From 3b0b7941ae031e340df7521a75432bd6c6dbc2e3 Mon Sep 17 00:00:00 2001 From: Lyudmila Fokina <35386883+BigPandaToo@users.noreply.github.com> Date: Tue, 13 Apr 2021 18:33:41 +0200 Subject: [PATCH] Warn users if security is implicitly disabled (#70114) * Warn users if security is implicitly disabled Elasticsearch has security features implicitly disabled by default for Basic and Trial licenses, unless explicitly set in the configuration file. This may be good for onboarding, but it also lead to unintended insecure clusters. This change introduces clear warnings when security features are implicitly disabled. - a warning header in each REST response if security is implicitly disabled; - a log message during cluster boot. --- .../docker/test/DockerYmlTestSuiteIT.java | 22 --------- docs/build.gradle | 1 + docs/reference/rest-api/usage.asciidoc | 10 +--- .../qa/file-based-update/build.gradle | 2 + .../ingest/geoip/UpdateDatabasesIT.java | 11 +++++ .../examples/painless-whitelist/build.gradle | 1 + .../build.gradle | 2 + qa/ccs-unavailable-clusters/build.gradle | 5 ++ ...rossClusterSearchUnavailableClusterIT.java | 10 ++++ qa/die-with-dignity/build.gradle | 2 + .../qa/die_with_dignity/DieWithDignityIT.java | 5 +- qa/full-cluster-restart/build.gradle | 3 +- qa/logging-config/build.gradle | 4 ++ qa/mixed-cluster/build.gradle | 1 + qa/multi-cluster-search/build.gradle | 2 + .../AbstractMultiClusterRemoteTestCase.java | 22 --------- qa/repository-multi-version/build.gradle | 3 +- qa/rolling-upgrade/build.gradle | 1 + qa/smoke-test-http/build.gradle | 4 ++ qa/smoke-test-ingest-disabled/build.gradle | 4 ++ .../build.gradle | 4 ++ qa/smoke-test-multinode/build.gradle | 4 ++ qa/smoke-test-plugins/build.gradle | 1 + qa/unconfigured-node-name/build.gradle | 6 ++- qa/verify-version-constants/build.gradle | 2 + .../VerifyVersionConstantsIT.java | 11 +++++ .../test/rest/ESRestTestCase.java | 26 +++++++++++ .../downgrade-to-basic-license/build.gradle | 7 ++- .../xpack/ccr/FollowIndexIT.java | 11 +++++ .../plugin/ccr/qa/multi-cluster/build.gradle | 6 +++ .../elasticsearch/xpack/ccr/AutoFollowIT.java | 12 ++++- .../org/elasticsearch/xpack/ccr/ChainIT.java | 10 ++++ .../xpack/ccr/FollowIndexIT.java | 10 ++++ .../elasticsearch/xpack/ccr/XPackUsageIT.java | 11 +++++ .../ccr/qa/non-compliant-license/build.gradle | 4 ++ .../xpack/ccr/CcrMultiClusterLicenseIT.java | 10 ++++ x-pack/plugin/ccr/qa/restart/build.gradle | 4 ++ .../elasticsearch/xpack/ccr/RestartIT.java | 10 ++++ .../xpack/ccr/FollowIndexSecurityIT.java | 1 - .../XPackCoreClientYamlTestSuiteIT.java | 2 - .../plugin/data-streams/qa/rest/build.gradle | 1 + x-pack/plugin/enrich/qa/common/build.gradle | 6 +++ .../enrich/EnrichAdvancedSecurityIT.java | 1 - x-pack/plugin/enrich/qa/rest/build.gradle | 1 + .../test/eql/stats/EqlUsageRestTestCase.java | 11 +++++ x-pack/plugin/eql/qa/correctness/build.gradle | 2 + .../xpack/eql/EsEQLCorrectnessIT.java | 8 ++++ x-pack/plugin/eql/qa/mixed-node/build.gradle | 2 +- x-pack/plugin/eql/qa/rest/build.gradle | 1 + .../elasticsearch/xpack/eql/EqlRestIT.java | 11 +++++ x-pack/plugin/fleet/build.gradle | 2 + .../xpack/security/PermissionsIT.java | 1 - x-pack/plugin/logstash/build.gradle | 2 + .../repositories-metering-api/build.gradle | 6 ++- .../qa/azure/build.gradle | 4 ++ .../qa/gcs/build.gradle | 4 ++ .../qa/s3/build.gradle | 1 + x-pack/plugin/rollup/qa/rest/build.gradle | 1 + .../qa/azure/build.gradle | 1 + .../searchable-snapshots/qa/gcs/build.gradle | 2 + .../searchable-snapshots/qa/hdfs/build.gradle | 2 + .../qa/minio/build.gradle | 2 + .../searchable-snapshots/qa/rest/build.gradle | 2 + .../searchable-snapshots/qa/s3/build.gradle | 2 + .../searchable-snapshots/qa/url/build.gradle | 2 + .../qa/basic-enable-security/build.gradle | 16 +++++-- .../EnableSecurityOnBasicLicenseIT.java | 46 +++++++++++++++++-- .../qa/security-not-enabled/build.gradle | 1 + .../test/rest/CatIndicesWithSecurityIT.java | 1 - .../plugin/security/qa/tls-basic/build.gradle | 2 + .../xpack/security/TlsWithBasicLicenseIT.java | 4 ++ .../security/rest/SecurityRestFilter.java | 7 +++ .../support/SecurityStatusChangeListener.java | 6 +++ .../rest/SecurityRestFilterTests.java | 4 ++ .../SecurityStatusChangeListenerTests.java | 18 +++++++- .../shutdown/qa/multi-node/build.gradle | 2 + .../xpack/shutdown/NodeShutdownIT.java | 12 +++++ .../qa/azure/build.gradle | 4 ++ .../qa/gcs/build.gradle | 1 + .../qa/minio/build.gradle | 2 + .../qa/rest/build.gradle | 1 + .../snapshot-repo-test-kit/qa/s3/build.gradle | 1 + x-pack/plugin/spatial/build.gradle | 1 + .../qa/jdbc/security/JdbcConnectionIT.java | 2 - x-pack/plugin/sql/qa/mixed-node/build.gradle | 4 ++ .../xpack/sql/qa/security/RestSqlIT.java | 2 - .../integration/TransformRestTestCase.java | 1 - .../SmokeTestWatcherTestSuiteIT.java | 1 - .../SmokeTestWatcherWithSecurityIT.java | 1 - ...cherWithSecurityClientYamlTestSuiteIT.java | 3 -- ...CoreWithSecurityClientYamlTestSuiteIT.java | 2 - ...sterSearchWithSecurityYamlTestSuiteIT.java | 2 - .../MultiClusterYamlTestSuiteIT.java | 2 - .../GlobalCheckpointSyncActionIT.java | 1 - .../elasticsearch/multi_node/RollupIT.java | 1 - ...ndexWithSecurityClientYamlTestSuiteIT.java | 2 - .../xpack/security/ReindexWithSecurityIT.java | 1 - .../upgrades/AbstractUpgradeTestCase.java | 5 +- x-pack/qa/runtime-fields/build.gradle | 1 + .../xpack/security/PermissionsIT.java | 2 - ...SmokeTestPluginsClientYamlTestSuiteIT.java | 2 - ...rityWithMustacheClientYamlTestSuiteIT.java | 2 - 102 files changed, 404 insertions(+), 107 deletions(-) diff --git a/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java b/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java index d3e475278c3f..7ce27f90d9b0 100644 --- a/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java +++ b/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java @@ -10,7 +10,6 @@ package org.elasticsearch.docker.test; import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import org.elasticsearch.ElasticsearchException; import org.elasticsearch.client.Request; -import org.elasticsearch.common.CharArrays; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; @@ -24,11 +23,8 @@ import org.junit.BeforeClass; import java.io.IOException; import java.net.URISyntaxException; -import java.nio.CharBuffer; import java.nio.file.Files; import java.nio.file.Path; -import java.util.Arrays; -import java.util.Base64; public class DockerYmlTestSuiteIT extends ESClientYamlSuiteTestCase { @@ -130,22 +126,4 @@ public class DockerYmlTestSuiteIT extends ESClientYamlSuiteTestCase { } return "https"; } - - private static String basicAuthHeaderValue(String username, SecureString passwd) { - CharBuffer chars = CharBuffer.allocate(username.length() + passwd.length() + 1); - byte[] charBytes = null; - try { - chars.put(username).put(':').put(passwd.getChars()); - charBytes = CharArrays.toUtf8Bytes(chars.array()); - - //TODO we still have passwords in Strings in headers. Maybe we can look into using a CharSequence? - String basicToken = Base64.getEncoder().encodeToString(charBytes); - return "Basic " + basicToken; - } finally { - Arrays.fill(chars.array(), (char) 0); - if (charBytes != null) { - Arrays.fill(charBytes, (byte) 0); - } - } - } } diff --git a/docs/build.gradle b/docs/build.gradle index 8a52802d527f..7e228b63df58 100644 --- a/docs/build.gradle +++ b/docs/build.gradle @@ -68,6 +68,7 @@ testClusters.matching { it.name == "integTest"}.configureEach { // enable regexes in painless so our tests don't complain about example snippets that use them setting 'script.painless.regex.enabled', 'true' + setting 'xpack.security.enabled', 'false' setting 'path.repo', "${buildDir}/cluster/shared/repo" Closure configFile = { extraConfigFile it, file("src/test/cluster/config/$it") diff --git a/docs/reference/rest-api/usage.asciidoc b/docs/reference/rest-api/usage.asciidoc index d68a1def4e3b..1f98b2ffa0c9 100644 --- a/docs/reference/rest-api/usage.asciidoc +++ b/docs/reference/rest-api/usage.asciidoc @@ -48,15 +48,7 @@ GET /_xpack/usage { "security" : { "available" : true, - "enabled" : false, - "ssl" : { - "http" : { - "enabled" : false - }, - "transport" : { - "enabled" : false - } - } + "enabled" : false }, "monitoring" : { "available" : true, diff --git a/modules/ingest-geoip/qa/file-based-update/build.gradle b/modules/ingest-geoip/qa/file-based-update/build.gradle index 4f2ed2e30a54..507715e703b2 100644 --- a/modules/ingest-geoip/qa/file-based-update/build.gradle +++ b/modules/ingest-geoip/qa/file-based-update/build.gradle @@ -12,6 +12,8 @@ apply plugin: 'elasticsearch.rest-test' testClusters.all { testDistribution = 'DEFAULT' setting 'resource.reload.interval.high', '100ms' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } tasks.named("integTest").configure { diff --git a/modules/ingest-geoip/qa/file-based-update/src/test/java/org/elasticsearch/ingest/geoip/UpdateDatabasesIT.java b/modules/ingest-geoip/qa/file-based-update/src/test/java/org/elasticsearch/ingest/geoip/UpdateDatabasesIT.java index 9179fe701023..918266ff78df 100644 --- a/modules/ingest-geoip/qa/file-based-update/src/test/java/org/elasticsearch/ingest/geoip/UpdateDatabasesIT.java +++ b/modules/ingest-geoip/qa/file-based-update/src/test/java/org/elasticsearch/ingest/geoip/UpdateDatabasesIT.java @@ -11,6 +11,9 @@ import org.apache.http.util.EntityUtils; import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.ObjectPath; import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.common.xcontent.json.JsonXContent; @@ -53,4 +56,12 @@ public class UpdateDatabasesIT extends ESRestTestCase { return XContentHelper.convertToMap(JsonXContent.jsonXContent, EntityUtils.toString(response.getEntity()), false); } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/plugins/examples/painless-whitelist/build.gradle b/plugins/examples/painless-whitelist/build.gradle index 9cd57a2d6479..4728919d271b 100644 --- a/plugins/examples/painless-whitelist/build.gradle +++ b/plugins/examples/painless-whitelist/build.gradle @@ -23,6 +23,7 @@ dependencies { testClusters.all { testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'false' } tasks.named("test").configure { enabled = false } diff --git a/qa/ccs-rolling-upgrade-remote-cluster/build.gradle b/qa/ccs-rolling-upgrade-remote-cluster/build.gradle index 47f0480f8c60..79507e080da3 100644 --- a/qa/ccs-rolling-upgrade-remote-cluster/build.gradle +++ b/qa/ccs-rolling-upgrade-remote-cluster/build.gradle @@ -35,12 +35,14 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { numberOfNodes = 2 versions = [bwcVersionStr, project.version] setting 'cluster.remote.node.attr', 'gateway' + setting 'xpack.security.enabled', 'false' } "${baseName}-remote" { numberOfNodes = 3 versions = [bwcVersionStr, project.version] firstNode.setting 'node.attr.gateway', 'true' lastNode.setting 'node.attr.gateway', 'true' + setting 'xpack.security.enabled', 'false' } } diff --git a/qa/ccs-unavailable-clusters/build.gradle b/qa/ccs-unavailable-clusters/build.gradle index 5f24db03aed0..6f6f08f4eb55 100644 --- a/qa/ccs-unavailable-clusters/build.gradle +++ b/qa/ccs-unavailable-clusters/build.gradle @@ -10,6 +10,11 @@ apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' apply plugin: 'elasticsearch.test-with-dependencies' +testClusters.matching { it.name == "integTest" }.configureEach { + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' +} + dependencies { testImplementation project(":client:rest-high-level") } diff --git a/qa/ccs-unavailable-clusters/src/test/java/org/elasticsearch/search/CrossClusterSearchUnavailableClusterIT.java b/qa/ccs-unavailable-clusters/src/test/java/org/elasticsearch/search/CrossClusterSearchUnavailableClusterIT.java index 6ee4423c7c66..00f0fb99f6c4 100644 --- a/qa/ccs-unavailable-clusters/src/test/java/org/elasticsearch/search/CrossClusterSearchUnavailableClusterIT.java +++ b/qa/ccs-unavailable-clusters/src/test/java/org/elasticsearch/search/CrossClusterSearchUnavailableClusterIT.java @@ -38,7 +38,9 @@ import org.elasticsearch.cluster.ClusterState; import org.elasticsearch.cluster.node.DiscoveryNode; import org.elasticsearch.cluster.node.DiscoveryNodes; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.json.JsonXContent; import org.elasticsearch.search.aggregations.InternalAggregations; @@ -327,4 +329,12 @@ public class CrossClusterSearchUnavailableClusterIT extends ESRestTestCase { super(restClient, (client) -> {}, Collections.emptyList()); } } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/qa/die-with-dignity/build.gradle b/qa/die-with-dignity/build.gradle index dc536c69f570..5d655968c43d 100644 --- a/qa/die-with-dignity/build.gradle +++ b/qa/die-with-dignity/build.gradle @@ -21,6 +21,8 @@ tasks.named("javaRestTest").configure { testClusters.matching { it.name == "javaRestTest" }.configureEach { systemProperty "die.with.dignity.test", "whatever" + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } tasks.named("test").configure { diff --git a/qa/die-with-dignity/src/javaRestTest/java/org/elasticsearch/qa/die_with_dignity/DieWithDignityIT.java b/qa/die-with-dignity/src/javaRestTest/java/org/elasticsearch/qa/die_with_dignity/DieWithDignityIT.java index d65781238230..a42d6b5a43e0 100644 --- a/qa/die-with-dignity/src/javaRestTest/java/org/elasticsearch/qa/die_with_dignity/DieWithDignityIT.java +++ b/qa/die-with-dignity/src/javaRestTest/java/org/elasticsearch/qa/die_with_dignity/DieWithDignityIT.java @@ -10,7 +10,9 @@ package org.elasticsearch.qa.die_with_dignity; import org.elasticsearch.client.Request; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import java.io.BufferedReader; @@ -99,13 +101,14 @@ public class DieWithDignityIT extends ESRestTestCase { @Override protected final Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); return Settings.builder() .put(super.restClientSettings()) + .put(ThreadContext.PREFIX + ".Authorization", token) // increase the timeout here to 90 seconds to handle long waits for a green // cluster health. the waits for green need to be longer than a minute to // account for delayed shards .put(ESRestTestCase.CLIENT_SOCKET_TIMEOUT, "1s") .build(); } - } diff --git a/qa/full-cluster-restart/build.gradle b/qa/full-cluster-restart/build.gradle index a87fa65d31c4..ce45f33e5ec0 100644 --- a/qa/full-cluster-restart/build.gradle +++ b/qa/full-cluster-restart/build.gradle @@ -26,6 +26,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { // some tests rely on the translog not being flushed setting 'indices.memory.shard_inactive_time', '60m' setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}" + setting 'xpack.security.enabled', 'false' } } @@ -59,4 +60,4 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { tasks.register(bwcTaskName(bwcVersion)) { dependsOn tasks.named("${baseName}#upgradedClusterTest") } -} \ No newline at end of file +} diff --git a/qa/logging-config/build.gradle b/qa/logging-config/build.gradle index 9efa4b8ab8ed..e31834f68345 100644 --- a/qa/logging-config/build.gradle +++ b/qa/logging-config/build.gradle @@ -11,6 +11,10 @@ apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' apply plugin: 'elasticsearch.standalone-test' +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + testClusters.matching { it.name == "integTest" }.configureEach { /** * Provide a custom log4j configuration where layout is an old style pattern and confirm that Elasticsearch diff --git a/qa/mixed-cluster/build.gradle b/qa/mixed-cluster/build.gradle index 4995db6bbeb8..c214efcb7ecb 100644 --- a/qa/mixed-cluster/build.gradle +++ b/qa/mixed-cluster/build.gradle @@ -38,6 +38,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { numberOfNodes = 4 setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}" + setting 'xpack.security.enabled', 'false' } } diff --git a/qa/multi-cluster-search/build.gradle b/qa/multi-cluster-search/build.gradle index dcc8a89071ad..e59ed02d63d7 100644 --- a/qa/multi-cluster-search/build.gradle +++ b/qa/multi-cluster-search/build.gradle @@ -25,6 +25,7 @@ testClusters { 'remote-cluster' { numberOfNodes = 2 setting 'node.roles', '[data,ingest,master]' + setting 'xpack.security.enabled', 'false' } } @@ -38,6 +39,7 @@ testClusters.matching { it.name == "mixedClusterTest"}.configureEach { setting 'cluster.remote.my_remote_cluster.seeds', { "\"${testClusters.'remote-cluster'.getAllTransportPortURI().get(0)}\"" } setting 'cluster.remote.connections_per_cluster', '1' + setting 'xpack.security.enabled', 'false' } tasks.register("integTest") { diff --git a/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java b/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java index 77b8ed5c3ca0..0ae59b4f0416 100644 --- a/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java +++ b/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java @@ -13,7 +13,6 @@ import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest; import org.elasticsearch.client.RequestOptions; import org.elasticsearch.client.RestClient; import org.elasticsearch.client.RestHighLevelClient; -import org.elasticsearch.common.CharArrays; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; @@ -26,11 +25,8 @@ import org.junit.BeforeClass; import java.io.IOException; import java.net.URISyntaxException; -import java.nio.CharBuffer; import java.nio.file.Files; import java.nio.file.Path; -import java.util.Arrays; -import java.util.Base64; import java.util.Collections; public abstract class AbstractMultiClusterRemoteTestCase extends ESRestTestCase { @@ -150,24 +146,6 @@ public abstract class AbstractMultiClusterRemoteTestCase extends ESRestTestCase return "https"; } - private static String basicAuthHeaderValue(String username, SecureString passwd) { - CharBuffer chars = CharBuffer.allocate(username.length() + passwd.length() + 1); - byte[] charBytes = null; - try { - chars.put(username).put(':').put(passwd.getChars()); - charBytes = CharArrays.toUtf8Bytes(chars.array()); - - //TODO we still have passwords in Strings in headers. Maybe we can look into using a CharSequence? - String basicToken = Base64.getEncoder().encodeToString(charBytes); - return "Basic " + basicToken; - } finally { - Arrays.fill(chars.array(), (char) 0); - if (charBytes != null) { - Arrays.fill(charBytes, (byte) 0); - } - } - } - private String getProperty(String key) { String value = System.getProperty(key); if (value == null) { diff --git a/qa/repository-multi-version/build.gradle b/qa/repository-multi-version/build.gradle index 19f2d656c5f0..05bedf0bbd38 100644 --- a/qa/repository-multi-version/build.gradle +++ b/qa/repository-multi-version/build.gradle @@ -30,6 +30,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { version = v numberOfNodes = 2 setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}" + setting 'xpack.security.enabled', 'false' } } @@ -76,4 +77,4 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { tasks.register(bwcTaskName(bwcVersion)) { dependsOn tasks.named("${baseName}#Step4NewClusterTest") } -} \ No newline at end of file +} diff --git a/qa/rolling-upgrade/build.gradle b/qa/rolling-upgrade/build.gradle index 2ee07f94ae3d..e2b4abc5a7aa 100644 --- a/qa/rolling-upgrade/build.gradle +++ b/qa/rolling-upgrade/build.gradle @@ -38,6 +38,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { setting 'repositories.url.allowed_urls', 'http://snapshot.test*' setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}" + setting 'xpack.security.enabled', 'false' } } diff --git a/qa/smoke-test-http/build.gradle b/qa/smoke-test-http/build.gradle index 4cd966f8dfad..28008876e14d 100644 --- a/qa/smoke-test-http/build.gradle +++ b/qa/smoke-test-http/build.gradle @@ -17,6 +17,10 @@ dependencies { testImplementation project(':plugins:transport-nio') // for http } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest").configure { /* * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each diff --git