X-Pack security supports a built-in authentication service, `token-service`, that allows access tokens to be used to access Elasticsearch without using Basic authentication. The tokens are generated by `token-service` based on the OAuth2 spec. The access token is short-lived (defaults to 20m) and the refresh token has a lifetime of 24 hours, making them unsuitable for long-lived or recurring tasks where the system might go offline and thereby fail to refresh the tokens. This commit introduces a built-in authentication service, `api-key-service`, that adds support for long-lived tokens, also known as API keys, to access Elasticsearch. The `api-key-service` is consulted after `token-service` in the authentication chain. By default, if TLS is enabled then `api-key-service` is also enabled. The service can be disabled using the configuration setting. The API keys: - by default do not have an expiration, but an expiration can be configured where the API keys need to expire after a certain amount of time. - when generated, keep the authentication information of the user that generated them. - can be defined with a role describing the privileges for accessing Elasticsearch, and will be limited by the role of the user that generated them. - can be invalidated via the invalidation API. - can have their information retrieved via a get API. - that have expired or been invalidated will be retained for 1 week before being deleted. The expired API keys remover task handles this. The API key management APIs are: 1. Create API Key - `PUT/POST /_security/api_key` 2. Get API key(s) - `GET /_security/api_key` 3. Invalidate API Key(s) - `DELETE /_security/api_key` The API keys can be used to access Elasticsearch using the `Authorization` header, where the auth scheme is `ApiKey` and the credentials are the base64 encoding of the API key Id and the API key separated by a colon. Example: ``` curl -H "Authorization: ApiKey YXBpLWtleS1pZDphcGkta2V5" http://localhost:9200/_cluster/health ``` Closes #34383
/*
 * Licensed to Elasticsearch under one or more contributor
 * license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright
 * ownership. Elasticsearch licenses this file to you under
 * the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

// Gradle build script for the elasticsearch-rest-high-level-client artifact (see archivesBaseName
// below). Besides build/publish wiring it configures a security-enabled integration-test cluster
// with token and API key authentication switched on.
apply plugin: 'elasticsearch.build'
apply plugin: 'elasticsearch.rest-test'
apply plugin: 'nebula.maven-base-publish'
apply plugin: 'nebula.maven-scm'
apply plugin: 'com.github.johnrengelman.shadow'

group = 'org.elasticsearch.client'
archivesBaseName = 'elasticsearch-rest-high-level-client'

publishing {
    publications {
        nebula {
            // The Maven artifactId follows the archive base name rather than the project name.
            artifactId = archivesBaseName
        }
    }
}

// Holds the rest-api-spec artifact that processTestResources unpacks (see below).
configurations {
    restSpec
}

idea {
    module {
        // Expose the restSpec configuration to the IDE's test scope so the naming-convention test
        // can find the spec files when run from the IDE.
        if (scopes.TEST != null) {
            scopes.TEST.plus.add(project.configurations.restSpec)
        }
    }
}

dependencies {
    /*
     * Everything in the "shadow" configuration is *not* copied into the
     * shadowJar.
     */
    // All compile-scope dependencies come from the elasticsearch project itself; the
    // dependencyLicenses block below exempts exactly that group from license checks.
    compile "org.elasticsearch:elasticsearch:${version}"
    compile "org.elasticsearch.client:elasticsearch-rest-client:${version}"
    compile "org.elasticsearch.plugin:parent-join-client:${version}"
    compile "org.elasticsearch.plugin:aggs-matrix-stats-client:${version}"
    compile "org.elasticsearch.plugin:rank-eval-client:${version}"
    compile "org.elasticsearch.plugin:lang-mustache-client:${version}"

    testCompile "org.elasticsearch.client:test:${version}"
    testCompile "org.elasticsearch.test:framework:${version}"
    testCompile "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
    testCompile "junit:junit:${versions.junit}"
    testCompile "org.hamcrest:hamcrest-all:${versions.hamcrest}"
    //this is needed to make RestHighLevelClientTests#testApiNamingConventions work from IDEs
    testCompile "org.elasticsearch:rest-api-spec:${version}"

    // Same artifact again, on its own configuration, so it can be unpacked as a single file below.
    restSpec "org.elasticsearch:rest-api-spec:${version}"
}

