From 4ab16c67115342e47d1ae9138f90c579140f3b5e Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 10 Feb 2020 09:12:52 +1100 Subject: [PATCH] Add enterprise mode and refactor license check (#51864) Add enterprise operation mode to properly map enterprise license. Aslo refactor XPackLicenstate class to consolidate license status and mode checks. This class has many sychronised methods to check basically three things: * Minimum operation mode required * Whether security is enabled * Whether current license needs to be active Depends on the actual feature, either 1, 2 or all of above checks are performed. These are now consolidated in to 3 helper methods (2 of them are new). The synchronization is pushed down to the helper methods so actual checking methods no longer need to worry about it. resolves: #51081 --- .../xpack/ccr/CcrLicenseChecker.java | 4 +- .../org/elasticsearch/license/License.java | 6 +- .../elasticsearch/license/LicenseService.java | 1 + .../license/RemoteClusterLicenseChecker.java | 4 +- .../license/XPackLicenseState.java | 281 +++++++----------- .../core/ml/inference/TrainedModelConfig.java | 3 +- .../license/LicenseOperationModeTests.java | 6 +- .../RemoteClusterLicenseCheckerTests.java | 24 +- .../org/elasticsearch/license/TestUtils.java | 5 + .../license/XPackLicenseStateTests.java | 24 +- .../validation/SourceDestValidatorTests.java | 18 +- .../ml/inference/TrainedModelConfigTests.java | 18 ++ .../ssl/TLSLicenseBootstrapCheckTests.java | 4 +- .../action/TransportStartDatafeedAction.java | 2 +- .../MachineLearningLicensingTests.java | 2 +- .../cluster/ClusterStatsCollectorTests.java | 1 + .../xpack/security/Security.java | 3 +- .../elasticsearch/license/LicensingTests.java | 5 +- .../xpack/security/SecurityTests.java | 7 +- .../authz/store/CompositeRolesStoreTests.java | 4 +- .../action/saml/SamlBaseRestHandlerTests.java | 3 +- 21 files changed, 205 insertions(+), 220 deletions(-) diff --git a/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/CcrLicenseChecker.java b/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/CcrLicenseChecker.java index a693cc57b5229..2b65242949dc4 100644 --- a/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/CcrLicenseChecker.java +++ b/x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/CcrLicenseChecker.java @@ -412,7 +412,7 @@ private static ElasticsearchStatusException indexMetadataNonCompliantRemoteLicen RemoteClusterLicenseChecker.buildErrorMessage( "ccr", licenseCheck.remoteClusterLicenseInfo(), - RemoteClusterLicenseChecker::isLicensePlatinumOrTrial)); + RemoteClusterLicenseChecker::isAllowedByLicense)); return new ElasticsearchStatusException(message, RestStatus.BAD_REQUEST); } @@ -426,7 +426,7 @@ private static ElasticsearchStatusException clusterStateNonCompliantRemoteLicens RemoteClusterLicenseChecker.buildErrorMessage( "ccr", licenseCheck.remoteClusterLicenseInfo(), - RemoteClusterLicenseChecker::isLicensePlatinumOrTrial)); + RemoteClusterLicenseChecker::isAllowedByLicense)); return new ElasticsearchStatusException(message, RestStatus.BAD_REQUEST); } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/License.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/License.java index 210beaaedecaf..1c14e8df63c8c 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/License.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/License.java @@ -175,7 +175,8 @@ public enum OperationMode { BASIC((byte) 2), STANDARD((byte) 3), GOLD((byte) 4), - PLATINUM((byte) 5); + PLATINUM((byte) 5), + ENTERPRISE((byte) 6); private final byte id; @@ -208,8 +209,9 @@ public static OperationMode resolve(LicenseType type) { case GOLD: return GOLD; case PLATINUM: - case ENTERPRISE: // TODO Add an explicit enterprise operating mode return PLATINUM; + case ENTERPRISE: + return ENTERPRISE; case TRIAL: return TRIAL; default: diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java index 515f8462f98aa..484f97f4a26ae 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java @@ -256,6 +256,7 @@ && isProductionMode(settings, clusterService.localNode())) { "] license unless TLS is configured or security is disabled"); } else if (XPackSettings.FIPS_MODE_ENABLED.get(settings) && newLicense.operationMode() != License.OperationMode.PLATINUM + && newLicense.operationMode() != License.OperationMode.ENTERPRISE && newLicense.operationMode() != License.OperationMode.TRIAL) { throw new IllegalStateException("Cannot install a [" + newLicense.operationMode() + "] license unless FIPS mode is disabled"); diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/RemoteClusterLicenseChecker.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/RemoteClusterLicenseChecker.java index fc7d44c191601..b4abf6e88c82a 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/RemoteClusterLicenseChecker.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/RemoteClusterLicenseChecker.java @@ -138,9 +138,9 @@ public RemoteClusterLicenseChecker(final Client client, final Predicate FIPS_ALLOWED_LICENSE_OPERATION_MODES = - EnumSet.of(License.OperationMode.PLATINUM, License.OperationMode.TRIAL); - /** Messages for each feature which are printed when the license expires. */ static final Map EXPIRATION_MESSAGES; static { @@ -114,6 +109,7 @@ private static String[] securityAcknowledgementMessages(OperationMode currentMod case TRIAL: case GOLD: case PLATINUM: + case ENTERPRISE: return new String[] { "Security will default to disabled (set " + XPackSettings.SECURITY_ENABLED.getKey() + " to enable security).", "Authentication will be limited to the native and file realms.", @@ -132,6 +128,7 @@ private static String[] securityAcknowledgementMessages(OperationMode currentMod // ^^ though technically it was already disabled, it's not bad to remind them case TRIAL: case PLATINUM: + case ENTERPRISE: return new String[] { "Field and document level access control will be disabled.", "Custom realms will be ignored.", @@ -145,6 +142,7 @@ private static String[] securityAcknowledgementMessages(OperationMode currentMod // ^^ though technically it doesn't change the feature set, it's not bad to remind them case GOLD: case PLATINUM: + case ENTERPRISE: case TRIAL: return new String[] { "Authentication will be limited to the native realms.", @@ -166,6 +164,7 @@ private static String[] watcherAcknowledgementMessages(OperationMode currentMode case STANDARD: case GOLD: case PLATINUM: + case ENTERPRISE: return new String[] { "Watcher will be disabled" }; } break; @@ -181,6 +180,7 @@ private static String[] monitoringAcknowledgementMessages(OperationMode currentM case STANDARD: case GOLD: case PLATINUM: + case ENTERPRISE: return new String[] { LoggerMessageFormat.format( "Multi-cluster support is disabled for clusters with [{}] license. If you are\n" + @@ -206,6 +206,7 @@ private static String[] graphAcknowledgementMessages(OperationMode