[Backport 7.x] Permit API Keys on Basic License #42973

Merged
merged 1 commit into from
Jun 7, 2019
Expand Up @@ -454,12 +454,12 @@ public synchronized boolean isTokenServiceAllowed() {
}

/**
* @return whether the Elasticsearch {@code ApiKeyService} is allowed based on the license {@link OperationMode}
* @return whether the Elasticsearch {@code ApiKeyService} is allowed based on the current node/cluster state
*/
public synchronized boolean isApiKeyServiceAllowed() {
final OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled = isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
return isSecurityCurrentlyEnabled;
}

/**
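Review bot: The reworded Javadoc on isApiKeyServiceAllowed() ("based on the current node/cluster state") does not tell a reader that the license tier check was dropped on purpose, which is the whole effect of the new `return isSecurityCurrentlyEnabled;`. I would spell that out, e.g. `@return whether the {@code ApiKeyService} is allowed: true whenever security is currently enabled, with no further check of the license {@link OperationMode}`. The accompanying tests also assert true for the expired basic, gold and platinum cases, so the comment should say that expiry does not turn API keys off either. Anyone who expected a downgrade or lapse to cut off existing keys would have to invalidate them explicitly, and the method comment is where a maintainer would look for that.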
Expand Up @@ -107,6 +107,8 @@ public void testSecurityBasicWithoutExplicitSecurityEnabled() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
assertThat(licenseState.isApiKeyServiceAllowed(), is(false));

assertThat(licenseState.isSecurityAvailable(), is(true));
assertThat(licenseState.isSecurityDisabledByLicenseDefaults(), is(true));
Expand All @@ -124,6 +126,8 @@ public void testSecurityBasicWithExplicitSecurityEnabled() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));

assertThat(licenseState.isSecurityAvailable(), is(true));
assertThat(licenseState.isSecurityDisabledByLicenseDefaults(), is(false));
Expand All @@ -140,6 +144,8 @@ public void testSecurityDefaultBasicExpired() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
}

public void testSecurityEnabledBasicExpired() {
Expand All @@ -154,6 +160,8 @@ public void testSecurityEnabledBasicExpired() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NATIVE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
}

public void testSecurityStandard() {
Expand Down Expand Up @@ -196,6 +204,8 @@ public void testSecurityGold() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(true));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
}

public void testSecurityGoldExpired() {
Expand All @@ -210,6 +220,8 @@ public void testSecurityGoldExpired() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.DEFAULT));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(true));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
}

public void testSecurityPlatinum() {
Expand All @@ -224,6 +236,8 @@ public void testSecurityPlatinum() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
assertThat(licenseState.isTokenServiceAllowed(), is(true));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
}

public void testSecurityPlatinumExpired() {
Expand All @@ -238,6 +252,8 @@ public void testSecurityPlatinumExpired() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(true));
assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
}

public void testNewTrialDefaultsSecurityOff() {
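Review bot: None of the visible hunks adds an isApiKeyServiceAllowed() assertion to testSecurityStandard, although STANDARD is one of the two modes (with BASIC) whose result changes now that the GOLD/PLATINUM/TRIAL check is gone. The hunk headers jump from testSecurityEnabledBasicExpired straight to testSecurityGold, so the standard-license tests appear untouched. I would add `assertThat(licenseState.isApiKeyServiceAllowed(), is(true));` there, and the matching line in any standard-expired test, assuming security is enabled in that setup. The trial tests starting at testNewTrialDefaultsSecurityOff are collapsed on this page, so I cannot tell whether they already cover the explicitly-enabled and default-off cases.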
Expand Up @@ -54,8 +54,11 @@ public void testWithBasicLicense() throws Exception {
checkAuthentication();
checkHasPrivileges();
checkIndexWrite();

final Tuple<String, String> keyAndId = getApiKeyAndId();
assertAuthenticateWithApiKey(keyAndId, true);

assertFailToGetToken();
assertFailToGetApiKey();
assertAddRoleWithDLS(false);
assertAddRoleWithFLS(false);
}
Expand All @@ -79,9 +82,8 @@ public void testWithTrialLicense() throws Exception {
} finally {
revertTrial();
assertAuthenticateWithToken(accessToken, false);
assertAuthenticateWithApiKey(keyAndId, false);
assertAuthenticateWithApiKey(keyAndId, true);
assertFailToGetToken();
assertFailToGetApiKey();
assertAddRoleWithDLS(false);
assertAddRoleWithFLS(false);
}
Expand Down Expand Up @@ -199,12 +201,6 @@ private void assertFailToGetToken() {
assertThat(e.getMessage(), containsString("current license is non-compliant for [security tokens]"));
}

private void assertFailToGetApiKey() {
ResponseException e = expectThrows(ResponseException.class, () -> adminClient().performRequest(buildGetApiKeyRequest()));
assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(403));
assertThat(e.getMessage(), containsString("current license is non-compliant for [api keys]"));
}

private void assertAuthenticateWithToken(String accessToken, boolean shouldSucceed) throws IOException {
assertNotNull("access token cannot be null", accessToken);
Request request = new Request("GET", "/_security/_authenticate");
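Review bot: In the finally block of testWithTrialLicense the token assertion stays `false` while the API-key assertion flips to `true` after revertTrial(), and nothing in the test says why the two credentials now behave differently. A short comment above the changed line would stop the next reader from treating it as a mistake, e.g. `// API keys are permitted on basic, so a key issued under trial still authenticates after the revert; tokens do not.` The block starts outside the hunk, so I am assuming keyAndId is the key created while the trial was active.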