a/qa/smoke-test-ingest-disabled/build.gradle b/qa/smoke-test-ingest-disabled/build.gradle index 87b5916a89bf..268254d3288c 100644 --- a/qa/smoke-test-ingest-disabled/build.gradle +++ b/qa/smoke-test-ingest-disabled/build.gradle @@ -15,6 +15,10 @@ dependencies { testImplementation project(':modules:ingest-common') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + testClusters.matching { it.name == "integTest" }.configureEach { setting 'node.roles', '[data,master,remote_cluster_client]' } diff --git a/qa/smoke-test-ingest-with-all-dependencies/build.gradle b/qa/smoke-test-ingest-with-all-dependencies/build.gradle index c31b31e41119..b7a8df8cc2e1 100644 --- a/qa/smoke-test-ingest-with-all-dependencies/build.gradle +++ b/qa/smoke-test-ingest-with-all-dependencies/build.gradle @@ -19,6 +19,10 @@ dependencies { testImplementation project(':modules:reindex') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("testingConventions").configure { naming { IT { diff --git a/qa/smoke-test-multinode/build.gradle b/qa/smoke-test-multinode/build.gradle index 5e1a97e3a1d5..5dc166c66bf8 100644 --- a/qa/smoke-test-multinode/build.gradle +++ b/qa/smoke-test-multinode/build.gradle @@ -23,6 +23,10 @@ testClusters.matching { it.name == "integTest" }.configureEach { setting 'path.repo', repo.absolutePath } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest").configure { doFirst { project.delete(repo) diff --git a/qa/smoke-test-plugins/build.gradle b/qa/smoke-test-plugins/build.gradle index 740e91318928..67a54372e67e 100644 --- a/qa/smoke-test-plugins/build.gradle +++ b/qa/smoke-test-plugins/build.gradle @@ -27,6 +27,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { pluginPaths.each { pluginPath -> plugin pluginPath } + setting 'xpack.security.enabled', 'false' } ext.expansions = [ diff --git a/qa/unconfigured-node-name/build.gradle b/qa/unconfigured-node-name/build.gradle index a98aa7a0b960..1196c6a88603 100644 --- a/qa/unconfigured-node-name/build.gradle +++ b/qa/unconfigured-node-name/build.gradle @@ -1,5 +1,3 @@ -import org.elasticsearch.gradle.OS - /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License @@ -12,6 +10,10 @@ apply plugin: 'elasticsearch.testclusters' apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + testClusters.matching { it.name == "integTest" }.configureEach { nameCustomization = { null } } diff --git a/qa/verify-version-constants/build.gradle b/qa/verify-version-constants/build.gradle index 02d386c78152..8f9f1527b3eb 100644 --- a/qa/verify-version-constants/build.gradle +++ b/qa/verify-version-constants/build.gradle @@ -21,6 +21,8 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { testClusters { "${baseName}" { version = bwcVersion.toString() + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } } diff --git a/qa/verify-version-constants/src/test/java/org/elasticsearch/qa/verify_version_constants/VerifyVersionConstantsIT.java b/qa/verify-version-constants/src/test/java/org/elasticsearch/qa/verify_version_constants/VerifyVersionConstantsIT.java index a883a5e137c7..ee9e922e6687 100644 --- a/qa/verify-version-constants/src/test/java/org/elasticsearch/qa/verify_version_constants/VerifyVersionConstantsIT.java +++ b/qa/verify-version-constants/src/test/java/org/elasticsearch/qa/verify_version_constants/VerifyVersionConstantsIT.java @@ -11,6 +11,9 @@ package org.elasticsearch.qa.verify_version_constants; import org.elasticsearch.Version; import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.yaml.ObjectPath; @@ -42,4 +45,12 @@ public class VerifyVersionConstantsIT extends ESRestTestCase { */ return true; } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java index 1c26850ee297..9633a96767cd 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java @@ -33,10 +33,12 @@ import org.elasticsearch.client.ResponseException; import org.elasticsearch.client.RestClient; import org.elasticsearch.client.RestClientBuilder; import org.elasticsearch.client.WarningsHandler; +import org.elasticsearch.common.CharArrays; import org.elasticsearch.common.CheckedRunnable; import org.elasticsearch.common.Nullable; import org.elasticsearch.common.Strings; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.ssl.PemUtils; import org.elasticsearch.common.unit.TimeValue; @@ -67,6 +69,7 @@ import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; +import java.nio.CharBuffer; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; @@ -80,6 +83,7 @@ import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Arrays; +import java.util.Base64; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -299,6 +303,28 @@ public abstract class ESRestTestCase extends ESTestCase { return expectVersionSpecificWarnings(consumer -> consumer.current(warnings)); } + /** + * Construct a Basic auth header + * @param username user name + * @param passwd user password + */ + public static String basicAuthHeaderValue(String username, SecureString passwd) { + CharBuffer chars = CharBuffer.allocate(username.length() + passwd.length() + 1); + byte[] charBytes = null; + try { + chars.put(username).put(':').put(passwd.getChars()); + charBytes = CharArrays.toUtf8Bytes(chars.array()); + + String basicToken = Base64.getEncoder().encodeToString(charBytes); + return "Basic " + basicToken; + } finally { + Arrays.fill(chars.array(), (char) 0); + if (charBytes != null) { + Arrays.fill(charBytes, (byte) 0); + } + } + } + /** * Construct an HttpHost from the given host and port */ diff --git a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle index f0af6a5fe7f1..355df38be0a3 100644 --- a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle +++ b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle @@ -15,13 +15,18 @@ testClusters { "leader-cluster" { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } "follow-cluster" { testDistribution = 'DEFAULT' setting 'xpack.monitoring.collection.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' - setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters."leader-cluster".getAllTransportPortURI().join(",")}\"" } + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' + setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters."leader-cluster".getAllTransportPortURI().join(",")}\"" + } } } diff --git a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java index 51547abf627b..049eeb37134a 100644 --- a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java +++ b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java @@ -13,6 +13,9 @@ import org.elasticsearch.client.RestClient; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.logging.JsonLogLine; import org.elasticsearch.common.logging.JsonLogsStream; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.hamcrest.FeatureMatcher; import org.hamcrest.Matcher; import org.hamcrest.Matchers; @@ -125,4 +128,12 @@ public class FollowIndexIT extends ESCCRRestTestCase { } } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/x-pack/plugin/ccr/qa/multi-cluster/build.gradle b/x-pack/plugin/ccr/qa/multi-cluster/build.gradle index d33401c3db27..0a13e84eeed0 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/build.gradle +++ b/x-pack/plugin/ccr/qa/multi-cluster/build.gradle @@ -13,11 +13,15 @@ testClusters { 'leader-cluster' { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'path.repo', "${buildDir}/cluster/shared/repo/leader-cluster" } 'middle-cluster' { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters.named('leader-cluster').get().getAllTransportPortURI().join(",")}\"" } } @@ -55,6 +59,8 @@ testClusters.matching { it.name == "follow-cluster" }.configureEach { testDistribution = 'DEFAULT' setting 'xpack.monitoring.collection.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters.named('leader-cluster').get().getAllTransportPortURI().join(",")}\"" } setting 'cluster.remote.middle_cluster.seeds', diff --git a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/AutoFollowIT.java b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/AutoFollowIT.java index 576618630444..410dd0b7f12a 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/AutoFollowIT.java +++ b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/AutoFollowIT.java @@ -16,7 +16,9 @@ import org.elasticsearch.client.ResponseException; import org.elasticsearch.client.RestClient; import org.elasticsearch.common.CheckedRunnable; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.ObjectPath; import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.json.JsonXContent; @@ -771,7 +773,7 @@ public class AutoFollowIT extends ESCCRRestTestCase { Request deleteTemplateRequest = new Request("DELETE", "/_data_stream/" + name); assertOK(client.performRequest(deleteTemplateRequest)); } - + private Response getAutoFollowStats() throws IOException { final Request statsRequest = new Request("GET", "/_ccr/stats"); statsRequest.addParameter("pretty", Boolean.TRUE.toString()); @@ -792,4 +794,12 @@ public class AutoFollowIT extends ESCCRRestTestCase { throw ae; } } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/ChainIT.java b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/ChainIT.java index 1a1cf44b858f..5b857ebadcaa 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/ChainIT.java +++ b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/ChainIT.java @@ -8,7 +8,9 @@ package org.elasticsearch.xpack.ccr; import org.elasticsearch.client.RestClient; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; public class ChainIT extends ESCCRRestTestCase { @@ -67,4 +69,12 @@ public class ChainIT extends ESCCRRestTestCase { } } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java index 1cf27112f0a5..e0ff2a02fc6b 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java +++ b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java @@ -12,7 +12,9 @@ import org.elasticsearch.client.Response; import org.elasticsearch.client.ResponseException; import org.elasticsearch.client.RestClient; import