currentMode, switch (currentMode) { case TRIAL: case PLATINUM: + case ENTERPRISE: return new String[] { "Graph will be disabled" }; } break; @@ -221,6 +222,7 @@ private static String[] machineLearningAcknowledgementMessages(OperationMode cur switch (currentMode) { case TRIAL: case PLATINUM: + case ENTERPRISE: return new String[] { "Machine learning will be disabled" }; } break; @@ -258,6 +260,7 @@ private static String[] sqlAcknowledgementMessages(OperationMode currentMode, Op switch (currentMode) { case TRIAL: case PLATINUM: + case ENTERPRISE: return new String[] { "JDBC and ODBC support will be disabled, but you can continue to use SQL CLI and REST endpoint" }; } @@ -348,41 +351,22 @@ public synchronized boolean isActive() { * @return true if authentication and authorization should be enabled. this does not indicate what realms are available * @see #allowedRealmType() for the enabled realms */ - public synchronized boolean isAuthAllowed() { - OperationMode mode = status.mode; - final boolean isSecurityCurrentlyEnabled = - isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - if (isSecurityCurrentlyEnabled) { - switch (mode) { - case BASIC: - case STANDARD: - case GOLD: - case PLATINUM: - case TRIAL: - return true; - } - } - return false; + public boolean isAuthAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.BASIC, true, false, true); } /** * @return true if IP filtering should be enabled */ - public synchronized boolean isIpFilteringAllowed() { - OperationMode mode = status.mode; - final boolean isSecurityCurrentlyEnabled = - isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL); + public boolean isIpFilteringAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.GOLD, true, false, true); } /** * @return true if auditing should be enabled */ - public synchronized boolean isAuditingAllowed() { - OperationMode mode = status.mode; - final boolean isSecurityCurrentlyEnabled = - isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL); + public boolean isAuditingAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.GOLD, true, false, true); } /** @@ -391,8 +375,8 @@ public synchronized boolean isAuditingAllowed() { * * @return true if the license allows for the stats and health APIs to be used. */ - public synchronized boolean isStatsAndHealthAllowed() { - return status.active; + public boolean isStatsAndHealthAllowed() { + return isActive(); } /** @@ -407,11 +391,8 @@ public synchronized boolean isStatsAndHealthAllowed() { * * @return {@code true} to enable DLS and FLS. Otherwise {@code false}. */ - public synchronized boolean isDocumentAndFieldLevelSecurityAllowed() { - OperationMode mode = status.mode; - final boolean isSecurityCurrentlyEnabled = - isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - return isSecurityCurrentlyEnabled && (mode == OperationMode.TRIAL || mode == OperationMode.PLATINUM); + public boolean isDocumentAndFieldLevelSecurityAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, true, false, true); } /** Classes of realms that may be available based on the license type. */ @@ -431,6 +412,7 @@ public synchronized AllowedRealmType allowedRealmType() { if (isSecurityCurrentlyEnabled) { switch (status.mode) { case PLATINUM: + case ENTERPRISE: case TRIAL: return AllowedRealmType.ALL; case GOLD: @@ -449,51 +431,38 @@ public synchronized AllowedRealmType allowedRealmType() { /** * @return whether custom role providers are allowed based on the license {@link OperationMode} */ - public synchronized boolean isCustomRoleProvidersAllowed() { - final boolean isSecurityCurrentlyEnabled = - isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL) - && status.active; + public boolean isCustomRoleProvidersAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, true, true, true); } /** * @return whether the Elasticsearch {@code TokenService} is allowed based on the license {@link OperationMode} */ - public synchronized boolean isTokenServiceAllowed() { - final OperationMode mode = status.mode; - final boolean isSecurityCurrentlyEnabled = isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL); + public boolean isTokenServiceAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.GOLD, true, false, true); } /** * @return whether the Elasticsearch {@code ApiKeyService} is allowed based on the current node/cluster state */ - public synchronized boolean isApiKeyServiceAllowed() { - final OperationMode mode = status.mode; - final boolean isSecurityCurrentlyEnabled = isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - return isSecurityCurrentlyEnabled; + public boolean isApiKeyServiceAllowed() { + return isAllowedBySecurity(); } /** * @return whether "authorization_realms" are allowed based on the license {@link OperationMode} * @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings */ - public synchronized boolean isAuthorizationRealmAllowed() { - final boolean isSecurityCurrentlyEnabled = - isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL) - && status.active; + public boolean isAuthorizationRealmAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, true, true, true); } /** * @return whether a custom authorization engine is allowed based on the license {@link OperationMode} * @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings */ - public synchronized boolean isAuthorizationEngineAllowed() { - final boolean isSecurityCurrentlyEnabled = - isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled); - return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL) - && status.active; + public boolean isAuthorizationEngineAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, true, true, true); } /** @@ -509,22 +478,8 @@ public synchronized boolean isAuthorizationEngineAllowed() { * * @return {@code true} as long as the license is valid. Otherwise {@code false}. */ - public synchronized boolean isWatcherAllowed() { - Status localStatus = status; - - if (localStatus.active == false) { - return false; - } - - switch (localStatus.mode) { - case TRIAL: - case GOLD: - case PLATINUM: - case STANDARD: - return true; - default: - return false; - } + public boolean isWatcherAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.STANDARD, false, true, true); } /** @@ -532,8 +487,8 @@ public synchronized boolean isWatcherAllowed() { * * @return true if the license is active */ - public synchronized boolean isMonitoringAllowed() { - return status.active; + public boolean isMonitoringAllowed() { + return isActive(); } /** @@ -542,7 +497,7 @@ public synchronized boolean isMonitoringAllowed() { * @return {@link #isWatcherAllowed()} * @see #isWatcherAllowed() */ - public synchronized boolean isMonitoringClusterAlertsAllowed() { + public boolean isMonitoringClusterAlertsAllowed() { return isWatcherAllowed(); } @@ -555,9 +510,8 @@ public synchronized boolean