From 3c7731dd3f4a72ac691ae1909c12146c1ef8399a Mon Sep 17 00:00:00 2001 From: Lyudmila Fokina <35386883+BigPandaToo@users.noreply.github.com> Date: Tue, 13 Apr 2021 20:51:52 +0200 Subject: [PATCH] Warn users if security is implicitly disabled (#71650) * Warn users if security is implicitly disabled (#70114) Elasticsearch has security features implicitly disabled by default for Basic and Trial licenses, unless explicitly set in the configuration file. This may be good for onboarding, but it also lead to unintended insecure clusters. This change introduces clear warnings when security features are implicitly disabled. - a warning header in each REST response if security is implicitly disabled; - a log message during cluster boot. --- .../docker/test/DockerYmlTestSuiteIT.java | 22 --------- docs/build.gradle | 1 + docs/reference/rest-api/usage.asciidoc | 10 +--- .../qa/file-based-update/build.gradle | 2 + .../ingest/geoip/UpdateDatabasesIT.java | 11 +++++ .../examples/painless-whitelist/build.gradle | 1 + .../build.gradle | 2 + qa/ccs-unavailable-clusters/build.gradle | 5 ++ ...rossClusterSearchUnavailableClusterIT.java | 10 ++++ qa/die-with-dignity/build.gradle | 2 + .../qa/die_with_dignity/DieWithDignityIT.java | 5 ++ qa/full-cluster-restart/build.gradle | 3 +- qa/logging-config/build.gradle | 4 ++ qa/mixed-cluster/build.gradle | 1 + qa/multi-cluster-search/build.gradle | 2 + .../AbstractMultiClusterRemoteTestCase.java | 22 --------- qa/repository-multi-version/build.gradle | 3 +- qa/rolling-upgrade/build.gradle | 1 + qa/smoke-test-http/build.gradle | 4 ++ qa/smoke-test-ingest-disabled/build.gradle | 3 ++ .../build.gradle | 4 ++ qa/smoke-test-multinode/build.gradle | 4 ++ qa/smoke-test-plugins/build.gradle | 1 + qa/unconfigured-node-name/build.gradle | 4 ++ qa/verify-version-constants/build.gradle | 2 + .../VerifyVersionConstantsIT.java | 11 +++++ .../test/rest/ESRestTestCase.java | 26 +++++++++++ .../downgrade-to-basic-license/build.gradle | 7 ++- .../xpack/ccr/FollowIndexIT.java | 11 +++++ .../plugin/ccr/qa/multi-cluster/build.gradle | 6 +++ .../elasticsearch/xpack/ccr/AutoFollowIT.java | 12 ++++- .../org/elasticsearch/xpack/ccr/ChainIT.java | 10 ++++ .../xpack/ccr/FollowIndexIT.java | 10 ++++ .../elasticsearch/xpack/ccr/XPackUsageIT.java | 11 +++++ .../ccr/qa/non-compliant-license/build.gradle | 4 ++ .../xpack/ccr/CcrMultiClusterLicenseIT.java | 10 ++++ x-pack/plugin/ccr/qa/restart/build.gradle | 4 ++ .../elasticsearch/xpack/ccr/RestartIT.java | 10 ++++ .../xpack/ccr/FollowIndexSecurityIT.java | 1 - .../XPackCoreClientYamlTestSuiteIT.java | 2 - .../plugin/data-streams/qa/rest/build.gradle | 1 + x-pack/plugin/enrich/qa/common/build.gradle | 6 +++ .../enrich/EnrichAdvancedSecurityIT.java | 1 - x-pack/plugin/enrich/qa/rest/build.gradle | 1 + .../test/eql/stats/EqlUsageRestTestCase.java | 11 +++++ x-pack/plugin/eql/qa/correctness/build.gradle | 2 + .../xpack/eql/EsEQLCorrectnessIT.java | 8 ++++ x-pack/plugin/eql/qa/mixed-node/build.gradle | 2 +- x-pack/plugin/eql/qa/rest/build.gradle | 1 + .../elasticsearch/xpack/eql/EqlRestIT.java | 11 +++++ x-pack/plugin/fleet/build.gradle | 2 + .../xpack/security/PermissionsIT.java | 1 - x-pack/plugin/logstash/build.gradle | 2 + .../repositories-metering-api/build.gradle | 6 ++- .../qa/azure/build.gradle | 4 ++ .../qa/gcs/build.gradle | 4 ++ .../qa/s3/build.gradle | 1 + x-pack/plugin/rollup/qa/rest/build.gradle | 1 + .../qa/azure/build.gradle | 1 + .../searchable-snapshots/qa/gcs/build.gradle | 2 + .../searchable-snapshots/qa/hdfs/build.gradle | 2 + .../qa/minio/build.gradle | 2 + .../searchable-snapshots/qa/rest/build.gradle | 2 + .../searchable-snapshots/qa/s3/build.gradle | 2 + .../searchable-snapshots/qa/url/build.gradle | 2 + .../qa/basic-enable-security/build.gradle | 16 +++++-- .../EnableSecurityOnBasicLicenseIT.java | 46 +++++++++++++++++-- .../qa/security-not-enabled/build.gradle | 1 + .../test/rest/CatIndicesWithSecurityIT.java | 1 - .../plugin/security/qa/tls-basic/build.gradle | 2 + .../xpack/security/TlsWithBasicLicenseIT.java | 4 ++ .../security/rest/SecurityRestFilter.java | 7 +++ .../support/SecurityStatusChangeListener.java | 6 +++ .../rest/SecurityRestFilterTests.java | 4 ++ .../SecurityStatusChangeListenerTests.java | 18 +++++++- .../shutdown/qa/multi-node/build.gradle | 2 + .../xpack/shutdown/NodeShutdownIT.java | 12 +++++ .../qa/azure/build.gradle | 4 ++ .../qa/gcs/build.gradle | 1 + .../qa/minio/build.gradle | 2 + .../qa/rest/build.gradle | 1 + .../snapshot-repo-test-kit/qa/s3/build.gradle | 1 + x-pack/plugin/spatial/build.gradle | 1 + .../qa/jdbc/security/JdbcConnectionIT.java | 2 - x-pack/plugin/sql/qa/mixed-node/build.gradle | 4 ++ .../xpack/sql/qa/security/RestSqlIT.java | 2 - .../integration/TransformRestTestCase.java | 1 - .../SmokeTestWatcherTestSuiteIT.java | 1 - .../SmokeTestWatcherWithSecurityIT.java | 1 - ...cherWithSecurityClientYamlTestSuiteIT.java | 3 -- ...CoreWithSecurityClientYamlTestSuiteIT.java | 2 - ...sterSearchWithSecurityYamlTestSuiteIT.java | 2 - .../MultiClusterYamlTestSuiteIT.java | 2 - .../GlobalCheckpointSyncActionIT.java | 1 - .../elasticsearch/multi_node/RollupIT.java | 1 - ...ndexWithSecurityClientYamlTestSuiteIT.java | 2 - .../xpack/security/ReindexWithSecurityIT.java | 1 - .../upgrades/AbstractUpgradeTestCase.java | 5 +- x-pack/qa/runtime-fields/build.gradle | 1 + .../xpack/security/PermissionsIT.java | 2 - ...SmokeTestPluginsClientYamlTestSuiteIT.java | 2 - ...rityWithMustacheClientYamlTestSuiteIT.java | 2 - 102 files changed, 404 insertions(+), 104 deletions(-) diff --git a/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java b/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java index d3e475278c3fe..7ce27f90d9b0e 100644 --- a/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java +++ b/distribution/docker/src/test/java/org/elasticsearch/docker/test/DockerYmlTestSuiteIT.java @@ -10,7 +10,6 @@ import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import org.elasticsearch.ElasticsearchException; import org.elasticsearch.client.Request; -import org.elasticsearch.common.CharArrays; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; @@ -24,11 +23,8 @@ import java.io.IOException; import java.net.URISyntaxException; -import java.nio.CharBuffer; import java.nio.file.Files; import java.nio.file.Path; -import java.util.Arrays; -import java.util.Base64; public class DockerYmlTestSuiteIT extends ESClientYamlSuiteTestCase { @@ -130,22 +126,4 @@ protected String getProtocol() { } return "https"; } - - private static String basicAuthHeaderValue(String username, SecureString passwd) { - CharBuffer chars = CharBuffer.allocate(username.length() + passwd.length() + 1); - byte[] charBytes = null; - try { - chars.put(username).put(':').put(passwd.getChars()); - charBytes = CharArrays.toUtf8Bytes(chars.array()); - - //TODO we still have passwords in Strings in headers. Maybe we can look into using a CharSequence? - String basicToken = Base64.getEncoder().encodeToString(charBytes); - return "Basic " + basicToken; - } finally { - Arrays.fill(chars.array(), (char) 0); - if (charBytes != null) { - Arrays.fill(charBytes, (byte) 0); - } - } - } } diff --git a/docs/build.gradle b/docs/build.gradle index 41167e46a3db9..b099b8f0a1100 100644 --- a/docs/build.gradle +++ b/docs/build.gradle @@ -49,6 +49,7 @@ testClusters.integTest { // enable regexes in painless so our tests don't complain about example snippets that use them setting 'script.painless.regex.enabled', 'true' + setting 'xpack.security.enabled', 'false' setting 'path.repo', "${buildDir}/cluster/shared/repo" Closure configFile = { extraConfigFile it, file("src/test/cluster/config/$it") diff --git a/docs/reference/rest-api/usage.asciidoc b/docs/reference/rest-api/usage.asciidoc index 56233609165fc..a63e6739866a0 100644 --- a/docs/reference/rest-api/usage.asciidoc +++ b/docs/reference/rest-api/usage.asciidoc @@ -48,15 +48,7 @@ GET /_xpack/usage { "security" : { "available" : true, - "enabled" : false, - "ssl" : { - "http" : { - "enabled" : false - }, - "transport" : { - "enabled" : false - } - } + "enabled" : false }, "monitoring" : { "available" : true, diff --git a/modules/ingest-geoip/qa/file-based-update/build.gradle b/modules/ingest-geoip/qa/file-based-update/build.gradle index 4f2ed2e30a54f..507715e703b23 100644 --- a/modules/ingest-geoip/qa/file-based-update/build.gradle +++ b/modules/ingest-geoip/qa/file-based-update/build.gradle @@ -12,6 +12,8 @@ apply plugin: 'elasticsearch.rest-test' testClusters.all { testDistribution = 'DEFAULT' setting 'resource.reload.interval.high', '100ms' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } tasks.named("integTest").configure { diff --git a/modules/ingest-geoip/qa/file-based-update/src/test/java/org/elasticsearch/ingest/geoip/UpdateDatabasesIT.java b/modules/ingest-geoip/qa/file-based-update/src/test/java/org/elasticsearch/ingest/geoip/UpdateDatabasesIT.java index 9179fe7010237..918266ff78df7 100644 --- a/modules/ingest-geoip/qa/file-based-update/src/test/java/org/elasticsearch/ingest/geoip/UpdateDatabasesIT.java +++ b/modules/ingest-geoip/qa/file-based-update/src/test/java/org/elasticsearch/ingest/geoip/UpdateDatabasesIT.java @@ -11,6 +11,9 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.ObjectPath; import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.common.xcontent.json.JsonXContent; @@ -53,4 +56,12 @@ private static Map toMap(Response response) throws IOException { return XContentHelper.convertToMap(JsonXContent.jsonXContent, EntityUtils.toString(response.getEntity()), false); } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/plugins/examples/painless-whitelist/build.gradle b/plugins/examples/painless-whitelist/build.gradle index 9cd57a2d64799..4728919d271be 100644 --- a/plugins/examples/painless-whitelist/build.gradle +++ b/plugins/examples/painless-whitelist/build.gradle @@ -23,6 +23,7 @@ dependencies { testClusters.all { testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'false' } tasks.named("test").configure { enabled = false } diff --git a/qa/ccs-rolling-upgrade-remote-cluster/build.gradle b/qa/ccs-rolling-upgrade-remote-cluster/build.gradle index 47f0480f8c60e..79507e080da35 100644 --- a/qa/ccs-rolling-upgrade-remote-cluster/build.gradle +++ b/qa/ccs-rolling-upgrade-remote-cluster/build.gradle @@ -35,12 +35,14 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { numberOfNodes = 2 versions = [bwcVersionStr, project.version] setting 'cluster.remote.node.attr', 'gateway' + setting 'xpack.security.enabled', 'false' } "${baseName}-remote" { numberOfNodes = 3 versions = [bwcVersionStr, project.version] firstNode.setting 'node.attr.gateway', 'true' lastNode.setting 'node.attr.gateway', 'true' + setting 'xpack.security.enabled', 'false' } } diff --git a/qa/ccs-unavailable-clusters/build.gradle b/qa/ccs-unavailable-clusters/build.gradle index 5f24db03aed06..6f6f08f4eb55f 100644 --- a/qa/ccs-unavailable-clusters/build.gradle +++ b/qa/ccs-unavailable-clusters/build.gradle @@ -10,6 +10,11 @@ apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' apply plugin: 'elasticsearch.test-with-dependencies' +testClusters.matching { it.name == "integTest" }.configureEach { + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' +} + dependencies { testImplementation project(":client:rest-high-level") } diff --git a/qa/ccs-unavailable-clusters/src/test/java/org/elasticsearch/search/CrossClusterSearchUnavailableClusterIT.java b/qa/ccs-unavailable-clusters/src/test/java/org/elasticsearch/search/CrossClusterSearchUnavailableClusterIT.java index 6ee4423c7c661..00f0fb99f6c45 100644 --- a/qa/ccs-unavailable-clusters/src/test/java/org/elasticsearch/search/CrossClusterSearchUnavailableClusterIT.java +++ b/qa/ccs-unavailable-clusters/src/test/java/org/elasticsearch/search/CrossClusterSearchUnavailableClusterIT.java @@ -38,7 +38,9 @@ import org.elasticsearch.cluster.node.DiscoveryNode; import org.elasticsearch.cluster.node.DiscoveryNodes; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.json.JsonXContent; import org.elasticsearch.search.aggregations.InternalAggregations; @@ -327,4 +329,12 @@ private HighLevelClient(RestClient restClient) { super(restClient, (client) -> {}, Collections.emptyList()); } } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/qa/die-with-dignity/build.gradle b/qa/die-with-dignity/build.gradle index 7818c2935dce3..77d9952277346 100644 --- a/qa/die-with-dignity/build.gradle +++ b/qa/die-with-dignity/build.gradle @@ -21,6 +21,8 @@ javaRestTest { testClusters.matching { it.name == "javaRestTest" }.configureEach { systemProperty "die.with.dignity.test", "whatever" + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } tasks.named("test").configure { diff --git a/qa/die-with-dignity/src/javaRestTest/java/org/elasticsearch/qa/die_with_dignity/DieWithDignityIT.java b/qa/die-with-dignity/src/javaRestTest/java/org/elasticsearch/qa/die_with_dignity/DieWithDignityIT.java index f53f5526a3d33..6ee6a5a67ed5f 100644 --- a/qa/die-with-dignity/src/javaRestTest/java/org/elasticsearch/qa/die_with_dignity/DieWithDignityIT.java +++ b/qa/die-with-dignity/src/javaRestTest/java/org/elasticsearch/qa/die_with_dignity/DieWithDignityIT.java @@ -10,7 +10,9 @@ import org.elasticsearch.client.Request; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import java.io.BufferedReader; @@ -26,6 +28,7 @@ import static org.hamcrest.Matchers.not; public class DieWithDignityIT extends ESRestTestCase { + public void testDieWithDignity() throws Exception { expectThrows( IOException.class, @@ -99,7 +102,9 @@ protected boolean preserveClusterUponCompletion() { @Override protected final Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); return Settings.builder().put(super.restClientSettings()) + .put(ThreadContext.PREFIX + ".Authorization", token) // increase the timeout here to 90 seconds to handle long waits for a green // cluster health. the waits for green need to be longer than a minute to // account for delayed shards diff --git a/qa/full-cluster-restart/build.gradle b/qa/full-cluster-restart/build.gradle index 2d55b4f84b4e1..fd58f10129a13 100644 --- a/qa/full-cluster-restart/build.gradle +++ b/qa/full-cluster-restart/build.gradle @@ -27,6 +27,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { setting 'indices.memory.shard_inactive_time', '60m' setting 'http.content_type.required', 'true' setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}" + setting 'xpack.security.enabled', 'false' } } @@ -60,4 +61,4 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { tasks.register(bwcTaskName(bwcVersion)) { dependsOn tasks.named("${baseName}#upgradedClusterTest") } -} \ No newline at end of file +} diff --git a/qa/logging-config/build.gradle b/qa/logging-config/build.gradle index 9ab17185f2e17..c59f5cfb8f1b6 100644 --- a/qa/logging-config/build.gradle +++ b/qa/logging-config/build.gradle @@ -11,6 +11,10 @@ apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' apply plugin: 'elasticsearch.standalone-test' +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + testClusters.integTest { /** * Provide a custom log4j configuration where layout is an old style pattern and confirm that Elasticsearch diff --git a/qa/mixed-cluster/build.gradle b/qa/mixed-cluster/build.gradle index 4995db6bbeb8a..c214efcb7ecbc 100644 --- a/qa/mixed-cluster/build.gradle +++ b/qa/mixed-cluster/build.gradle @@ -38,6 +38,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { numberOfNodes = 4 setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}" + setting 'xpack.security.enabled', 'false' } } diff --git a/qa/multi-cluster-search/build.gradle b/qa/multi-cluster-search/build.gradle index dcc8a89071ad0..e59ed02d63d72 100644 --- a/qa/multi-cluster-search/build.gradle +++ b/qa/multi-cluster-search/build.gradle @@ -25,6 +25,7 @@ testClusters { 'remote-cluster' { numberOfNodes = 2 setting 'node.roles', '[data,ingest,master]' + setting 'xpack.security.enabled', 'false' } } @@ -38,6 +39,7 @@ testClusters.matching { it.name == "mixedClusterTest"}.configureEach { setting 'cluster.remote.my_remote_cluster.seeds', { "\"${testClusters.'remote-cluster'.getAllTransportPortURI().get(0)}\"" } setting 'cluster.remote.connections_per_cluster', '1' + setting 'xpack.security.enabled', 'false' } tasks.register("integTest") { diff --git a/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java b/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java index 77b8ed5c3ca08..0ae59b4f0416e 100644 --- a/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java +++ b/qa/remote-clusters/src/test/java/org/elasticsearch/cluster/remote/test/AbstractMultiClusterRemoteTestCase.java @@ -13,7 +13,6 @@ import org.elasticsearch.client.RequestOptions; import org.elasticsearch.client.RestClient; import org.elasticsearch.client.RestHighLevelClient; -import org.elasticsearch.common.CharArrays; import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; @@ -26,11 +25,8 @@ import java.io.IOException; import java.net.URISyntaxException; -import java.nio.CharBuffer; import java.nio.file.Files; import java.nio.file.Path; -import java.util.Arrays; -import java.util.Base64; import java.util.Collections; public abstract class AbstractMultiClusterRemoteTestCase extends ESRestTestCase { @@ -150,24 +146,6 @@ protected String getProtocol() { return "https"; } - private static String basicAuthHeaderValue(String username, SecureString passwd) { - CharBuffer chars = CharBuffer.allocate(username.length() + passwd.length() + 1); - byte[] charBytes = null; - try { - chars.put(username).put(':').put(passwd.getChars()); - charBytes = CharArrays.toUtf8Bytes(chars.array()); - - //TODO we still have passwords in Strings in headers. Maybe we can look into using a CharSequence? - String basicToken = Base64.getEncoder().encodeToString(charBytes); - return "Basic " + basicToken; - } finally { - Arrays.fill(chars.array(), (char) 0); - if (charBytes != null) { - Arrays.fill(charBytes, (byte) 0); - } - } - } - private String getProperty(String key) { String value = System.getProperty(key); if (value == null) { diff --git a/qa/repository-multi-version/build.gradle b/qa/repository-multi-version/build.gradle index 19f2d656c5f00..05bedf0bbd385 100644 --- a/qa/repository-multi-version/build.gradle +++ b/qa/repository-multi-version/build.gradle @@ -30,6 +30,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { version = v numberOfNodes = 2 setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}" + setting 'xpack.security.enabled', 'false' } } @@ -76,4 +77,4 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { tasks.register(bwcTaskName(bwcVersion)) { dependsOn tasks.named("${baseName}#Step4NewClusterTest") } -} \ No newline at end of file +} diff --git a/qa/rolling-upgrade/build.gradle b/qa/rolling-upgrade/build.gradle index 7ed63292ba1a6..acdbd279c144f 100644 --- a/qa/rolling-upgrade/build.gradle +++ b/qa/rolling-upgrade/build.gradle @@ -39,6 +39,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible) { setting 'repositories.url.allowed_urls', 'http://snapshot.test*' setting 'path.repo', "${buildDir}/cluster/shared/repo/${baseName}" + setting 'xpack.security.enabled', 'false' setting 'http.content_type.required', 'true' } } diff --git a/qa/smoke-test-http/build.gradle b/qa/smoke-test-http/build.gradle index 6de9bcbb3af7e..30f0d29c22ae0 100644 --- a/qa/smoke-test-http/build.gradle +++ b/qa/smoke-test-http/build.gradle @@ -16,6 +16,10 @@ dependencies { testImplementation project(path: ':plugins:transport-nio') // for http } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest").configure { /* * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each diff --git a/qa/smoke-test-ingest-disabled/build.gradle b/qa/smoke-test-ingest-disabled/build.gradle index d657bfe78a4e6..ab992414630f1 100644 --- a/qa/smoke-test-ingest-disabled/build.gradle +++ b/qa/smoke-test-ingest-disabled/build.gradle @@ -14,6 +14,9 @@ apply plugin: 'elasticsearch.rest-resources' dependencies { testImplementation project(':modules:ingest-common') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} testClusters.integTest { setting 'node.roles', '[data,master,remote_cluster_client]' diff --git a/qa/smoke-test-ingest-with-all-dependencies/build.gradle b/qa/smoke-test-ingest-with-all-dependencies/build.gradle index c31b31e411195..b7a8df8cc2e15 100644 --- a/qa/smoke-test-ingest-with-all-dependencies/build.gradle +++ b/qa/smoke-test-ingest-with-all-dependencies/build.gradle @@ -19,6 +19,10 @@ dependencies { testImplementation project(':modules:reindex') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("testingConventions").configure { naming { IT { diff --git a/qa/smoke-test-multinode/build.gradle b/qa/smoke-test-multinode/build.gradle index 48d9e1e817b7c..0e7adfe05633e 100644 --- a/qa/smoke-test-multinode/build.gradle +++ b/qa/smoke-test-multinode/build.gradle @@ -23,6 +23,10 @@ testClusters.integTest { setting 'path.repo', repo.absolutePath } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + integTest { doFirst { project.delete(repo) diff --git a/qa/smoke-test-plugins/build.gradle b/qa/smoke-test-plugins/build.gradle index 740e913189289..67a54372e67e8 100644 --- a/qa/smoke-test-plugins/build.gradle +++ b/qa/smoke-test-plugins/build.gradle @@ -27,6 +27,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { pluginPaths.each { pluginPath -> plugin pluginPath } + setting 'xpack.security.enabled', 'false' } ext.expansions = [ diff --git a/qa/unconfigured-node-name/build.gradle b/qa/unconfigured-node-name/build.gradle index bc94289791a52..66c00eecda0d1 100644 --- a/qa/unconfigured-node-name/build.gradle +++ b/qa/unconfigured-node-name/build.gradle @@ -12,6 +12,10 @@ apply plugin: 'elasticsearch.testclusters' apply plugin: 'elasticsearch.standalone-rest-test' apply plugin: 'elasticsearch.rest-test' +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + testClusters.integTest { nameCustomization = { null } } diff --git a/qa/verify-version-constants/build.gradle b/qa/verify-version-constants/build.gradle index acc8d54902ab5..b8c8c6a879c28 100644 --- a/qa/verify-version-constants/build.gradle +++ b/qa/verify-version-constants/build.gradle @@ -22,6 +22,8 @@ for (Version bwcVersion : BuildParams.bwcVersions.indexCompatible) { "${baseName}" { version = bwcVersion.toString() setting 'http.content_type.required', 'true' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } } diff --git a/qa/verify-version-constants/src/test/java/org/elasticsearch/qa/verify_version_constants/VerifyVersionConstantsIT.java b/qa/verify-version-constants/src/test/java/org/elasticsearch/qa/verify_version_constants/VerifyVersionConstantsIT.java index a883a5e137c7c..ee9e922e66871 100644 --- a/qa/verify-version-constants/src/test/java/org/elasticsearch/qa/verify_version_constants/VerifyVersionConstantsIT.java +++ b/qa/verify-version-constants/src/test/java/org/elasticsearch/qa/verify_version_constants/VerifyVersionConstantsIT.java @@ -11,6 +11,9 @@ import org.elasticsearch.Version; import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.yaml.ObjectPath; @@ -42,4 +45,12 @@ public boolean preserveClusterUponCompletion() { */ return true; } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java index 80b0c545eb68d..25baa7f95d48c 100644 --- a/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java +++ b/test/framework/src/main/java/org/elasticsearch/test/rest/ESRestTestCase.java @@ -33,10 +33,12 @@ import org.elasticsearch.client.RestClient; import org.elasticsearch.client.RestClientBuilder; import org.elasticsearch.client.WarningsHandler; +import org.elasticsearch.common.CharArrays; import org.elasticsearch.common.CheckedRunnable; import org.elasticsearch.common.Nullable; import org.elasticsearch.common.Strings; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.ssl.PemUtils; import org.elasticsearch.common.unit.TimeValue; @@ -68,6 +70,7 @@ import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; +import java.nio.CharBuffer; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; @@ -82,6 +85,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; +import java.util.Base64; import java.util.HashMap; import java.util.HashSet; import java.util.List; @@ -302,6 +306,28 @@ public static RequestOptions expectWarnings(String... warnings) { return expectVersionSpecificWarnings(consumer -> consumer.current(warnings)); } + /** + * Construct a Basic auth header + * @param username user name + * @param passwd user password + */ + public static String basicAuthHeaderValue(String username, SecureString passwd) { + CharBuffer chars = CharBuffer.allocate(username.length() + passwd.length() + 1); + byte[] charBytes = null; + try { + chars.put(username).put(':').put(passwd.getChars()); + charBytes = CharArrays.toUtf8Bytes(chars.array()); + + String basicToken = Base64.getEncoder().encodeToString(charBytes); + return "Basic " + basicToken; + } finally { + Arrays.fill(chars.array(), (char) 0); + if (charBytes != null) { + Arrays.fill(charBytes, (byte) 0); + } + } + } + /** * Creates RequestOptions designed to ignore [types removal] warnings but nothing else * @deprecated this method is only required while we deprecate types and can be removed in 8.0 diff --git a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle index f0af6a5fe7f1d..355df38be0a30 100644 --- a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle +++ b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build.gradle @@ -15,13 +15,18 @@ testClusters { "leader-cluster" { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } "follow-cluster" { testDistribution = 'DEFAULT' setting 'xpack.monitoring.collection.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' - setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters."leader-cluster".getAllTransportPortURI().join(",")}\"" } + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' + setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters."leader-cluster".getAllTransportPortURI().join(",")}\"" + } } } diff --git a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java index 2cedcffb746ae..3782e95b33dd7 100644 --- a/x-pack/plugin/ccr/qa/downgrade-to-basic-license/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java +++ b/x-pack/plugin/ccr/qa/downgrade-to-basic-license/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java @@ -13,6 +13,9 @@ import org.elasticsearch.common.io.PathUtils; import org.elasticsearch.common.logging.JsonLogLine; import org.elasticsearch.common.logging.JsonLogsStream; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.hamcrest.FeatureMatcher; import org.hamcrest.Matcher; import org.hamcrest.Matchers; @@ -124,4 +127,12 @@ private void createNewIndexAndIndexDocs(RestClient client, String index) throws } } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/x-pack/plugin/ccr/qa/multi-cluster/build.gradle b/x-pack/plugin/ccr/qa/multi-cluster/build.gradle index d33401c3db27f..0a13e84eeed0d 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/build.gradle +++ b/x-pack/plugin/ccr/qa/multi-cluster/build.gradle @@ -13,11 +13,15 @@ testClusters { 'leader-cluster' { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'path.repo', "${buildDir}/cluster/shared/repo/leader-cluster" } 'middle-cluster' { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters.named('leader-cluster').get().getAllTransportPortURI().join(",")}\"" } } @@ -55,6 +59,8 @@ testClusters.matching { it.name == "follow-cluster" }.configureEach { testDistribution = 'DEFAULT' setting 'xpack.monitoring.collection.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters.named('leader-cluster').get().getAllTransportPortURI().join(",")}\"" } setting 'cluster.remote.middle_cluster.seeds', diff --git a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/AutoFollowIT.java b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/AutoFollowIT.java index 267f8c486a659..12224700490ca 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/AutoFollowIT.java +++ b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/AutoFollowIT.java @@ -16,7 +16,9 @@ import org.elasticsearch.client.RestClient; import org.elasticsearch.common.CheckedRunnable; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.ObjectPath; import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.json.JsonXContent; @@ -771,7 +773,7 @@ private void deleteDataStream(RestClient client, String name) throws IOException Request deleteTemplateRequest = new Request("DELETE", "/_data_stream/" + name); assertOK(client.performRequest(deleteTemplateRequest)); } - + private Response getAutoFollowStats() throws IOException { final Request statsRequest = new Request("GET", "/_ccr/stats"); statsRequest.addParameter("pretty", Boolean.TRUE.toString()); @@ -792,4 +794,12 @@ private void assertLongBusy(CheckedRunnable runnable) throws Exceptio throw ae; } } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/ChainIT.java b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/ChainIT.java index 1a1cf44b858fd..5b857ebadcaad 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/ChainIT.java +++ b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/ChainIT.java @@ -8,7 +8,9 @@ package org.elasticsearch.xpack.ccr; import org.elasticsearch.client.RestClient; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; public class ChainIT extends ESCCRRestTestCase { @@ -67,4 +69,12 @@ public void testFollowIndex() throws Exception { } } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java index 1cf27112f0a56..e0ff2a02fc6bf 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java +++ b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexIT.java @@ -12,7 +12,9 @@ import org.elasticsearch.client.ResponseException; import org.elasticsearch.client.RestClient; import org.elasticsearch.cluster.metadata.DataStream; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.repositories.fs.FsRepository; import org.elasticsearch.rest.RestStatus; @@ -232,4 +234,12 @@ public void testFollowSearchableSnapshotsFails() throws Exception { assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(400)); } } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/XPackUsageIT.java