org.elasticsearch.cluster.metadata.DataStream; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.repositories.fs.FsRepository; import org.elasticsearch.rest.RestStatus; @@ -232,4 +234,12 @@ public class FollowIndexIT extends ESCCRRestTestCase { assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(400)); } } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/XPackUsageIT.java b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/XPackUsageIT.java index e41a95b957aa..8493f0be79a4 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/XPackUsageIT.java +++ b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/XPackUsageIT.java @@ -8,6 +8,9 @@ package org.elasticsearch.xpack.ccr; import org.elasticsearch.client.Request; import org.elasticsearch.client.RestClient; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.ObjectPath; import java.io.IOException; @@ -91,4 +94,12 @@ public class XPackUsageIT extends ESCCRRestTestCase { assertThat(followStatus, equalTo("active")); } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/x-pack/plugin/ccr/qa/non-compliant-license/build.gradle b/x-pack/plugin/ccr/qa/non-compliant-license/build.gradle index 6e4a8b1ef011..a20fab7d86d6 100644 --- a/x-pack/plugin/ccr/qa/non-compliant-license/build.gradle +++ b/x-pack/plugin/ccr/qa/non-compliant-license/build.gradle @@ -12,11 +12,15 @@ dependencies { testClusters { 'leader-cluster' { testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } 'follow-cluster' { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters.'leader-cluster'.getAllTransportPortURI().join(",")}\"" } } diff --git a/x-pack/plugin/ccr/qa/non-compliant-license/src/test/java/org/elasticsearch/xpack/ccr/CcrMultiClusterLicenseIT.java b/x-pack/plugin/ccr/qa/non-compliant-license/src/test/java/org/elasticsearch/xpack/ccr/CcrMultiClusterLicenseIT.java index 88c490a30bfc..7aa486d72873 100644 --- a/x-pack/plugin/ccr/qa/non-compliant-license/src/test/java/org/elasticsearch/xpack/ccr/CcrMultiClusterLicenseIT.java +++ b/x-pack/plugin/ccr/qa/non-compliant-license/src/test/java/org/elasticsearch/xpack/ccr/CcrMultiClusterLicenseIT.java @@ -9,6 +9,9 @@ package org.elasticsearch.xpack.ccr; import org.elasticsearch.client.Request; import org.elasticsearch.client.ResponseException; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import java.util.Locale; @@ -44,4 +47,11 @@ public class CcrMultiClusterLicenseIT extends ESCCRRestTestCase { assertThat(e, hasToString(containsString(expected))); } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/ccr/qa/restart/build.gradle b/x-pack/plugin/ccr/qa/restart/build.gradle index 82fdb18eaa5e..f143a4fade14 100644 --- a/x-pack/plugin/ccr/qa/restart/build.gradle +++ b/x-pack/plugin/ccr/qa/restart/build.gradle @@ -12,12 +12,16 @@ testClusters { 'leader-cluster' { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } 'follow-cluster' { testDistribution = 'DEFAULT' setting 'xpack.monitoring.collection.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters.'leader-cluster'.getAllTransportPortURI().get(0)}\"" } nameCustomization = { 'follow' } diff --git a/x-pack/plugin/ccr/qa/restart/src/test/java/org/elasticsearch/xpack/ccr/RestartIT.java b/x-pack/plugin/ccr/qa/restart/src/test/java/org/elasticsearch/xpack/ccr/RestartIT.java index 858ffde006fa..efb5e7a1a86c 100644 --- a/x-pack/plugin/ccr/qa/restart/src/test/java/org/elasticsearch/xpack/ccr/RestartIT.java +++ b/x-pack/plugin/ccr/qa/restart/src/test/java/org/elasticsearch/xpack/ccr/RestartIT.java @@ -10,7 +10,9 @@ package org.elasticsearch.xpack.ccr; import org.elasticsearch.client.Request; import org.elasticsearch.client.RestClient; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import java.io.IOException; @@ -95,4 +97,12 @@ public class RestartIT extends ESCCRRestTestCase { }); } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java b/x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java index 463ee9576523..7943beca98f7 100644 --- a/x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java +++ b/x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java @@ -26,7 +26,6 @@ import java.util.Locale; import java.util.Map; import java.util.concurrent.TimeUnit; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasSize; diff --git a/x-pack/plugin/core/src/yamlRestTest/java/org/elasticsearch/license/XPackCoreClientYamlTestSuiteIT.java b/x-pack/plugin/core/src/yamlRestTest/java/org/elasticsearch/license/XPackCoreClientYamlTestSuiteIT.java index ccaa10bd1d6c..b010e6c1eb13 100644 --- a/x-pack/plugin/core/src/yamlRestTest/java/org/elasticsearch/license/XPackCoreClientYamlTestSuiteIT.java +++ b/x-pack/plugin/core/src/yamlRestTest/java/org/elasticsearch/license/XPackCoreClientYamlTestSuiteIT.java @@ -15,8 +15,6 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - public class XPackCoreClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String BASIC_AUTH_VALUE = diff --git a/x-pack/plugin/data-streams/qa/rest/build.gradle b/x-pack/plugin/data-streams/qa/rest/build.gradle index d6d0de627b84..4dca8dca6b4f 100644 --- a/x-pack/plugin/data-streams/qa/rest/build.gradle +++ b/x-pack/plugin/data-streams/qa/rest/build.gradle @@ -20,6 +20,7 @@ testClusters.all { setting 'xpack.license.self_generated.type', 'trial' // disable ILM history, since it disturbs tests using _all setting 'indices.lifecycle.history_index_enabled', 'false' + setting 'xpack.security.enabled', 'false' } if (BuildParams.inFipsJvm){ // These fail in CI but only when run as part of checkPart2 and not individually. diff --git a/x-pack/plugin/enrich/qa/common/build.gradle b/x-pack/plugin/enrich/qa/common/build.gradle index 72cd4bba9116..d4f5f678196d 100644 --- a/x-pack/plugin/enrich/qa/common/build.gradle +++ b/x-pack/plugin/enrich/qa/common/build.gradle @@ -4,3 +4,9 @@ tasks.named("test").configure { enabled = false } dependencies { api project(':test:framework') } + +testClusters.all { + testDistribution = 'DEFAULT' + setting 'xpack.license.self_generated.type', 'basic' + setting 'xpack.security.enabled', 'false' +} diff --git a/x-pack/plugin/enrich/qa/rest-with-advanced-security/src/javaRestTest/java/org/elasticsearch/xpack/enrich/EnrichAdvancedSecurityIT.java b/x-pack/plugin/enrich/qa/rest-with-advanced-security/src/javaRestTest/java/org/elasticsearch/xpack/enrich/EnrichAdvancedSecurityIT.java index f2b4abd1274e..f0cb70b80f4a 100644 --- a/x-pack/plugin/enrich/qa/rest-with-advanced-security/src/javaRestTest/java/org/elasticsearch/xpack/enrich/EnrichAdvancedSecurityIT.java +++ b/x-pack/plugin/enrich/qa/rest-with-advanced-security/src/javaRestTest/java/org/elasticsearch/xpack/enrich/EnrichAdvancedSecurityIT.java @@ -6,7 +6,6 @@ */ package org.elasticsearch.xpack.enrich; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.nullValue; diff --git a/x-pack/plugin/enrich/qa/rest/build.gradle b/x-pack/plugin/enrich/qa/rest/build.gradle index 36ed24434925..0aaca0c6cc75 100644 --- a/x-pack/plugin/enrich/qa/rest/build.gradle +++ b/x-pack/plugin/enrich/qa/rest/build.gradle @@ -24,4 +24,5 @@ testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' setting 'xpack.monitoring.collection.enabled', 'true' + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java index c77c1650c5f3..217ee338f6dc 100644 --- a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java +++ b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java @@ -9,6 +9,9 @@ package org.elasticsearch.test.eql.stats; import org.elasticsearch.client.Request; import org.elasticsearch.client.RestHighLevelClient; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.common.xcontent.json.JsonXContent; import org.elasticsearch.test.eql.DataLoader; @@ -373,4 +376,12 @@ public abstract class EqlUsageRestTestCase extends ESRestTestCase { } return highLevelClient; } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/eql/qa/correctness/build.gradle b/x-pack/plugin/eql/qa/correctness/build.gradle index 00078b324fba..2f7fbc93d370 100644 --- a/x-pack/plugin/eql/qa/correctness/build.gradle +++ b/x-pack/plugin/eql/qa/correctness/build.gradle @@ -40,6 +40,8 @@ testClusters { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' jvmArgs '-Xms4g', '-Xmx4g' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } runTask { jvmArgs '-Xms8g', '-Xmx8g' diff --git a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java index b05d513eae76..e846ff363b4f 100644 --- a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java +++ b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java @@ -20,7 +20,9 @@ import org.elasticsearch.client.RestClientBuilder; import org.elasticsearch.client.RestHighLevelClient; import org.elasticsearch.client.eql.EqlSearchRequest; import org.elasticsearch.client.eql.EqlSearchResponse; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.junit.annotations.TestLogging; import org.elasticsearch.test.rest.ESRestTestCase; import org.junit.After; @@ -84,6 +86,12 @@ public class EsEQLCorrectnessIT extends ESRestTestCase { return true; } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build(); + } + @Override protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException { RestClientBuilder builder = RestClient.builder(hosts); diff --git a/x-pack/plugin/eql/qa/mixed-node/build.gradle b/x-pack/plugin/eql/qa/mixed-node/build.gradle index 56196d10af59..e02130fe89f5 100644 --- a/x-pack/plugin/eql/qa/mixed-node/build.gradle +++ b/x-pack/plugin/eql/qa/mixed-node/build.gradle @@ -32,7 +32,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible.findAll { it.on setting 'xpack.security.enabled', 'false' setting 'xpack.watcher.enabled', 'false' setting 'xpack.ml.enabled', 'false' - setting 'xpack.eql.enabled', 'true' + setting 'xpack.eql.