//we need to copy the yaml spec so we can check naming (see RestHighlevelClientTests#testApiNamingConventions)
processTestResources {
    dependsOn jar // so that configurations resolve
    // Only the API definitions are copied out of the spec jar, not the rest of its contents.
    from({ zipTree(configurations.restSpec.singleFile) }) {
        include 'rest-api-spec/api/**'
    }
}

dependencyLicenses {
    // Don't check licenses for dependency that are part of the elasticsearch project
    // But any other dependency should have its license/notice/sha1
    dependencies = project.configurations.runtime.fileCollection {
        it.group.startsWith('org.elasticsearch') == false
    }
}

forbiddenApisMain {
    // core does not depend on the httpclient for compile so we add the signatures here. We don't add them for test as they are already
    // specified
    addSignatureFiles 'http-signatures'
    signaturesFiles += files('src/main/resources/forbidden/rest-high-level-signatures.txt')
}

// Test-only certificate and truststore checked in next to this script; both are copied into the
// test cluster's config directory via extraConfigFile below.
File nodeCert = file("./testnode.crt")
File nodeTrustStore = file("./testnode.jks")

integTestRunner {
    // Credentials the integration-test REST client authenticates with. The defaults are test
    // fixtures; both can be overridden with -Dtests.rest.cluster.username / -Dtests.rest.cluster.password,
    // and the same properties (and defaults) are used to create the user in integTestCluster below,
    // so the two stay in sync.
    systemProperty 'tests.rest.cluster.username', System.getProperty('tests.rest.cluster.username', 'test_user')
    systemProperty 'tests.rest.cluster.password', System.getProperty('tests.rest.cluster.password', 'test-password')
}

integTestCluster {
    systemProperty 'es.scripting.update.ctx_in_params', 'false'
    // Remote reindex is allowed only from loopback addresses (IPv6 and IPv4), any port.
    setting 'reindex.remote.whitelist', ['"[::1]:*"', '"127.0.0.1:*"']
    setting 'xpack.license.self_generated.type', 'trial'
    // Security is switched on for the test cluster so the authentication-related client tests can
    // run. Both the token service and the API key service are enabled explicitly: per the commit
    // description the API key service is only enabled by default when TLS is on, and TLS is not
    // enabled on this cluster (see the truststore note below), so the explicit setting is required.
    setting 'xpack.security.enabled', 'true'
    setting 'xpack.security.authc.token.enabled', 'true'
    setting 'xpack.security.authc.api_key.enabled', 'true'
    // Truststore settings are not used since TLS is not enabled. Included for testing the get certificates API
    setting 'xpack.security.http.ssl.certificate_authorities', 'testnode.crt'
    setting 'xpack.security.transport.ssl.truststore.path', 'testnode.jks'
    setting 'indices.lifecycle.poll_interval', '1000ms'
    // Stored in the node keystore (keystoreSetting) rather than as a plain setting like those above.
    keystoreSetting 'xpack.security.transport.ssl.truststore.secure_password', 'testnode'
    // Create the test user with the superuser role via bin/elasticsearch-users before the node
    // starts; username and password default to the same fixture values as integTestRunner.
    setupCommand 'setupDummyUser',
        'bin/elasticsearch-users',
        'useradd', System.getProperty('tests.rest.cluster.username', 'test_user'),
        '-p', System.getProperty('tests.rest.cluster.password', 'test-password'),
        '-r', 'superuser'
    extraConfigFile nodeCert.name, nodeCert
    extraConfigFile nodeTrustStore.name, nodeTrustStore
    // Readiness probe: fetch cluster health with the test credentials over plain HTTP (TLS is not
    // enabled here), ignoring errors and retrying up to 10 times. The cluster counts as up once the
    // response has been written to wait.success in the node's working directory.
    // NOTE(review): numNodes is not defined in this file; presumably supplied by the rest-test
    // plugin's cluster configuration — confirm.
    waitCondition = { node, ant ->
        File tmpFile = new File(node.cwd, 'wait.success')
        ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
            dest: tmpFile.toString(),
            username: System.getProperty('tests.rest.cluster.username', 'test_user'),
            password: System.getProperty('tests.rest.cluster.password', 'test-password'),
            ignoreerrors: true,
            retries: 10)
        return tmpFile.exists()
    }
}