b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/XPackUsageIT.java index e41a95b957aaa..8493f0be79a44 100644 --- a/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/XPackUsageIT.java +++ b/x-pack/plugin/ccr/qa/multi-cluster/src/test/java/org/elasticsearch/xpack/ccr/XPackUsageIT.java @@ -8,6 +8,9 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.RestClient; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.ObjectPath; import java.io.IOException; @@ -91,4 +94,12 @@ private void assertIndexFollowingActive(String expectedFollowerIndex) throws IOE assertThat(followStatus, equalTo("active")); } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/x-pack/plugin/ccr/qa/non-compliant-license/build.gradle b/x-pack/plugin/ccr/qa/non-compliant-license/build.gradle index 6e4a8b1ef0114..a20fab7d86d65 100644 --- a/x-pack/plugin/ccr/qa/non-compliant-license/build.gradle +++ b/x-pack/plugin/ccr/qa/non-compliant-license/build.gradle @@ -12,11 +12,15 @@ dependencies { testClusters { 'leader-cluster' { testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } 'follow-cluster' { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters.'leader-cluster'.getAllTransportPortURI().join(",")}\"" } } diff --git a/x-pack/plugin/ccr/qa/non-compliant-license/src/test/java/org/elasticsearch/xpack/ccr/CcrMultiClusterLicenseIT.java b/x-pack/plugin/ccr/qa/non-compliant-license/src/test/java/org/elasticsearch/xpack/ccr/CcrMultiClusterLicenseIT.java index 88c490a30bfc4..7aa486d728737 100644 --- a/x-pack/plugin/ccr/qa/non-compliant-license/src/test/java/org/elasticsearch/xpack/ccr/CcrMultiClusterLicenseIT.java +++ b/x-pack/plugin/ccr/qa/non-compliant-license/src/test/java/org/elasticsearch/xpack/ccr/CcrMultiClusterLicenseIT.java @@ -9,6 +9,9 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.ResponseException; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import java.util.Locale; @@ -44,4 +47,11 @@ private static void assertNonCompliantLicense(final Request request, final Strin assertThat(e, hasToString(containsString(expected))); } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/ccr/qa/restart/build.gradle b/x-pack/plugin/ccr/qa/restart/build.gradle index 82fdb18eaa5e2..f143a4fade14d 100644 --- a/x-pack/plugin/ccr/qa/restart/build.gradle +++ b/x-pack/plugin/ccr/qa/restart/build.gradle @@ -12,12 +12,16 @@ testClusters { 'leader-cluster' { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } 'follow-cluster' { testDistribution = 'DEFAULT' setting 'xpack.monitoring.collection.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' setting 'cluster.remote.leader_cluster.seeds', { "\"${testClusters.'leader-cluster'.getAllTransportPortURI().get(0)}\"" } nameCustomization = { 'follow' } diff --git a/x-pack/plugin/ccr/qa/restart/src/test/java/org/elasticsearch/xpack/ccr/RestartIT.java b/x-pack/plugin/ccr/qa/restart/src/test/java/org/elasticsearch/xpack/ccr/RestartIT.java index 858ffde006fa3..efb5e7a1a86cf 100644 --- a/x-pack/plugin/ccr/qa/restart/src/test/java/org/elasticsearch/xpack/ccr/RestartIT.java +++ b/x-pack/plugin/ccr/qa/restart/src/test/java/org/elasticsearch/xpack/ccr/RestartIT.java @@ -10,7 +10,9 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.RestClient; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import java.io.IOException; @@ -95,4 +97,12 @@ private void verifyFollower(final String index, final int numberOfDocuments, fin }); } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } + } diff --git a/x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java b/x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java index cc71e67daa26b..4b5788ceb5dd6 100644 --- a/x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java +++ b/x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java @@ -26,7 +26,6 @@ import java.util.Map; import java.util.concurrent.TimeUnit; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.hasSize; diff --git a/x-pack/plugin/core/src/yamlRestTest/java/org/elasticsearch/license/XPackCoreClientYamlTestSuiteIT.java b/x-pack/plugin/core/src/yamlRestTest/java/org/elasticsearch/license/XPackCoreClientYamlTestSuiteIT.java index ccaa10bd1d6c3..b010e6c1eb133 100644 --- a/x-pack/plugin/core/src/yamlRestTest/java/org/elasticsearch/license/XPackCoreClientYamlTestSuiteIT.java +++ b/x-pack/plugin/core/src/yamlRestTest/java/org/elasticsearch/license/XPackCoreClientYamlTestSuiteIT.java @@ -15,8 +15,6 @@ import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - public class XPackCoreClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String BASIC_AUTH_VALUE = diff --git a/x-pack/plugin/data-streams/qa/rest/build.gradle b/x-pack/plugin/data-streams/qa/rest/build.gradle index 204e5d9d1201c..bf18f2a8c071d 100644 --- a/x-pack/plugin/data-streams/qa/rest/build.gradle +++ b/x-pack/plugin/data-streams/qa/rest/build.gradle @@ -19,6 +19,7 @@ testClusters.all { setting 'xpack.license.self_generated.type', 'trial' // disable ILM history, since it disturbs tests using _all setting 'indices.lifecycle.history_index_enabled', 'false' + setting 'xpack.security.enabled', 'false' } if (BuildParams.inFipsJvm){ // These fail in CI but only when run as part of checkPart2 and not individually. diff --git a/x-pack/plugin/enrich/qa/common/build.gradle b/x-pack/plugin/enrich/qa/common/build.gradle index 72cd4bba91169..d4f5f678196d1 100644 --- a/x-pack/plugin/enrich/qa/common/build.gradle +++ b/x-pack/plugin/enrich/qa/common/build.gradle @@ -4,3 +4,9 @@ tasks.named("test").configure { enabled = false } dependencies { api project(':test:framework') } + +testClusters.all { + testDistribution = 'DEFAULT' + setting 'xpack.license.self_generated.type', 'basic' + setting 'xpack.security.enabled', 'false' +} diff --git a/x-pack/plugin/enrich/qa/rest-with-advanced-security/src/javaRestTest/java/org/elasticsearch/xpack/enrich/EnrichAdvancedSecurityIT.java b/x-pack/plugin/enrich/qa/rest-with-advanced-security/src/javaRestTest/java/org/elasticsearch/xpack/enrich/EnrichAdvancedSecurityIT.java index f2b4abd1274e8..f0cb70b80f4a6 100644 --- a/x-pack/plugin/enrich/qa/rest-with-advanced-security/src/javaRestTest/java/org/elasticsearch/xpack/enrich/EnrichAdvancedSecurityIT.java +++ b/x-pack/plugin/enrich/qa/rest-with-advanced-security/src/javaRestTest/java/org/elasticsearch/xpack/enrich/EnrichAdvancedSecurityIT.java @@ -6,7 +6,6 @@ */ package org.elasticsearch.xpack.enrich; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.nullValue; diff --git a/x-pack/plugin/enrich/qa/rest/build.gradle b/x-pack/plugin/enrich/qa/rest/build.gradle index 33c7c294727a6..99d2e43ac60d5 100644 --- a/x-pack/plugin/enrich/qa/rest/build.gradle +++ b/x-pack/plugin/enrich/qa/rest/build.gradle @@ -23,4 +23,5 @@ testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' setting 'xpack.monitoring.collection.enabled', 'true' + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java index 0be63e25274a5..d64543c91d4a6 100644 --- a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java +++ b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java @@ -9,6 +9,9 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.RestHighLevelClient; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.xcontent.XContentHelper; import org.elasticsearch.common.xcontent.json.JsonXContent; import org.elasticsearch.test.eql.DataLoader; @@ -380,4 +383,12 @@ private RestHighLevelClient highLevelClient() { } return highLevelClient; } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/eql/qa/correctness/build.gradle b/x-pack/plugin/eql/qa/correctness/build.gradle index 00078b324fba2..2f7fbc93d3702 100644 --- a/x-pack/plugin/eql/qa/correctness/build.gradle +++ b/x-pack/plugin/eql/qa/correctness/build.gradle @@ -40,6 +40,8 @@ testClusters { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' jvmArgs '-Xms4g', '-Xmx4g' + setting 'xpack.security.enabled', 'true' + user username: 'admin', password: 'admin-password', role: 'superuser' } runTask { jvmArgs '-Xms8g', '-Xmx8g' diff --git a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java index b05d513eae76d..e846ff363b4f3 100644 --- a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java +++ b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/java/org/elasticsearch/xpack/eql/EsEQLCorrectnessIT.java @@ -20,7 +20,9 @@ import org.elasticsearch.client.RestHighLevelClient; import org.elasticsearch.client.eql.EqlSearchRequest; import org.elasticsearch.client.eql.EqlSearchResponse; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.junit.annotations.TestLogging; import org.elasticsearch.test.rest.ESRestTestCase; import org.junit.After; @@ -84,6 +86,12 @@ protected boolean preserveClusterUponCompletion() { return true; } + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build(); + } + @Override protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException { RestClientBuilder builder = RestClient.builder(hosts); diff --git a/x-pack/plugin/eql/qa/mixed-node/build.gradle b/x-pack/plugin/eql/qa/mixed-node/build.gradle index 56196d10af594..e02130fe89f52 100644 --- a/x-pack/plugin/eql/qa/mixed-node/build.gradle +++ b/x-pack/plugin/eql/qa/mixed-node/build.gradle @@ -32,7 +32,7 @@ for (Version bwcVersion : BuildParams.bwcVersions.wireCompatible.findAll { it.on setting 'xpack.security.enabled', 'false' setting 'xpack.watcher.enabled', 'false' setting 'xpack.ml.enabled', 'false' - setting 'xpack.eql.enabled', 'true' + setting 'xpack.eql.enabled', 'true' setting 'xpack.license.self_generated.type', 'trial' // for debugging purposes // setting 'logger.org.elasticsearch.xpack.eql.plugin.TransportEqlSearchAction', 'TRACE' diff --git a/x-pack/plugin/eql/qa/rest/build.gradle b/x-pack/plugin/eql/qa/rest/build.gradle index a4df7fd11736e..bd817f97ccbd5 100644 --- a/x-pack/plugin/eql/qa/rest/build.gradle +++ b/x-pack/plugin/eql/qa/rest/build.gradle @@ -22,4 +22,5 @@ testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' setting 'xpack.monitoring.collection.enabled', 