mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-09 14:34:43 +00:00
6087480368
Now, on first successful authentication, we put the user in the message header so it'll be send with any subsequent cluster internal requests (e.g. shard level search) to avoid re-authentication on every node in the cluster. We can do that now, as with multi-binding transport we can guarantee isolation of the internal cluster from client communication. While it's generally safe for transmission, the user header that is sent between the nodes is still signed using the `system_key` as yet another security layer. As part of this change, also added/changed: - A new audit log entry - anonymous access for Rest request. - Changed how system user is assumed. Previously, system user was assumed on the receiving node when no user was associated with the request. Now the system user is assumed on the sending node, meaning, when a node sends a system originated request, initially this request won't be associated with a user. Shield now picks those requests up and attaches the system user to the role and then sends it together with the request. This has two advantages: 1) it's safer to assume system locally where the requests originate from. 2) this will prevent nodes without shield from connecting to nodes with shield. (currently, the attached users are signed using the system key for safety, though this behaviour may be disabled in the settings). - System realm is now removed (no need for that as the system user itself is serialized/attached to the requests) - Fixed some bugs in the tests Closes elastic/elasticsearch#215 Original commit: elastic/x-pack-elasticsearch@3172f5d126
= Elasticsearch Security Plugin This plugins adds security features to elasticsearch You can build the plugin with `mvn package`. The documentation is put in the `docs/` directory.