Mandate X-Pack REST handler installed #71061
Pinging @elastic/es-security (Team:Security)
@elasticmachine run elasticsearch-ci/bwc
@elasticmachine update branch
@elasticmachine update branch
We also need to fill in the PR description
@elasticmachine update branch
@elasticmachine update branch
@BigPandaToo Can you please fill in the PR description.
@elasticmachine update branch
@elasticmachine update branch
@elasticmachine update branch
LGTM
A few nits and also I don't particularly like the "unit test". But they don't need to block this PR. Thanks!
if (plugin.getClass().getCanonicalName() == null || | ||
plugin.getClass().getCanonicalName().startsWith("org.elasticsearch.xpack") == false) { |
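Review bot: the `startsWith("org.elasticsearch.xpack")` test on the second line is a name-prefix match, not an identity check, so it accepts any class whose canonical name begins with that string, including a sibling package such as `org.elasticsearch.xpackfoo` (a constructed name) or a class that another plugin declares inside an `org.elasticsearch.xpack` package. If the intent is that only the X-Pack Security plugin may install the wrapper, compare against the exact class name, or at minimum end the prefix with a dot. The null guard also evaluates `getCanonicalName()` twice; holding it in a local variable would make the condition easier to read.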
Nit: I probably missed the discussion about why we prefer `getCanonicalName` over just `getName` here. But it seems to me that `getName` is more consistent since that is what we report in the error message (and also the debug log above)?
logger.error("The " + plugin.getClass().getName() + " plugin tried to install a custom REST wrapper. This " + | ||
"functionality is not available anymore."); |
Nit: Since an exception is thrown immediately after this and will be logged, it seems this logging is no longer necessary.
boolean extractClientCertificate = false; | ||
if (enabled && HTTP_SSL_ENABLED.get(settings)) { | ||
final SSLConfiguration httpSSLConfig = getSslService().getHttpTransportSSLConfiguration(); | ||
extractClientCertificate = getSslService().isSSLClientAuthEnabled(httpSSLConfig); | ||
} |
Nit: we can save the extra `finalExtractClientCertificate` variable.
boolean extractClientCertificate = false; | |
if (enabled && HTTP_SSL_ENABLED.get(settings)) { | |
final SSLConfiguration httpSSLConfig = getSslService().getHttpTransportSSLConfiguration(); | |
extractClientCertificate = getSslService().isSSLClientAuthEnabled(httpSSLConfig); | |
} | |
final boolean extractClientCertificate; | |
if (enabled && HTTP_SSL_ENABLED.get(settings)) { | |
final SSLConfiguration httpSSLConfig = getSslService().getHttpTransportSSLConfiguration(); | |
extractClientCertificate = getSslService().isSSLClientAuthEnabled(httpSSLConfig); | |
} else { | |
extractClientCertificate = false; | |
} |
@@ -514,6 +529,81 @@ public void testLicenseUpdateFailureHandlerUpdate() throws Exception { | |||
} | |||
} | |||
|
|||
public void testSecurityHandlerIsAlwaysInstalled() throws IllegalAccessException { |
The check is now relaxed to be package name. Do you think it is worth having more unit-test-like tests?
Technically, even with the previous check for exact class name, it is possible to have a unit test for `ActionModule`: Since `ActionModule` is in a different module and does not depend on xpack security, it is possible to create a stub `org.elasticsearch.xpack.security.Security` class in its test package and use that for the unit test.
@elasticmachine update branch
merge conflict between base and head
"functionality is not available anymore."); | ||
throw new IllegalArgumentException("The " + plugin.getClass().getName() + " plugin tried to install a custom REST " + | ||
"wrapper. This functionality is not available anymore."); | ||
} |
Per #73329, there should be tests for this functionality in ActionModuleTests.
Core shouldn't rely on x-pack to do its testing for it.
Moved it to ActionModuleTests
} | ||
} | ||
|
||
public void test3rdPartyHandlerIsNotInstalled() { |
This belongs in `ActionModuleTests`, it's testing the behaviour of `ActionModule`, so it shouldn't be here.
@@ -514,6 +529,81 @@ public void testLicenseUpdateFailureHandlerUpdate() throws Exception { | |||
} | |||
} | |||
|
|||
public void testSecurityHandlerIsAlwaysInstalled() throws IllegalAccessException { |
I think it's testing 2 things, and I think it would be better if they were split into
- `testSecurityPluginInstallsRestHandlerWrapperEvenIfSecurityIsDisabled` which can simply be a test that `Security.getRestHandlerWrapper()` returns non-null even when disabled.
- `testSecurityRestHandlerWrapperCanBeInstalled()` which tests that ActionModule doesn't reject the wrapper installed by security (essentially this test).
LGTM, but I have a couple of suggestions.
class SecPlugin implements ActionPlugin { | ||
@Override | ||
public UnaryOperator<RestHandler> getRestHandlerWrapper(ThreadContext threadContext) { | ||
return handler -> new FakeHandler(); |
This is fine - there's no need to change it, but it would have been fine to just make this a no-op operator.
return handler -> new FakeHandler(); | |
return UnaryOperator.identity(); |
We really only care that the plugin returns something. We don't care what it does.
ActionModule actionModule = new ActionModule(settingsModule.getSettings(), | ||
TestIndexNameExpressionResolver.newInstance(threadPool.getThreadContext()), | ||
settingsModule.getIndexScopedSettings(), settingsModule.getClusterSettings(), settingsModule.getSettingsFilter(), | ||
threadPool, Arrays.asList(security), null, null, usageService, null); | ||
actionModule.initRestHandlers(null); |
Is this needed?
I think you can skip all the `ActionModule` part since this is a simple unit test on `Security`
In elastic#71061 we removed support for custom REST Handler Wrappers. This change adds that information to the migration guide under the "Plugin changes" section
In order to provide a stronger guarantee to our solutions, that if a
cluster is running the default distribution and has security
(authentication) enabled,
then it will be provided by Elastic's security features, and users can
rely on it behaving in the ways they expect, this change mandates
that security in default distribution is provided by X-Pack by always
installing the Security Rest Filter.
Related: #70523