'true' + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestIT.java b/x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestIT.java index 14150a830dccd..63158dcc501d9 100644 --- a/x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestIT.java +++ b/x-pack/plugin/eql/qa/rest/src/javaRestTest/java/org/elasticsearch/xpack/eql/EqlRestIT.java @@ -7,7 +7,18 @@ package org.elasticsearch.xpack.eql; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.eql.EqlRestTestCase; public class EqlRestIT extends EqlRestTestCase { + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .build(); + } } diff --git a/x-pack/plugin/fleet/build.gradle b/x-pack/plugin/fleet/build.gradle index bc135af76077c..b1abb6eb58675 100644 --- a/x-pack/plugin/fleet/build.gradle +++ b/x-pack/plugin/fleet/build.gradle @@ -24,4 +24,6 @@ dependencies { testClusters.all { testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'true' + user username: 'x_pack_rest_user', password: 'x-pack-test-password', role: 'superuser' } diff --git a/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java b/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java index 19810778eeac4..4cdca0674c63a 100644 --- a/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java +++ b/x-pack/plugin/ilm/qa/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java @@ -62,7 +62,6 @@ import static java.util.Collections.singletonMap; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.greaterThanOrEqualTo; diff --git a/x-pack/plugin/logstash/build.gradle b/x-pack/plugin/logstash/build.gradle index d7ba5b977d209..9a3649b2e3b0d 100644 --- a/x-pack/plugin/logstash/build.gradle +++ b/x-pack/plugin/logstash/build.gradle @@ -19,4 +19,6 @@ dependencies { testClusters.all { testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'true' + user username: 'x_pack_rest_user', password: 'x-pack-test-password', role: 'superuser' } diff --git a/x-pack/plugin/repositories-metering-api/build.gradle b/x-pack/plugin/repositories-metering-api/build.gradle index 37e325d6c0dbf..620b3e79a2b9e 100644 --- a/x-pack/plugin/repositories-metering-api/build.gradle +++ b/x-pack/plugin/repositories-metering-api/build.gradle @@ -14,4 +14,8 @@ dependencies { testImplementation(testArtifact(project(xpackModule('core')))) } -addQaCheckDependencies() \ No newline at end of file +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + +addQaCheckDependencies() diff --git a/x-pack/plugin/repositories-metering-api/qa/azure/build.gradle b/x-pack/plugin/repositories-metering-api/qa/azure/build.gradle index b48c1c8e74683..05dfa2dd82b47 100644 --- a/x-pack/plugin/repositories-metering-api/qa/azure/build.gradle +++ b/x-pack/plugin/repositories-metering-api/qa/azure/build.gradle @@ -48,6 +48,10 @@ if (useFixture) { testFixtures.useFixture(fixture.path, 'azure-fixture-repositories-metering') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest") { dependsOn ":plugins:repository-azure:bundlePlugin" systemProperty 'test.azure.container', azureContainer diff --git a/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle b/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle index 6647e7a370ab2..7f9996af0257c 100644 --- a/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle +++ b/x-pack/plugin/repositories-metering-api/qa/gcs/build.gradle @@ -50,6 +50,10 @@ if (!gcsServiceAccount && !gcsBucket && !gcsBasePath) { serviceAccountFile = new File(gcsServiceAccount) } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + /** A service account file that points to the Google Cloud Storage service emulated by the fixture **/ tasks.register("createServiceAccountFile") { doLast { diff --git a/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle b/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle index 8bdf19b7cbca4..d6d0b7f49ba8f 100644 --- a/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle +++ b/x-pack/plugin/repositories-metering-api/qa/s3/build.gradle @@ -67,6 +67,7 @@ testClusters.integTest { } else { println "Using an external service to test " + project.name } + setting 'xpack.security.enabled', 'false' } tasks.register("s3ThirdPartyTest").configure { diff --git a/x-pack/plugin/rollup/qa/rest/build.gradle b/x-pack/plugin/rollup/qa/rest/build.gradle index 3a49955e93fe5..370a279d3779a 100644 --- a/x-pack/plugin/rollup/qa/rest/build.gradle +++ b/x-pack/plugin/rollup/qa/rest/build.gradle @@ -23,6 +23,7 @@ testClusters.all { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'basic' systemProperty 'es.rollup_v2_feature_flag_enabled', 'true' + setting 'xpack.security.enabled', 'false' } tasks.named("test").configure{enabled = false } diff --git a/x-pack/plugin/searchable-snapshots/qa/azure/build.gradle b/x-pack/plugin/searchable-snapshots/qa/azure/build.gradle index a6fbfcea0582e..b19a08ed061f3 100644 --- a/x-pack/plugin/searchable-snapshots/qa/azure/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/azure/build.gradle @@ -59,6 +59,7 @@ testClusters.integTest { } setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'false' if (useFixture) { def fixtureAddress = { fixtureName -> diff --git a/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle b/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle index 67ceaec677161..c04c11323b2c6 100644 --- a/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/gcs/build.gradle @@ -111,6 +111,8 @@ testClusters.integTest { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/searchable-snapshots/qa/hdfs/build.gradle b/x-pack/plugin/searchable-snapshots/qa/hdfs/build.gradle index ca13e7290965f..5e514d71e81b7 100644 --- a/x-pack/plugin/searchable-snapshots/qa/hdfs/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/hdfs/build.gradle @@ -134,6 +134,8 @@ testClusters.configureEach { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } testClusters.matching { it.name == "integTestSecure" }.configureEach { diff --git a/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle b/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle index cd95df231e0ee..1c9f08327a383 100644 --- a/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/minio/build.gradle @@ -43,5 +43,7 @@ testClusters.integTest { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/searchable-snapshots/qa/rest/build.gradle b/x-pack/plugin/searchable-snapshots/qa/rest/build.gradle index d3d83808ad3ed..99c0dacab4414 100644 --- a/x-pack/plugin/searchable-snapshots/qa/rest/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/rest/build.gradle @@ -24,4 +24,6 @@ testClusters.all { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle b/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle index 3258284d3a593..f2676e3e86d38 100644 --- a/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/s3/build.gradle @@ -70,6 +70,8 @@ testClusters.integTest { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } tasks.register("s3ThirdPartyTest") { diff --git a/x-pack/plugin/searchable-snapshots/qa/url/build.gradle b/x-pack/plugin/searchable-snapshots/qa/url/build.gradle index 9ff963715a0a4..e4ffce305b8df 100644 --- a/x-pack/plugin/searchable-snapshots/qa/url/build.gradle +++ b/x-pack/plugin/searchable-snapshots/qa/url/build.gradle @@ -43,4 +43,6 @@ testClusters.matching { it.name == "integTest" }.configureEach { setting 'xpack.searchable.snapshot.shared_cache.size', '16MB' setting 'xpack.searchable.snapshot.shared_cache.region_size', '256KB' + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/security/qa/basic-enable-security/build.gradle b/x-pack/plugin/security/qa/basic-enable-security/build.gradle index 5d710ceffdc10..99afa12a831a8 100644 --- a/x-pack/plugin/security/qa/basic-enable-security/build.gradle +++ b/x-pack/plugin/security/qa/basic-enable-security/build.gradle @@ -4,6 +4,9 @@ import org.elasticsearch.gradle.info.BuildParams apply plugin: 'elasticsearch.java-rest-test' +//randomise between implicitly and explicitly disabled security +boolean implicitlyDisabledSecurity = (new Random(Long.parseUnsignedLong(BuildParams.testSeed.tokenize(':').get(0), 16))).nextBoolean() + dependencies { javaRestTestImplementation(testArtifact(project(xpackModule('security')))) javaRestTestImplementation(testArtifact(project(xpackModule('core')))) @@ -11,7 +14,9 @@ dependencies { tasks.named("javaRestTest").configure { description = "Run tests against a cluster that doesn't have security" - systemProperty 'tests.has_security', 'false' + if (!implicitlyDisabledSecurity) { + systemProperty 'tests.has_security', 'false' + } } if (BuildParams.inFipsJvm){ @@ -25,11 +30,14 @@ testClusters { numberOfNodes = 2 setting 'xpack.ml.enabled', 'false' setting 'xpack.license.self_generated.type', 'basic' - setting 'xpack.security.enabled', 'false' + if (!implicitlyDisabledSecurity) { + setting 'xpack.security.enabled', 'false' + } } } -tasks.register("javaRestTestWithSecurity", StandaloneRestIntegTestTask) { +tasks.register("javaRestTestWithSecurityEnabled", StandaloneRestIntegTestTask) { + mustRunAfter("javaRestTest") description = "Run tests against a cluster that has security enabled" dependsOn "javaRestTest" useCluster testClusters.javaRestTest @@ -64,5 +72,5 @@ tasks.register("javaRestTestWithSecurity", StandaloneRestIntegTestTask) { nonInputProperties.systemProperty 'tests.rest.cluster', "${-> testClusters.javaRestTest.getAllHttpSocketURI().join(",")}" } } -tasks.named("check").configure { dependsOn("javaRestTestWithSecurity") } +tasks.named("check").configure { dependsOn("javaRestTestWithSecurityEnabled") } diff --git a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java index f43e2f7c75a2a..69e1c0bd91d32 100644 --- a/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java +++ b/x-pack/plugin/security/qa/basic-enable-security/src/javaRestTest/java/org/elasticsearch/xpack/security/EnableSecurityOnBasicLicenseIT.java @@ -6,10 +6,14 @@ */ package org.elasticsearch.xpack.security; +import org.apache.http.HttpHost; import org.apache.http.util.EntityUtils; +import org.elasticsearch.Version; import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; import