isMonitoringClusterAlertsAllowed() { * * @return {@code true} if the user is allowed to modify the retention. Otherwise {@code false}. */ - public synchronized boolean isUpdateRetentionAllowed() { - final OperationMode mode = status.mode; - return mode != OperationMode.BASIC && mode != OperationMode.MISSING; + public boolean isUpdateRetentionAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.STANDARD, false, false, true); } /** @@ -571,13 +525,8 @@ public synchronized boolean isUpdateRetentionAllowed() { * * @return {@code true} as long as the license is valid. Otherwise {@code false}. */ - public synchronized boolean isGraphAllowed() { - Status localStatus = status; - OperationMode operationMode = localStatus.mode; - - boolean licensed = operationMode == OperationMode.TRIAL || operationMode == OperationMode.PLATINUM; - - return licensed && localStatus.active; + public boolean isGraphAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, false, true, true); } /** @@ -593,13 +542,12 @@ public synchronized boolean isGraphAllowed() { * @return {@code true} as long as the license is valid. Otherwise * {@code false}. */ - public synchronized boolean isMachineLearningAllowed() { - final Status currentStatus = status; - return currentStatus.active && isMachineLearningAllowedForOperationMode(currentStatus.mode); + public boolean isMachineLearningAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, false, true, true); } public static boolean isMachineLearningAllowedForOperationMode(final OperationMode operationMode) { - return isPlatinumOrTrialOperationMode(operationMode); + return isAllowedByOperationMode(operationMode, OperationMode.PLATINUM, true); } /** @@ -607,8 +555,8 @@ public static boolean isMachineLearningAllowedForOperationMode(final OperationMo * * @return true if the license is active */ - public synchronized boolean isTransformAllowed() { - return status.active; + public boolean isTransformAllowed() { + return isActive(); } public static boolean isTransformAllowedForOperationMode(final OperationMode operationMode) { @@ -616,13 +564,17 @@ public static boolean isTransformAllowedForOperationMode(final OperationMode ope return operationMode != License.OperationMode.MISSING; } + public static boolean isFipsAllowedForOperationMode(final OperationMode operationMode) { + return isAllowedByOperationMode(operationMode, OperationMode.PLATINUM, true); + } + /** * Rollup is always available as long as there is a valid license * * @return true if the license is active */ - public synchronized boolean isRollupAllowed() { - return status.active; + public boolean isRollupAllowed() { + return isActive(); } /** @@ -630,80 +582,62 @@ public synchronized boolean isRollupAllowed() { * * @return true if the license is active */ - public synchronized boolean isVotingOnlyAllowed() { - return status.active; + public boolean isVotingOnlyAllowed() { + return isActive(); } /** * Logstash is allowed as long as there is an active license of type TRIAL, STANDARD, GOLD or PLATINUM * @return {@code true} as long as there is a valid license */ - public synchronized boolean isLogstashAllowed() { - Status localStatus = status; - return localStatus.active && (isBasic(localStatus.mode) == false); + public boolean isLogstashAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.STANDARD, false, true, true); } /** * Beats is allowed as long as there is an active license of type TRIAL, STANDARD, GOLD or PLATINUM * @return {@code true} as long as there is a valid license */ - public synchronized boolean isBeatsAllowed() { - Status localStatus = status; - return localStatus.active && (isBasic(localStatus.mode) == false); - + public boolean isBeatsAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.STANDARD, false, true, true); } /** * Deprecation APIs are always allowed as long as there is an active license * @return {@code true} as long as there is a valid license */ - public synchronized boolean isDeprecationAllowed() { - return status.active; + public boolean isDeprecationAllowed() { + return isActive(); } /** * Determine if Upgrade API should be enabled. - *

- * Upgrade API is not available in for all license types except {@link OperationMode#MISSING} * * @return {@code true} as long as the license is valid. Otherwise * {@code false}. */ - public synchronized boolean isUpgradeAllowed() { - // Should work on all active licenses - return status.active; + public boolean isUpgradeAllowed() { + return isActive(); } /** * Determine if Index Lifecycle API should be enabled. - *

- * Index Lifecycle API is available in for all license types except - * {@link OperationMode#MISSING} * * @return {@code true} as long as the license is valid. Otherwise * {@code false}. */ public boolean isIndexLifecycleAllowed() { - // status is volatile - Status localStatus = status; - // Should work on all active licenses - return localStatus.active; + return isActive(); } /** * Determine if the enrich processor and related APIs are allowed to be used. - *

- * This is available in for all license types except - * {@link OperationMode#MISSING} * * @return {@code true} as long as the license is valid. Otherwise * {@code false}. */ public boolean isEnrichAllowed() { - // status is volatile - Status localStatus = status; - // Should work on all active licenses - return localStatus.active; + return isActive(); } /** @@ -717,11 +651,9 @@ public synchronized boolean isEqlAllowed() { /** * Determine if SQL support should be enabled. - *

- * SQL is available for all license types except {@link OperationMode#MISSING} */ - public synchronized boolean isSqlAllowed() { - return status.active; + public boolean isSqlAllowed() { + return isActive(); } /** @@ -729,31 +661,22 @@ public synchronized boolean isSqlAllowed() { *

* JDBC is available only in for {@link OperationMode#PLATINUM} and {@link OperationMode#TRIAL} licences */ - public synchronized boolean isJdbcAllowed() { - Status localStatus = status; - OperationMode operationMode = localStatus.mode; - - boolean licensed = operationMode == OperationMode.TRIAL || operationMode == OperationMode.PLATINUM; - - return licensed && localStatus.active; + public boolean isJdbcAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, false, true, true); } /** * Determine if support for flattened object fields should be enabled. - *

- * Flattened fields are available for all license types except {@link OperationMode#MISSING}. */ - public synchronized boolean isFlattenedAllowed() { - return status.active; + public boolean isFlattenedAllowed() { + return isActive(); } /** * Determine if Vectors support should be enabled. - *

- * Vectors is available for all license types except {@link OperationMode#MISSING} */ - public synchronized boolean isVectorsAllowed() { - return status.active; + public boolean isVectorsAllowed() { + return isActive(); } /** @@ -761,29 +684,18 @@ public synchronized boolean isVectorsAllowed() { *