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' // for debugging purposes // setting 'logger.org.elasticsearch.xpack.eql.plugin.TransportEqlSearchAction', 'TRACE' diff --git a/x-pack/plugin/eql/qa/rest/build.gradle b/x-pack/plugin/eql/qa/rest/build.gradle index 94094e61e301..2cef8e06e372 100644 --- a/x-pack/plugin/eql/qa/rest/build.gradle +++ b/x-pack/plugin/eql/qa/rest/build.gradle @@ -23,4 +23,5 @@ testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' setting 'xpack.monitoring.collection.enabled', 'true' + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestIT.java b/x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestIT.java index 14150a830dcc..63158dcc501d 100644 --- a/x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestIT.java +++ b/x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestIT.java @@ -7,7 +7,18 @@ package org.elasticsearch.xpack.eql; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.eql.EqlRestTestCase; public class EqlRestIT extends EqlRestTestCase { + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/fleet/build.gradle b/x-pack/plugin/fleet/build.gradle index bc135af76077..b1abb6eb5867 100644 --- a/x-pack/plugin/fleet/build.gradle +++ b/x-pack/plugin/fleet/build.gradle @@ -24,4 +24,6 @@ dependencies { testClusters.all { testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'true' + user username: 'x_pack_rest_user', password: 'x-pack-test-password', role: 'superuser' } diff --git a/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java b/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java index a08c509530bd..54d825c4320b 100644 --- a/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java +++ b/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java @@ -62,7 +62,6 @@ import java.util.concurrent.TimeUnit; import static java.util.Collections.singletonMap; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.greaterThanOrEqualTo; diff --git a/x-pack/plugin/logstash/build.gradle b/x-pack/plugin/logstash/build.gradle index d7ba5b977d20..9a3649b2e3b0 100644 --- a/x-pack/plugin/logstash/build.gradle +++ b/x-pack/plugin/logstash/build.gradle @@ -19,4 +19,6 @@ dependencies { testClusters.all { testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'true' + user username: 'x_pack_rest_user', password: 'x-pack-test-password', role: 'superuser' } diff --git a/x-pack/plugin/repositories-metering-api/build.gradle b/x-pack/plugin/repositories-metering-api/build.gradle index 37e325d6c0db..620b3e79a2b9 100644 --- a/x-pack/plugin/repositories-metering-api/build.gradle +++ b/x-pack/plugin/repositories-metering-api/build.gradle @@ -14,4 +14,8 @@ dependencies { testImplementation(testArtifact(project(xpackModule('core')))) } -addQaCheckDependencies() \ No newline at end of file +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + +addQaCheckDependencies() diff --git a/x-pack/plugin/repositories-metering-api/qa/azure/build.gradle b/x-pack/plugin/repositories-metering-api/qa/azure/build.gradle index 3c4e7713d4ec..9fb21a521a6f 100644 --- a/x-pack/plugin/repositories-metering-api/qa/azure/build.gradle +++ b/x-pack/plugin/repositories-metering-api/qa/azure/build.gradle @@ -48,6 +48,10 @@ if (useFixture) { testFixtures.useFixture(fixture.path, 'azure-fixture-repositories-metering') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest") { dependsOn ":plugins:repository-azure:bundlePlugin" systemProperty 'test.azure.container', azureContainer diff --git a/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle b/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle index 0621318711a8..4341df5cc8d1 100644 --- a/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle +++ b/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle @@ -50,6 +50,10 @@ if (!gcsServiceAccount && !gcsBucket && !gcsBasePath) { serviceAccountFile = new File(gcsServiceAccount) } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + /** A service account file that points to the Google Cloud Storage service emulated by the fixture **/ tasks.register("createServiceAccountFile") { doLast { diff --git a/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle b/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle index 613cb3f34cc2..7e4fdf19e80b 100644 --- a/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle +++ b/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle @@ -67,6 +67,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { } else { println "Using an external service to test " + project.name } + setting 'xpack.security.enabled', 'false' } tasks.register("s3ThirdPartyTest").configure { diff --git a/x-pack/plugin/rollup/qa/rest/build.gradle b/x-pack/plugin/rollup/qa/rest/build.gradle index f185a194681d..29a02e1f8323 100644 --- a/x-pack/plugin/rollup/qa/rest/build.gradle +++ b/x-pack/plugin/rollup/qa/rest/build.gradle @@ -23,6 +23,7 @@ testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' systemProperty 'es.rollup_v2_feature_flag_enabled', 'true' + setting 'xpack.security.enabled', 'false' } tasks.named("test").configure{enabled = false } diff --git a/x-pack/plugin/searchable-snapshots/qa/azure/build.gradle b/x-pack/plugin/searchable-snapshots/qa/azure/build.gradle index 421b72f127dd..983bc4a5f66d 100644 --- a/x-pack/plugin/searchable-snapshots/qa/azure/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/azure/build.gradle @@ -59,6 +59,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { } setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'false' if (useFixture) { def fixtureAddress = { fixtureName -> diff --git a/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle b/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle index 125edf8f4800..4fd000131768 100644 --- a/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle @@ -111,6 +111,8 @@ testClusters.matching { it.name == "integTest" }.configureEach { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/searchable-snapshots/qa/hdfs/build.gradle b/x-pack/plugin/searchable-snapshots/qa/hdfs/build.gradle index f93962b5a617..282dc905f1a6 100644 --- a/x-pack/plugin/searchable-snapshots/qa/hdfs/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/hdfs/build.gradle @@ -134,6 +134,8 @@ testClusters.configureEach { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } testClusters.matching { it.name == "integTestSecure" }.configureEach { diff --git a/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle b/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle index 3669b0aa9f9f..d3217f791c28 100644 --- a/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle @@ -43,5 +43,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/searchable-snapshots/qa/rest/build.gradle b/x-pack/plugin/searchable-snapshots/qa/rest/build.gradle index e0536ef86232..c80fbe9dee4e 100644 --- a/x-pack/plugin/searchable-snapshots/qa/rest/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/rest/build.gradle @@ -25,4 +25,6 @@ testClusters.all { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle b/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle index 5c0854da74a5..5cdd86299ff9 100644 --- a/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle @@ -70,6 +70,8 @@ testClusters.matching { it.name == "integTest" }.configureEach { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } tasks.register("s3ThirdPartyTest") { diff --git a/x-pack/plugin/searchable-snapshots/qa/url/build.gradle b/x-pack/plugin/searchable-snapshots/qa/url/build.gradle index 9ff963715a0a..e4ffce305b8d 100644 --- a/x-pack/plugin/searchable-snapshots/qa/url/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/url/build.gradle @@ -43,4 +43,6 @@ testClusters.matching { it.name == "integTest" }.configureEach { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/security/qa/basic-enable-security/build.gradle b/x-pack/plugin/security/qa/basic-enable-security/build.gradle index 5d710ceffdc1..99afa12a831a 100644 --- a/x-pack/plugin/security/qa/basic-enable-security/build.gradle +++ b/x-pack/plugin/security/qa/basic-enable-security/build.gradle @@ -4,6 +4,9 @@ import org.elasticsearch.gradle.info.BuildParams apply plugin: 'elasticsearch.java-rest-test' +//randomise between implicitly and explicitly disabled security +boolean implicitlyDisabledSecurity = (new Random(Long.parseUnsignedLong(BuildParams.testSeed.tokenize(':').get(0), 16))).nextBoolean() + dependencies { javaRestTestImplementation(testArtifact(project(xpackModule('security')))) javaRestTestImplementation(testArtifact(project(xpackModule('core')))) @@ -11,7 +14,9 @@ dependencies { tasks.named("javaRestTest").configure { description = "Run tests against a cluster that doesn't have security" - systemProperty 'tests.has_security', 'false' + if (!implicitlyDisabledSecurity) { + systemProperty 'tests.has_security', 'false' + } } if (BuildParams.inFipsJvm){ @@ -25,11 +30,14 @@ testClusters { numberOfNodes = 2 setting 'xpack.ml.enabled', 'false' setting 'xpack.license.self_generated.type', 'basic' - setting 'xpack.security.enabled', 'false' + if (!implicitlyDisabledSecurity) { + setting 'xpack.security.enabled', 'false' + } } } -tasks.register("javaRestTestWithSecurity", StandaloneRestIntegTestTask) { +tasks.register("javaRestTestWithSecurityEnabled", StandaloneRestIntegTestTask) { + mustRunAfter("javaRestTest") description = "Run tests against a cluster that has security enabled" dependsOn "javaRestTest" useCluster testClusters.javaRestTest @@ -64,5 +72,5 @@ tasks.register("javaRestTestWithSecurity", StandaloneRestIntegTestTask) { nonInputProperties.systemProperty 'tests.rest.cluster', "${-> testClusters.javaRestTest.getAllHttpSocketURI().join(",")}" } } -tasks.named("check").configure { dependsOn("javaRestTestWithSecurity") } +tasks.named("check").configure { dependsOn("javaRestTestWithSecurityEnabled") } diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java index f43e2f7c75a2..69e1c0bd91d3 100644 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java +++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java @@ -6,10 +6,14 @@ */ package org.elasticsearch.xpack.security; +import org.apache.http.HttpHost; import org.apache.http.util.EntityUtils; +import org.elasticsearch.Version; import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; import