org.elasticsearch.client.ResponseException; +import org.elasticsearch.client.RestClient; +import org.elasticsearch.client.RestClientBuilder; import org.elasticsearch.common.Booleans; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; @@ -17,14 +21,15 @@ import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.yaml.ObjectPath; import org.elasticsearch.xpack.security.authc.InternalRealms; +import org.hamcrest.Matchers; import org.junit.BeforeClass; import java.io.IOException; import java.util.Arrays; +import java.util.List; import java.util.Locale; import java.util.Map; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; @@ -33,11 +38,13 @@ public class EnableSecurityOnBasicLicenseIT extends ESRestTestCase { private static boolean securityEnabled; + private static boolean securityExplicitlySet; @BeforeClass public static void checkTestMode() { final String hasSecurity = System.getProperty("tests.has_security"); - securityEnabled = Booleans.parseBoolean(hasSecurity); + securityExplicitlySet = hasSecurity != null; + securityEnabled = hasSecurity == null ? false : Booleans.parseBoolean(hasSecurity); } @Override @@ -58,10 +65,24 @@ protected Settings restClientSettings() { @Override protected boolean preserveClusterUponCompletion() { - // If this is the first run (security not yet enabled), then don't clean up afterwards because we want to test restart with data + // If this is one of the first two runs (security not yet enabled), then don't clean up afterwards because we want to test restart + // with data return securityEnabled == false; } + @Override + protected RestClient buildClient(Settings settings, HttpHost[] hosts) throws IOException { + RestClientBuilder builder = RestClient.builder(hosts); + configureClient(builder, settings); + if (System.getProperty("tests.has_security") != null) { + builder.setStrictDeprecationMode(true); + } else { + builder.setStrictDeprecationMode(false); + } + return builder.build(); + } + + public void testSecuritySetup() throws Exception { logger.info("Security status: {}", securityEnabled); logger.info("Cluster:\n{}", getClusterInfo()); @@ -74,7 +95,8 @@ public void testSecuritySetup() throws Exception { } checkAllowedWrite("index_allowed"); - // Security runs second, and should see the doc from the first (non-security) run + // Security runs third, and should see the docs from the first two (non-security) runs + // Security explicitly disabled runs second and should see the doc from the first (implicitly disabled) run final int expectedIndexCount = securityEnabled ? 2 : 1; checkIndexCount("index_allowed", expectedIndexCount); @@ -84,6 +106,22 @@ public void testSecuritySetup() throws Exception { } else { checkAllowedWrite(otherIndex); } + checkSecurityDisabledWarning(); + } + + public void checkSecurityDisabledWarning() throws Exception { + final Request request = new Request("GET", "/_cat/indices"); + Response response = client().performRequest(request); + List warningHeaders = response.getWarnings(); + if (securityExplicitlySet) { + assertThat (warningHeaders, Matchers.empty()); + } else { + assertThat (warningHeaders, Matchers.hasSize(1)); + assertThat (warningHeaders.get(0), + containsString("Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be " + + "accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security.")); + } } private String getClusterInfo() throws IOException { diff --git a/x-pack/plugin/security/qa/security-not-enabled/build.gradle b/x-pack/plugin/security/qa/security-not-enabled/build.gradle index 4526d44576e9f..9b9ba98f53f8a 100644 --- a/x-pack/plugin/security/qa/security-not-enabled/build.gradle +++ b/x-pack/plugin/security/qa/security-not-enabled/build.gradle @@ -21,4 +21,5 @@ testClusters.all { // We run with a trial license, but do not enable security. // This means the security plugin is loaded and all feature are permitted, but they are not enabled setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/test/rest/CatIndicesWithSecurityIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/test/rest/CatIndicesWithSecurityIT.java index 4ca468619d1ac..c26804c9d1122 100644 --- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/test/rest/CatIndicesWithSecurityIT.java +++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/test/rest/CatIndicesWithSecurityIT.java @@ -18,7 +18,6 @@ import java.io.IOException; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.matchesRegex; public class CatIndicesWithSecurityIT extends ESRestTestCase { diff --git a/x-pack/plugin/security/qa/tls-basic/build.gradle b/x-pack/plugin/security/qa/tls-basic/build.gradle index a23784471b0b4..95dbe11249b0c 100644 --- a/x-pack/plugin/security/qa/tls-basic/build.gradle +++ b/x-pack/plugin/security/qa/tls-basic/build.gradle @@ -24,6 +24,7 @@ testClusters.javaRestTest { setting 'xpack.ml.enabled', 'false' setting 'xpack.license.self_generated.type', 'basic' + setting 'xpack.security.enabled', 'true' setting 'xpack.security.http.ssl.enabled', 'true' setting 'xpack.security.http.ssl.certificate', 'http.crt' setting 'xpack.security.http.ssl.key', 'http.key' @@ -34,5 +35,6 @@ testClusters.javaRestTest { setting 'xpack.security.transport.ssl.key', 'transport.key' setting 'xpack.security.transport.ssl.key_passphrase', 'transport-password' setting 'xpack.security.transport.ssl.certificate_authorities', 'ca.crt' + user username: 'admin', password: 'admin-password', role: 'superuser' } diff --git a/x-pack/plugin/security/qa/tls-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java b/x-pack/plugin/security/qa/tls-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java index b08265a16965c..5f76628accf73 100644 --- a/x-pack/plugin/security/qa/tls-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java +++ b/x-pack/plugin/security/qa/tls-basic/src/javaRestTest/java/org/elasticsearch/xpack/security/TlsWithBasicLicenseIT.java @@ -10,7 +10,9 @@ import org.elasticsearch.client.Response; import org.elasticsearch.client.ResponseException; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import org.elasticsearch.test.rest.yaml.ObjectPath; import org.junit.AfterClass; @@ -55,7 +57,9 @@ protected String getProtocol() { @Override protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin", new SecureString("admin-password".toCharArray())); return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) .put(TRUSTSTORE_PATH, httpTrustStore) .put(TRUSTSTORE_PASSWORD, "password") .build(); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java index 1b996539463a9..6e4dccd2a69f6 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java @@ -11,8 +11,10 @@ import org.apache.logging.log4j.message.ParameterizedMessage; import org.apache.logging.log4j.util.Supplier; import org.elasticsearch.ExceptionsHelper; +import org.elasticsearch.Version; import org.elasticsearch.action.ActionListener; import org.elasticsearch.client.node.NodeClient; +import org.elasticsearch.common.logging.HeaderWarning; import org.elasticsearch.common.util.Maps; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.http.HttpChannel; @@ -88,6 +90,11 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c e -> handleException("Secondary authentication", request, channel, e))); }, e -> handleException("Authentication", request, channel, e))); } else { + if (request.method() != Method.OPTIONS) { + HeaderWarning.addWarning("Elasticsearch built-in security features are not enabled. Without authentication, your cluster " + + "could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); + } restHandler.handleRequest(request, channel, client); } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java index b42fdf26891de..da71f41bb8604 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java @@ -9,6 +9,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.Version; import org.elasticsearch.license.LicenseStateListener; import org.elasticsearch.license.XPackLicenseState; @@ -40,6 +41,11 @@ public synchronized void licenseStateChanged() { // old state might be null (undefined) so do Object comparison if (Objects.equals(newState, securityEnabled) == false) { logger.info("Active license is now [{}]; Security is {}", licenseState.getOperationMode(), newState ? "enabled" : "disabled"); + if (newState == false) { + logger.warn("Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be " + + "accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); + } this.securityEnabled = newState; } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java index bea79cd15d3ec..3df9881e3070a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java @@ -9,6 +9,7 @@ import com.nimbusds.jose.util.StandardCharset; import org.apache.lucene.util.SetOnce; import org.elasticsearch.ElasticsearchException; +import org.elasticsearch.Version; import org.elasticsearch.action.ActionListener; import org.elasticsearch.client.node.NodeClient; import org.elasticsearch.common.bytes.BytesArray; @@ -144,6 +145,9 @@ public void testProcessBasicLicense() throws Exception { RestRequest request = mock(RestRequest.class); when(licenseState.isSecurityEnabled()).thenReturn(false); filter.handleRequest(request, channel, null); + assertWarnings("Elasticsearch built-in security features are not enabled. Without authentication, your cluster " + + "could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); verify(restHandler).handleRequest(request, channel, null); verifyZeroInteractions(channel, authcService); } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java index d28eecad35ec7..4dffe7b93e4cf 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java @@ -10,6 +10,7 @@ import org.apache.logging.log4j.Level; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.elasticsearch.Version; import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.license.License; import org.elasticsearch.license.XPackLicenseState; @@ -63,7 +64,14 @@ public void testSecurityEnabledToDisabled() { Level.INFO, "Active license is now [PLATINUM]; Security is enabled" )); - + logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( + "built-in