Skip to content

Commit

Permalink
Types removal security index template (#39705) (#39731)
Browse files Browse the repository at this point in the history 
As we are moving to single type indices,
we need to address this change in security-related indexes.
To address this, we are
- updating index templates to use preferred type name `_doc`
- updating the API calls to use preferred type name `_doc`

Upgrade impact:-
In case of an upgrade from 6.x, the security index has type
`doc` and this will keep working as there is a single type and `_doc`
works as an alias to an existing type. The change is handled in the
`SecurityIndexManager` when we load mappings and settings from
the template. Previously, we used to do a `PutIndexTemplateRequest`
with the mapping source JSON with the type name. This has been
modified to remove the type name from the source.
So in the case of an upgrade, the `doc` type is updated
whereas for fresh installs `_doc` is updated. This happens as
backend handles `_doc` as an alias to the existing type name.

An optional step is to `reindex` security index and update the
type to `_doc`.

Since we do not support the security audit log index,
that template has been deleted.

Relates: #38637
  • Loading branch information
@bizybot
bizybot authored Mar 6, 2019
1 parent 65b44ee commit 82540d2
Show file tree
Hide file tree
Showing 17 changed files with 116 additions and 176 deletions.
1 change: 0 additions & 1 deletion ...g/elasticsearch/xpack/core/security/authc/support/mapper/NativeRoleMappingStoreField.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ public final class NativeRoleMappingStoreField {
public static final String DOC_TYPE_FIELD = "doc_type";
public static final String DOC_TYPE_ROLE_MAPPING = "role-mapping";
public static final String ID_PREFIX = DOC_TYPE_ROLE_MAPPING + "_";
public static final String SECURITY_GENERIC_TYPE = "doc";

private NativeRoleMappingStoreField() {}
}
2 changes: 1 addition & 1 deletion x-pack/plugin/core/src/main/resources/security-index-template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
}
},
"mappings" : {
"doc" : {
"_doc" : {
"_meta": {
"security-version": "${security.template.version}"
},
Expand Down
90 changes: 0 additions & 90 deletions x-pack/plugin/core/src/main/resources/security_audit_log.json
View file

This file was deleted.

20 changes: 12 additions & 8 deletions ...k/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,15 +93,16 @@

import javax.crypto.SecretKeyFactory;

import static org.elasticsearch.index.mapper.MapperService.SINGLE_MAPPING_NAME;
import static org.elasticsearch.search.SearchService.DEFAULT_KEEPALIVE_SETTING;
import static org.elasticsearch.xpack.core.ClientHelper.SECURITY_ORIGIN;
import static org.elasticsearch.xpack.core.ClientHelper.executeAsyncWithOrigin;
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_INDEX_NAME;

public class ApiKeyService {

private static final Logger logger = LogManager.getLogger(ApiKeyService.class);
private static final DeprecationLogger deprecationLogger = new DeprecationLogger(logger);
private static final String TYPE = "doc";
static final String API_KEY_ID_KEY = "_security_api_key_id";
static final String API_KEY_ROLE_DESCRIPTORS_KEY = "_security_api_key_role_descriptors";
static final String API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY = "_security_api_key_limited_by_role_descriptors";
Expand Down Expand Up @@ -248,7 +249,7 @@ public void createApiKey(Authentication authentication, CreateApiKeyRequest requ
.endObject()
.endObject();
final IndexRequest indexRequest =
client.prepareIndex(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE)
client.prepareIndex(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME)
.setSource(builder)
.setRefreshPolicy(request.getRefreshPolicy())
.request();
Expand Down Expand Up @@ -286,8 +287,10 @@ void authenticateWithApiKeyIfPresent(ThreadContext ctx, ActionListener<Authentic
}