org.elasticsearch.client.ResponseException; +import org.elasticsearch.client.RestClient; +import org.elasticsearch.client.RestClientBuilder; import org.elasticsearch.common.Booleans; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; @@ -17,14 +21,15 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.yaml.ObjectPath; import org.elasticsearch.xpack.security.authc.InternalRealms; +import org.hamcrest.Matchers; import org.junit.BeforeClass; import java.io.IOException; import java.util.Arrays; +import java.util.List; import java.util.Locale; import java.util.Map; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; @@ -33,11 +38,13 @@ import static org.hamcrest.Matchers.notNullValue; public class EnableSecurityOnBasicLicenseIT extends ESRestTestCase { private static boolean securityEnabled; + private static boolean securityExplicitlySet; @BeforeClass public static void checkTestMode() { final String hasSecurity = System.getProperty("tests.has_security"); - securityEnabled = Booleans.parseBoolean(hasSecurity); + securityExplicitlySet = hasSecurity != null; + securityEnabled = hasSecurity == null ? false : Booleans.parseBoolean(hasSecurity); } @Override @@ -58,10 +65,24 @@ public class EnableSecurityOnBasicLicenseIT extends ESRestTestCase { @Override protected boolean preserveClusterUponCompletion() { - // If this is the first run (security not yet enabled), then don't clean up afterwards because we want to test restart with data + // If this is one of the first two runs (security not yet enabled), then don't clean up afterwards because we want to test restart + // with data return securityEnabled == false; } + @Override + protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException { + RestClientBuilder builder = RestClient.builder(hosts); + configureClient(builder, settings); + if (System.getProperty("tests.has_security") != null) { + builder.setStrictDeprecationMode(true); + } else { + builder.setStrictDeprecationMode(false); + } + return builder.build(); + } + + public void testSecuritySetup() throws Exception { logger.info("Security status: {}", securityEnabled); logger.info("Cluster:\n{}", getClusterInfo()); @@ -74,7 +95,8 @@ public class EnableSecurityOnBasicLicenseIT extends ESRestTestCase { } checkAllowedWrite("index_allowed"); - // Security runs second, and should see the doc from the first (non-security) run + // Security runs third, and should see the docs from the first two (non-security) runs + // Security explicitly disabled runs second and should see the doc from the first (implicitly disabled) run final int expectedIndexCount = securityEnabled ? 2 : 1; checkIndexCount("index_allowed", expectedIndexCount); @@ -84,6 +106,22 @@ public class EnableSecurityOnBasicLicenseIT extends ESRestTestCase { } else { checkAllowedWrite(otherIndex); } + checkSecurityDisabledWarning(); + } + + public void checkSecurityDisabledWarning() throws Exception { + final Request request = new Request("GET", "/_cat/indices"); + Response response = client().performRequest(request); + List warningHeaders = response.getWarnings(); + if (securityExplicitlySet) { + assertThat (warningHeaders, Matchers.empty()); + } else { + assertThat (warningHeaders, Matchers.hasSize(1)); + assertThat (warningHeaders.get(0), + containsString("Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be " + + "accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security.")); + } } private String getClusterInfo() throws IOException { diff --git a/x-pack/plugin/security/qa/security-not-enabled/build.gradle b/x-pack/plugin/security/qa/security-not-enabled/build.gradle index 4526d44576e9..9b9ba98f53f8 100644 --- a/x-pack/plugin/security/qa/security-not-enabled/build.gradle +++ b/x-pack/plugin/security/qa/security-not-enabled/build.gradle @@ -21,4 +21,5 @@ testClusters.all { // We run with a trial license, but do not enable security. // This means the security plugin is loaded and all feature are permitted, but they are not enabled setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/test/rest/CatIndicesWithSecurityIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/test/rest/CatIndicesWithSecurityIT.java index 4ca468619d1a..c26804c9d112 100644 --- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/test/rest/CatIndicesWithSecurityIT.java +++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/test/rest/CatIndicesWithSecurityIT.java @@ -18,7 +18,6 @@ import org.elasticsearch.test.rest.ESRestTestCase; import java.io.IOException; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.matchesRegex; public class CatIndicesWithSecurityIT extends ESRestTestCase { diff --git a/x-pack/plugin/security/qa/tls-basic/build.gradle b/x-pack/plugin/security/qa/tls-basic/build.gradle index 951488c246f7..4e65c0e4472c 100644 --- a/x-pack/plugin/security/qa/tls-basic/build.gradle +++ b/x-pack/plugin/security/qa/tls-basic/build.gradle @@ -24,6 +24,7 @@ testClusters.javaRestTest { setting 'xpack.ml.enabled', 'false' setting 'xpack.license.self_generated.type', 'basic' + setting 'xpack.security.enabled', 'true' setting 'xpack.security.http.ssl.enabled', 'true' setting 'xpack.security.http.ssl.certificate', 'http.crt' setting 'xpack.security.http.ssl.key', 'http.key' @@ -34,4 +35,5 @@ testClusters.javaRestTest { setting 'xpack.security.transport.ssl.key', 'transport.key' setting 'xpack.security.transport.ssl.key_passphrase', 'transport-password' setting 'xpack.security.transport.ssl.certificate_authorities', 'ca.crt' + user username: 'admin', password: 'admin-password', role: 'superuser' } diff --git a/x-pack/plugin/security/qa/tls-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java b/x-pack/plugin/security/qa/tls-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java index b08265a16965..5f76628accf7 100644 --- a/x-pack/plugin/security/qa/tls-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java +++ b/x-pack/plugin/security/qa/tls-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java @@ -10,7 +10,9 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; import org.elasticsearch.client.ResponseException; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.yaml.ObjectPath; import org.junit.AfterClass; @@ -55,7 +57,9 @@ public class TlsWithBasicLicenseIT extends ESRestTestCase { @Override protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) .put(TRUSTSTORE_PATH, httpTrustStore) .put(TRUSTSTORE_PASSWORD, "password") .build(); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java index d425200e79e1..643e7562ea8a 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java @@ -11,8 +11,10 @@ import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.message.ParameterizedMessage; import org.apache.logging.log4j.util.Supplier; import org.elasticsearch.ExceptionsHelper; +import org.elasticsearch.Version; import org.elasticsearch.action.ActionListener; import org.elasticsearch.client.node.NodeClient; +import org.elasticsearch.common.logging.HeaderWarning; import org.elasticsearch.common.util.Maps; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.MediaType; @@ -88,6 +90,11 @@ public class SecurityRestFilter implements RestHandler { e -> handleException("Secondary authentication", request, channel, e))); }, e -> handleException("Authentication", request, channel, e))); } else { + if (request.method() != Method.OPTIONS) { + HeaderWarning.addWarning("Elasticsearch built-in security features are not enabled. Without authentication, your cluster " + + "could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); + } restHandler.handleRequest(request, channel, client); } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java index b42fdf26891d..da71f41bb860 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java @@ -9,6 +9,7 @@ package org.elasticsearch.xpack.security.support; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.Version; import org.elasticsearch.license.LicenseStateListener; import org.elasticsearch.license.XPackLicenseState; @@ -40,6 +41,11 @@ public class SecurityStatusChangeListener implements LicenseStateListener { // old state might be null (undefined) so do Object comparison if (Objects.equals(newState, securityEnabled) == false) { logger.info("Active license is now [{}]; Security is {}", licenseState.getOperationMode(), newState ? "enabled" : "disabled"); + if (newState == false) { + logger.warn("Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be " + + "accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); + } this.securityEnabled = newState; } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java index cac1b0395d9f..fb4f37018954 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java @@ -9,6 +9,7 @@ package org.elasticsearch.xpack.security.rest; import com.nimbusds.jose.util.StandardCharset; import org.apache.lucene.util.SetOnce; import org.elasticsearch.ElasticsearchException; +import org.elasticsearch.Version; import org.elasticsearch.action.ActionListener; import org.elasticsearch.client.node.NodeClient; import org.elasticsearch.common.bytes.BytesArray; @@ -143,6 +144,9 @@ public class SecurityRestFilterTests extends ESTestCase { RestRequest request = mock(RestRequest.class); when(licenseState.isSecurityEnabled()).thenReturn(false); filter.handleRequest(request, channel, null); + assertWarnings("Elasticsearch built-in security features are not enabled. Without authentication, your cluster " + + "could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); verify(restHandler).handleRequest(request, channel, null); verifyZeroInteractions(channel, authcService); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java index d28eecad35ec..4dffe7b93e4c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java @@ -10,6 +10,7 @@ package org.elasticsearch.xpack.security.support; import org.apache.logging.log4j.Level; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.Version; import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.license.License; import