From 4df66774041657f8d639d3929f60e638a2b3df8e Mon Sep 17 00:00:00 2001 From: Sujith Vadakkepat Date: Wed, 3 Feb 2021 18:36:00 -0800 Subject: [PATCH] =?UTF-8?q?Cleanup=20reflection=20helper=20and=20advanced?= =?UTF-8?q?=20modules=20enabled=20/=20dls=20fls=20enab=E2=80=A6=20(#1001)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Cleanup reflection helper and advanced modules enabled / dls fls enabled properties --- .../security/OpenDistroSecurityPlugin.java | 150 ++++++------- .../security/auditlog/impl/AuditLogImpl.java | 14 +- .../privileges/PrivilegesEvaluator.java | 8 +- .../securityconf/DynamicConfigModelV6.java | 9 +- .../securityconf/DynamicConfigModelV7.java | 9 +- .../security/support/ReflectionHelper.java | 208 +----------------- .../security/IndexIntegrationTests.java | 24 -- 7 files changed, 85 insertions(+), 337 deletions(-) diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/OpenDistroSecurityPlugin.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/OpenDistroSecurityPlugin.java index 0fdc9eec3f..42adff1243 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/OpenDistroSecurityPlugin.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/OpenDistroSecurityPlugin.java 
@@ -48,11 +48,17 @@ import java.util.stream.Stream; import com.amazon.opendistroforelasticsearch.security.auditlog.NullAuditLog; +import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditLogImpl; +import com.amazon.opendistroforelasticsearch.security.compliance.ComplianceIndexingOperationListenerImpl; +import com.amazon.opendistroforelasticsearch.security.configuration.DlsFlsValveImpl; import com.amazon.opendistroforelasticsearch.security.configuration.OpenDistroSecurityFlsDlsIndexSearcherWrapper; +import com.amazon.opendistroforelasticsearch.security.configuration.PrivilegesInterceptorImpl; import com.amazon.opendistroforelasticsearch.security.configuration.Salt; +import com.amazon.opendistroforelasticsearch.security.dlic.rest.api.OpenDistroSecurityRestApiActions; import com.amazon.opendistroforelasticsearch.security.ssl.rest.OpenDistroSecuritySSLReloadCertsAction; import com.amazon.opendistroforelasticsearch.security.ssl.rest.OpenDistroSecuritySSLCertsInfoAction; +import com.amazon.opendistroforelasticsearch.security.ssl.transport.DefaultPrincipalExtractor; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSSLConfig; @@ -76,6 +82,7 @@ import org.elasticsearch.common.component.LifecycleListener; import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.io.stream.NamedWriteableRegistry; +import org.elasticsearch.common.logging.DeprecationLogger; import org.elasticsearch.common.network.NetworkModule; import org.elasticsearch.common.network.NetworkService; import org.elasticsearch.common.settings.ClusterSettings; 
@@ -138,7 +145,6 @@ import com.amazon.opendistroforelasticsearch.security.configuration.CompatConfig; import com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository; import com.amazon.opendistroforelasticsearch.security.configuration.DlsFlsRequestValve; -import com.amazon.opendistroforelasticsearch.security.configuration.OpenDistroSecurityIndexSearcherWrapper; import com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityFilter; import com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter; import com.amazon.opendistroforelasticsearch.security.http.OpenDistroSecurityHttpServerTransport; @@ -173,8 +179,8 @@ public final class OpenDistroSecurityPlugin extends OpenDistroSecuritySSLPlugin private static final String KEYWORD = ".keyword"; private static final Logger actionTrace = LogManager.getLogger("opendistro_security_action_trace"); + private static final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(OpenDistroSecurityPlugin.class); - private final boolean dlsFlsAvailable; private boolean sslCertReloadEnabled; private volatile OpenDistroSecurityRestFilter securityRestHandler; private volatile OpenDistroSecurityInterceptor odsi; @@ -188,7 +194,6 @@ public final class OpenDistroSecurityPlugin extends OpenDistroSecuritySSLPlugin private volatile SslExceptionHandler sslExceptionHandler; private volatile Client localClient; private final boolean disabled; - private final boolean advancedModulesEnabled; private final List demoCertHashes = new ArrayList(3); private volatile OpenDistroSecurityFilter odsf; private volatile IndexResolverReplacer irr; 
@@ -227,7 +232,7 @@ private final SslExceptionHandler evaluateSslExceptionHandler() { private static boolean isDisabled(final Settings settings) { return settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_DISABLED, false); } - + /** * SSL Cert Reload will be enabled only if security is not disabled and not in we are not using sslOnly mode. * @param settings Elastic configuration settings @@ -244,21 +249,17 @@ public OpenDistroSecurityPlugin(final Settings settings, final Path configPath) sslCertReloadEnabled = isSslCertReloadEnabled(settings); if (disabled) { - this.dlsFlsAvailable = false; - this.advancedModulesEnabled = false; this.sslCertReloadEnabled = false; log.warn("Open Distro Security plugin installed but disabled. This can expose your configuration (including passwords) to the public."); return; } - + if (openDistroSSLConfig.isSslOnlyMode()) { - this.dlsFlsAvailable = false; - this.advancedModulesEnabled = false; this.sslCertReloadEnabled = false; log.warn("Open Distro Security plugin run in ssl only mode. No authentication or authorization is performed"); return; } - + demoCertHashes.add("54a92508de7a39d06242a0ffbf59414d7eb478633c719e6af03938daf6de8a1a"); demoCertHashes.add("742e4659c79d7cad89ea86aab70aea490f23bbfc7e72abd5f0a5d3fb4c84d212"); @@ -292,10 +293,10 @@ public Object run() { } }); - advancedModulesEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED, true); - ReflectionHelper.init(advancedModulesEnabled); - - ReflectionHelper.registerMngtRestApiHandler(settings); + final String advancedModulesEnabledKey = ConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED; + if (settings.hasValue(advancedModulesEnabledKey)) { + deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey); + } log.info("Clustername: {}", settings.get("cluster.name","elasticsearch")); 
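Review bot: The argument order of `deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);` in the constructor hunk (@@ -292) should be checked against the DeprecationLogger of the Elasticsearch version this build targets: where `deprecate` takes a deduplication key as its first parameter, this call turns the message text into the key and the setting name into the message, leaving the `{}` unfilled. If that is the case, pass a fixed key first, e.g. `deprecationLogger.deprecate("advanced_modules_enabled_ignored", "Setting {} is ignored.", advancedModulesEnabledKey);` (key name constructed here). The message would also be more useful to an operator if it said what now happens instead, namely that the modules this flag used to gate are always enabled, since that is the security-relevant consequence of the ignored value. The constructor continues outside the hunk.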
@@ -303,8 +304,6 @@ public Object run() { throw new IllegalStateException(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED+" must be set to 'true'"); } - dlsFlsAvailable = !client && advancedModulesEnabled; - if(!client) { final List filesWithWrongPermissions = AccessController.doPrivileged(new PrivilegedAction>() { @Override @@ -371,7 +370,7 @@ private String sha256(Path p) { if(!Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS)) { return ""; } - + if(!Files.isReadable(p)) { log.debug("Unreadable file "+p+" found"); return ""; @@ -456,10 +455,9 @@ public List getRestHandlers(Settings settings, RestController restC if (sslCertReloadEnabled) { handlers.add(new OpenDistroSecuritySSLReloadCertsAction(settings, restController, odsks, Objects.requireNonNull(threadPool), Objects.requireNonNull(adminDns))); } - Collection apiHandler = ReflectionHelper - .instantiateMngtRestApiHandler(settings, configPath, restController, localClient, adminDns, cr, cs, Objects.requireNonNull(principalExtractor), evaluator, threadPool, Objects.requireNonNull(auditLog)); - handlers.addAll(apiHandler); - log.debug("Added {} management rest handler(s)", apiHandler.size()); + final Collection apiHandlers = OpenDistroSecurityRestApiActions.getHandler(settings, configPath, restController, localClient, adminDns, cr, cs, principalExtractor, evaluator, threadPool, Objects.requireNonNull(auditLog)); + handlers.addAll(apiHandlers); + log.debug("Added {} management rest handler(s)", apiHandlers.size()); } } 
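Review bot: The direct `OpenDistroSecurityRestApiActions.getHandler(...)` call in the getRestHandlers hunk (@@ -456) no longer registers the module via `ReflectionHelper.addLoadedModule`, which the removed `instantiateMngtRestApiHandler` did after a successful load; the same applies to `new ComplianceIndexingOperationListenerImpl(auditLog)` in the onIndexModule hunk and to `new AuditLogImpl(...)` / `new PrivilegesInterceptorImpl(...)` in the createComponents hunk. `getModulesLoaded()` survives in ReflectionHelper, so whatever consumes that set (presumably the loaded-module reporting) will now omit these modules. Either add `ReflectionHelper.addLoadedModule(OpenDistroSecurityRestApiActions.class);` after the handler collection is built, with the equivalent call at the other three sites, or document on `getModulesLoaded()` that it no longer covers these built-in modules. The old path also applied `Objects.requireNonNull(principalExtractor)` before the call; if a null extractor is a programming error it is better surfaced here than inside the REST handlers.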
@@ -491,63 +489,56 @@ public void onIndexModule(IndexModule indexModule) { //called for every index! if (!disabled && !client && !openDistroSSLConfig.isSslOnlyMode()) { - log.debug("Handle dlsFlsAvailable: "+dlsFlsAvailable+"/auditLog="+auditLog.getClass()+" for onIndexModule() of index "+indexModule.getIndex().getName()); - if (dlsFlsAvailable) { + log.debug("Handle auditLog {} for onIndexModule() of index {}", auditLog.getClass(), indexModule.getIndex().getName()); - final ComplianceIndexingOperationListener ciol = ReflectionHelper.instantiateComplianceListener(Objects.requireNonNull(auditLog)); - indexModule.addIndexOperationListener(ciol); + final ComplianceIndexingOperationListener ciol = new ComplianceIndexingOperationListenerImpl(auditLog); + indexModule.addIndexOperationListener(ciol); - indexModule.setReaderWrapper(indexService -> new OpenDistroSecurityFlsDlsIndexSearcherWrapper(indexService, settings, adminDns, cs, auditLog, ciol, evaluator, salt)); - indexModule.forceQueryCacheProvider((indexSettings,nodeCache)->new QueryCache() { + indexModule.setReaderWrapper(indexService -> new OpenDistroSecurityFlsDlsIndexSearcherWrapper(indexService, settings, adminDns, cs, auditLog, ciol, evaluator, salt)); + indexModule.forceQueryCacheProvider((indexSettings,nodeCache)->new QueryCache() { - @Override - public Index index() { - return indexSettings.getIndex(); - } + @Override + public Index index() { + return indexSettings.getIndex(); + } - @Override - public void close() throws ElasticsearchException { - clear("close"); - } + @Override + public void close() throws ElasticsearchException { + clear("close"); + } - @Override - public void clear(String reason) { - nodeCache.clearIndex(index().getName()); - } + @Override + public void clear(String reason) { + nodeCache.clearIndex(index().getName()); + } + + @Override + public Weight doCache(Weight weight, QueryCachingPolicy policy) { + final Map> allowedFlsFields = (Map>) 
HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), + ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER); + + if(OpenDistroSecurityUtils.evalMap(allowedFlsFields, index().getName()) != null) { + return weight; + } else { + + final Map> maskedFieldsMap = (Map>) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), + ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER); - @Override - public Weight doCache(Weight weight, QueryCachingPolicy policy) { - final Map> allowedFlsFields = (Map>) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), - ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER); - - if(OpenDistroSecurityUtils.evalMap(allowedFlsFields, index().getName()) != null) { + if(OpenDistroSecurityUtils.evalMap(maskedFieldsMap, index().getName()) != null) { return weight; } else { - - final Map> maskedFieldsMap = (Map>) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), - ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER); - - if(OpenDistroSecurityUtils.evalMap(maskedFieldsMap, index().getName()) != null) { - return weight; - } else { - return nodeCache.doCache(weight, policy); - } + return nodeCache.doCache(weight, policy); } - } - }); - } else { - indexModule.setReaderWrapper( - indexService -> new OpenDistroSecurityIndexSearcherWrapper(indexService, settings, Objects.requireNonNull(adminDns), Objects.requireNonNull(evaluator))); - } + + } + }); indexModule.addSearchOperationListener(new SearchOperationListener() { @Override public void onPreQueryPhase(SearchContext context) { - if(advancedModulesEnabled) { - dlsFlsValve.handleSearchContext(context, threadPool, namedXContentRegistry); - } + dlsFlsValve.handleSearchContext(context, threadPool, namedXContentRegistry); } @Override 
@@ -673,11 +664,11 @@ public void sendRequest(Connection connection, Str public Map> getTransports(Settings settings, ThreadPool threadPool, PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) { Map> transports = new HashMap>(); - + if(openDistroSSLConfig.isSslOnlyMode()) { return super.getTransports(settings, threadPool, pageCacheRecycler, circuitBreakerService, namedWriteableRegistry, networkService); } - + if (transportSSLEnabled) { transports.put("com.amazon.opendistroforelasticsearch.security.ssl.http.netty.OpenDistroSecuritySSLNettyTransport", () -> new OpenDistroSecuritySSLNettyTransport(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, @@ -695,7 +686,7 @@ public Map> getHttpTransports(Settings set return super.getHttpTransports(settings, threadPool, bigArrays, pageCacheRecycler, circuitBreakerService, xContentRegistry, networkService, dispatcher, clusterSettings); } - + if(!disabled) { if (!client && httpSSLEnabled) { @@ -739,7 +730,7 @@ public Collection createComponents(Client localClient, ClusterService cl repositoriesServiceSupplier ); } - + this.threadPool = threadPool; this.cs = clusterService; this.localClient = localClient; 
@@ -752,18 +743,13 @@ public Collection createComponents(Client localClient, ClusterService cl final ClusterInfoHolder cih = new ClusterInfoHolder(); this.cs.addListener(cih); this.salt = Salt.from(settings); - dlsFlsValve = ReflectionHelper.instantiateDlsFlsValve(); final IndexNameExpressionResolver resolver = new IndexNameExpressionResolver(threadPool.getThreadContext()); irr = new IndexResolverReplacer(resolver, clusterService, cih); - auditLog = ReflectionHelper.instantiateAuditLog(settings, configPath, localClient, threadPool, resolver, clusterService, dlsFlsAvailable, environment); - - sslExceptionHandler = new AuditLogSslExceptionHandler(auditLog); final String DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = DefaultInterClusterRequestEvaluator.class.getName(); InterClusterRequestEvaluator interClusterRequestEvaluator = new DefaultInterClusterRequestEvaluator(settings); - final String className = settings.get(ConfigConstants.OPENDISTRO_SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS); log.debug("Using {} as intercluster request evaluator class", className); 
@@ -771,7 +757,19 @@ public Collection createComponents(Client localClient, ClusterService cl interClusterRequestEvaluator = ReflectionHelper.instantiateInterClusterRequestEvaluator(className, settings); } - final PrivilegesInterceptor privilegesInterceptor = ReflectionHelper.instantiatePrivilegesInterceptorImpl(resolver, clusterService, localClient, threadPool); + final PrivilegesInterceptor privilegesInterceptor; + + if (openDistroSSLConfig.isSslOnlyMode()) { + dlsFlsValve = new DlsFlsRequestValve.NoopDlsFlsRequestValve(); + auditLog = new NullAuditLog(); + privilegesInterceptor = new PrivilegesInterceptor(resolver, clusterService, localClient, threadPool); + } else { + dlsFlsValve = new DlsFlsValveImpl(); + auditLog = new AuditLogImpl(settings, configPath, localClient, threadPool, resolver, clusterService, environment); + privilegesInterceptor = new PrivilegesInterceptorImpl(resolver, clusterService, localClient, threadPool); + } + + sslExceptionHandler = new AuditLogSslExceptionHandler(auditLog); adminDns = new AdminDNs(settings); 
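Review bot: The `openDistroSSLConfig.isSslOnlyMode()` branch that builds `NoopDlsFlsRequestValve`, `NullAuditLog` and the plain `PrivilegesInterceptor` looks unreachable: earlier in `createComponents` (outside this hunk, just above the `this.threadPool = threadPool;` context of the -739 hunk) the method appears to return `super.createComponents(...)` for SSL-only mode, so only the `else` branch can execute here. If that early return does cover SSL-only mode, collapse this to the three direct constructions and drop the branch; otherwise add a comment explaining which SSL-only path reaches this point. A one-line comment is also warranted on `auditLog = new AuditLogImpl(...)`: unlike the removed ReflectionHelper factory it is no longer wrapped in a catch-all that fell back to `NullAuditLog`, so an audit-log initialisation failure now fails node startup instead of silently running without auditing, which is the safer fail-closed choice and should be stated as deliberate. The enclosing createComponents method starts and ends outside the hunk.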
@@ -782,15 +780,17 @@ public Collection createComponents(Client localClient, ClusterService cl final CompatConfig compatConfig = new CompatConfig(environment); + // DLS-FLS is enabled if not client and not disabled and not SSL only. + final boolean dlsFlsEnabled = !openDistroSSLConfig.isSslOnlyMode(); evaluator = new PrivilegesEvaluator(clusterService, threadPool, cr, resolver, auditLog, - settings, privilegesInterceptor, cih, irr, advancedModulesEnabled); + settings, privilegesInterceptor, cih, irr, dlsFlsEnabled); odsf = new OpenDistroSecurityFilter(localClient, settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr, backendRegistry); final String principalExtractorClass = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null); if(principalExtractorClass == null) { - principalExtractor = new com.amazon.opendistroforelasticsearch.security.ssl.transport.DefaultPrincipalExtractor(); + principalExtractor = new DefaultPrincipalExtractor(); } else { principalExtractor = ReflectionHelper.instantiatePrincipalExtractor(principalExtractorClass); } diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/AuditLogImpl.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/AuditLogImpl.java index dfa6433714..69e966b682 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/AuditLogImpl.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/AuditLogImpl.java @@ -46,7 +46,6 @@ public final class AuditLogImpl extends AbstractAuditLog { private final AuditMessageRouter messageRouter; private final Settings settings; - private final boolean dlsFlsAvailable; private final boolean messageRouterEnabled; private volatile boolean enabled; private final Thread shutdownHook; 
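Review bot: The comment `// DLS-FLS is enabled if not client and not disabled and not SSL only.` disagrees with the expression beneath it, `final boolean dlsFlsEnabled = !openDistroSSLConfig.isSslOnlyMode();`, which checks only the SSL-only flag; the value it replaces was previously combined with `!client` when `dlsFlsAvailable` was computed. Either make the code match the comment, `final boolean dlsFlsEnabled = !client && !disabled && !openDistroSSLConfig.isSslOnlyMode();`, or reduce the comment to what is actually checked and say where the client and disabled cases are handled, if they are handled before this point. As written, anyone reading PrivilegesEvaluator's `dlsFlsEnabled` gate gets a misleading description of when DLS/FLS evaluation is skipped. The enclosing createComponents method continues outside the hunk.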
@@ -57,7 +56,7 @@ public AuditLogImpl(final Settings settings, final ThreadPool threadPool, final IndexNameExpressionResolver resolver, final ClusterService clusterService) { - this(settings, configPath, clientProvider, threadPool, resolver, clusterService, null, true); + this(settings, configPath, clientProvider, threadPool, resolver, clusterService, null); } public AuditLogImpl(final Settings settings, @@ -66,14 +65,9 @@ public AuditLogImpl(final Settings settings, final ThreadPool threadPool, final IndexNameExpressionResolver resolver, final ClusterService clusterService, - final Environment environment, - final boolean dlsFlsAvailable) { + final Environment environment) { super(settings, threadPool, resolver, clusterService, environment); this.settings = settings; - this.dlsFlsAvailable = dlsFlsAvailable; - if (!dlsFlsAvailable) { - log.debug("Changes to Compliance config will ignored because DLS-FLS is not available."); - } this.messageRouter = new AuditMessageRouter(settings, clientProvider, threadPool, configPath); this.messageRouterEnabled = this.messageRouter.isEnabled(); @@ -88,9 +82,7 @@ public AuditLogImpl(final Settings settings, public void setConfig(final AuditConfig auditConfig) { enabled = auditConfig.isEnabled() && messageRouterEnabled; onAuditConfigFilterChanged(auditConfig.getFilter()); - if (dlsFlsAvailable) { - onComplianceConfigChanged(auditConfig.getCompliance()); - } + onComplianceConfigChanged(auditConfig.getCompliance()); } @Override diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/privileges/PrivilegesEvaluator.java index 1f23251ad1..7aae0ad854 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/privileges/PrivilegesEvaluator.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/privileges/PrivilegesEvaluator.java 
@@ -125,13 +125,13 @@ public class PrivilegesEvaluator { private final DlsFlsEvaluator dlsFlsEvaluator; - private final boolean advancedModulesEnabled; + private final boolean dlsFlsEnabled; private DynamicConfigModel dcm; public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool threadPool, final ConfigurationRepository configurationRepository, final IndexNameExpressionResolver resolver, AuditLog auditLog, final Settings settings, final PrivilegesInterceptor privilegesInterceptor, final ClusterInfoHolder clusterInfoHolder, - final IndexResolverReplacer irr, boolean advancedModulesEnabled) { + final IndexResolverReplacer irr, boolean dlsFlsEnabled) { super(); this.clusterService = clusterService; @@ -152,7 +152,7 @@ public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool protectedIndexAccessEvaluator = new OpenDistroProtectedIndexAccessEvaluator(settings, auditLog); dlsFlsEvaluator = new DlsFlsEvaluator(settings, threadPool); termsAggregationEvaluator = new TermsAggregationEvaluator(); - this.advancedModulesEnabled = advancedModulesEnabled; + this.dlsFlsEnabled = dlsFlsEnabled; } @Subscribe @@ -245,7 +245,7 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin // check dlsfls - if (advancedModulesEnabled + if (dlsFlsEnabled //&& (action0.startsWith("indices:data/read") || action0.equals(ClusterSearchShardsAction.NAME)) && dlsFlsEvaluator.evaluate(request, clusterService, resolver, requestedResolved, user, securityRoles, presponse).isComplete()) { return presponse; diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/DynamicConfigModelV6.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/DynamicConfigModelV6.java index 438a6029a4..8068cc8e85 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/DynamicConfigModelV6.java 
+++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/DynamicConfigModelV6.java @@ -355,19 +355,12 @@ private void destroyDestroyables(List destroyableComponents) { private T newInstance(final String clazzOrShortcut, String type, final Settings settings, final Path configPath) { String clazz = clazzOrShortcut; - boolean isEnterprise = false; if(authImplMap.containsKey(clazz+"_"+type)) { clazz = authImplMap.get(clazz+"_"+type); - } else { - isEnterprise = true; - } - - if(ReflectionHelper.isAdvancedModuleAAAModule(clazz)) { - isEnterprise = true; } - return ReflectionHelper.instantiateAAA(clazz, settings, configPath, isEnterprise); + return ReflectionHelper.instantiateAAA(clazz, settings, configPath); } private String translateShortcutToClassName(final String clazzOrShortcut, final String type) { diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/DynamicConfigModelV7.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/DynamicConfigModelV7.java index 10b75255ec..16aca8c6da 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/DynamicConfigModelV7.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/securityconf/DynamicConfigModelV7.java 
@@ -354,19 +354,12 @@ private void destroyDestroyables(List destroyableComponents) { private T newInstance(final String clazzOrShortcut, String type, final Settings settings, final Path configPath) { String clazz = clazzOrShortcut; - boolean isEnterprise = false; if(authImplMap.containsKey(clazz+"_"+type)) { clazz = authImplMap.get(clazz+"_"+type); - } else { - isEnterprise = true; - } - - if(ReflectionHelper.isAdvancedModuleAAAModule(clazz)) { - isEnterprise = true; } - return ReflectionHelper.instantiateAAA(clazz, settings, configPath, isEnterprise); + return ReflectionHelper.instantiateAAA(clazz, settings, configPath); } private String translateShortcutToClassName(final String clazzOrShortcut, final String type) { diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/support/ReflectionHelper.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/support/ReflectionHelper.java index ad45fa1bc5..6d8fd7369a 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/support/ReflectionHelper.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/support/ReflectionHelper.java 
@@ -31,38 +31,19 @@ package com.amazon.opendistroforelasticsearch.security.support; import java.io.InputStream; -import java.lang.reflect.Constructor; import java.net.URL; import java.nio.file.Path; -import java.util.Collection; import java.util.Collections; import java.util.HashSet; import java.util.Set; import java.util.jar.Attributes; import java.util.jar.Manifest; -import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditLogImpl; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.elasticsearch.ElasticsearchException; -import org.elasticsearch.client.Client; -import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver; -import org.elasticsearch.cluster.service.ClusterService; import org.elasticsearch.common.settings.Settings; -import org.elasticsearch.env.Environment; -import org.elasticsearch.index.IndexService; -import org.elasticsearch.rest.RestController; -import org.elasticsearch.rest.RestHandler; -import org.elasticsearch.threadpool.ThreadPool; -import com.amazon.opendistroforelasticsearch.security.auditlog.AuditLog; -import com.amazon.opendistroforelasticsearch.security.auditlog.NullAuditLog; -import com.amazon.opendistroforelasticsearch.security.compliance.ComplianceIndexingOperationListener; -import com.amazon.opendistroforelasticsearch.security.configuration.AdminDNs; -import com.amazon.opendistroforelasticsearch.security.configuration.DlsFlsRequestValve; -import com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository; -import com.amazon.opendistroforelasticsearch.security.privileges.PrivilegesEvaluator; -import com.amazon.opendistroforelasticsearch.security.privileges.PrivilegesInterceptor; import com.amazon.opendistroforelasticsearch.security.ssl.transport.DefaultPrincipalExtractor; import com.amazon.opendistroforelasticsearch.security.ssl.transport.PrincipalExtractor; import 
com.amazon.opendistroforelasticsearch.security.transport.DefaultInterClusterRequestEvaluator; 
@@ -78,156 +59,8 @@ public static Set getModulesLoaded() { return Collections.unmodifiableSet(modulesLoaded); } - private static boolean advancedModulesDisabled() { - return !advancedModulesEnabled; - } - - public static void registerMngtRestApiHandler(final Settings settings) { - - if (advancedModulesDisabled()) { - return; - } - - if(!settings.getAsBoolean("http.enabled", true)) { - - try { - final Class clazz = Class.forName("com.amazon.opendistroforelasticsearch.security.dlic.rest.api.OpenDistroSecurityRestApiActions"); - //addLoadedModule(clazz); - //no addLoadedModule(clazz) here because its not a typical module - //and it is not loaded in every case/on every node - } catch (final Throwable e) { - log.warn("Unable to register Rest Management Api Module due to {}", e.toString()); - if(log.isDebugEnabled()) { - log.debug("Stacktrace: ",e); - } - } - } - } - @SuppressWarnings("unchecked") - public static Collection instantiateMngtRestApiHandler(final Settings settings, final Path configPath, final RestController restController, - final Client localClient, final AdminDNs adminDns, final ConfigurationRepository cr, final ClusterService cs, final PrincipalExtractor principalExtractor, - final PrivilegesEvaluator evaluator, final ThreadPool threadPool, final AuditLog auditlog) { - - if (advancedModulesDisabled()) { - return Collections.emptyList(); - } - - try { - final Class clazz = Class.forName("com.amazon.opendistroforelasticsearch.security.dlic.rest.api.OpenDistroSecurityRestApiActions"); - final Collection ret = (Collection) clazz - .getDeclaredMethod("getHandler", Settings.class, Path.class, RestController.class, Client.class, AdminDNs.class, ConfigurationRepository.class, - ClusterService.class, PrincipalExtractor.class, PrivilegesEvaluator.class, ThreadPool.class, AuditLog.class) - .invoke(null, settings, configPath, restController, localClient, adminDns, cr, cs, principalExtractor, evaluator, threadPool, auditlog); - addLoadedModule(clazz); - return ret; - 
} catch (final Throwable e) { - log.warn("Unable to enable Rest Management Api Module due to {}", e.toString()); - if(log.isDebugEnabled()) { - log.debug("Stacktrace: ",e); - } - return Collections.emptyList(); - } - } - - public static DlsFlsRequestValve instantiateDlsFlsValve() { - - if (advancedModulesDisabled()) { - return new DlsFlsRequestValve.NoopDlsFlsRequestValve(); - } - - try { - final Class clazz = Class.forName("com.amazon.opendistroforelasticsearch.security.configuration.DlsFlsValveImpl"); - final DlsFlsRequestValve ret = (DlsFlsRequestValve) clazz.newInstance(); - return ret; - } catch (final Throwable e) { - log.warn("Unable to enable DLS/FLS Valve Module due to {}", e.toString()); - if(log.isDebugEnabled()) { - log.debug("Stacktrace: ",e); - } - return new DlsFlsRequestValve.NoopDlsFlsRequestValve(); - } - } - - public static AuditLog instantiateAuditLog(final Settings settings, final Path configPath, final Client localClient, final ThreadPool threadPool, final IndexNameExpressionResolver resolver, final ClusterService clusterService, final boolean dlsFlsAvailable, final Environment environment) { - - if (advancedModulesDisabled()) { - return new NullAuditLog(); - } - - try { - final AuditLog impl = new AuditLogImpl(settings, configPath, localClient, threadPool, resolver, clusterService, environment, dlsFlsAvailable); - addLoadedModule(AuditLogImpl.class); - return impl; - } catch (final Throwable e) { - log.warn("Unable to enable Auditlog Module due to {}", e.toString()); - if(log.isDebugEnabled()) { - log.debug("Stacktrace: ",e); - } - return new NullAuditLog(); - } - } - - public static ComplianceIndexingOperationListener instantiateComplianceListener(AuditLog auditlog) { - - if (advancedModulesDisabled()) { - return new ComplianceIndexingOperationListener(); - } - - try { - final Class clazz = Class.forName("com.amazon.opendistroforelasticsearch.security.compliance.ComplianceIndexingOperationListenerImpl"); - final 
ComplianceIndexingOperationListener impl = (ComplianceIndexingOperationListener) clazz - .getConstructor(AuditLog.class) - .newInstance(auditlog); - addLoadedModule(clazz); - return impl; - } catch (final ClassNotFoundException e) { - //TODO produce a single warn msg, this here is issued for every index - log.debug("Unable to enable Compliance Module due to {}", e.toString()); - if(log.isDebugEnabled()) { - log.debug("Stacktrace: ",e); - } - return new ComplianceIndexingOperationListener(); - } catch (final Throwable e) { - log.error("Unable to enable Compliance Module due to {}", e.toString()); - if(log.isDebugEnabled()) { - log.debug("Stacktrace: ",e); - } - return new ComplianceIndexingOperationListener(); - } - } - - public static PrivilegesInterceptor instantiatePrivilegesInterceptorImpl(final IndexNameExpressionResolver resolver, final ClusterService clusterService, - final Client localClient, final ThreadPool threadPool) { - - final PrivilegesInterceptor noop = new PrivilegesInterceptor(resolver, clusterService, localClient, threadPool); - - if (advancedModulesDisabled()) { - return noop; - } - - try { - final Class clazz = Class.forName("com.amazon.opendistroforelasticsearch.security.configuration.PrivilegesInterceptorImpl"); - final PrivilegesInterceptor ret = (PrivilegesInterceptor) clazz.getConstructor(IndexNameExpressionResolver.class, ClusterService.class, Client.class, ThreadPool.class) - .newInstance(resolver, clusterService, localClient, threadPool); - addLoadedModule(clazz); - return ret; - } catch (final Throwable e) { - log.warn("Unable to enable Kibana Module due to {}", e.toString()); - if(log.isDebugEnabled()) { - log.debug("Stacktrace: ",e); - } - return noop; - } - } - - @SuppressWarnings("unchecked") - public static T instantiateAAA(final String clazz, final Settings settings, final Path configPath, final boolean checkEnterprise) { - - if (advancedModulesDisabled()) { - throw new ElasticsearchException("Can not load '{}' because advanced 
modules are disabled", clazz); - } - + public static T instantiateAAA(final String clazz, final Settings settings, final Path configPath) { try { final Class clazz0 = Class.forName(clazz); final T ret = (T) clazz0.getConstructor(Settings.class, Path.class).newInstance(settings, configPath); @@ -246,7 +79,6 @@ public static T instantiateAAA(final String clazz, final Settings settings, } public static InterClusterRequestEvaluator instantiateInterClusterRequestEvaluator(final String clazz, final Settings settings) { - try { final Class clazz0 = Class.forName(clazz); final InterClusterRequestEvaluator ret = (InterClusterRequestEvaluator) clazz0.getConstructor(Settings.class).newInstance(settings); @@ -262,7 +94,6 @@ public static InterClusterRequestEvaluator instantiateInterClusterRequestEvaluat } public static PrincipalExtractor instantiatePrincipalExtractor(final String clazz) { - try { final Class clazz0 = Class.forName(clazz); final PrincipalExtractor ret = (PrincipalExtractor) clazz0.newInstance(); 
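Review bot: `instantiateAAA` in the @@ -78 hunk now goes straight to `Class.forName(clazz)` and a `(Settings, Path)` constructor with no remaining gate (the advanced-modules check was the only one), yet the method carries no Javadoc. Add one stating that `clazz` appears to come from the dynamic security configuration (it is called from `DynamicConfigModelV6`/`V7.newInstance`), is resolved reflectively without an allow-list, and must therefore be treated as trusted administrator input, plus a `@throws` entry for the failure path handled outside the visible hunk lines. If the removed `throw new ElasticsearchException(...)` was the last use, the `ElasticsearchException` import kept in the import hunk is now unused and worth a check. The method's catch clause and the rest of the class continue outside the hunk.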
@@ -277,36 +108,6 @@ public static PrincipalExtractor instantiatePrincipalExtractor(final String claz
 }
 }
- public static boolean isAdvancedModuleAAAModule(final String clazz) {
- boolean advancedModuleInstalled = false;
-
- if (clazz.equalsIgnoreCase("com.amazon.dlic.auth.ldap.backend.LDAPAuthorizationBackend")) {
- advancedModuleInstalled = true;
- }
-
- if (clazz.equalsIgnoreCase("com.amazon.dlic.auth.ldap.backend.LDAPAuthenticationBackend")) {
- advancedModuleInstalled = true;
- }
-
- if (clazz.equalsIgnoreCase("com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticator")) {
- advancedModuleInstalled = true;
- }
-
- if (clazz.equalsIgnoreCase("com.amazon.dlic.auth.http.jwt.keybyoidc.HTTPJwtKeyByOpenIdConnectAuthenticator")) {
- advancedModuleInstalled = true;
- }
-
- if (clazz.equalsIgnoreCase("com.amazon.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator")) {
- advancedModuleInstalled = true;
- }
-
- if (clazz.equalsIgnoreCase("com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator")) {
- advancedModuleInstalled = true;
- }
-
- return advancedModuleInstalled;
- }
-
 public static boolean addLoadedModule(Class clazz) {
 ModuleInfo moduleInfo = getModuleInfo(clazz);
 if (log.isDebugEnabled()) {
@@ -315,13 +116,6 @@ public static boolean addLoadedModule(Class clazz) {
 return modulesLoaded.add(moduleInfo);
 }
- private static boolean advancedModulesEnabled;
-
- // TODO static hack
- public static void init(final boolean advancedModulesEnabled) {
- ReflectionHelper.advancedModulesEnabled = advancedModulesEnabled;
- }
-
 private static ModuleInfo getModuleInfo(final Class impl) {
 ModuleType moduleType = ModuleType.getByDefaultImplClass(impl);
diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/IndexIntegrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/IndexIntegrationTests.java
index 966d78d66b..d9758a7226 100644
--- a/src/test/java/com/amazon/opendistroforelasticsearch/security/IndexIntegrationTests.java
+++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/IndexIntegrationTests.java 
@@ -434,30 +434,6 @@ public void testAliases() throws Exception {
 Assert.assertEquals(HttpStatus.SC_FORBIDDEN, (res = rh.executePutRequest("/beats-withalias", alias,encodeBasicHeader("aliasmngt", "nagilum"))).getStatusCode());
 }
- @Test
- public void testAliasResolution() throws Exception {
-
- final Settings settings = Settings.builder()
- .put(OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED, false)
- .build();
- setup(settings);
- final RestHelper rh = nonSslRestHelper();
-
- try (TransportClient tc = getInternalTransportClient()) {
- tc.index(new IndexRequest("concreteindex-1").type("doc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices("concreteindex-1").alias("calias-1"))).actionGet();
- tc.index(new IndexRequest(".kibana-6").type("doc").setRefreshPolicy(RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
- tc.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(AliasActions.add().indices(".kibana-6").alias(".kibana"))).actionGet();
-
- }
-
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("calias-1/_search?pretty", encodeBasicHeader("aliastest", "nagilum")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("calias-*/_search?pretty", encodeBasicHeader("aliastest", "nagilum")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("*kibana/_search?pretty", encodeBasicHeader("aliastest", "nagilum")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest(".ki*ana/_search?pretty", encodeBasicHeader("aliastest", "nagilum")).getStatusCode());
- Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest(".kibana/_search?pretty", encodeBasicHeader("aliastest", "nagilum")).getStatusCode());
- }
-
 @Test
 public void testIndexResolveInvalidIndexName() throws Exception {
 setup();