if (credentials != null) {
final GetRequest getRequest = client.prepareGet(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE, credentials.getId())
.setFetchSource(true).request();
final GetRequest getRequest = client
.prepareGet(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME, credentials.getId())
.setFetchSource(true)
.request();
executeAsyncWithOrigin(ctx, SECURITY_ORIGIN, getRequest, ActionListener.<GetResponse>wrap(response -> {
if (response.isExists()) {
try (ApiKeyCredentials ignore = credentials) {
Expand Down Expand Up @@ -693,7 +696,7 @@ private void findApiKeys(final BoolQueryBuilder boolQuery, boolean filterOutInva
expiredQuery.should(QueryBuilders.boolQuery().mustNot(QueryBuilders.existsQuery("expiration_time")));
boolQuery.filter(expiredQuery);
}
final SearchRequest request = client.prepareSearch(SecurityIndexManager.SECURITY_INDEX_NAME)
final SearchRequest request = client.prepareSearch(SECURITY_INDEX_NAME)
.setScroll(DEFAULT_KEEPALIVE_SETTING.get(settings))
.setQuery(boolQuery)
.setVersion(false)
Expand Down Expand Up @@ -766,9 +769,10 @@ private void indexInvalidation(Collection<String> apiKeyIds, ActionListener<Inva
} else {
BulkRequestBuilder bulkRequestBuilder = client.prepareBulk();
for (String apiKeyId : apiKeyIds) {
UpdateRequest request = client.prepareUpdate(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE, apiKeyId)
.setDoc(Collections.singletonMap("api_key_invalidated", true))
.request();
UpdateRequest request = client
.prepareUpdate(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME, apiKeyId)
.setDoc(Collections.singletonMap("api_key_invalidated", true))
.request();
bulkRequestBuilder.add(request);
}
bulkRequestBuilder.setRefreshPolicy(RefreshPolicy.WAIT_UNTIL);
Expand Down
28 changes: 15 additions & 13 deletions ...ck/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,9 +126,11 @@

import static org.elasticsearch.action.support.TransportActions.isShardNotAvailableException;
import static org.elasticsearch.gateway.GatewayService.STATE_NOT_RECOVERED_BLOCK;
import static org.elasticsearch.index.mapper.MapperService.SINGLE_MAPPING_NAME;
import static org.elasticsearch.search.SearchService.DEFAULT_KEEPALIVE_SETTING;
import static org.elasticsearch.xpack.core.ClientHelper.SECURITY_ORIGIN;
import static org.elasticsearch.xpack.core.ClientHelper.executeAsyncWithOrigin;
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_INDEX_NAME;

/**
* Service responsible for the creation, validation, and other management of {@link UserToken}
Expand All @@ -154,7 +156,6 @@ public final class TokenService {
"\", error=\"invalid_token\", error_description=\"The access token expired\"";
private static final String MALFORMED_TOKEN_WWW_AUTH_VALUE = "Bearer realm=\"" + XPackField.SECURITY +
"\", error=\"invalid_token\", error_description=\"The access token is malformed\"";
private static final String TYPE = "doc";