* ODBC is available only in for {@link OperationMode#PLATINUM} and {@link OperationMode#TRIAL} licences */ - public synchronized boolean isOdbcAllowed() { - Status localStatus = status; - OperationMode operationMode = localStatus.mode; - - boolean licensed = operationMode == OperationMode.TRIAL || operationMode == OperationMode.PLATINUM; - - return licensed && localStatus.active; + public boolean isOdbcAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, false, true, true); } /** * Determine if Spatial features should be enabled. - *

- * Spatial features are available in for all license types except - * {@link OperationMode#MISSING} * * @return {@code true} as long as the license is valid. Otherwise * {@code false}. */ public boolean isSpatialAllowed() { - // status is volatile - Status localStatus = status; - // Should work on all active licenses - return localStatus.active; + return isActive(); } /** @@ -791,8 +703,8 @@ public boolean isSpatialAllowed() { * * @return true if the license is active */ - public synchronized boolean isDataScienceAllowed() { - return status.active; + public boolean isDataScienceAllowed() { + return isActive(); } public synchronized boolean isTrialLicense() { @@ -805,7 +717,7 @@ public synchronized boolean isTrialLicense() { public synchronized boolean isSecurityAvailable() { OperationMode mode = status.mode; return mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.STANDARD || - mode == OperationMode.TRIAL || mode == OperationMode.BASIC; + mode == OperationMode.TRIAL || mode == OperationMode.BASIC || mode == OperationMode.ENTERPRISE; } /** @@ -833,6 +745,7 @@ public static boolean isTransportTlsRequired(License license, Settings settings) case STANDARD: case GOLD: case PLATINUM: + case ENTERPRISE: return XPackSettings.SECURITY_ENABLED.get(settings); case BASIC: return XPackSettings.SECURITY_ENABLED.get(settings) && isSecurityExplicitlyEnabled(settings); @@ -866,17 +779,20 @@ private static boolean isSecurityEnabled(final OperationMode mode, final boolean * * @return true is the license is compatible, otherwise false */ - public synchronized boolean isCcrAllowed() { - final Status currentStatus = status; - return currentStatus.active && isCcrAllowedForOperationMode(currentStatus.mode); + public boolean isCcrAllowed() { + return isAllowedByLicenseAndSecurity(OperationMode.PLATINUM, false, true, true); } public static boolean isCcrAllowedForOperationMode(final OperationMode operationMode) { - return isPlatinumOrTrialOperationMode(operationMode); + return isAllowedByOperationMode(operationMode, OperationMode.PLATINUM, true); } - public static boolean isPlatinumOrTrialOperationMode(final OperationMode operationMode) { - return operationMode == OperationMode.PLATINUM || operationMode == OperationMode.TRIAL; + public static boolean isAllowedByOperationMode( + final OperationMode operationMode, final OperationMode minimumMode, final boolean allowTrial) { + if (allowTrial && OperationMode.TRIAL == operationMode) { + return true; + } + return operationMode.compareTo(minimumMode) >= 0; } /** @@ -889,4 +805,31 @@ public static boolean isPlatinumOrTrialOperationMode(final OperationMode operati public synchronized XPackLicenseState copyCurrentLicenseState() { return new XPackLicenseState(this); } + + private synchronized boolean isAllowedBySecurity() { + return isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled); + } + + /** + * Test whether a feature is allowed by the status of current license and security configuration. + * + * @param minimumMode The minimum license to meet or exceed + * @param needSecurity Whether security is required for feature to be allowed + * @param needActive Whether current license needs to be active + * @param allowTrial Whether the feature is allowed for trial license + * + * @return true if feature is allowed, otherwise false + */ + private synchronized boolean isAllowedByLicenseAndSecurity( + OperationMode minimumMode, boolean needSecurity, boolean needActive, boolean allowTrial) { + + if (needSecurity && false == isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled)) { + return false; + } + if (needActive && false == status.active) { + return false; + } + return isAllowedByOperationMode(status.mode, minimumMode, allowTrial); + } + } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/inference/TrainedModelConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/inference/TrainedModelConfig.java index 9bd447319cc4a..9c49661cfc95f 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/inference/TrainedModelConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/inference/TrainedModelConfig.java @@ -243,7 +243,8 @@ public boolean isAvailableWithLicense(XPackLicenseState licenseState) { } // The model license does not matter, this is the highest licensed level - if (licenseState.isActive() && XPackLicenseState.isPlatinumOrTrialOperationMode(licenseState.getOperationMode())) { + if (licenseState.isActive() && XPackLicenseState.isAllowedByOperationMode( + licenseState.getOperationMode(), License.OperationMode.PLATINUM, true)) { return true; } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseOperationModeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseOperationModeTests.java index a1fbfbe6c6a41..2e5ae01807a00 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseOperationModeTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/LicenseOperationModeTests.java @@ -47,9 +47,9 @@ public void testResolvePlatinum() { assertResolve(OperationMode.PLATINUM, "PlAtINum", "platinum"); } - public void testResolveEnterpriseAsPlatinum() { - assertResolve(OperationMode.PLATINUM, License.LicenseType.ENTERPRISE.getTypeName()); - assertResolve(OperationMode.PLATINUM, License.LicenseType.ENTERPRISE.name()); + public void testResolveEnterprise() { + assertResolve(OperationMode.ENTERPRISE, License.LicenseType.ENTERPRISE.getTypeName()); + assertResolve(OperationMode.ENTERPRISE, License.LicenseType.ENTERPRISE.name()); } public void testResolveUnknown() { diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/RemoteClusterLicenseCheckerTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/RemoteClusterLicenseCheckerTests.java index 0f512a69f92d1..1381bebedd8bc 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/RemoteClusterLicenseCheckerTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/RemoteClusterLicenseCheckerTests.java @@ -146,7 +146,8 @@ public void testCheckRemoteClusterLicensesGivenCompatibleLicenses() { responses.add(new XPackInfoResponse(null, createPlatinumLicenseResponse(), null)); final RemoteClusterLicenseChecker licenseChecker = - new RemoteClusterLicenseChecker(client, XPackLicenseState::isPlatinumOrTrialOperationMode); + new