org.elasticsearch.license.XPackLicenseState; @@ -63,7 +64,14 @@ public class SecurityStatusChangeListenerTests extends ESTestCase { Level.INFO, "Active license is now [PLATINUM]; Security is enabled" )); - + logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( + "built-in security features are not enabled", + listener.getClass().getName(), + Level.WARN, + "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible " + + "to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security." + )); when(licenseState.isSecurityEnabled()).thenReturn(false); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( @@ -87,6 +95,14 @@ public class SecurityStatusChangeListenerTests extends ESTestCase { Level.INFO, "Active license is now [TRIAL]; Security is disabled" )); + logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( + "built-in security features are not enabled", + listener.getClass().getName(), + Level.WARN, + "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible " + + "to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security." + )); listener.licenseStateChanged(); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); diff --git a/x-pack/plugin/shutdown/qa/multi-node/build.gradle b/x-pack/plugin/shutdown/qa/multi-node/build.gradle index 40205e8aa6a0..8e2a37463786 100644 --- a/x-pack/plugin/shutdown/qa/multi-node/build.gradle +++ b/x-pack/plugin/shutdown/qa/multi-node/build.gradle @@ -17,4 +17,6 @@ testClusters.all { numberOfNodes = 4 systemProperty 'es.shutdown_feature_flag_enabled', 'true' + setting 'xpack.security.enabled', 'true' + user username: clusterCredentials.username, password: clusterCredentials.password, role: 'superuser' } diff --git a/x-pack/plugin/shutdown/qa/multi-node/src/javaRestTest/java/org/elasticsearch/xpack/shutdown/NodeShutdownIT.java b/x-pack/plugin/shutdown/qa/multi-node/src/javaRestTest/java/org/elasticsearch/xpack/shutdown/NodeShutdownIT.java index ad88b24ae284..b99571e69db7 100644 --- a/x-pack/plugin/shutdown/qa/multi-node/src/javaRestTest/java/org/elasticsearch/xpack/shutdown/NodeShutdownIT.java +++ b/x-pack/plugin/shutdown/qa/multi-node/src/javaRestTest/java/org/elasticsearch/xpack/shutdown/NodeShutdownIT.java @@ -8,6 +8,9 @@ package org.elasticsearch.xpack.shutdown; import org.elasticsearch.client.Request; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import java.io.IOException; @@ -62,4 +65,13 @@ public class NodeShutdownIT extends ESRestTestCase { List> nodesArray = (List>) statusResponse.get("nodes"); assertThat(nodesArray, empty()); } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue( + System.getProperty("tests.rest.cluster.username"), + new SecureString(System.getProperty("tests.rest.cluster.password").toCharArray()) + ); + return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build(); + } } diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/azure/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/azure/build.gradle index e946c825c435..a568112ea190 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/azure/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/azure/build.gradle @@ -48,6 +48,10 @@ if (useFixture) { testFixtures.useFixture(fixture.path, 'azure-fixture-repository-test-kit') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest").configure { systemProperty 'test.azure.container', azureContainer nonInputProperties.systemProperty 'test.azure.base_path', azureBasePath + "_repository_test_kit_tests_" + BuildParams.testSeed diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/gcs/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/gcs/build.gradle index df678b3673b2..dd5dcdab36e4 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/gcs/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/gcs/build.gradle @@ -107,6 +107,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { } else { println "Using an external service to test " + project.name } + setting 'xpack.security.enabled', 'false' } tasks.register("gcsThirdPartyTest") { diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/minio/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/minio/build.gradle index 0f73503021d2..f248fd778ddb 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/minio/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/minio/build.gradle @@ -46,5 +46,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { keystore 's3.client.repository_test_kit.secret_key', 's3_test_secret_key' setting 's3.client.repository_test_kit.protocol', 'http' setting 's3.client.repository_test_kit.endpoint', { "${-> fixtureAddress()}" }, IGNORE_VALUE + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/rest/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/rest/build.gradle index 7b11e8637f61..9572362314f7 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/rest/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/rest/build.gradle @@ -17,6 +17,7 @@ tasks.named("integTest").configure { testClusters.matching { it.name == "integTest" }.configureEach { testDistribution = 'DEFAULT' setting 'path.repo', repoDir.absolutePath + setting 'xpack.security.enabled', 'false' } restResources { diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/s3/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/s3/build.gradle index 33b65606b762..0d18dbd98e30 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/s3/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/s3/build.gradle @@ -72,6 +72,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { } else { println "Using an external service to test " + project.name } + setting 'xpack.security.enabled', 'false' } tasks.register("s3ThirdPartyTest") { diff --git a/x-pack/plugin/spatial/build.gradle b/x-pack/plugin/spatial/build.gradle index 5d9dfc5056fd..ca9ddaa37ac4 100644 --- a/x-pack/plugin/spatial/build.gradle +++ b/x-pack/plugin/spatial/build.gradle @@ -30,4 +30,5 @@ restResources { testClusters.all { setting 'xpack.license.self_generated.type', 'trial' testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/sql/qa/jdbc/security/src/test/java/org/elasticsearch/xpack/sql/qa/jdbc/security/JdbcConnectionIT.java b/x-pack/plugin/sql/qa/jdbc/security/src/test/java/org/elasticsearch/xpack/sql/qa/jdbc/security/JdbcConnectionIT.java index 520c981c5eed..b26b9bbeea29 100644 --- a/x-pack/plugin/sql/qa/jdbc/security/src/test/java/org/elasticsearch/xpack/sql/qa/jdbc/security/JdbcConnectionIT.java +++ b/x-pack/plugin/sql/qa/jdbc/security/src/test/java/org/elasticsearch/xpack/sql/qa/jdbc/security/JdbcConnectionIT.java @@ -19,8 +19,6 @@ import java.nio.file.Files; import java.nio.file.Path; import java.util.Properties; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - public class JdbcConnectionIT extends ConnectionTestCase { static final boolean SSL_ENABLED = Booleans.parseBoolean(System.getProperty("tests.ssl.enabled"), false); diff --git a/x-pack/plugin/sql/qa/mixed-node/build.gradle b/x-pack/plugin/sql/qa/mixed-node/build.gradle index f2cdea359902..5314e78663e0 100644 --- a/x-pack/plugin/sql/qa/mixed-node/build.gradle +++ b/x-pack/plugin/sql/qa/mixed-node/build.gradle @@ -14,6 +14,10 @@ dependencies { testImplementation project(xpackModule('sql')) } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest").configure{ enabled = false} // A bug (https://github.com/elastic/elasticsearch/issues/68439) limits us to perform tests with versions from 7.10.3 onwards diff --git a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/RestSqlIT.java b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/RestSqlIT.java index 936356a602b7..4937b8e4a72e 100644 --- a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/RestSqlIT.java +++ b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/RestSqlIT.java @@ -18,8 +18,6 @@ import java.net.URISyntaxException; import java.nio.file.Files; import java.nio.file.Path; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - /** * Integration test for the rest sql action. The one that speaks json directly to a * user rather than to the JDBC driver or CLI. diff --git a/x-pack/plugin/transform/qa/single-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformRestTestCase.java b/x-pack/plugin/transform/qa/single-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformRestTestCase.java index 2a9ea04d885c..ae98a220aebb 100644 --- a/x-pack/plugin/transform/qa/single-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformRestTestCase.java +++ b/x-pack/plugin/transform/qa/single-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformRestTestCase.java @@ -41,7 +41,6 @@ import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.equalTo; public abstract class TransformRestTestCase extends ESRestTestCase { diff --git a/x-pack/plugin/watcher/qa/rest/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherTestSuiteIT.java b/x-pack/plugin/watcher/qa/rest/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherTestSuiteIT.java index 5b8a493aadc3..4686eb7d935e 100644 --- a/x-pack/plugin/watcher/qa/rest/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherTestSuiteIT.java +++ b/x-pack/plugin/watcher/qa/rest/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherTestSuiteIT.java @@ -24,7 +24,6 @@ import java.util.concurrent.atomic.AtomicReference; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; import static org.elasticsearch.rest.action.search.RestSearchAction.TOTAL_HITS_AS_INT_PARAM; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; import static org.hamcrest.Matchers.greaterThanOrEqualTo; import static org.hamcrest.Matchers.hasEntry; import static org.hamcrest.Matchers.is; diff --git a/x-pack/plugin/watcher/qa/with-security/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityIT.java b/x-pack/plugin/watcher/qa/with-security/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityIT.java index a02c3a0651f0..bf8f076f0eee 100644 --- a/x-pack/plugin/watcher/qa/with-security/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityIT.java +++ b/x-pack/plugin/watcher/qa/with-security/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityIT.java @@ -25,7 +25,6 @@ import java.util.concurrent.atomic.AtomicReference; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; import static org.elasticsearch.rest.action.search.RestSearchAction.TOTAL_HITS_AS_INT_PARAM; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; import static org.hamcrest.Matchers.greaterThanOrEqualTo; import static org.hamcrest.Matchers.hasEntry; import static org.hamcrest.Matchers.is; diff --git a/x-pack/plugin/watcher/qa/with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityClientYamlTestSuiteIT.java b/x-pack/plugin/watcher/qa/with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityClientYamlTestSuiteIT.java index b9b21e5219c9..8f07ee64a63f 100644 --- a/x-pack/plugin/watcher/qa/with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityClientYamlTestSuiteIT.java +++ b/x-pack/plugin/watcher/qa/with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityClientYamlTestSuiteIT.java @@ -13,12 +13,9 @@ import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; -import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; import org.elasticsearch.xpack.watcher.WatcherYamlSuiteTestCase; import org.junit.Before; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public class SmokeTestWatcherWithSecurityClientYamlTestSuiteIT extends WatcherYamlSuiteTestCase { private static final String TEST_ADMIN_USERNAME = "test_admin"; diff --git a/x-pack/qa/core-rest-tests-with-security/src/test/java/org/elasticsearch/xpack/security/CoreWithSecurityClientYamlTestSuiteIT.java b/x-pack/qa/core-rest-tests-with-security/src/test/java/org/elasticsearch/xpack/security/CoreWithSecurityClientYamlTestSuiteIT.java index 14e9fbc250b0..ea509a3c1fb0 100644 --- a/x-pack/qa/core-rest-tests-with-security/src/test/java/org/elasticsearch/xpack/security/CoreWithSecurityClientYamlTestSuiteIT.java +++ b/x-pack/qa/core-rest-tests-with-security/src/test/java/org/elasticsearch/xpack/security/CoreWithSecurityClientYamlTestSuiteIT.java @@ -19,8 +19,6 @@ import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; import java.util.Objects; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - @TimeoutSuite(millis = 30 * TimeUnits.MINUTE) // as default timeout seems not enough on the jenkins VMs public class CoreWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { diff --git a/x-pack/qa/multi-cluster-search-security/src/test/java/org/elasticsearch/xpack/security/MultiClusterSearchWithSecurityYamlTestSuiteIT.java b/x-pack/qa/multi-cluster-search-security/src/test/java/org/elasticsearch/xpack/security/MultiClusterSearchWithSecurityYamlTestSuiteIT.java index 60070d8b9853..e4f08aecb60b 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/java/org/elasticsearch/xpack/security/MultiClusterSearchWithSecurityYamlTestSuiteIT.java +++ b/x-pack/qa/multi-cluster-search-security/src/test/java/org/elasticsearch/xpack/security/MultiClusterSearchWithSecurityYamlTestSuiteIT.java @@ -15,8 +15,6 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public class MultiClusterSearchWithSecurityYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String USER = "test_user"; diff --git a/x-pack/qa/multi-cluster-tests-with-security/src/test/java/org/elasticsearch/multi_cluster/MultiClusterYamlTestSuiteIT.java b/x-pack/qa/multi-cluster-tests-with-security/src/test/java/org/elasticsearch/multi_cluster/MultiClusterYamlTestSuiteIT.java index ca7fd7d588e6..c08e331f9099 100644 --- a/x-pack/qa/multi-cluster-tests-with-security/src/test/java/org/elasticsearch/multi_cluster/MultiClusterYamlTestSuiteIT.java +++ b/x-pack/qa/multi-cluster-tests-with-security/src/test/java/org/elasticsearch/multi_cluster/MultiClusterYamlTestSuiteIT.java @@ -18,8 +18,6 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - @TimeoutSuite(millis = 5 * TimeUnits.MINUTE) // to account for slow as hell VMs public class MultiClusterYamlTestSuiteIT extends ESClientYamlSuiteTestCase { diff --git a/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/GlobalCheckpointSyncActionIT.java b/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/GlobalCheckpointSyncActionIT.java index 5a950088a1af..52b62687db27 100644 --- a/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/GlobalCheckpointSyncActionIT.java +++ b/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/GlobalCheckpointSyncActionIT.java @@ -17,7 +17,6 @@ import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.yaml.ObjectPath; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; import static org.hamcrest.Matchers.equalTo; public class GlobalCheckpointSyncActionIT extends ESRestTestCase { diff --git a/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/RollupIT.java b/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/RollupIT.java index ff3fde8893d9..b8d0aff1e783 100644 --- a/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/RollupIT.java +++ b/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/RollupIT.java @@ -33,7 +33,6 @@ import java.util.Map; import java.util.concurrent.TimeUnit; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.oneOf; diff --git a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java index c971306f4172..46b0fbedd6af 100644 --- a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java +++ b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java @@ -21,8 +21,6 @@ import java.io.FileNotFoundException; import java.net.URL; import java.nio.file.Path; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - public class ReindexWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String USER = "test_admin"; private static final String PASS = "x-pack-test-password"; diff --git a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityIT.java b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityIT.java index 2daff698ed4f..b07cd7396c3c 100644 --- a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityIT.java +++ b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityIT.java @@ -33,7 +33,6 @@ import java.net.URL; import java.nio.file.Path; import java.util.Collections; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.is; diff --git a/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java b/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java index 72bc13e24b5e..b78a73c9972f 100644 --- a/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java +++ b/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java @@ -10,6 +10,7 @@ import org.elasticsearch.Version; import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; import org.elasticsearch.common.io.Streams; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; @@ -21,12 +22,10 @@ import java.util.Collections; import java.util.List; import java.util.stream.Collectors; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public abstract class AbstractUpgradeTestCase extends ESRestTestCase { private static final String BASIC_AUTH_VALUE = - basicAuthHeaderValue("test_user", SecuritySettingsSourceField.TEST_PASSWORD); + basicAuthHeaderValue("test_user", new SecureString(SecuritySettingsSourceField.TEST_PASSWORD)); protected static final Version UPGRADE_FROM_VERSION = Version.fromString(System.getProperty("tests.upgrade_from_version")); diff --git a/x-pack/qa/runtime-fields/build.gradle b/x-pack/qa/runtime-fields/build.gradle index 077b05a8e349..550f8df95ba2 100644 --- a/x-pack/qa/runtime-fields/build.gradle +++ b/x-pack/qa/runtime-fields/build.gradle @@ -29,6 +29,7 @@ subprojects { testClusters.matching { it.name == "yamlRestTest" }.configureEach { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'false' } tasks.named("yamlRestTest").configure { diff --git a/x-pack/qa/runtime-fields/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java b/x-pack/qa/runtime-fields/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java index c1dd3129aa76..44718bd5cad0 100644 --- a/x-pack/qa/runtime-fields/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java +++ b/x-pack/qa/runtime-fields/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java @@ -29,8 +29,6 @@ import java.io.IOException; import java.util.Collections; import java.util.Map; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - public class PermissionsIT extends ESRestTestCase { private static HighLevelClient highLevelClient; diff --git a/x-pack/qa/smoke-test-plugins/src/test/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java b/x-pack/qa/smoke-test-plugins/src/test/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java index acb0d01b7a08..5f43aec0f24a 100644 --- a/x-pack/qa/smoke-test-plugins/src/test/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java +++ b/x-pack/qa/smoke-test-plugins/src/test/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java @@ -15,8 +15,6 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public class XSmokeTestPluginsClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String USER = "test_user"; diff --git a/x-pack/qa/smoke-test-security-with-mustache/src/test/java/org/elasticsearch/smoketest/SmokeTestSecurityWithMustacheClientYamlTestSuiteIT.java b/x-pack/qa/smoke-test-security-with-mustache/src/test/java/org/elasticsearch/smoketest/SmokeTestSecurityWithMustacheClientYamlTestSuiteIT.java index 4aabba22733b..343cdb931542 100644 --- a/x-pack/qa/smoke-test-security-with-mustache/src/test/java/org/elasticsearch/smoketest/SmokeTestSecurityWithMustacheClientYamlTestSuiteIT.java +++ b/x-pack/qa/smoke-test-security-with-mustache/src/test/java/org/elasticsearch/smoketest/SmokeTestSecurityWithMustacheClientYamlTestSuiteIT.java @@ -15,8 +15,6 @@ import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public class SmokeTestSecurityWithMustacheClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String BASIC_AUTH_VALUE = basicAuthHeaderValue("test_admin",