From 8704060b14087e20615f5edc2b5468983365fb0c Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Thu, 8 Nov 2018 12:57:42 +1100 Subject: [PATCH] Rename RealmConfig.globalSettings() to settings() (#35330) There is no longer a concept of non-global "realm settings". All realm settings should be loaded from the node's settings using standard Setting classes. This change renames the "globalSettings" field and method to simply be "settings". --- .../core/security/authc/RealmConfig.java | 42 ++++++++++--------- .../authc/esnative/ReservedRealm.java | 8 ++-- .../authc/file/FileUserPasswdStore.java | 2 +- .../xpack/security/authc/pki/PkiRealm.java | 2 +- .../authc/saml/SamlMetadataCommand.java | 5 +-- .../xpack/security/authc/saml/SamlRealm.java | 4 +- .../DelegatedAuthorizationSupport.java | 2 +- .../security/authc/ldap/LdapRealmTests.java | 4 +- .../SessionFactoryLoadBalancingTests.java | 2 +- .../security/authc/saml/SamlRealmTests.java | 4 +- 10 files changed, 39 insertions(+), 36 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java index 67b3c63b9beb7..5de1cf3b38e03 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmConfig.java 
@@ -20,16 +20,15 @@ public class RealmConfig {
 final boolean enabled;
 final int order;
 private final Environment env;
- private final Settings globalSettings;
+ private final Settings settings;
 private final ThreadContext threadContext;
- public RealmConfig(RealmIdentifier identifier, Settings globalSettings, Environment env,
- ThreadContext threadContext) {
+ public RealmConfig(RealmIdentifier identifier, Settings settings, Environment env, ThreadContext threadContext) {
 this.identifier = identifier;
- this.globalSettings = globalSettings;
+ this.settings = settings;
 this.env = env;
- enabled = getSetting(RealmSettings.ENABLED_SETTING);
- order = getSetting(RealmSettings.ORDER_SETTING);
+ this.enabled = getSetting(RealmSettings.ENABLED_SETTING);
+ this.order = getSetting(RealmSettings.ORDER_SETTING);
 this.threadContext = threadContext;
 }
@@ -53,8 +52,13 @@ public String type() {
 return identifier.type;
 }
- public Settings globalSettings() {
- return globalSettings;
+ /**
+ * @return The settings for the current node.
+ * This will include the settings for this realm (as well as other realms, and other non-security settings).
+ * @see #getConcreteSetting(Setting.AffixSetting)
+ */
+ public Settings settings() {
+ return settings;
 }
 public Environment env() {
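Review bot: The new Javadoc on `settings()` (hunk -53,8) says the returned object also carries other realms' and non-security settings, but it gives callers no guidance on when reading from it is appropriate. A realm implementation that builds keys by hand against this object can pick up configuration that belongs to a different realm, so the comment should steer callers to the namespaced accessors. I would add a sentence such as `Realm-specific values should be read through {@link #getSetting(Setting.AffixSetting)}; use this accessor only for node-level settings.` The existing `@see` points only at `getConcreteSetting`, which explains the mechanism but not the preferred call.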
@@ -95,16 +99,16 @@ public Setting getConcreteSetting(Functionconcrete through {@link #getConcreteSetting(Setting.AffixSetting)}, which is then * used to {@link Setting#get(Settings) retrieve} the setting value. */ public T getSetting(Setting.AffixSetting setting) { - return getConcreteSetting(setting).get(globalSettings); + return getConcreteSetting(setting).get(settings); } /** - * Obtain the value of the provided {@code setting} from the node's {@link #globalSettings global settings}. + * Obtain the value of the provided {@code setting} from the node's {@link #settings global settings}. * {@link #getConcreteSetting(Function)} is used to obtain a concrete setting from the provided * {@link Function}/{@link Setting.AffixSetting}, and this concrete setting is then used to * {@link Setting#get(Settings) retrieve} the setting value. @@ -114,7 +118,7 @@ public T getSetting(Function> settingFactory } /** - * Obtain the value of the provided {@code setting} from the node's {@link #globalSettings global settings}. + * Obtain the value of the provided {@code setting} from the node's {@link #settings global settings}. * {@link #getConcreteSetting(Function)} is used to obtain a concrete setting from the provided * {@link Function}/{@link Setting.AffixSetting}. * If this concrete setting {@link Setting#exists(Settings) exists} in the global settings, then its value is returned, @@ -125,7 +129,7 @@ public T getSetting(Function> settingFactory } /** - * Obtain the value of the provided {@code setting} from the node's {@link #globalSettings global settings}. + * Obtain the value of the provided {@code setting} from the node's {@link #settings global settings}. * {@link #getConcreteSetting(Setting.AffixSetting)} is used to obtain a concrete setting from the provided * {@link Setting.AffixSetting}. * If this concrete setting {@link Setting#exists(Settings) exists} in the global settings, then its value is returned, 
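Review bot: The Javadoc link label still reads `global settings` after the rename (`{@link #settings global settings}`), and the neighbouring context lines keep the phrase "exists in the global settings", which contradicts the commit's stated aim of dropping the global/realm distinction. The same label recurs in the hunks at -114, -125 and -133. I would write `{@link #settings() node settings}` in each place; the explicit parentheses also point the link at the public accessor, since `#settings` without them may resolve to the private field (worth confirming against the Javadoc build). The Javadoc blocks in these hunks begin or end outside the visible lines.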
@@ -133,30 +137,30 @@ public T getSetting(Function> settingFactory
 */
 public T getSetting(Setting.AffixSetting setting, Supplier orElse) {
 final Setting concrete = setting.getConcreteSettingForNamespace(name());
- if (concrete.exists(globalSettings)) {
- return concrete.get(globalSettings);
+ if (concrete.exists(settings)) {
+ return concrete.get(settings);
 } else {
 return orElse.get();
 }
 }
 /**
- * Determines whether the provided {@code setting} has an explicit value in the node's {@link #globalSettings global settings}.
+ * Determines whether the provided {@code setting} has an explicit value in the node's {@link #settings global settings}.
 * {@link #getConcreteSetting(Function)} is used to obtain a concrete setting from the provided
 * {@link Function}/{@link Setting.AffixSetting}, and this concrete setting is then used to
 * {@link Setting#exists(Settings) check} for a value.
 */
 public boolean hasSetting(Function> settingFactory) {
- return getConcreteSetting(settingFactory).exists(globalSettings);
+ return getConcreteSetting(settingFactory).exists(settings);
 }
 /**
- * Determines whether the provided {@code setting} has an explicit value in the node's {@link #globalSettings global settings}.
+ * Determines whether the provided {@code setting} has an explicit value in the node's {@link #settings global settings}.
 * {@link #getConcreteSetting(Setting.AffixSetting)} is used to obtain a concrete setting from the provided
 * {@link Setting.AffixSetting}, and this concrete setting is then used to {@link Setting#exists(Settings) check} for a value.
 */
 public boolean hasSetting(Setting.AffixSetting setting) {
- return getConcreteSetting(setting).exists(globalSettings);
+ return getConcreteSetting(setting).exists(settings);
 }
 /**
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java index a2d172215921b..85e25925f4547 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java @@ -87,7 +87,7 @@ public ReservedRealm(Environment env, Settings settings, NativeUsersStore native protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { if (realmEnabled == false) { listener.onResponse(AuthenticationResult.notHandled()); - } else if (ClientReservedRealm.isReserved(token.principal(), config.globalSettings()) == false) { + } else if (ClientReservedRealm.isReserved(token.principal(), config.settings()) == false) { listener.onResponse(AuthenticationResult.notHandled()); } else { getUserInfo(token.principal(), ActionListener.wrap((userInfo) -> { @@ -120,13 +120,13 @@ protected void doAuthenticate(UsernamePasswordToken token, ActionListener listener) { if (realmEnabled == false) { - if (anonymousEnabled && AnonymousUser.isAnonymousUsername(username, config.globalSettings())) { + if (anonymousEnabled && AnonymousUser.isAnonymousUsername(username, config.settings())) { listener.onResponse(anonymousUser); } listener.onResponse(null); - } else if (ClientReservedRealm.isReserved(username, config.globalSettings()) == false) { + } else if (ClientReservedRealm.isReserved(username, config.settings()) == false) { listener.onResponse(null); - } else if (AnonymousUser.isAnonymousUsername(username, config.globalSettings())) { + } else if (AnonymousUser.isAnonymousUsername(username, config.settings())) { listener.onResponse(anonymousEnabled ? anonymousUser : null); } else { getUserInfo(username, ActionListener.wrap((userInfo) -> { 
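Review bot: In the second hunk (-120,13), when the realm is disabled and the username is the anonymous one, `listener.onResponse(anonymousUser);` is followed unconditionally by `listener.onResponse(null);`, so the listener is completed twice and the second call reports no user. The commit only renames the accessor on the `if` line and leaves this untouched. The inner branch should be exclusive, e.g. `if (anonymousEnabled && AnonymousUser.isAnonymousUsername(username, config.settings())) { listener.onResponse(anonymousUser); } else { listener.onResponse(null); }`. The method's signature is not fully visible in the hunk and its body continues past the last line shown.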
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStore.java
index faece90a89bcf..bbb5d77b90f4a 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStore.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStore.java
@@ -56,7 +56,7 @@ public FileUserPasswdStore(RealmConfig config, ResourceWatcherService watcherSer
 FileUserPasswdStore(RealmConfig config, ResourceWatcherService watcherService, Runnable listener) {
 file = resolveFile(config.env());
- settings = config.globalSettings();
+ settings = config.settings();
 users = parseFileLenient(file, logger, settings);
 listeners = new CopyOnWriteArrayList<>(Collections.singletonList(listener));
 FileWatcher watcher = new FileWatcher(file.getParent());
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
index 942e328824fc3..a6488916d7e1e 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
@@ -249,7 +249,7 @@ private static X509TrustManager trustManagersFromTruststore(String truststorePat
 try (SecureString password = realmConfig.getSetting(PkiRealmSettings.TRUST_STORE_PASSWORD)) {
 String trustStoreAlgorithm = realmConfig.getSetting(PkiRealmSettings.TRUST_STORE_ALGORITHM);
 String trustStoreType = SSLConfigurationSettings.getKeyStoreType(
- realmConfig.getConcreteSetting(PkiRealmSettings.TRUST_STORE_TYPE), realmConfig.globalSettings(),
+ realmConfig.getConcreteSetting(PkiRealmSettings.TRUST_STORE_TYPE), realmConfig.settings(),
 truststorePath);
 try {
 return CertParsingUtils.trustManager(truststorePath, trustStoreType, password.getChars(), trustStoreAlgorithm, realmConfig
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java
index f5935b4477c76..6fa59269ac7e6 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java
@@ -32,7 +32,6 @@
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.LogManager;
 import org.elasticsearch.cli.EnvironmentAwareCommand;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.SuppressForbidden;
@@ -158,7 +157,7 @@ EntityDescriptor buildEntityDescriptor(Terminal terminal, OptionSet options, Env final boolean batch = options.has(batchSpec); final RealmConfig realm = findRealm(terminal, options, env); - final Settings realmSettings = realm.globalSettings().getByPrefix(RealmSettings.realmSettingPrefix(realm.identifier())); + final Settings realmSettings = realm.settings().getByPrefix(RealmSettings.realmSettingPrefix(realm.identifier())); terminal.println(Terminal.Verbosity.VERBOSE, "Using realm configuration\n=====\n" + realmSettings.toDelimitedString('\n') + "====="); final Locale locale = findLocale(options); @@ -399,7 +398,7 @@ private Map getAttributeNames(OptionSet options, RealmConfig rea attributes.put(a, null); } final String prefix = RealmSettings.realmSettingPrefix(realm.identifier()) + SamlRealmSettings.AttributeSetting.ATTRIBUTES_PREFIX; - final Settings attributeSettings = realm.globalSettings().getByPrefix(prefix); + final Settings attributeSettings = realm.settings().getByPrefix(prefix); for (String key : sorted(attributeSettings.keySet())) { final String attr = attributeSettings.get(key); attributes.put(attr, key); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java index b2a1001aef9c6..e93d1aa8f1491 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java 
@@ -179,7 +179,7 @@ public static SamlRealm create(RealmConfig config, SSLService sslService, Resour UserRoleMapper roleMapper) throws Exception { SamlUtils.initialize(logger); - if (TokenService.isTokenServiceEnabled(config.globalSettings()) == false) { + if (TokenService.isTokenServiceEnabled(config.settings()) == false) { throw new IllegalStateException("SAML requires that the token service be enabled (" + XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey() + ")"); } @@ -317,7 +317,7 @@ static SigningConfiguration buildSigningConfiguration(RealmConfig config) throws private static List buildCredential(RealmConfig config, String prefix, Setting.AffixSetting aliasSetting, boolean allowMultiple) { final X509KeyPairSettings keyPairSettings = X509KeyPairSettings.withPrefix(prefix, false); - final X509KeyManager keyManager = CertParsingUtils.getKeyManager(keyPairSettings, config.globalSettings(), null, config.env()); + final X509KeyManager keyManager = CertParsingUtils.getKeyManager(keyPairSettings, config.settings(), null, config.env()); if (keyManager == null) { return null; } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java index 8ce2805d23059..1c76c11676d27 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java 
@@ -46,7 +46,7 @@ public class DelegatedAuthorizationSupport {
 * {@link #DelegatedAuthorizationSupport(Iterable, List, Settings, ThreadContext, XPackLicenseState)}
 */
 public DelegatedAuthorizationSupport(Iterable allRealms, RealmConfig config, XPackLicenseState licenseState) {
- this(allRealms, config.getSetting(AUTHZ_REALMS), config.globalSettings(), config.threadContext(),
+ this(allRealms, config.getSetting(AUTHZ_REALMS), config.settings(), config.threadContext(),
 licenseState);
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java
index 3e63fe1f870f1..8b381da08e1b0 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealmTests.java
@@ -314,7 +314,7 @@ public void testLdapRealmSelectsLdapUserSearchSessionFactory() throws Exception
 .put(getFullSettingKey(identifier, SSLConfigurationSettings.VERIFICATION_MODE_SETTING_REALM), VerificationMode.CERTIFICATE)
 .build();
 final RealmConfig config = getRealmConfig(identifier, settings);
- SessionFactory sessionFactory = LdapRealm.sessionFactory(config, new SSLService(config.globalSettings(), config.env()), threadPool);
+ SessionFactory sessionFactory = LdapRealm.sessionFactory(config, new SSLService(config.settings(), config.env()), threadPool);
 try {
 assertThat(sessionFactory, is(instanceOf(LdapUserSearchSessionFactory.class)));
 } finally {
@@ -435,7 +435,7 @@ public void testUsageStats() throws Exception { RealmConfig config = getRealmConfig(identifier, settings.build()); - LdapSessionFactory ldapFactory = new LdapSessionFactory(config, new SSLService(config.globalSettings(), config.env()), threadPool); + LdapSessionFactory ldapFactory = new LdapSessionFactory(config, new SSLService(config.settings(), config.env()), threadPool); LdapRealm realm = new LdapRealm(config, ldapFactory, new DnRoleMapper(config, resourceWatcherService), threadPool); realm.initialize(Collections.singleton(realm), licenseState); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java index 11d1e4889b823..87cc73d9a137e 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java @@ -240,7 +240,7 @@ private TestSessionFactory createSessionFactory(LdapLoadBalancing loadBalancing) Settings globalSettings = Settings.builder().put("path.home", createTempDir()).put(settings).build(); RealmConfig config = new RealmConfig(REALM_IDENTIFIER, globalSettings, TestEnvironment.newEnvironment(globalSettings), new ThreadContext(Settings.EMPTY)); - return new TestSessionFactory(config, new SSLService(Settings.EMPTY, TestEnvironment.newEnvironment(config.globalSettings())), + return new TestSessionFactory(config, new SSLService(Settings.EMPTY, TestEnvironment.newEnvironment(config.settings())), threadPool); } 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 817cda5b0f0f5..03423b5a06797 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -140,7 +140,7 @@ public void testReadIdpMetadataFromHttps() throws Exception { assertEquals(0, proxyServer.requests().size()); Tuple config = buildConfig("https://localhost:" + proxyServer.getPort()); - logger.info("Settings\n{}", config.v1().globalSettings().toDelimitedString('\n')); + logger.info("Settings\n{}", config.v1().settings().toDelimitedString('\n')); final ResourceWatcherService watcherService = mock(ResourceWatcherService.class); Tuple> tuple = SamlRealm.initializeResolver(logger, config.v1(), config.v2(), watcherService); @@ -284,7 +284,7 @@ public SamlRealm buildRealm(RealmConfig config, UserRoleMapper roleMapper, SamlA try { return new SamlRealm(config, roleMapper, authenticator, logoutHandler, () -> idp, sp); } catch (SettingsException e) { - logger.info(new ParameterizedMessage("Settings are invalid:\n{}", config.globalSettings().toDelimitedString('\n')), e); + logger.info(new ParameterizedMessage("Settings are invalid:\n{}", config.settings().toDelimitedString('\n')), e); throw e; } }