RemoteClusterLicenseChecker(client, operationMode -> + XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)); final AtomicReference licenseCheck = new AtomicReference<>(); licenseChecker.checkRemoteClusterLicenses( @@ -188,7 +189,8 @@ public void testCheckRemoteClusterLicensesGivenIncompatibleLicense() { }).when(client).execute(same(XPackInfoAction.INSTANCE), any(), any()); final RemoteClusterLicenseChecker licenseChecker = - new RemoteClusterLicenseChecker(client, XPackLicenseState::isPlatinumOrTrialOperationMode); + new RemoteClusterLicenseChecker(client, operationMode -> + XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)); final AtomicReference licenseCheck = new AtomicReference<>(); licenseChecker.checkRemoteClusterLicenses( @@ -234,7 +236,8 @@ public void testCheckRemoteClusterLicencesGivenNonExistentCluster() { responses.add(new XPackInfoResponse(null, createPlatinumLicenseResponse(), null)); final RemoteClusterLicenseChecker licenseChecker = - new RemoteClusterLicenseChecker(client, XPackLicenseState::isPlatinumOrTrialOperationMode); + new RemoteClusterLicenseChecker(client, operationMode -> + XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)); final AtomicReference exception = new AtomicReference<>(); licenseChecker.checkRemoteClusterLicenses( @@ -274,7 +277,8 @@ public void testRemoteClusterLicenseCallUsesSystemContext() throws InterruptedEx }).when(client).execute(same(XPackInfoAction.INSTANCE), any(), any()); final RemoteClusterLicenseChecker licenseChecker = - new RemoteClusterLicenseChecker(client, XPackLicenseState::isPlatinumOrTrialOperationMode); + new RemoteClusterLicenseChecker(client, operationMode -> + XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)); final List remoteClusterAliases = Collections.singletonList("valid"); licenseChecker.checkRemoteClusterLicenses( @@ -313,7 +317,8 @@ public void testListenerIsExecutedWithCallingContext() throws InterruptedExcepti responses.add(new XPackInfoResponse(null, createPlatinumLicenseResponse(), null)); final RemoteClusterLicenseChecker licenseChecker = - new RemoteClusterLicenseChecker(client, XPackLicenseState::isPlatinumOrTrialOperationMode); + new RemoteClusterLicenseChecker(client, operationMode -> + XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)); final AtomicBoolean listenerInvoked = new AtomicBoolean(); threadPool.getThreadContext().putHeader("key", "value"); @@ -355,7 +360,7 @@ public void testBuildErrorMessageForActiveCompatibleLicense() { new RemoteClusterLicenseChecker.RemoteClusterLicenseInfo("platinum-cluster", platinumLicence); final AssertionError e = expectThrows( AssertionError.class, - () -> RemoteClusterLicenseChecker.buildErrorMessage("", info, RemoteClusterLicenseChecker::isLicensePlatinumOrTrial)); + () -> RemoteClusterLicenseChecker.buildErrorMessage("", info, RemoteClusterLicenseChecker::isAllowedByLicense)); assertThat(e, hasToString(containsString("license must be incompatible to build error message"))); } @@ -364,7 +369,7 @@ public void testBuildErrorMessageForIncompatibleLicense() { final RemoteClusterLicenseChecker.RemoteClusterLicenseInfo info = new RemoteClusterLicenseChecker.RemoteClusterLicenseInfo("basic-cluster", basicLicense); assertThat( - RemoteClusterLicenseChecker.buildErrorMessage("Feature", info, RemoteClusterLicenseChecker::isLicensePlatinumOrTrial), + RemoteClusterLicenseChecker.buildErrorMessage("Feature", info, RemoteClusterLicenseChecker::isAllowedByLicense), equalTo("the license mode [BASIC] on cluster [basic-cluster] does not enable [Feature]")); } @@ -373,7 +378,7 @@ public void testBuildErrorMessageForInactiveLicense() { final RemoteClusterLicenseChecker.RemoteClusterLicenseInfo info = new RemoteClusterLicenseChecker.RemoteClusterLicenseInfo("expired-cluster", expiredLicense); assertThat( - RemoteClusterLicenseChecker.buildErrorMessage("Feature", info, RemoteClusterLicenseChecker::isLicensePlatinumOrTrial), + RemoteClusterLicenseChecker.buildErrorMessage("Feature", info, RemoteClusterLicenseChecker::isAllowedByLicense), equalTo("the license on cluster [expired-cluster] is not active")); } @@ -388,7 +393,8 @@ public void testCheckRemoteClusterLicencesNoLicenseMetadata() { }).when(client).execute(same(XPackInfoAction.INSTANCE), any(), any()); final RemoteClusterLicenseChecker licenseChecker = - new RemoteClusterLicenseChecker(client, XPackLicenseState::isPlatinumOrTrialOperationMode); + new RemoteClusterLicenseChecker(client, operationMode -> + XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)); final AtomicReference exception = new AtomicReference<>(); licenseChecker.checkRemoteClusterLicenses( diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java index 47dad7e18eb32..75ff3e50c1232 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java @@ -282,6 +282,11 @@ public static License generateSignedLicense(String type, int version, long issue builder.subscriptionType((type != null) ? type : randomFrom("dev", "gold", "platinum", "silver")); builder.feature(randomAlphaOfLength(10)); } + if ("enterprise".equals(licenseType)) { + builder.version(License.VERSION_ENTERPRISE) + .maxResourceUnits(randomIntBetween(5, 500)) + .maxNodes(-1); + } final LicenseSigner signer = new LicenseSigner(getTestPriKeyPath(), getTestPubKeyPath()); return signer.sign(builder.build()); } diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java index 583de499b42f9..0becc50445fbf 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java @@ -41,7 +41,7 @@ void assertAllowed(OperationMode mode, boolean active, Predicate mode != GOLD && mode != STANDARD); - assertAckMesssages(XPackField.SECURITY, BASIC, toMode, 0); + assertAckMessages(XPackField.SECURITY, BASIC, toMode, 0); } public void testSecurityAckAnyToTrialOrPlatinum() { - assertAckMesssages(XPackField.SECURITY, randomMode(), randomTrialOrPlatinumMode(), 0); + assertAckMessages(XPackField.SECURITY, randomMode(), randomTrialOrPlatinumMode(), 0); } public void testSecurityAckTrialGoldOrPlatinumToBasic() { - assertAckMesssages(XPackField.SECURITY, randomTrialGoldOrPlatinumMode(), BASIC, 7); + assertAckMessages(XPackField.SECURITY, randomTrialGoldOrPlatinumMode(), BASIC, 7); } public void testSecurityAckStandardToBasic() { - assertAckMesssages(XPackField.SECURITY, STANDARD, BASIC, 1); + assertAckMessages(XPackField.SECURITY, STANDARD, BASIC, 1); } public void testSecurityAckAnyToStandard() { OperationMode from = randomFrom(BASIC, GOLD, PLATINUM, TRIAL); - assertAckMesssages(XPackField.SECURITY, from, STANDARD, 5); + assertAckMessages(XPackField.SECURITY, from, STANDARD, 5); } public void testSecurityAckBasicStandardTrialOrPlatinumToGold() { OperationMode from = randomFrom(BASIC, PLATINUM, TRIAL, STANDARD); - assertAckMesssages(XPackField.SECURITY, from, GOLD, 3); + assertAckMessages(XPackField.SECURITY, from, GOLD, 3); } public void