security features are not enabled", + listener.getClass().getName(), + Level.WARN, + "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible " + + "to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security." + )); when(licenseState.isSecurityEnabled()).thenReturn(false); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( @@ -87,6 +95,14 @@ public void testSecurityDisabledToEnabled() { Level.INFO, "Active license is now [TRIAL]; Security is disabled" )); + logAppender.addExpectation(new MockLogAppender.SeenEventExpectation( + "built-in security features are not enabled", + listener.getClass().getName(), + Level.WARN, + "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible " + + "to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security." + )); listener.licenseStateChanged(); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); diff --git a/x-pack/plugin/shutdown/qa/multi-node/build.gradle b/x-pack/plugin/shutdown/qa/multi-node/build.gradle index 40205e8aa6a01..8e2a374637865 100644 --- a/x-pack/plugin/shutdown/qa/multi-node/build.gradle +++ b/x-pack/plugin/shutdown/qa/multi-node/build.gradle @@ -17,4 +17,6 @@ testClusters.all { numberOfNodes = 4 systemProperty 'es.shutdown_feature_flag_enabled', 'true' + setting 'xpack.security.enabled', 'true' + user username: clusterCredentials.username, password: clusterCredentials.password, role: 'superuser' } diff --git a/x-pack/plugin/shutdown/qa/multi-node/src/javaRestTest/java/org/elasticsearch/xpack/shutdown/NodeShutdownIT.java b/x-pack/plugin/shutdown/qa/multi-node/src/javaRestTest/java/org/elasticsearch/xpack/shutdown/NodeShutdownIT.java index ad88b24ae2844..b99571e69db75 100644 --- a/x-pack/plugin/shutdown/qa/multi-node/src/javaRestTest/java/org/elasticsearch/xpack/shutdown/NodeShutdownIT.java +++ b/x-pack/plugin/shutdown/qa/multi-node/src/javaRestTest/java/org/elasticsearch/xpack/shutdown/NodeShutdownIT.java @@ -8,6 +8,9 @@ package org.elasticsearch.xpack.shutdown; import org.elasticsearch.client.Request; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; import java.io.IOException; @@ -62,4 +65,13 @@ private void assertNoShuttingDownNodes(String nodeIdToShutdown) throws IOExcepti List> nodesArray = (List>) statusResponse.get("nodes"); assertThat(nodesArray, empty()); } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue( + System.getProperty("tests.rest.cluster.username"), + new SecureString(System.getProperty("tests.rest.cluster.password").toCharArray()) + ); + return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build(); + } } diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/azure/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/azure/build.gradle index e946c825c435a..a568112ea190f 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/azure/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/azure/build.gradle @@ -48,6 +48,10 @@ if (useFixture) { testFixtures.useFixture(fixture.path, 'azure-fixture-repository-test-kit') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest").configure { systemProperty 'test.azure.container', azureContainer nonInputProperties.systemProperty 'test.azure.base_path', azureBasePath + "_repository_test_kit_tests_" + BuildParams.testSeed diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/gcs/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/gcs/build.gradle index df678b3673b28..dd5dcdab36e42 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/gcs/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/gcs/build.gradle @@ -107,6 +107,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { } else { println "Using an external service to test " + project.name } + setting 'xpack.security.enabled', 'false' } tasks.register("gcsThirdPartyTest") { diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/minio/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/minio/build.gradle index 0f73503021d28..f248fd778ddb1 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/minio/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/minio/build.gradle @@ -46,5 +46,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { keystore 's3.client.repository_test_kit.secret_key', 's3_test_secret_key' setting 's3.client.repository_test_kit.protocol', 'http' setting 's3.client.repository_test_kit.endpoint', { "${-> fixtureAddress()}" }, IGNORE_VALUE + + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/rest/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/rest/build.gradle index 7b11e8637f61a..9572362314f77 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/rest/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/rest/build.gradle @@ -17,6 +17,7 @@ tasks.named("integTest").configure { testClusters.matching { it.name == "integTest" }.configureEach { testDistribution = 'DEFAULT' setting 'path.repo', repoDir.absolutePath + setting 'xpack.security.enabled', 'false' } restResources { diff --git a/x-pack/plugin/snapshot-repo-test-kit/qa/s3/build.gradle b/x-pack/plugin/snapshot-repo-test-kit/qa/s3/build.gradle index 33b65606b7624..0d18dbd98e305 100644 --- a/x-pack/plugin/snapshot-repo-test-kit/qa/s3/build.gradle +++ b/x-pack/plugin/snapshot-repo-test-kit/qa/s3/build.gradle @@ -72,6 +72,7 @@ testClusters.matching { it.name == "integTest" }.configureEach { } else { println "Using an external service to test " + project.name } + setting 'xpack.security.enabled', 'false' } tasks.register("s3ThirdPartyTest") { diff --git a/x-pack/plugin/spatial/build.gradle b/x-pack/plugin/spatial/build.gradle index 8a196b50b9cb9..5eb9b0b403105 100644 --- a/x-pack/plugin/spatial/build.gradle +++ b/x-pack/plugin/spatial/build.gradle @@ -29,4 +29,5 @@ restResources { testClusters.all { setting 'xpack.license.self_generated.type', 'trial' testDistribution = 'DEFAULT' + setting 'xpack.security.enabled', 'false' } diff --git a/x-pack/plugin/sql/qa/jdbc/security/src/test/java/org/elasticsearch/xpack/sql/qa/jdbc/security/JdbcConnectionIT.java b/x-pack/plugin/sql/qa/jdbc/security/src/test/java/org/elasticsearch/xpack/sql/qa/jdbc/security/JdbcConnectionIT.java index 520c981c5eedd..b26b9bbeea297 100644 --- a/x-pack/plugin/sql/qa/jdbc/security/src/test/java/org/elasticsearch/xpack/sql/qa/jdbc/security/JdbcConnectionIT.java +++ b/x-pack/plugin/sql/qa/jdbc/security/src/test/java/org/elasticsearch/xpack/sql/qa/jdbc/security/JdbcConnectionIT.java @@ -19,8 +19,6 @@ import java.nio.file.Path; import java.util.Properties; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - public class JdbcConnectionIT extends ConnectionTestCase { static final boolean SSL_ENABLED = Booleans.parseBoolean(System.getProperty("tests.ssl.enabled"), false); diff --git a/x-pack/plugin/sql/qa/mixed-node/build.gradle b/x-pack/plugin/sql/qa/mixed-node/build.gradle index ef0b27d7b351f..47f6592156183 100644 --- a/x-pack/plugin/sql/qa/mixed-node/build.gradle +++ b/x-pack/plugin/sql/qa/mixed-node/build.gradle @@ -14,6 +14,10 @@ dependencies { testImplementation project(path: xpackModule('sql'), configuration: 'default') } +testClusters.all { + setting 'xpack.security.enabled', 'false' +} + tasks.named("integTest").configure{ enabled = false} // A bug (https://github.com/elastic/elasticsearch/issues/68439) limits us to perform tests with versions from 7.10.3 onwards diff --git a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/RestSqlIT.java b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/RestSqlIT.java index 936356a602b70..4937b8e4a72ea 100644 --- a/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/RestSqlIT.java +++ b/x-pack/plugin/sql/qa/server/security/src/test/java/org/elasticsearch/xpack/sql/qa/security/RestSqlIT.java @@ -18,8 +18,6 @@ import java.nio.file.Files; import java.nio.file.Path; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - /** * Integration test for the rest sql action. The one that speaks json directly to a * user rather than to the JDBC driver or CLI. diff --git a/x-pack/plugin/transform/qa/single-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformRestTestCase.java b/x-pack/plugin/transform/qa/single-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformRestTestCase.java index 2a9ea04d885c8..ae98a220aebb5 100644 --- a/x-pack/plugin/transform/qa/single-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformRestTestCase.java +++ b/x-pack/plugin/transform/qa/single-node-tests/src/javaRestTest/java/org/elasticsearch/xpack/transform/integration/TransformRestTestCase.java @@ -41,7 +41,6 @@ import java.util.stream.Collectors; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; import static org.hamcrest.Matchers.equalTo; public abstract class TransformRestTestCase extends ESRestTestCase { diff --git a/x-pack/plugin/watcher/qa/rest/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherTestSuiteIT.java b/x-pack/plugin/watcher/qa/rest/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherTestSuiteIT.java index 8d42b98dbfdd5..794428c6707e4 100644 --- a/x-pack/plugin/watcher/qa/rest/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherTestSuiteIT.java +++ b/x-pack/plugin/watcher/qa/rest/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherTestSuiteIT.java @@ -24,7 +24,6 @@ import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; import static org.elasticsearch.rest.action.search.RestSearchAction.TOTAL_HITS_AS_INT_PARAM; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; import static org.hamcrest.Matchers.greaterThanOrEqualTo; import static org.hamcrest.Matchers.hasEntry; import static org.hamcrest.Matchers.is; diff --git a/x-pack/plugin/watcher/qa/with-security/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityIT.java b/x-pack/plugin/watcher/qa/with-security/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityIT.java index 70c98f0247340..84b09372433d0 100644 --- a/x-pack/plugin/watcher/qa/with-security/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityIT.java +++ b/x-pack/plugin/watcher/qa/with-security/src/javaRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityIT.java @@ -25,7 +25,6 @@ import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; import static org.elasticsearch.rest.action.search.RestSearchAction.TOTAL_HITS_AS_INT_PARAM; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; import static org.hamcrest.Matchers.greaterThanOrEqualTo; import static org.hamcrest.Matchers.hasEntry; import static org.hamcrest.Matchers.is; diff --git a/x-pack/plugin/watcher/qa/with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityClientYamlTestSuiteIT.java b/x-pack/plugin/watcher/qa/with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityClientYamlTestSuiteIT.java index b9b21e5219c91..8f07ee64a63f8 100644 --- a/x-pack/plugin/watcher/qa/with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityClientYamlTestSuiteIT.java +++ b/x-pack/plugin/watcher/qa/with-security/src/yamlRestTest/java/org/elasticsearch/smoketest/SmokeTestWatcherWithSecurityClientYamlTestSuiteIT.java @@ -13,12 +13,9 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; -import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; import org.elasticsearch.xpack.watcher.WatcherYamlSuiteTestCase; import org.junit.Before; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public class SmokeTestWatcherWithSecurityClientYamlTestSuiteIT extends WatcherYamlSuiteTestCase { private static final String TEST_ADMIN_USERNAME = "test_admin"; diff --git a/x-pack/qa/core-rest-tests-with-security/src/test/java/org/elasticsearch/xpack/security/CoreWithSecurityClientYamlTestSuiteIT.java b/x-pack/qa/core-rest-tests-with-security/src/test/java/org/elasticsearch/xpack/security/CoreWithSecurityClientYamlTestSuiteIT.java index 14e9fbc250b0a..ea509a3c1fb04 100644 --- a/x-pack/qa/core-rest-tests-with-security/src/test/java/org/elasticsearch/xpack/security/CoreWithSecurityClientYamlTestSuiteIT.java +++ b/x-pack/qa/core-rest-tests-with-security/src/test/java/org/elasticsearch/xpack/security/CoreWithSecurityClientYamlTestSuiteIT.java @@ -19,8 +19,6 @@ import java.util.Objects; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - @TimeoutSuite(millis = 30 * TimeUnits.MINUTE) // as default timeout seems not enough on the jenkins VMs public class CoreWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { diff --git a/x-pack/qa/multi-cluster-search-security/src/test/java/org/elasticsearch/xpack/security/MultiClusterSearchWithSecurityYamlTestSuiteIT.java b/x-pack/qa/multi-cluster-search-security/src/test/java/org/elasticsearch/xpack/security/MultiClusterSearchWithSecurityYamlTestSuiteIT.java index 60070d8b9853c..e4f08aecb60bc 100644 --- a/x-pack/qa/multi-cluster-search-security/src/test/java/org/elasticsearch/xpack/security/MultiClusterSearchWithSecurityYamlTestSuiteIT.java +++ b/x-pack/qa/multi-cluster-search-security/src/test/java/org/elasticsearch/xpack/security/MultiClusterSearchWithSecurityYamlTestSuiteIT.java @@ -15,8 +15,6 @@ import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public class MultiClusterSearchWithSecurityYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String USER = "test_user"; diff --git a/x-pack/qa/multi-cluster-tests-with-security/src/test/java/org/elasticsearch/multi_cluster/MultiClusterYamlTestSuiteIT.java b/x-pack/qa/multi-cluster-tests-with-security/src/test/java/org/elasticsearch/multi_cluster/MultiClusterYamlTestSuiteIT.java index ca7fd7d588e6e..c08e331f90997 100644 --- a/x-pack/qa/multi-cluster-tests-with-security/src/test/java/org/elasticsearch/multi_cluster/MultiClusterYamlTestSuiteIT.java +++ b/x-pack/qa/multi-cluster-tests-with-security/src/test/java/org/elasticsearch/multi_cluster/MultiClusterYamlTestSuiteIT.java @@ -18,8 +18,6 @@ import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - @TimeoutSuite(millis = 5 * TimeUnits.MINUTE) // to account for slow as hell VMs public class MultiClusterYamlTestSuiteIT extends ESClientYamlSuiteTestCase { diff --git a/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/GlobalCheckpointSyncActionIT.java b/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/GlobalCheckpointSyncActionIT.java index 5a950088a1af2..52b62687db27e 100644 --- a/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/GlobalCheckpointSyncActionIT.java +++ b/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/GlobalCheckpointSyncActionIT.java @@ -17,7 +17,6 @@ import org.elasticsearch.test.rest.yaml.ObjectPath; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; import static org.hamcrest.Matchers.equalTo; public class GlobalCheckpointSyncActionIT extends ESRestTestCase { diff --git a/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/RollupIT.java b/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/RollupIT.java index 3dba00afe9735..e70e27a7803c7 100644 --- a/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/RollupIT.java +++ b/x-pack/qa/multi-node/src/test/java/org/elasticsearch/multi_node/RollupIT.java @@ -33,7 +33,6 @@ import java.util.concurrent.TimeUnit; import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.oneOf; diff --git a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java index c971306f4172f..46b0fbedd6af5 100644 --- a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java +++ b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityClientYamlTestSuiteIT.java @@ -21,8 +21,6 @@ import java.net.URL; import java.nio.file.Path; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - public class ReindexWithSecurityClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String USER = "test_admin"; private static final String PASS = "x-pack-test-password"; diff --git a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityIT.java b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityIT.java index 61d33d5c9d6bc..b5d6f60815fc1 100644 --- a/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityIT.java +++ b/x-pack/qa/reindex-tests-with-security/src/test/java/org/elasticsearch/xpack/security/ReindexWithSecurityIT.java @@ -21,7 +21,6 @@ import org.elasticsearch.xpack.core.security.SecurityField; - public class ReindexWithSecurityIT extends SecurityIntegTestCase { @Override diff --git a/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java b/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java index 72bc13e24b5e8..b78a73c9972f8 100644 --- a/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java +++ b/x-pack/qa/rolling-upgrade/src/test/java/org/elasticsearch/upgrades/AbstractUpgradeTestCase.java @@ -10,6 +10,7 @@ import org.elasticsearch.client.Request; import org.elasticsearch.client.Response; import org.elasticsearch.common.io.Streams; +import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.test.rest.ESRestTestCase; @@ -21,12 +22,10 @@ import java.util.List; import java.util.stream.Collectors; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public abstract class AbstractUpgradeTestCase extends ESRestTestCase { private static final String BASIC_AUTH_VALUE = - basicAuthHeaderValue("test_user", SecuritySettingsSourceField.TEST_PASSWORD); + basicAuthHeaderValue("test_user", new SecureString(SecuritySettingsSourceField.TEST_PASSWORD)); protected static final Version UPGRADE_FROM_VERSION = Version.fromString(System.getProperty("tests.upgrade_from_version")); diff --git a/x-pack/qa/runtime-fields/build.gradle b/x-pack/qa/runtime-fields/build.gradle index 03607229af80f..46b439f622680 100644 --- a/x-pack/qa/runtime-fields/build.gradle +++ b/x-pack/qa/runtime-fields/build.gradle @@ -29,6 +29,7 @@ subprojects { testClusters.matching { it.name == "yamlRestTest" }.configureEach { testDistribution = 'DEFAULT' setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'false' } tasks.named("yamlRestTest").configure { diff --git a/x-pack/qa/runtime-fields/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java b/x-pack/qa/runtime-fields/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java index c1dd3129aa76f..44718bd5cad0d 100644 --- a/x-pack/qa/runtime-fields/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java +++ b/x-pack/qa/runtime-fields/with-security/src/javaRestTest/java/org/elasticsearch/xpack/security/PermissionsIT.java @@ -29,8 +29,6 @@ import java.util.Collections; import java.util.Map; -import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; - public class PermissionsIT extends ESRestTestCase { private static HighLevelClient highLevelClient; diff --git a/x-pack/qa/smoke-test-plugins/src/test/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java b/x-pack/qa/smoke-test-plugins/src/test/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java index acb0d01b7a085..5f43aec0f24a4 100644 --- a/x-pack/qa/smoke-test-plugins/src/test/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java +++ b/x-pack/qa/smoke-test-plugins/src/test/java/org/elasticsearch/smoketest/XSmokeTestPluginsClientYamlTestSuiteIT.java @@ -15,8 +15,6 @@ import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public class XSmokeTestPluginsClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String USER = "test_user"; diff --git a/x-pack/qa/smoke-test-security-with-mustache/src/test/java/org/elasticsearch/smoketest/SmokeTestSecurityWithMustacheClientYamlTestSuiteIT.java b/x-pack/qa/smoke-test-security-with-mustache/src/test/java/org/elasticsearch/smoketest/SmokeTestSecurityWithMustacheClientYamlTestSuiteIT.java index 4aabba22733be..343cdb931542a 100644 --- a/x-pack/qa/smoke-test-security-with-mustache/src/test/java/org/elasticsearch/smoketest/SmokeTestSecurityWithMustacheClientYamlTestSuiteIT.java +++ b/x-pack/qa/smoke-test-security-with-mustache/src/test/java/org/elasticsearch/smoketest/SmokeTestSecurityWithMustacheClientYamlTestSuiteIT.java @@ -15,8 +15,6 @@ import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate; import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase; -import static org.elasticsearch.xpack.test.SecuritySettingsSourceField.basicAuthHeaderValue; - public class SmokeTestSecurityWithMustacheClientYamlTestSuiteIT extends ESClientYamlSuiteTestCase { private static final String BASIC_AUTH_VALUE = basicAuthHeaderValue("test_admin",