public static final String THREAD_POOL_NAME = XPackField.SECURITY + "-token-key";
public static final Setting<TimeValue> TOKEN_EXPIRATION = Setting.timeSetting("xpack.security.authc.token.timeout",
Expand Down Expand Up @@ -266,7 +267,7 @@ public void createUserToken(Authentication authentication, Authentication origin
builder.endObject();
final String documentId = getTokenDocumentId(userToken);
IndexRequest request =
client.prepareIndex(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE, documentId)
client.prepareIndex(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME, documentId)
.setOpType(OpType.CREATE)
.setSource(builder)
.setRefreshPolicy(RefreshPolicy.WAIT_UNTIL)
Expand Down Expand Up @@ -362,7 +363,7 @@ void decodeToken(String token, ActionListener<UserToken> listener) throws IOExce
securityIndex.checkIndexVersionThenExecute(
ex -> listener.onFailure(traceLog("prepare security index", tokenId, ex)),
() -> {
final GetRequest getRequest = client.prepareGet(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE,
final GetRequest getRequest = client.prepareGet(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME,
getTokenDocumentId(tokenId)).request();
Consumer<Exception> onFailure = ex -> listener.onFailure(traceLog("decode token", tokenId, ex));
executeAsyncWithOrigin(client.threadPool().getThreadContext(), SECURITY_ORIGIN, getRequest,
Expand Down Expand Up @@ -586,10 +587,11 @@ private void indexInvalidation(Collection<String> tokenIds, ActionListener<Token
} else {
BulkRequestBuilder bulkRequestBuilder = client.prepareBulk();
for (String tokenId : tokenIds) {
UpdateRequest request = client.prepareUpdate(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE, getTokenDocumentId(tokenId))
.setDoc(srcPrefix, Collections.singletonMap("invalidated", true))
.setFetchSource(srcPrefix, null)
.request();
UpdateRequest request = client
.prepareUpdate(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME, getTokenDocumentId(tokenId))
.setDoc(srcPrefix, Collections.singletonMap("invalidated", true))
.setFetchSource(srcPrefix, null)
.request();
bulkRequestBuilder.add(request);
}
bulkRequestBuilder.setRefreshPolicy(RefreshPolicy.WAIT_UNTIL);
Expand Down Expand Up @@ -726,7 +728,7 @@ private void innerRefresh(String tokenDocId, Authentication userAuth, ActionList
listener.onFailure(invalidGrantException("could not refresh the requested token"));
} else {
Consumer<Exception> onFailure = ex -> listener.onFailure(traceLog("refresh token", tokenDocId, ex));
GetRequest getRequest = client.prepareGet(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE, tokenDocId).request();
GetRequest getRequest = client.prepareGet(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME, tokenDocId).request();
executeAsyncWithOrigin(client.threadPool().getThreadContext(), SECURITY_ORIGIN, getRequest,
ActionListener.<GetResponse>wrap(response -> {
if (response.isExists()) {
Expand All @@ -747,7 +749,7 @@ private void innerRefresh(String tokenDocId, Authentication userAuth, ActionList
in.setVersion(authVersion);
Authentication authentication = new Authentication(in);
UpdateRequestBuilder updateRequest =
client.prepareUpdate(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE, tokenDocId)
client.prepareUpdate(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME, tokenDocId)
.setDoc("refresh_token", Collections.singletonMap("refreshed", true))
.setRefreshPolicy(RefreshPolicy.WAIT_UNTIL);
updateRequest.setIfSeqNo(response.getSeqNo());
Expand Down Expand Up @@ -872,7 +874,7 @@ public void findActiveTokensForRealm(String realmName, ActionListener<Collection
)
);

final SearchRequest request = client.prepareSearch(SecurityIndexManager.SECURITY_INDEX_NAME)
final SearchRequest request = client.prepareSearch(SECURITY_INDEX_NAME)
.setScroll(DEFAULT_KEEPALIVE_SETTING.get(settings))
.setQuery(boolQuery)
.setVersion(false)
Expand Down Expand Up @@ -916,7 +918,7 @@ public void findActiveTokensForUser(String username, ActionListener<Collection<T
)
);

final SearchRequest request = client.prepareSearch(SecurityIndexManager.SECURITY_INDEX_NAME)
final SearchRequest request = client.prepareSearch(SECURITY_INDEX_NAME)
.setScroll(DEFAULT_KEEPALIVE_SETTING.get(settings))
.setQuery(boolQuery)
.setVersion(false)
Expand Down Expand Up @@ -1025,8 +1027,8 @@ private void checkIfTokenIsValid(UserToken userToken, ActionListener<UserToken>
listener.onResponse(null);
} else {
securityIndex.checkIndexVersionThenExecute(listener::onFailure, () -> {
final GetRequest getRequest = client.prepareGet(SecurityIndexManager.SECURITY_INDEX_NAME, TYPE,
getTokenDocumentId(userToken)).request();
final GetRequest getRequest = client.prepareGet(SECURITY_INDEX_NAME, SINGLE_MAPPING_NAME, getTokenDocumentId(userToken))
.request();
Consumer<Exception> onFailure = ex -> listener.onFailure(traceLog("check token state", userToken.getId(), ex));
executeAsyncWithOrigin(client.threadPool().getThreadContext(), SECURITY_ORIGIN, getRequest,
ActionListener.<GetResponse>wrap(response -> {
Expand Down
Loading

0 comments on commit 82540d2

Please sign in to comment.