testMonitoringAckBasicToAny() { - assertAckMesssages(XPackField.MONITORING, BASIC, randomMode(), 0); + assertAckMessages(XPackField.MONITORING, BASIC, randomMode(), 0); } public void testMonitoringAckAnyToTrialGoldOrPlatinum() { - assertAckMesssages(XPackField.MONITORING, randomMode(), randomTrialStandardGoldOrPlatinumMode(), 0); + assertAckMessages(XPackField.MONITORING, randomMode(), randomTrialStandardGoldOrPlatinumMode(), 0); } public void testMonitoringAckNotBasicToBasic() { OperationMode from = randomFrom(STANDARD, GOLD, PLATINUM, TRIAL); - assertAckMesssages(XPackField.MONITORING, from, BASIC, 2); + assertAckMessages(XPackField.MONITORING, from, BASIC, 2); } public void testMonitoringAllowed() { @@ -484,11 +484,11 @@ public void testSqlPlatinumExpired() { } public void testSqlAckAnyToTrialOrPlatinum() { - assertAckMesssages(XPackField.SQL, randomMode(), randomTrialOrPlatinumMode(), 0); + assertAckMessages(XPackField.SQL, randomMode(), randomTrialOrPlatinumMode(), 0); } public void testSqlAckTrialOrPlatinumToNotTrialOrPlatinum() { - assertAckMesssages(XPackField.SQL, randomTrialOrPlatinumMode(), randomBasicStandardOrGold(), 1); + assertAckMessages(XPackField.SQL, randomTrialOrPlatinumMode(), randomBasicStandardOrGold(), 1); } public void testTransformBasic() throws Exception { diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/common/validation/SourceDestValidatorTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/common/validation/SourceDestValidatorTests.java index 4eab68271b7e1..8b02e55bca2b4 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/common/validation/SourceDestValidatorTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/common/validation/SourceDestValidatorTests.java @@ -597,7 +597,8 @@ public void testRemoteSourcePlatinum() throws InterruptedException { CLUSTER_STATE, new IndexNameExpressionResolver(), remoteClusterService, - new RemoteClusterLicenseChecker(clientWithBasicLicense, XPackLicenseState::isPlatinumOrTrialOperationMode), + new RemoteClusterLicenseChecker(clientWithBasicLicense, + operationMode -> XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)), new String[] { REMOTE_BASIC + ":" + "SOURCE_1" }, "dest", "node_id", @@ -626,7 +627,8 @@ public void testRemoteSourcePlatinum() throws InterruptedException { CLUSTER_STATE, new IndexNameExpressionResolver(), remoteClusterService, - new RemoteClusterLicenseChecker(clientWithPlatinumLicense, XPackLicenseState::isPlatinumOrTrialOperationMode), + new RemoteClusterLicenseChecker(clientWithPlatinumLicense, + operationMode -> XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)), new String[] { REMOTE_PLATINUM + ":" + "SOURCE_1" }, "dest", "node_id", @@ -646,7 +648,8 @@ public void testRemoteSourcePlatinum() throws InterruptedException { CLUSTER_STATE, new IndexNameExpressionResolver(), remoteClusterService, - new RemoteClusterLicenseChecker(clientWithPlatinumLicense, XPackLicenseState::isPlatinumOrTrialOperationMode), + new RemoteClusterLicenseChecker(clientWithPlatinumLicense, + operationMode -> XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)), new String[] { REMOTE_PLATINUM + ":" + "SOURCE_1" }, "dest", "node_id", @@ -667,7 +670,8 @@ public void testRemoteSourcePlatinum() throws InterruptedException { CLUSTER_STATE, new IndexNameExpressionResolver(), remoteClusterService, - new RemoteClusterLicenseChecker(clientWithTrialLicense, XPackLicenseState::isPlatinumOrTrialOperationMode), + new RemoteClusterLicenseChecker(clientWithTrialLicense, + operationMode -> XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)), new String[] { REMOTE_PLATINUM + ":" + "SOURCE_1" }, "dest", "node_id", @@ -690,7 +694,8 @@ public void testRemoteSourceLicenseInActive() throws InterruptedException { CLUSTER_STATE, new IndexNameExpressionResolver(), remoteClusterService, - new RemoteClusterLicenseChecker(clientWithExpiredBasicLicense, XPackLicenseState::isPlatinumOrTrialOperationMode), + new RemoteClusterLicenseChecker(clientWithExpiredBasicLicense, + operationMode -> XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)), new String[] { REMOTE_BASIC + ":" + "SOURCE_1" }, "dest", "node_id", @@ -716,7 +721,8 @@ public void testRemoteSourceDoesNotExist() throws InterruptedException { CLUSTER_STATE, new IndexNameExpressionResolver(), remoteClusterService, - new RemoteClusterLicenseChecker(clientWithExpiredBasicLicense, XPackLicenseState::isPlatinumOrTrialOperationMode), + new RemoteClusterLicenseChecker(clientWithExpiredBasicLicense, + operationMode -> XPackLicenseState.isAllowedByOperationMode(operationMode, License.OperationMode.PLATINUM, true)), new String[] { "non_existing_remote:" + "SOURCE_1" }, "dest", "node_id", diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ml/inference/TrainedModelConfigTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ml/inference/TrainedModelConfigTests.java index 67b67a45500f1..3b0a19b496723 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ml/inference/TrainedModelConfigTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ml/inference/TrainedModelConfigTests.java @@ -64,6 +64,7 @@ public static TrainedModelConfig.Builder createTestInstance(String modelId) { .setEstimatedHeapMemory(randomNonNegativeLong()) .setEstimatedOperations(randomNonNegativeLong()) .setLicenseLevel(randomFrom(License.OperationMode.PLATINUM.description(), + License.OperationMode.ENTERPRISE.description(), License.OperationMode.GOLD.description(), License.OperationMode.BASIC.description())) .setTags(tags); @@ -311,28 +312,45 @@ public void testIsAvailableWithLicense() { when(licenseState.isActive()).thenReturn(false); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); + assertFalse(builder.setLicenseLevel(License.OperationMode.ENTERPRISE.description()).build().isAvailableWithLicense(licenseState)); assertFalse(builder.setLicenseLevel(License.OperationMode.PLATINUM.description()).build().isAvailableWithLicense(licenseState)); assertTrue(builder.setLicenseLevel(License.OperationMode.BASIC.description()).build().isAvailableWithLicense(licenseState)); + when(licenseState.isActive()).thenReturn(true); + when(licenseState.getOperationMode()).thenReturn(License.OperationMode.ENTERPRISE); + assertTrue(builder.setLicenseLevel(License.OperationMode.ENTERPRISE.description()).build().isAvailableWithLicense(licenseState)); + assertTrue(builder.setLicenseLevel(License.OperationMode.PLATINUM.description()).build().isAvailableWithLicense(licenseState)); + assertTrue(builder.setLicenseLevel(License.OperationMode.BASIC.description()).build().isAvailableWithLicense(licenseState)); + assertTrue(builder.setLicenseLevel(License.OperationMode.GOLD.description()).build().isAvailableWithLicense(licenseState)); + + when(licenseState.isActive()).thenReturn(false); + assertFalse(builder.setLicenseLevel(License.OperationMode.ENTERPRISE.description()).build().isAvailableWithLicense(licenseState)); + assertFalse(builder.setLicenseLevel(License.OperationMode.PLATINUM.description()).build().isAvailableWithLicense(licenseState)); + assertTrue(builder.setLicenseLevel(License.OperationMode.BASIC.description()).build().isAvailableWithLicense(licenseState)); + assertFalse(builder.setLicenseLevel(License.OperationMode.GOLD.description()).build().isAvailableWithLicense(licenseState)); when(licenseState.isActive()).thenReturn(true); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.PLATINUM); + assertTrue(builder.setLicenseLevel(License.OperationMode.ENTERPRISE.description()).build().isAvailableWithLicense(licenseState)); assertTrue(builder.setLicenseLevel(License.OperationMode.PLATINUM.description()).build().isAvailableWithLicense(licenseState)); assertTrue(builder.setLicenseLevel(License.OperationMode.BASIC.description()).build().isAvailableWithLicense(licenseState)); assertTrue(builder.setLicenseLevel(License.OperationMode.GOLD.description()).build().isAvailableWithLicense(licenseState)); when(licenseState.isActive()).thenReturn(false); + assertFalse(builder.setLicenseLevel(License.OperationMode.ENTERPRISE.description()).build().isAvailableWithLicense(licenseState)); assertFalse(builder.setLicenseLevel(License.OperationMode.PLATINUM.description()).build().isAvailableWithLicense(licenseState)); assertTrue(builder.setLicenseLevel(License.OperationMode.BASIC.description()).build().isAvailableWithLicense(licenseState)); assertFalse(builder.setLicenseLevel(License.OperationMode.GOLD.description()).build().isAvailableWithLicense(licenseState)); when(licenseState.isActive()).thenReturn(true); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.GOLD); + assertFalse(builder.setLicenseLevel(License.OperationMode.ENTERPRISE.description()).build().isAvailableWithLicense(licenseState)); assertFalse(builder.setLicenseLevel(License.OperationMode.PLATINUM.description()).build().isAvailableWithLicense(licenseState)); assertTrue(builder.setLicenseLevel(License.OperationMode.BASIC.description()).build().isAvailableWithLicense(licenseState)); assertTrue(builder.setLicenseLevel(License.OperationMode.GOLD.description()).build().isAvailableWithLicense(licenseState)); when(licenseState.isActive()).thenReturn(false); + assertFalse(builder.setLicenseLevel(License.OperationMode.ENTERPRISE.description()).build().isAvailableWithLicense(licenseState)); assertFalse(builder.setLicenseLevel(License.OperationMode.PLATINUM.description()).build().isAvailableWithLicense(licenseState)); assertTrue(builder.setLicenseLevel(License.OperationMode.BASIC.description()).build().isAvailableWithLicense(licenseState)); assertFalse(builder.setLicenseLevel(License.OperationMode.GOLD.description()).build().isAvailableWithLicense(licenseState)); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TLSLicenseBootstrapCheckTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TLSLicenseBootstrapCheckTests.java index 3cb14180930d3..61407d152749a 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TLSLicenseBootstrapCheckTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/TLSLicenseBootstrapCheckTests.java @@ -23,7 +23,7 @@ public void testBootstrapCheckOnEmptyMetadata() { } public void testBootstrapCheckFailureOnPremiumLicense() throws Exception { - final OperationMode mode = randomFrom(OperationMode.PLATINUM, OperationMode.GOLD, OperationMode.STANDARD); + final OperationMode mode = randomFrom(OperationMode.ENTERPRISE, OperationMode.PLATINUM, OperationMode.GOLD, OperationMode.STANDARD); final Settings.Builder settings = Settings.builder(); if (randomBoolean()) { // randomise between default-false & explicit-false @@ -43,7 +43,7 @@ public void testBootstrapCheckFailureOnPremiumLicense() throws Exception { } public void testBootstrapCheckSucceedsWithTlsEnabledOnPremiumLicense() throws Exception { - final OperationMode mode = randomFrom(OperationMode.PLATINUM, OperationMode.GOLD, OperationMode.STANDARD); + final OperationMode mode = randomFrom(OperationMode.ENTERPRISE, OperationMode.PLATINUM, OperationMode.GOLD, OperationMode.STANDARD); final Settings.Builder settings = Settings.builder().put("xpack.security.transport.ssl.enabled", true); final BootstrapCheck.BootstrapCheckResult result = runBootstrapCheck(mode, settings); assertSuccess(result); diff --git a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportStartDatafeedAction.java b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportStartDatafeedAction.java index ddbd3d58966f8..80c3df26e996e 100644 --- a/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportStartDatafeedAction.java +++ b/x-pack/plugin/ml/src/main/java/org/elasticsearch/xpack/ml/action/TransportStartDatafeedAction.java @@ -342,7 +342,7 @@ private ElasticsearchStatusException createUnlicensedError( RemoteClusterLicenseChecker.buildErrorMessage( "ml", licenseCheck.remoteClusterLicenseInfo(), - RemoteClusterLicenseChecker::isLicensePlatinumOrTrial)); + RemoteClusterLicenseChecker::isAllowedByLicense)); return new ElasticsearchStatusException(message, RestStatus.BAD_REQUEST); } diff --git a/x-pack/plugin/ml/src/test/java/org/elasticsearch/license/MachineLearningLicensingTests.java b/x-pack/plugin/ml/src/test/java/org/elasticsearch/license/MachineLearningLicensingTests.java index a80e8ed709673..0925d252e2019 100644 --- a/x-pack/plugin/ml/src/test/java/org/elasticsearch/license/MachineLearningLicensingTests.java +++ b/x-pack/plugin/ml/src/test/java/org/elasticsearch/license/MachineLearningLicensingTests.java @@ -689,7 +689,7 @@ private static OperationMode randomInvalidLicenseType() { } private static OperationMode randomValidLicenseType() { - return randomFrom(License.OperationMode.TRIAL, License.OperationMode.PLATINUM); + return randomFrom(License.OperationMode.TRIAL, License.OperationMode.PLATINUM, OperationMode.ENTERPRISE); } private static OperationMode randomLicenseType() { diff --git a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStatsCollectorTests.java b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStatsCollectorTests.java index 49355d51495ec..054b1880b6b50 100644 --- a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStatsCollectorTests.java +++ b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStatsCollectorTests.java @@ -131,6 +131,7 @@ public void testDoCollect() throws Exception { case STANDARD: case GOLD: case PLATINUM: + case ENTERPRISE: transportTLSEnabled = true; break; default: diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java index 3a82a7d0d9f31..0d2b06b1d425b 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java @@ -267,7 +267,6 @@ import static java.util.Collections.emptyList; import static java.util.Collections.singletonList; import static org.elasticsearch.cluster.metadata.IndexMetaData.INDEX_FORMAT_SETTING; -import static