From 090d42d3e6c2181d12a92e856ee818dbdef0259a Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Fri, 7 Jun 2019 14:18:05 +1000 Subject: [PATCH] Permit API Keys on Basic License (#42973) Kibana alerting is going to be built using API Keys, and should be permitted on a basic license. This commit moves API Keys (but not Tokens) to the Basic license Relates: elastic/kibana#36836 Backport of: #42787
---
 .../elasticsearch/license/XPackLicenseState.java | 4 ++-- .../license/XPackLicenseStateTests.java | 16 ++++++++++++++++ .../security/SecurityWithBasicLicenseIT.java | 14 +++++--------- 3 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
index e206ed3db5149..32f163a773a8e 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
@@ -454,12 +454,12 @@ public synchronized boolean isTokenServiceAllowed() {
 }
 /**
- * @return whether the Elasticsearch {@code ApiKeyService} is allowed based on the license {@link OperationMode}
+ * @return whether the Elasticsearch {@code ApiKeyService} is allowed based on the current node/cluster state
 */
 public synchronized boolean isApiKeyServiceAllowed() {
 final OperationMode mode = status.mode;
 final boolean isSecurityCurrentlyEnabled = isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
- return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
+ return isSecurityCurrentlyEnabled;
 }
 /**
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
index bc8d7817f4d69..9fa22b82a8e7a 100644
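Review bot: The replacement Javadoc on `isApiKeyServiceAllowed()` ("based on the current node/cluster state") no longer tells a reader what actually gates API keys. The visible body now returns only the result of `isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled)`, so the license mode still matters indirectly, and the test expectations added elsewhere in this patch show `true` on expired Gold and Platinum licenses, i.e. expiry is not a gate. Since API keys are long-lived credentials, I would state the rule outright, for example `@return whether the Elasticsearch {@code ApiKeyService} is allowed: true on any license {@link OperationMode} for which security is currently enabled, regardless of license expiry`. Whether every mode really resolves that way depends on `isSecurityEnabled`, which is outside this hunk, so please confirm the wording against it.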
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -107,6 +107,8 @@ public void testSecurityBasicWithoutExplicitSecurityEnabled() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
+ assertThat(licenseState.isTokenServiceAllowed(), is(false));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
 assertThat(licenseState.isSecurityAvailable(), is(true));
 assertThat(licenseState.isSecurityDisabledByLicenseDefaults(), is(true));
@@ -124,6 +126,8 @@ public void testSecurityBasicWithExplicitSecurityEnabled() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
+ assertThat(licenseState.isTokenServiceAllowed(), is(false));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
 assertThat(licenseState.isSecurityAvailable(), is(true));
 assertThat(licenseState.isSecurityDisabledByLicenseDefaults(), is(false));
@@ -140,6 +144,8 @@ public void testSecurityDefaultBasicExpired() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
+ assertThat(licenseState.isTokenServiceAllowed(), is(false));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
 }
 public void testSecurityEnabledBasicExpired() {
@@ -154,6 +160,8 @@ public void testSecurityEnabledBasicExpired() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
+ assertThat(licenseState.isTokenServiceAllowed(), is(false));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
 }
 public void testSecurityStandard() {
@@ -196,6 +204,8 @@ public void testSecurityGold() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
+ assertThat(licenseState.isTokenServiceAllowed(), is(true));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
 }
 public void testSecurityGoldExpired() {
@@ -210,6 +220,8 @@ public void testSecurityGoldExpired() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
+ assertThat(licenseState.isTokenServiceAllowed(), is(true));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
 }
 public void testSecurityPlatinum() {
@@ -224,6 +236,8 @@ public void testSecurityPlatinum() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
+ assertThat(licenseState.isTokenServiceAllowed(), is(true));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
 }
 public void testSecurityPlatinumExpired() {
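Review bot: `testSecurityStandard()` appears only as trailing context of the `@@ -154,6 +160,8 @@` hunk, and none of the visible hunks adds API-key assertions to it. Standard looks like the other mode whose answer changes with this patch: the removed condition listed only `GOLD`, `PLATINUM` and `TRIAL`, so a Standard license with security enabled presumably moves from denied to allowed without a test pinning it. I would add `assertThat(licenseState.isApiKeyServiceAllowed(), is(true));` there (or `is(false)` if that test leaves security disabled; its body is outside the hunks shown), plus the matching `isTokenServiceAllowed()` assertion for symmetry with the Basic, Gold and Platinum tests.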
@@ -238,6 +252,8 @@ public void testSecurityPlatinumExpired() { assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true)); assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL)); assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false)); + assertThat(licenseState.isTokenServiceAllowed(), is(true)); + assertThat(licenseState.isApiKeyServiceAllowed(), is(true)); } public void testNewTrialDefaultsSecurityOff() { diff --git a/x-pack/plugin/security/qa/security-basic/src/test/java/org/elasticsearch/xpack/security/SecurityWithBasicLicenseIT.java b/x-pack/plugin/security/qa/security-basic/src/test/java/org/elasticsearch/xpack/security/SecurityWithBasicLicenseIT.java index 837c9ac4d8ded..837421f6000d5 100644 --- a/x-pack/plugin/security/qa/security-basic/src/test/java/org/elasticsearch/xpack/security/SecurityWithBasicLicenseIT.java +++ b/x-pack/plugin/security/qa/security-basic/src/test/java/org/elasticsearch/xpack/security/SecurityWithBasicLicenseIT.java @@ -54,8 +54,11 @@ public void testWithBasicLicense() throws Exception { checkAuthentication(); checkHasPrivileges(); checkIndexWrite(); + + final Tuple keyAndId = getApiKeyAndId(); + assertAuthenticateWithApiKey(keyAndId, true); + assertFailToGetToken(); - assertFailToGetApiKey(); assertAddRoleWithDLS(false); assertAddRoleWithFLS(false); } @@ -79,9 +82,8 @@ public void testWithTrialLicense() throws Exception { } finally { revertTrial(); assertAuthenticateWithToken(accessToken, false); - assertAuthenticateWithApiKey(keyAndId, false); + assertAuthenticateWithApiKey(keyAndId, true); assertFailToGetToken(); - assertFailToGetApiKey(); assertAddRoleWithDLS(false); assertAddRoleWithFLS(false); } 
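Review bot: In the `finally` block of `testWithTrialLicense()` (the `@@ -79,9 +82,8 @@` hunk), the only API-key check left after `revertTrial()` is `assertAuthenticateWithApiKey(keyAndId, true)`, which reuses the key obtained before the revert. With `assertFailToGetApiKey()` removed, nothing in the visible lines exercises key issuance once the cluster is back on Basic, so a regression that honours old keys but refuses new ones after a downgrade would pass. Adding `assertAuthenticateWithApiKey(getApiKeyAndId(), true);` after the existing assertion would cover that, assuming `getApiKeyAndId()` mints a fresh key as its use in `testWithBasicLicense()` suggests. Both test bodies start outside their hunks, so this is based only on the lines shown.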
@@ -199,12 +201,6 @@ private void assertFailToGetToken() {
 assertThat(e.getMessage(), containsString("current license is non-compliant for [security tokens]"));
 }
- private void assertFailToGetApiKey() {
- ResponseException e = expectThrows(ResponseException.class, () -> adminClient().performRequest(buildGetApiKeyRequest()));
- assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(403));
- assertThat(e.getMessage(), containsString("current license is non-compliant for [api keys]"));
- }
-
 private void assertAuthenticateWithToken(String accessToken, boolean shouldSucceed) throws IOException {
 assertNotNull("access token cannot be null", accessToken);
 Request request = new Request("GET", "/_security/_authenticate");