Added watcherEnabled field in the same fashion (including enableWatcher method that by default randomly enables it)
- Added method to locally filter the expected field names based on watcher being enabled for the failing test
Original commit: elastic/x-pack-elasticsearch@2c56e2f26f
This is needed in order to make `bin/elasticsearch-plugin install xpack`
work, as it expects the plugin in a certain path.
Original commit: elastic/x-pack-elasticsearch@252c55e5a8
This commit is the forward port of fixes made in 2.3 for the roles and users
pollers. The pollers now refresh since not all operations are guaranteed to
refresh.
The clear roles tests are also made more evil since the poller runs at different
intervals on each node and can sometimes run almost continuously. The
modification requests now randomize if they refresh or not as well.
Original commit: elastic/x-pack-elasticsearch@f61159c40a
Users running the `CleanerService` should not be able to disable it (via a `-1` as the time setting) because they'll just shoot themselves in the foot. This PR changes the behavior to allow extensive amounts via the setting (e.g., they could set it to 2 years). By doing this via the `Setting`, we can avoid a lot of boilerplate code for verification as well. If we decide to allow it to be disabled, then the setting should be explicit. I've found that users tend to not understand setting times to `-1`.
With the internal `IndicesCleaner` runnable, I have also moved the rescheduling code to `onAfter` so that it always happens, even if the license makes it temporarily invalid.
I also think that we should allow the user to dynamically set the setting regardless of it being allowed -- and warn on it. This way they can set it when it's expired or during the trial, but it will take effect when they apply the paid license. I think that this will provide a better user experience so that they do not have to remember to re-set it later.
This also removes the `LocalExporter`-specific setting that allowed it to override the global retention. If we ever add another listener, then we should add exporter-specific settings to support this kind of functionality.
Adds some tests for the settings as well as for the service, while also removing now unneeded ones.
Original commit: elastic/x-pack-elasticsearch@3abd41807e
Currently it first creates a scorer, then checks if the role bits are sparse,
and falls back to the bulk scorer if they are dense. The issue is that creating
scorers and bulk scorers is very expensive on some queries such as ranges,
prefix and terms queries. So it should rather check whether bits are sparse
first in order to decide whether to use the scorer or bulk scorer.
Original commit: elastic/x-pack-elasticsearch@067d630099
Similar to WatcherClientProxy, the elasticsearch client used in exporters must be proxied to avoid circular dependencies at Guice's injection time. This commit add a MonitoringClientProxy as well as a MonitoringClient to be used later in monitoring's transport actions.
(cherry picked from commit b70c095)
Original commit: elastic/x-pack-elasticsearch@17327cffe5
* Add XPackExtension: an api class (like Plugin in core) for what a x-pack extension can do.
* Add XPackExtensionCli: a cli tool for adding, removing and listing extensions for x-pack.
* Add XPackExtensionService: loading of jars from pluginsdir/x-pack/extensions, into child classloader.
* Add bin/x-pack/extension script, similar to plugin cli, which installs an extension into pluginsdir/x-pack/extensions.
* Add XPack extension integration test.
Fixedelastic/elasticsearch#1515
Original commit: elastic/x-pack-elasticsearch@130ba03270
This change always serializes the version with the user so that we have this information
for times when we need to make changes and deal with serialization changes. We do this
in the authentication service because the user object is also serialized as part of the get
users response and the StreamInput there will have the appropriate version set on it already
and we do not need to add it in that case.
Closeselastic/elasticsearch#1747
Original commit: elastic/x-pack-elasticsearch@a7ceece09c
Adds debug logging to try to get more information about random failures in these
tests. Also cleans up some potential issues with the code that handled the stopping
of random ldap servers to test failure cases.
See elastic/elasticsearch#1542
Original commit: elastic/x-pack-elasticsearch@573b4161dd
These privileges no longer need to be defined as a custom privilege since the
code is now consolidated into a single plugin. This also changes the manage
cluster privilege to be an alias to the all privilege.
Original commit: elastic/x-pack-elasticsearch@a7f444c898
This commit renames the security actions to not use shield in their action names. This
also includes updating the privileges as well.
Original commit: elastic/x-pack-elasticsearch@10460dffdb
This commit adds support for the privilege naming defined in elastic/elasticsearch#1342 and removes the
support for the privileges that were deprecated in 2.3. This change also includes
updates to the documentation to account for the new roles format.
Original commit: elastic/x-pack-elasticsearch@98e9afd409