org.elasticsearch.license.XPackLicenseState.FIPS_ALLOWED_LICENSE_OPERATION_MODES; import static org.elasticsearch.xpack.core.XPackSettings.API_KEY_SERVICE_ENABLED_SETTING; import static org.elasticsearch.xpack.core.XPackSettings.HTTP_SSL_ENABLED; import static org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames.SECURITY_MAIN_ALIAS; @@ -1045,7 +1044,7 @@ public void accept(DiscoveryNode node, ClusterState state) { if (inFipsMode) { License license = LicenseService.getLicense(state.metaData()); if (license != null && - FIPS_ALLOWED_LICENSE_OPERATION_MODES.contains(license.operationMode()) == false) { + XPackLicenseState.isFipsAllowedForOperationMode(license.operationMode()) == false) { throw new IllegalStateException("FIPS mode cannot be used with a [" + license.operationMode() + "] license. It is only allowed with a Platinum or Trial license."); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/license/LicensingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/license/LicensingTests.java index bddbfb6b6d7f7..78bb56aa4953b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/license/LicensingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/license/LicensingTests.java @@ -180,7 +180,7 @@ public void testRestAuthenticationByLicenseType() throws Exception { // generate a new license with a mode that enables auth License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.TRIAL, - License.OperationMode.PLATINUM, License.OperationMode.STANDARD); + License.OperationMode.PLATINUM, License.OperationMode.STANDARD, License.OperationMode.ENTERPRISE); enableLicensing(mode); e = expectThrows(ResponseException.class, () -> getRestClient().performRequest(new Request("GET", "/"))); assertThat(e.getResponse().getStatusLine().getStatusCode(), is(401)); @@ -204,7 +204,8 @@ public void testRestAuthenticationByLicenseType() throws Exception { } public void testNodeJoinWithoutSecurityExplicitlyEnabled() throws Exception { - License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.PLATINUM, License.OperationMode.STANDARD); + License.OperationMode mode = randomFrom(License.OperationMode.GOLD, License.OperationMode.PLATINUM, + License.OperationMode.ENTERPRISE, License.OperationMode.STANDARD); enableLicensing(mode); final List seedHosts = internalCluster().masterClient().admin().cluster().nodesInfo(new NodesInfoRequest()).get() diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java index 6dff631adc462..c3c39b5a5685b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityTests.java @@ -65,7 +65,6 @@ import java.util.stream.Collectors; import static org.elasticsearch.cluster.metadata.IndexMetaData.INDEX_FORMAT_SETTING; -import static org.elasticsearch.license.XPackLicenseState.FIPS_ALLOWED_LICENSE_OPERATION_MODES; import static org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames.SECURITY_MAIN_ALIAS; import static org.elasticsearch.xpack.security.support.SecurityIndexManager.INTERNAL_MAIN_INDEX_FORMAT; import static org.hamcrest.Matchers.containsString; @@ -245,7 +244,9 @@ public void testJoinValidatorForFIPSOnAllowedLicense() throws Exception { VersionUtils.randomVersionBetween(random(), null, Version.CURRENT)); MetaData.Builder builder = MetaData.builder(); License license = - TestUtils.generateSignedLicense(randomFrom(FIPS_ALLOWED_LICENSE_OPERATION_MODES).toString(), TimeValue.timeValueHours(24)); + TestUtils.generateSignedLicense( + randomFrom(License.OperationMode.ENTERPRISE, License.OperationMode.PLATINUM, License.OperationMode.TRIAL).toString(), + TimeValue.timeValueHours(24)); TestUtils.putLicense(builder, license); ClusterState state = ClusterState.builder(ClusterName.DEFAULT).metaData(builder.build()).build(); new Security.ValidateLicenseForFIPS(false).accept(node, state); @@ -260,7 +261,7 @@ public void testJoinValidatorForFIPSOnForbiddenLicense() throws Exception { MetaData.Builder builder = MetaData.builder(); final String forbiddenLicenseType = randomFrom(List.of(License.OperationMode.values()).stream() - .filter(l -> FIPS_ALLOWED_LICENSE_OPERATION_MODES.contains(l) == false).collect(Collectors.toList())).toString(); + .filter(l -> XPackLicenseState.isFipsAllowedForOperationMode(l) == false).collect(Collectors.toList())).toString(); License license = TestUtils.generateSignedLicense(forbiddenLicenseType, TimeValue.timeValueHours(24)); TestUtils.putLicense(builder, license); ClusterState state = ClusterState.builder(ClusterName.DEFAULT).metaData(builder.build()).build(); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java index 4b453c77691b2..695aa36640d4a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java @@ -758,7 +758,7 @@ Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(Nativ Arrays.asList(inMemoryProvider), new ThreadContext(Settings.EMPTY), xPackLicenseState, cache, mock(ApiKeyService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds)); // these licenses allow custom role providers - xPackLicenseState.update(randomFrom(OperationMode.PLATINUM, OperationMode.TRIAL), true, null); + xPackLicenseState.update(randomFrom(OperationMode.PLATINUM, OperationMode.ENTERPRISE, OperationMode.TRIAL), true, null); roleNames = Sets.newHashSet("roleA"); future = new PlainActionFuture<>(); compositeRolesStore.roles(roleNames, future); @@ -774,7 +774,7 @@ Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(Nativ Settings.EMPTY, fileRolesStore, nativeRolesStore, reservedRolesStore, mock(NativePrivilegeStore.class), Arrays.asList(inMemoryProvider), new ThreadContext(Settings.EMPTY), xPackLicenseState, cache, mock(ApiKeyService.class), documentSubsetBitsetCache, rds -> effectiveRoleDescriptors.set(rds)); - xPackLicenseState.update(randomFrom(OperationMode.PLATINUM, OperationMode.TRIAL), false, null); + xPackLicenseState.update(randomFrom(OperationMode.PLATINUM, OperationMode.ENTERPRISE, OperationMode.TRIAL), false, null); roleNames = Sets.newHashSet("roleA"); future = new PlainActionFuture<>(); compositeRolesStore.roles(roleNames, future); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/saml/SamlBaseRestHandlerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/saml/SamlBaseRestHandlerTests.java index 66993c2269dfd..2e4d5dcd401fd 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/saml/SamlBaseRestHandlerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/action/saml/SamlBaseRestHandlerTests.java @@ -23,7 +23,8 @@ public class SamlBaseRestHandlerTests extends ESTestCase { public void testSamlAvailableOnTrialAndPlatinum() { - final SamlBaseRestHandler handler = buildHandler(randomFrom(License.OperationMode.TRIAL, License.OperationMode.PLATINUM)); + final SamlBaseRestHandler handler = buildHandler(randomFrom( + License.OperationMode.TRIAL, License.OperationMode.PLATINUM, License.OperationMode.ENTERPRISE)); assertThat(handler.checkFeatureAvailable(new FakeRestRequest()), Matchers.nullValue()); }