From e224dec6731c39fae51f4fd598ba4812ceed7694 Mon Sep 17 00:00:00 2001 
From: Andy Lin Date: Wed, 19 May 2021 13:52:43 -0700 Subject: [PATCH 01/17] Add settings class and legacy settings class --- .github/workflows/ci.yml | 2 +- .../backend/LDAPAuthorizationBackend.java | 14 +- .../util/SettingsBasedSSLConfigurator.java | 18 +- .../security/OpenSearchSecurityPlugin.java | 288 ++++++++-------- .../action/whoami/TransportWhoAmIAction.java | 4 +- .../security/auditlog/config/AuditConfig.java | 62 ++-- .../auditlog/config/ThreadPoolConfig.java | 4 +- .../auditlog/impl/AbstractAuditLog.java | 26 +- .../security/auditlog/impl/AuditCategory.java | 4 +- .../auditlog/impl/RequestResolver.java | 2 +- .../auditlog/routing/AuditMessageRouter.java | 2 +- .../security/auditlog/sink/AuditLogSink.java | 4 +- .../auditlog/sink/ExternalOpenSearchSink.java | 60 ++-- .../auditlog/sink/InternalOpenSearchSink.java | 8 +- .../security/auditlog/sink/SinkProvider.java | 10 +- .../security/auditlog/sink/WebhookSink.java | 20 +- .../security/auth/BackendRegistry.java | 16 +- .../security/auth/RolesInjector.java | 6 +- .../security/auth/UserInjector.java | 10 +- .../security/compliance/ComplianceConfig.java | 24 +- .../security/configuration/AdminDNs.java | 14 +- .../security/configuration/CompatConfig.java | 4 +- .../ConfigurationLoaderSecurity7.java | 2 +- .../ConfigurationRepository.java | 12 +- .../configuration/DlsFlsFilterLeafReader.java | 4 +- .../configuration/DlsFlsValveImpl.java | 2 +- .../security/configuration/Salt.java | 4 +- .../SecurityFlsDlsIndexSearcherWrapper.java | 8 +- .../SecurityIndexSearcherWrapper.java | 22 +- .../dlic/rest/api/AbstractApiAction.java | 22 +- .../dlic/rest/api/AccountApiAction.java | 8 +- .../dlic/rest/api/NodesDnApiAction.java | 8 +- .../dlic/rest/api/PermissionsInfoAction.java | 4 +- .../rest/api/RestApiPrivilegesEvaluator.java | 10 +- .../dlic/rest/api/SecurityConfigAction.java | 2 +- .../dlic/rest/api/WhitelistApiAction.java | 4 +- .../AbstractConfigurationValidator.java | 2 +- 
.../dlic/rest/validation/AuditValidator.java | 2 +- .../rest/validation/CredentialsValidator.java | 2 +- .../security/filter/SecurityFilter.java | 20 +- .../security/filter/SecurityRestFilter.java | 8 +- .../http/HTTPClientCertAuthenticator.java | 2 +- .../security/http/HTTPProxyAuthenticator.java | 2 +- .../security/http/RemoteIpDetector.java | 2 +- .../opensearch/security/http/XFFResolver.java | 2 +- .../security/privileges/DlsFlsEvaluator.java | 34 +- .../privileges/PrivilegesEvaluator.java | 14 +- .../ProtectedIndexAccessEvaluator.java | 6 +- .../SecurityIndexAccessEvaluator.java | 10 +- .../privileges/SnapshotRestoreEvaluator.java | 8 +- .../security/rest/DashboardsInfoAction.java | 2 +- .../security/rest/SecurityInfoAction.java | 8 +- .../security/rest/TenantInfoAction.java | 4 +- .../security/securityconf/ConfigModelV6.java | 2 +- .../security/securityconf/ConfigModelV7.java | 2 +- .../securityconf/DynamicConfigFactory.java | 4 +- .../security/ssl/DefaultSecurityKeyStore.java | 148 ++++---- .../ssl/ExternalSecurityKeyStore.java | 4 +- .../ssl/OpenSearchSecuritySSLPlugin.java | 152 ++++----- .../ssl/rest/SecuritySSLCertsInfoAction.java | 2 +- .../rest/SecuritySSLReloadCertsAction.java | 2 +- .../security/ssl/transport/SSLConfig.java | 6 +- .../transport/SecuritySSLNettyTransport.java | 4 +- .../security/ssl/util/SSLConfigConstants.java | 138 ++++---- .../security/ssl/util/SSLRequestHelper.java | 24 +- .../security/support/ConfigConstants.java | 286 ++++++++-------- .../security/support/HTTPHelper.java | 2 +- .../security/support/HeaderHelper.java | 8 +- .../LegacyOpenDistroConfigConstants.java | 270 +++++++++++++++ .../LegacyOpenDistroSecuritySettings.java | 289 ++++++++++++++++ .../security/support/SecuritySettings.java | 164 +++++++++ .../security/support/SecurityUtils.java | 2 +- .../security/tools/SecurityAdmin.java | 60 ++-- .../DefaultInterClusterRequestEvaluator.java | 6 +- .../transport/OIDClusterRequestEvaluator.java | 2 +- 
.../transport/SecurityInterceptor.java | 72 ++-- .../transport/SecurityRequestHandler.java | 64 ++-- .../dlic/auth/ldap/LdapBackendIntegTest.java | 2 +- .../auth/ldap2/LdapBackendIntegTest2.java | 2 +- .../EncryptionInTransitMigrationTests.java | 16 +- .../security/HttpIntegrationTests.java | 22 +- .../security/IndexIntegrationTests.java | 2 +- .../InitializationIntegrationTests.java | 4 +- .../opensearch/security/IntegrationTests.java | 36 +- .../security/RolesInjectorIntegTest.java | 2 +- .../security/SecurityAdminMigrationTests.java | 4 +- .../security/SecurityAdminTests.java | 2 +- .../security/SecurityRolesTests.java | 2 +- .../security/SlowIntegrationTests.java | 6 +- .../security/SystemIntegratorsTests.java | 58 ++-- .../org/opensearch/security/TracingTests.java | 4 +- .../TransportClientIntegrationTests.java | 16 +- .../TransportUserInjectorIntegTest.java | 10 +- .../org/opensearch/security/UtilTests.java | 2 +- .../compliance/ComplianceAuditlogTest.java | 96 +++--- .../compliance/ComplianceConfigTest.java | 28 +- .../RestApiComplianceAuditlogTest.java | 98 +++--- .../config/AuditConfigFilterTest.java | 34 +- .../config/AuditConfigSerializeTest.java | 6 +- .../auditlog/impl/AuditCategoryTest.java | 2 +- .../security/auditlog/impl/AuditlogTest.java | 38 +-- .../auditlog/impl/DisabledCategoriesTest.java | 12 +- .../auditlog/impl/IgnoreAuditUsersTest.java | 58 ++-- .../security/auditlog/impl/TracingTests.java | 24 +- .../integration/BasicAuditlogTest.java | 132 ++++---- .../auditlog/integration/SSLAuditlogTest.java | 50 +-- .../auditlog/routing/FallbackTest.java | 2 +- .../security/auditlog/routing/PerfTest.java | 2 +- .../security/auditlog/routing/RouterTest.java | 2 +- .../auditlog/sink/WebhookAuditLogTest.java | 48 +-- .../security/auth/RolesInjectorTest.java | 12 +- .../security/auth/UserInjectorTest.java | 6 +- .../ccstest/CrossClusterSearchTests.java | 26 +- .../security/configuration/SaltTest.java | 8 +- .../dlic/dlsfls/AbstractDlsFlsTest.java | 2 +- 
.../security/dlic/dlsfls/DlsDateMathTest.java | 2 +- .../dlic/rest/api/ActionGroupsApiTest.java | 10 +- .../dlic/rest/api/AuditApiActionTest.java | 2 +- .../dlic/rest/api/IndexMissingTest.java | 2 +- .../dlic/rest/api/MigrationTests.java | 16 +- .../dlic/rest/api/NodesDnApiTest.java | 24 +- .../dlic/rest/api/RoleBasedAccessTest.java | 2 +- .../security/dlic/rest/api/RolesApiTest.java | 10 +- .../dlic/rest/api/SecurityConfigApiTest.java | 2 +- .../dlic/rest/api/TenantInfoActionTest.java | 2 +- .../security/dlic/rest/api/UserApiTest.java | 4 +- .../dlic/rest/api/WhitelistApiTest.java | 16 +- .../security/filter/SecurityFilterTest.java | 4 +- .../HTTPExtendedProxyAuthenticatorTest.java | 2 +- .../security/httpclient/HttpClientTest.java | 8 +- .../multitenancy/test/MultitenancyTests.java | 2 +- .../ProtectedIndicesTests.java | 24 +- .../opensearch/security/ssl/OpenSSLTest.java | 16 +- .../org/opensearch/security/ssl/SSLTest.java | 316 +++++++++--------- .../ssl/SecuritySSLCertsInfoActionTests.java | 22 +- .../SecuritySSLReloadCertsActionTests.java | 32 +- .../system_indices/SystemIndicesTests.java | 8 +- .../test/AbstractSecurityUnitTest.java | 16 +- .../test/plugin/UserInjectorPlugin.java | 4 +- src/test/resources/action_groups.yml | 40 +-- src/test/resources/action_groups_packaged.yml | 54 +-- src/test/resources/auditlog/action_groups.yml | 34 +- src/test/resources/auditlog/roles.yml | 4 +- src/test/resources/auditlog/roles_2.yml | 8 +- src/test/resources/cache/action_groups.yml | 56 ++-- src/test/resources/cache/roles.yml | 96 +++--- src/test/resources/dlsfls/action_groups.yml | 34 +- src/test/resources/dlsfls/roles.yml | 22 +- src/test/resources/dlsfls/roles_983.yml | 2 +- src/test/resources/dlsfls/roles_ccs2.yml | 2 +- src/test/resources/ldap/action_groups.yml | 34 +- .../securityconfig_v6/action_groups.yml | 40 +-- .../resources/multitenancy/action_groups.yml | 56 ++-- src/test/resources/multitenancy/roles.yml | 96 +++--- 
src/test/resources/restapi/action_groups.yml | 26 +- .../resources/restapi/actiongroup_crud.json | 2 +- .../restapi/actiongroup_not_parseable.json | 2 +- .../restapi/actiongroup_readonly.json | 2 +- src/test/resources/restapi/roles.yml | 12 +- .../resources/restapi/roles_captains.json | 4 +- .../roles_captains_different_content.json | 2 +- .../restapi/roles_captains_no_tenants.json | 4 +- .../restapi/roles_captains_tenants.json | 4 +- .../restapi/roles_captains_tenants2.json | 4 +- .../roles_captains_tenants_malformed.json | 4 +- .../restapi/roles_complete_invalid.json | 4 +- .../resources/restapi/roles_invalid_keys.json | 4 +- .../resources/restapi/roles_multiple.json | 8 +- .../resources/restapi/roles_multiple_2.json | 4 +- .../resources/restapi/roles_starfleet.json | 4 +- src/test/resources/restapi/simple_role.json | 4 +- src/test/resources/roles.yml | 72 ++-- src/test/resources/roles_bs.yml | 2 +- src/test/resources/roles_composite.yml | 10 +- src/test/resources/roles_itt1635.yml | 6 +- 175 files changed, 2724 insertions(+), 2015 deletions(-) create mode 100644 src/main/java/org/opensearch/security/support/LegacyOpenDistroConfigConstants.java create mode 100644 src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java create mode 100644 src/main/java/org/opensearch/security/support/SecuritySettings.java diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 333dec6e58..b296f26eb0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -57,7 +57,7 @@ jobs: uses: github/codeql-action/analyze@v1 - name: Test - run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true mvn -B test + run: SECURITY_TEST_OPENSSL_OPT=true mvn -B test - name: Coverage uses: codecov/codecov-action@v1 diff --git a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java index d1cdcd1a05..bd898ec09d 100755 
--- a/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java +++ b/src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java 
@@ -561,23 +561,23 @@ private static Map configureSSL(final ConnectionConfig config, f } else { final KeyStore trustStore = PemKeyReader.loadKeyStore( - PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, + PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, !trustAll), - settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD), - settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)); + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)); final List trustStoreAliases = settings.getAsList(ConfigConstants.LDAPS_JKS_TRUST_ALIAS, null); // for client authentication final KeyStore keyStore = PemKeyReader.loadKeyStore( - PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, + PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, configPath, enableClientAuth), - settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD), - settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)); + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)); final String keyStorePassword = settings.get( - SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, + SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD); final String keyStoreAlias = settings.get(ConfigConstants.LDAPS_JKS_CERT_ALIAS, null); 
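Review bot: The renamed lookups `settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)` and the surrounding `PemKeyReader.resolve(...)` calls read the settings by the new key string only, so a node whose opensearch.yml still carries the legacy `opendistro_security.ssl.transport.*` keys would have its LDAP truststore not found and its store password quietly fall back to `DEFAULT_STORE_PASSWORD` — assuming the constants' string values changed along with their names, which the new `LegacyOpenDistroConfigConstants` class in the diffstat suggests. If the legacy settings class is meant to keep such deployments working, these reads need to go through a `Setting` that resolves the fallback (or through a normalized `Settings` instance) rather than the raw key, otherwise this is a silent trust-configuration change on upgrade. The keystore password is also read twice in this hunk (once inline into `loadKeyStore`, once into `keyStorePassword`); reading it once and passing the local keeps the two from diverging. `configureSSL` begins and ends outside the hunk.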
diff --git a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java b/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java index 7daa9b5f0e..9d006d8380 100644 --- a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java +++ b/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfigurator.java @@ -308,14 +308,14 @@ private void initFromKeyStore() throws SSLConfigException { try { trustStore = PemKeyReader.loadKeyStore( - PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, + PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, !isTrustAllEnabled()), - settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD), - settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)); + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE)); } catch (Exception e) { throw new SSLConfigException("Error loading trust store from " - + settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH), e); + + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH), e); } effectiveTruststoreAliases = getSettingAsList(CA_ALIAS, null); 
@@ -324,17 +324,17 @@ private void initFromKeyStore() throws SSLConfigException { try { keyStore = PemKeyReader.loadKeyStore( - PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, + PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, configPath, enableSslClientAuth), - settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD), - settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)); + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE)); } catch (Exception e) { throw new SSLConfigException("Error loading key store from " - + settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e); + + settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH), e); } - String keyStorePassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, + String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD); effectiveKeyPassword = keyStorePassword == null || keyStorePassword.isEmpty() ? null : keyStorePassword.toCharArray(); diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 0b9e095ab5..7010c86644 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java 
@@ -62,6 +62,7 @@ import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction; import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor; +import org.opensearch.security.support.*; import org.opensearch.security.transport.SecurityInterceptor; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -166,12 +167,6 @@ import org.opensearch.security.configuration.ConfigurationRepository; import org.opensearch.security.configuration.DlsFlsRequestValve; import org.opensearch.security.ssl.http.netty.ValidatingDispatcher; -import org.opensearch.security.support.ConfigConstants; -import org.opensearch.security.support.HeaderHelper; -import org.opensearch.security.support.ModuleInfo; -import org.opensearch.security.support.ReflectionHelper; -import org.opensearch.security.support.WildcardMatcher; -import org.opensearch.security.support.SecurityUtils; import com.google.common.collect.Lists; public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin implements ClusterPlugin, MapperPlugin { @@ -229,7 +224,7 @@ private final SslExceptionHandler evaluateSslExceptionHandler() { } private static boolean isDisabled(final Settings settings) { - return settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_DISABLED, false); + return settings.getAsBoolean(ConfigConstants.SECURITY_DISABLED, false); } /** @@ -238,7 +233,7 @@ private static boolean isDisabled(final Settings settings) { * @return true if ssl cert reload is enabled else false */ private static boolean isSslCertReloadEnabled(final Settings settings) { - return settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED, false); + return settings.getAsBoolean(ConfigConstants.SECURITY_SSL_CERT_RELOAD_ENABLED, false); } public OpenSearchSecurityPlugin(final Settings settings, final Path configPath) { 
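Review bot: The wildcard `import org.opensearch.security.support.*;` added in the first hunk replaces the six explicit imports removed in the second, and is the only wildcard import visible in this file; it pulls every class in the package into scope, including the new legacy classes, and hides which names the plugin actually depends on. Keep the explicit list and add only the new name, `import org.opensearch.security.support.SecuritySettings;` (plus the legacy settings class if it is referenced further down). Separately, `isDisabled` and `isSslCertReloadEnabled` still read the raw key, `settings.getAsBoolean(ConfigConstants.SECURITY_DISABLED, false)`, rather than `SecuritySettings.SECURITY_DISABLED.get(settings)`, so whatever default or fallback the new `Setting` object declares is not applied here; presumably the two should agree, especially for a flag that turns the plugin off.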
@@ -292,7 +287,7 @@ public Object run() { } }); - final String advancedModulesEnabledKey = ConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED; + final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED; if (settings.hasValue(advancedModulesEnabledKey)) { deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey); } @@ -300,7 +295,7 @@ public Object run() { log.info("Clustername: {}", settings.get("cluster.name","opensearch")); if (!transportSSLEnabled && !SSLConfig.isSslOnlyMode()) { - throw new IllegalStateException(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED+" must be set to 'true'"); + throw new IllegalStateException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED+" must be set to 'true'"); } if(!client) { @@ -332,7 +327,7 @@ public List run() { } } - if(!client && !settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false)) { + if(!client && !settings.getAsBoolean(ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false)) { //check for demo certificates final List files = AccessController.doPrivileged(new PrivilegedAction>() { @Override @@ -354,7 +349,7 @@ public List run() { if(files != null) { demoCertHashes.retainAll(files); if(!demoCertHashes.isEmpty()) { - log.error("Demo certificates found but "+ConfigConstants.OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES+" is set to false."); + log.error("Demo certificates found but "+ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES+" is set to false."); throw new RuntimeException("Demo certificates found "+demoCertHashes); } } else { 
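Review bot: The deprecation check `if (settings.hasValue(advancedModulesEnabledKey))` now tests only the renamed key, so an operator who still has the legacy `opendistro_security.advanced_modules_enabled` in opensearch.yml — the population this warning exists for — gets no notice, assuming the string value of `ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED` changed with its name (the new `LegacyOpenDistroConfigConstants` class suggests it did). Check the legacy counterpart from that class as well and name the matched key in the message, e.g. `deprecationLogger.deprecate("Setting {} is ignored.", matchedKey)`. The same raw-key pattern in the demo-certificate hunk, `settings.getAsBoolean(ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false)`, fails closed — a legacy `allow_unsafe_democertificates: true` is ignored and the node refuses to start on demo certs — which is the safe direction but should be stated in the upgrade notes. The plugin constructor starts before this hunk.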
@@ -514,14 +509,14 @@ public void clear(String reason) { @Override public Weight doCache(Weight weight, QueryCachingPolicy policy) { final Map> allowedFlsFields = (Map>) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), - ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER); + ConfigConstants.SECURITY_FLS_FIELDS_HEADER); if(SecurityUtils.evalMap(allowedFlsFields, index().getName()) != null) { return weight; } else { final Map> maskedFieldsMap = (Map>) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), - ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER); + ConfigConstants.SECURITY_MASKED_FIELD_HEADER); if(SecurityUtils.evalMap(maskedFieldsMap, index().getName()) != null) { return weight; 
@@ -543,28 +538,28 @@ public void onPreQueryPhase(SearchContext context) { @Override public void onNewReaderContext(ReaderContext readerContext) { final boolean interClusterRequest = HeaderHelper.isInterClusterRequest(threadPool.getThreadContext()); - if (Origin.LOCAL.toString().equals(threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN)) + if (Origin.LOCAL.toString().equals(threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_ORIGIN)) && (interClusterRequest || HeaderHelper.isDirectRequest(threadPool.getThreadContext())) ) { readerContext.putInContext("_opendistro_security_scroll_auth_local", Boolean.TRUE); } else { readerContext.putInContext("_opendistro_security_scroll_auth", threadPool.getThreadContext() - .getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER)); + .getTransient(ConfigConstants.SECURITY_USER)); } } @Override public void onNewScrollContext(ReaderContext readerContext) { final boolean interClusterRequest = HeaderHelper.isInterClusterRequest(threadPool.getThreadContext()); - if (Origin.LOCAL.toString().equals(threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN)) + if (Origin.LOCAL.toString().equals(threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_ORIGIN)) && (interClusterRequest || HeaderHelper.isDirectRequest(threadPool.getThreadContext())) ) { readerContext.putInContext("_opendistro_security_scroll_auth_local", Boolean.TRUE); } else { readerContext.putInContext("_opendistro_security_scroll_auth", threadPool.getThreadContext() - .getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER)); + .getTransient(ConfigConstants.SECURITY_USER)); } } 
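Review bot: `onNewReaderContext` and `onNewScrollContext` have byte-identical bodies after this change, and both still write the bare literals `"_opendistro_security_scroll_auth_local"` and `"_opendistro_security_scroll_auth"` while every other key in the hunk moved to a `ConfigConstants` constant. If keeping these on the old names is deliberate (the value is presumably read back in `validateReaderContext` and may need to stay stable across a rolling upgrade), a comment such as `// reader-context keys intentionally keep the legacy name for upgrade compatibility` would stop the next rename from touching them; if not, they belong in `ConfigConstants` beside `SECURITY_USER`. Either way the duplicated body could become one private helper, e.g. `private void markScrollAuth(ReaderContext readerContext)`, called from both listeners, so the local-origin check is maintained in one place.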
@@ -576,7 +571,7 @@ public void validateReaderContext(ReaderContext readerContext, TransportRequest if (_user != null && (_user instanceof User)) { final User scrollUser = (User) _user; final User currentUser = threadPool.getThreadContext() - .getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); + .getTransient(ConfigConstants.SECURITY_USER); if (!scrollUser.equals(currentUser)) { auditLog.logMissingPrivileges(SearchScrollAction.NAME, transportRequest, null); log.error("Wrong user {} in reader context, expected {}", scrollUser, currentUser); @@ -598,7 +593,7 @@ public void onQueryPhase(SearchContext searchContext, long tookInNanos) { } final Map> maskedFieldsMap = (Map>) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), - ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER); + ConfigConstants.SECURITY_MASKED_FIELD_HEADER); final String maskedEval = SecurityUtils.evalMap(maskedFieldsMap, indexModule.getIndex().getName()); if (maskedEval != null) { final Set mf = maskedFieldsMap.get(maskedEval); @@ -749,7 +744,7 @@ public Collection createComponents(Client localClient, ClusterService cl final String DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = DefaultInterClusterRequestEvaluator.class.getName(); InterClusterRequestEvaluator interClusterRequestEvaluator = new DefaultInterClusterRequestEvaluator(settings); - final String className = settings.get(ConfigConstants.OPENDISTRO_SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, + final String className = settings.get(ConfigConstants.SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS); log.debug("Using {} as intercluster request evaluator class", className); if (!DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS.equals(className)) { 
@@ -786,7 +781,7 @@ public Collection createComponents(Client localClient, ClusterService cl sf = new SecurityFilter(localClient, settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr, backendRegistry); - final String principalExtractorClass = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null); + final String principalExtractorClass = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null); if(principalExtractorClass == null) { principalExtractor = new DefaultPrincipalExtractor(); 
@@ -857,156 +852,147 @@ public Settings additionalSettings() { public List> getSettings() { List> settings = new ArrayList>(); settings.addAll(super.getSettings()); - - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, false, Property.NodeScope, Property.Filtered)); + settings.add(SecuritySettings.SECURITY_SSL_ONLY); // currently dual mode is supported only when ssl_only is enabled, but this stance would change in future settings.add(SSLConfig.SSL_DUAL_MODE_SETTING); // Protected index settings - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered, Property.Final)); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT, Function.identity(), Property.NodeScope, Property.Filtered, Property.Final)); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT, Function.identity(), Property.NodeScope, Property.Filtered, Property.Final)); + settings.add(SecuritySettings.SECURITY_PROTECTED_INDICES_ENABLED_KEY); + settings.add(SecuritySettings.SECURITY_PROTECTED_INDICES_KEY); + settings.add(SecuritySettings.SECURITY_PROTECTED_INDICES_ROLES_KEY); // System index settings - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered, Property.Final)); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_DEFAULT, Function.identity(), Property.NodeScope, Property.Filtered, Property.Final)); + settings.add(SecuritySettings.SECURITY_SYSTEM_INDICES_ENABLED_KEY); + 
settings.add(SecuritySettings.SECURITY_SYSTEM_INDICES_KEY); if(!SSLConfig.isSslOnlyMode()) { - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here - - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, Property.NodeScope, Property.Filtered)); - settings.add(Setting.groupSetting(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".", Property.NodeScope)); //not filtered here - - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_CERT_OID, Property.NodeScope, Property.Filtered)); - - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, Property.NodeScope, Property.Filtered)); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here + settings.add(SecuritySettings.SECURITY_AUTHCZ_ADMIN_DN); + + settings.add(SecuritySettings.SECURITY_CONFIG_INDEX_NAME); + settings.add(SecuritySettings.SECURITY_AUTHCZ_IMPERSONATION_DN); + + settings.add(SecuritySettings.SECURITY_CERT_OID); + + settings.add(SecuritySettings.SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS); + settings.add(SecuritySettings.SECURITY_NODES_DN); + + settings.add(SecuritySettings.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED); + + settings.add(SecuritySettings.SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE); + settings.add(SecuritySettings.SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES); + + settings.add(SecuritySettings.SECURITY_DISABLED); + + settings.add(SecuritySettings.SECURITY_CACHE_TTL_MINUTES); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false, Property.NodeScope));//not filtered here - - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, 
ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, - Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, - Property.NodeScope, Property.Filtered)); - - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_DISABLED, false, Property.NodeScope, Property.Filtered)); - - settings.add(Setting.intSetting(ConfigConstants.OPENDISTRO_SECURITY_CACHE_TTL_MINUTES, 60, 0, Property.NodeScope, Property.Filtered)); - //Security - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED, true, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true, Property.NodeScope, Property.Filtered)); - settings.add(Setting.groupSetting(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", Property.NodeScope)); //not filtered here - - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT, false, Property.NodeScope, Property.Filtered)); - + settings.add(SecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED); + settings.add(SecuritySettings.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES); + settings.add(SecuritySettings.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX); + settings.add(SecuritySettings.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST); + 
settings.add(SecuritySettings.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS); + + settings.add(SecuritySettings.SECURITY_ROLES_MAPPING_RESOLUTION); + settings.add(SecuritySettings.SECURITY_DISABLE_ENVVAR_REPLACEMENT); + // Security - Audit - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, Property.NodeScope, Property.Filtered)); - settings.add(Setting.groupSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ROUTES + ".", Property.NodeScope)); - settings.add(Setting.groupSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS + ".", Property.NodeScope)); - settings.add(Setting.intSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_SIZE, 10, Property.NodeScope, Property.Filtered)); - settings.add(Setting.intSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, 100*1000, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true, Property.NodeScope, Property.Filtered)); - final List disabledCategories = new ArrayList(2); - disabledCategories.add("AUTHENTICATED"); - disabledCategories.add("GRANTED_PRIVILEGES"); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, disabledCategories, Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, disabledCategories, Function.identity(), Property.NodeScope)); //not filtered here 
- final List ignoredUsers = new ArrayList(2); - ignoredUsers.add("kibanaserver"); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, ignoredUsers, Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Property.NodeScope, Property.Filtered)); - - + settings.add(SecuritySettings.SECURITY_AUDIT_TYPE_DEFAULT); + settings.add(SecuritySettings.SECURITY_AUDIT_CONFIG_ROUTES); + settings.add(SecuritySettings.SECURITY_AUDIT_CONFIG_ENDPOINTS); + settings.add(SecuritySettings.SECURITY_AUDIT_THREADPOOL_SIZE); + settings.add(SecuritySettings.SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN); + settings.add(SecuritySettings.SECURITY_AUDIT_LOG_REQUEST_BODY); + settings.add(SecuritySettings.SECURITY_AUDIT_RESOLVE_INDICES); + settings.add(SecuritySettings.SECURITY_AUDIT_ENABLE_REST); + settings.add(SecuritySettings.SECURITY_AUDIT_ENABLE_TRANSPORT); + settings.add(SecuritySettings.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES); + settings.add(SecuritySettings.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES); + settings.add(SecuritySettings.SECURITY_AUDIT_IGNORE_USERS); + settings.add(SecuritySettings.SECURITY_AUDIT_IGNORE_REQUESTS); + settings.add(SecuritySettings.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS); + settings.add(SecuritySettings.SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS); + + // Security - Audit - Sink - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX, Property.NodeScope, Property.Filtered)); - 
settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE, Property.NodeScope, Property.Filtered)); - + settings.add(SecuritySettings.SECURITY_AUDIT_OPENSEARCH_INDEX); + settings.add(SecuritySettings.SECURITY_AUDIT_OPENSEARCH_TYPE); + // External OpenSearch - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS, Lists.newArrayList("localhost:9200"), Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES, true, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT, Property.NodeScope, Property.Filtered)); - 
settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, Property.NodeScope, Property.Filtered)); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + 
ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here - + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS); //not filtered here + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS); + // Webhooks - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_URL, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_FORMAT, Property.NodeScope, Property.Filtered)); - 
settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, true, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, Property.NodeScope, Property.Filtered)); - + settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_URL); + settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_FORMAT); + settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_SSL_VERIFY); + settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH); + settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT); + // Log4j - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LOGGER_NAME, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LEVEL, Property.NodeScope, Property.Filtered)); - - + settings.add(SecuritySettings.SECURITY_AUDIT_LOG4J_LOGGER_NAME); + settings.add(SecuritySettings.SECURITY_AUDIT_LOG4J_LEVEL); + + // Kerberos - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_KERBEROS_KRB5_FILEPATH, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL, Property.NodeScope, Property.Filtered)); - - - // 
OpenSearch Security - REST API - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.groupSetting(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Property.NodeScope)); - - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Property.NodeScope, Property.Filtered)); - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Property.NodeScope, Property.Filtered)); - - + settings.add(SecuritySettings.SECURITY_KERBEROS_KRB5_FILEPATH); + settings.add(SecuritySettings.SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH); + settings.add(SecuritySettings.SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL); + + + // Open Distro Security - REST API + settings.add(SecuritySettings.SECURITY_RESTAPI_ROLES_ENABLED); + settings.add(SecuritySettings.SECURITY_RESTAPI_ENDPOINTS_DISABLED); + + settings.add(SecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX); + settings.add(SecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE); + + // Compliance - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, false, Property.NodeScope, Property.Filtered)); - 
settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.listSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList(), Function.identity(), Property.NodeScope)); //not filtered here - settings.add(Setting.simpleString(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false, Property.NodeScope, Property.Filtered)); - - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, false, Property.NodeScope, - Property.Filtered)); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS); + 
settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_IMMUTABLE_INDICES); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_SALT); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED); + + settings.add(SecuritySettings.SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS); //compat - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, false, Property.NodeScope, Property.Filtered)); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY); // system integration - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, false, Property.NodeScope, Property.Filtered)); - 
settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED, false, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, false, Property.NodeScope, Property.Filtered)); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES); + settings.add(SecuritySettings.SECURITY_SSL_CERT_RELOAD_ENABLED); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG); } - + return settings; } @@ -1055,7 +1041,7 @@ public Function> getFieldFilter() { return field -> true; } final Map> allowedFlsFields = (Map>) HeaderHelper - .deserializeSafeFromHeader(threadPool.getThreadContext(), ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER); + .deserializeSafeFromHeader(threadPool.getThreadContext(), ConfigConstants.SECURITY_FLS_FIELDS_HEADER); final String eval = SecurityUtils.evalMap(allowedFlsFields, index); 
@@ -1091,7 +1077,7 @@ public Function> getFieldFilter() { @Override public Collection getSystemIndexDescriptors(Settings settings) { - final String indexPattern = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX); + final String indexPattern = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX); final SystemIndexDescriptor systemIndexDescriptor = new SystemIndexDescriptor(indexPattern, "Security index"); return Collections.singletonList(systemIndexDescriptor); } diff --git a/src/main/java/org/opensearch/security/action/whoami/TransportWhoAmIAction.java b/src/main/java/org/opensearch/security/action/whoami/TransportWhoAmIAction.java index e1db6ad8c6..f222ede628 100644 --- a/src/main/java/org/opensearch/security/action/whoami/TransportWhoAmIAction.java +++ b/src/main/java/org/opensearch/security/action/whoami/TransportWhoAmIAction.java @@ -66,8 +66,8 @@ public TransportWhoAmIAction(final Settings settings, @Override protected void doExecute(Task task, WhoAmIRequest request, ActionListener listener) { - final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); - final String dn = user==null?threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL):user.getName(); + final User user = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_USER); + final String dn = user==null?threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL):user.getName(); final boolean isAdmin = adminDNs.isAdminDN(dn); final boolean isAuthenticated = isAdmin?true: user != null; final boolean isNodeCertificateRequest = HeaderHelper.isInterClusterRequest(threadPool.getThreadContext()) || 
diff --git a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java index c84cb0ed94..7b72af0d14 100644 --- a/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java +++ b/src/main/java/org/opensearch/security/auditlog/config/AuditConfig.java @@ -187,8 +187,8 @@ public static Filter from(Map properties) throws JsonProcessingE final boolean logRequestBody = getOrDefault(properties, "log_request_body", true); final boolean resolveIndices = getOrDefault(properties, "resolve_indices", true); final boolean excludeSensitiveHeaders = getOrDefault(properties, "exclude_sensitive_headers", true); - final Set disabledRestCategories = AuditCategory.parse(getOrDefault(properties,"disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); - final Set disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, "disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set disabledRestCategories = AuditCategory.parse(getOrDefault(properties,"disabled_rest_categories", ConfigConstants.SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); + final Set disabledTransportCategories = AuditCategory.parse(getOrDefault(properties, "disabled_transport_categories", ConfigConstants.SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)); final Set ignoredAuditUsers = ImmutableSet.copyOf(getOrDefault(properties, "ignore_users", DEFAULT_IGNORED_USERS)); final Set ignoreAuditRequests = ImmutableSet.copyOf(getOrDefault(properties, "ignore_requests", Collections.emptyList())); 
@@ -212,23 +212,23 @@ public static Filter from(Map properties) throws JsonProcessingE * @return audit configuration filter */ public static Filter from(Settings settings) { - final boolean isRestApiAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true); - final boolean isTransportAuditEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true); - final boolean resolveBulkRequests = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false); - final boolean logRequestBody = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true); - final boolean resolveIndices = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true); - final boolean excludeSensitiveHeaders = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true); - final Set disabledRestCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES); - final Set disabledTransportCategories = AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES); + final boolean isRestApiAuditEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true); + final boolean isTransportAuditEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true); + final boolean resolveBulkRequests = settings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false); + final boolean logRequestBody = settings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_LOG_REQUEST_BODY, true); + final boolean resolveIndices = settings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_RESOLVE_INDICES, true); + final boolean excludeSensitiveHeaders = settings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true); + final Set disabledRestCategories = 
AuditCategory.from(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES); + final Set disabledTransportCategories = AuditCategory.from(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES); final Set ignoredAuditUsers = ConfigConstants.getSettingAsSet( settings, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, + ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, DEFAULT_IGNORED_USERS, false); final Set ignoreAuditRequests = ImmutableSet.copyOf(settings.getAsList( - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, + ConfigConstants.SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList())); return new Filter(isRestApiAuditEnabled, 
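Review bot: `Filter.from(Settings)` now reads only the `ConfigConstants.SECURITY_AUDIT_*` keys, and if those constants resolve to different key strings than the `OPENDISTRO_SECURITY_AUDIT_*` ones they replace (their values are not visible in this hunk), a node whose static config still carries the legacy keys silently falls back to the defaults for `ignore_users`, `exclude_sensitive_headers`, `resolve_bulk_requests` and the disabled-category lists, with no warning. The `DEPRECATED_KEYS` list in the following hunk would then also stop recognising those legacy keys, so `getDeprecatedKeys` cannot surface the problem either. If the legacy settings class this commit adds is what maps the old names onto the new ones, a one-line comment at the top of this method stating that would save the next reader the same question; otherwise each read needs an explicit fallback until the old names are retired, e.g. `settings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true))`.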
@@ -376,25 +376,25 @@ public String toString() { * List of keys that are deprecated */ public static final List DEPRECATED_KEYS = ImmutableList.of( - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, - ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, - ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES + ConfigConstants.SECURITY_AUDIT_ENABLE_REST, + ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, + ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, + ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, + ConfigConstants.SECURITY_AUDIT_LOG_REQUEST_BODY, + ConfigConstants.SECURITY_AUDIT_RESOLVE_INDICES, + ConfigConstants.SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, + ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, + 
ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, + ConfigConstants.SECURITY_AUDIT_IGNORE_REQUESTS, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, + ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES ); public static Set getDeprecatedKeys(final Settings settings) { diff --git a/src/main/java/org/opensearch/security/auditlog/config/ThreadPoolConfig.java b/src/main/java/org/opensearch/security/auditlog/config/ThreadPoolConfig.java index 67c3da711f..ddd6db0a5f 100644 --- a/src/main/java/org/opensearch/security/auditlog/config/ThreadPoolConfig.java +++ b/src/main/java/org/opensearch/security/auditlog/config/ThreadPoolConfig.java @@ -47,8 +47,8 @@ public int getThreadPoolMaxQueueLen() { } public static ThreadPoolConfig getConfig(Settings settings) { - int threadPoolSize = settings.getAsInt(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_SIZE, DEFAULT_THREAD_POOL_SIZE); - int threadPoolMaxQueueLen = settings.getAsInt(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, DEFAULT_THREAD_POOL_MAX_QUEUE_LEN); + int threadPoolSize = settings.getAsInt(ConfigConstants.SECURITY_AUDIT_THREADPOOL_SIZE, DEFAULT_THREAD_POOL_SIZE); + int threadPoolMaxQueueLen = settings.getAsInt(ConfigConstants.SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, DEFAULT_THREAD_POOL_MAX_QUEUE_LEN); return new ThreadPoolConfig(threadPoolSize, threadPoolMaxQueueLen); } 
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java index ec41badd34..af5b5f8489 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java @@ -109,7 +109,7 @@ protected AbstractAuditLog(Settings settings, final ThreadPool threadPool, final this.settings = settings; this.resolver = resolver; this.clusterService = clusterService; - this.securityIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX); + this.securityIndex = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX); this.environment = environment; } 
@@ -308,12 +308,12 @@ public void logBadHeaders(RestRequest request) { @Override public void logSecurityIndexAttempt(TransportRequest request, String action, Task task) { - if(!checkTransportFilter(AuditCategory.OPENDISTRO_SECURITY_INDEX_ATTEMPT, action, getUser(), request)) { + if(!checkTransportFilter(AuditCategory.SECURITY_INDEX_ATTEMPT, action, getUser(), request)) { return; } final TransportAddress remoteAddress = getRemoteAddress(); - final List msgs = RequestResolver.resolve(AuditCategory.OPENDISTRO_SECURITY_INDEX_ATTEMPT, getOrigin(), action, null, getUser(), false, null, remoteAddress, request, getThreadContextHeaders(), task, resolver, clusterService, settings, auditConfigFilter.shouldLogRequestBody(), auditConfigFilter.shouldResolveIndices(), auditConfigFilter.shouldResolveBulkRequests(), securityIndex, auditConfigFilter.shouldExcludeSensitiveHeaders(), null); + final List msgs = RequestResolver.resolve(AuditCategory.SECURITY_INDEX_ATTEMPT, getOrigin(), action, null, getUser(), false, null, remoteAddress, request, getThreadContextHeaders(), task, resolver, clusterService, settings, auditConfigFilter.shouldLogRequestBody(), auditConfigFilter.shouldResolveIndices(), auditConfigFilter.shouldResolveBulkRequests(), securityIndex, auditConfigFilter.shouldExcludeSensitiveHeaders(), null); for(AuditMessage msg: msgs) { save(msg); @@ -361,7 +361,7 @@ public void logDocumentRead(String index, String id, ShardId shardId, Map parse(final Collection categories) { } public static Set from(final Settings settings, final String key) { - return parse(ConfigConstants.getSettingAsSet(settings, key, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT, true)); + return parse(ConfigConstants.getSettingAsSet(settings, key, ConfigConstants.SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT, true)); } } 
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/RequestResolver.java b/src/main/java/org/opensearch/security/auditlog/impl/RequestResolver.java index 617152d2fb..3b4d1917a7 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/RequestResolver.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/RequestResolver.java @@ -127,7 +127,7 @@ public static List resolve( if(category != AuditCategory.FAILED_LOGIN && category != AuditCategory.MISSING_PRIVILEGES - && category != AuditCategory.OPENDISTRO_SECURITY_INDEX_ATTEMPT) { + && category != AuditCategory.SECURITY_INDEX_ATTEMPT) { return Collections.emptyList(); } diff --git a/src/main/java/org/opensearch/security/auditlog/routing/AuditMessageRouter.java b/src/main/java/org/opensearch/security/auditlog/routing/AuditMessageRouter.java index 277c9ddd98..df1d26ff65 100644 --- a/src/main/java/org/opensearch/security/auditlog/routing/AuditMessageRouter.java +++ b/src/main/java/org/opensearch/security/auditlog/routing/AuditMessageRouter.java @@ -110,7 +110,7 @@ public final void enableRoutes(Settings settings) { if (categorySinks != null) { return; } - Map routesConfiguration = Utils.convertJsonToxToStructuredMap(settings.getAsSettings(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ROUTES)); + Map routesConfiguration = Utils.convertJsonToxToStructuredMap(settings.getAsSettings(ConfigConstants.SECURITY_AUDIT_CONFIG_ROUTES)); EnumSet presentAuditCategory = EnumSet.noneOf(AuditCategory.class); categorySinks = routesConfiguration.entrySet().stream() .peek(entry -> log.trace("Setting up routes for endpoint {}, configuration is {}", entry.getKey(), entry.getValue())) diff --git a/src/main/java/org/opensearch/security/auditlog/sink/AuditLogSink.java b/src/main/java/org/opensearch/security/auditlog/sink/AuditLogSink.java index dc62cdd177..e841b1bc69 100644 --- a/src/main/java/org/opensearch/security/auditlog/sink/AuditLogSink.java 
+++ b/src/main/java/org/opensearch/security/auditlog/sink/AuditLogSink.java @@ -46,8 +46,8 @@ protected AuditLogSink(String name, Settings settings, String settingsPrefix, Au this.settingsPrefix = settingsPrefix; this.fallbackSink = fallbackSink; - retryCount = settings.getAsInt(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RETRY_COUNT, 0); - delayMs = settings.getAsLong(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RETRY_DELAY_MS, 1000L); + retryCount = settings.getAsInt(ConfigConstants.SECURITY_AUDIT_RETRY_COUNT, 0); + delayMs = settings.getAsLong(ConfigConstants.SECURITY_AUDIT_RETRY_DELAY_MS, 1000L); } public boolean isHandlingBackpressure() { diff --git a/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java b/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java index d75ad8f8dc..dd23ba8711 100644 --- a/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java +++ b/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java @@ -51,13 +51,13 @@ public ExternalOpenSearchSink(final String name, final Settings settings, final super(name, settings, settingPrefix, fallbackSink); Settings sinkSettings = settings.getAsSettings(settingPrefix); - servers = sinkSettings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS); + servers = sinkSettings.getAsList(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS); if (servers == null || servers.size() == 0) { log.error("No http endpoints configured for external OpenSearch endpoint '{}', falling back to localhost.", name); servers = Collections.singletonList("localhost:9200"); } - this.index = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX, "'security-auditlog-'YYYY.MM.dd"); + this.index = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, "'security-auditlog-'YYYY.MM.dd"); try { this.indexPattern = DateTimeFormat.forPattern(index); 
@@ -66,19 +66,19 @@ public ExternalOpenSearchSink(final String name, final Settings settings, final
 + "If you have no date pattern configured you can safely ignore this message", e.getMessage());
 }
- this.type = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE, null);
- final boolean verifyHostnames = sinkSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES, true);
- final boolean enableSsl = sinkSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, false);
- final boolean enableSslClientAuth = sinkSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH , ConfigConstants.OPENDISTRO_SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT);
- final String user = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME);
- final String password = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD);
+ this.type = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_OPENSEARCH_TYPE, null);
+ final boolean verifyHostnames = sinkSettings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES, true);
+ final boolean enableSsl = sinkSettings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, false);
+ final boolean enableSslClientAuth = sinkSettings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH , ConfigConstants.SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT);
+ final String user = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME);
+ final String password = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD);
 final HttpClientBuilder builder = HttpClient.builder(servers.toArray(new String[0]));
 if (enableSsl) {
- final boolean pem = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, null) != null
- || sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, null) != null;
+ final boolean pem = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, null) != null
+ || sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, null) != null;
 KeyStore effectiveTruststore;
 KeyStore effectiveKeystore;
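Review bot: The TLS decisions in this hunk — `enableSsl` (default `false`), `verifyHostnames`, `enableSslClientAuth` and the `pem` check — now read keys through `SECURITY_AUDIT_*` constants whose string values are defined outside this diff; if those values differ from the former `OPENDISTRO_SECURITY_AUDIT_*` keys and no legacy-key mapping is applied to `settings` before `settings.getAsSettings(settingPrefix)` runs (earlier hunk of this constructor), an existing sink configured with SSL under the old key would silently start with `enableSsl = false` and a null `password`, i.e. a plaintext audit connection instead of a startup failure. Please confirm either that the renamed constants keep the old key strings or that the legacy mapping is applied before the sink settings are read, and consider logging at warn level when a legacy key is translated so operators can see it. The same fail-open shape appears for `SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION` (default `false`) in BackendRegistry at @@ -211, where a lost key would re-enable anonymous authentication. The constructor continues past this hunk.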
@@ -88,26 +88,26 @@ public ExternalOpenSearchSink(final String name, final Settings settings, final
 final boolean isDebugEnabled = log.isDebugEnabled();
 if(pem) {
- X509Certificate[] trustCertificates = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, sinkSettings));
+ X509Certificate[] trustCertificates = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, sinkSettings));
 if(trustCertificates == null) {
- String path = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH);
- trustCertificates = PemKeyReader.loadCertificatesFromFile(PemKeyReader.resolve(path, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, settings, configPath, true));
+ String path = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH);
+ trustCertificates = PemKeyReader.loadCertificatesFromFile(PemKeyReader.resolve(path, ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, settings, configPath, true));
 }
 //for client authentication
- X509Certificate[] authenticationCertificate = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT, sinkSettings));
+ X509Certificate[] authenticationCertificate = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT, sinkSettings));
 if(authenticationCertificate == null) {
- String path = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH);
- authenticationCertificate = PemKeyReader.loadCertificatesFromFile(PemKeyReader.resolve(path, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, settings, configPath, enableSslClientAuth));
+ String path = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH);
+ authenticationCertificate = PemKeyReader.loadCertificatesFromFile(PemKeyReader.resolve(path, ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, settings, configPath, enableSslClientAuth));
 }
- PrivateKey authenticationKey = PemKeyReader.loadKeyFromStream(sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD), PemKeyReader.resolveStream(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT, sinkSettings));
+ PrivateKey authenticationKey = PemKeyReader.loadKeyFromStream(sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD), PemKeyReader.resolveStream(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT, sinkSettings));
 if(authenticationKey == null) {
- String path = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH);
- authenticationKey = PemKeyReader.loadKeyFromFile(sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD), PemKeyReader.resolve(path, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, settings, configPath, enableSslClientAuth));
+ String path = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH);
+ authenticationKey = PemKeyReader.loadKeyFromFile(sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD), PemKeyReader.resolve(path, ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, settings, configPath, enableSslClientAuth));
 }
 effectiveKeyPassword = PemKeyReader.randomChars(12);
@@ -120,20 +120,20 @@ public ExternalOpenSearchSink(final String name, final Settings settings, final
 }
 } else {
- final KeyStore trustStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, true)
- , settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
- , settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
+ final KeyStore trustStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, true)
+ , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+ , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
 //for client authentication
- final KeyStore keyStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, configPath, enableSslClientAuth)
- , settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
- , settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
- final String keyStorePassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
+ final KeyStore keyStore = PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings, configPath, enableSslClientAuth)
+ , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+ , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
+ final String keyStorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
 effectiveKeyPassword = keyStorePassword==null||keyStorePassword.isEmpty()?null:keyStorePassword.toCharArray();
- effectiveKeyAlias = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, null);
+ effectiveKeyAlias = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, null);
 if(enableSslClientAuth && effectiveKeyAlias == null) {
- throw new IllegalArgumentException(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS+" not given");
+ throw new IllegalArgumentException(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS+" not given");
 }
 effectiveTruststore = trustStore;
@@ -146,8 +146,8 @@ public ExternalOpenSearchSink(final String name, final Settings settings, final
 }
- final List enabledCipherSuites = sinkSettings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, null);
- final List enabledProtocols = sinkSettings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, DEFAULT_TLS_PROTOCOLS);
+ final List enabledCipherSuites = sinkSettings.getAsList(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, null);
+ final List enabledProtocols = sinkSettings.getAsList(ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, DEFAULT_TLS_PROTOCOLS);
 builder.setSupportedCipherSuites(enabledCipherSuites==null?null:enabledCipherSuites.toArray(new String[0]));
 builder.setSupportedProtocols(enabledProtocols.toArray(new String[0]));
diff --git a/src/main/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSink.java b/src/main/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSink.java
index f20239e3ad..99a893a7cb 100644
--- a/src/main/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSink.java
+++ b/src/main/java/org/opensearch/security/auditlog/sink/InternalOpenSearchSink.java
@@ -45,8 +45,8 @@ public InternalOpenSearchSink(final String name, final Settings settings, final
 this.clientProvider = clientProvider;
 Settings sinkSettings = getSinkSettings(settingsPrefix);
- this.index = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX, "'security-auditlog-'YYYY.MM.dd");
- this.type = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE, null);
+ this.index = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, "'security-auditlog-'YYYY.MM.dd");
+ this.type = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_OPENSEARCH_TYPE, null);
 this.threadPool = threadPool;
 try {
@@ -63,7 +63,7 @@ public void close() throws IOException {
 public boolean doStore(final AuditMessage msg) {
- if (Boolean.parseBoolean((String) HeaderHelper.getSafeFromHeader(threadPool.getThreadContext(), ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER))) {
+ if (Boolean.parseBoolean((String) HeaderHelper.getSafeFromHeader(threadPool.getThreadContext(), ConfigConstants.SECURITY_CONF_REQUEST_HEADER))) {
 if (log.isTraceEnabled()) {
 log.trace("audit log of audit log will not be executed");
 }
@@ -73,7 +73,7 @@ public boolean doStore(final AuditMessage msg) {
 try (StoredContext ctx = threadPool.getThreadContext().stashContext()) {
 try {
 final IndexRequestBuilder irb = clientProvider.prepareIndex(getExpandedIndexName(indexPattern, index), type).setRefreshPolicy(RefreshPolicy.IMMEDIATE).setSource(msg.getAsMap());
- threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");
+ threadPool.getThreadContext().putHeader(ConfigConstants.SECURITY_CONF_REQUEST_HEADER, "true");
 irb.setTimeout(TimeValue.timeValueMinutes(1));
 irb.execute().actionGet();
 return true;
diff --git a/src/main/java/org/opensearch/security/auditlog/sink/SinkProvider.java b/src/main/java/org/opensearch/security/auditlog/sink/SinkProvider.java
index fa96255453..ce6f63e8b7 100644
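Review bot: `doStore` uses `SECURITY_CONF_REQUEST_HEADER` both as the marker it checks to skip auditing its own writes and as the header it puts before indexing; thread-context headers are propagated with transport requests, so if the header's string value changed together with the identifier (the constant's definition is not in this diff), a node still on the previous build would not recognise the marker during a rolling upgrade and could audit the audit writes, i.e. a feedback loop rather than a dropped message. Keeping the header's wire value unchanged, or having the read side accept both the old and the new header name for the transition, avoids this; the same consideration applies to the `putHeader` in ConfigurationRepository at @@ -129. If the value is in fact unchanged, a comment on the constant such as `// wire-visible header name: keep stable across renames` would protect it from the next rename. `doStore` continues past the hunk.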
--- a/src/main/java/org/opensearch/security/auditlog/sink/SinkProvider.java
+++ b/src/main/java/org/opensearch/security/auditlog/sink/SinkProvider.java
@@ -49,7 +49,7 @@ public SinkProvider(final Settings settings, final Client clientProvider, Thread
 this.configPath = configPath;
 // fall back sink, make sure we don't lose messages
- String fallbackConfigPrefix = ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS + "." + FALLBACKSINK_NAME;
+ String fallbackConfigPrefix = ConfigConstants.SECURITY_AUDIT_CONFIG_ENDPOINTS + "." + FALLBACKSINK_NAME;
 Settings fallbackSinkSettings = settings.getAsSettings(fallbackConfigPrefix);
 if(!fallbackSinkSettings.isEmpty()) {
 this.fallbackSink = createSink(FALLBACKSINK_NAME, fallbackSinkSettings.get("type"), settings, fallbackConfigPrefix+".config");
@@ -63,7 +63,7 @@ public SinkProvider(final Settings settings, final Client clientProvider, Thread
 allSinks.put(FALLBACKSINK_NAME, this.fallbackSink);
 // create default sink
- defaultSink = this.createSink(DEFAULTSINK_NAME, settings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT), settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT);
+ defaultSink = this.createSink(DEFAULTSINK_NAME, settings.get(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT), settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT);
 if (defaultSink == null) {
 log.error("Default endpoint could not be created, auditlog will not work properly.");
 return;
@@ -72,7 +72,7 @@ public SinkProvider(final Settings settings, final Client clientProvider, Thread
 allSinks.put(DEFAULTSINK_NAME, defaultSink);
 // create all other sinks
- Map sinkSettingsMap = Utils.convertJsonToxToStructuredMap(settings.getAsSettings(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS));
+ Map sinkSettingsMap = Utils.convertJsonToxToStructuredMap(settings.getAsSettings(ConfigConstants.SECURITY_AUDIT_CONFIG_ENDPOINTS));
 for (Entry sinkEntry : sinkSettingsMap.entrySet()) {
 String sinkName = sinkEntry.getKey();
@@ -80,12 +80,12 @@ public SinkProvider(final Settings settings, final Client clientProvider, Thread
 if(sinkName.equalsIgnoreCase(FALLBACKSINK_NAME)) {
 continue;
 }
- String type = settings.getAsSettings(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS + "." + sinkName).get("type");
+ String type = settings.getAsSettings(ConfigConstants.SECURITY_AUDIT_CONFIG_ENDPOINTS + "." + sinkName).get("type");
 if (type == null) {
 log.error("No type defined for endpoint {}.", sinkName);
 continue;
 }
- AuditLogSink sink = createSink(sinkName, type, this.settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS + "." + sinkName + ".config");
+ AuditLogSink sink = createSink(sinkName, type, this.settings, ConfigConstants.SECURITY_AUDIT_CONFIG_ENDPOINTS + "." + sinkName + ".config");
 if (sink == null) {
 log.error("Endpoint '{}' could not be created, check log file for further information.", sinkName);
 continue;
diff --git a/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java b/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java
index 3adb4671a7..05e214c427 100644
--- a/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java
+++ b/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java
@@ -64,10 +64,10 @@ public WebhookSink(final String name, final Settings settings, final String sett
 this.effectiveTruststore = getEffectiveKeyStore(configPath);
- final String webhookUrl = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_URL);
- final String format = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_FORMAT);
+ final String webhookUrl = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_WEBHOOK_URL);
+ final String format = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_WEBHOOK_FORMAT);
- verifySSL = sinkSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, true);
+ verifySSL = sinkSettings.getAsBoolean(ConfigConstants.SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, true);
 httpClient = getHttpClient();
 if(httpClient == null) {
@@ -308,14 +308,14 @@ public KeyStore run() {
 try {
 Settings sinkSettings = settings.getAsSettings(settingsPrefix);
- final boolean pem = sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, null) != null
- || sinkSettings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, null) != null;
+ final boolean pem = sinkSettings.get(ConfigConstants.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, null) != null
+ || sinkSettings.get(ConfigConstants.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, null) != null;
 if(pem) {
- X509Certificate[] trustCertificates = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, sinkSettings));
+ X509Certificate[] trustCertificates = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream(ConfigConstants.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, sinkSettings));
 if(trustCertificates == null) {
- String fullPath = settingsPrefix + "." + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH;
+ String fullPath = settingsPrefix + "." + ConfigConstants.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH;
 trustCertificates = PemKeyReader.loadCertificatesFromFile(PemKeyReader.resolve(fullPath, settings, configPath, false));
 }
@@ -323,9 +323,9 @@ public KeyStore run() {
 } else {
- return PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, false)
- , settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
- , settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
+ return PemKeyReader.loadKeyStore(PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings, configPath, false)
+ , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, SSLConfigConstants.DEFAULT_STORE_PASSWORD)
+ , settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
 }
 } catch(Exception ex) {
 log.error("Could not load key material. Make sure your certificates are located relative to the config directory", ex);
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 5613cc391f..cdd1f96200 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -183,10 +183,10 @@ public BackendRegistry(final Settings settings, final AdminDNs adminDns,
 this.userInjector = new UserInjector(settings, threadPool, auditLog, xffResolver);
- this.ttlInMin = settings.getAsInt(ConfigConstants.OPENDISTRO_SECURITY_CACHE_TTL_MINUTES, 60);
+ this.ttlInMin = settings.getAsInt(ConfigConstants.SECURITY_CACHE_TTL_MINUTES, 60);
 // This is going to be defined in the opensearch.yml, so it's best suited to be initialized once.
- this.injectedUserEnabled = opensearchSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED,false);
+ this.injectedUserEnabled = opensearchSettings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED,false);
 createCaches();
 }
@@ -211,7 +211,7 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
 invalidateCache();
 transportUsernameAttribute = dcm.getTransportUsernameAttribute();// config.dynamic.transport_userrname_attribute;
 anonymousAuthEnabled = dcm.isAnonymousAuthenticationEnabled()//config.dynamic.http.anonymous_auth_enabled
- && !opensearchSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false);
+ && !opensearchSettings.getAsBoolean(ConfigConstants.SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false);
 restAuthDomains = Collections.unmodifiableSortedSet(dcm.getRestAuthDomains());
 transportAuthDomains = Collections.unmodifiableSortedSet(dcm.getTransportAuthDomains());
@@ -363,11 +363,11 @@ public boolean authenticate(final RestRequest request, final RestChannel channel
 return false;
 }
- final String sslPrincipal = (String) threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL);
+ final String sslPrincipal = (String) threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_SSL_PRINCIPAL);
 if(adminDns.isAdminDN(sslPrincipal)) {
 //PKI authenticated REST call
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, new User(sslPrincipal));
+ threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_USER, new User(sslPrincipal));
 auditLog.logSucceededLogin(sslPrincipal, true, null, request);
 return true;
 }
@@ -390,7 +390,7 @@ public boolean authenticate(final RestRequest request, final RestChannel channel
 log.trace("Rest authentication request from {} [original: {}]", remoteAddress, request.getHttpChannel().getRemoteAddress());
 }
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, remoteAddress);
+ threadContext.putTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS, remoteAddress);
 boolean authenticated = false;
@@ -505,7 +505,7 @@ public boolean authenticate(final RestRequest request, final RestChannel channel
 if(authenticated) {
 final User impersonatedUser = impersonate(request, authenticatedUser);
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, impersonatedUser==null?authenticatedUser:impersonatedUser);
+ threadContext.putTransient(ConfigConstants.SECURITY_USER, impersonatedUser==null?authenticatedUser:impersonatedUser);
 auditLog.logSucceededLogin((impersonatedUser == null ? authenticatedUser : impersonatedUser).getName(), false, authenticatedUser.getName(), request);
 } else {
@@ -514,7 +514,7 @@ public boolean authenticate(final RestRequest request, final RestChannel channel
 }
 if(authCredenetials == null && anonymousAuthEnabled) {
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, User.ANONYMOUS);
+ threadContext.putTransient(ConfigConstants.SECURITY_USER, User.ANONYMOUS);
 auditLog.logSucceededLogin(User.ANONYMOUS.getName(), false, null, request);
 if (isDebugEnabled) {
 log.debug("Anonymous User is authenticated");
diff --git a/src/main/java/org/opensearch/security/auth/RolesInjector.java b/src/main/java/org/opensearch/security/auth/RolesInjector.java
index 1b1e3b8c2a..7560b9ffbc 100644
--- a/src/main/java/org/opensearch/security/auth/RolesInjector.java
+++ b/src/main/java/org/opensearch/security/auth/RolesInjector.java
@@ -41,7 +41,7 @@ public RolesInjector() {
 }
 public Set injectUserAndRoles(final ThreadContext ctx) {
- final String injectedUserAndRoles = ctx.getTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES);
+ final String injectedUserAndRoles = ctx.getTransient(ConfigConstants.SECURITY_INJECTED_ROLES);
 if (injectedUserAndRoles == null) {
 return null;
 }
@@ -73,9 +73,9 @@ public Set injectUserAndRoles(final ThreadContext ctx) {
 }
 private void addUser(final User user, final ThreadContext threadContext) {
- if(threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER) != null)
+ if(threadContext.getTransient(ConfigConstants.SECURITY_USER) != null)
 return;
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
+ threadContext.putTransient(ConfigConstants.SECURITY_USER, user);
 }
 }
diff --git a/src/main/java/org/opensearch/security/auth/UserInjector.java b/src/main/java/org/opensearch/security/auth/UserInjector.java
index 02188e218a..5ab173948c 100644
--- a/src/main/java/org/opensearch/security/auth/UserInjector.java
+++ b/src/main/java/org/opensearch/security/auth/UserInjector.java
@@ -63,7 +63,7 @@ public class UserInjector {
 this.threadPool = threadPool;
 this.auditLog = auditLog;
 this.xffResolver = xffResolver;
- this.injectUserEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false);
+ this.injectUserEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false);
 }
@@ -107,7 +107,7 @@ InjectedUser getInjectedUser() {
 return null;
 }
- String injectedUserString = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER);
+ String injectedUserString = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_INJECTED_USER);
 if (log.isDebugEnabled()) {
 log.debug("Injected user string: {}", injectedUserString);
@@ -185,12 +185,12 @@ boolean injectUser(RestRequest request) {
 // Set remote address into the thread context
 if (injectedUser.getTransportAddress() != null) {
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, injectedUser.getTransportAddress());
+ threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS, injectedUser.getTransportAddress());
 } else {
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, xffResolver.resolve(request));
+ threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS, xffResolver.resolve(request));
 }
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, injectedUser);
+ threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_USER, injectedUser);
 auditLog.logSucceededLogin(injectedUser.getName(), true, null, request);
 return true;
diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
index 2a32aa1cfb..c8bf03474c 100644
--- a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
+++ b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java
@@ -195,9 +195,9 @@ public ComplianceConfig(
 logDiffsForWrite,
 watchedWriteIndicesPatterns,
 ignoredComplianceUsersForWrite,
- settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX),
- settings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, null),
- settings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX, "'security-auditlog-'YYYY.MM.dd")
+ settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX),
+ settings.get(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, null),
+ settings.get(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, "'security-auditlog-'YYYY.MM.dd")
 );
 }
@@ -254,12 +254,12 @@ public static ComplianceConfig from(Map properties, @JacksonInje
 * @return compliance configuration
 */
 public static ComplianceConfig from(Settings settings) {
- final boolean logExternalConfig = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false);
- final boolean logInternalConfig = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false);
- final boolean logReadMetadataOnly = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, false);
- final boolean logWriteMetadataOnly = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, false);
- final boolean logDiffsForWrite = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false);
- final List watchedReadFields = settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS,
+ final boolean logExternalConfig = settings.getAsBoolean(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false);
+ final boolean logInternalConfig = settings.getAsBoolean(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false);
+ final boolean logReadMetadataOnly = settings.getAsBoolean(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, false);
+ final boolean logWriteMetadataOnly = settings.getAsBoolean(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, false);
+ final boolean logDiffsForWrite = settings.getAsBoolean(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false);
+ final List watchedReadFields = settings.getAsList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS,
 Collections.emptyList(), false);
 //opendistro_security.compliance.pii_fields:
 // - indexpattern,fieldpattern,fieldpattern,....
@@ -271,15 +271,15 @@ public static ComplianceConfig from(Settings settings) {
 split -> split.length == 1 ? ImmutableList.of("*") : Arrays.stream(split).skip(1).collect(ImmutableList.toImmutableList())
 ));
- final List watchedWriteIndices = settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList());
+ final List watchedWriteIndices = settings.getAsList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList());
 final Set ignoredComplianceUsersForRead = ConfigConstants.getSettingAsSet(
 settings,
- ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS,
+ ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS,
 AuditConfig.DEFAULT_IGNORED_USERS,
 false);
 final Set ignoredComplianceUsersForWrite = ConfigConstants.getSettingAsSet(
 settings,
- ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS,
+ ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS,
 AuditConfig.DEFAULT_IGNORED_USERS,
 false);
diff --git a/src/main/java/org/opensearch/security/configuration/AdminDNs.java b/src/main/java/org/opensearch/security/configuration/AdminDNs.java
index fbefc893ae..44333d7c8e 100644
--- a/src/main/java/org/opensearch/security/configuration/AdminDNs.java
+++ b/src/main/java/org/opensearch/security/configuration/AdminDNs.java
@@ -63,10 +63,10 @@ public class AdminDNs {
 public AdminDNs(final Settings settings) {
- this.injectUserEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false);
- this.injectAdminUserEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, false);
+ this.injectUserEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false);
+ this.injectAdminUserEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, false);
- final List adminDnsA = settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList());
+ final List adminDnsA = settings.getAsList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList());
 for (String dn:adminDnsA) {
 try {
@@ -87,7 +87,7 @@ public AdminDNs(final Settings settings) {
 log.debug("Loaded {} admin DN's {}",adminDn.size(), adminDn);
- final Settings impersonationDns = settings.getByPrefix(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".");
+ final Settings impersonationDns = settings.getByPrefix(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN+".");
 allowedDnsImpersonations = impersonationDns.keySet().stream()
 .map(this::toLdapName)
@@ -95,19 +95,19 @@ public AdminDNs(final Settings settings) {
 .collect(
 ImmutableMap.toImmutableMap(
 Function.identity(),
- ldapName -> WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN + "." + ldapName))
+ ldapName -> WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN + "." + ldapName))
 )
 );
 log.debug("Loaded {} impersonation DN's {}", allowedDnsImpersonations.size(), allowedDnsImpersonations);
- final Settings impersonationUsersRest = settings.getByPrefix(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".");
+ final Settings impersonationUsersRest = settings.getByPrefix(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".");
 allowedRestImpersonations = impersonationUsersRest.keySet().stream()
 .collect(
 ImmutableMap.toImmutableMap(
 Function.identity(),
- user -> WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+"."+user))
+ user -> WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+"."+user))
 )
 );
diff --git a/src/main/java/org/opensearch/security/configuration/CompatConfig.java b/src/main/java/org/opensearch/security/configuration/CompatConfig.java
index 551c838c8d..1cbd1100ea 100644
--- a/src/main/java/org/opensearch/security/configuration/CompatConfig.java
+++ b/src/main/java/org/opensearch/security/configuration/CompatConfig.java
@@ -58,7 +58,7 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
 //true is default
 public boolean restAuthEnabled() {
- final boolean restInitiallyDisabled = staticSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, false);
+ final boolean restInitiallyDisabled = staticSettings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, false);
 final boolean isTraceEnabled = log.isTraceEnabled();
 if(restInitiallyDisabled) {
 if(dcm == null) {
@@ -81,7 +81,7 @@ public boolean restAuthEnabled() {
 //true is default
 public boolean transportInterClusterAuthEnabled() {
- final boolean interClusterAuthInitiallyDisabled = staticSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, false);
+ final boolean interClusterAuthInitiallyDisabled = staticSettings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, false);
 final boolean isTraceEnabled = log.isTraceEnabled();
 if(interClusterAuthInitiallyDisabled) {
 if(dcm == null) {
diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java b/src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java
index 9fd6f500a4..4ce42bc8ae 100644
--- a/src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java
+++ b/src/main/java/org/opensearch/security/configuration/ConfigurationLoaderSecurity7.java
@@ -82,7 +82,7 @@ public class ConfigurationLoaderSecurity7 {
 super();
 this.client = client;
 this.settings = settings;
- this.securityIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
+ this.securityIndex = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX);
 this.cs = cs;
 log.debug("Index is: {}", securityIndex);
 }
diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
index b22bd384d4..043a884a5e 100644
--- a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
+++ b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
@@ -99,14 +99,14 @@ public class ConfigurationRepository {
 private ConfigurationRepository(Settings settings, final Path configPath, ThreadPool threadPool, Client client, ClusterService clusterService, AuditLog auditLog) {
- this.securityIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
+ this.securityIndex = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX);
 this.settings = settings;
 this.client = client;
 this.threadPool = threadPool;
 this.clusterService = clusterService;
 this.auditLog = auditLog;
 this.configurationChangedListener = new ArrayList<>();
- this.acceptInvalid = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, false);
+ this.acceptInvalid = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, false);
 cl = new ConfigurationLoaderSecurity7(client, threadPool, settings, clusterService);
 configCache = CacheBuilder
@@ -129,7 +129,7 @@ public void run() {
 if(confFile.exists()) {
 final ThreadContext threadContext = threadPool.getThreadContext();
 try(StoredContext ctx = threadContext.stashContext()) {
- threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");
+ threadContext.putHeader(ConfigConstants.SECURITY_CONF_REQUEST_HEADER, "true");
 createSecurityIndexIfAbsent();
 waitForSecurityIndexToBeAtLeastYellow();
@@ -252,11 +252,11 @@ private void waitForSecurityIndexToBeAtLeastYellow() {
 public void initOnNodeStart() {
 try {
- if (settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false)) {
+ if (settings.getAsBoolean(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false)) {
 LOGGER.info("Will attempt to create index {} and default configs if they are absent", securityIndex);
 installDefaultConfig.set(true);
 bgThread.start();
- } else if (settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true)){
+ } else if (settings.getAsBoolean(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true)){
 LOGGER.info("Will not attempt to create index {} and default configs if they are absent. Use securityadmin to initialize cluster", securityIndex);
 bgThread.start();
@@ -355,7 +355,7 @@ public Map> getConfigurationsFromIndex(Co
 final Map> retVal = new HashMap<>();
 try(StoredContext ctx = threadContext.stashContext()) {
- threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");
+ threadContext.putHeader(ConfigConstants.SECURITY_CONF_REQUEST_HEADER, "true");
 IndexMetadata securityMetadata = clusterService.state().metadata().index(this.securityIndex);
 MappingMetadata mappingMetadata = securityMetadata==null?null:securityMetadata.mapping();
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java
index 7278090472..05483a8bcb 100644
--- a/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java
+++ b/src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java
@@ -1154,7 +1154,7 @@ public boolean hasDeletions() {
 @SuppressWarnings("unchecked")
 private MaskedFieldsMap getRuntimeMaskedFieldInfo() {
 final Map> maskedFieldsMap = (Map>) HeaderHelper.deserializeSafeFromHeader(threadContext,
- ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER);
+ ConfigConstants.SECURITY_MASKED_FIELD_HEADER);
 final String maskedEval = SecurityUtils.evalMap(maskedFieldsMap, indexService.index().getName());
 if(maskedEval != null) {
@@ -1255,7 +1255,7 @@ public TermState termState() throws IOException {
 private String getRuntimeActionName() {
- return (String) threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ACTION_NAME);
+ return (String) threadContext.getTransient(ConfigConstants.SECURITY_ACTION_NAME);
 }
 private boolean isSuggest() {
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
index c692b127a6..64bdafbd36 100644
--- a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
+++ b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
@@ -139,7 +139,7 @@ public boolean invoke(final ActionRequest request, final ActionListener liste
 public void handleSearchContext(SearchContext context, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry) {
 try {
 final Map> queries = (Map>) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(),
- ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER);
+ ConfigConstants.SECURITY_DLS_QUERY_HEADER);
 final String dlsEval = SecurityUtils.evalMap(queries, context.indexShard().indexSettings().getIndex().getName());
diff --git a/src/main/java/org/opensearch/security/configuration/Salt.java b/src/main/java/org/opensearch/security/configuration/Salt.java
index 7cdcd95d6a..8d2e72402a 100644
--- a/src/main/java/org/opensearch/security/configuration/Salt.java
+++ b/src/main/java/org/opensearch/security/configuration/Salt.java
@@ -47,7 +47,7 @@ public Salt(final byte[] salt) {
 private Salt(final String saltAsString) {
 this.salt16 = new byte[SALT_SIZE];
- if (saltAsString.equals(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT_DEFAULT)) {
+ if (saltAsString.equals(ConfigConstants.SECURITY_COMPLIANCE_SALT_DEFAULT)) {
 log.warn("If you plan to use field masking pls configure compliance salt {} to be a random string of 16 chars length identical on all nodes", saltAsString);
 }
 try {
@@ -76,7 +76,7 @@ byte[] getSalt16() {
 * @return configuration
 */
 public static Salt from(final Settings settings) {
- final String saltAsString = settings.get(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT_DEFAULT);
+ final String saltAsString = settings.get(ConfigConstants.SECURITY_COMPLIANCE_SALT, ConfigConstants.SECURITY_COMPLIANCE_SALT_DEFAULT);
 return new Salt(saltAsString);
 }
 }
diff --git a/src/main/java/org/opensearch/security/configuration/SecurityFlsDlsIndexSearcherWrapper.java b/src/main/java/org/opensearch/security/configuration/SecurityFlsDlsIndexSearcherWrapper.java
index b4468a9890..aa335c5ea7 100644
--- a/src/main/java/org/opensearch/security/configuration/SecurityFlsDlsIndexSearcherWrapper.java
+++ b/src/main/java/org/opensearch/security/configuration/SecurityFlsDlsIndexSearcherWrapper.java
@@ -61,7 +61,7 @@ public SecurityFlsDlsIndexSearcherWrapper(final IndexService indexService, final
 this.clusterService = clusterService;
 this.indexService = indexService;
 this.auditlog = auditlog;
- final boolean allowNowinDlsQueries = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, false);
+ final boolean allowNowinDlsQueries = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, false);
 if (allowNowinDlsQueries) {
 nowInMillis = () -> System.currentTimeMillis();
 } else {
@@ -84,11 +84,11 @@ protected DirectoryReader dlsFlsWrap(final DirectoryReader reader, boolean isAdm
 if(!isAdmin) {
 final Map> allowedFlsFields = (Map>) HeaderHelper.deserializeSafeFromHeader(threadContext,
- ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER);
+ ConfigConstants.SECURITY_FLS_FIELDS_HEADER);
 final Map> queries = (Map>) HeaderHelper.deserializeSafeFromHeader(threadContext,
- ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER);
+ ConfigConstants.SECURITY_DLS_QUERY_HEADER);
 final Map> maskedFieldsMap = (Map>) HeaderHelper.deserializeSafeFromHeader(threadContext,
- ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER);
+ ConfigConstants.SECURITY_MASKED_FIELD_HEADER);
 final String flsEval = SecurityUtils.evalMap(allowedFlsFields, index.getName());
 final String dlsEval = SecurityUtils.evalMap(queries, index.getName());
diff --git a/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java b/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
index 9476130b53..4b0e4bee42 100644
--- a/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
+++ b/src/main/java/org/opensearch/security/configuration/SecurityIndexSearcherWrapper.java
@@ -71,15 +71,15 @@ public class SecurityIndexSearcherWrapper implements CheckedFunction securityRoles = evaluator.mapRoles(user, caller);
 if (allowedRolesMatcher.matchAny(securityRoles)) {
 return true;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
index 669e140e51..36adea8851 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java
@@ -88,8 +88,8 @@ protected AbstractApiAction(final Settings settings, final Path configPath, fina
 ThreadPool threadPool, AuditLog auditLog) {
 super();
 this.settings = settings;
- this.opendistroIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME,
- ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
+ this.opendistroIndex = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME,
+ ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX);
 this.adminDNs = adminDNs;
 this.cl = cl;
@@ -373,7 +373,7 @@ protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClie
 // check if request is authorized
 String authError = restApiPrivilegesEvaluator.checkAccessPermissions(request, getEndpoint());
- final User user = (User) threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ final User user = (User) threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_USER);
 final String userName = user == null ? null : user.getName();
 if (authError != null) {
 log.error("No permission to access REST API: " + authError);
@@ -385,17 +385,17 @@ protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClie
 auditLog.logGrantedPrivileges(userName, request);
 }
- final Object originalUser = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ final Object originalUser = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_USER);
 final Object originalRemoteAddress = threadPool.getThreadContext()
- .getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
- final Object originalOrigin = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN);
+ .getTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS);
+ final Object originalOrigin = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_ORIGIN);
 return channel -> threadPool.generic().submit(() -> {
 try (StoredContext ignore = threadPool.getThreadContext().stashContext()) {
- threadPool.getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUser);
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, originalRemoteAddress);
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, originalOrigin);
+ threadPool.getThreadContext().putHeader(ConfigConstants.SECURITY_CONF_REQUEST_HEADER, "true");
+ threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_USER, originalUser);
+ threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS, originalRemoteAddress);
+ threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_ORIGIN, originalOrigin);
 handleApiRequest(channel, request, client);
 } catch (Exception e) {
@@ -557,7 +557,7 @@ public String getName() {
 protected abstract Endpoint getEndpoint();
 protected boolean isSuperAdmin() {
- User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ User user = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_USER);
 return adminDNs.isAdmin(user);
 }
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java
index dda4fa2595..36c5f191c3 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/AccountApiAction.java
@@ -128,9 +128,9 @@ protected void handleGet(RestChannel channel, RestRequest request, Client client
 try {
 builder.startObject();
- final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ final User user = threadContext.getTransient(ConfigConstants.SECURITY_USER);
 if (user != null) {
- final TransportAddress remoteAddress = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+ final TransportAddress remoteAddress = threadContext.getTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS);
 final Set securityRoles = privilegesEvaluator.mapRoles(user, remoteAddress);
 final SecurityDynamicConfiguration configuration = load(getConfigName(), false);
@@ -183,7 +183,7 @@ protected void handleGet(RestChannel channel, RestRequest request, Client client
 */
 @Override
 protected void handlePut(RestChannel channel, final RestRequest request, final Client client, final JsonNode content) throws IOException {
- final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ final User user = threadContext.getTransient(ConfigConstants.SECURITY_USER);
 final String username = user.getName();
 final SecurityDynamicConfiguration internalUser = load(CType.INTERNALUSERS, false);
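Review bot: `handlePut` in AccountApiAction dereferences `user.getName()` immediately after reading `SECURITY_USER` from the thread context, without the `user != null` guard that `handleGet` applies a few lines earlier in the same file; `getValidator` in the next hunk has the same shape. If the transient can be absent on this path (a request that reached the handler without passing authentication, or a caller outside the REST filter), the result is a NullPointerException rather than the rejection the surrounding code otherwise produces. Rejecting the request before `user.getName()` is evaluated, using whatever error-response form this class already uses, would make the three methods consistent. Both `handlePut` and `handleGet` continue beyond their hunks.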
@@ -231,7 +231,7 @@ public void onResponse(IndexResponse response) {
 @Override
 protected AbstractConfigurationValidator getValidator(RestRequest request, BytesReference ref, Object... params) {
- final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ final User user = threadContext.getTransient(ConfigConstants.SECURITY_USER);
 return new AccountValidator(request, ref, this.settings, user.getName());
 }
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java
index ff60802b43..443d03d1e4 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java
@@ -50,9 +50,9 @@
 * in node restart can be avoided by populating the coordinating cluster's nodes_dn values.
 *
 * The APIs are only accessible to SuperAdmin since the configuration controls the core application layer trust validation.
- * By default the APIs are disabled and can be enabled by a YML setting - {@link ConfigConstants#OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED}
+ * By default the APIs are disabled and can be enabled by a YML setting - {@link ConfigConstants#SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED}
 *
- * The backing data is stored in {@link ConfigConstants#OPENDISTRO_SECURITY_CONFIG_INDEX_NAME} which is populated during bootstrap.
+ * The backing data is stored in {@link ConfigConstants#SECURITY_CONFIG_INDEX_NAME} which is populated during bootstrap.
 * For existing clusters, {@link SecurityAdmin} tool can
 * be used to populate the index.
 *
@@ -76,12 +76,12 @@ public NodesDnApiAction(final Settings settings, final Path configPath, final Re
 final AdminDNs adminDNs, final ConfigurationRepository cl, final ClusterService cs, final PrincipalExtractor principalExtractor,
 final PrivilegesEvaluator evaluator, ThreadPool threadPool, AuditLog auditLog) {
 super(settings, configPath, controller, client, adminDNs, cl, cs, principalExtractor, evaluator, threadPool, auditLog);
- this.staticNodesDnFromEsYml = settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, Collections.emptyList());
+ this.staticNodesDnFromEsYml = settings.getAsList(ConfigConstants.SECURITY_NODES_DN, Collections.emptyList());
 }
 @Override
 public List routes() {
- if (settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false)) {
+ if (settings.getAsBoolean(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false)) {
 return routes;
 }
 return Collections.emptyList();
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java
index 1ef4ba64d9..1f8a3c1e49 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java
@@ -100,8 +100,8 @@ public void accept(RestChannel channel) throws Exception {
 try {
- final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
- final TransportAddress remoteAddress = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+ final User user = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_USER);
+ final TransportAddress remoteAddress = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS);
 Set userRoles = privilegesEvaluator.mapRoles(user, remoteAddress);
 Boolean hasApiAccess = restApiPrivilegesEvaluator.currentUserHasRestApiAccess(userRoles);
 Map> disabledEndpoints = restApiPrivilegesEvaluator.getDisabledEndpointsForCurrentUser(user.getName(), userRoles);
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java
index a72b9a4dbc..3653dd4a0b 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java
@@ -96,12 +96,12 @@ public RestApiPrivilegesEvaluator(Settings settings, AdminDNs adminDNs, Privileg
 this.allEndpoints = Collections.unmodifiableMap(allEndpoints);
 // setup role based permissions
- allowedRoles.addAll(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED));
+ allowedRoles.addAll(settings.getAsList(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED));
 this.roleBasedAccessEnabled = !allowedRoles.isEmpty();
 // globally disabled endpoints, disables access to Endpoint/Method combination for all roles
- Settings globalSettings = settings.getAsSettings(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".global");
+ Settings globalSettings = settings.getAsSettings(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".global");
 if (!globalSettings.isEmpty()) {
 globallyDisabledEndpoints = parseDisabledEndpoints(globalSettings);
 }
@@ -112,7 +112,7 @@ public RestApiPrivilegesEvaluator(Settings settings, AdminDNs adminDNs, Privileg
 }
 for (String role : allowedRoles) {
- Settings settingsForRole = settings.getAsSettings(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED + "." + role);
+ Settings settingsForRole = settings.getAsSettings(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + "." + role);
 if (settingsForRole.isEmpty()) {
 if (isDebugEnabled) {
 logger.debug("No disabled endpoints/methods for permitted role {} found, allowing all", role);
@@ -347,8 +347,8 @@ private String checkRoleBasedAccessPermissions(RestRequest request, Endpoint end
 if (this.roleBasedAccessEnabled) {
 // get current user and roles
- final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
- final TransportAddress remoteAddress = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+ final User user = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_USER);
+ final TransportAddress remoteAddress = threadPool.getThreadContext().getTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS);
 // map the users Security roles
 Set userRoles = privilegesEvaluator.mapRoles(user, remoteAddress);
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigAction.java
index 9f2e27f292..d51416846c 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigAction.java
@@ -64,7 +64,7 @@ public SecurityConfigAction(final Settings settings, final Path configPath, fina
 final PrincipalExtractor principalExtractor, final PrivilegesEvaluator evaluator, ThreadPool threadPool, AuditLog auditLog) {
 super(settings, configPath, controller, client, adminDNs, cl, cs, principalExtractor, evaluator, threadPool, auditLog);
- allowPutOrPatch = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, false);
+ allowPutOrPatch = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, false);
 }
 @Override
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java
index a08ebb7065..2507afadd7 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/WhitelistApiAction.java
@@ -54,7 +54,7 @@
 * These APIs allow the SuperAdmin to enable/disable whitelisting, and also change the list of whitelisted APIs.
 *

* A SuperAdmin is identified by a certificate which represents a distinguished name(DN).
- * SuperAdmin DN's can be set in {@link ConfigConstants#OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN}
+ * SuperAdmin DN's can be set in {@link ConfigConstants#SECURITY_AUTHCZ_ADMIN_DN}
 * SuperAdmin certificate for the default superuser is stored as a kirk.pem file in config folder of OpenSearch
 *

* Example calling the PUT API as SuperAdmin using curl (if http basic auth is on):
@@ -81,7 +81,7 @@
 * "value": true
 * }
 *
- * The backing data is stored in {@link ConfigConstants#OPENDISTRO_SECURITY_CONFIG_INDEX_NAME} which is populated during bootstrap.
+ * The backing data is stored in {@link ConfigConstants#SECURITY_CONFIG_INDEX_NAME} which is populated during bootstrap.
 * For existing clusters, {@link SecurityAdmin} tool can
 * be used to populate the index.
 *

diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java
index 389742b6dd..97e810b520 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/validation/AbstractConfigurationValidator.java
@@ -243,7 +243,7 @@ public XContentBuilder errorsAsXContent(RestChannel channel) {
 break;
 case INVALID_PASSWORD:
 builder.field("status", "error");
- builder.field("reason", opensearchSettings.get(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE,
+ builder.field("reason", opensearchSettings.get(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE,
 "Password does not match minimum criteria"));
 break;
 case WRONG_DATATYPE:
diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/AuditValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/AuditValidator.java
index afc2198a78..532d3c73cc 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/validation/AuditValidator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/validation/AuditValidator.java
@@ -44,7 +44,7 @@ public class AuditValidator extends AbstractConfigurationValidator {
 AuditCategory.GRANTED_PRIVILEGES,
 AuditCategory.MISSING_PRIVILEGES,
 AuditCategory.INDEX_EVENT,
- AuditCategory.OPENDISTRO_SECURITY_INDEX_ATTEMPT
+ AuditCategory.SECURITY_INDEX_ATTEMPT
 );
 public AuditValidator(final RestRequest request,
diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java
index 03ee4755c5..82994396e0 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/validation/CredentialsValidator.java
@@ -51,7 +51,7 @@ public boolean validate() {
 return false;
 }
- final String regex = this.opensearchSettings.get(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, null);
+ final String regex = this.opensearchSettings.get(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, null);
 if ((request.method() == RestRequest.Method.PUT || request.method() == RestRequest.Method.PATCH)
 && this.content != null
diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java
index 105eddda24..b5339f653a 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java
@@ -130,7 +130,7 @@ public SecurityFilter(final Client client, final Settings settings, final Privil
 this.cs = cs;
 this.compatConfig = compatConfig;
 this.indexResolverReplacer = indexResolverReplacer;
- this.immutableIndicesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList()));
+ this.immutableIndicesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList()));
 this.rolesInjector = new RolesInjector();
 this.backendRegistry = backendRegistry;
 log.info("{} indices are made immutable.", immutableIndicesMatcher);
@@ -163,8 +163,8 @@ private void ap
 ActionListener listener, ActionFilterChain chain) {
 try {
- if(threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) == null) {
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, Origin.LOCAL.toString());
+ if(threadContext.getTransient(ConfigConstants.SECURITY_ORIGIN) == null) {
+ threadContext.putTransient(ConfigConstants.SECURITY_ORIGIN, Origin.LOCAL.toString());
 }
 final ComplianceConfig complianceConfig = auditLog.getComplianceConfig();
@@ -173,16 +173,16 @@ private void ap
 }
 final Set injectedRoles = rolesInjector.injectUserAndRoles(threadContext);
 boolean enforcePrivilegesEvaluation = false;
- User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ User user = threadContext.getTransient(ConfigConstants.SECURITY_USER);
 if(user == null && (user = backendRegistry.authenticate(request, null, task, action)) != null) {
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
+ threadContext.putTransient(ConfigConstants.SECURITY_USER, user);
 enforcePrivilegesEvaluation = true;
 }
 final boolean userIsAdmin = isUserAdmin(user, adminDns);
 final boolean interClusterRequest = HeaderHelper.isInterClusterRequest(threadContext);
 final boolean trustedClusterRequest = HeaderHelper.isTrustedClusterRequest(threadContext);
- final boolean confRequest = "true".equals(HeaderHelper.getSafeFromHeader(threadContext, ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER));
+ final boolean confRequest = "true".equals(HeaderHelper.getSafeFromHeader(threadContext, ConfigConstants.SECURITY_CONF_REQUEST_HEADER));
 final boolean passThroughRequest = action.startsWith("indices:admin/seq_no")
 || action.equals(WhoAmIAction.NAME);
@@ -211,11 +211,11 @@ private void ap
 }
 traceAction("Node "+cs.localNode().getName()+" -> "+action+" ("+count+"): userIsAdmin="+userIsAdmin+"/conRequest="+confRequest+"/internalRequest="+internalRequest
- +"origin="+threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN)+"/directRequest="+HeaderHelper.isDirectRequest(threadContext)+"/remoteAddress="+request.remoteAddress());
+ +"origin="+threadContext.getTransient(ConfigConstants.SECURITY_ORIGIN)+"/directRequest="+HeaderHelper.isDirectRequest(threadContext)+"/remoteAddress="+request.remoteAddress());
 threadContext.putHeader("_opendistro_security_trace"+System.currentTimeMillis()+"#"+UUID.randomUUID().toString(), Thread.currentThread().getName()+" FILTER -> "+"Node "+cs.localNode().getName()+" -> "+action+" userIsAdmin="+userIsAdmin+"/conRequest="+confRequest+"/internalRequest="+internalRequest
- +"origin="+threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN)+"/directRequest="+HeaderHelper.isDirectRequest(threadContext)+"/remoteAddress="+request.remoteAddress()+" "+threadContext.getHeaders().entrySet().stream().filter(p->!p.getKey().startsWith("_opendistro_security_trace")).collect(Collectors.toMap(p -> p.getKey(), p -> p.getValue())));
+ +"origin="+threadContext.getTransient(ConfigConstants.SECURITY_ORIGIN)+"/directRequest="+HeaderHelper.isDirectRequest(threadContext)+"/remoteAddress="+request.remoteAddress()+" "+threadContext.getHeaders().entrySet().stream().filter(p->!p.getKey().startsWith("_opendistro_security_trace")).collect(Collectors.toMap(p -> p.getKey(), p -> p.getValue())));
 }
@@ -257,7 +257,7 @@ private void ap
 }
- if(Origin.LOCAL.toString().equals(threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN))
+ if(Origin.LOCAL.toString().equals(threadContext.getTransient(ConfigConstants.SECURITY_ORIGIN))
 && (interClusterRequest || HeaderHelper.isDirectRequest(threadContext))
 && (injectedRoles == null)
 && !enforcePrivilegesEvaluation
@@ -279,7 +279,7 @@ private void ap
 return;
 }
- log.error("No user found for "+ action+" from "+request.remoteAddress()+" "+threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN)+" via "+threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE)+" "+threadContext.getHeaders());
+ log.error("No user found for "+ action+" from "+request.remoteAddress()+" "+threadContext.getTransient(ConfigConstants.SECURITY_ORIGIN)+" via "+threadContext.getTransient(ConfigConstants.SECURITY_CHANNEL_TYPE)+" "+threadContext.getHeaders());
 listener.onFailure(new OpenSearchSecurityException("No user found for "+action, RestStatus.INTERNAL_SERVER_ERROR));
 return;
 }
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
index c7186f2d85..12fd671949 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -112,7 +112,7 @@ public RestHandler wrap(RestHandler original, AdminDNs adminDNs) {
 public void handleRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
 org.apache.logging.log4j.ThreadContext.clearAll();
 if (!checkAndAuthenticateRequest(request, channel, client)) {
- User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ User user = threadContext.getTransient(ConfigConstants.SECURITY_USER);
 if (userIsSuperAdmin(user, adminDNs) || whitelistingSettings.checkRequestIsAllowed(request, channel, client)) {
 original.handleRequest(request, channel, client);
 }
@@ -131,7 +131,7 @@ private boolean userIsSuperAdmin(User user, AdminDNs adminDNs) {
 private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception {
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, Origin.REST.toString());
+ threadContext.putTransient(ConfigConstants.SECURITY_ORIGIN, Origin.REST.toString());
 if(HTTPHelper.containsBadHeader(request)) {
 final OpenSearchException exception = ExceptionUtils.createBadHeaderException();
@@ -141,7 +141,7 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
 return true;
 }
- if(SSLRequestHelper.containsBadHeader(threadContext, ConfigConstants.OPENDISTRO_SECURITY_CONFIG_PREFIX)) {
+ if(SSLRequestHelper.containsBadHeader(threadContext, ConfigConstants.SECURITY_CONFIG_PREFIX)) {
 final OpenSearchException exception = ExceptionUtils.createBadHeaderException();
 log.error(exception);
 auditLog.logBadHeaders(request);
@@ -181,7 +181,7 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
 return true;
 } else {
 // make it possible to filter logs by username
- org.apache.logging.log4j.ThreadContext.put("user", ((User)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER)).getName());
+ org.apache.logging.log4j.ThreadContext.put("user", ((User)threadContext.getTransient(ConfigConstants.SECURITY_USER)).getName());
 }
 }
diff --git a/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java
index a034c67cae..d75c76fbe3 100644
--- a/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java
@@ -63,7 +63,7 @@ public HTTPClientCertAuthenticator(final Settings settings, final Path configPat
 @Override
 public AuthCredentials extractCredentials(final RestRequest request, final ThreadContext threadContext) {
- final String principal = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL);
+ final String principal = threadContext.getTransient(ConfigConstants.SECURITY_SSL_PRINCIPAL);
 if (!Strings.isNullOrEmpty(principal)) {
diff --git a/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java
index fe3d7be6f0..eb2ac58290 100644
--- a/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java
@@ -62,7 +62,7 @@ public HTTPProxyAuthenticator(Settings settings, final Path configPath) {
 @Override
 public AuthCredentials extractCredentials(final RestRequest request, ThreadContext context) {
- if(context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE) != Boolean.TRUE) {
+ if(context.getTransient(ConfigConstants.SECURITY_XFF_DONE) != Boolean.TRUE) {
 throw new OpenSearchSecurityException("xff not done");
 }
diff --git a/src/main/java/org/opensearch/security/http/RemoteIpDetector.java b/src/main/java/org/opensearch/security/http/RemoteIpDetector.java
index 9524e17f64..868fc9e93b 100644
--- a/src/main/java/org/opensearch/security/http/RemoteIpDetector.java
+++ b/src/main/java/org/opensearch/security/http/RemoteIpDetector.java
@@ -180,7 +180,7 @@ String detect(RestRequest request, ThreadContext threadContext){
 log.trace("Incoming request {} with originalRemoteAddr '{}', originalRemoteHost='{}', will be seen as newRemoteAddr='{}'", request.uri(), originalRemoteAddr, originalRemoteHost, remoteIp);
 }
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE, Boolean.TRUE);
+ threadContext.putTransient(ConfigConstants.SECURITY_XFF_DONE, Boolean.TRUE);
 return remoteIp;
 } else {
diff --git a/src/main/java/org/opensearch/security/http/XFFResolver.java b/src/main/java/org/opensearch/security/http/XFFResolver.java
index bfef7c8dc8..6c7bd67a29 100644
--- a/src/main/java/org/opensearch/security/http/XFFResolver.java
+++ b/src/main/java/org/opensearch/security/http/XFFResolver.java
@@ -72,7 +72,7 @@ public TransportAddress resolve(final RestRequest request) throws OpenSearchSecu
 if (isTraceEnabled) {
- if(threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE) == Boolean.TRUE) {
+ if(threadContext.getTransient(ConfigConstants.SECURITY_XFF_DONE) == Boolean.TRUE) {
 log.trace("xff resolved {} to {}", request.getHttpChannel().getRemoteAddress(), isa);
 } else {
 log.trace("no xff done for {}",request.getClass());
diff --git a/src/main/java/org/opensearch/security/privileges/DlsFlsEvaluator.java b/src/main/java/org/opensearch/security/privileges/DlsFlsEvaluator.java
index ff4b343d8a..aae10c8078 100644
--- a/src/main/java/org/opensearch/security/privileges/DlsFlsEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/DlsFlsEvaluator.java
@@ -78,21 +78,21 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final C
 if (maskedFieldsMap != null && !maskedFieldsMap.isEmpty()) {
 if(request instanceof ClusterSearchShardsRequest && HeaderHelper.isTrustedClusterRequest(threadContext)) {
- threadContext.addResponseHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFieldsMap));
+ threadContext.addResponseHeader(ConfigConstants.SECURITY_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFieldsMap));
 if (isDebugEnabled) {
 log.debug("Added response header for masked fields info: {}", maskedFieldsMap);
 }
 } else {
- if (threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER) != null) {
- if (!maskedFieldsMap.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER)))) {
- throw new OpenSearchSecurityException(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER + " does not match ");
+ if (threadContext.getHeader(ConfigConstants.SECURITY_MASKED_FIELD_HEADER) != null) {
+ if (!maskedFieldsMap.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SECURITY_MASKED_FIELD_HEADER)))) {
+ throw new OpenSearchSecurityException(ConfigConstants.SECURITY_MASKED_FIELD_HEADER + " does not match ");
 } else {
 if (isDebugEnabled) {
- log.debug("Header {} already set", ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER);
+ log.debug("Header {} already set", ConfigConstants.SECURITY_MASKED_FIELD_HEADER);
 }
 }
 } else {
- threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFieldsMap));
+ threadContext.putHeader(ConfigConstants.SECURITY_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFieldsMap));
 if (isDebugEnabled) {
 log.debug("Attach masked fields info: {}", maskedFieldsMap);
 }
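Review bot: The masked-field branch in this hunk and the DLS and FLS branches in the two hunks that follow (-116 and -143) are the same header-propagation logic copied three times, differing only in the header constant, the payload and the exception text. The copies have already drifted: the DLS copy has no `Header {} already set` debug branch where the other two do, and its message carries a `(SG 900D)` tag the others lack. A private helper taking the header name and the `Serializable` payload would make the three paths identical and keep the mismatch check from diverging further. The enclosing `evaluate` method begins before this hunk.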
@@ -116,17 +116,17 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final C
 if (!dlsQueries.isEmpty()) {
 if(request instanceof ClusterSearchShardsRequest && HeaderHelper.isTrustedClusterRequest(threadContext)) {
- threadContext.addResponseHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) dlsQueries));
+ threadContext.addResponseHeader(ConfigConstants.SECURITY_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) dlsQueries));
 if (isDebugEnabled) {
 log.debug("Added response header for DLS info: {}", dlsQueries);
 }
 } else {
- if (threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER) != null) {
- if (!dlsQueries.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER)))) {
- throw new OpenSearchSecurityException(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER + " does not match (SG 900D)");
+ if (threadContext.getHeader(ConfigConstants.SECURITY_DLS_QUERY_HEADER) != null) {
+ if (!dlsQueries.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SECURITY_DLS_QUERY_HEADER)))) {
+ throw new OpenSearchSecurityException(ConfigConstants.SECURITY_DLS_QUERY_HEADER + " does not match (SG 900D)");
 }
 } else {
- threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) dlsQueries));
+ threadContext.putHeader(ConfigConstants.SECURITY_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) dlsQueries));
 if (isDebugEnabled) {
 log.debug("Attach DLS info: {}", dlsQueries);
 }
@@ -143,21 +143,21 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final C
 if (!flsFields.isEmpty()) {
 if(request instanceof ClusterSearchShardsRequest && HeaderHelper.isTrustedClusterRequest(threadContext)) {
- threadContext.addResponseHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) flsFields));
+ threadContext.addResponseHeader(ConfigConstants.SECURITY_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) flsFields));
 if (isDebugEnabled) {
 log.debug("Added response header for FLS info: {}", flsFields);
 }
 } else {
- if (threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER) != null) {
- if (!flsFields.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER)))) {
- throw new OpenSearchSecurityException(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER + " does not match ");
+ if (threadContext.getHeader(ConfigConstants.SECURITY_FLS_FIELDS_HEADER) != null) {
+ if (!flsFields.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SECURITY_FLS_FIELDS_HEADER)))) {
+ throw new OpenSearchSecurityException(ConfigConstants.SECURITY_FLS_FIELDS_HEADER + " does not match ");
 } else {
 if (isDebugEnabled) {
- log.debug("Header {} already set", ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER);
+ log.debug("Header {} already set", ConfigConstants.SECURITY_FLS_FIELDS_HEADER);
 }
 }
 } else {
- threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) flsFields));
+ threadContext.putHeader(ConfigConstants.SECURITY_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) flsFields));
 if (isDebugEnabled) {
 log.debug("Attach FLS info: {}", flsFields);
 }
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index e77ae8690b..01375048eb 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -98,7 +98,7 @@ import com.google.common.collect.Sets;
 import static org.opensearch.security.OpenSearchSecurityPlugin.traceAction;
-import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_USER_INFO_THREAD_CONTEXT;
 public class PrivilegesEvaluator {
@@ -142,8 +142,8 @@ public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool
 this.privilegesInterceptor = privilegesInterceptor;
- this.checkSnapshotRestoreWritePrivileges = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES,
- ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES);
+ this.checkSnapshotRestoreWritePrivileges = settings.getAsBoolean(ConfigConstants.SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES,
+ ConfigConstants.SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES);
 this.clusterInfoHolder = clusterInfoHolder;
 this.irr = irr;
@@ -174,7 +174,7 @@ public boolean isInitialized() {
 }
 private void setUserInfoInThreadContext(User user, Set mappedRoles) {
- if (threadContext.getTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT) == null) {
+ if (threadContext.getTransient(SECURITY_USER_INFO_THREAD_CONTEXT) == null) {
 StringJoiner joiner = new StringJoiner("|");
 joiner.add(user.getName());
 joiner.add(String.join(",", user.getRoles()));
@@ -183,7 +183,7 @@ private void setUserInfoInThreadContext(User user, Set mappedRoles) {
 if (!Strings.isNullOrEmpty(requestedTenant)) {
 joiner.add(requestedTenant);
 }
- threadContext.putTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT, joiner.toString());
+ threadContext.putTransient(SECURITY_USER_INFO_THREAD_CONTEXT, joiner.toString());
 }
 }
@@ -206,7 +206,7 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
 action0 = PutMappingAction.NAME;
 }
- final TransportAddress caller = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+ final TransportAddress caller = threadContext.getTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS);
 final Set mappedRoles = (injectedRoles == null) ? mapRoles(user, caller) : injectedRoles;
 final SecurityRoles securityRoles = getSecurityRoles(mappedRoles);
@@ -565,7 +565,7 @@ private Set evaluateAdditionalIndexPermissions(final ActionRequest reque
 }
 if (request instanceof RestoreSnapshotRequest && checkSnapshotRestoreWritePrivileges) {
- additionalPermissionsRequired.addAll(ConfigConstants.OPENDISTRO_SECURITY_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES);
+ additionalPermissionsRequired.addAll(ConfigConstants.SECURITY_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES);
 }
 if (additionalPermissionsRequired.size() > 1) {
diff --git a/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java
index 6bcc986dd9..c55df60a58 100644
--- a/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java
@@ -43,9 +43,9 @@ public class ProtectedIndexAccessEvaluator {
 public ProtectedIndexAccessEvaluator(final Settings settings, AuditLog auditLog) {
- this.indexMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT));
- this.allowedRolesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT));
- this.protectedIndexEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT);
+ this.indexMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, ConfigConstants.SECURITY_PROTECTED_INDICES_DEFAULT));
+ this.allowedRolesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_DEFAULT));
+ this.protectedIndexEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT);
 this.auditLog = auditLog;
 final List indexDeniedActionPatterns = new ArrayList();
diff --git a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
index 7db225af77..9fcfa6d8da 100644
--- a/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/SecurityIndexAccessEvaluator.java
@@ -64,14 +64,14 @@ public class SecurityIndexAccessEvaluator {
 private final boolean systemIndexEnabled;
 public SecurityIndexAccessEvaluator(final Settings settings, AuditLog auditLog, IndexResolverReplacer irr) {
- this.securityIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
+ this.securityIndex = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX);
 this.auditLog = auditLog;
 this.irr = irr;
- this.filterSecurityIndex = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, false);
- this.systemIndexMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_DEFAULT));
- this.systemIndexEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT);
+ this.filterSecurityIndex = settings.getAsBoolean(ConfigConstants.SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, false);
+ this.systemIndexMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY, ConfigConstants.SECURITY_SYSTEM_INDICES_DEFAULT));
+ this.systemIndexEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY, ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT);
- final boolean restoreSecurityIndexEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false);
+ final boolean restoreSecurityIndexEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false);
 final List securityIndexDeniedActionPatternsList = new ArrayList();
 securityIndexDeniedActionPatternsList.add("indices:data/write*");
diff --git a/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java b/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java
index 2f73385bba..2114870c6b 100644
--- a/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java
@@ -53,11 +53,11 @@ public class SnapshotRestoreEvaluator {
 private final boolean restoreSecurityIndexEnabled;
 public SnapshotRestoreEvaluator(final Settings settings, AuditLog auditLog) {
- this.enableSnapshotRestorePrivilege = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE,
- ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE);
- this.restoreSecurityIndexEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false);
+ this.enableSnapshotRestorePrivilege = settings.getAsBoolean(ConfigConstants.SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE,
+ ConfigConstants.SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE);
+ this.restoreSecurityIndexEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false);
- this.securityIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
+ this.securityIndex = settings.get(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX);
 this.auditLog = auditLog;
 }
diff --git a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
index f39b493efd..d6ea1bf7a8 100644
--- a/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/DashboardsInfoAction.java
@@ -88,7 +88,7 @@ public void accept(RestChannel channel) throws Exception {
 try {
- final User user = (User)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ final User user = (User)threadContext.getTransient(ConfigConstants.SECURITY_USER);
 builder.startObject();
 builder.field("user_name", user==null?null:user.getName());
diff --git a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
index 62465d7c60..b9fc900b9b 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
@@ -97,9 +97,9 @@ public void accept(RestChannel channel) throws Exception {
 final boolean verbose = request.paramAsBoolean("verbose", false);
- final X509Certificate[] certs = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PEER_CERTIFICATES);
- final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
- final TransportAddress remoteAddress = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+ final X509Certificate[] certs = threadContext.getTransient(ConfigConstants.SECURITY_SSL_PEER_CERTIFICATES);
+ final User user = threadContext.getTransient(ConfigConstants.SECURITY_USER);
+ final TransportAddress remoteAddress = threadContext.getTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS);
 final Set securityRoles = evaluator.mapRoles(user, remoteAddress);
@@ -112,7 +112,7 @@ public void accept(RestChannel channel) throws Exception {
 builder.field("custom_attribute_names", user==null?null:user.getCustomAttributesMap().keySet());
 builder.field("roles", securityRoles);
 builder.field("tenants", evaluator.mapTenants(user, securityRoles));
- builder.field("principal", (String)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL));
+ builder.field("principal", (String)threadContext.getTransient(ConfigConstants.SECURITY_SSL_PRINCIPAL));
 builder.field("peer_certificates", certs != null && certs.length > 0 ? certs.length + "" : "0");
 builder.field("sso_logout_url", (String)threadContext.getTransient(ConfigConstants.SSO_LOGOUT_URL));
diff --git a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
index ab587841d2..b00a1b7af0 100644
--- a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java
@@ -106,7 +106,7 @@ public void accept(RestChannel channel) throws Exception {
 try {
- final User user = (User)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ final User user = (User)threadContext.getTransient(ConfigConstants.SECURITY_USER);
 //only allowed for admins or the kibanaserveruser
 if(!isAuthorized()) {
@@ -146,7 +146,7 @@ public void accept(RestChannel channel) throws Exception {
 }
 private boolean isAuthorized() {
- final User user = (User)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ final User user = (User)threadContext.getTransient(ConfigConstants.SECURITY_USER);
 if (user == null) {
 return false;
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
index 721e7b6c75..0b2f50c011 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
@@ -86,7 +86,7 @@ public ConfigModelV6(
 try {
 rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(
- opensearchSettings.get(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString())
+ opensearchSettings.get(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString())
 .toUpperCase());
 } catch (Exception e) {
 log.error("Cannot apply roles mapping resolution", e);
diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
index 030baf06a3..d16b0d14f1 100644
--- a/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
+++ b/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
@@ -89,7 +89,7 @@ public ConfigModelV7(
 try {
 rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(
- opensearchSettings.get(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString())
+ opensearchSettings.get(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString())
 .toUpperCase());
 } catch (Exception e) {
 log.error("Cannot apply roles mapping resolution", e);
diff --git a/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java b/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
index 08525865b7..3874d4f760 100644
--- a/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
+++ b/src/main/java/org/opensearch/security/securityconf/DynamicConfigFactory.java
@@ -137,7 +137,7 @@ public DynamicConfigFactory(ConfigurationRepository cr, final Settings opensearc
 this.opensearchSettings = opensearchSettings;
 this.configPath = configPath;
- if(opensearchSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true)) {
+ if(opensearchSettings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true)) {
 try {
 loadStaticConfig();
 } catch (IOException e) {
@@ -147,7 +147,7 @@ public DynamicConfigFactory(ConfigurationRepository cr, final Settings opensearc
 log.info("Static resources will not be loaded.");
 }
- if(opensearchSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true)) {
+ if(opensearchSettings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true)) {
 try {
 loadStaticConfig();
 } catch (IOException e) {
diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
index 1706f3dfb3..2916ae00e0 100644
--- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
+++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
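Review bot: The block guarded by `SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES` appears twice in the DynamicConfigFactory constructor (the hunks at -137 and -147 are identical apart from their context), so with the flag at its default of true `loadStaticConfig()` runs twice per construction. The lines between the two hunks are outside the diff, so I cannot rule out that the second copy sits on a different branch, but both are read from the same setting at what looks like the same nesting level. Unless the repeat is deliberate, the second `if(...)` block should be deleted. The duplication predates this rename, but these are the lines being touched, so it is cheap to fix here.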
@@ -124,16 +124,16 @@ public DefaultSecurityKeyStore(final Settings settings, final Path configPath) {
 _env = null;
 }
 env = _env;
- httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED,
- SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_DEFAULT);
- transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED,
- SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT);
+ httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED,
+ SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT);
+ transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED,
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT);
 final boolean useOpenSSLForHttpIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && settings
- .getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true);
+ .getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true);
 final boolean useOpenSSLForTransportIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && settings
- .getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true);
+ .getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true);
- if(!OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && (settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true) || settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true) )) {
+ if(!OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && (settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true) || settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true) )) {
 if 
(PlatformDependent.javaVersion() < 12) {
 log.warn("Support for OpenSSL with Java 11 or prior versions require using Netty allocator. Set 'opensearch.unsafe.use_netty_default_allocator' system property to true");
 } else {
@@ -264,35 +264,35 @@ public void initTransportSSLConfig() {
 // when extendedKeyUsageEnabled and we use rawFiles, client/server certs will be in
 // different files
 // That's why useRawFiles checks for extra location
- final boolean useKeyStore = settings.hasValue(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH);
- final boolean useRawFiles = settings.hasValue(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH) ||
- (settings.hasValue(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH) && settings.hasValue(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH));
+ final boolean useKeyStore = settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH);
+ final boolean useRawFiles = settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH) ||
+ (settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH) && settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH));
- final boolean extendedKeyUsageEnabled = settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED,
- SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT);
+ final boolean extendedKeyUsageEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED,
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT);
 if (useKeyStore) {
- final String keystoreFilePath = resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
+ final String keystoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
 true);
- final String keystoreType = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE,
+ final String keystoreType = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE,
 DEFAULT_STORE_TYPE);
 final String 
keystorePassword = settings.get(
- SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
 SSLConfigConstants.DEFAULT_STORE_PASSWORD);
 final String truststoreFilePath = resolve(
- SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, true);
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, true);
- if (settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, null) == null) {
- throw new OpenSearchException(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH
+ if (settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, null) == null) {
+ throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH
 + " must be set if transport ssl is requested.");
 }
- final String truststoreType = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE,
+ final String truststoreType = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE,
 DEFAULT_STORE_TYPE);
 final String truststorePassword = settings.get(
- SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
 SSLConfigConstants.DEFAULT_STORE_PASSWORD);
 KeystoreProps keystoreProps = new KeystoreProps(
@@ -304,29 +304,29 @@ public void initTransportSSLConfig() {
             CertFromKeystore certFromKeystore;
             CertFromTruststore certFromTruststore;
             if (extendedKeyUsageEnabled) {
-                final String truststoreServerAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS,
+                final String truststoreServerAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS,
                         null);
-                final String truststoreClientAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS,
+                final String truststoreClientAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS,
                         null);
-                final String keystoreServerAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS,
+                final String keystoreServerAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS,
                         null);
-                final String keystoreClientAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS,
+                final String keystoreClientAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS,
                         null);
-                final String serverKeyPassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD,
+                final String serverKeyPassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD,
                         keystorePassword);
-                final String clientKeyPassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD,
+                final String clientKeyPassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD,
                         keystorePassword);
                 // we require all aliases to be set explicitly
                 // because they should be different for client and server
                 if (keystoreServerAlias == null || keystoreClientAlias == null || truststoreServerAlias == null || truststoreClientAlias == null) {
-                    throw new OpenSearchException(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS + ", "
-                            + SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS + ", "
-                            + SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS + ", "
-                            + SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS
+                    throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS + ", "
+                            + SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS + ", "
+                            + SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS + ", "
+                            + SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS
                             + " must be set when "
-                            + SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED + " is true.");
+                            + SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED + " is true.");
                 }
                 certFromKeystore = new CertFromKeystore(
@@ -335,11 +335,11 @@ public void initTransportSSLConfig() {
                         truststoreProps, truststoreServerAlias, truststoreClientAlias);
             } else {
                 // when alias is null, we take first entry in the store
-                final String truststoreAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS,
+                final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS,
                         null);
-                final String keystoreAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,
+                final String keystoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,
                         null);
-                final String keyPassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD,
+                final String keyPassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD,
                         keystorePassword);
                 certFromKeystore = new CertFromKeystore(keystoreProps, keystoreAlias, keyPassword);
@@ -367,26 +367,26 @@ public void initTransportSSLConfig() {
             CertFromFile certFromFile;
             if (extendedKeyUsageEnabled) {
                 CertFileProps clientCertProps = new CertFileProps(
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, true),
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, true),
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, true),
-                    settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD)
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, true),
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, true),
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, true),
+                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD)
                 );
                 CertFileProps serverCertProps = new CertFileProps(
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, true),
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, true),
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, true),
-                    settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD)
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, true),
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, true),
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, true),
+                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD)
                 );
                 certFromFile = new CertFromFile(clientCertProps, serverCertProps);
             } else {
                 CertFileProps certProps = new CertFileProps(
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, true),
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, true),
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, true),
-                    settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD)
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, true),
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, true),
+                    resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, true),
+                    settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD)
                 );
                 certFromFile = new CertFromFile(certProps);
             }
@@ -409,9 +409,9 @@ public void initTransportSSLConfig() {
                         "Error while initializing transport SSL layer from PEM: " + e.toString(), e);
             }
         } else {
-            throw new OpenSearchException(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH + " or "
-                    + SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH + " and "
-                    + SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH
+            throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH + " or "
+                    + SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH + " and "
+                    + SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH
                     + " must be set if transport ssl is requested.");
         }
     }
@@ -420,38 +420,38 @@ public void initTransportSSLConfig() {
      * Initializes certs used for client https communication
      */
     public void initHttpSSLConfig() {
-        final boolean useKeyStore = settings.hasValue(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH);
-        final boolean useRawFiles = settings.hasValue(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH);
+        final boolean useKeyStore = settings.hasValue(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH);
+        final boolean useRawFiles = settings.hasValue(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH);
         final ClientAuth httpClientAuthMode = ClientAuth.valueOf(settings
-                .get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, ClientAuth.OPTIONAL.toString()));
+                .get(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, ClientAuth.OPTIONAL.toString()));
         if (useKeyStore) {
-            final String keystoreFilePath = resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
+            final String keystoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH,
                     true);
-            final String keystoreType = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_TYPE,
+            final String keystoreType = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE,
                     DEFAULT_STORE_TYPE);
-            final String keystorePassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD,
+            final String keystorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD,
                     SSLConfigConstants.DEFAULT_STORE_PASSWORD);
             final String keyPassword = settings.get(
-                    SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD,
+                    SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD,
                     keystorePassword);
-            final String keystoreAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, null);
+            final String keystoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, null);
             log.info("HTTPS client auth mode {}", httpClientAuthMode);
-            if (settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, null) == null) {
-                throw new OpenSearchException(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH
+            if (settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, null) == null) {
+                throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH
                         + " must be set if https is requested.");
             }
             if (httpClientAuthMode == ClientAuth.REQUIRE) {
-                if (settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, null) == null) {
-                    throw new OpenSearchException(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH
+                if (settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, null) == null) {
+                    throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH
                             + " must be set if http ssl and client auth is requested.");
                 }
@@ -465,18 +465,18 @@ public void initHttpSSLConfig() {
             CertFromKeystore certFromKeystore = new CertFromKeystore(keystoreProps, keystoreAlias, keyPassword);
             CertFromTruststore certFromTruststore = CertFromTruststore.Empty();
-            if (settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, null) != null) {
+            if (settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, null) != null) {
                 final String truststoreFilePath = resolve(
-                        SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, true);
+                        SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, true);
                 final String truststoreType = settings
-                        .get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
+                        .get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
                 final String truststorePassword = settings.get(
-                        SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD,
+                        SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD,
                         SSLConfigConstants.DEFAULT_STORE_PASSWORD);
                 final String truststoreAlias = settings
-                        .get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, null);
+                        .get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, null);
                 KeystoreProps truststoreProps = new KeystoreProps(
                         truststoreFilePath, truststoreType, truststorePassword);
@@ -498,18 +498,18 @@ public void initHttpSSLConfig() {
             }
         } else if (useRawFiles) {
-            final String trustedCas = resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH,
+            final String trustedCas = resolve(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH,
                     false);
             if (httpClientAuthMode == ClientAuth.REQUIRE) {
-                checkPath(trustedCas, SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH);
+                checkPath(trustedCas, SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH);
             }
             try {
                 CertFileProps certFileProps = new CertFileProps(
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, true),
-                    resolve(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, true),
+                    resolve(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, true),
+                    resolve(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, true),
                     trustedCas,
-                    settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD)
+                    settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD)
                 );
                 CertFromFile certFromFile = new CertFromFile(certFileProps);
@@ -517,7 +517,7 @@ public void initHttpSSLConfig() {
                 httpSslContext = buildSSLServerContext(
                         certFromFile.getServerPemKey(), certFromFile.getServerPemCert(), certFromFile.getServerTrustedCas(),
-                        settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD),
+                        settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD),
                         getEnabledSSLCiphers(this.sslHTTPProvider, true), sslHTTPProvider, httpClientAuthMode);
                 setHttpSSLCerts(certFromFile.getCerts());
@@ -528,8 +528,8 @@ public void initHttpSSLConfig() {
             }
         } else {
-            throw new OpenSearchException(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH + " or "
-                    + SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH
+            throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH + " or "
+                    + SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH
                     + " must be set if http ssl is requested.");
         }
     }
diff --git a/src/main/java/org/opensearch/security/ssl/ExternalSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/ExternalSecurityKeyStore.java
index ea76b02005..e3be6c263e 100644
--- a/src/main/java/org/opensearch/security/ssl/ExternalSecurityKeyStore.java
+++ b/src/main/java/org/opensearch/security/ssl/ExternalSecurityKeyStore.java
@@ -45,7 +45,7 @@ public class ExternalSecurityKeyStore implements SecurityKeyStore {
     public ExternalSecurityKeyStore(final Settings settings) {
         this.settings = Objects.requireNonNull(settings);
         final String externalContextId = settings
-                .get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, null);
+                .get(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, null);
         if(externalContextId == null || externalContextId.length() == 0) {
             throw new OpenSearchException("no external ssl context id was set");
@@ -134,7 +134,7 @@ public static void registerExternalSslContext(String id, SSLContext externalSssl
     public static boolean hasExternalSslContext(Settings settings) {
         final String externalContextId = settings
-                .get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, null);
+                .get(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, null);
         if(externalContextId == null || externalContextId.length() == 0) {
             return false;
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 804ae8bbdd..3589eb6404 100644
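Review bot: The message thrown in the final else branch still names `SECURITY_SSL_HTTP_PEMKEY_FILEPATH` as the alternative to the keystore path, while the `useRawFiles` test at the top of initHttpSSLConfig keys on `SECURITY_SSL_HTTP_PEMCERT_FILEPATH`; an operator who set only the PEM key path is told that setting is required when it is the certificate path that is missing. Since the rename already rewrites this line, aligning it costs nothing: `+ SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH`. initHttpSSLConfig begins outside this hunk.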
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -143,7 +143,7 @@ public Object run() {
             log.info("OpenSearch Config path is not set");
         }
-        final boolean allowClientInitiatedRenegotiation = settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_ALLOW_CLIENT_INITIATED_RENEGOTIATION, false);
+        final boolean allowClientInitiatedRenegotiation = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_ALLOW_CLIENT_INITIATED_RENEGOTIATION, false);
         final boolean rejectClientInitiatedRenegotiation = Boolean.parseBoolean(System.getProperty(SSLConfigConstants.JDK_TLS_REJECT_CLIENT_INITIATED_RENEGOTIATION));
         if(allowClientInitiatedRenegotiation && !rejectClientInitiatedRenegotiation) {
@@ -199,12 +199,12 @@ public Object run() {
         client = !"node".equals(this.settings.get(OpenSearchSecuritySSLPlugin.CLIENT_TYPE));
-        httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED,
-                SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_DEFAULT);
-        transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED,
-                SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT);
-        extendedKeyUsageEnabled = settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED,
-                SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT);
+        httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED,
+                SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT);
+        transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED,
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT);
+        extendedKeyUsageEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED,
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT);
         if (!httpSSLEnabled && !transportSSLEnabled) {
             log.error("SSL not activated for http and/or transport.");
@@ -295,7 +295,7 @@ public Collection createComponents(Client localClient, ClusterService cl
             return components;
         }
-        final String principalExtractorClass = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null);
+        final String principalExtractorClass = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null);
         if(principalExtractorClass == null) {
             principalExtractor = new DefaultPrincipalExtractor();
@@ -318,77 +318,77 @@ public Collection createComponents(Client localClient, ClusterService cl
     @Override
     public List> getSettings() {
         List> settings = new ArrayList>();
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_TYPE, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED, SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED,Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED, SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.listSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
-        settings.add(Setting.listSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
-        settings.add(Setting.listSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
-        settings.add(Setting.listSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Property.NodeScope, Property.Filtered));
-
-
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED,Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
+        settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
+        settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
+        settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Property.NodeScope, Property.Filtered));
+
+
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
         if(extendedKeyUsageEnabled) {
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
-
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
-
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
-
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
+
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
+
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
+
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
         } else {
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
-
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
-            settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
+
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
         }
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
-
-        settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_FILE, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATE, false, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Property.NodeScope, Property.Filtered));
-        settings.add(Setting.longSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
+
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Property.NodeScope, Property.Filtered));
         return settings;
     }
diff --git a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLCertsInfoAction.java b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLCertsInfoAction.java
index cfead7297d..b6082261e2 100644
--- a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLCertsInfoAction.java
+++ b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLCertsInfoAction.java
@@ -120,7 +120,7 @@ public void accept(RestChannel channel) throws Exception {
         BytesRestResponse response = null;
         // Check for Super admin user
-        final User user = (User)threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+        final User user = (User)threadContext.getTransient(ConfigConstants.SECURITY_USER);
         if(user == null || !adminDns.isAdmin(user)) {
             response = new BytesRestResponse(RestStatus.FORBIDDEN, builder);
         } else {
diff --git a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLReloadCertsAction.java b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLReloadCertsAction.java
index 7cbb039eea..693ced0053 100644
--- a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLReloadCertsAction.java +++ b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLReloadCertsAction.java @@ -103,7 +103,7 @@ public void accept(RestChannel channel) throws Exception { BytesRestResponse response = null; // Check for Super admin user - final User user = (User) threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); + final User user = (User) threadContext.getTransient(ConfigConstants.SECURITY_USER); if(user ==null||!adminDns.isAdmin(user)) { response = new BytesRestResponse(RestStatus.FORBIDDEN, ""); } else { diff --git a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java index 9c0bfdc4d1..a3bea9f3b7 100644 --- a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java +++ b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java @@ -24,7 +24,7 @@ public class SSLConfig { - public static final Setting SSL_DUAL_MODE_SETTING = Setting.boolSetting(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, + public static final Setting SSL_DUAL_MODE_SETTING = Setting.boolSetting(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Dynamic); // Not filtered private static final Logger logger = LogManager.getLogger(SSLConfig.class); @@ -43,8 +43,8 @@ public SSLConfig(final boolean sslOnly, final boolean dualModeEnabled) { } public SSLConfig(final Settings settings) { - this(settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, false), - settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, false)); + this(settings.getAsBoolean(ConfigConstants.SECURITY_SSL_ONLY, false), + settings.getAsBoolean(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, false)); } public void registerClusterSettingsChangeListener(final ClusterSettings clusterSettings) { 
diff --git a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java index d945a648cd..b30b6f6c89 100644 --- a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java +++ b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLNettyTransport.java @@ -214,9 +214,9 @@ protected class SSLClientChannelInitializer extends Netty4Transport.ClientChanne public SSLClientChannelInitializer(DiscoveryNode node) { this.node = node; hostnameVerificationEnabled = settings.getAsBoolean( - SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true); + SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true); hostnameVerificationResovleHostName = settings.getAsBoolean( - SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true); + SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true); connectionTestResult = SSLConnectionTestResult.SSL_AVAILABLE; if (SSLConfig.isDualModeEnabled()) { diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java index f20fbe2ae6..83cb56af9a 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java 
@@ -25,80 +25,80 @@ public final class SSLConfigConstants { - public static final String OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = "opendistro_security.ssl.http.enable_openssl_if_available"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_ENABLED = "opendistro_security.ssl.http.enabled"; - public static final boolean OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_DEFAULT = false; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE = "opendistro_security.ssl.http.clientauth_mode"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS = "opendistro_security.ssl.http.keystore_alias"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = "opendistro_security.ssl.http.keystore_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH = "opendistro_security.ssl.http.pemkey_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD = "opendistro_security.ssl.http.pemkey_password"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH = "opendistro_security.ssl.http.pemcert_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.http.pemtrustedcas_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = "opendistro_security.ssl.http.keystore_password"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.http.keystore_keypassword"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_TYPE = "opendistro_security.ssl.http.keystore_type"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "opendistro_security.ssl.http.truststore_alias"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "opendistro_security.ssl.http.truststore_filepath"; - public static final String 
OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = "opendistro_security.ssl.http.truststore_password"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "opendistro_security.ssl.http.truststore_type"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = "opendistro_security.ssl.transport.enable_openssl_if_available"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED = "opendistro_security.ssl.transport.enabled"; - public static final boolean OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT = true; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = "opendistro_security.ssl.transport.enforce_hostname_verification"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = "opendistro_security.ssl.transport.resolve_hostname"; + public static final String SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = "opendistro_security.ssl.http.enable_openssl_if_available"; + public static final String SECURITY_SSL_HTTP_ENABLED = "opendistro_security.ssl.http.enabled"; + public static final boolean SECURITY_SSL_HTTP_ENABLED_DEFAULT = false; + public static final String SECURITY_SSL_HTTP_CLIENTAUTH_MODE = "opendistro_security.ssl.http.clientauth_mode"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_ALIAS = "opendistro_security.ssl.http.keystore_alias"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = "opendistro_security.ssl.http.keystore_filepath"; + public static final String SECURITY_SSL_HTTP_PEMKEY_FILEPATH = "opendistro_security.ssl.http.pemkey_filepath"; + public static final String SECURITY_SSL_HTTP_PEMKEY_PASSWORD = "opendistro_security.ssl.http.pemkey_password"; + public static final String SECURITY_SSL_HTTP_PEMCERT_FILEPATH = "opendistro_security.ssl.http.pemcert_filepath"; + public static final String SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = 
"opendistro_security.ssl.http.pemtrustedcas_filepath"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = "opendistro_security.ssl.http.keystore_password"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.http.keystore_keypassword"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_TYPE = "opendistro_security.ssl.http.keystore_type"; + public static final String SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "opendistro_security.ssl.http.truststore_alias"; + public static final String SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "opendistro_security.ssl.http.truststore_filepath"; + public static final String SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = "opendistro_security.ssl.http.truststore_password"; + public static final String SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "opendistro_security.ssl.http.truststore_type"; + public static final String SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = "opendistro_security.ssl.transport.enable_openssl_if_available"; + public static final String SECURITY_SSL_TRANSPORT_ENABLED = "opendistro_security.ssl.transport.enabled"; + public static final boolean SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT = true; + public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = "opendistro_security.ssl.transport.enforce_hostname_verification"; + public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = "opendistro_security.ssl.transport.resolve_hostname"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.keystore_alias"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.server.keystore_alias"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.client.keystore_alias"; + public static final String 
SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.keystore_alias"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.server.keystore_alias"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.client.keystore_alias"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = "opendistro_security.ssl.transport.keystore_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.pemkey_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.pemkey_password"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.pemcert_filepath"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = "opendistro_security.ssl.transport.keystore_filepath"; + public static final String SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.pemkey_filepath"; + public static final String SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.pemkey_password"; + public static final String SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.pemcert_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.pemtrustedcas_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = "opendistro_security.ssl.transport.extended_key_usage_enabled"; - public static final boolean OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT = false; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.server.pemkey_filepath"; - public static final String 
OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.server.pemkey_password"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.server.pemcert_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.server.pemtrustedcas_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.client.pemkey_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.client.pemkey_password"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.client.pemcert_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.client.pemtrustedcas_filepath"; + public static final String SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.pemtrustedcas_filepath"; + public static final String SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = "opendistro_security.ssl.transport.extended_key_usage_enabled"; + public static final boolean SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT = false; + public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.server.pemkey_filepath"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.server.pemkey_password"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.server.pemcert_filepath"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.server.pemtrustedcas_filepath"; + public static 
final String SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.client.pemkey_filepath"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.client.pemkey_password"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.client.pemcert_filepath"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.client.pemtrustedcas_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = "opendistro_security.ssl.transport.keystore_password"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.keystore_keypassword"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.server.keystore_keypassword"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.client.keystore_keypassword"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = "opendistro_security.ssl.transport.keystore_password"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.keystore_keypassword"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.server.keystore_keypassword"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.client.keystore_keypassword"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = "opendistro_security.ssl.transport.keystore_type"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = "opendistro_security.ssl.transport.keystore_type"; - public static final String 
OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.truststore_alias"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.server.truststore_alias"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.client.truststore_alias"; + public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.truststore_alias"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.server.truststore_alias"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.client.truststore_alias"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = "opendistro_security.ssl.transport.truststore_filepath"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = "opendistro_security.ssl.transport.truststore_password"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = "opendistro_security.ssl.transport.truststore_type"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = "opendistro_security.ssl.transport.enabled_ciphers"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = "opendistro_security.ssl.transport.enabled_protocols"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_CIPHERS = "opendistro_security.ssl.http.enabled_ciphers"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = "opendistro_security.ssl.http.enabled_protocols"; - public static final String OPENDISTRO_SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = "opendistro_security.ssl.client.external_context_id"; - public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = 
"opendistro_security.ssl.transport.principal_extractor_class"; + public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = "opendistro_security.ssl.transport.truststore_filepath"; + public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = "opendistro_security.ssl.transport.truststore_password"; + public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = "opendistro_security.ssl.transport.truststore_type"; + public static final String SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = "opendistro_security.ssl.transport.enabled_ciphers"; + public static final String SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = "opendistro_security.ssl.transport.enabled_protocols"; + public static final String SECURITY_SSL_HTTP_ENABLED_CIPHERS = "opendistro_security.ssl.http.enabled_ciphers"; + public static final String SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = "opendistro_security.ssl.http.enabled_protocols"; + public static final String SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = "opendistro_security.ssl.client.external_context_id"; + public static final String SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = "opendistro_security.ssl.transport.principal_extractor_class"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_FILE = "opendistro_security.ssl.http.crl.file_path"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATE = "opendistro_security.ssl.http.crl.validate"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = "opendistro_security.ssl.http.crl.prefer_crlfile_over_ocsp"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = "opendistro_security.ssl.http.crl.check_only_end_entities"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = "opendistro_security.ssl.http.crl.disable_ocsp"; - public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = "opendistro_security.ssl.http.crl.disable_crldp"; - public static 
final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = "opendistro_security.ssl.http.crl.validation_date"; + public static final String SECURITY_SSL_HTTP_CRL_FILE = "opendistro_security.ssl.http.crl.file_path"; + public static final String SECURITY_SSL_HTTP_CRL_VALIDATE = "opendistro_security.ssl.http.crl.validate"; + public static final String SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = "opendistro_security.ssl.http.crl.prefer_crlfile_over_ocsp"; + public static final String SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = "opendistro_security.ssl.http.crl.check_only_end_entities"; + public static final String SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = "opendistro_security.ssl.http.crl.disable_ocsp"; + public static final String SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = "opendistro_security.ssl.http.crl.disable_crldp"; + public static final String SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = "opendistro_security.ssl.http.crl.validation_date"; - public static final String OPENDISTRO_SECURITY_SSL_ALLOW_CLIENT_INITIATED_RENEGOTIATION = "opendistro_security.ssl.allow_client_initiated_renegotiation"; + public static final String SECURITY_SSL_ALLOW_CLIENT_INITIATED_RENEGOTIATION = "opendistro_security.ssl.allow_client_initiated_renegotiation"; public static final String DEFAULT_STORE_PASSWORD = "changeit"; //#16 @@ -112,9 +112,9 @@ public static final String[] getSecureSSLProtocols(Settings settings, boolean ht if(settings != null) { if(http) { - configuredProtocols = settings.getAsList(OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList()); + configuredProtocols = settings.getAsList(SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList()); } else { - configuredProtocols = settings.getAsList(OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList()); + configuredProtocols = settings.getAsList(SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList()); } } 
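Review bot: The renamed constants in SSLConfigConstants drop the OPENDISTRO prefix from the identifier but every key string still begins with "opendistro_security." (e.g. `SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = "opendistro_security.ssl.http.keystore_password"`), and nothing in the hunk records that this split is deliberate. A later reader is likely to "correct" a value to match its name, which would silently change the key an operator's node configuration is read from; for the keystore/pemkey password and trust-store path entries that means the configured value is no longer picked up at all. Add a class-level comment such as `// Key strings intentionally keep the legacy "opendistro_security." prefix so existing node configuration keeps working; only the Java identifiers were renamed.` Since the commit title mentions a legacy settings class, pointing at it from here would help if that class is where the old-vs-new key mapping is meant to live.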
@@ -250,9 +250,9 @@ public static final List getSecureSSLCiphers(Settings settings, boolean if(settings != null) { if(http) { - configuredCiphers = settings.getAsList(OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList()); + configuredCiphers = settings.getAsList(SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList()); } else { - configuredCiphers = settings.getAsList(OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList()); + configuredCiphers = settings.getAsList(SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList()); } } diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java index 64ffc9c5fa..54313fbf91 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java @@ -180,7 +180,7 @@ public static boolean containsBadHeader(final ThreadContext context, String pref private static boolean validate(X509Certificate[] x509Certs, final Settings settings, final Path configPath) { - final boolean validateCrl = settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATE, false); + final boolean validateCrl = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false); final boolean isTraceEnabled = log.isTraceEnabled(); if (isTraceEnabled) { @@ -196,7 +196,7 @@ private static boolean validate(X509Certificate[] x509Certs, final Settings sett try { Collection crls = null; - final String crlFile = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_FILE); + final String crlFile = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE); if(crlFile != null) { final File crl = env.configFile().resolve(crlFile).toAbsolutePath().toFile(); 
@@ -213,13 +213,13 @@ private static boolean validate(X509Certificate[] x509Certs, final Settings sett } } - final String truststore = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH); + final String truststore = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH); CertificateValidator validator = null; if(truststore != null) { - final String truststoreType = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, "JKS"); - final String truststorePassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, "changeit"); - //final String truststoreAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, null); + final String truststoreType = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, "JKS"); + final String truststorePassword = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, "changeit"); + //final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, null); final KeyStore ts = KeyStore.getInstance(truststoreType); try(FileInputStream fin = new FileInputStream(new File(env.configFile().resolve(truststore).toAbsolutePath().toString()))) { 
@@ -227,18 +227,18 @@ private static boolean validate(X509Certificate[] x509Certs, final Settings sett } validator = new CertificateValidator(ts, crls); } else { - final File trustedCas = env.configFile().resolve(settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "")).toAbsolutePath().toFile(); + final File trustedCas = env.configFile().resolve(settings.get(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, "")).toAbsolutePath().toFile(); try(FileInputStream trin = new FileInputStream(trustedCas)) { Collection cert = (Collection) CertificateFactory.getInstance("X.509").generateCertificates(trin); validator = new CertificateValidator(cert.toArray(new X509Certificate[0]), crls); } } - validator.setEnableCRLDP(!settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false)); - validator.setEnableOCSP(!settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false)); - validator.setCheckOnlyEndEntities(settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true)); - validator.setPreferCrl(settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false)); - Long dateTimestamp = settings.getAsLong(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, null); + validator.setEnableCRLDP(!settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false)); + validator.setEnableOCSP(!settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false)); + validator.setCheckOnlyEndEntities(settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true)); + validator.setPreferCrl(settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false)); + Long dateTimestamp = settings.getAsLong(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, null); if(dateTimestamp != null && 
dateTimestamp.longValue() < 0) {
 dateTimestamp = null;
 }
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index b2bdec25b7..dda3d7103a 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -46,186 +46,186 @@ public class ConfigConstants {
- public static final String OPENDISTRO_SECURITY_CONFIG_PREFIX = "_opendistro_security_";
+ public static final String SECURITY_CONFIG_PREFIX = "_opendistro_security_";
- public static final String OPENDISTRO_SECURITY_CHANNEL_TYPE = OPENDISTRO_SECURITY_CONFIG_PREFIX+"channel_type";
+ public static final String SECURITY_CHANNEL_TYPE = SECURITY_CONFIG_PREFIX+"channel_type";
- public static final String OPENDISTRO_SECURITY_ORIGIN = OPENDISTRO_SECURITY_CONFIG_PREFIX+"origin";
- public static final String OPENDISTRO_SECURITY_ORIGIN_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"origin_header";
+ public static final String SECURITY_ORIGIN = SECURITY_CONFIG_PREFIX+"origin";
+ public static final String SECURITY_ORIGIN_HEADER = SECURITY_CONFIG_PREFIX+"origin_header";
- public static final String OPENDISTRO_SECURITY_DLS_QUERY_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"dls_query";
+ public static final String SECURITY_DLS_QUERY_HEADER = SECURITY_CONFIG_PREFIX+"dls_query";
- public static final String OPENDISTRO_SECURITY_FLS_FIELDS_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"fls_fields";
+ public static final String SECURITY_FLS_FIELDS_HEADER = SECURITY_CONFIG_PREFIX+"fls_fields";
- public static final String OPENDISTRO_SECURITY_MASKED_FIELD_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"masked_fields";
+ public static final String SECURITY_MASKED_FIELD_HEADER = SECURITY_CONFIG_PREFIX+"masked_fields";
- public static final String OPENDISTRO_SECURITY_DLS_QUERY_CCS = OPENDISTRO_SECURITY_CONFIG_PREFIX+"dls_query_ccs";
+ public static final String SECURITY_DLS_QUERY_CCS = SECURITY_CONFIG_PREFIX+"dls_query_ccs";
- public static final String OPENDISTRO_SECURITY_FLS_FIELDS_CCS = OPENDISTRO_SECURITY_CONFIG_PREFIX+"fls_fields_ccs";
+ public static final String SECURITY_FLS_FIELDS_CCS = SECURITY_CONFIG_PREFIX+"fls_fields_ccs";
- public static final String OPENDISTRO_SECURITY_MASKED_FIELD_CCS = OPENDISTRO_SECURITY_CONFIG_PREFIX+"masked_fields_ccs";
+ public static final String SECURITY_MASKED_FIELD_CCS = SECURITY_CONFIG_PREFIX+"masked_fields_ccs";
- public static final String OPENDISTRO_SECURITY_CONF_REQUEST_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"conf_request";
+ public static final String SECURITY_CONF_REQUEST_HEADER = SECURITY_CONFIG_PREFIX+"conf_request";
- public static final String OPENDISTRO_SECURITY_REMOTE_ADDRESS = OPENDISTRO_SECURITY_CONFIG_PREFIX+"remote_address";
- public static final String OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"remote_address_header";
+ public static final String SECURITY_REMOTE_ADDRESS = SECURITY_CONFIG_PREFIX+"remote_address";
+ public static final String SECURITY_REMOTE_ADDRESS_HEADER = SECURITY_CONFIG_PREFIX+"remote_address_header";
- public static final String OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"initial_action_class_header";
+ public static final String SECURITY_INITIAL_ACTION_CLASS_HEADER = SECURITY_CONFIG_PREFIX+"initial_action_class_header";
 /**
 * Set by SSL plugin for https requests only
 */
- public static final String OPENDISTRO_SECURITY_SSL_PEER_CERTIFICATES = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_peer_certificates";
+ public static final String SECURITY_SSL_PEER_CERTIFICATES = SECURITY_CONFIG_PREFIX+"ssl_peer_certificates";
 /**
 * Set by SSL plugin for https requests only
 */
- public static final String OPENDISTRO_SECURITY_SSL_PRINCIPAL = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_principal";
+ public static final String SECURITY_SSL_PRINCIPAL = SECURITY_CONFIG_PREFIX+"ssl_principal";
 /**
 * If this is set to TRUE then the request comes from a Server Node (fully trust)
 * Its expected that there is a _opendistro_security_user attached as header
 */
- public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_INTERCLUSTER_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_intercluster_request";
+ public static final String SECURITY_SSL_TRANSPORT_INTERCLUSTER_REQUEST = SECURITY_CONFIG_PREFIX+"ssl_transport_intercluster_request";
- public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_trustedcluster_request";
+ public static final String SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST = SECURITY_CONFIG_PREFIX+"ssl_transport_trustedcluster_request";
 /**
 * Set by the SSL plugin, this is the peer node certificate on the transport layer
 */
- public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_principal";
+ public static final String SECURITY_SSL_TRANSPORT_PRINCIPAL = SECURITY_CONFIG_PREFIX+"ssl_transport_principal";
- public static final String OPENDISTRO_SECURITY_USER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"user";
- public static final String OPENDISTRO_SECURITY_USER_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"user_header";
+ public static final String SECURITY_USER = SECURITY_CONFIG_PREFIX+"user";
+ public static final String SECURITY_USER_HEADER = SECURITY_CONFIG_PREFIX+"user_header";
- public static final String OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT = OPENDISTRO_SECURITY_CONFIG_PREFIX + "user_info";
+ public static final String SECURITY_USER_INFO_THREAD_CONTEXT = SECURITY_CONFIG_PREFIX + "user_info";
- public static final String OPENDISTRO_SECURITY_INJECTED_USER = "injected_user";
- public static final String OPENDISTRO_SECURITY_INJECTED_USER_HEADER = "injected_user_header";
+ public static final String SECURITY_INJECTED_USER = "injected_user";
+ public static final String SECURITY_INJECTED_USER_HEADER = "injected_user_header";
- public static final String OPENDISTRO_SECURITY_XFF_DONE = OPENDISTRO_SECURITY_CONFIG_PREFIX+"xff_done";
+ public static final String SECURITY_XFF_DONE = SECURITY_CONFIG_PREFIX+"xff_done";
- public static final String SSO_LOGOUT_URL = OPENDISTRO_SECURITY_CONFIG_PREFIX+"sso_logout_url";
+ public static final String SSO_LOGOUT_URL = SECURITY_CONFIG_PREFIX+"sso_logout_url";
- public static final String OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX = ".opendistro_security";
+ public static final String SECURITY_DEFAULT_CONFIG_INDEX = ".opendistro_security";
- public static final String OPENDISTRO_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = "opendistro_security.enable_snapshot_restore_privilege";
- public static final boolean OPENDISTRO_SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = true;
+ public static final String SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = "opendistro_security.enable_snapshot_restore_privilege";
+ public static final boolean SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = true;
- public static final String OPENDISTRO_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = "opendistro_security.check_snapshot_restore_write_privileges";
- public static final boolean OPENDISTRO_SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = true;
- public static final Set OPENDISTRO_SECURITY_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES = Collections.unmodifiableSet(
+ public static final String SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = "opendistro_security.check_snapshot_restore_write_privileges";
+ public static final boolean SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = true;
+ public static final Set SECURITY_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES = Collections.unmodifiableSet(
 new HashSet(Arrays.asList( "indices:admin/create", "indices:data/write/index"
 // "indices:data/write/bulk"
 )));
- public static final String OPENDISTRO_SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "opendistro_security.cert.intercluster_request_evaluator_class";
- public static final String OPENDISTRO_SECURITY_ACTION_NAME = OPENDISTRO_SECURITY_CONFIG_PREFIX+"action_name";
+ public static final String SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "opendistro_security.cert.intercluster_request_evaluator_class";
+ public static final String SECURITY_ACTION_NAME = SECURITY_CONFIG_PREFIX+"action_name";
- public static final String OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN = "opendistro_security.authcz.admin_dn";
- public static final String OPENDISTRO_SECURITY_CONFIG_INDEX_NAME = "opendistro_security.config_index_name";
- public static final String OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN = "opendistro_security.authcz.impersonation_dn";
- public static final String OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS="opendistro_security.authcz.rest_impersonation_user";
+ public static final String SECURITY_AUTHCZ_ADMIN_DN = "opendistro_security.authcz.admin_dn";
+ public static final String SECURITY_CONFIG_INDEX_NAME = "opendistro_security.config_index_name";
+ public static final String SECURITY_AUTHCZ_IMPERSONATION_DN = "opendistro_security.authcz.impersonation_dn";
+ public static final String SECURITY_AUTHCZ_REST_IMPERSONATION_USERS="opendistro_security.authcz.rest_impersonation_user";
- public static final String OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT = "opendistro_security.audit.type";
- public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT = "opendistro_security.audit.config";
- public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_ROUTES = "opendistro_security.audit.routes";
- public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS = "opendistro_security.audit.endpoints";
- public static final String OPENDISTRO_SECURITY_AUDIT_THREADPOOL_SIZE = "opendistro_security.audit.threadpool.size";
- public static final String OPENDISTRO_SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN = "opendistro_security.audit.threadpool.max_queue_len";
- public static final String OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY = "opendistro_security.audit.log_request_body";
- public static final String OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES = "opendistro_security.audit.resolve_indices";
- public static final String OPENDISTRO_SECURITY_AUDIT_ENABLE_REST = "opendistro_security.audit.enable_rest";
- public static final String OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT = "opendistro_security.audit.enable_transport";
- public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES = "opendistro_security.audit.config.disabled_transport_categories";
- public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES = "opendistro_security.audit.config.disabled_rest_categories";
- public static final List OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT = ImmutableList.of(AuditCategory.AUTHENTICATED.toString(),
+ public static final String SECURITY_AUDIT_TYPE_DEFAULT = "opendistro_security.audit.type";
+ public static final String SECURITY_AUDIT_CONFIG_DEFAULT = "opendistro_security.audit.config";
+ public static final String SECURITY_AUDIT_CONFIG_ROUTES = "opendistro_security.audit.routes";
+ public static final String SECURITY_AUDIT_CONFIG_ENDPOINTS = "opendistro_security.audit.endpoints";
+ public static final String SECURITY_AUDIT_THREADPOOL_SIZE = "opendistro_security.audit.threadpool.size";
+ public static final String SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN = "opendistro_security.audit.threadpool.max_queue_len";
+ public static final String SECURITY_AUDIT_LOG_REQUEST_BODY = "opendistro_security.audit.log_request_body";
+ public static final String SECURITY_AUDIT_RESOLVE_INDICES = "opendistro_security.audit.resolve_indices";
+ public static final String SECURITY_AUDIT_ENABLE_REST = "opendistro_security.audit.enable_rest";
+ public static final String SECURITY_AUDIT_ENABLE_TRANSPORT = "opendistro_security.audit.enable_transport";
+ public static final String SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES = "opendistro_security.audit.config.disabled_transport_categories";
+ public static final String SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES = "opendistro_security.audit.config.disabled_rest_categories";
+ public static final List SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT = ImmutableList.of(AuditCategory.AUTHENTICATED.toString(),
 AuditCategory.GRANTED_PRIVILEGES.toString());
- public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS = "opendistro_security.audit.ignore_users";
- public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS = "opendistro_security.audit.ignore_requests";
- public static final String OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = "opendistro_security.audit.resolve_bulk_requests";
- public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_VERIFY_HOSTNAMES_DEFAULT = true;
- public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT = false;
- public static final String OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS = "opendistro_security.audit.exclude_sensitive_headers";
+ public static final String SECURITY_AUDIT_IGNORE_USERS = "opendistro_security.audit.ignore_users";
+ public static final String SECURITY_AUDIT_IGNORE_REQUESTS = "opendistro_security.audit.ignore_requests";
+ public static final String SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = "opendistro_security.audit.resolve_bulk_requests";
+ public static final boolean SECURITY_AUDIT_SSL_VERIFY_HOSTNAMES_DEFAULT = true;
+ public static final boolean SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT = false;
+ public static final String SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS = "opendistro_security.audit.exclude_sensitive_headers";
- public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX = "opendistro_security.audit.config.";
+ public static final String SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX = "opendistro_security.audit.config.";
 // Internal / External OpenSearch
- public static final String OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX = "index";
- public static final String OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE = "type";
+ public static final String SECURITY_AUDIT_OPENSEARCH_INDEX = "index";
+ public static final String SECURITY_AUDIT_OPENSEARCH_TYPE = "type";
 // External OpenSearch
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS = "http_endpoints";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME = "username";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD = "password";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL = "enable_ssl";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES = "verify_hostnames";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH = "enable_ssl_client_auth";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH = "pemkey_filepath";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT = "pemkey_content";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD = "pemkey_password";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH = "pemcert_filepath";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT = "pemcert_content";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH = "pemtrustedcas_filepath";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT = "pemtrustedcas_content";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS = "cert_alias";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS = "enabled_ssl_ciphers";
- public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS = "enabled_ssl_protocols";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS = "http_endpoints";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME = "username";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD = "password";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL = "enable_ssl";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES = "verify_hostnames";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH = "enable_ssl_client_auth";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH = "pemkey_filepath";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT = "pemkey_content";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD = "pemkey_password";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH = "pemcert_filepath";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT = "pemcert_content";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH = "pemtrustedcas_filepath";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT = "pemtrustedcas_content";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS = "cert_alias";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS = "enabled_ssl_ciphers";
+ public static final String SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS = "enabled_ssl_protocols";
 // Webhooks
- public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_URL = "webhook.url";
- public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_FORMAT = "webhook.format";
- public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_SSL_VERIFY = "webhook.ssl.verify";
- public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH = "webhook.ssl.pemtrustedcas_filepath";
- public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT = "webhook.ssl.pemtrustedcas_content";
+ public static final String SECURITY_AUDIT_WEBHOOK_URL = "webhook.url";
+ public static final String SECURITY_AUDIT_WEBHOOK_FORMAT = "webhook.format";
+ public static final String SECURITY_AUDIT_WEBHOOK_SSL_VERIFY = "webhook.ssl.verify";
+ public static final String SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH = "webhook.ssl.pemtrustedcas_filepath";
+ public static final String SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT = "webhook.ssl.pemtrustedcas_content";
 // Log4j
- public static final String OPENDISTRO_SECURITY_AUDIT_LOG4J_LOGGER_NAME = "log4j.logger_name";
- public static final String OPENDISTRO_SECURITY_AUDIT_LOG4J_LEVEL = "log4j.level";
+ public static final String SECURITY_AUDIT_LOG4J_LOGGER_NAME = "log4j.logger_name";
+ public static final String SECURITY_AUDIT_LOG4J_LEVEL = "log4j.level";
 //retry
- public static final String OPENDISTRO_SECURITY_AUDIT_RETRY_COUNT = "opendistro_security.audit.config.retry_count";
- public static final String OPENDISTRO_SECURITY_AUDIT_RETRY_DELAY_MS = "opendistro_security.audit.config.retry_delay_ms";
+ public static final String SECURITY_AUDIT_RETRY_COUNT = "opendistro_security.audit.config.retry_count";
+ public static final String SECURITY_AUDIT_RETRY_DELAY_MS = "opendistro_security.audit.config.retry_delay_ms";
- public static final String OPENDISTRO_SECURITY_KERBEROS_KRB5_FILEPATH = "opendistro_security.kerberos.krb5_filepath";
- public static final String OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH = "opendistro_security.kerberos.acceptor_keytab_filepath";
- public static final String OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL = "opendistro_security.kerberos.acceptor_principal";
- public static final String OPENDISTRO_SECURITY_CERT_OID = "opendistro_security.cert.oid";
- public static final String OPENDISTRO_SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "opendistro_security.cert.intercluster_request_evaluator_class";
- public static final String OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED = "opendistro_security.advanced_modules_enabled";
- public static final String OPENDISTRO_SECURITY_NODES_DN = "opendistro_security.nodes_dn";
- public static final String OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED = "opendistro_security.nodes_dn_dynamic_config_enabled";
- public static final String OPENDISTRO_SECURITY_DISABLED = "opendistro_security.disabled";
- public static final String OPENDISTRO_SECURITY_CACHE_TTL_MINUTES = "opendistro_security.cache.ttl_minutes";
- public static final String OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = "opendistro_security.allow_unsafe_democertificates";
- public static final String OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = "opendistro_security.allow_default_init_securityindex";
- public static final String OPENDISTRO_SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST = "opendistro_security.background_init_if_securityindex_not_exist";
-
- public static final String OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION = "opendistro_security.roles_mapping_resolution";
-
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY = "opendistro_security.compliance.history.write.metadata_only";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY = "opendistro_security.compliance.history.read.metadata_only";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS = "opendistro_security.compliance.history.read.watched_fields";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES = "opendistro_security.compliance.history.write.watched_indices";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS = "opendistro_security.compliance.history.write.log_diffs";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS = "opendistro_security.compliance.history.read.ignore_users";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS = "opendistro_security.compliance.history.write.ignore_users";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED = "opendistro_security.compliance.history.external_config_enabled";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION = "opendistro_security.compliance.disable_anonymous_authentication";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES = "opendistro_security.compliance.immutable_indices";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_SALT = "opendistro_security.compliance.salt";
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_SALT_DEFAULT = "e1ukloTsQlOgPquJ";//16 chars
- public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = "opendistro_security.compliance.history.internal_config_enabled";
- public static final String OPENDISTRO_SECURITY_SSL_ONLY = "opendistro_security.ssl_only";
- public static final String OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED = "opendistro_security_config.ssl_dual_mode_enabled";
- public static final String OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED = "opendistro_security.ssl_cert_reload_enabled";
- public static final String OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT = "opendistro_security.disable_envvar_replacement";
+ public static final String SECURITY_KERBEROS_KRB5_FILEPATH = "opendistro_security.kerberos.krb5_filepath";
+ public static final String SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH = "opendistro_security.kerberos.acceptor_keytab_filepath";
+ public static final String SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL = "opendistro_security.kerberos.acceptor_principal";
+ public static final String SECURITY_CERT_OID = "opendistro_security.cert.oid";
+ public static final String SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "opendistro_security.cert.intercluster_request_evaluator_class";
+ public static final String SECURITY_ADVANCED_MODULES_ENABLED = "opendistro_security.advanced_modules_enabled";
+ public static final String SECURITY_NODES_DN = "opendistro_security.nodes_dn";
+ public static final String SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED = "opendistro_security.nodes_dn_dynamic_config_enabled";
+ public static final String SECURITY_DISABLED = "opendistro_security.disabled";
+ public static final String SECURITY_CACHE_TTL_MINUTES = "opendistro_security.cache.ttl_minutes";
+ public static final String SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = "opendistro_security.allow_unsafe_democertificates";
+ public static final String SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = "opendistro_security.allow_default_init_securityindex";
+ public static final String SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST = "opendistro_security.background_init_if_securityindex_not_exist";
+
+ public static final String SECURITY_ROLES_MAPPING_RESOLUTION = "opendistro_security.roles_mapping_resolution";
+
+ public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY = "opendistro_security.compliance.history.write.metadata_only";
+ public static final String SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY = "opendistro_security.compliance.history.read.metadata_only";
+ public static final String SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS = "opendistro_security.compliance.history.read.watched_fields";
+ public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES = "opendistro_security.compliance.history.write.watched_indices";
+ public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS = "opendistro_security.compliance.history.write.log_diffs";
+ public static final String SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS = "opendistro_security.compliance.history.read.ignore_users";
+ public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS = "opendistro_security.compliance.history.write.ignore_users";
+ public static final String SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED = "opendistro_security.compliance.history.external_config_enabled";
+ public static final String SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION = "opendistro_security.compliance.disable_anonymous_authentication";
+ public static final String SECURITY_COMPLIANCE_IMMUTABLE_INDICES = "opendistro_security.compliance.immutable_indices";
+ public static final String SECURITY_COMPLIANCE_SALT = "opendistro_security.compliance.salt";
+ public static final String SECURITY_COMPLIANCE_SALT_DEFAULT = "e1ukloTsQlOgPquJ";//16 chars
+ public static final String SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = "opendistro_security.compliance.history.internal_config_enabled";
+ public static final String SECURITY_SSL_ONLY = "opendistro_security.ssl_only";
+ public static final String SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED = "opendistro_security_config.ssl_dual_mode_enabled";
+ public static final String SECURITY_SSL_CERT_RELOAD_ENABLED = "opendistro_security.ssl_cert_reload_enabled";
+ public static final String SECURITY_DISABLE_ENVVAR_REPLACEMENT = "opendistro_security.disable_envvar_replacement";
 public enum RolesMappingResolution {
 MAPPING_ONLY,
@@ -233,42 +233,42 @@ public enum RolesMappingResolution { BOTH } - public static final String OPENDISTRO_SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS = "opendistro_security.filter_securityindex_from_all_requests"; + public static final String SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS = "opendistro_security.filter_securityindex_from_all_requests"; // REST API - public static final String OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED = "opendistro_security.restapi.roles_enabled"; - public static final String OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED = "opendistro_security.restapi.endpoints_disabled"; - public static final String OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = "opendistro_security.restapi.password_validation_regex"; - public static final String OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = "opendistro_security.restapi.password_validation_error_message"; + public static final String SECURITY_RESTAPI_ROLES_ENABLED = "opendistro_security.restapi.roles_enabled"; + public static final String SECURITY_RESTAPI_ENDPOINTS_DISABLED = "opendistro_security.restapi.endpoints_disabled"; + public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = "opendistro_security.restapi.password_validation_regex"; + public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = "opendistro_security.restapi.password_validation_error_message"; // Illegal Opcodes from here on - public static final String OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = "opendistro_security.unsupported.disable_rest_auth_initially"; - public static final String OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = "opendistro_security.unsupported.disable_intertransport_auth_initially"; - public static final String OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED = "opendistro_security.unsupported.restore.securityindex.enabled"; - public static final String 
OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED = "opendistro_security.unsupported.inject_user.enabled";
- public static final String OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED = "opendistro_security.unsupported.inject_user.admin.enabled";
- public static final String OPENDISTRO_SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS = "opendistro_security.unsupported.allow_now_in_dls";
+ public static final String SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = "opendistro_security.unsupported.disable_rest_auth_initially";
+ public static final String SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = "opendistro_security.unsupported.disable_intertransport_auth_initially";
+ public static final String SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED = "opendistro_security.unsupported.restore.securityindex.enabled";
+ public static final String SECURITY_UNSUPPORTED_INJECT_USER_ENABLED = "opendistro_security.unsupported.inject_user.enabled";
+ public static final String SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED = "opendistro_security.unsupported.inject_user.admin.enabled";
+ public static final String SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS = "opendistro_security.unsupported.allow_now_in_dls";
- public static final String OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION = "opendistro_security.unsupported.restapi.allow_securityconfig_modification";
- public static final String OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES = "opendistro_security.unsupported.load_static_resources";
- public static final String OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG = "opendistro_security.unsupported.accept_invalid_config";
+ public static final String SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION = "opendistro_security.unsupported.restapi.allow_securityconfig_modification";
+ public static final String SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES = "opendistro_security.unsupported.load_static_resources";
+ public static final String SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG = "opendistro_security.unsupported.accept_invalid_config";
// Protected indices settings. Marked for deprecation, after all config indices move to System indices.
- public static final String OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY = "opendistro_security.protected_indices.enabled";
- public static final Boolean OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT = false;
- public static final String OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY = "opendistro_security.protected_indices.indices";
- public static final List OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT = Collections.emptyList();
- public static final String OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY = "opendistro_security.protected_indices.roles";
- public static final List OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT = Collections.emptyList();
+ public static final String SECURITY_PROTECTED_INDICES_ENABLED_KEY = "opendistro_security.protected_indices.enabled";
+ public static final Boolean SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT = false;
+ public static final String SECURITY_PROTECTED_INDICES_KEY = "opendistro_security.protected_indices.indices";
+ public static final List SECURITY_PROTECTED_INDICES_DEFAULT = Collections.emptyList();
+ public static final String SECURITY_PROTECTED_INDICES_ROLES_KEY = "opendistro_security.protected_indices.roles";
+ public static final List SECURITY_PROTECTED_INDICES_ROLES_DEFAULT = Collections.emptyList();
// Roles injection for plugins
- public static final String OPENDISTRO_SECURITY_INJECTED_ROLES = "opendistro_security_injected_roles";
+ public static final String SECURITY_INJECTED_ROLES = "opendistro_security_injected_roles";
// System indices settings
- public static final String OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY = "opendistro_security.system_indices.enabled";
- public static final Boolean OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT = false;
- public static final String OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY = "opendistro_security.system_indices.indices";
- public static final List OPENDISTRO_SECURITY_SYSTEM_INDICES_DEFAULT = Collections.emptyList();
+ public static final String SECURITY_SYSTEM_INDICES_ENABLED_KEY = "opendistro_security.system_indices.enabled";
+ public static final Boolean SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT = false;
+ public static final String SECURITY_SYSTEM_INDICES_KEY = "opendistro_security.system_indices.indices";
+ public static final List SECURITY_SYSTEM_INDICES_DEFAULT = Collections.emptyList();
public static Set getSettingAsSet(final Settings settings, final String key, final List defaultList, final boolean ignoreCaseForNone) {
final List list = settings.getAsList(key, defaultList);
diff --git a/src/main/java/org/opensearch/security/support/HTTPHelper.java b/src/main/java/org/opensearch/security/support/HTTPHelper.java
index 90c387beae..8a547c7b12 100644
--- a/src/main/java/org/opensearch/security/support/HTTPHelper.java
+++ b/src/main/java/org/opensearch/security/support/HTTPHelper.java
@@ -95,7 +95,7 @@ public static boolean containsBadHeader(final RestRequest request) {
if (request != null && ( headers = request.getHeaders()) != null) {
for (final String key: headers.keySet()) {
if ( key != null
- && key.trim().toLowerCase().startsWith(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_PREFIX.toLowerCase())) {
+ && key.trim().toLowerCase().startsWith(ConfigConstants.SECURITY_CONFIG_PREFIX.toLowerCase())) {
return true;
}
}
diff --git a/src/main/java/org/opensearch/security/support/HeaderHelper.java b/src/main/java/org/opensearch/security/support/HeaderHelper.java
index 89b27cfaf5..5017200115 100644
--- a/src/main/java/org/opensearch/security/support/HeaderHelper.java
+++ b/src/main/java/org/opensearch/security/support/HeaderHelper.java
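Review bot: The rewritten condition in containsBadHeader still folds the header name with the default-locale `toLowerCase()`, so whether a client-supplied `_opendistro_security_*` header is rejected depends on the JVM's locale rather than on the bytes of the header; on locales with non-ASCII case mappings the folded key can fail to match the lowercase prefix and the guard silently passes. Use `key.trim().toLowerCase(Locale.ROOT).startsWith(ConfigConstants.SECURITY_CONFIG_PREFIX)` (with `java.util.Locale` imported); the second `toLowerCase()` on the constant looks redundant, since the legacy copy of the prefix in this same commit is the all-lowercase `_opendistro_security_`, but confirm ConfigConstants.SECURITY_CONFIG_PREFIX is lowercase as well. The enclosing method starts before this hunk.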
@@ -40,13 +40,13 @@ public class HeaderHelper {
public static boolean isInterClusterRequest(final ThreadContext context) {
- return context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_INTERCLUSTER_REQUEST) == Boolean.TRUE;
+ return context.getTransient(ConfigConstants.SECURITY_SSL_TRANSPORT_INTERCLUSTER_REQUEST) == Boolean.TRUE;
}
public static boolean isDirectRequest(final ThreadContext context) {
- return "direct".equals(context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE))
- || context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE) == null;
+ return "direct".equals(context.getTransient(ConfigConstants.SECURITY_CHANNEL_TYPE))
+ || context.getTransient(ConfigConstants.SECURITY_CHANNEL_TYPE) == null;
}
@@ -82,6 +82,6 @@ public static Serializable deserializeSafeFromHeader(final ThreadContext context
}
public static boolean isTrustedClusterRequest(final ThreadContext context) {
- return context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST) == Boolean.TRUE;
+ return context.getTransient(ConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST) == Boolean.TRUE;
}
}
diff --git a/src/main/java/org/opensearch/security/support/LegacyOpenDistroConfigConstants.java b/src/main/java/org/opensearch/security/support/LegacyOpenDistroConfigConstants.java
new file mode 100644
index 0000000000..b811b930bd
--- /dev/null
+++ b/src/main/java/org/opensearch/security/support/LegacyOpenDistroConfigConstants.java
@@ -0,0 +1,270 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + * + * Modifications Copyright OpenSearch Contributors. See + * GitHub history for details. + */ + +/* + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). + * You may not use this file except in compliance with the License. + * A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the "license" file accompanying this file. This file is distributed + * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either + * express or implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package org.opensearch.security.support; + +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import org.opensearch.common.settings.Settings; +import org.opensearch.security.auditlog.impl.AuditCategory; + +import java.util.*; + +public class LegacyOpenDistroConfigConstants { + + + public static final String OPENDISTRO_SECURITY_CONFIG_PREFIX = "_opendistro_security_"; + + public static final String OPENDISTRO_SECURITY_CHANNEL_TYPE = OPENDISTRO_SECURITY_CONFIG_PREFIX+"channel_type"; + + public static final String OPENDISTRO_SECURITY_ORIGIN = OPENDISTRO_SECURITY_CONFIG_PREFIX+"origin"; + public static final String OPENDISTRO_SECURITY_ORIGIN_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"origin_header"; + + public static final String OPENDISTRO_SECURITY_DLS_QUERY_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"dls_query"; + + public static final String OPENDISTRO_SECURITY_FLS_FIELDS_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"fls_fields"; + + public static final String OPENDISTRO_SECURITY_MASKED_FIELD_HEADER = 
OPENDISTRO_SECURITY_CONFIG_PREFIX+"masked_fields"; + + public static final String OPENDISTRO_SECURITY_DLS_QUERY_CCS = OPENDISTRO_SECURITY_CONFIG_PREFIX+"dls_query_ccs"; + + public static final String OPENDISTRO_SECURITY_FLS_FIELDS_CCS = OPENDISTRO_SECURITY_CONFIG_PREFIX+"fls_fields_ccs"; + + public static final String OPENDISTRO_SECURITY_MASKED_FIELD_CCS = OPENDISTRO_SECURITY_CONFIG_PREFIX+"masked_fields_ccs"; + + public static final String OPENDISTRO_SECURITY_CONF_REQUEST_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"conf_request"; + + public static final String OPENDISTRO_SECURITY_REMOTE_ADDRESS = OPENDISTRO_SECURITY_CONFIG_PREFIX+"remote_address"; + public static final String OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"remote_address_header"; + + public static final String OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"initial_action_class_header"; + + /** + * Set by SSL plugin for https requests only + */ + public static final String OPENDISTRO_SECURITY_SSL_PEER_CERTIFICATES = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_peer_certificates"; + + /** + * Set by SSL plugin for https requests only + */ + public static final String OPENDISTRO_SECURITY_SSL_PRINCIPAL = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_principal"; + + /** + * If this is set to TRUE then the request comes from a Server Node (fully trust) + * Its expected that there is a _opendistro_security_user attached as header + */ + public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_INTERCLUSTER_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_intercluster_request"; + + public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_trustedcluster_request"; + + + /** + * Set by the SSL plugin, this is the peer node certificate on the transport layer + */ + public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL = 
OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_principal"; + + public static final String OPENDISTRO_SECURITY_USER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"user"; + public static final String OPENDISTRO_SECURITY_USER_HEADER = OPENDISTRO_SECURITY_CONFIG_PREFIX+"user_header"; + + public static final String OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT = OPENDISTRO_SECURITY_CONFIG_PREFIX + "user_info"; + + public static final String OPENDISTRO_SECURITY_INJECTED_USER = "injected_user"; + public static final String OPENDISTRO_SECURITY_INJECTED_USER_HEADER = "injected_user_header"; + + public static final String OPENDISTRO_SECURITY_XFF_DONE = OPENDISTRO_SECURITY_CONFIG_PREFIX+"xff_done"; + + public static final String SSO_LOGOUT_URL = OPENDISTRO_SECURITY_CONFIG_PREFIX+"sso_logout_url"; + + + public static final String OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX = ".opendistro_security"; + + public static final String OPENDISTRO_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = "opendistro_security.enable_snapshot_restore_privilege"; + public static final boolean OPENDISTRO_SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = true; + + public static final String OPENDISTRO_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = "opendistro_security.check_snapshot_restore_write_privileges"; + public static final boolean OPENDISTRO_SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = true; + public static final Set OPENDISTRO_SECURITY_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES = Collections.unmodifiableSet( + new HashSet(Arrays.asList( + "indices:admin/create", + "indices:data/write/index" + // "indices:data/write/bulk" + ))); + + public static final String OPENDISTRO_SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "opendistro_security.cert.intercluster_request_evaluator_class"; + public static final String OPENDISTRO_SECURITY_ACTION_NAME = OPENDISTRO_SECURITY_CONFIG_PREFIX+"action_name"; + + + public static final String OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN = 
"opendistro_security.authcz.admin_dn"; + public static final String OPENDISTRO_SECURITY_CONFIG_INDEX_NAME = "opendistro_security.config_index_name"; + public static final String OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN = "opendistro_security.authcz.impersonation_dn"; + public static final String OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS="opendistro_security.authcz.rest_impersonation_user"; + + public static final String OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT = "opendistro_security.audit.type"; + public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT = "opendistro_security.audit.config"; + public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_ROUTES = "opendistro_security.audit.routes"; + public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS = "opendistro_security.audit.endpoints"; + public static final String OPENDISTRO_SECURITY_AUDIT_THREADPOOL_SIZE = "opendistro_security.audit.threadpool.size"; + public static final String OPENDISTRO_SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN = "opendistro_security.audit.threadpool.max_queue_len"; + public static final String OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY = "opendistro_security.audit.log_request_body"; + public static final String OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES = "opendistro_security.audit.resolve_indices"; + public static final String OPENDISTRO_SECURITY_AUDIT_ENABLE_REST = "opendistro_security.audit.enable_rest"; + public static final String OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT = "opendistro_security.audit.enable_transport"; + public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES = "opendistro_security.audit.config.disabled_transport_categories"; + public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES = "opendistro_security.audit.config.disabled_rest_categories"; + public static final List OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT = 
ImmutableList.of(AuditCategory.AUTHENTICATED.toString(), + AuditCategory.GRANTED_PRIVILEGES.toString()); + public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS = "opendistro_security.audit.ignore_users"; + public static final String OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS = "opendistro_security.audit.ignore_requests"; + public static final String OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = "opendistro_security.audit.resolve_bulk_requests"; + public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_VERIFY_HOSTNAMES_DEFAULT = true; + public static final boolean OPENDISTRO_SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT = false; + public static final String OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS = "opendistro_security.audit.exclude_sensitive_headers"; + + public static final String OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX = "opendistro_security.audit.config."; + + // Internal / External OpenSearch + public static final String OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX = "index"; + public static final String OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE = "type"; + + // External OpenSearch + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS = "http_endpoints"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME = "username"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD = "password"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL = "enable_ssl"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES = "verify_hostnames"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH = "enable_ssl_client_auth"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH = "pemkey_filepath"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT = 
"pemkey_content"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD = "pemkey_password"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH = "pemcert_filepath"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT = "pemcert_content"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH = "pemtrustedcas_filepath"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT = "pemtrustedcas_content"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS = "cert_alias"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS = "enabled_ssl_ciphers"; + public static final String OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS = "enabled_ssl_protocols"; + + // Webhooks + public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_URL = "webhook.url"; + public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_FORMAT = "webhook.format"; + public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_SSL_VERIFY = "webhook.ssl.verify"; + public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH = "webhook.ssl.pemtrustedcas_filepath"; + public static final String OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT = "webhook.ssl.pemtrustedcas_content"; + + // Log4j + public static final String OPENDISTRO_SECURITY_AUDIT_LOG4J_LOGGER_NAME = "log4j.logger_name"; + public static final String OPENDISTRO_SECURITY_AUDIT_LOG4J_LEVEL = "log4j.level"; + + //retry + public static final String OPENDISTRO_SECURITY_AUDIT_RETRY_COUNT = "opendistro_security.audit.config.retry_count"; + public static final String OPENDISTRO_SECURITY_AUDIT_RETRY_DELAY_MS = "opendistro_security.audit.config.retry_delay_ms"; + + + public static final String 
OPENDISTRO_SECURITY_KERBEROS_KRB5_FILEPATH = "opendistro_security.kerberos.krb5_filepath"; + public static final String OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH = "opendistro_security.kerberos.acceptor_keytab_filepath"; + public static final String OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL = "opendistro_security.kerberos.acceptor_principal"; + public static final String OPENDISTRO_SECURITY_CERT_OID = "opendistro_security.cert.oid"; + public static final String OPENDISTRO_SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "opendistro_security.cert.intercluster_request_evaluator_class"; + public static final String OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED = "opendistro_security.advanced_modules_enabled"; + public static final String OPENDISTRO_SECURITY_NODES_DN = "opendistro_security.nodes_dn"; + public static final String OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED = "opendistro_security.nodes_dn_dynamic_config_enabled"; + public static final String OPENDISTRO_SECURITY_DISABLED = "opendistro_security.disabled"; + public static final String OPENDISTRO_SECURITY_CACHE_TTL_MINUTES = "opendistro_security.cache.ttl_minutes"; + public static final String OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = "opendistro_security.allow_unsafe_democertificates"; + public static final String OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = "opendistro_security.allow_default_init_securityindex"; + public static final String OPENDISTRO_SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST = "opendistro_security.background_init_if_securityindex_not_exist"; + + public static final String OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION = "opendistro_security.roles_mapping_resolution"; + + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY = "opendistro_security.compliance.history.write.metadata_only"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY = 
"opendistro_security.compliance.history.read.metadata_only"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS = "opendistro_security.compliance.history.read.watched_fields"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES = "opendistro_security.compliance.history.write.watched_indices"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS = "opendistro_security.compliance.history.write.log_diffs"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS = "opendistro_security.compliance.history.read.ignore_users"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS = "opendistro_security.compliance.history.write.ignore_users"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED = "opendistro_security.compliance.history.external_config_enabled"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION = "opendistro_security.compliance.disable_anonymous_authentication"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES = "opendistro_security.compliance.immutable_indices"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_SALT = "opendistro_security.compliance.salt"; + public static final String OPENDISTRO_SECURITY_COMPLIANCE_SALT_DEFAULT = "e1ukloTsQlOgPquJ";//16 chars + public static final String OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = "opendistro_security.compliance.history.internal_config_enabled"; + public static final String OPENDISTRO_SECURITY_SSL_ONLY = "opendistro_security.ssl_only"; + public static final String OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED = "opendistro_security_config.ssl_dual_mode_enabled"; + public static final String OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED = "opendistro_security.ssl_cert_reload_enabled"; + public static 
final String OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT = "opendistro_security.disable_envvar_replacement"; + + public enum RolesMappingResolution { + MAPPING_ONLY, + BACKENDROLES_ONLY, + BOTH + } + + public static final String OPENDISTRO_SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS = "opendistro_security.filter_securityindex_from_all_requests"; + + // REST API + public static final String OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED = "opendistro_security.restapi.roles_enabled"; + public static final String OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED = "opendistro_security.restapi.endpoints_disabled"; + public static final String OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = "opendistro_security.restapi.password_validation_regex"; + public static final String OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = "opendistro_security.restapi.password_validation_error_message"; + + // Illegal Opcodes from here on + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = "opendistro_security.unsupported.disable_rest_auth_initially"; + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = "opendistro_security.unsupported.disable_intertransport_auth_initially"; + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED = "opendistro_security.unsupported.restore.securityindex.enabled"; + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED = "opendistro_security.unsupported.inject_user.enabled"; + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED = "opendistro_security.unsupported.inject_user.admin.enabled"; + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS = "opendistro_security.unsupported.allow_now_in_dls"; + + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION = 
"opendistro_security.unsupported.restapi.allow_securityconfig_modification"; + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES = "opendistro_security.unsupported.load_static_resources"; + public static final String OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG = "opendistro_security.unsupported.accept_invalid_config"; + + // Protected indices settings. Marked for deprecation, after all config indices move to System indices. + public static final String OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY = "opendistro_security.protected_indices.enabled"; + public static final Boolean OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT = false; + public static final String OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY = "opendistro_security.protected_indices.indices"; + public static final List OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT = Collections.emptyList(); + public static final String OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY = "opendistro_security.protected_indices.roles"; + public static final List OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT = Collections.emptyList(); + + // Roles injection for plugins + public static final String OPENDISTRO_SECURITY_INJECTED_ROLES = "opendistro_security_injected_roles"; + + // System indices settings + public static final String OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY = "opendistro_security.system_indices.enabled"; + public static final Boolean OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT = false; + public static final String OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY = "opendistro_security.system_indices.indices"; + public static final List OPENDISTRO_SECURITY_SYSTEM_INDICES_DEFAULT = Collections.emptyList(); + + public static Set getSettingAsSet(final Settings settings, final String key, final List defaultList, final boolean ignoreCaseForNone) { + final List list = settings.getAsList(key, defaultList); + if (list.size() == 1 && "NONE".equals(ignoreCaseForNone? 
list.get(0).toUpperCase() : list.get(0))) {
+ return Collections.emptySet();
+ }
+ return ImmutableSet.copyOf(list);
+ }
+}
diff --git a/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java b/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java
new file mode 100644
index 0000000000..6ef8fab4de
--- /dev/null
+++ b/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java
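Review bot: `OPENDISTRO_SECURITY_COMPLIANCE_SALT_DEFAULT = "e1ukloTsQlOgPquJ"` is re-declared in this new file with only a `//16 chars` comment; it is presumably the fallback used when `opendistro_security.compliance.salt` is unset, and now that the value lives in two public constant classes the comment should state the operational contract, e.g. `// Fallback only: deployments must set opendistro_security.compliance.salt to a private value`. The class also copies every key and default from ConfigConstants verbatim, which creates a second source of truth that can drift — `OPENDISTRO_SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS` and `OPENDISTRO_SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS` already resolve to the same key string — so a class-level Javadoc saying this file is frozen for backward compatibility and that new keys belong in ConfigConstants would make the intent explicit. On style, `import java.util.*;` should be replaced by the explicit imports the file uses (`Arrays`, `Collections`, `HashSet`, `List`, `Set`), and the raw `List`/`Set`/`HashSet` types, if they are not an artefact of rendering, should carry their `<String>` arguments.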
@@ -0,0 +1,289 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + * + * Modifications Copyright OpenSearch Contributors. See + * GitHub history for details. + */ + +/* + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). + * You may not use this file except in compliance with the License. + * A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the "license" file accompanying this file. This file is distributed + * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either + * express or implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package org.opensearch.security.support; + +import com.google.common.collect.Lists; +import org.opensearch.common.settings.Setting; +import org.opensearch.common.settings.Settings; + +import java.util.Collections; +import java.util.List; +import java.util.function.Function; + +public class LegacyOpenDistroSecuritySettings { + public static final Setting SECURITY_SSL_ONLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + + // currently dual mode is supported only when ssl_only is enabled, but this stance would change in future + //settings.add(OpenDistroSSLConfig.SSL_DUAL_MODE_SETTING); + + // Protected index settings + public static final Setting SECURITY_PROTECTED_INDICES_ENABLED_KEY = 
Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); + public static final Setting> SECURITY_PROTECTED_INDICES_KEY = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); + public static final Setting> SECURITY_PROTECTED_INDICES_ROLES_KEY = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); + + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); + //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); + //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); + + // System index settings + public static final Setting SECURITY_SYSTEM_INDICES_ENABLED_KEY = 
Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); + public static final Setting> SECURITY_SYSTEM_INDICES_KEY = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); + + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); + //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); + + //if(!openDistroSSLConfig.isSslOnlyMode()) { + public static final Setting> SECURITY_AUTHCZ_ADMIN_DN = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting SECURITY_CONFIG_INDEX_NAME = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting SECURITY_AUTHCZ_IMPERSONATION_DN = Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".", Setting.Property.NodeScope, Setting.Property.Deprecated); + public static final Setting 
SECURITY_CERT_OID = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CERT_OID, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting> SECURITY_NODES_DN = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_NODES_DN, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_DISABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DISABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting 
SECURITY_CACHE_TTL_MINUTES = Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CACHE_TTL_MINUTES, 60, 0, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + + //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here + + //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".", Setting.Property.NodeScope)); //not filtered here + + //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CERT_OID, Setting.Property.NodeScope, Setting.Property.Filtered)); + + //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_NODES_DN, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here + + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false, Setting.Property.NodeScope));//not filtered here + + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, + // Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, + // Setting.Property.NodeScope, 
Setting.Property.Filtered));
+
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DISABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+ //settings.add(Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CACHE_TTL_MINUTES, 60, 0, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+ //Security
+ public static final Setting SECURITY_ADVANCED_MODULES_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUTHCZ_REST_IMPERSONATION_USERS = Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting SECURITY_ROLES_MAPPING_RESOLUTION = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final 
Setting SECURITY_DISABLE_ENVVAR_REPLACEMENT = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //ettings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", Setting.Property.NodeScope)); //not filtered here
+
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+ // Security - Audit
+ public static final Setting SECURITY_AUDIT_TYPE_DEFAULT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_CONFIG_ROUTES = Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ROUTES + ".", Setting.Property.NodeScope, Setting.Property.Deprecated);
+ 
public static final Setting SECURITY_AUDIT_CONFIG_ENDPOINTS = Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS + ".", Setting.Property.NodeScope, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_THREADPOOL_SIZE = Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_SIZE, 10, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN = Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, 100*1000, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_LOG_REQUEST_BODY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_RESOLVE_INDICES = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_ENABLE_REST = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_ENABLE_TRANSPORT = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered));
+ 
//settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ROUTES + ".", Setting.Property.NodeScope));
+ //settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS + ".", Setting.Property.NodeScope));
+ //settings.add(Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_SIZE, 10, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, 100*1000, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //private static final List disabledCategories = Stream.of("AUTHENTICATED", "GRANTED_PRIVILEGES").collect(Collectors.toCollection(ArrayList::new));
+ //disabledCategories.add("AUTHENTICATED");
+ //disabledCategories.add("GRANTED_PRIVILEGES");
+ public static final Setting> SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Lists.newArrayList("AUTHENTICATED", "GRANTED_PRIVILEGES"), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting> 
SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Lists.newArrayList("AUTHENTICATED", "GRANTED_PRIVILEGES"), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, disabledCategories, Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, disabledCategories, Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //private static final List ignoredUsers = Stream.of("kibanaserver").collect(Collectors.toCollection(ArrayList::new));
+ //ignoredUsers.add("kibanaserver");
+ public static final Setting> SECURITY_AUDIT_IGNORE_USERS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Lists.newArrayList("kibanaserver"), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting> SECURITY_AUDIT_IGNORE_REQUESTS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Setting.Property.NodeScope, Setting.Property.Filtered, 
Setting.Property.Deprecated);
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, ignoredUsers, Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+
+ // Security - Audit - Sink
+ public static final Setting SECURITY_AUDIT_OPENSEARCH_INDEX = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_OPENSEARCH_TYPE = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+ // 
External OpenSearch
+ public static final Setting> SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS, Lists.newArrayList("localhost:9200"), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH = 
Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + 
LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting> SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting> SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + 
LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS, Lists.newArrayList("localhost:9200"), Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ 
//settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ 
//settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
+
+ // Webhooks
+ public static final Setting SECURITY_AUDIT_WEBHOOK_URL = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_URL, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_WEBHOOK_FORMAT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_FORMAT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_WEBHOOK_SSL_VERIFY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH = 
Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_URL, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_FORMAT, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+ // Log4j
+ public static final Setting 
SECURITY_AUDIT_LOG4J_LOGGER_NAME = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LOGGER_NAME, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_AUDIT_LOG4J_LEVEL = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LEVEL, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LOGGER_NAME, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LEVEL, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+
+ // Kerberos
+ public static final Setting SECURITY_KERBEROS_KRB5_FILEPATH = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_KRB5_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+
+ 
//settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_KRB5_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+
+ // Open Distro Security - REST API
+ public static final Setting> SECURITY_RESTAPI_ROLES_ENABLED = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting SECURITY_RESTAPI_ENDPOINTS_DISABLED = Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Setting.Property.NodeScope, Setting.Property.Deprecated);
+ public static final Setting SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Setting.Property.NodeScope));
+ 
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Setting.Property.NodeScope, Setting.Property.Filtered));
+
+
+ // Compliance
+ public static final Setting> SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting> SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED = 
Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting> SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting> SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting> SECURITY_COMPLIANCE_IMMUTABLE_INDICES = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
+ public static final Setting SECURITY_COMPLIANCE_SALT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting 
SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here
+ 
//settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here + //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, false, Setting.Property.NodeScope, + // Setting.Property.Filtered)); + + //compat + public static final Setting SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + + // system 
integration + public static final Setting SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_UNSUPPORTED_INJECT_USER_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_CERT_RELOAD_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting 
SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, false, Setting.Property.NodeScope, Setting.Property.Filtered)); + //} +} diff --git a/src/main/java/org/opensearch/security/support/SecuritySettings.java b/src/main/java/org/opensearch/security/support/SecuritySettings.java new file mode 100644 index 0000000000..72bdacc21d --- /dev/null 
+++ b/src/main/java/org/opensearch/security/support/SecuritySettings.java 
@@ -0,0 +1,164 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + * + * Modifications Copyright OpenSearch Contributors. See + * GitHub history for details. + */ + +/* + * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"). + * You may not use this file except in compliance with the License. + * A copy of the License is located at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * or in the "license" file accompanying this file. This file is distributed + * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either + * express or implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package org.opensearch.security.support; + +import com.google.common.collect.Lists; +import org.opensearch.common.settings.Setting; +import org.opensearch.common.settings.Settings; + +import java.util.Collections; +import java.util.List; +import java.util.function.Function; + +public class SecuritySettings { + public static final Setting SECURITY_SSL_ONLY = Setting.boolSetting(ConfigConstants.SECURITY_SSL_ONLY, LegacyOpenDistroSecuritySettings.SECURITY_SSL_ONLY, Setting.Property.NodeScope, Setting.Property.Filtered); + + // Protected index settings + public static final Setting SECURITY_PROTECTED_INDICES_ENABLED_KEY = Setting.boolSetting(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_ENABLED_KEY, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final); + public static final Setting> SECURITY_PROTECTED_INDICES_KEY = Setting.listSetting(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_KEY, 
Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final); + public static final Setting> SECURITY_PROTECTED_INDICES_ROLES_KEY = Setting.listSetting(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_ROLES_KEY, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final); + + // System index settings + public static final Setting SECURITY_SYSTEM_INDICES_ENABLED_KEY = Setting.boolSetting(ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY, LegacyOpenDistroSecuritySettings.SECURITY_SYSTEM_INDICES_ENABLED_KEY, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final); + public static final Setting> SECURITY_SYSTEM_INDICES_KEY = Setting.listSetting(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY, LegacyOpenDistroSecuritySettings.SECURITY_SYSTEM_INDICES_KEY, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final); + + public static final Setting> SECURITY_AUTHCZ_ADMIN_DN = Setting.listSetting(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, LegacyOpenDistroSecuritySettings.SECURITY_AUTHCZ_ADMIN_DN, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_CONFIG_INDEX_NAME = Setting.simpleString(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, LegacyOpenDistroSecuritySettings.SECURITY_CONFIG_INDEX_NAME, Setting.Property.NodeScope); //not filtered here + //groupSetting issue + public static final Setting SECURITY_AUTHCZ_IMPERSONATION_DN = Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN+".", Setting.Property.NodeScope); + public static final Setting SECURITY_CERT_OID = Setting.simpleString(ConfigConstants.SECURITY_CERT_OID, LegacyOpenDistroSecuritySettings.SECURITY_CERT_OID, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = 
Setting.simpleString(ConfigConstants.SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, LegacyOpenDistroSecuritySettings.SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting> SECURITY_NODES_DN = Setting.listSetting(ConfigConstants.SECURITY_NODES_DN, LegacyOpenDistroSecuritySettings.SECURITY_NODES_DN, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED = Setting.boolSetting(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = Setting.boolSetting(ConfigConstants.SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, LegacyOpenDistroSecuritySettings.SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = Setting.boolSetting(ConfigConstants.SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, LegacyOpenDistroSecuritySettings.SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_DISABLED = Setting.boolSetting(ConfigConstants.SECURITY_DISABLED, LegacyOpenDistroSecuritySettings.SECURITY_DISABLED, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_CACHE_TTL_MINUTES = Setting.intSetting(ConfigConstants.SECURITY_CACHE_TTL_MINUTES, LegacyOpenDistroSecuritySettings.SECURITY_CACHE_TTL_MINUTES, Setting.Property.NodeScope, Setting.Property.Filtered); + + //Security + public static final Setting SECURITY_ADVANCED_MODULES_ENABLED = Setting.boolSetting(ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED, 
Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, LegacyOpenDistroSecuritySettings.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, LegacyOpenDistroSecuritySettings.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST = Setting.boolSetting(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, LegacyOpenDistroSecuritySettings.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, Setting.Property.NodeScope, Setting.Property.Filtered); + //groupSetting issue + public static final Setting SECURITY_AUTHCZ_REST_IMPERSONATION_USERS = Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_ROLES_MAPPING_RESOLUTION = Setting.simpleString(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, LegacyOpenDistroSecuritySettings.SECURITY_ROLES_MAPPING_RESOLUTION, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_DISABLE_ENVVAR_REPLACEMENT = Setting.boolSetting(ConfigConstants.SECURITY_DISABLE_ENVVAR_REPLACEMENT, LegacyOpenDistroSecuritySettings.SECURITY_DISABLE_ENVVAR_REPLACEMENT, Setting.Property.NodeScope, Setting.Property.Filtered); + + // Security - Audit + public static final Setting SECURITY_AUDIT_TYPE_DEFAULT = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_TYPE_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered); + //groupSetting issue + public static 
final Setting SECURITY_AUDIT_CONFIG_ROUTES = Setting.groupSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_ROUTES + ".", Setting.Property.NodeScope); + //groupSetting issue + public static final Setting SECURITY_AUDIT_CONFIG_ENDPOINTS = Setting.groupSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_ENDPOINTS + ".", Setting.Property.NodeScope); + public static final Setting SECURITY_AUDIT_THREADPOOL_SIZE = Setting.intSetting(ConfigConstants.SECURITY_AUDIT_THREADPOOL_SIZE, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_THREADPOOL_SIZE, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN = Setting.intSetting(ConfigConstants.SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_LOG_REQUEST_BODY = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_LOG_REQUEST_BODY, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_LOG_REQUEST_BODY, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_RESOLVE_INDICES = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_RESOLVE_INDICES, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_RESOLVE_INDICES, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_ENABLE_REST = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_ENABLE_REST, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_ENABLE_TRANSPORT = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_ENABLE_TRANSPORT, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting> SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES = 
Setting.listSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting> SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES = Setting.listSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting> SECURITY_AUDIT_IGNORE_USERS = Setting.listSetting(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_IGNORE_USERS, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting> SECURITY_AUDIT_IGNORE_REQUESTS = Setting.listSetting(ConfigConstants.SECURITY_AUDIT_IGNORE_REQUESTS, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_IGNORE_REQUESTS, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, Setting.Property.NodeScope, Setting.Property.Filtered); + + // Security - Audit - Sink + public static final Setting SECURITY_AUDIT_OPENSEARCH_INDEX = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_OPENSEARCH_INDEX, Setting.Property.NodeScope, Setting.Property.Filtered); + public static 
final Setting SECURITY_AUDIT_OPENSEARCH_TYPE = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_TYPE, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_OPENSEARCH_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered); + + // External OpenSearch + public static final Setting> SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS = Setting.listSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES, 
LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, Setting.Property.NodeScope, 
Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting> SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS = Setting.listSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting> 
SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS = Setting.listSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, Function.identity(), Setting.Property.NodeScope); //not filtered here + + // Webhooks + public static final Setting SECURITY_AUDIT_WEBHOOK_URL = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_WEBHOOK_URL, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_URL, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_WEBHOOK_FORMAT = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_WEBHOOK_FORMAT, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_FORMAT, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_WEBHOOK_SSL_VERIFY = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, 
Setting.Property.Filtered); + + // Log4j + public static final Setting SECURITY_AUDIT_LOG4J_LOGGER_NAME = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_LOG4J_LOGGER_NAME, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_LOG4J_LOGGER_NAME, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_AUDIT_LOG4J_LEVEL = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_LOG4J_LEVEL, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_LOG4J_LEVEL, Setting.Property.NodeScope, Setting.Property.Filtered); + + // Kerberos + public static final Setting SECURITY_KERBEROS_KRB5_FILEPATH = Setting.simpleString(ConfigConstants.SECURITY_KERBEROS_KRB5_FILEPATH, LegacyOpenDistroSecuritySettings.SECURITY_KERBEROS_KRB5_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH = Setting.simpleString(ConfigConstants.SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH, LegacyOpenDistroSecuritySettings.SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL = Setting.simpleString(ConfigConstants.SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL, LegacyOpenDistroSecuritySettings.SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL, Setting.Property.NodeScope, Setting.Property.Filtered); + + // Open Distro Security - REST API + public static final Setting> SECURITY_RESTAPI_ROLES_ENABLED = Setting.listSetting(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_ROLES_ENABLED, Function.identity(), Setting.Property.NodeScope); //not filtered here + //groupSetting issue + public static final Setting SECURITY_RESTAPI_ENDPOINTS_DISABLED = Setting.groupSetting(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Setting.Property.NodeScope); + public 
static final Setting SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Setting.Property.NodeScope, Setting.Property.Filtered); + + // Compliance + public static final Setting> SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES = Setting.listSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting> SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS = Setting.listSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY = Setting.boolSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY = Setting.boolSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS = 
Setting.boolSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED = Setting.boolSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting> SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS = Setting.listSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting> SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS = Setting.listSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION = Setting.boolSetting(ConfigConstants.SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, Setting.Property.NodeScope, Setting.Property.Filtered); + public static final Setting> SECURITY_COMPLIANCE_IMMUTABLE_INDICES = Setting.listSetting(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Function.identity(), Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_COMPLIANCE_SALT = Setting.simpleString(ConfigConstants.SECURITY_COMPLIANCE_SALT, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_SALT, Setting.Property.NodeScope, Setting.Property.Filtered); + 
public static final Setting SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = Setting.boolSetting(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS = Setting.boolSetting(ConfigConstants.SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, LegacyOpenDistroSecuritySettings.SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ //compat
+ public static final Setting SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ // system integration
+ public static final Setting SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED = Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_UNSUPPORTED_INJECT_USER_ENABLED = Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED =
Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS = Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION = Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES = Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_CERT_RELOAD_ENABLED = Setting.boolSetting(ConfigConstants.SECURITY_SSL_CERT_RELOAD_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_SSL_CERT_RELOAD_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG = Setting.boolSetting(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, Setting.Property.NodeScope, Setting.Property.Filtered);
+}
diff --git a/src/main/java/org/opensearch/security/support/SecurityUtils.java b/src/main/java/org/opensearch/security/support/SecurityUtils.java
index ec81daebd5..4e0e13f8d3 100644
--- a/src/main/java/org/opensearch/security/support/SecurityUtils.java
+++ b/src/main/java/org/opensearch/security/support/SecurityUtils.java
@@ -124,7 +124,7 @@ public static String replaceEnvVars(String in, Settings settings) {
 return in;
 }
- if(settings == null || settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT, false)) {
+ if(settings == null || settings.getAsBoolean(ConfigConstants.SECURITY_DISABLE_ENVVAR_REPLACEMENT, false)) {
 return in;
 }
diff --git a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
index 9d6ee010d5..27c505f070 100644
--- a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
+++ b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
@@ -141,11 +141,11 @@ @SuppressWarnings("deprecation")
 public class SecurityAdmin {
- private static final boolean CREATE_AS_LEGACY = Boolean.parseBoolean(System.getenv("OPENDISTRO_SECURITY_ADMIN_CREATE_AS_LEGACY"));
- private static final boolean ALLOW_MIXED = Boolean.parseBoolean(System.getenv("OPENDISTRO_SECURITY_ADMIN_ALLOW_MIXED_CLUSTER"));
- private static final String OPENDISTRO_SECURITY_TS_PASS = "OPENDISTRO_SECURITY_TS_PASS";
- private static final String OPENDISTRO_SECURITY_KS_PASS = "OPENDISTRO_SECURITY_KS_PASS";
- private static final String OPENDISTRO_SECURITY_KEYPASS = "OPENDISTRO_SECURITY_KEYPASS";
+ private static final boolean CREATE_AS_LEGACY = Boolean.parseBoolean(System.getenv("SECURITY_ADMIN_CREATE_AS_LEGACY"));
+ private static final boolean ALLOW_MIXED = Boolean.parseBoolean(System.getenv("SECURITY_ADMIN_ALLOW_MIXED_CLUSTER"));
+ private static final String SECURITY_TS_PASS = "SECURITY_TS_PASS";
+ private static final String SECURITY_KS_PASS = "SECURITY_KS_PASS";
+ private static final String SECURITY_KEYPASS = "SECURITY_KEYPASS";
 //not used in multithreaded fashion, so it's okay to define it as a constant here
 private static final SimpleDateFormat DATE_FORMAT = new SimpleDateFormat("yyyy-MMM-dd_HH-mm-ss", Locale.ENGLISH); //NOSONAR
 private static final Settings ENABLE_ALL_ALLOCATIONS_SETTINGS = Settings.builder()
@@ -259,8 +259,8 @@ public static int execute(final String[] args) throws Exception {
 String hostname = "localhost";
 int port = 9300;
- String kspass = System.getenv(OPENDISTRO_SECURITY_KS_PASS);
- String tspass = System.getenv(OPENDISTRO_SECURITY_TS_PASS);
+ String kspass = System.getenv(SECURITY_KS_PASS);
+ String tspass = System.getenv(SECURITY_TS_PASS);
 String cd = ".";
 String ks = null;
 String ts = null;
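Review bot: The renamed environment variables are read with no fallback to the previous names, so any automation that still exports `OPENDISTRO_SECURITY_KS_PASS`, `OPENDISTRO_SECURITY_TS_PASS` or `OPENDISTRO_SECURITY_KEYPASS` will silently get a null password (and `OPENDISTRO_SECURITY_ADMIN_ALLOW_MIXED_CLUSTER` / `..._CREATE_AS_LEGACY` will silently read as false), which then either triggers the interactive prompt or fails the TLS handshake later in `execute`. The settings class added in this same commit keeps compatibility via `LegacyOpenDistroSecuritySettings` fallbacks, and `securityadmin` would benefit from the same transitional behaviour. A one-line fallback per variable is enough, e.g. after the `kspass` read in the -259 hunk: `if (kspass == null) kspass = System.getenv("OPENDISTRO_SECURITY_KS_PASS");`, and likewise for `tspass` here and `keypass` in the -288 hunk. `execute` continues outside this hunk.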
@@ -279,7 +279,7 @@ public static int execute(final String[] args) throws Exception {
 String[] enabledProtocols = new String[0];
 String[] enabledCiphers = new String[0];
 Integer updateSettings = null;
- String index = ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX;
+ String index = ConfigConstants.SECURITY_DEFAULT_CONFIG_INDEX;
 Boolean replicaAutoExpand = null;
 boolean reload = false;
 boolean failFast = false;
@@ -288,7 +288,7 @@ public static int execute(final String[] args) throws Exception {
 boolean enableShardAllocation = false;
 boolean acceptRedCluster = false;
- String keypass = System.getenv(OPENDISTRO_SECURITY_KEYPASS);
+ String keypass = System.getenv(SECURITY_KEYPASS);
 boolean useOpenSSLIfAvailable = true;
 //boolean simpleAuth = false;
 String cacert = null;
@@ -449,68 +449,68 @@ public static int execute(final String[] args) throws Exception {
 final Settings.Builder settingsBuilder = Settings
 .builder()
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, !nhnv)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, !nrhn)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && useOpenSSLIfAvailable)
- .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, enabledCiphers)
- .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, enabledProtocols)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, !nhnv)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, !nrhn)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && useOpenSSLIfAvailable)
+ .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, enabledCiphers)
+ .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, enabledProtocols)
 .put("cluster.name", clustername)
 .put("client.transport.ignore_cluster_name", icl)
 .put("client.transport.sniff", sniff);
 if(ksAlias != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, ksAlias);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, ksAlias);
 }
 if(tsAlias != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, tsAlias);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, tsAlias);
 }
 if(ks != null) {
-
settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, ks);
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, kst==null?(ks.endsWith(".jks")?"JKS":"PKCS12"):kst);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, ks);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, kst==null?(ks.endsWith(".jks")?"JKS":"PKCS12"):kst);
 if(kspass == null && promptForPassword) {
- kspass = promptForPassword("Keystore", "kspass", OPENDISTRO_SECURITY_KS_PASS);
+ kspass = promptForPassword("Keystore", "kspass", SECURITY_KS_PASS);
 }
 if(kspass != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, kspass);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, kspass);
 }
 }
 if(ts != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, ts);
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, tst==null?(ts.endsWith(".jks")?"JKS":"PKCS12"):tst);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, ts);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, tst==null?(ts.endsWith(".jks")?"JKS":"PKCS12"):tst);
 if(tspass == null && promptForPassword) {
- tspass = promptForPassword("Truststore", "tspass", OPENDISTRO_SECURITY_TS_PASS);
+ tspass = promptForPassword("Truststore", "tspass", SECURITY_TS_PASS);
 }
 if(tspass != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, tspass);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, tspass);
 }
 }
 if(cacert != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, cacert);
+
settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, cacert);
 }
 if(cert != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, cert);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, cert);
 }
 if(key != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, key);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, key);
 if(keypass == null && promptForPassword) {
- keypass = promptForPassword("Pemkey", "keypass", OPENDISTRO_SECURITY_KEYPASS);
+ keypass = promptForPassword("Pemkey", "keypass", SECURITY_KEYPASS);
 }
 if(keypass != null) {
- settingsBuilder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, keypass);
+ settingsBuilder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, keypass);
 }
 }
diff --git a/src/main/java/org/opensearch/security/transport/DefaultInterClusterRequestEvaluator.java b/src/main/java/org/opensearch/security/transport/DefaultInterClusterRequestEvaluator.java
index b9eaad0e86..ca8c91e06b 100644
--- a/src/main/java/org/opensearch/security/transport/DefaultInterClusterRequestEvaluator.java
+++ b/src/main/java/org/opensearch/security/transport/DefaultInterClusterRequestEvaluator.java
@@ -60,12 +60,12 @@ public final class DefaultInterClusterRequestEvaluator implements InterClusterRe
 private volatile Map dynamicNodesDn;
 public DefaultInterClusterRequestEvaluator(final Settings settings) {
- this.certOid = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CERT_OID, "1.2.3.4.5.5");
+ this.certOid = settings.get(ConfigConstants.SECURITY_CERT_OID, "1.2.3.4.5.5");
 this.staticNodesDnFromEsYml = WildcardMatcher.from(
- settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, Collections.emptyList()),
+ settings.getAsList(ConfigConstants.SECURITY_NODES_DN, Collections.emptyList()),
 false
 );
- this.dynamicNodesDnConfigEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false);
+ this.dynamicNodesDnConfigEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false);
 this.dynamicNodesDn = Collections.emptyMap();
 }
diff --git a/src/main/java/org/opensearch/security/transport/OIDClusterRequestEvaluator.java b/src/main/java/org/opensearch/security/transport/OIDClusterRequestEvaluator.java
index e7a70b1ab2..5e7de9d8a3 100644
--- a/src/main/java/org/opensearch/security/transport/OIDClusterRequestEvaluator.java
+++ b/src/main/java/org/opensearch/security/transport/OIDClusterRequestEvaluator.java
@@ -47,7 +47,7 @@ public final class OIDClusterRequestEvaluator implements InterClusterRequestEval
 private final String certOid;
 public OIDClusterRequestEvaluator(final Settings settings) {
- this.certOid = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CERT_OID, "1.2.3.4.5.5");
+ this.certOid = settings.get(ConfigConstants.SECURITY_CERT_OID, "1.2.3.4.5.5");
 }
 @Override
diff --git a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
index f630d0323e..5b01f6f161 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityInterceptor.java
@@ -116,13 +116,13 @@ public void sendRequestDecorate(AsyncSender sender
 TransportRequest request, TransportRequestOptions options, TransportResponseHandler handler) {
 final Map origHeaders0 = getThreadContext().getHeaders();
- final User user0 = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
- final String injectedUserString = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER);
- final String origin0 = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN);
- final Object remoteAddress0 = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
- final String origCCSTransientDls = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_CCS);
- final String origCCSTransientFls = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_CCS);
- final String origCCSTransientMf = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_CCS);
+ final User user0 = getThreadContext().getTransient(ConfigConstants.SECURITY_USER);
+ final String injectedUserString = getThreadContext().getTransient(ConfigConstants.SECURITY_INJECTED_USER);
+ final String origin0 = getThreadContext().getTransient(ConfigConstants.SECURITY_ORIGIN);
+ final Object remoteAddress0 = getThreadContext().getTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS);
+ final String origCCSTransientDls = getThreadContext().getTransient(ConfigConstants.SECURITY_DLS_QUERY_CCS);
+ final String origCCSTransientFls = getThreadContext().getTransient(ConfigConstants.SECURITY_FLS_FIELDS_CCS);
+ final String origCCSTransientMf = getThreadContext().getTransient(ConfigConstants.SECURITY_MASKED_FIELD_CCS);
 final boolean isDebugEnabled = log.isDebugEnabled();
 try (ThreadContext.StoredContext stashedContext = getThreadContext().stashContext()) {
@@ -130,16 +130,16 @@ public void sendRequestDecorate(AsyncSender sender
 getThreadContext().putHeader("_opendistro_security_remotecn", cs.getClusterName().value());
 final Map headerMap = new HashMap<>(Maps.filterKeys(origHeaders0, k->k!=null && (
- k.equals(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER)
- || k.equals(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADER)
- || k.equals(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER)
- || k.equals(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER)
- || k.equals(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER)
- || k.equals(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER)
- || k.equals(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER)
+ k.equals(ConfigConstants.SECURITY_CONF_REQUEST_HEADER)
+ || k.equals(ConfigConstants.SECURITY_ORIGIN_HEADER)
+ || k.equals(ConfigConstants.SECURITY_REMOTE_ADDRESS_HEADER)
+ || k.equals(ConfigConstants.SECURITY_USER_HEADER)
+ || k.equals(ConfigConstants.SECURITY_DLS_QUERY_HEADER)
+ || k.equals(ConfigConstants.SECURITY_FLS_FIELDS_HEADER)
+ || k.equals(ConfigConstants.SECURITY_MASKED_FIELD_HEADER)
 || (k.equals("_opendistro_security_source_field_context") && ! (request instanceof SearchRequest) && !(request instanceof GetRequest))
 || k.startsWith("_opendistro_security_trace")
- || k.startsWith(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER)
+ || k.startsWith(ConfigConstants.SECURITY_INITIAL_ACTION_CLASS_HEADER)
 )));
 if (OpenSearchSecurityPlugin.GuiceHolder.getRemoteClusterService().isCrossClusterSearchEnabled()
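Review bot: Three header names in this hunk are left as string literals while their siblings moved to `ConfigConstants.SECURITY_*`: `"_opendistro_security_remotecn"` on the putHeader line, and `"_opendistro_security_source_field_context"` and the `"_opendistro_security_trace"` prefix inside the header whitelist. This whitelist decides which headers are forwarded on outbound transport requests, and `SecurityRequestHandler` rejects client-supplied headers by `ConfigConstants.SECURITY_CONFIG_PREFIX` (the -227 hunk further down), so these literals only stay protected as long as they keep sharing that prefix's string value; whether the prefix value changes anywhere in this series is not visible here. Defining the three names in `ConfigConstants` alongside the renamed constants, or deriving them from the prefix (e.g. `ConfigConstants.SECURITY_CONFIG_PREFIX + "trace"` if the value matches), would keep that invariant by construction and make the rename complete. `sendRequestDecorate` starts and ends outside this hunk.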
@@ -151,9 +151,9 @@ public void sendRequestDecorate(AsyncSender sender
 if (isDebugEnabled) {
 log.debug("remove dls/fls/mf because we sent a ccs request to a remote cluster");
 }
- headerMap.remove(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER);
- headerMap.remove(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER);
- headerMap.remove(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER);
+ headerMap.remove(ConfigConstants.SECURITY_DLS_QUERY_HEADER);
+ headerMap.remove(ConfigConstants.SECURITY_MASKED_FIELD_HEADER);
+ headerMap.remove(ConfigConstants.SECURITY_FLS_FIELDS_HEADER);
 }
 if (OpenSearchSecurityPlugin.GuiceHolder.getRemoteClusterService().isCrossClusterSearchEnabled()
@@ -167,13 +167,13 @@ public void sendRequestDecorate(AsyncSender sender
 }
 if (origCCSTransientDls != null && !origCCSTransientDls.isEmpty()) {
- headerMap.put(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER, origCCSTransientDls);
+ headerMap.put(ConfigConstants.SECURITY_DLS_QUERY_HEADER, origCCSTransientDls);
 }
 if (origCCSTransientMf != null && !origCCSTransientMf.isEmpty()) {
- headerMap.put(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER, origCCSTransientMf);
+ headerMap.put(ConfigConstants.SECURITY_MASKED_FIELD_HEADER, origCCSTransientMf);
 }
 if (origCCSTransientFls != null && !origCCSTransientFls.isEmpty()) {
- headerMap.put(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER, origCCSTransientFls);
+ headerMap.put(ConfigConstants.SECURITY_FLS_FIELDS_HEADER, origCCSTransientFls);
 }
 }
@@ -192,32 +192,32 @@ public void sendRequestDecorate(AsyncSender sender
 private void ensureCorrectHeaders(final Object remoteAdr, final User origUser, final String origin, final String injectedUserString) {
 // keep original address
- if(origin != null && !origin.isEmpty() /*&& !Origin.LOCAL.toString().equalsIgnoreCase(origin)*/ && getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADER) == null) {
- getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADER, origin);
+ if(origin != null && !origin.isEmpty() /*&& !Origin.LOCAL.toString().equalsIgnoreCase(origin)*/ && getThreadContext().getHeader(ConfigConstants.SECURITY_ORIGIN_HEADER) == null) {
+ getThreadContext().putHeader(ConfigConstants.SECURITY_ORIGIN_HEADER, origin);
 }
- if(origin == null && getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADER) == null) {
- getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADER, Origin.LOCAL.toString());
+ if(origin == null && getThreadContext().getHeader(ConfigConstants.SECURITY_ORIGIN_HEADER) == null) {
+ getThreadContext().putHeader(ConfigConstants.SECURITY_ORIGIN_HEADER, Origin.LOCAL.toString());
 }
 if (remoteAdr != null && remoteAdr instanceof TransportAddress) {
- String remoteAddressHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER);
+ String remoteAddressHeader = getThreadContext().getHeader(ConfigConstants.SECURITY_REMOTE_ADDRESS_HEADER);
 if(remoteAddressHeader == null) {
- getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER, Base64Helper.serializeObject(((TransportAddress) remoteAdr).address()));
+ getThreadContext().putHeader(ConfigConstants.SECURITY_REMOTE_ADDRESS_HEADER, Base64Helper.serializeObject(((TransportAddress) remoteAdr).address()));
 }
 }
- String userHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
+ String userHeader =
getThreadContext().getHeader(ConfigConstants.SECURITY_USER_HEADER);
 if(userHeader == null) {
 if(origUser != null) {
- getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER, Base64Helper.serializeObject(origUser));
+ getThreadContext().putHeader(ConfigConstants.SECURITY_USER_HEADER, Base64Helper.serializeObject(origUser));
 } else if(StringUtils.isNotEmpty(injectedUserString)) {
- getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER_HEADER, injectedUserString);
+ getThreadContext().putHeader(ConfigConstants.SECURITY_INJECTED_USER_HEADER, injectedUserString);
 }
 }
@@ -247,9 +247,9 @@ public T read(StreamInput in) throws IOException {
 @Override
 public void handleResponse(T response) {
- final List flsResponseHeader = getThreadContext().getResponseHeaders().get(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER);
- final List dlsResponseHeader = getThreadContext().getResponseHeaders().get(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER);
- final List maskedFieldsResponseHeader = getThreadContext().getResponseHeaders().get(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_HEADER);
+ final List flsResponseHeader = getThreadContext().getResponseHeaders().get(ConfigConstants.SECURITY_FLS_FIELDS_HEADER);
+ final List dlsResponseHeader = getThreadContext().getResponseHeaders().get(ConfigConstants.SECURITY_DLS_QUERY_HEADER);
+ final List maskedFieldsResponseHeader = getThreadContext().getResponseHeaders().get(ConfigConstants.SECURITY_MASKED_FIELD_HEADER);
 contextToRestore.restore();
@@ -258,14 +258,14 @@ public void handleResponse(T response) {
 if (isDebugEnabled) {
 log.debug("add flsResponseHeader as transient");
 }
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_CCS, flsResponseHeader.get(0));
+ getThreadContext().putTransient(ConfigConstants.SECURITY_FLS_FIELDS_CCS, flsResponseHeader.get(0));
 }
 if (response instanceof ClusterSearchShardsResponse && dlsResponseHeader != null && !dlsResponseHeader.isEmpty()) {
 if (isDebugEnabled) {
 log.debug("add dlsResponseHeader as transient");
 }
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_CCS, dlsResponseHeader.get(0));
+ getThreadContext().putTransient(ConfigConstants.SECURITY_DLS_QUERY_CCS, dlsResponseHeader.get(0));
 }
@@ -273,7 +273,7 @@ public void handleResponse(T response) {
 if (isDebugEnabled) {
 log.debug("add maskedFieldsResponseHeader as transient");
 }
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_MASKED_FIELD_CCS, maskedFieldsResponseHeader.get(0));
+ getThreadContext().putTransient(ConfigConstants.SECURITY_MASKED_FIELD_CCS, maskedFieldsResponseHeader.get(0));
 }
 innerHandler.handleResponse(response);
diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
index 6312a07178..1af3d7e8a5 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
@@ -106,14 +106,14 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 resolvedActionClass = ((ConcreteShardRequest) request).getRequest().getClass().getSimpleName();
 }
- String initialActionClassValue = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER);
+ String initialActionClassValue = getThreadContext().getHeader(ConfigConstants.SECURITY_INITIAL_ACTION_CLASS_HEADER);
 final ThreadContext.StoredContext sgContext = getThreadContext().newStoredContext(false);
- final String originHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN_HEADER);
+ final String originHeader = getThreadContext().getHeader(ConfigConstants.SECURITY_ORIGIN_HEADER);
 if(!Strings.isNullOrEmpty(originHeader)) {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, originHeader);
+ getThreadContext().putTransient(ConfigConstants.SECURITY_ORIGIN, originHeader);
 }
 try {
@@ -129,8 +129,8 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 channelType = innerChannel.getChannelType();
 }
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE, channelType);
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_ACTION_NAME, task.getAction());
+ getThreadContext().putTransient(ConfigConstants.SECURITY_CHANNEL_TYPE, channelType);
+ getThreadContext().putTransient(ConfigConstants.SECURITY_ACTION_NAME, task.getAction());
 if(request instanceof ShardSearchRequest) {
 ShardSearchRequest sr = ((ShardSearchRequest) request);
@@ -141,21 +141,21 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 //bypass non-netty requests
 if(channelType.equals("direct")) {
- final String userHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
- final String injectedUserHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER_HEADER);
+ final String userHeader = getThreadContext().getHeader(ConfigConstants.SECURITY_USER_HEADER);
+ final String injectedUserHeader = getThreadContext().getHeader(ConfigConstants.SECURITY_INJECTED_USER_HEADER);
 if(Strings.isNullOrEmpty(userHeader)) {
 if(!Strings.isNullOrEmpty(injectedUserHeader)) {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, injectedUserHeader);
+ getThreadContext().putTransient(ConfigConstants.SECURITY_INJECTED_USER, injectedUserHeader);
 }
 } else {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(userHeader)));
+ getThreadContext().putTransient(ConfigConstants.SECURITY_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(userHeader)));
 }
- final String originalRemoteAddress = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER);
+ final String originalRemoteAddress = getThreadContext().getHeader(ConfigConstants.SECURITY_REMOTE_ADDRESS_HEADER);
 if(!Strings.isNullOrEmpty(originalRemoteAddress)) {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, new TransportAddress((InetSocketAddress) Base64Helper.deserializeObject(originalRemoteAddress)));
+ getThreadContext().putTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS, new TransportAddress((InetSocketAddress) Base64Helper.deserializeObject(originalRemoteAddress)));
 }
 if (isActionTraceEnabled()) {
@@ -186,7 +186,7 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 String principal = null;
- if ((principal = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL)) == null) {
+ if ((principal = getThreadContext().getTransient(ConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL)) == null) {
 Exception ex = new OpenSearchSecurityException(
 "No SSL client certificates found for transport type "+transportChannel.getChannelType()+". OpenSearch Security needs the OpenSearch Security SSL plugin to be installed");
 auditLog.logSSLException(request, ex, task.getAction(), task);
@@ -195,31 +195,31 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 return;
 } else {
- if(getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) == null) {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, Origin.TRANSPORT.toString());
+ if(getThreadContext().getTransient(ConfigConstants.SECURITY_ORIGIN) == null) {
+ getThreadContext().putTransient(ConfigConstants.SECURITY_ORIGIN, Origin.TRANSPORT.toString());
 }
 //network intercluster request or cross search cluster request
 if(HeaderHelper.isInterClusterRequest(getThreadContext()) || HeaderHelper.isTrustedClusterRequest(getThreadContext())) {
- final String userHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
- final String injectedUserHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER_HEADER);
+ final String userHeader = getThreadContext().getHeader(ConfigConstants.SECURITY_USER_HEADER);
+ final String injectedUserHeader = getThreadContext().getHeader(ConfigConstants.SECURITY_INJECTED_USER_HEADER);
 if(Strings.isNullOrEmpty(userHeader)) {
 if(!Strings.isNullOrEmpty(injectedUserHeader)) {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, injectedUserHeader);
+ getThreadContext().putTransient(ConfigConstants.SECURITY_INJECTED_USER, injectedUserHeader);
 }
 } else {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(userHeader)));
+ getThreadContext().putTransient(ConfigConstants.SECURITY_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(userHeader)));
 }
- String originalRemoteAddress = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS_HEADER);
+ String originalRemoteAddress = getThreadContext().getHeader(ConfigConstants.SECURITY_REMOTE_ADDRESS_HEADER);
if(!Strings.isNullOrEmpty(originalRemoteAddress)) {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, new TransportAddress((InetSocketAddress) Base64Helper.deserializeObject(originalRemoteAddress)));
+ getThreadContext().putTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS, new TransportAddress((InetSocketAddress) Base64Helper.deserializeObject(originalRemoteAddress)));
 } else {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, request.remoteAddress());
+ getThreadContext().putTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS, request.remoteAddress());
 }
 } else {
@@ -227,7 +227,7 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 //this is a netty request from a non-server node (maybe also be internal: or a shard request)
 //and therefore issued by a transport client
- if(SSLRequestHelper.containsBadHeader(getThreadContext(), ConfigConstants.OPENDISTRO_SECURITY_CONFIG_PREFIX)) {
+ if(SSLRequestHelper.containsBadHeader(getThreadContext(), ConfigConstants.SECURITY_CONFIG_PREFIX)) {
 final OpenSearchException exception = ExceptionUtils.createBadHeaderException();
 auditLog.logBadHeaders(request, task.getAction(), task);
 log.error(exception);
@@ -253,8 +253,8 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 }
- log.error("Cannot authenticate {} for {}", getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER), task.getAction());
- transportChannel.sendResponse(new OpenSearchSecurityException("Cannot authenticate "+getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER)));
+ log.error("Cannot authenticate {} for {}", getThreadContext().getTransient(ConfigConstants.SECURITY_USER), task.getAction());
+ transportChannel.sendResponse(new OpenSearchSecurityException("Cannot authenticate "+getThreadContext().getTransient(ConfigConstants.SECURITY_USER)));
 return;
 } else {
 // make it possible to filter logs by username
@@ -267,11 +267,11 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 //return;
 //}
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
+ getThreadContext().putTransient(ConfigConstants.SECURITY_USER, user);
 TransportAddress originalRemoteAddress = request.remoteAddress();
 if(originalRemoteAddress != null && (originalRemoteAddress instanceof TransportAddress)) {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, originalRemoteAddress);
+ getThreadContext().putTransient(ConfigConstants.SECURITY_REMOTE_ADDRESS, originalRemoteAddress);
 } else {
 log.error("Request has no proper remote address {}", originalRemoteAddress);
 transportChannel.sendResponse(new OpenSearchException("Request has no proper remote address"));
@@ -302,12 +302,12 @@ protected void messageReceivedDecorate(final T request, final TransportRequestHa
 private void putInitialActionClassHeader(String initialActionClassValue, String resolvedActionClass) {
 if(initialActionClassValue == null) {
- if(getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER) == null) {
- getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER, resolvedActionClass);
+ if(getThreadContext().getHeader(ConfigConstants.SECURITY_INITIAL_ACTION_CLASS_HEADER) == null) {
+ getThreadContext().putHeader(ConfigConstants.SECURITY_INITIAL_ACTION_CLASS_HEADER, resolvedActionClass);
 }
 } else {
- if(getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER) == null) {
- getThreadContext().putHeader(ConfigConstants.OPENDISTRO_SECURITY_INITIAL_ACTION_CLASS_HEADER, initialActionClassValue);
+ if(getThreadContext().getHeader(ConfigConstants.SECURITY_INITIAL_ACTION_CLASS_HEADER) == null) {
+ getThreadContext().putHeader(ConfigConstants.SECURITY_INITIAL_ACTION_CLASS_HEADER, initialActionClassValue);
 }
 }
@@ -326,9 +326,9 @@ protected void addAdditionalContextValues(final String action, final TransportRe
 log.trace("Is inter cluster request ({}/{}/{})", action, request.getClass(), request.remoteAddress());
 }
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_INTERCLUSTER_REQUEST, Boolean.TRUE);
+ getThreadContext().putTransient(ConfigConstants.SECURITY_SSL_TRANSPORT_INTERCLUSTER_REQUEST, Boolean.TRUE);
 } else {
- getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST, Boolean.TRUE);
+ getThreadContext().putTransient(ConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST, Boolean.TRUE);
 }
 } else {
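Review bot: putInitialActionClassHeader repeats the `getHeader(...) == null` guard and the putHeader call in both branches of the null test on initialActionClassValue; the only difference between the branches is which value is stored. Collapsing the method to a single guard with a selected value keeps the visible first-writer-wins behaviour while making it obvious, which matters because this header records the originating action class and the guard appears to exist so that later callers cannot overwrite it (inferred from the null check, not stated anywhere in the hunk). A one-line comment on the guard, `// first writer wins: an already recorded initial action class is never overwritten`, would document that intent. The method looks fully contained in the hunk; the second hunk (addAdditionalContextValues) is a plain rename.
```java
private void putInitialActionClassHeader(String initialActionClassValue, String resolvedActionClass) {
    // first writer wins: an already recorded initial action class is never overwritten
    if (getThreadContext().getHeader(ConfigConstants.SECURITY_INITIAL_ACTION_CLASS_HEADER) == null) {
        final String value = initialActionClassValue == null ? resolvedActionClass : initialActionClassValue;
        getThreadContext().putHeader(ConfigConstants.SECURITY_INITIAL_ACTION_CLASS_HEADER, value);
    }
}
```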
diff --git a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendIntegTest.java b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendIntegTest.java index c99c566061..c3bbf2ec11 100644 --- a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendIntegTest.java +++ b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendIntegTest.java @@ -77,7 +77,7 @@ public void testAttributesWithImpersonation() throws Exception { String securityConfigAsYamlString = FileHelper.loadFile("ldap/config.yml"); securityConfigAsYamlString = securityConfigAsYamlString.replace("${ldapsPort}", String.valueOf(ldapsPort)); final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".cn=Captain Spock,ou=people,o=TEST", "*") + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".cn=Captain Spock,ou=people,o=TEST", "*") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfigAsYamlString(securityConfigAsYamlString), settings); final RestHelper rh = nonSslRestHelper(); diff --git a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendIntegTest2.java b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendIntegTest2.java index 887a9e2eeb..5f5614c282 100644 --- a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendIntegTest2.java +++ b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendIntegTest2.java 
@@ -77,7 +77,7 @@ public void testAttributesWithImpersonation() throws Exception { String securityConfigAsYamlString = FileHelper.loadFile("ldap/config_ldap2.yml"); securityConfigAsYamlString = securityConfigAsYamlString.replace("${ldapsPort}", String.valueOf(ldapsPort)); final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".cn=Captain Spock,ou=people,o=TEST", "*") + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".cn=Captain Spock,ou=people,o=TEST", "*") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfigAsYamlString(securityConfigAsYamlString), settings); final RestHelper rh = nonSslRestHelper(); diff --git a/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java b/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java index e53232947b..0e160d5e5c 100644 --- a/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java +++ b/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java @@ -37,8 +37,8 @@ public void testSslOnlyModeDualModeDisabled() throws Exception { private void testSslOnlyMode(boolean dualModeEnabled) throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, dualModeEnabled) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, dualModeEnabled) .build(); setupSslOnlyMode(settings); final RestHelper rh = nonSslRestHelper(); 
@@ -60,7 +60,7 @@ private void testSslOnlyMode(boolean dualModeEnabled) throws Exception { Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); Assert.assertTrue(res.getBody().contains("\"opendistro_security_config.ssl_dual_mode_enabled\":\"true\"")); - String disableDualModeClusterSetting = "{ \"persistent\": { \"" + ConfigConstants.OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED + "\": false } }"; + String disableDualModeClusterSetting = "{ \"persistent\": { \"" + ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED + "\": false } }"; res = rh.executePutRequest("_cluster/settings", disableDualModeClusterSetting); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"opendistro_security_config\":{\"ssl_dual_mode_enabled\":\"false\"}},\"transient\":{}}", res.getBody()); @@ -70,7 +70,7 @@ private void testSslOnlyMode(boolean dualModeEnabled) throws Exception { Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); Assert.assertTrue(res.getBody().contains("\"opendistro_security_config.ssl_dual_mode_enabled\":\"false\"")); - String enableDualModeClusterSetting = "{ \"persistent\": { \"" + ConfigConstants.OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED + "\": true } }"; + String enableDualModeClusterSetting = "{ \"persistent\": { \"" + ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED + "\": true } }"; res = rh.executePutRequest("_cluster/settings", enableDualModeClusterSetting); Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode()); Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"opendistro_security_config\":{\"ssl_dual_mode_enabled\":\"true\"}},\"transient\":{}}", res.getBody()); 
@@ -94,8 +94,8 @@ private void testSslOnlyMode(boolean dualModeEnabled) throws Exception { @Test public void testSslOnlyModeDualModeWithNonSSLMasterNode() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true) .build(); setupSslOnlyModeWithMasterNodeWithoutSSL(settings); final RestHelper rh = nonSslRestHelper(); @@ -107,8 +107,8 @@ public void testSslOnlyModeDualModeWithNonSSLMasterNode() throws Exception { @Test public void testSslOnlyModeDualModeWithNonSSLDataNode() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, true) .build(); setupSslOnlyModeWithDataNodeWithoutSSL(settings); final RestHelper rh = nonSslRestHelper(); diff --git a/src/test/java/org/opensearch/security/HttpIntegrationTests.java b/src/test/java/org/opensearch/security/HttpIntegrationTests.java index fe15ed425d..675ba807f5 100644 --- a/src/test/java/org/opensearch/security/HttpIntegrationTests.java +++ b/src/test/java/org/opensearch/security/HttpIntegrationTests.java @@ -69,7 +69,7 @@ public class HttpIntegrationTests extends SingleClusterTest { @Test public void testHTTPBasic() throws Exception { final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") .build(); setup(settings); final RestHelper rh = nonSslRestHelper(); 
@@ -350,10 +350,10 @@ public void testHTTPClientCert() throws Exception { .put("opendistro_security.ssl.http.enabled",true) .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") - .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") - .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") - .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") + .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") + .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") + .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") + .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_clientcert.yml"), settings, true); @@ -532,7 +532,7 @@ public void testHTTPBasic2() throws Exception { @Test public void testBulk() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") + .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles_bulk.yml"), settings); final RestHelper rh = nonSslRestHelper(); 
@@ -553,7 +553,7 @@ public void testBulk() throws Exception { @Test public void testBulkWithOneIndexFailure() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") + .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles_bulk.yml"), settings); final RestHelper rh = nonSslRestHelper(); @@ -576,7 +576,7 @@ public void testBulkWithOneIndexFailure() throws Exception { @Test public void test557() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") + .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); @@ -607,7 +607,7 @@ public void test557() throws Exception { @Test public void testITT1635() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") + .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_dnfof.yml").setSecurityRoles("roles_itt1635.yml"), settings); @@ -701,7 +701,7 @@ public void testTenantInfo() throws Exception { @Test public void testRestImpersonation() throws Exception { final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "someotherusernotininternalusersfile") + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "someotherusernotininternalusersfile") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_rest_impersonation.yml"), settings); final RestHelper rh = nonSslRestHelper(); 
@@ -716,7 +716,7 @@ public void testRestImpersonation() throws Exception { @Test public void testSslOnlyMode() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) .build(); setupSslOnlyMode(settings); final RestHelper rh = nonSslRestHelper(); diff --git a/src/test/java/org/opensearch/security/IndexIntegrationTests.java b/src/test/java/org/opensearch/security/IndexIntegrationTests.java index 55a55fc4f6..d27d6f9bff 100644 --- a/src/test/java/org/opensearch/security/IndexIntegrationTests.java +++ b/src/test/java/org/opensearch/security/IndexIntegrationTests.java @@ -355,7 +355,7 @@ public void testIndices() throws Exception { public void testAliases() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") + .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") .build(); setup(settings); diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java index 9d968df82f..bf453586d2 100644 --- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java +++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java 
@@ -67,7 +67,7 @@ public class InitializationIntegrationTests extends SingleClusterTest { public void testEnsureInitViaRestDoesWork() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") .put("opendistro_security.ssl.http.enabled",true) .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) @@ -189,7 +189,7 @@ public void testConfigHotReload() throws Exception { @Test public void testDefaultConfig() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true) + .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true) .build(); setup(Settings.EMPTY, null, settings, false); RestHelper rh = nonSslRestHelper(); diff --git a/src/test/java/org/opensearch/security/IntegrationTests.java b/src/test/java/org/opensearch/security/IntegrationTests.java index 76101a5884..d0c74b5836 100644 --- a/src/test/java/org/opensearch/security/IntegrationTests.java +++ b/src/test/java/org/opensearch/security/IntegrationTests.java @@ -86,7 +86,7 @@ public void uncaughtException(Thread t, Throwable e) { }); final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") .build(); setup(settings); final RestHelper rh = nonSslRestHelper(); 
@@ -189,7 +189,7 @@ public void testDnParsingCertAuth() throws Exception {
 private ThreadContext newThreadContext(String sslPrincipal) {
 ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL, sslPrincipal);
+ threadContext.putTransient(ConfigConstants.SECURITY_SSL_PRINCIPAL, sslPrincipal);
 return threadContext;
 }
@@ -197,18 +197,18 @@ private ThreadContext newThreadContext(String sslPrincipal) { public void testDNSpecials() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") - .putList(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, "EMAILADDRESS=unt@xxx.com,CN=node-untspec6.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") - .put(ConfigConstants.OPENDISTRO_SECURITY_CERT_OID,"1.2.3.4.5.6") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .putList(ConfigConstants.SECURITY_NODES_DN, "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") + .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, "EMAILADDRESS=unt@xxx.com,CN=node-untspec6.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") + .put(ConfigConstants.SECURITY_CERT_OID,"1.2.3.4.5.6") .build(); Settings tcSettings = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") .build(); 
setup(tcSettings, new DynamicSecurityConfig(), settings, true); @@ -223,9 +223,9 @@ public void testDNSpecials() throws Exception { public void testDNSpecials1() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") .putList("opendistro_security.nodes_dn", "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") .putList("opendistro_security.authcz.admin_dn", "EMAILADDREss=unt@xxx.com, cn=node-untspec6.example.com, OU=SSL,O=Te\\, st,L=Test, c=DE") .put("opendistro_security.cert.oid","1.2.3.4.5.6") @@ -234,7 +234,7 @@ public void testDNSpecials1() throws Exception { Settings tcSettings = Settings.builder() .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") .build(); setup(tcSettings, new DynamicSecurityConfig(), settings, true); 
@@ -290,7 +290,7 @@ public void testMultiget() throws Exception { public void testRestImpersonation() throws Exception { final Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".spock", "knuddel","userwhonotexists").build(); + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".spock", "knuddel","userwhonotexists").build(); setup(settings); @@ -479,7 +479,7 @@ public void testDeleteByQueryDnfof() throws Exception { @Test public void testUpdate() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") + .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") .build(); setup(settings); final RestHelper rh = nonSslRestHelper(); @@ -501,7 +501,7 @@ public void testUpdate() throws Exception { public void testDnfof() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") + .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_dnfof.yml"), settings); @@ -676,7 +676,7 @@ public void testDnfof() throws Exception { public void testNoDnfof() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") + .put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); diff --git a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java index 32f6d1614f..aa549656df 100644 --- a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java +++ b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java 
@@ -68,7 +68,7 @@ public Collection createComponents(Client client, ClusterService cluster IndexNameExpressionResolver indexNameExpressionResolver, Supplier repositoriesServiceSupplier) { if(injectedRoles != null) - threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES, injectedRoles); + threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_INJECTED_ROLES, injectedRoles); return new ArrayList<>(); } } diff --git a/src/test/java/org/opensearch/security/SecurityAdminMigrationTests.java b/src/test/java/org/opensearch/security/SecurityAdminMigrationTests.java index bbd74deddc..c8197aec27 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminMigrationTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminMigrationTests.java @@ -39,7 +39,7 @@ public class SecurityAdminMigrationTests extends SingleClusterTest { @Test public void testSecurityMigrate() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") .put("opendistro_security.ssl.http.enabled",true) .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) 
@@ -85,7 +85,7 @@ public void testSecurityMigrate() throws Exception { @Test public void testSecurityMigrate2() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") .put("opendistro_security.ssl.http.enabled",true) .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) diff --git a/src/test/java/org/opensearch/security/SecurityAdminTests.java b/src/test/java/org/opensearch/security/SecurityAdminTests.java index 2860ed7cd8..d2dc04f7d2 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminTests.java @@ -277,7 +277,7 @@ public void testSecurityAdminInvalidYml() throws Exception { @Test public void testSecurityAdminReloadInvalidConfig() throws Exception { final Settings settings = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") .put("opendistro_security.ssl.http.enabled",true) .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) diff --git a/src/test/java/org/opensearch/security/SecurityRolesTests.java b/src/test/java/org/opensearch/security/SecurityRolesTests.java index f3357b39fb..88110ebdd7 100644 --- a/src/test/java/org/opensearch/security/SecurityRolesTests.java +++ b/src/test/java/org/opensearch/security/SecurityRolesTests.java 
@@ -97,7 +97,7 @@ public void testSecurityRoles() throws Exception { public void testSecurityRolesImpersonation() throws Exception { Settings settings = Settings.builder() - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".sr_user", "sr_impuser") + .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".sr_user", "sr_impuser") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig() diff --git a/src/test/java/org/opensearch/security/SlowIntegrationTests.java b/src/test/java/org/opensearch/security/SlowIntegrationTests.java index 5b49f087f0..55b3280bbe 100644 --- a/src/test/java/org/opensearch/security/SlowIntegrationTests.java +++ b/src/test/java/org/opensearch/security/SlowIntegrationTests.java @@ -56,7 +56,7 @@ public class SlowIntegrationTests extends SingleClusterTest { public void testCustomInterclusterRequestEvaluator() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, "org.opensearch.security.AlwaysFalseInterClusterRequestEvaluator") + .put(ConfigConstants.SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, "org.opensearch.security.AlwaysFalseInterClusterRequestEvaluator") .put("discovery.initial_state_timeout","8s") .build(); setup(Settings.EMPTY, null, settings, false, ClusterConfiguration.DEFAULT ,5,1); @@ -115,7 +115,7 @@ public void testNodeClientDisallowedWithNonServerCertificate() throws Exception .put("discovery.initial_state_timeout","8s") .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost+":"+clusterInfo.nodePort) .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("kirk-keystore.jks")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"kirk") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"kirk") .build(); log.debug("Start node client"); 
@@ -149,7 +149,7 @@ public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception .put("discovery.initial_state_timeout","8s") .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost+":"+clusterInfo.nodePort) .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") .build(); log.debug("Start node client"); diff --git a/src/test/java/org/opensearch/security/SystemIntegratorsTests.java b/src/test/java/org/opensearch/security/SystemIntegratorsTests.java index 1a90f7d8b3..031c589f6a 100644 --- a/src/test/java/org/opensearch/security/SystemIntegratorsTests.java +++ b/src/test/java/org/opensearch/security/SystemIntegratorsTests.java @@ -49,7 +49,7 @@ public class SystemIntegratorsTests extends SingleClusterTest { public void testInjectedUserMalformed() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) + .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport") .build(); 
@@ -60,31 +60,31 @@ public void testInjectedUserMalformed() throws Exception { HttpResponse resc; - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, null)); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, null)); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "|||")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "|||")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "||127.0.0:80|")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "||127.0.0:80|")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||ip|")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "username||ip|")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||ip:port|")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "username||ip:port|")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, 
"username||ip:80|")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "username||ip:80|")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||127.0.x:80|")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "username||127.0.x:80|")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "username||127.0.0:80|key1,value1,key2")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "username||127.0.0:80|key1,value1,key2")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "||127.0.0:80|key1,value1,key2,value2")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "||127.0.0:80|key1,value1,key2,value2")); Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode()); } @@ -93,7 +93,7 @@ public void testInjectedUserMalformed() throws Exception { public void testInjectedUser() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) + .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport") .build(); 
@@ -104,21 +104,21 @@ public void testInjectedUser() throws Exception { HttpResponse resc; - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin||127.0.0:80|")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "admin||127.0.0:80|")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=admin, backend_roles=[], requestedTenant=null]")); Assert.assertTrue(resc.getBody().contains("\"remote_address\":\"127.0.0.0:80\"")); Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1|127.0.0:80|key1,value1")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "admin|role1|127.0.0:80|key1,value1")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=admin, backend_roles=[role1], requestedTenant=null]")); Assert.assertTrue(resc.getBody().contains("\"remote_address\":\"127.0.0.0:80\"")); Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[\"role1\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1,role2||key1,value1")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "admin|role1,role2||key1,value1")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=admin, backend_roles=[role1, 
role2], requestedTenant=null]")); // remote IP is assigned by XFFResolver @@ -126,7 +126,7 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[\"role1\",\"role2\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1,role2|8.8.8.8:8|key1,value1,key2,value2")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "admin|role1,role2|8.8.8.8:8|key1,value1,key2,value2")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=admin, backend_roles=[role1, role2], requestedTenant=null]")); // remote IP is assigned by XFFResolver @@ -134,7 +134,7 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"backend_roles\":[\"role1\",\"role2\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "nagilum|role1,role2|8.8.8.8:8|key1,value1,key2,value2")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "nagilum|role1,role2|8.8.8.8:8|key1,value1,key2,value2")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=nagilum, backend_roles=[role1, role2], requestedTenant=null]")); // remote IP is assigned by XFFResolver 
@@ -144,7 +144,7 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"roles\":[\"opendistro_security_all_access\"")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=null]")); // remote IP is assigned by XFFResolver @@ -155,7 +155,7 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); // add requested tenant - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2|")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2|")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=null]")); // remote IP is assigned by XFFResolver 
@@ -165,7 +165,7 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody(), resc.getBody().contains("\"roles\":[\"public\",\"role_vulcans_admin\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2|mytenant")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8|key1,value1,key2,value2|mytenant")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=mytenant]")); // remote IP is assigned by XFFResolver @@ -175,7 +175,7 @@ public void testInjectedUser() throws Exception { Assert.assertTrue(resc.getBody().contains("\"roles\":[\"public\",\"role_vulcans_admin\"]")); Assert.assertTrue(resc.getBody().contains("\"custom_attribute_names\":[\"key1\",\"key2\"]")); - resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8||mytenant with whitespace")); + resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "myuser|role1,vulcanadmin|8.8.8.8:8||mytenant with whitespace")); Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode()); Assert.assertTrue(resc.getBody().contains("User [name=myuser, backend_roles=[role1, vulcanadmin], requestedTenant=mytenant with whitespace]")); // remote IP is assigned by XFFResolver 
@@ -201,7 +201,7 @@ public void testInjectedUserDisabled() throws Exception {
 HttpResponse resc;
- resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "admin|role1|127.0.0:80|key1,value1"));
+ resc = rh.executeGetRequest("_opendistro/_security/authinfo", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "admin|role1|127.0.0:80|key1,value1"));
 Assert.assertEquals(HttpStatus.SC_UNAUTHORIZED, resc.getStatusCode());
 }
@@ -209,9 +209,9 @@ public void testInjectedUserDisabled() throws Exception {
 public void testInjectedAdminUser() throws Exception {
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, true)
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, Lists.newArrayList("CN=kirk,OU=client,O=client,L=Test,C=DE","injectedadmin"))
+ .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
+ .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, true)
+ .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, Lists.newArrayList("CN=kirk,OU=client,O=client,L=Test,C=DE","injectedadmin"))
 .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport")
 .build();
@@ -221,14 +221,14 @@ public void testInjectedAdminUser() throws Exception {
 HttpResponse resc;
 // injected user is admin, access to Security index must be allowed
- resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1"));
+ resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1"));
 Assert.assertEquals(HttpStatus.SC_OK, resc.getStatusCode());
 Assert.assertTrue(resc.getBody().contains("\"_id\" : \"config\""));
 Assert.assertTrue(resc.getBody().contains("\"_id\" : \"roles\""));
 Assert.assertTrue(resc.getBody().contains("\"_id\" : \"internalusers\""));
 Assert.assertTrue(resc.getBody().contains("\"total\" : 5"));
- resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "wrongadmin|role1|127.0.0:80|key1,value1"));
+ resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "wrongadmin|role1|127.0.0:80|key1,value1"));
 Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode());
 }
@@ -237,8 +237,8 @@ public void testInjectedAdminUser() throws Exception {
 public void testInjectedAdminUserAdminInjectionDisabled() throws Exception {
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, Lists.newArrayList("CN=kirk,OU=client,O=client,L=Test,C=DE","injectedadmin"))
+ .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
+ .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, Lists.newArrayList("CN=kirk,OU=client,O=client,L=Test,C=DE","injectedadmin"))
 .put("http.type", "org.opensearch.security.http.UserInjectingServerTransport")
 .build();
@@ -248,7 +248,7 @@ public void testInjectedAdminUserAdminInjectionDisabled() throws Exception {
 HttpResponse resc;
 // injected user is admin, access to Security index must be allowed
- resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1"));
+ resc = rh.executeGetRequest(".opendistro_security/_search?pretty", new BasicHeader(ConfigConstants.SECURITY_INJECTED_USER, "injectedadmin|role1|127.0.0:80|key1,value1"));
 Assert.assertEquals(HttpStatus.SC_FORBIDDEN, resc.getStatusCode());
 Assert.assertFalse(resc.getBody().contains("\"_id\" : \"config\""));
 Assert.assertFalse(resc.getBody().contains("\"_id\" : \"roles\""));
diff --git a/src/test/java/org/opensearch/security/TracingTests.java b/src/test/java/org/opensearch/security/TracingTests.java
index 141bbdc24e..0964be8aef 100644
--- a/src/test/java/org/opensearch/security/TracingTests.java
+++ b/src/test/java/org/opensearch/security/TracingTests.java
@@ -262,7 +262,7 @@ public void uncaughtException(Thread t, Throwable e) {
 });
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
+ .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
 .build();
 setup(settings);
 final RestHelper rh = nonSslRestHelper();
@@ -328,7 +328,7 @@ public void uncaughtException(Thread t, Throwable e) {
 });
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
+ .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
 .build();
 setup(settings);
 final RestHelper rh = nonSslRestHelper();
diff --git a/src/test/java/org/opensearch/security/TransportClientIntegrationTests.java b/src/test/java/org/opensearch/security/TransportClientIntegrationTests.java
index b0cb8c2cee..e5a63fe0c7 100644
--- a/src/test/java/org/opensearch/security/TransportClientIntegrationTests.java
+++ b/src/test/java/org/opensearch/security/TransportClientIntegrationTests.java
@@ -66,7 +66,7 @@ public class TransportClientIntegrationTests extends SingleClusterTest {
 public void testTransportClient() throws Exception {
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum")
+ .putList(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN+".CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum")
 .put("discovery.initial_state_timeout","8s")
 .build();
 setup(settings);
@@ -79,7 +79,7 @@ public void testTransportClient() throws Exception {
 Settings tcSettings = Settings.builder()
 .put(settings)
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
 .build();
 System.out.println("------- 0 ---------");
@@ -380,7 +380,7 @@ public void testTransportClientImpersonation() throws Exception {
 Settings tcSettings = Settings.builder()
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
 .put("path.home", ".")
 .put("request.headers.opendistro_security_impersonate_as", "worf")
 .build();
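Review bot: In the `@@ -79,7` hunk the keystore path is still supplied through the legacy string key `"opendistro_security.ssl.transport.keystore_filepath"` while the alias on the next line now goes through `SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS`, so the transport client's settings mix the old and new key families in one builder. If the new settings class is meant to accept both, that is worth a one-line comment such as `// legacy key kept on purpose: exercises the old-key fallback` so the mix is not "fixed" later; otherwise the path should use the corresponding `SSLConfigConstants` constant as well, so the rename is exercised end to end rather than only for the alias. The same mix appears in the `@@ -380,7` hunk below. `testTransportClient` continues outside the hunk.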
@@ -403,7 +403,7 @@ public void testTransportClientImpersonationWildcard() throws Exception {
 Settings tcSettings = Settings.builder()
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
 .put("path.home", ".")
 .put("request.headers.opendistro_security_impersonate_as", "worf")
 .build();
@@ -420,7 +420,7 @@ public void testTransportClientImpersonationWildcard() throws Exception {
 public void testTransportClientUsernameAttribute() throws Exception {
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum")
+ .putList(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN+".CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum")
 .put("discovery.initial_state_timeout","8s")
 .build();
@@ -437,7 +437,7 @@ public void testTransportClientUsernameAttribute() throws Exception {
 Settings tcSettings = Settings.builder()
 .put(settings)
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
 .build();
 System.out.println("------- 0 ---------");
@@ -741,7 +741,7 @@ public void testTransportClientImpersonationUsernameAttribute() throws Exception
 Settings tcSettings = Settings.builder()
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
 .put("path.home", ".")
 .put("request.headers.opendistro_security_impersonate_as", "worf")
 .build();
@@ -766,7 +766,7 @@ public void testTransportClientImpersonationWildcardUsernameAttribute() throws E
 Settings tcSettings = Settings.builder()
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock")
 .put("path.home", ".")
 .put("request.headers.opendistro_security_impersonate_as", "worf")
 .build();
diff --git a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java
index 790df8a7fb..1cb437a0a7 100644
--- a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java
+++ b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java
@@ -50,7 +50,7 @@ public Collection createComponents(Client client, ClusterService cluster
 IndexNameExpressionResolver indexNameExpressionResolver, Supplier repositoriesServiceSupplier) {
 if(injectedUser != null)
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, injectedUser);
+ threadPool.getThreadContext().putTransient(ConfigConstants.SECURITY_INJECTED_USER, injectedUser);
 return new ArrayList<>();
 }
 }
@@ -70,7 +70,7 @@ private void waitForInit(Client client) throws Exception {
 @Test
 public void testSecurityUserInjection() throws Exception {
 final Settings clusterNodeSettings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
+ .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
 .build();
 setup(clusterNodeSettings, new DynamicSecurityConfig().setSecurityRolesMapping("roles_transport_inject_user.yml"), Settings.EMPTY);
 final Settings tcSettings = Settings.builder()
@@ -85,7 +85,7 @@ public void testSecurityUserInjection() throws Exception {
 .put("node.name", "testclient")
 .put("discovery.initial_state_timeout", "8s")
 .put("opendistro_security.allow_default_init_securityindex", "true")
- .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
+ .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true)
 .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
 .build();
@@ -127,7 +127,7 @@ public void testSecurityUserInjection() throws Exception {
 @Test
 public void testSecurityUserInjectionWithConfigDisabled() throws Exception {
 final Settings clusterNodeSettings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false)
+ .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false)
 .build();
 setup(clusterNodeSettings, new DynamicSecurityConfig().setSecurityRolesMapping("roles_transport_inject_user.yml"), Settings.EMPTY);
 final Settings tcSettings = Settings.builder()
@@ -142,7 +142,7 @@ public void testSecurityUserInjectionWithConfigDisabled() throws Exception {
 .put("node.name", "testclient")
 .put("discovery.initial_state_timeout", "8s")
 .put("opendistro_security.allow_default_init_securityindex", "true")
- .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false)
+ .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false)
 .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
 .build();
diff --git a/src/test/java/org/opensearch/security/UtilTests.java b/src/test/java/org/opensearch/security/UtilTests.java
index 898eba1c40..26cc15ce7c 100644
--- a/src/test/java/org/opensearch/security/UtilTests.java
+++ b/src/test/java/org/opensearch/security/UtilTests.java
@@ -176,7 +176,7 @@ public void testEnvReplace() {
 @Test
 public void testNoEnvReplace() {
- Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT, true).build();
+ Settings settings = Settings.builder().put(ConfigConstants.SECURITY_DISABLE_ENVVAR_REPLACEMENT, true).build();
 assertEquals("abv${env.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV}xyz",settings));
 assertEquals("abv${envbc.MYENV}xyz", SecurityUtils.replaceEnvVars("abv${envbc.MYENV}xyz",settings));
 assertEquals("abv${env.MYENV:-tTt}xyz", SecurityUtils.replaceEnvVars("abv${env.MYENV:-tTt}xyz",settings));
diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java
index 633cf1dc3e..229021b5ae 100644
--- a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java
@@ -47,13 +47,13 @@ public void testSourceFilter() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- //.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "emp")
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "emp")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ //.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "emp")
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "emp")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setup(additionalSettings);
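Review bot: The rename carries over the commented-out line `//.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "emp")`, so dead code is now being maintained through a constant rename instead of being deleted; it should be dropped from the builder (or, if it documents an intentionally untested case, replaced by a plain comment saying why). Separately, the sink selector on the line above stays on the legacy string key `"opendistro_security.audit.type"` while every other key in the same builder now uses the new `SECURITY_*` constants; if the new settings class maps both families, a short comment should record that the legacy key is kept on purpose, otherwise the audit type should move to the corresponding constant too. The same commented-out line recurs in the `@@ -135,13` hunk of this file.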
@@ -135,13 +135,13 @@ public void testSourceFilterMsearch() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- //.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "emp")
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "emp")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ //.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "emp")
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "emp")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setup(additionalSettings);
@@ -203,14 +203,14 @@ public void testInternalConfig() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 TestAuditlogImpl.clear();
@@ -250,13 +250,13 @@ public void testExternalConfig() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 TestAuditlogImpl.clear();
@@ -287,13 +287,13 @@ public void testUpdate() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "finance")
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "humanresources,Designation,FirstName,LastName")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "finance")
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "humanresources,Designation,FirstName,LastName")
 .build();
 setup(additionalSettings);
@@ -324,13 +324,13 @@ public void testUpdatePerf() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "humanresources")
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "humanresources,*")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "humanresources")
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "humanresources,*")
 .build();
 setup(additionalSettings);
@@ -374,11 +374,11 @@ public void testWriteHistory() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "humanresources")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "humanresources")
 .build();
 setup(additionalSettings);
diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java
index 2e08628ee0..bbb0ded0e7 100644
--- a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceConfigTest.java
@@ -54,17 +54,17 @@ public void testConfig() {
 // arrange
 final String testSalt = "abcdefghijklmnop";
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, testSalt)
- .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "write_index1", "write_index_pattern*")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "read_index1,field1,field2", "read_index_pattern*,field1,field_pattern*")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS,
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt)
+ .putList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "write_index1", "write_index_pattern*")
+ .putList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "read_index1,field1,field2", "read_index_pattern*,field1,field_pattern*")
+ .putList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS,
 "test-user-1", "test-user-2")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS,
+ .putList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS,
 "test-user-3", "test-user-4")
 .build();
@@ -109,9 +109,9 @@ public void testConfig() {
 public void testNone() {
 // arrange
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS,
+ .putList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS,
 "NONE")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS,
+ .putList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS,
 "NONE")
 .build();
 // act
@@ -125,9 +125,9 @@ public void testNone() {
 public void testEmpty() {
 // arrange
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS,
+ .putList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS,
 Collections.emptyList())
- .putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS,
+ .putList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS,
 Collections.emptyList())
 .build();
 // act
diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java
index 6ddc785494..309766f669 100644
--- a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java
@@ -34,14 +34,14 @@ public void testRestApiRolesEnabled() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setup(additionalSettings);
@@ -64,13 +64,13 @@ public void testRestApiRolesDisabled() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setup(additionalSettings);
@@ -100,13 +100,13 @@ public void testRestApiRolesDisabledGet() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setup(additionalSettings);
@@ -136,13 +136,13 @@ public void testAutoInit() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setup(additionalSettings);
@@ -163,13 +163,13 @@ public void testRestApiNewUser() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, "admin")
+ .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, "admin")
 .build();
 setup(additionalSettings);
@@ -188,14 +188,14 @@ public void testRestInternalConfigRead() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setup(additionalSettings);
@@ -222,11 +222,11 @@ public void testRestInternalConfigRead() throws Exception {
 public void testBCryptHashRedaction() throws Exception {
 final Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
+ .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
 .build();
 setup(settings);
 rh.sendAdminCertificate = true;
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
index 7344677609..d85c33f700 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigFilterTest.java
@@ -62,17 +62,17 @@ public void testDefault() {
 public void testConfig() {
 // arrange
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false)
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, "test-request")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "test-user")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_LOG_REQUEST_BODY, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_INDICES, false)
+ .put(ConfigConstants.SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, false)
+ .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_REQUESTS, "test-request")
+ .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, "test-user")
+ .putList(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
 BAD_HEADERS.toString(), SSL_EXCEPTION.toString())
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES,
+ .putList(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES,
 FAILED_LOGIN.toString(), MISSING_PRIVILEGES.toString())
 .build();
 // act
@@ -94,10 +94,10 @@ public void testConfig() {
 public void testNone() {
 // arrange
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "NONE")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
+ .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, "NONE")
+ .putList(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
 "None")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES,
+ .putList(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES,
 "none")
 .build();
 // act
@@ -112,11 +112,11 @@ public void testNone() {
 public void testEmpty() {
 // arrange
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList())
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList())
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
+ .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, Collections.emptyList())
+ .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList())
+ .putList(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES,
 Collections.emptyList())
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES,
+ .putList(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES,
 Collections.emptyList())
 .build();
 // act
diff --git a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
index 2cbf871d33..5d8297d6e0 100644
--- a/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/config/AuditConfigSerializeTest.java
@@ -291,9 +291,9 @@ public void testNullDeSerialize() throws IOException {
 public void testCustomSettings() throws IOException {
 // arrange
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, "test-security-index")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, "internal_opensearch")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX,
+ .put(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, "test-security-index")
+ .put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "internal_opensearch")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_OPENSEARCH_INDEX,
 "test-auditlog-index")
 .build();
 final ObjectMapper customObjectMapper = new ObjectMapper();
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditCategoryTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditCategoryTest.java
index 8dbf95caef..c005268c4c 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditCategoryTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditCategoryTest.java
@@ -54,7 +54,7 @@ public static Collection data() {
 {Arrays.asList("bAd_HeAdErS"), EnumSet.of(BAD_HEADERS)},
 {Arrays.asList("BAD_HEADERS", "AUTHENTICATED"), EnumSet.of(BAD_HEADERS, AUTHENTICATED)},
 {Arrays.asList("BAD_HEADERS", "FAILED_LOGIN", "MISSING_PRIVILEGES", "GRANTED_PRIVILEGES",
- "OPENDISTRO_SECURITY_INDEX_ATTEMPT", "SSL_EXCEPTION", "AUTHENTICATED", "INDEX_EVENT",
+ "SECURITY_INDEX_ATTEMPT", "SSL_EXCEPTION", "AUTHENTICATED", "INDEX_EVENT",
 "COMPLIANCE_DOC_READ", "COMPLIANCE_DOC_WRITE", "COMPLIANCE_EXTERNAL_CONFIG", "COMPLIANCE_INTERNAL_CONFIG_READ", "COMPLIANCE_INTERNAL_CONFIG_WRITE" ), EnumSet.allOf(AuditCategory.class)},
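Review bot: Renaming the audit category `OPENDISTRO_SECURITY_INDEX_ATTEMPT` to `SECURITY_INDEX_ATTEMPT` in the AuditCategoryTest hunk changes a value operators write into the disabled-categories settings, and the neighbouring rows (for example `"bAd_HeAdErS"`) show these names are parsed from configuration strings, so an existing config that lists the old name would presumably stop being accepted instead of disabling that category — and the `invalidRestCategoryConfigurationTest` hunk suggests unknown names are rejected outright. Unlike the settings keys, nothing in this patch shows a legacy alias for the enum value, so the parse failure would surface only at startup after an upgrade, or the suppression would be silently lost if the parser is lenient. Consider keeping the old name accepted in `AuditCategory`'s string parsing and pinning it here with a row such as `{Arrays.asList("OPENDISTRO_SECURITY_INDEX_ATTEMPT"), EnumSet.of(SECURITY_INDEX_ATTEMPT)},`. Whether the parser is strict or lenient is not visible in this hunk.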
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java
index 12b6d533db..22606b9d60 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java
@@ -54,7 +54,7 @@ public void setup() {
 public void testClusterHealthRequest() {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
 .build();
 AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 TestAuditlogImpl.clear();
@@ -71,7 +71,7 @@ public void testSearchRequest() {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
 .build();
 AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 TestAuditlogImpl.clear();
@@ -84,9 +84,9 @@ public void testSslException() {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
 .build();
 AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 TestAuditlogImpl.clear();
@@ -103,11 +103,11 @@ public void testRetry() {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", RetrySink.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RETRY_COUNT, 10)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RETRY_DELAY_MS, 500)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RETRY_COUNT, 10)
+ .put(ConfigConstants.SECURITY_AUDIT_RETRY_DELAY_MS, 500)
 .build();
 AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 al.logSSLException(null, new Exception("test retry"));
@@ -122,11 +122,11 @@ public void testNoRetry() {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", RetrySink.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RETRY_COUNT, 0)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RETRY_DELAY_MS, 500)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RETRY_COUNT, 0)
+ .put(ConfigConstants.SECURITY_AUDIT_RETRY_DELAY_MS, 500)
 .build();
 AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 al.logSSLException(null, new Exception("test retry"));
@@ -136,7 +136,7 @@ public void testNoRetry() {
 @Test
 public void testRestFilterEnabledCheck() {
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
 .build();
 final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 for (AuditCategory category: AuditCategory.values()) {
@@ -147,7 +147,7 @@ public void testRestFilterEnabledCheck() {
 @Test
 public void testTransportFilterEnabledCheck() {
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
 .build();
 final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 for (AuditCategory category: AuditCategory.values()) {
@@ -158,8 +158,8 @@ public void testTransportFilterEnabledCheck() {
 @Test
 public void testTransportFilterMonitorActionsCheck() {
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
 .build();
 final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 for (AuditCategory category: AuditCategory.values()) {
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java
index 1753037748..eed86a4303 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java
@@ -69,7 +69,7 @@ public void invalidRestCategoryConfigurationTest() {
 Builder settingsBuilder = Settings.builder();
 settingsBuilder.put("opendistro_security.audit.type", TestAuditlogImpl.class.getName());
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "nonexistent");
+ settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "nonexistent");
 AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 }
@@ -80,7 +80,7 @@ public void invalidTransportCategoryConfigurationTest() {
 Builder settingsBuilder = Settings.builder();
 settingsBuilder.put("opendistro_security.audit.type", TestAuditlogImpl.class.getName());
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "nonexistent");
+ settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "nonexistent");
 AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs);
 }
@@ -100,8 +100,8 @@ public void enableAllCategoryTest() throws Exception {
 final Builder settingsBuilder = Settings.builder();
 settingsBuilder.put("opendistro_security.audit.type", TestAuditlogImpl.class.getName());
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE");
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE");
+ settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE");
+ settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE");
 // we use the debug output, no OpenSearch client is needed. Also, we
 // do not need to close.
@@ -160,8 +160,8 @@ protected void checkCategoriesDisabled(AuditCategory... disabledCategories) thro
 Builder settingsBuilder = Settings.builder();
 settingsBuilder.put("opendistro_security.audit.type", TestAuditlogImpl.class.getName());
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, disabledCategoriesString);
- settingsBuilder.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, disabledCategoriesString);
+ settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, disabledCategoriesString);
+ settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, disabledCategoriesString);
 // we use the debug output, no OpenSearch client is needed. Also, we
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java b/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
index f2a0c6630f..8b838a87c4 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java
@@ -74,7 +74,7 @@ public void testConfiguredIgnoreUser() {
 .put("opendistro_security.audit.ignore_users", ignoreUser)
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
 .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj), null, cs);
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_USER, ignoreUserObj), null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
 Assert.assertEquals(0, TestAuditlogImpl.messages.size());
@@ -85,10 +85,10 @@ public void testNonConfiguredIgnoreUser() {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.ignore_users", nonIgnoreUser)
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj), null, cs);
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_USER, ignoreUserObj), null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
 Assert.assertEquals(1, TestAuditlogImpl.messages.size());
@@ -98,10 +98,10 @@ public void testNonConfiguredIgnoreUser() {
 public void testNonExistingIgnoreUser() {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_USER, ignoreUserObj), null, cs);
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_USER, ignoreUserObj), null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
 Assert.assertEquals(1, TestAuditlogImpl.messages.size());
@@ -112,9 +112,9 @@ public void testWildcards() {
 SearchRequest sr = new SearchRequest();
 User user = new User("John Doe");
- //sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
- //sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, "8.8.8.8");
- //sr.putInContext(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE");
+ //sr.putInContext(ConfigConstants.SECURITY_USER, user);
+ //sr.putInContext(ConfigConstants.SECURITY_REMOTE_ADDRESS, "8.8.8.8");
+ //sr.putInContext(ConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE");
 //sr.putHeader("myheader", "hval");
 sr.indices("index1","logstash*");
 sr.types("mytype","logs");
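Review bot: The three `//sr.putInContext(...)` lines touched in the testWildcards hunk are commented-out code, and renaming the constants inside them keeps dead code alive through yet another refactor while it adds nothing to the test (the thread-context values are already supplied through `newThreadPool(...)` a few lines down, outside this hunk). Unless they are deliberately kept as a record of which context keys the sink reads, drop those three lines together with the adjacent `//sr.putHeader("myheader", "hval");` instead of editing them; if they are kept, a one-line comment saying why would stop the next rename from having to decide again. The `user` local declared just above also appears unused once these lines are gone, as far as this hunk shows.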
@@ -122,15 +122,15 @@ public void testWildcards() {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
 .putList("opendistro_security.audit.ignore_users", "*")
 .build();
 TransportAddress ta = new TransportAddress(new InetSocketAddress("8.8.8.8",80));
- AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, ta,
- ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"),
- ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"
+ AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_REMOTE_ADDRESS, ta,
+ ConfigConstants.SECURITY_USER, new User("John Doe"),
+ ConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"
 ), null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
@@ -138,13 +138,13 @@ ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"),
 settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .putList("opendistro_security.audit.ignore_users", "xxx")
 .build();
- al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, ta,
- ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"),
- ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"
+ al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_REMOTE_ADDRESS, ta,
+ ConfigConstants.SECURITY_USER, new User("John Doe"),
+ ConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"
 ), null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
@@ -152,13 +152,13 @@ ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"),
 settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .putList("opendistro_security.audit.ignore_users", "John Doe","Capatin Kirk")
 .build();
- al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, ta,
- ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"),
- ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"
+ al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_REMOTE_ADDRESS, ta,
+ ConfigConstants.SECURITY_USER, new User("John Doe"),
+ ConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"
 ), null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
@@ -168,13 +168,13 @@ ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"),
 settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .putList("opendistro_security.audit.ignore_users", "Wil Riker","Capatin Kirk")
 .build();
- al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS, ta,
- ConfigConstants.OPENDISTRO_SECURITY_USER, new User("John Doe"),
- ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"
+ al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_REMOTE_ADDRESS, ta,
+ ConfigConstants.SECURITY_USER, new User("John Doe"),
+ ConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL, "CN=kirk,OU=client,O=client,L=test,C=DE"
 ), null, cs);
 TestAuditlogImpl.clear();
 al.logGrantedPrivileges("indices:data/read/search", sr, null);
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/TracingTests.java b/src/test/java/org/opensearch/security/auditlog/impl/TracingTests.java
index 54378efaea..d89d3020b3 100644
--- a/src/test/java/org/opensearch/security/auditlog/impl/TracingTests.java
+++ b/src/test/java/org/opensearch/security/auditlog/impl/TracingTests.java
@@ -60,10 +60,10 @@ public void testHTTPTrace() throws Exception {
 logger.setLevel(Level.TRACE);
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, "debug")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, "true")
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "*")
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "*")
+ .put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "debug")
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, "true")
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "*")
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "*")
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true, ClusterConfiguration.DEFAULT);
@@ -245,7 +245,7 @@ public void uncaughtException(Thread t, Throwable e) {
 });
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
+ .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
 .build();
 setup(settings);
 final RestHelper rh = nonSslRestHelper();
@@ -311,7 +311,7 @@ public void uncaughtException(Thread t, Throwable e) {
 });
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
+ .putList(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists")
 .build();
 setup(settings);
 final RestHelper rh = nonSslRestHelper();
@@ -342,9 +342,9 @@ public void uncaughtException(Thread t, Throwable e) {
 @Test
 public void testAdvancedMapping() throws Exception {
 Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "*")
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "*")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, "debug").build();
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, "*")
+ .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, "*")
+ .put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "debug").build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true, ClusterConfiguration.DEFAULT);
 RestHelper rh = nonSslRestHelper();
@@ -394,9 +394,9 @@ public void testAdvancedMapping() throws Exception {
 @Test
 public void testImmutableIndex() throws Exception {
 Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
- .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "myindex1")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, "debug").build();
+ .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
+ .put(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "myindex1")
+ .put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "debug").build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true, ClusterConfiguration.DEFAULT);
diff --git a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java
index 4a1becdab1..09a15cd246 100644
--- a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java
@@ -80,10 +80,10 @@ public void testSimpleAuthenticated() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated")
 .build();
 setup(additionalSettings);
@@ -113,8 +113,8 @@ public void testSSLPlainText() throws Exception {
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -141,11 +141,11 @@ public void testSimpleTransportAuthenticated() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -183,8 +183,8 @@ public void testTaskId() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -223,8 +223,8 @@ public void testDefaultsRest() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -251,9 +251,9 @@ public void testDefaultsRest() throws Exception {
 public void testGrantedPrivilegesRest() throws Exception {
 final Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
 .build();
 setup(additionalSettings);
@@ -266,8 +266,8 @@ public void testGrantedPrivilegesRest() throws Exception {
 public void testMissingPrivilegesRest() throws Exception {
 final Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
 .build();
 setup(additionalSettings);
 setupStarfleetIndex();
@@ -291,10 +291,10 @@ public void testAuthenticated() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -399,7 +399,7 @@ public void testSecurityIndexAttempt() throws Exception {
 HttpResponse response = rh.executePutRequest(".opendistro_security/config/0", "{}", encodeBasicHeader("admin", "admin"));
 Assert.assertEquals(HttpStatus.SC_FORBIDDEN, response.getStatusCode());
 Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("MISSING_PRIVILEGES"));
- Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("OPENDISTRO_SECURITY_INDEX_ATTEMPT"));
+ Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("SECURITY_INDEX_ATTEMPT"));
 Assert.assertTrue(TestAuditlogImpl.sb.toString().contains("admin"));
 Assert.assertTrue(TestAuditlogImpl.sb.toString().contains(AuditMessage.UTC_TIMESTAMP));
 Assert.assertFalse(TestAuditlogImpl.sb.toString().contains("AUTHENTICATED"));
@@ -545,10 +545,10 @@ public void testIndexPattern() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", "internal_opensearch")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_LOG_REQUEST_BODY, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_INDICES, false)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .put("opendistro_security.audit.threadpool.size", 10) //must be greater 0
 .put("opendistro_security.audit.config.index", "'auditlog-'YYYY.MM.dd.ss")
 .build();
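Review bot: The updated assertion `contains("SECURITY_INDEX_ATTEMPT")` is a substring match that is also satisfied by the old category name `OPENDISTRO_SECURITY_INDEX_ATTEMPT`, so the test no longer tells which category string the audit log actually emits. Because the category name is part of the audit record that downstream alerting and SIEM rules match on, the test should pin the new value explicitly; the smallest fix is to add `Assert.assertFalse(TestAuditlogImpl.sb.toString().contains("OPENDISTRO_SECURITY_INDEX_ATTEMPT"));` directly after the changed line. A follow-up could assert on the delimited category field rather than a bare substring, but the emitted record format is not visible in this diff. The body of testSecurityIndexAttempt starts outside the hunk.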
@@ -572,10 +572,10 @@ public void testAliases() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -616,10 +616,10 @@ public void testScroll() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -656,11 +656,11 @@ public void testAliasResolution() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -689,10 +689,10 @@ public void testAliasBadHeaders() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -714,11 +714,11 @@ public void testIndexCloseDelete() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
 .build();
 setup(additionalSettings);
@@ -746,11 +746,11 @@ public void testDeleteByQuery() throws Exception {
 final Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE")
 .build();
 setup(settings);
@@ -774,10 +774,10 @@ public void testDeleteByQuery() throws Exception {
 public void testIndexRequests() throws Exception {
 final Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "AUTHENTICATED,GRANTED_PRIVILEGES")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "AUTHENTICATED,GRANTED_PRIVILEGES")
+ .put(ConfigConstants.SECURITY_AUDIT_LOG_REQUEST_BODY, true)
 .build();
 setup(settings);
@@ -817,9 +817,9 @@ public void testIndexRequests() throws Exception {
 public void testRestMethod() throws Exception {
 final Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
 .build();
 setup(settings);
 final Header adminHeader = encodeBasicHeader("admin", "admin");
@@ -889,9 +889,9 @@ public void testRestMethod() throws Exception {
 public void testSensitiveMethodRedaction() throws Exception {
 final Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
 .build();
 setup(settings);
 rh.sendAdminCertificate = true;
diff --git a/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java
index 9fb0535aa3..110fd79a24 100644
--- a/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java
+++ b/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java
@@ -66,20 +66,20 @@ public void testExternalPemUserPass() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", "external_opensearch")
 .put("opendistro_security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort)
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, false)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH,
+ .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, false)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem"))
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH,
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crtfull.pem"))
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH,
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.key.pem"))
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME,
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME,
 "admin")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD,
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD,
 "admin")
 .build();
@@ -105,16 +105,16 @@ public void testExternalPemClientAuth() throws Exception {
 Settings additionalSettings = Settings.builder()
 .put("opendistro_security.audit.type", "external_opensearch")
 .put("opendistro_security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort)
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE")
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH,
+ .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE")
+ .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true)
+ .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, true)
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem"))
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH,
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/kirk.crtfull.pem"))
- .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH,
+ .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/kirk.key.pem"))
 .build();
@@ -139,15 +139,15 @@ public void testExternalPemUserPassTp() throws Exception { Settings additionalSettings = Settings.builder() .put("opendistro_security.audit.type", "external_opensearch") .put("opendistro_security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, + .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") + .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) + .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) + .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, true) + .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("auditlog/chain-ca.pem")) - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, + .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, "admin") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, + .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + 
ConfigConstants.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, "admin") .build(); diff --git a/src/test/java/org/opensearch/security/auditlog/routing/FallbackTest.java b/src/test/java/org/opensearch/security/auditlog/routing/FallbackTest.java index a7bd65a4c0..796bb947be 100644 --- a/src/test/java/org/opensearch/security/auditlog/routing/FallbackTest.java +++ b/src/test/java/org/opensearch/security/auditlog/routing/FallbackTest.java @@ -40,7 +40,7 @@ public class FallbackTest extends AbstractAuditlogiUnitTest { public void testFallback() throws Exception { Settings.Builder settingsBuilder = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/fallback.yml")); - Settings settings = settingsBuilder.put("path.home", ".").put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE").build(); + Settings settings = settingsBuilder.put("path.home", ".").put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE").build(); AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); diff --git a/src/test/java/org/opensearch/security/auditlog/routing/PerfTest.java b/src/test/java/org/opensearch/security/auditlog/routing/PerfTest.java index 102128dbc9..3a49cfee5b 100644 --- a/src/test/java/org/opensearch/security/auditlog/routing/PerfTest.java +++ b/src/test/java/org/opensearch/security/auditlog/routing/PerfTest.java @@ -37,7 +37,7 @@ public void testPerf() throws Exception { Settings.Builder settingsBuilder = Settings.builder().loadFromPath(FileHelper.getAbsoluteFilePathFromClassPath("auditlog/endpoints/routing/perftest.yml")); Settings settings = settingsBuilder.put("path.home", ".") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .build(); AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); 
diff --git a/src/test/java/org/opensearch/security/auditlog/routing/RouterTest.java b/src/test/java/org/opensearch/security/auditlog/routing/RouterTest.java index 5aae2d0b8d..699b1359fc 100644 --- a/src/test/java/org/opensearch/security/auditlog/routing/RouterTest.java +++ b/src/test/java/org/opensearch/security/auditlog/routing/RouterTest.java @@ -70,7 +70,7 @@ public void testMessageRouting() throws Exception { Settings settings = settingsBuilder .put("path.home", ".") - .put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") + .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .build(); AuditMessageRouter router = createMessageRouterComplianceEnabled(settings); diff --git a/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java b/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java index c6c48b6151..35cd4bc30d 100644 --- a/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java @@ -71,7 +71,7 @@ public void invalidConfFallbackTest() throws Exception { FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); - MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, fallback); + MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, fallback); auditlog.store(msg); // Webhook sink has failed ... Assert.assertEquals(null, auditlog.webhookFormat); 
@@ -96,7 +96,7 @@ public void formatsTest() throws Exception { .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) .build(); - MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null); + MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); auditlog.store(msg); Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat); Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType()); @@ -110,7 +110,7 @@ public void formatsTest() throws Exception { FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); - auditlog = new MockWebhookAuditLog(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null); + auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); auditlog.store(msg); Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat); Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType()); @@ -125,7 +125,7 @@ public void formatsTest() throws Exception { FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); - auditlog = new MockWebhookAuditLog(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null); + auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); auditlog.store(msg); Assert.assertEquals(WebhookFormat.TEXT, auditlog.webhookFormat); Assert.assertEquals(ContentType.TEXT_PLAIN, auditlog.webhookFormat.getContentType()); 
@@ -141,7 +141,7 @@ public void formatsTest() throws Exception { FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); - auditlog = new MockWebhookAuditLog(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null); + auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); auditlog.store(msg); System.out.println(auditlog.payload); Assert.assertEquals(WebhookFormat.JSON, auditlog.webhookFormat); @@ -158,7 +158,7 @@ public void formatsTest() throws Exception { FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); - auditlog = new MockWebhookAuditLog(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null); + auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null); auditlog.store(msg); Assert.assertEquals(WebhookFormat.SLACK, auditlog.webhookFormat); Assert.assertEquals(ContentType.APPLICATION_JSON, auditlog.webhookFormat.getContentType()); @@ -182,7 +182,7 @@ public void invalidUrlTest() throws Exception { .put("path.home", ".") .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);; - MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, fallback); + MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, fallback); AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); auditlog.store(msg); Assert.assertEquals(null, auditlog.url); 
@@ -206,7 +206,7 @@ public void noServerRunningHttpTest() throws Exception { .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);; - WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); auditlog.store(msg); // can't connect, no server running ... @@ -241,7 +241,7 @@ public void postGetHttpTest() throws Exception { .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);; - WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); @@ -261,7 +261,7 @@ public void postGetHttpTest() throws Exception { .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); @@ -279,7 +279,7 @@ public void postGetHttpTest() throws Exception { .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); 
@@ -296,7 +296,7 @@ public void postGetHttpTest() throws Exception { FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body.equals("")); @@ -313,7 +313,7 @@ public void postGetHttpTest() throws Exception { FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("GET")); Assert.assertEquals(null, handler.body); @@ -345,7 +345,7 @@ public void httpsTestWithoutTLSServer() throws Exception { .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);; - WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); AuditMessage msg = MockAuditMessageFactory.validAuditMessage(); auditlog.store(msg); Assert.assertTrue(handler.method == null); 
@@ -384,7 +384,7 @@ public void httpsTest() throws Exception { .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); - WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + WebhookSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); @@ -401,7 +401,7 @@ public void httpsTest() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", false) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); @@ -417,7 +417,7 @@ public void httpsTest() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); @@ -433,7 +433,7 @@ public void httpsTest() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); 
@@ -469,7 +469,7 @@ public void httpsTestPemDefault() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - AuditLogSink auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + AuditLogSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); @@ -485,7 +485,7 @@ public void httpsTestPemDefault() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); @@ -502,7 +502,7 @@ public void httpsTestPemDefault() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); 
@@ -517,7 +517,7 @@ public void httpsTestPemDefault() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); @@ -532,7 +532,7 @@ public void httpsTestPemDefault() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); @@ -548,7 +548,7 @@ public void httpsTestPemDefault() throws Exception { .put("opendistro_security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); + auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); diff --git a/src/test/java/org/opensearch/security/auth/RolesInjectorTest.java b/src/test/java/org/opensearch/security/auth/RolesInjectorTest.java index 470db7b968..13c37cf657 100644 --- a/src/test/java/org/opensearch/security/auth/RolesInjectorTest.java +++ b/src/test/java/org/opensearch/security/auth/RolesInjectorTest.java 
@@ -25,7 +25,7 @@ import java.util.List; import java.util.Set; -import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES; +import static org.opensearch.security.support.ConfigConstants.SECURITY_INJECTED_ROLES; import static org.junit.Assert.assertEquals; @@ -37,19 +37,19 @@ public void testNotInjected() { RolesInjector rolesInjector = new RolesInjector(); Set roles = rolesInjector.injectUserAndRoles(threadContext); assertEquals(null, roles); - User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); + User user = threadContext.getTransient(ConfigConstants.SECURITY_USER); assertEquals(null, user); } @Test public void testInjected() { ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - threadContext.putTransient(OPENDISTRO_SECURITY_INJECTED_ROLES, "user1|role_1,role_2"); + threadContext.putTransient(SECURITY_INJECTED_ROLES, "user1|role_1,role_2"); RolesInjector rolesInjector = new RolesInjector(); Set roles = rolesInjector.injectUserAndRoles(threadContext); - User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); + User user = threadContext.getTransient(ConfigConstants.SECURITY_USER); assertEquals("user1", user.getName()); assertEquals(0, user.getRoles().size()); assertEquals(2, roles.size()); @@ -69,13 +69,13 @@ public void testCorruptedInjection() { corruptedStrs.forEach(name -> { ThreadContext threadContext = new ThreadContext(Settings.EMPTY); - threadContext.putTransient(OPENDISTRO_SECURITY_INJECTED_ROLES, name); + threadContext.putTransient(SECURITY_INJECTED_ROLES, name); RolesInjector rolesInjector = new RolesInjector(); Set roles = rolesInjector.injectUserAndRoles(threadContext); assertEquals(null, roles); - User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); + User user = threadContext.getTransient(ConfigConstants.SECURITY_USER); assertEquals(null, user); }); } 
diff --git a/src/test/java/org/opensearch/security/auth/UserInjectorTest.java b/src/test/java/org/opensearch/security/auth/UserInjectorTest.java index d4a2265111..6bbc29d9ce 100644 --- a/src/test/java/org/opensearch/security/auth/UserInjectorTest.java +++ b/src/test/java/org/opensearch/security/auth/UserInjectorTest.java @@ -32,7 +32,7 @@ public class UserInjectorTest { public void setup() { threadPool = mock(ThreadPool.class); Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) + .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) .build(); threadContext = new ThreadContext(settings); Mockito.when(threadPool.getThreadContext()).thenReturn(threadContext); @@ -45,7 +45,7 @@ public void setup() { public void testValidInjectUser() { HashSet roles = new HashSet<>(); roles.addAll(Arrays.asList("role1", "role2")); - threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "user|role1,role2"); + threadContext.putTransient(ConfigConstants.SECURITY_INJECTED_USER, "user|role1,role2"); User injectedUser = userInjector.getInjectedUser(); assertEquals(injectedUser.getName(), "user"); assertEquals(injectedUser.getRoles(), roles); @@ -55,7 +55,7 @@ public void testValidInjectUser() { public void testInvalidInjectUser() { HashSet roles = new HashSet<>(); roles.addAll(Arrays.asList("role1", "role2")); - threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, "|role1,role2"); + threadContext.putTransient(ConfigConstants.SECURITY_INJECTED_USER, "|role1,role2"); User injectedUser = userInjector.getInjectedUser(); assertNull(injectedUser); } diff --git a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java index e4f59a95dd..e660124e05 100644 --- a/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java 
+++ b/src/test/java/org/opensearch/security/ccstest/CrossClusterSearchTests.java @@ -141,7 +141,7 @@ private Tuple setupCluster(ClusterHelper ch, ClusterTra NodeSettingsSupplier settings = minimumSecuritySettings(cluster.clusterSettings()); ClusterInfo clusterInfo = ch.startCluster(settings, ClusterConfiguration.DEFAULT); initialize(clusterInfo, cluster.transportClientSettings(), dynamicSecurityConfig); - boolean httpsEnabled = settings.get(0).getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED, false); + boolean httpsEnabled = settings.get(0).getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, false); RestHelper rh = new RestHelper(clusterInfo, httpsEnabled, httpsEnabled, getResourceFolder()); rh.sendAdminCertificate = httpsEnabled; rh.keystore = "restapi/kirk-keystore.jks"; 
@@ -883,24 +883,24 @@ public void testCcsAggregationsDnfof() throws Exception { private ClusterTransportClientSettings getBaseSettingsWithDifferentCert() { Settings cluster = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, + .put(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") - .put(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") - .putList(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") + .put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") + .putList(ConfigConstants.SECURITY_NODES_DN, "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE")//, "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE") - .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, + .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, "EMAILADDRESS=unt@xxx.com,CN=node-untspec6.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE", "CN=kirk,OU=client,O=client,l=tEst, C=De") 
- .put(ConfigConstants.OPENDISTRO_SECURITY_CERT_OID,"1.2.3.4.5.6") + .put(ConfigConstants.SECURITY_CERT_OID,"1.2.3.4.5.6") .build(); Settings transport = Settings.builder() - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) .build(); return new ClusterTransportClientSettings(cluster, transport); } @@ -944,7 +944,7 @@ public void testCcsWithDiffCertsWithNodesDnStaticallyAdded() throws Exception { ClusterTransportClientSettings cluster2 = getBaseSettingsWithDifferentCert(); Settings updatedCluster2 = Settings.builder() .put(cluster2.clusterSettings()) - .putList(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, + .putList(ConfigConstants.SECURITY_NODES_DN, "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE", "CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE") .build(); diff --git a/src/test/java/org/opensearch/security/configuration/SaltTest.java b/src/test/java/org/opensearch/security/configuration/SaltTest.java index 65a0b4535c..226acca3bf 100644 --- a/src/test/java/org/opensearch/security/configuration/SaltTest.java +++ b/src/test/java/org/opensearch/security/configuration/SaltTest.java @@ -40,7 +40,7 @@ public void testDefault() { // assert assertEquals(SALT_SIZE, salt.getSalt16().length); - assertArrayEquals(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT_DEFAULT.getBytes(StandardCharsets.UTF_8), salt.getSalt16()); + assertArrayEquals(ConfigConstants.SECURITY_COMPLIANCE_SALT_DEFAULT.getBytes(StandardCharsets.UTF_8), salt.getSalt16()); } @Test 
@@ -48,7 +48,7 @@ public void testConfig() { // arrange final String testSalt = "abcdefghijklmnop"; final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, testSalt) + .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt) .build(); // act @@ -64,7 +64,7 @@ public void testSaltUsesOnlyFirst16Bytes() { // arrange final String testSalt = "abcdefghijklmnopqrstuvwxyz"; final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, testSalt) + .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt) .build(); // act final Salt salt = Salt.from(settings); @@ -83,7 +83,7 @@ public void testSaltThrowsExceptionWhenInsufficientBytesProvided() { // arrange final String testSalt = "abcd"; final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, testSalt) + .put(ConfigConstants.SECURITY_COMPLIANCE_SALT, testSalt) .build(); // act final Salt salt = Salt.from(settings); diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/AbstractDlsFlsTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/AbstractDlsFlsTest.java index 583c3703fd..3bc24d155b 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/AbstractDlsFlsTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/AbstractDlsFlsTest.java @@ -45,7 +45,7 @@ protected final void setup(DynamicSecurityConfig dynamicSecurityConfig) throws E } protected final void setup(Settings override, DynamicSecurityConfig dynamicSecurityConfig) throws Exception { - Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, "debug").put(override).build(); + Settings settings = Settings.builder().put(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, "debug").put(override).build(); setup(Settings.EMPTY, dynamicSecurityConfig, settings, true); try(TransportClient tc = getInternalTransportClient(this.clusterInfo, Settings.EMPTY)) { 
diff --git a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsDateMathTest.java b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsDateMathTest.java index 2eb3ba656d..8645636157 100644 --- a/src/test/java/org/opensearch/security/dlic/dlsfls/DlsDateMathTest.java +++ b/src/test/java/org/opensearch/security/dlic/dlsfls/DlsDateMathTest.java @@ -55,7 +55,7 @@ protected void populateData(TransportClient tc) { @Test public void testDlsDateMathQuery() throws Exception { - final Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS,true).build(); + final Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS,true).build(); setup(settings); HttpResponse res; diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java index 820c05fb73..0a2d0fbcf9 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java @@ -47,7 +47,7 @@ public void testActionGroupsApi() throws Exception { Assert.assertNotNull(permissions); Assert.assertEquals(2, permissions.size()); Assert.assertTrue(permissions.contains("READ_UT")); - Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_WRITE")); + Assert.assertTrue(permissions.contains("SECURITY_WRITE")); // GET_UT, actiongroup does not exist response = rh.executeGetRequest("/_opendistro/_security/api/actiongroups/nothinghthere", new Header[0]); 
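Review bot: The rename on the last changed line of this hunk alters a runtime string, `Assert.assertTrue(permissions.contains("SECURITY_WRITE"))`, not a Java identifier, so the assertion now depends on the action-groups YAML fixture (not shown in this chunk) defining an action group named SECURITY_WRITE instead of OPENDISTRO_SECURITY_WRITE. The same literal renames appear in the @@ -215 and @@ -229 hunks of this file (`"SECURITY_DELETE"`, both in the PATCH body sent to the API and in the read-back assertion), in AuditApiActionTest (`"SECURITY_INDEX_ATTEMPT"`, which must match an AuditCategory constant for that PUT to succeed) and in IndexMissingTest (`"SECURITY_CLUSTER_ALL"` expected as the first cluster permission of opendistro_security_admin). Unlike the constant renames elsewhere in the patch, these values are compared against data the cluster returns, so they only pass if the corresponding fixtures and the enum were renamed in the same change; if they were not, the old literal values should stay. testActionGroupsApi continues outside the hunk.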
@@ -215,12 +215,12 @@ public void testActionGroupsApi() throws Exception { // PATCH with relative JSON pointer, must fail rh.sendAdminCertificate = true; - response = rh.executePatchRequest("/_opendistro/_security/api/actiongroups/CRUD_UT", "[{ \"op\": \"add\", \"path\": \"1/INTERNAL/allowed_actions/-\", \"value\": \"OPENDISTRO_SECURITY_DELETE\" }]", new Header[0]); + response = rh.executePatchRequest("/_opendistro/_security/api/actiongroups/CRUD_UT", "[{ \"op\": \"add\", \"path\": \"1/INTERNAL/allowed_actions/-\", \"value\": \"SECURITY_DELETE\" }]", new Header[0]); Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode()); // PATCH new format rh.sendAdminCertificate = true; - response = rh.executePatchRequest("/_opendistro/_security/api/actiongroups/CRUD_UT", "[{ \"op\": \"add\", \"path\": \"/allowed_actions/-\", \"value\": \"OPENDISTRO_SECURITY_DELETE\" }]", new Header[0]); + response = rh.executePatchRequest("/_opendistro/_security/api/actiongroups/CRUD_UT", "[{ \"op\": \"add\", \"path\": \"/allowed_actions/-\", \"value\": \"SECURITY_DELETE\" }]", new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); response = rh.executeGetRequest("/_opendistro/_security/api/actiongroups/CRUD_UT", new Header[0]); Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode()); @@ -229,8 +229,8 @@ public void testActionGroupsApi() throws Exception { Assert.assertNotNull(permissions); Assert.assertEquals(3, permissions.size()); Assert.assertTrue(permissions.contains("READ_UT")); - Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_WRITE")); - Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_DELETE")); + Assert.assertTrue(permissions.contains("SECURITY_WRITE")); + Assert.assertTrue(permissions.contains("SECURITY_DELETE")); // -- PATCH on whole config resource 
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java index c01a295960..b1ca38d955 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/AuditApiActionTest.java @@ -148,7 +148,7 @@ public void testInvalidDisabledCategories() throws Exception { // test success for transport disabled categories auditConfig = new AuditConfig(true, AuditConfig.Filter.from( ImmutableMap.of("disabled_transport_categories", - ImmutableList.of("BAD_HEADERS", "SSL_EXCEPTION", "AUTHENTICATED", "FAILED_LOGIN", "GRANTED_PRIVILEGES", "MISSING_PRIVILEGES", "INDEX_EVENT", "OPENDISTRO_SECURITY_INDEX_ATTEMPT")) + ImmutableList.of("BAD_HEADERS", "SSL_EXCEPTION", "AUTHENTICATED", "FAILED_LOGIN", "GRANTED_PRIVILEGES", "MISSING_PRIVILEGES", "INDEX_EVENT", "SECURITY_INDEX_ATTEMPT")) ), ComplianceConfig.DEFAULT); json = DefaultObjectMapper.objectMapper.valueToTree(auditConfig); response = rh.executePutRequest(CONFIG_ENDPOINT, writeValueAsString(json, false)); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java index b01e80be8f..2ef824df0c 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/IndexMissingTest.java 
@@ -90,7 +90,7 @@ protected void testHttpOperations() throws Exception {
 response = rh.executeGetRequest("_opendistro/_security/api/roles");
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 SecurityJsonNode securityJsonNode = new SecurityJsonNode(DefaultObjectMapper.readTree(response.getBody()));
-Assert.assertEquals("OPENDISTRO_SECURITY_CLUSTER_ALL", securityJsonNode.get("opendistro_security_admin").get("cluster_permissions").get(0).asString());
+Assert.assertEquals("SECURITY_CLUSTER_ALL", securityJsonNode.get("opendistro_security_admin").get("cluster_permissions").get(0).asString());
 }
 }
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/MigrationTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/MigrationTests.java
index fc68028c59..e4f3a47170 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/MigrationTests.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/MigrationTests.java
@@ -35,7 +35,7 @@ public class MigrationTests extends SingleClusterTest {
 public void testSecurityMigrate() throws Exception {
 final Settings settings = Settings.builder()
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
 .put("opendistro_security.ssl.http.enabled",true)
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
@@ -64,11 +64,11 @@ public void testSecurityMigrate() throws Exception {
 @Test
 public void testSecurityMigrateInvalid() throws Exception {
-final Settings settings = Settings.builder().put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
+final Settings settings = Settings.builder().put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
 .put("opendistro_security.ssl.http.enabled", true)
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
-.put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
+.put(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_users2.yml").setLegacy(), settings, true);
 final RestHelper rh = restHelper(); //ssl resthelper
@@ -93,7 +93,7 @@ public void testSecurityMigrateInvalid() throws Exception {
 @Test
 public void testSecurityValidate() throws Exception {
-final Settings settings = Settings.builder().put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
+final Settings settings = Settings.builder().put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
 .put("opendistro_security.ssl.http.enabled", true)
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks")).build();
@@ -113,11 +113,11 @@ public void testSecurityValidate() throws Exception {
 @Test
 public void testSecurityValidateWithInvalidConfig() throws Exception {
-final Settings settings = Settings.builder().put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
+final Settings settings = Settings.builder().put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
 .put("opendistro_security.ssl.http.enabled", true)
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
-.put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
+.put(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_users2.yml").setLegacy(), settings, true);
 final RestHelper rh = restHelper(); //ssl resthelper
@@ -139,11 +139,11 @@ public void testSecurityValidateWithInvalidConfig() throws Exception {
 @Test
 public void testSecurityMigrateWithEmptyPassword() throws Exception{
-final Settings settings = Settings.builder().put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
+final Settings settings = Settings.builder().put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
 .put("opendistro_security.ssl.http.enabled", true)
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
-.put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
+.put(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_users2.yml").setLegacy(), settings, true);
 final RestHelper rh = restHelper(); //ssl resthelper
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
index 2c507f57fc..159e725f47 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
@@ -108,8 +108,8 @@ public void testNodesDnApiWithDynamicConfigDisabled() throws Exception {
 @Test
 public void testNodesDnApi() throws Exception {
-Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, "CN=example.com")
+Settings settings = Settings.builder().put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true)
+.putList(ConfigConstants.SECURITY_NODES_DN, "CN=example.com")
 .build();
 setupWithRestRoles(settings);
@@ -158,17 +158,17 @@ public void testNodesDnApi() throws Exception {
 @Test
 public void testNodesDnApiAuditComplianceLogging() throws Exception {
-Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, "CN=example.com")
+Settings settings = Settings.builder().put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true)
+.putList(ConfigConstants.SECURITY_NODES_DN, "CN=example.com")
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
-.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+.put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+.put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+.put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
+.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setupWithRestRoles(settings);
 TestAuditlogImpl.clear();
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RoleBasedAccessTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RoleBasedAccessTest.java
index 2497c8489b..a6f52c9df1 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RoleBasedAccessTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RoleBasedAccessTest.java
@@ -108,7 +108,7 @@ public void testActionGroupsApi() throws Exception {
 // settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
 // Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 // Assert.assertEquals("", settings.getAsList("ALL").get(0), "indices:*");
-// Assert.assertEquals("", settings.getAsList("OPENDISTRO_SECURITY_CLUSTER_MONITOR").get(0), "cluster:monitor/*");
+// Assert.assertEquals("", settings.getAsList("SECURITY_CLUSTER_MONITOR").get(0), "cluster:monitor/*");
 // new format for action groups
 // Assert.assertEquals("", settings.getAsList("CRUD.permissions").get(0), "READ_UT");
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java
index 34d6a3d74a..ee41267b67 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/RolesApiTest.java
@@ -385,8 +385,8 @@ public void testRolesApi() throws Exception {
 permissions = DefaultObjectMapper.objectMapper.convertValue(settings.get("opendistro_security_role_starfleet").get("indices").get("sf").get("ships"), List.class);
 Assert.assertNotNull(permissions);
 Assert.assertEquals(2, permissions.size());
-Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_READ"));
-Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_SEARCH")); */
+Assert.assertTrue(permissions.contains("SECURITY_READ"));
+Assert.assertTrue(permissions.contains("SECURITY_SEARCH")); */
 // -- PATCH on whole config resource
 // PATCH on non-existing resource
@@ -418,13 +418,13 @@ public void testRolesApi() throws Exception {
 // PATCH value of hidden flag, must fail with validation error
 rh.sendAdminCertificate = true;
-response = rh.executePatchRequest("/_opendistro/_security/api/roles", "[{ \"op\": \"add\", \"path\": \"/newnewnew\", \"value\": { \"hidden\": true, \"index_permissions\" : [ {\"index_patterns\" : [ \"sf\" ],\"allowed_actions\" : [ \"OPENDISTRO_SECURITY_READ\" ]}] }}]", new Header[0]);
+response = rh.executePatchRequest("/_opendistro/_security/api/roles", "[{ \"op\": \"add\", \"path\": \"/newnewnew\", \"value\": { \"hidden\": true, \"index_permissions\" : [ {\"index_patterns\" : [ \"sf\" ],\"allowed_actions\" : [ \"SECURITY_READ\" ]}] }}]", new Header[0]);
 Assert.assertEquals(HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
 Assert.assertTrue(response.getBody().matches(".*\"invalid_keys\"\\s*:\\s*\\{\\s*\"keys\"\\s*:\\s*\"hidden\"\\s*\\}.*"));
 // PATCH
 rh.sendAdminCertificate = true;
-response = rh.executePatchRequest("/_opendistro/_security/api/roles", "[{ \"op\": \"add\", \"path\": \"/bulknew1\", \"value\": { \"index_permissions\" : [ {\"index_patterns\" : [ \"sf\" ],\"allowed_actions\" : [ \"OPENDISTRO_SECURITY_READ\" ]}] }}]", new Header[0]);
+response = rh.executePatchRequest("/_opendistro/_security/api/roles", "[{ \"op\": \"add\", \"path\": \"/bulknew1\", \"value\": { \"index_permissions\" : [ {\"index_patterns\" : [ \"sf\" ],\"allowed_actions\" : [ \"SECURITY_READ\" ]}] }}]", new Header[0]);
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 response = rh.executeGetRequest("/_opendistro/_security/api/roles/bulknew1", new Header[0]);
 Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
@@ -432,7 +432,7 @@ public void testRolesApi() throws Exception {
 permissions = new SecurityJsonNode(settings).get("bulknew1").get("index_permissions").get(0).get("allowed_actions").asList();
 Assert.assertNotNull(permissions);
 Assert.assertEquals(1, permissions.size());
-Assert.assertTrue(permissions.contains("OPENDISTRO_SECURITY_READ"));
+Assert.assertTrue(permissions.contains("SECURITY_READ"));
 // delete resource
 rh.sendAdminCertificate = true;
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiTest.java
index 0d7f550276..95880d8818 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiTest.java
@@ -55,7 +55,7 @@ public void testSecurityConfigApiRead() throws Exception {
 @Test
 public void testSecurityConfigApiWrite() throws Exception {
-Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build();
+Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build();
 setup(settings);
 rh.keystore = "restapi/kirk-keystore.jks";
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java
index b9466667b8..0844e3a553 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/TenantInfoActionTest.java
@@ -30,7 +30,7 @@ public class TenantInfoActionTest extends AbstractRestApiUnitTest {
 @Test
 public void testTenantInfoAPI() throws Exception {
-Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build();
+Settings settings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, true).build();
 setup(settings);
 rh.keystore = "restapi/kirk-keystore.jks";
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
index 8769b83518..22bd541143 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java
@@ -381,8 +381,8 @@ public void testPasswordRules() throws Exception {
 Settings nodeSettings = Settings.builder()
-.put(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, "xxx")
-.put(ConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX,
+.put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, "xxx")
+.put(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX,
 "(?=.*[A-Z])(?=.*[^a-zA-Z\\\\d])(?=.*[0-9])(?=.*[a-z]).{8,}")
 .build();
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java
index fe0853f2ce..b5ac4bf9da 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java
@@ -181,14 +181,14 @@ public void testWhitelistApi() throws Exception {
 public void testWhitelistAuditComplianceLogging() throws Exception {
 Settings settings = Settings.builder()
 .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
-.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
-.put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+.put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
+.put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
+.put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
+.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, true)
+.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false)
+.put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, true)
+.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
+.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "authenticated,GRANTED_PRIVILEGES")
 .build();
 setupWithRestRoles(settings);
 TestAuditlogImpl.clear();
diff --git a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
index ba2bd1840a..3c48446840 100644
--- a/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
+++ b/src/test/java/org/opensearch/security/filter/SecurityFilterTest.java
@@ -57,11 +57,11 @@ public static Collection data() {
 return Arrays.asList(new Object[][]{
 {Settings.EMPTY, WildcardMatcher.NONE},
 {Settings.builder()
-.putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "immutable1", "immutable2")
+.putList(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "immutable1", "immutable2")
 .build(),
 WildcardMatcher.from(ImmutableSet.of("immutable1", "immutable2"))},
 {Settings.builder()
-.putList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "immutable1", "immutable2", "immutable2")
+.putList(ConfigConstants.SECURITY_COMPLIANCE_IMMUTABLE_INDICES, "immutable1", "immutable2", "immutable2")
 .build(),
 WildcardMatcher.from(ImmutableSet.of("immutable1", "immutable2"))},
 });
diff --git a/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java
index da4e6534e9..82ca4033f6 100644
--- a/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java
+++ b/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java
@@ -68,7 +68,7 @@ public class HTTPExtendedProxyAuthenticatorTest {
 @Before
 public void setup() {
-context.putTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE, Boolean.TRUE);
+context.putTransient(ConfigConstants.SECURITY_XFF_DONE, Boolean.TRUE);
 settings = Settings.builder()
 .put("user_header","user")
 .build();
diff --git a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
index 1bd59287ab..96595580cc 100644
--- a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
+++ b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
@@ -78,8 +78,8 @@ public void testSslConnection() throws Exception {
 final Settings settings = Settings.builder()
 .put("opendistro_security.ssl.http.enabled", true)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false)
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
 .build();
@@ -111,8 +111,8 @@ public void testSslConnectionPKIAuth() throws Exception {
 final Settings settings = Settings.builder()
 .put("opendistro_security.ssl.http.enabled", true)
 .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false)
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
 .build();
diff --git a/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java b/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java
index 6b6cb83cd2..2a0b53fd0d 100644
--- a/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java
+++ b/src/test/java/org/opensearch/security/multitenancy/test/MultitenancyTests.java
@@ -51,7 +51,7 @@ protected String getResourceFolder() {
 public void testNoDnfof() throws Exception {
 final Settings settings = Settings.builder()
-.put(ConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH")
+.put(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, "BOTH")
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_nodnfof.yml"), settings);
diff --git a/src/test/java/org/opensearch/security/protected_indices/ProtectedIndicesTests.java b/src/test/java/org/opensearch/security/protected_indices/ProtectedIndicesTests.java
index 58f0219828..48bb1e3347 100644
--- a/src/test/java/org/opensearch/security/protected_indices/ProtectedIndicesTests.java
+++ b/src/test/java/org/opensearch/security/protected_indices/ProtectedIndicesTests.java
@@ -84,9 +84,9 @@ public class ProtectedIndicesTests extends SingleClusterTest {
 public void setupSettingsEnabled() throws Exception {
 // Setup settings
 Settings protectedIndexSettings = Settings.builder()
-.put(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, true)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles)
+.put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true)
+.putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest)
+.putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig()
@@ -101,9 +101,9 @@ public void setupSettingsEnabled() throws Exception {
 public void setupSettingsIndexPatterns() throws Exception {
 // Setup settings
 Settings protectedIndexSettings = Settings.builder()
-.put(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, true)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, listOfIndexPatternsToTest)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles)
+.put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true)
+.putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexPatternsToTest)
+.putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig()
@@ -125,9 +125,9 @@ public void setupSettingsIndexPatterns() throws Exception {
 public void setupSettingsDisabled() throws Exception {
 // Setup settings
 Settings protectedIndexSettings = Settings.builder()
-.put(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, false)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles)
+.put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, false)
+.putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest)
+.putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig()
@@ -142,9 +142,9 @@ public void setupSettingsDisabled() throws Exception {
 public void setupSettingsEnabledSnapshot() throws Exception {
 final Settings settings = Settings.builder()
 .putList("path.repo", repositoryPath.getRoot().getAbsolutePath())
-.put(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, true)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest)
-.putList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles)
+.put(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, true)
+.putList(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, listOfIndexesToTest)
+.putList(ConfigConstants.SECURITY_PROTECTED_INDICES_ROLES_KEY, protectedIndexRoles)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig()
diff --git a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java
index c85f54a642..1e9c1bff38 100644
--- a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java
+++ b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java
@@ -72,8 +72,8 @@ public void setup() {
 public void testEnsureOpenSSLAvailability() {
 //Assert.assertTrue("OpenSSL not available: "+String.valueOf(OpenSsl.unavailabilityCause()), OpenSsl.isAvailable());
-final String openSSLOptional = System.getenv("OPENDISTRO_SECURITY_TEST_OPENSSL_OPT");
-System.out.println("OPENDISTRO_SECURITY_TEST_OPENSSL_OPT "+openSSLOptional);
+final String openSSLOptional = System.getenv("SECURITY_TEST_OPENSSL_OPT");
+System.out.println("SECURITY_TEST_OPENSSL_OPT "+openSSLOptional);
 if(!Boolean.parseBoolean(openSSLOptional)) {
 System.out.println("OpenSSL must be available");
 Assert.assertTrue("OpenSSL not available: "+String.valueOf(OpenSsl.unavailabilityCause()), OpenSsl.isAvailable());
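Review bot: `System.getenv("SECURITY_TEST_OPENSSL_OPT")` on the added line in OpenSSLTest renames an environment variable, which is a contract with CI runners and developer shells rather than with the compiler, so nothing fails at build time if a runner is not updated. A runner that still exports `OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true` now gets `null`, `Boolean.parseBoolean(null)` is false, and the test silently switches to the strict branch that asserts OpenSSL is available; whether the workflow file is updated in the same change is not visible from this hunk. A transitional fallback keeps both names working during the rename: `final String newOpt = System.getenv("SECURITY_TEST_OPENSSL_OPT");` followed by `final String openSSLOptional = newOpt != null ? newOpt : System.getenv("OPENDISTRO_SECURITY_TEST_OPENSSL_OPT");`, with the println label adjusted to match. testEnsureOpenSSLAvailability continues outside the hunk.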
@@ -202,16 +202,16 @@ public void testNodeClientSSLwithOpenSslTLSv13() throws Exception {
 Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L);
 final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
-.put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
+.put(ConfigConstants.SECURITY_SSL_ONLY, true)
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
 .put("opendistro_security.ssl.transport.resolve_hostname", false)
-.putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
-.putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_CHACHA20_POLY1305_SHA256")
+.putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
+.putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_CHACHA20_POLY1305_SHA256")
 .put("node.max_local_storage_nodes",4)
 .build();
diff --git a/src/test/java/org/opensearch/security/ssl/SSLTest.java b/src/test/java/org/opensearch/security/ssl/SSLTest.java
index e17fe99c7d..17ce0325cc 100644
--- a/src/test/java/org/opensearch/security/ssl/SSLTest.java
+++ b/src/test/java/org/opensearch/security/ssl/SSLTest.java
@@ -79,15 +79,15 @@ public class SSLTest extends SingleClusterTest {
 public void testHttps() throws Exception {
 final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true)
+.put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put("opendistro_security.ssl.http.enabled", true)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
-.putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2")
-.putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
-.putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2")
-.putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
+.putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2")
+.putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
+.putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2")
+.putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 .build();
@@ -120,10 +120,10 @@ public void testCipherAndProtocols() throws Exception {
 System.out.println("allowOpenSSL: "+allowOpenSSL);
 Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false)
-.put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+.put(ConfigConstants.SECURITY_SSL_ONLY, true)
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true)
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
@@ -152,9 +152,9 @@ public void testCipherAndProtocols() throws Exception {
 }
 settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
-.put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
-.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+.put(ConfigConstants.SECURITY_SSL_ONLY, true)
+.put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 //WEAK and insecure cipher, do NOT use this, its here for unittesting only!!!
@@ -209,10 +209,10 @@ public void testCipherAndProtocols() throws Exception { public void testHttpsOptionalAuth() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); 
@@ -234,11 +234,11 @@ public void testHttpsOptionalAuth() throws Exception { public void testHttpsAndNodeSSL() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) 
@@ -273,22 +273,22 @@ public void testHttpsAndNodeSSL() throws Exception { public void testHttpsAndNodeSSLPem() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) - //.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) + //.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. 
getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) .put("opendistro_security.ssl.transport.resolve_hostname", false) .put("opendistro_security.ssl.http.enabled", true) .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) - //.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) + //.put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) .build(); setupSslOnlyMode(settings); 
@@ -310,22 +310,22 @@ public void testHttpsAndNodeSSLPem() throws Exception { public void testHttpsAndNodeSSLPemEnc() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.crt.pem")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.crt.pem")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. 
getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) .put("opendistro_security.ssl.transport.resolve_hostname", false) .put("opendistro_security.ssl.http.enabled", true) .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.crt.pem")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.crt.pem")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) .build(); setupSslOnlyMode(settings); 
@@ -348,11 +348,11 @@ public void testHttpsAndNodeSSLPemEnc() throws Exception { public void testHttpsAndNodeSSLFailedCipher() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) 
@@ -382,10 +382,10 @@ public void testHttpPlainFail() throws Exception { thrown.expect(NoHttpResponseException.class); final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) .put("opendistro_security.ssl.http.clientauth_mode", "OPTIONAL") .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); 
@@ -407,10 +407,10 @@ public void testHttpPlainFail() throws Exception { public void testHttpsNoEnforce() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) .put("opendistro_security.ssl.http.clientauth_mode", "NONE") .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); 
@@ -431,10 +431,10 @@ public void testHttpsNoEnforce() throws Exception { public void testHttpsEnforceFail() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); 
@@ -463,10 +463,10 @@ public void testHttpsV3Fail() throws Exception { thrown.expect(SSLHandshakeException.class); final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) .put("opendistro_security.ssl.http.clientauth_mode", "NONE") .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); 
@@ -488,10 +488,10 @@ public void testHttpsV3Fail() throws Exception { public void testTransportClientSSL() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) 
@@ -525,10 +525,10 @@ public void testTransportClientSSL() throws Exception { public void testTransportClientSSLExternalContext() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) 
@@ -592,10 +592,10 @@ public void testTransportClientSSLExternalContext() throws Exception { public void testNodeClientSSL() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) 
@@ -637,10 +637,10 @@ public void testTransportClientSSLFail() throws Exception { thrown.expect(IllegalStateException.class); final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) 
@@ -695,16 +695,16 @@ public void testUnmodifieableCipherProtocolConfig() throws Exception { public void testCustomPrincipalExtractor() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) .put("opendistro_security.ssl.transport.resolve_hostname", false) .put("opendistro_security.ssl.transport.principal_extractor_class", "org.opensearch.security.ssl.TestPrincipalExtractor") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.http.enabled", true) .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); 
@@ -749,24 +749,24 @@ public void testCustomPrincipalExtractor() throws Exception { public void testCRLPem() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) - //.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) + //.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. 
getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) .put("opendistro_security.ssl.transport.resolve_hostname", false) .put("opendistro_security.ssl.http.enabled", true) .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) - //.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/chain-ca.pem")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATE, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, CertificateValidatorTest.CRL_DATE.getTime()) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) + //.put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/chain-ca.pem")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, CertificateValidatorTest.CRL_DATE.getTime()) .build(); setupSslOnlyMode(settings); 
@@ -783,16 +783,16 @@ public void testCRLPem() throws Exception { public void testCRL() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATE, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_FILE, FileHelper. getAbsoluteFilePathFromClassPath("ssl/crl/revoked.crl")) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, CertificateValidatorTest.CRL_DATE.getTime()) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, FileHelper. getAbsoluteFilePathFromClassPath("ssl/crl/revoked.crl")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, CertificateValidatorTest.CRL_DATE.getTime()) .build(); setupSslOnlyMode(settings); 
@@ -813,16 +813,16 @@ public void testNodeClientSSLwithJavaTLSv13() throws Exception { Assume.assumeTrue(!allowOpenSSL && PlatformDependent.javaVersion() >= 11); final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) .put("opendistro_security.ssl.transport.resolve_hostname", false) - .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3") - .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_AES_128_GCM_SHA256") + .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3") + .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_AES_128_GCM_SHA256") .build(); setupSslOnlyMode(settings); 
@@ -857,18 +857,18 @@ public void testNodeClientSSLwithJavaTLSv13() throws Exception { public void testTLSv1() throws Exception { final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) - .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) .put("opendistro_security.ssl.transport.resolve_hostname", false) - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1") - .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true) .build(); setupSslOnlyMode(settings); 
@@ -885,21 +885,21 @@ public void testTLSv1() throws Exception {
 public void testHttpsAndNodeSSLKeyPass() throws Exception {
 final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
+ .put(ConfigConstants.SECURITY_SSL_ONLY, true)
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, "changeit")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, "changeit")
 .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
 .put("opendistro_security.ssl.transport.resolve_hostname", false)
 .put("opendistro_security.ssl.http.enabled", true).put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "changeit")
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "changeit")
 .build();
@@ -927,28 +927,28 @@ public void testHttpsAndNodeSSLKeyPass() throws Exception {
 public void testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled() throws Exception {
 final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(ConfigConstants.SECURITY_SSL_ONLY, true)
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, "node-0-client")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, "node-0-server")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, "root-ca")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, "root-ca")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, true)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, "node-0-client")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, "node-0-server")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, "root-ca")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, "root-ca")
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-0-keystore.jks"))
 .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/truststore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")
 .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
 .put("opendistro_security.ssl.transport.resolve_hostname", false)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("opendistro_security.ssl.http.enabled", true).put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "changeit")
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "changeit")
 .build();
@@ -976,21 +976,21 @@ public void testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled() throws Exception {
 public void testHttpsAndNodeSSLKeyPassFail() throws Exception {
 final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
+ .put(ConfigConstants.SECURITY_SSL_ONLY, true)
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, "wrongpass")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, "wrongpass")
 .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
 .put("opendistro_security.ssl.transport.resolve_hostname", false)
 .put("opendistro_security.ssl.http.enabled", true).put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "wrongpass")
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "wrongpass")
 .build();
@@ -1010,24 +1010,24 @@ public void testHttpsAndNodeSSLKeyPassFail() throws Exception {
 public void testHttpsAndNodeSSLPemExtendedUsageEnabled() throws Exception {
 final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
- .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-client.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-key-client.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/root-ca.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-server.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-key-server.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/root-ca.pem"))
+ .put(ConfigConstants.SECURITY_SSL_ONLY, true)
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, true)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-client.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-key-client.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/root-ca.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-server.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-key-server.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/root-ca.pem"))
 .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
 .put("opendistro_security.ssl.transport.resolve_hostname", false)
 .put("opendistro_security.ssl.http.enabled", true)
 .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
 .build();
 setupSslOnlyMode(settings);
diff --git a/src/test/java/org/opensearch/security/ssl/SecuritySSLCertsInfoActionTests.java b/src/test/java/org/opensearch/security/ssl/SecuritySSLCertsInfoActionTests.java
index 590927997c..75919b968a 100644
--- a/src/test/java/org/opensearch/security/ssl/SecuritySSLCertsInfoActionTests.java
+++ b/src/test/java/org/opensearch/security/ssl/SecuritySSLCertsInfoActionTests.java
@@ -78,17 +78,17 @@ public void testCertInfoFail_NonAdmin() throws Exception {
 */
 private void initTestCluster() throws Exception {
 final Settings settings = Settings.builder()
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
- .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED, true)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
+ .put(ConfigConstants.SECURITY_SSL_CERT_RELOAD_ENABLED, true)
 .build();
 setup(settings);
 }
diff --git a/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java b/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java
index 233a7251ab..f3be16a166 100644
--- a/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java
+++ b/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java
@@ -261,26 +261,26 @@ public void testSSLReloadFail_NoReloadSet() throws Exception {
 */
 private void initTestCluster(final String transportPemCertFilePath, final String transportPemKeyFilePath, final String httpPemCertFilePath, final String httpPemKeyFilePath, final boolean sslCertReload) throws Exception {
 final Settings settings = Settings.builder()
- .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, "CN=kirk,OU=client,O=client,L=Test,C=DE")
- .putList(ConfigConstants.OPENDISTRO_SECURITY_NODES_DN, "C=DE,L=Test,O=Test,OU=SSL,CN=node-1.example.com")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED, true)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, transportPemCertFilePath)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, transportPemKeyFilePath)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/root-ca.pem"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, httpPemCertFilePath) // "ssl/reload/node.crt.pem"
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, httpPemKeyFilePath) // "ssl/reload/node.key.pem"
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/root-ca.pem"))
- .put(ConfigConstants.OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED, sslCertReload)
+ .putList(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, "CN=kirk,OU=client,O=client,L=Test,C=DE")
+ .putList(ConfigConstants.SECURITY_NODES_DN, "C=DE,L=Test,O=Test,OU=SSL,CN=node-1.example.com")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, true)
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, transportPemCertFilePath)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, transportPemKeyFilePath)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/root-ca.pem"))
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, httpPemCertFilePath) // "ssl/reload/node.crt.pem"
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, httpPemKeyFilePath) // "ssl/reload/node.key.pem"
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/root-ca.pem"))
+ .put(ConfigConstants.SECURITY_SSL_CERT_RELOAD_ENABLED, sslCertReload)
 .build();
 final Settings initTransportClientSettings = Settings.builder()
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/truststore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/kirk-keystore.jks"))
 .build();
diff --git a/src/test/java/org/opensearch/security/system_indices/SystemIndicesTests.java b/src/test/java/org/opensearch/security/system_indices/SystemIndicesTests.java
index 3d6d5893f5..14779b9278 100644
--- a/src/test/java/org/opensearch/security/system_indices/SystemIndicesTests.java
+++ b/src/test/java/org/opensearch/security/system_indices/SystemIndicesTests.java
@@ -61,8 +61,8 @@ public class SystemIndicesTests extends SingleClusterTest {
 private void setupSystemIndicesDisabledWithSsl() throws Exception {
 Settings systemIndexSettings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, false)
- .putList(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY, listOfIndexesToTest)
+ .put(ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY, false)
+ .putList(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY, listOfIndexesToTest)
 .put("opendistro_security.ssl.http.enabled",true)
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
@@ -81,8 +81,8 @@ private void setupSystemIndicesDisabledWithSsl() throws Exception {
 private void setupSystemIndicesEnabledWithSsl() throws Exception {
 Settings systemIndexSettings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, true)
- .putList(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY, listOfIndexesToTest)
+ .put(ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY, true)
+ .putList(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY, listOfIndexesToTest)
 .put("opendistro_security.ssl.http.enabled",true)
 .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
 .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
diff --git a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java
index d4153be941..13d419f692 100644
--- a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java
+++ b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java
@@ -224,21 +224,21 @@ protected Settings.Builder minimumSecuritySettingsBuilder(int node, boolean sslO
 final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/";
 Settings.Builder builder = Settings.builder()
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL);
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL);
 // If custom transport settings are not defined use defaults
 if (!hasCustomTransportSettings(other)) {
- builder.put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
+ builder.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
 FileHelper.getAbsoluteFilePathFromClassPath(prefix+"node-0-keystore.jks"))
- .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks"))
+ .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks"))
 .put("opendistro_security.ssl.transport.enforce_hostname_verification", false);
 }
 if(!sslOnly) {
 builder.putList("opendistro_security.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=tEst, C=De");
- builder.put(ConfigConstants.OPENDISTRO_SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, false);
+ builder.put(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, false);
 }
 builder.put(other);
@@ -310,7 +310,7 @@ protected String getType() {
 */
 protected boolean hasCustomTransportSettings(Settings customSettings) {
 // If Transport key extended usage is enabled this is true
- return Boolean.parseBoolean(customSettings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED)) ||
- customSettings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH) != null;
+ return Boolean.parseBoolean(customSettings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED)) ||
+ customSettings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH) != null;
 }
 }
diff --git a/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java b/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
index fff5f6987b..54ea99dfdc 100644
--- a/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
+++ b/src/test/java/org/opensearch/security/test/plugin/UserInjectorPlugin.java
@@ -101,14 +101,14 @@ public UserInjectingDispatcher(final Dispatcher originalDispatcher) {
 @Override
 public void dispatchRequest(RestRequest request, RestChannel channel, ThreadContext threadContext) {
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, request.header(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER));
+ threadContext.putTransient(ConfigConstants.SECURITY_INJECTED_USER, request.header(ConfigConstants.SECURITY_INJECTED_USER));
 originalDispatcher.dispatchRequest(request, channel, threadContext);
 }
 @Override
 public void dispatchBadRequest(RestChannel channel, ThreadContext threadContext, Throwable cause) {
- threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER, channel.request().header(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_USER));
+ threadContext.putTransient(ConfigConstants.SECURITY_INJECTED_USER, channel.request().header(ConfigConstants.SECURITY_INJECTED_USER));
 originalDispatcher.dispatchBadRequest(channel, threadContext, cause);
 }
 }
diff --git a/src/test/resources/action_groups.yml b/src/test/resources/action_groups.yml
index dee9e2e8c5..4a57d98875 100644
--- a/src/test/resources/action_groups.yml
+++ b/src/test/resources/action_groups.yml
@@ -2,7 +2,7 @@ _meta:
 type: "actiongroups"
 config_version: 2
-OPENDISTRO_SECURITY_CLUSTER_ALL:
+SECURITY_CLUSTER_ALL:
 reserved: false
 hidden: false
 allowed_actions:
@@ -16,21 +16,21 @@ ALL:
 - "indices:*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CRUD:
+SECURITY_CRUD:
 reserved: false
 hidden: false
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
- - "OPENDISTRO_SECURITY_WRITE"
+ - "SECURITY_READ"
+ - "SECURITY_WRITE"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_SEARCH:
+SECURITY_SEARCH:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:data/read/search*"
 - "indices:data/read/msearch*"
- - "OPENDISTRO_SECURITY_SUGGEST"
+ - "SECURITY_SUGGEST"
 type: "index"
 description: "Migrated from v6"
 MONITOR:
@@ -40,7 +40,7 @@ MONITOR:
 - "indices:monitor/*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_DATA_ACCESS:
+SECURITY_DATA_ACCESS:
 reserved: false
 hidden: false
 allowed_actions:
@@ -48,7 +48,7 @@ OPENDISTRO_SECURITY_DATA_ACCESS:
 - "indices:admin/mapping/put"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CREATE_INDEX:
+SECURITY_CREATE_INDEX:
 reserved: false
 hidden: false
 allowed_actions:
@@ -56,7 +56,7 @@ OPENDISTRO_SECURITY_CREATE_INDEX:
 - "indices:admin/mapping/put"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_WRITE:
+SECURITY_WRITE:
 reserved: false
 hidden: false
 allowed_actions:
@@ -64,38 +64,38 @@ OPENDISTRO_SECURITY_WRITE:
 - "indices:admin/mapping/put"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_MANAGE_ALIASES:
+SECURITY_MANAGE_ALIASES:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:admin/aliases*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_READ:
+SECURITY_READ:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:data/read*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_DELETE:
+SECURITY_DELETE:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:data/write/delete*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS:
+SECURITY_CLUSTER_COMPOSITE_OPS:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:data/write/bulk"
 - "indices:admin/aliases*"
 - "indices:data/write/reindex"
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS_RO"
 type: "cluster"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO:
+SECURITY_CLUSTER_COMPOSITE_OPS_RO:
 reserved: false
 hidden: false
 allowed_actions:
@@ -107,7 +107,7 @@ OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO:
 - "indices:admin/aliases/get*"
 type: "cluster"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_GET:
+SECURITY_GET:
 reserved: false
 hidden: false
 allowed_actions:
@@ -115,7 +115,7 @@ OPENDISTRO_SECURITY_GET:
 - "indices:data/read/mget*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_MANAGE:
+SECURITY_MANAGE:
 reserved: false
 hidden: false
 allowed_actions:
@@ -123,14 +123,14 @@ OPENDISTRO_SECURITY_MANAGE:
 - "indices:admin/*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CLUSTER_MONITOR:
+SECURITY_CLUSTER_MONITOR:
 reserved: false
 hidden: false
 allowed_actions:
 - "cluster:monitor/*"
 type: "cluster"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_INDEX:
+SECURITY_INDEX:
 reserved: false
 hidden: false
 allowed_actions:
@@ -139,7 +139,7 @@ OPENDISTRO_SECURITY_INDEX:
 - "indices:admin/mapping/put"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_SUGGEST:
+SECURITY_SUGGEST:
 reserved: false
 hidden: false
 allowed_actions:
diff --git a/src/test/resources/action_groups_packaged.yml b/src/test/resources/action_groups_packaged.yml
index 2c7a4feb63..d442f1be9b 100644
--- a/src/test/resources/action_groups_packaged.yml
+++ b/src/test/resources/action_groups_packaged.yml
@@ -2,7 +2,7 @@ _meta:
 type: "actiongroups"
 config_version: 2
-OPENDISTRO_SECURITY_CLUSTER_ALL:
+SECURITY_CLUSTER_ALL:
 reserved: false
 hidden: false
 allowed_actions:
@@ -13,42 +13,42 @@ ALL:
 reserved: false
 hidden: false
 allowed_actions:
- - "OPENDISTRO_SECURITY_INDICES_ALL"
+ - "SECURITY_INDICES_ALL"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CRUD:
+SECURITY_CRUD:
 reserved: false
 hidden: false
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
- - "OPENDISTRO_SECURITY_WRITE"
+ - "SECURITY_READ"
+ - "SECURITY_WRITE"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_SEARCH:
+SECURITY_SEARCH:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:data/read/search*"
 - "indices:data/read/msearch*"
- - "OPENDISTRO_SECURITY_SUGGEST"
+ - "SECURITY_SUGGEST"
 type: "index"
 description: "Migrated from v6"
 MONITOR:
 reserved: false
 hidden: false
 allowed_actions:
- - "OPENDISTRO_SECURITY_INDICES_MONITOR"
+ - "SECURITY_INDICES_MONITOR"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_DATA_ACCESS:
+SECURITY_DATA_ACCESS:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:data/*"
- - "OPENDISTRO_SECURITY_CRUD"
+ - "SECURITY_CRUD"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CREATE_INDEX:
+SECURITY_CREATE_INDEX:
 reserved: false
 hidden: false
 allowed_actions:
@@ -56,7 +56,7 @@ OPENDISTRO_SECURITY_CREATE_INDEX:
 - "indices:admin/mapping/put"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_WRITE:
+SECURITY_WRITE:
 reserved: false
 hidden: false
 allowed_actions:
@@ -64,14 +64,14 @@ OPENDISTRO_SECURITY_WRITE:
 - "indices:admin/mapping/put"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_MANAGE_ALIASES:
+SECURITY_MANAGE_ALIASES:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:admin/aliases*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_READ:
+SECURITY_READ:
 reserved: false
 hidden: false
 allowed_actions:
@@ -79,30 +79,30 @@ OPENDISTRO_SECURITY_READ:
 - "indices:admin/mappings/fields/get*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_INDICES_ALL:
+SECURITY_INDICES_ALL:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_DELETE:
+SECURITY_DELETE:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:data/write/delete*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS:
+SECURITY_CLUSTER_COMPOSITE_OPS:
 reserved: false
 hidden: false
 allowed_actions:
 - "indices:data/write/bulk"
 - "indices:admin/aliases*"
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS_RO"
 type: "cluster"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO:
+SECURITY_CLUSTER_COMPOSITE_OPS_RO:
 reserved: false
 hidden: false
 allowed_actions:
@@ -114,7 +114,7 @@ OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO:
 - "indices:admin/aliases/get*"
 type: "cluster"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_GET:
+SECURITY_GET:
 reserved: false
 hidden: false
 allowed_actions:
@@ -122,7 +122,7 @@ OPENDISTRO_SECURITY_GET:
 - "indices:data/read/mget*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_MANAGE:
+SECURITY_MANAGE:
 reserved: false
 hidden: false
 allowed_actions:
@@ -130,14 +130,14 @@ OPENDISTRO_SECURITY_MANAGE:
 - "indices:admin/*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_CLUSTER_MONITOR:
+SECURITY_CLUSTER_MONITOR:
 reserved: false
 hidden: false
 allowed_actions:
 - "cluster:monitor/*"
 type: "cluster"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS:
+SECURITY_MANAGE_SNAPSHOTS:
 reserved: false
 hidden: false
 allowed_actions:
@@ -145,7 +145,7 @@ OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS:
 - "cluster:admin/repository/*"
 type: "index"
 description: "Migrated from v6"
-OPENDISTRO_SECURITY_INDEX:
+SECURITY_INDEX:
 reserved: false
 hidden: false
 allowed_actions:
@@ -155,21 +155,21 @@ OPENDISTRO_SECURITY_INDEX: - "indices:data/write/bulk*" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_UNLIMITED: +SECURITY_UNLIMITED: reserved: false hidden: false allowed_actions: - "*" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_INDICES_MONITOR: +SECURITY_INDICES_MONITOR: reserved: false hidden: false allowed_actions: - "indices:monitor/*" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_SUGGEST: +SECURITY_SUGGEST: reserved: false hidden: false allowed_actions: diff --git a/src/test/resources/auditlog/action_groups.yml b/src/test/resources/auditlog/action_groups.yml index 5f0a6c57b8..d1ecd933fb 100644 --- a/src/test/resources/auditlog/action_groups.yml +++ b/src/test/resources/auditlog/action_groups.yml @@ -2,7 +2,7 @@ _meta: type: "actiongroups" config_version: 2 -OPENDISTRO_SECURITY_CLUSTER_ALL: +SECURITY_CLUSTER_ALL: reserved: false hidden: false allowed_actions: @@ -16,21 +16,21 @@ ALL: - "indices:*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CRUD: +SECURITY_CRUD: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_WRITE" + - "SECURITY_READ" + - "SECURITY_WRITE" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SEARCH: +SECURITY_SEARCH: reserved: false hidden: false allowed_actions: - "indices:data/read/search*" - "indices:data/read/msearch*" - - "OPENDISTRO_SECURITY_SUGGEST" + - "SECURITY_SUGGEST" type: "unknown" description: "Migrated from v6 (legacy)" MONITOR: 
@@ -40,49 +40,49 @@ MONITOR: - "indices:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DATA_ACCESS: +SECURITY_DATA_ACCESS: reserved: false hidden: false allowed_actions: - "indices:data/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CREATE_INDEX: +SECURITY_CREATE_INDEX: reserved: false hidden: false allowed_actions: - "indices:admin/create" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_WRITE: +SECURITY_WRITE: reserved: false hidden: false allowed_actions: - "indices:data/write*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE_ALIASES: +SECURITY_MANAGE_ALIASES: reserved: false hidden: false allowed_actions: - "indices:admin/aliases*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_READ: +SECURITY_READ: reserved: false hidden: false allowed_actions: - "indices:data/read*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DELETE: +SECURITY_DELETE: reserved: false hidden: false allowed_actions: - "indices:data/write/delete*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_GET: +SECURITY_GET: reserved: false hidden: false allowed_actions: @@ -90,7 +90,7 @@ OPENDISTRO_SECURITY_GET: - "indices:data/read/mget*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE: +SECURITY_MANAGE: reserved: false hidden: false allowed_actions: @@ -98,14 +98,14 @@ OPENDISTRO_SECURITY_MANAGE: - "indices:admin/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_MONITOR: +SECURITY_CLUSTER_MONITOR: reserved: false hidden: false allowed_actions: - "cluster:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDEX: +SECURITY_INDEX: reserved: false hidden: false allowed_actions: 
@@ -113,7 +113,7 @@ OPENDISTRO_SECURITY_INDEX: - "indices:data/write/update*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SUGGEST: +SECURITY_SUGGEST: reserved: false hidden: false allowed_actions: diff --git a/src/test/resources/auditlog/roles.yml b/src/test/resources/auditlog/roles.yml index 5a2fe0216c..971ea5cf56 100644 --- a/src/test/resources/auditlog/roles.yml +++ b/src/test/resources/auditlog/roles.yml @@ -48,7 +48,7 @@ opendistro_security_dls_without_field_perm: - "zip" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_dls_without_field_perm3: reserved: false @@ -65,5 +65,5 @@ opendistro_security_dls_without_field_perm3: - "zip" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] diff --git a/src/test/resources/auditlog/roles_2.yml b/src/test/resources/auditlog/roles_2.yml index d85de80508..670847afc7 100644 --- a/src/test/resources/auditlog/roles_2.yml +++ b/src/test/resources/auditlog/roles_2.yml @@ -15,7 +15,7 @@ opendistro_security_all_access: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_dls_without_field_perm: reserved: false @@ -33,7 +33,7 @@ opendistro_security_dls_without_field_perm: - "zip" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_dls_without_field_perm3: reserved: false @@ -50,7 +50,7 @@ opendistro_security_dls_without_field_perm3: - "zip" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_picard: reserved: false @@ -65,5 +65,5 @@ opendistro_security_picard: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] 
diff --git a/src/test/resources/cache/action_groups.yml b/src/test/resources/cache/action_groups.yml index f59cb58643..d72e9324ff 100644 --- a/src/test/resources/cache/action_groups.yml +++ b/src/test/resources/cache/action_groups.yml @@ -2,7 +2,7 @@ _meta: type: "actiongroups" config_version: 2 -OPENDISTRO_SECURITY_CLUSTER_ALL: +SECURITY_CLUSTER_ALL: reserved: false hidden: false allowed_actions: @@ -13,43 +13,43 @@ ALL: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CRUD: +SECURITY_CRUD: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_WRITE" - - "OPENDISTRO_SECURITY_DELETE" + - "SECURITY_READ" + - "SECURITY_WRITE" + - "SECURITY_DELETE" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SEARCH: +SECURITY_SEARCH: reserved: false hidden: false allowed_actions: - "indices:data/read/search*" - "indices:data/read/msearch*" - - "OPENDISTRO_SECURITY_SUGGEST" + - "SECURITY_SUGGEST" type: "unknown" description: "Migrated from v6 (legacy)" MONITOR: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_MONITOR" + - "SECURITY_INDICES_MONITOR" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DATA_ACCESS: +SECURITY_DATA_ACCESS: reserved: false hidden: false allowed_actions: - "indices:data/*" - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CREATE_INDEX: +SECURITY_CREATE_INDEX: reserved: false hidden: false allowed_actions: @@ -57,7 +57,7 @@ OPENDISTRO_SECURITY_CREATE_INDEX: - "indices:admin/mapping/put" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_WRITE: +SECURITY_WRITE: reserved: false hidden: false allowed_actions: 
@@ -65,14 +65,14 @@ OPENDISTRO_SECURITY_WRITE: - "indices:admin/mapping/put" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE_ALIASES: +SECURITY_MANAGE_ALIASES: reserved: false hidden: false allowed_actions: - "indices:admin/aliases*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_READ: +SECURITY_READ: reserved: false hidden: false allowed_actions: @@ -80,30 +80,30 @@ OPENDISTRO_SECURITY_READ: - "indices:admin/mappings/fields/get*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDICES_ALL: +SECURITY_INDICES_ALL: reserved: false hidden: false allowed_actions: - "indices:*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DELETE: +SECURITY_DELETE: reserved: false hidden: false allowed_actions: - "indices:data/write/delete*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS: +SECURITY_CLUSTER_COMPOSITE_OPS: reserved: false hidden: false allowed_actions: - "indices:data/write/bulk" - "indices:admin/aliases*" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO: +SECURITY_CLUSTER_COMPOSITE_OPS_RO: reserved: false hidden: false allowed_actions: @@ -115,7 +115,7 @@ OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO: - "indices:admin/aliases/get*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_GET: +SECURITY_GET: reserved: false hidden: false allowed_actions: @@ -123,7 +123,7 @@ OPENDISTRO_SECURITY_GET: - "indices:data/read/mget*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE: +SECURITY_MANAGE: reserved: false hidden: false allowed_actions: 
@@ -131,14 +131,14 @@ OPENDISTRO_SECURITY_MANAGE: - "indices:admin/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_MONITOR: +SECURITY_CLUSTER_MONITOR: reserved: false hidden: false allowed_actions: - "cluster:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS: +SECURITY_MANAGE_SNAPSHOTS: reserved: false hidden: false allowed_actions: @@ -146,7 +146,7 @@ OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS: - "cluster:admin/repository/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDEX: +SECURITY_INDEX: reserved: false hidden: false allowed_actions: @@ -156,21 +156,21 @@ OPENDISTRO_SECURITY_INDEX: - "indices:data/write/bulk*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_UNLIMITED: +SECURITY_UNLIMITED: reserved: false hidden: false allowed_actions: - "*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDICES_MONITOR: +SECURITY_INDICES_MONITOR: reserved: false hidden: false allowed_actions: - "indices:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SUGGEST: +SECURITY_SUGGEST: reserved: false hidden: false allowed_actions: diff --git a/src/test/resources/cache/roles.yml b/src/test/resources/cache/roles.yml index 45c5e23af0..adaf4ba3ec 100644 --- a/src/test/resources/cache/roles.yml +++ b/src/test/resources/cache/roles.yml @@ -7,7 +7,7 @@ opendistro_security_own_index: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "${user_name}" 
@@ -15,14 +15,14 @@ opendistro_security_own_index: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" tenant_permissions: [] opendistro_security_kibana_testindex: reserved: false hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "test*" @@ -30,7 +30,7 @@ opendistro_security_kibana_testindex: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" - "indices:admin/mappings/fields/get*" - index_patterns: - ".kibana" @@ -38,7 +38,7 @@ opendistro_security_kibana_testindex: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" tenant_permissions: - tenant_patterns: - "test_tenant_rw" @@ -53,7 +53,7 @@ opendistro_security_human_resources: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "humanresources" @@ -87,7 +87,7 @@ opendistro_security_human_resources_trainee: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "humanresources" @@ -99,7 +99,7 @@ opendistro_security_human_resources_trainee: - "Salary" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" - index_patterns: - "?kibana" dls: null 
@@ -119,8 +119,8 @@ opendistro_security_readonly_and_monitor: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_MONITOR" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_MONITOR" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "*" @@ -128,7 +128,7 @@ opendistro_security_readonly_and_monitor: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" tenant_permissions: [] opendistro_security_kibana: reserved: false @@ -136,7 +136,7 @@ opendistro_security_kibana: description: "Migrated from v6 (all types mapped)" cluster_permissions: - "MONITOR" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "?kibana" @@ -144,20 +144,20 @@ opendistro_security_kibana: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_DELETE" - - "OPENDISTRO_SECURITY_MANAGE" - - "OPENDISTRO_SECURITY_INDEX" + - "SECURITY_READ" + - "SECURITY_DELETE" + - "SECURITY_MANAGE" + - "SECURITY_INDEX" - index_patterns: - "?kibana-6" dls: null fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_DELETE" - - "OPENDISTRO_SECURITY_MANAGE" - - "OPENDISTRO_SECURITY_INDEX" + - "SECURITY_READ" + - "SECURITY_DELETE" + - "SECURITY_MANAGE" + - "SECURITY_INDEX" - index_patterns: - "*" dls: null @@ -171,7 +171,7 @@ opendistro_security_manage_snapshots: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS" + - "SECURITY_MANAGE_SNAPSHOTS" index_permissions: - index_patterns: - "*" 
@@ -187,8 +187,8 @@ opendistro_security_kibana_server: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_MONITOR" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_MONITOR" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "?kibana" @@ -196,7 +196,7 @@ opendistro_security_kibana_server: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" tenant_permissions: [] opendistro_security_public: reserved: false @@ -204,7 +204,7 @@ opendistro_security_public: description: "Migrated from v6 (all types mapped)" cluster_permissions: - "cluster:monitor/main" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: [] tenant_permissions: [] opendistro_security_all_access: @@ -212,7 +212,7 @@ opendistro_security_all_access: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_UNLIMITED" + - "SECURITY_UNLIMITED" index_permissions: - index_patterns: - "*" @@ -220,7 +220,7 @@ opendistro_security_all_access: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_UNLIMITED" + - "SECURITY_UNLIMITED" tenant_permissions: - tenant_patterns: - "adm_tenant" @@ -234,8 +234,8 @@ opendistro_security_logstash: cluster_permissions: - "indices:admin/template/get" - "indices:admin/template/put" - - "OPENDISTRO_SECURITY_CLUSTER_MONITOR" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_MONITOR" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "logstash-*" 
@@ -243,16 +243,16 @@ opendistro_security_logstash: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" - - "OPENDISTRO_SECURITY_CREATE_INDEX" + - "SECURITY_CRUD" + - "SECURITY_CREATE_INDEX" - index_patterns: - "*beat*" dls: null fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" - - "OPENDISTRO_SECURITY_CREATE_INDEX" + - "SECURITY_CRUD" + - "SECURITY_CREATE_INDEX" tenant_permissions: [] opendistro_security_ua: reserved: false @@ -295,7 +295,7 @@ opendistro_security_finance: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "finance" @@ -314,7 +314,7 @@ opendistro_security_finance: - "Salary" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" - index_patterns: - "?kibana" dls: null @@ -340,7 +340,7 @@ opendistro_security_readonly_dlsfls: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "/\\S*/" @@ -350,14 +350,14 @@ opendistro_security_readonly_dlsfls: - "bbb" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_finance_trainee: reserved: false hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "finance" @@ -365,7 +365,7 @@ opendistro_security_finance_trainee: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" - index_patterns: - "?kibana" dls: null 
@@ -383,7 +383,7 @@ opendistro_security_role_starfleet: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "sf" @@ -391,15 +391,15 @@ opendistro_security_role_starfleet: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_READ" + - "SECURITY_INDICES_ALL" - index_patterns: - "pub*" dls: null fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: - tenant_patterns: - "enterprise_tenant" @@ -411,7 +411,7 @@ opendistro_security_readall: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "*" @@ -419,7 +419,7 @@ opendistro_security_readall: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_ub: reserved: false @@ -442,7 +442,7 @@ opendistro_security_role_starfleet_captains: description: "Migrated from v6 (all types mapped)" cluster_permissions: - "cluster:monitor*" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "sf" @@ -450,14 +450,14 @@ opendistro_security_role_starfleet_captains: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" - index_patterns: - "pub*" dls: null fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" tenant_permissions: - tenant_patterns: - "command_tenant" diff --git a/src/test/resources/dlsfls/action_groups.yml b/src/test/resources/dlsfls/action_groups.yml index 5a9c17fb4a..87448d19bd 100644 
--- a/src/test/resources/dlsfls/action_groups.yml +++ b/src/test/resources/dlsfls/action_groups.yml @@ -2,7 +2,7 @@ _meta: type: "actiongroups" config_version: 2 -OPENDISTRO_SECURITY_CLUSTER_ALL: +SECURITY_CLUSTER_ALL: reserved: false hidden: false allowed_actions: @@ -16,21 +16,21 @@ ALL: - "indices:*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CRUD: +SECURITY_CRUD: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_WRITE" + - "SECURITY_READ" + - "SECURITY_WRITE" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SEARCH: +SECURITY_SEARCH: reserved: false hidden: false allowed_actions: - "indices:data/read/search*" - "indices:data/read/msearch*" - - "OPENDISTRO_SECURITY_SUGGEST" + - "SECURITY_SUGGEST" type: "unknown" description: "Migrated from v6 (legacy)" MONITOR: @@ -40,7 +40,7 @@ MONITOR: - "indices:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DATA_ACCESS: +SECURITY_DATA_ACCESS: reserved: false hidden: false allowed_actions: @@ -48,7 +48,7 @@ OPENDISTRO_SECURITY_DATA_ACCESS: - "indices:admin/mapping/put" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CREATE_INDEX: +SECURITY_CREATE_INDEX: reserved: false hidden: false allowed_actions: @@ -56,7 +56,7 @@ OPENDISTRO_SECURITY_CREATE_INDEX: - "indices:admin/mapping/put" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_WRITE: +SECURITY_WRITE: reserved: false hidden: false allowed_actions: 
@@ -64,28 +64,28 @@ OPENDISTRO_SECURITY_WRITE: - "indices:admin/mapping/put" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE_ALIASES: +SECURITY_MANAGE_ALIASES: reserved: false hidden: false allowed_actions: - "indices:admin/aliases*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_READ: +SECURITY_READ: reserved: false hidden: false allowed_actions: - "indices:data/read*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DELETE: +SECURITY_DELETE: reserved: false hidden: false allowed_actions: - "indices:data/write/delete*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_GET: +SECURITY_GET: reserved: false hidden: false allowed_actions: @@ -93,7 +93,7 @@ OPENDISTRO_SECURITY_GET: - "indices:data/read/mget*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE: +SECURITY_MANAGE: reserved: false hidden: false allowed_actions: @@ -101,14 +101,14 @@ OPENDISTRO_SECURITY_MANAGE: - "indices:admin/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_MONITOR: +SECURITY_CLUSTER_MONITOR: reserved: false hidden: false allowed_actions: - "cluster:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDEX: +SECURITY_INDEX: reserved: false hidden: false allowed_actions: @@ -117,7 +117,7 @@ OPENDISTRO_SECURITY_INDEX: - "indices:admin/mapping/put" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SUGGEST: +SECURITY_SUGGEST: reserved: false hidden: false allowed_actions: diff --git a/src/test/resources/dlsfls/roles.yml b/src/test/resources/dlsfls/roles.yml index d9b7e76b21..e7a1e4b003 100644 --- a/src/test/resources/dlsfls/roles.yml +++ b/src/test/resources/dlsfls/roles.yml 
@@ -66,7 +66,7 @@ opendistro_security_fls_fields_wc: - "*field*" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_aaa: reserved: false @@ -130,7 +130,7 @@ opendistro_security_fls_fields: - "*field*" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_masked: reserved: false @@ -164,7 +164,7 @@ opendistro_security_dls_without_field_perm: - "zip" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_dls_multi2: reserved: false @@ -183,7 +183,7 @@ opendistro_security_dls_multi2: - "zip" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_perf_named_ex: reserved: false @@ -1251,7 +1251,7 @@ opendistro_security_midsized_deals: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_dls_multi1: reserved: false @@ -1269,14 +1269,14 @@ opendistro_security_dls_multi1: - "amount" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_masked_nowc: reserved: false hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "logs" @@ -1328,7 +1328,7 @@ opendistro_security_masked_nowc1: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "logs" 
@@ -1377,14 +1377,14 @@ opendistro_security_prop_replace: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" - index_patterns: - "prop2" dls: "{\"terms\" : { \"role\" : [${user.roles}]}}" fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_logstash: reserved: false @@ -2464,5 +2464,5 @@ opendistro_security_combined: - "amount" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] diff --git a/src/test/resources/dlsfls/roles_983.yml b/src/test/resources/dlsfls/roles_983.yml index fb3f6af469..3aa4cf0897 100644 --- a/src/test/resources/dlsfls/roles_983.yml +++ b/src/test/resources/dlsfls/roles_983.yml @@ -20,7 +20,7 @@ opendistro_security_human_resources_trainee: - "LocalRules" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" - "indices:admin/shards/search_shards" - index_patterns: - "?kibana" diff --git a/src/test/resources/dlsfls/roles_ccs2.yml b/src/test/resources/dlsfls/roles_ccs2.yml index b1c3d32f5f..d07fe4cbb8 100644 --- a/src/test/resources/dlsfls/roles_ccs2.yml +++ b/src/test/resources/dlsfls/roles_ccs2.yml @@ -20,7 +20,7 @@ opendistro_security_human_resources_trainee: - "CCSRules" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" - "indices:admin/shards/search_shards" - index_patterns: - "?kibana" diff --git a/src/test/resources/ldap/action_groups.yml b/src/test/resources/ldap/action_groups.yml index 5f0a6c57b8..d1ecd933fb 100644 --- a/src/test/resources/ldap/action_groups.yml +++ b/src/test/resources/ldap/action_groups.yml @@ -2,7 +2,7 @@ _meta: type: "actiongroups" config_version: 2 -OPENDISTRO_SECURITY_CLUSTER_ALL: +SECURITY_CLUSTER_ALL: reserved: false hidden: false allowed_actions: 
@@ -16,21 +16,21 @@ ALL: - "indices:*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CRUD: +SECURITY_CRUD: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_WRITE" + - "SECURITY_READ" + - "SECURITY_WRITE" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SEARCH: +SECURITY_SEARCH: reserved: false hidden: false allowed_actions: - "indices:data/read/search*" - "indices:data/read/msearch*" - - "OPENDISTRO_SECURITY_SUGGEST" + - "SECURITY_SUGGEST" type: "unknown" description: "Migrated from v6 (legacy)" MONITOR: @@ -40,49 +40,49 @@ MONITOR: - "indices:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DATA_ACCESS: +SECURITY_DATA_ACCESS: reserved: false hidden: false allowed_actions: - "indices:data/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CREATE_INDEX: +SECURITY_CREATE_INDEX: reserved: false hidden: false allowed_actions: - "indices:admin/create" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_WRITE: +SECURITY_WRITE: reserved: false hidden: false allowed_actions: - "indices:data/write*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE_ALIASES: +SECURITY_MANAGE_ALIASES: reserved: false hidden: false allowed_actions: - "indices:admin/aliases*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_READ: +SECURITY_READ: reserved: false hidden: false allowed_actions: - "indices:data/read*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DELETE: +SECURITY_DELETE: reserved: false hidden: false allowed_actions: - "indices:data/write/delete*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_GET: +SECURITY_GET: reserved: false hidden: false allowed_actions: 
@@ -90,7 +90,7 @@ OPENDISTRO_SECURITY_GET: - "indices:data/read/mget*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE: +SECURITY_MANAGE: reserved: false hidden: false allowed_actions: @@ -98,14 +98,14 @@ OPENDISTRO_SECURITY_MANAGE: - "indices:admin/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_MONITOR: +SECURITY_CLUSTER_MONITOR: reserved: false hidden: false allowed_actions: - "cluster:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDEX: +SECURITY_INDEX: reserved: false hidden: false allowed_actions: @@ -113,7 +113,7 @@ OPENDISTRO_SECURITY_INDEX: - "indices:data/write/update*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SUGGEST: +SECURITY_SUGGEST: reserved: false hidden: false allowed_actions: diff --git a/src/test/resources/legacy/securityconfig_v6/action_groups.yml b/src/test/resources/legacy/securityconfig_v6/action_groups.yml index 5acbe1aea8..bae297a518 100644 --- a/src/test/resources/legacy/securityconfig_v6/action_groups.yml +++ b/src/test/resources/legacy/securityconfig_v6/action_groups.yml @@ -1,11 +1,11 @@ -OPENDISTRO_SECURITY_UNLIMITED: +SECURITY_UNLIMITED: readonly: true permissions: - "*" ###### INDEX LEVEL ###### -OPENDISTRO_SECURITY_INDICES_ALL: +SECURITY_INDICES_ALL: readonly: true permissions: - "indices:*" @@ -16,19 +16,19 @@ ALL: permissions: - INDICES_ALL -OPENDISTRO_SECURITY_MANAGE: +SECURITY_MANAGE: readonly: true permissions: - "indices:monitor/*" - "indices:admin/*" -OPENDISTRO_SECURITY_CREATE_INDEX: +SECURITY_CREATE_INDEX: readonly: true permissions: - "indices:admin/create" - "indices:admin/mapping/put" -OPENDISTRO_SECURITY_MANAGE_ALIASES: +SECURITY_MANAGE_ALIASES: readonly: true permissions: - "indices:admin/aliases*" 
@@ -39,53 +39,53 @@ MONITOR: permissions: - INDICES_MONITOR -OPENDISTRO_SECURITY_INDICES_MONITOR: +SECURITY_INDICES_MONITOR: readonly: true permissions: - "indices:monitor/*" -OPENDISTRO_SECURITY_DATA_ACCESS: +SECURITY_DATA_ACCESS: readonly: true permissions: - "indices:data/*" - CRUD -OPENDISTRO_SECURITY_WRITE: +SECURITY_WRITE: readonly: true permissions: - "indices:data/write*" - "indices:admin/mapping/put" -OPENDISTRO_SECURITY_READ: +SECURITY_READ: readonly: true permissions: - "indices:data/read*" - "indices:admin/mappings/fields/get*" -OPENDISTRO_SECURITY_DELETE: +SECURITY_DELETE: readonly: true permissions: - "indices:data/write/delete*" -OPENDISTRO_SECURITY_CRUD: +SECURITY_CRUD: readonly: true permissions: - READ - WRITE -OPENDISTRO_SECURITY_SEARCH: +SECURITY_SEARCH: readonly: true permissions: - "indices:data/read/search*" - "indices:data/read/msearch*" - SUGGEST -OPENDISTRO_SECURITY_SUGGEST: +SECURITY_SUGGEST: readonly: true permissions: - "indices:data/read/suggest*" -OPENDISTRO_SECURITY_INDEX: +SECURITY_INDEX: readonly: true permissions: - "indices:data/write/index*" @@ -93,7 +93,7 @@ OPENDISTRO_SECURITY_INDEX: - "indices:admin/mapping/put" - "indices:data/write/bulk*" -OPENDISTRO_SECURITY_GET: +SECURITY_GET: readonly: true permissions: - "indices:data/read/get*" @@ -101,17 +101,17 @@ OPENDISTRO_SECURITY_GET: ###### CLUSTER LEVEL ###### -OPENDISTRO_SECURITY_CLUSTER_ALL: +SECURITY_CLUSTER_ALL: readonly: true permissions: - "cluster:*" -OPENDISTRO_SECURITY_CLUSTER_MONITOR: +SECURITY_CLUSTER_MONITOR: readonly: true permissions: - "cluster:monitor/*" -OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO: +SECURITY_CLUSTER_COMPOSITE_OPS_RO: readonly: true permissions: - "indices:data/read/mget" @@ -121,7 +121,7 @@ OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO: - "indices:admin/aliases/get*" - "indices:data/read/scroll" -OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS: +SECURITY_CLUSTER_COMPOSITE_OPS: readonly: true permissions: - "indices:data/write/bulk" 
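Review bot: The renamed definitions in this hunk still expand to unprefixed names that nothing visible in the file defines — `SECURITY_CRUD` lists `READ`/`WRITE`, `SECURITY_DATA_ACCESS` lists `CRUD`, `SECURITY_SEARCH` lists `SUGGEST`, and `SECURITY_CLUSTER_COMPOSITE_OPS` lists `CLUSTER_COMPOSITE_OPS_RO`, while the only definitions present are `SECURITY_READ`, `SECURITY_WRITE`, `SECURITY_CRUD`, `SECURITY_SUGGEST` and `SECURITY_CLUSTER_COMPOSITE_OPS_RO`. The mismatch predates this commit (the old file referenced `READ` while defining `OPENDISTRO_SECURITY_READ`), but a rename that touches every definition in the file is the natural point to resolve it, because an unresolved group reference is silently treated as something other than the intended expansion and the resulting permission set is narrower than the fixture suggests. If these nested references are meant to resolve, change them to the prefixed names, e.g. `- SECURITY_READ` / `- SECURITY_WRITE` under `SECURITY_CRUD` (and likewise for the other four); if the unresolved names are deliberate, exercising how the legacy v6 loader handles an unknown group, add a comment such as `# intentionally unresolved: exercises unknown-group handling during v6 migration` so the next rename does not "fix" them by accident. Which behaviour the migration test expects is not visible from this file.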
@@ -129,7 +129,7 @@ OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS: - "indices:data/write/reindex" - CLUSTER_COMPOSITE_OPS_RO -OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS: +SECURITY_MANAGE_SNAPSHOTS: readonly: true permissions: - "cluster:admin/snapshot/*" diff --git a/src/test/resources/multitenancy/action_groups.yml b/src/test/resources/multitenancy/action_groups.yml index f59cb58643..d72e9324ff 100644 --- a/src/test/resources/multitenancy/action_groups.yml +++ b/src/test/resources/multitenancy/action_groups.yml @@ -2,7 +2,7 @@ _meta: type: "actiongroups" config_version: 2 -OPENDISTRO_SECURITY_CLUSTER_ALL: +SECURITY_CLUSTER_ALL: reserved: false hidden: false allowed_actions: @@ -13,43 +13,43 @@ ALL: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CRUD: +SECURITY_CRUD: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_WRITE" - - "OPENDISTRO_SECURITY_DELETE" + - "SECURITY_READ" + - "SECURITY_WRITE" + - "SECURITY_DELETE" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SEARCH: +SECURITY_SEARCH: reserved: false hidden: false allowed_actions: - "indices:data/read/search*" - "indices:data/read/msearch*" - - "OPENDISTRO_SECURITY_SUGGEST" + - "SECURITY_SUGGEST" type: "unknown" description: "Migrated from v6 (legacy)" MONITOR: reserved: false hidden: false allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_MONITOR" + - "SECURITY_INDICES_MONITOR" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DATA_ACCESS: +SECURITY_DATA_ACCESS: reserved: false hidden: false allowed_actions: - "indices:data/*" - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CREATE_INDEX: +SECURITY_CREATE_INDEX: reserved: false hidden: false allowed_actions: 
@@ -57,7 +57,7 @@ OPENDISTRO_SECURITY_CREATE_INDEX: - "indices:admin/mapping/put" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_WRITE: +SECURITY_WRITE: reserved: false hidden: false allowed_actions: @@ -65,14 +65,14 @@ OPENDISTRO_SECURITY_WRITE: - "indices:admin/mapping/put" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE_ALIASES: +SECURITY_MANAGE_ALIASES: reserved: false hidden: false allowed_actions: - "indices:admin/aliases*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_READ: +SECURITY_READ: reserved: false hidden: false allowed_actions: @@ -80,30 +80,30 @@ OPENDISTRO_SECURITY_READ: - "indices:admin/mappings/fields/get*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDICES_ALL: +SECURITY_INDICES_ALL: reserved: false hidden: false allowed_actions: - "indices:*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_DELETE: +SECURITY_DELETE: reserved: false hidden: false allowed_actions: - "indices:data/write/delete*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS: +SECURITY_CLUSTER_COMPOSITE_OPS: reserved: false hidden: false allowed_actions: - "indices:data/write/bulk" - "indices:admin/aliases*" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO: +SECURITY_CLUSTER_COMPOSITE_OPS_RO: reserved: false hidden: false allowed_actions: @@ -115,7 +115,7 @@ OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO: - "indices:admin/aliases/get*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_GET: +SECURITY_GET: reserved: false hidden: false allowed_actions: 
@@ -123,7 +123,7 @@ OPENDISTRO_SECURITY_GET: - "indices:data/read/mget*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE: +SECURITY_MANAGE: reserved: false hidden: false allowed_actions: @@ -131,14 +131,14 @@ OPENDISTRO_SECURITY_MANAGE: - "indices:admin/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_CLUSTER_MONITOR: +SECURITY_CLUSTER_MONITOR: reserved: false hidden: false allowed_actions: - "cluster:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS: +SECURITY_MANAGE_SNAPSHOTS: reserved: false hidden: false allowed_actions: @@ -146,7 +146,7 @@ OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS: - "cluster:admin/repository/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDEX: +SECURITY_INDEX: reserved: false hidden: false allowed_actions: @@ -156,21 +156,21 @@ OPENDISTRO_SECURITY_INDEX: - "indices:data/write/bulk*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_UNLIMITED: +SECURITY_UNLIMITED: reserved: false hidden: false allowed_actions: - "*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_INDICES_MONITOR: +SECURITY_INDICES_MONITOR: reserved: false hidden: false allowed_actions: - "indices:monitor/*" type: "unknown" description: "Migrated from v6 (legacy)" -OPENDISTRO_SECURITY_SUGGEST: +SECURITY_SUGGEST: reserved: false hidden: false allowed_actions: diff --git a/src/test/resources/multitenancy/roles.yml b/src/test/resources/multitenancy/roles.yml index 45c5e23af0..adaf4ba3ec 100644 --- a/src/test/resources/multitenancy/roles.yml +++ b/src/test/resources/multitenancy/roles.yml @@ -7,7 +7,7 @@ opendistro_security_own_index: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "${user_name}" 
@@ -15,14 +15,14 @@ opendistro_security_own_index: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" tenant_permissions: [] opendistro_security_kibana_testindex: reserved: false hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "test*" @@ -30,7 +30,7 @@ opendistro_security_kibana_testindex: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" - "indices:admin/mappings/fields/get*" - index_patterns: - ".kibana" @@ -38,7 +38,7 @@ opendistro_security_kibana_testindex: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" tenant_permissions: - tenant_patterns: - "test_tenant_rw" @@ -53,7 +53,7 @@ opendistro_security_human_resources: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "humanresources" @@ -87,7 +87,7 @@ opendistro_security_human_resources_trainee: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "humanresources" @@ -99,7 +99,7 @@ opendistro_security_human_resources_trainee: - "Salary" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" - index_patterns: - "?kibana" dls: null 
@@ -119,8 +119,8 @@ opendistro_security_readonly_and_monitor: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_MONITOR" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_MONITOR" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "*" @@ -128,7 +128,7 @@ opendistro_security_readonly_and_monitor: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" tenant_permissions: [] opendistro_security_kibana: reserved: false @@ -136,7 +136,7 @@ opendistro_security_kibana: description: "Migrated from v6 (all types mapped)" cluster_permissions: - "MONITOR" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "?kibana" @@ -144,20 +144,20 @@ opendistro_security_kibana: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_DELETE" - - "OPENDISTRO_SECURITY_MANAGE" - - "OPENDISTRO_SECURITY_INDEX" + - "SECURITY_READ" + - "SECURITY_DELETE" + - "SECURITY_MANAGE" + - "SECURITY_INDEX" - index_patterns: - "?kibana-6" dls: null fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_DELETE" - - "OPENDISTRO_SECURITY_MANAGE" - - "OPENDISTRO_SECURITY_INDEX" + - "SECURITY_READ" + - "SECURITY_DELETE" + - "SECURITY_MANAGE" + - "SECURITY_INDEX" - index_patterns: - "*" dls: null @@ -171,7 +171,7 @@ opendistro_security_manage_snapshots: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS" + - "SECURITY_MANAGE_SNAPSHOTS" index_permissions: - index_patterns: - "*" 
@@ -187,8 +187,8 @@ opendistro_security_kibana_server: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_MONITOR" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_MONITOR" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "?kibana" @@ -196,7 +196,7 @@ opendistro_security_kibana_server: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_INDICES_ALL" tenant_permissions: [] opendistro_security_public: reserved: false @@ -204,7 +204,7 @@ opendistro_security_public: description: "Migrated from v6 (all types mapped)" cluster_permissions: - "cluster:monitor/main" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: [] tenant_permissions: [] opendistro_security_all_access: @@ -212,7 +212,7 @@ opendistro_security_all_access: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_UNLIMITED" + - "SECURITY_UNLIMITED" index_permissions: - index_patterns: - "*" @@ -220,7 +220,7 @@ opendistro_security_all_access: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_UNLIMITED" + - "SECURITY_UNLIMITED" tenant_permissions: - tenant_patterns: - "adm_tenant" @@ -234,8 +234,8 @@ opendistro_security_logstash: cluster_permissions: - "indices:admin/template/get" - "indices:admin/template/put" - - "OPENDISTRO_SECURITY_CLUSTER_MONITOR" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_MONITOR" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "logstash-*" 
@@ -243,16 +243,16 @@ opendistro_security_logstash: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" - - "OPENDISTRO_SECURITY_CREATE_INDEX" + - "SECURITY_CRUD" + - "SECURITY_CREATE_INDEX" - index_patterns: - "*beat*" dls: null fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" - - "OPENDISTRO_SECURITY_CREATE_INDEX" + - "SECURITY_CRUD" + - "SECURITY_CREATE_INDEX" tenant_permissions: [] opendistro_security_ua: reserved: false @@ -295,7 +295,7 @@ opendistro_security_finance: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "finance" @@ -314,7 +314,7 @@ opendistro_security_finance: - "Salary" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" - index_patterns: - "?kibana" dls: null @@ -340,7 +340,7 @@ opendistro_security_readonly_dlsfls: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "/\\S*/" @@ -350,14 +350,14 @@ opendistro_security_readonly_dlsfls: - "bbb" masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_finance_trainee: reserved: false hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "finance" @@ -365,7 +365,7 @@ opendistro_security_finance_trainee: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" - index_patterns: - "?kibana" dls: null 
@@ -383,7 +383,7 @@ opendistro_security_role_starfleet: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "sf" @@ -391,15 +391,15 @@ opendistro_security_role_starfleet: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" - - "OPENDISTRO_SECURITY_INDICES_ALL" + - "SECURITY_READ" + - "SECURITY_INDICES_ALL" - index_patterns: - "pub*" dls: null fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: - tenant_patterns: - "enterprise_tenant" @@ -411,7 +411,7 @@ opendistro_security_readall: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO" + - "SECURITY_CLUSTER_COMPOSITE_OPS_RO" index_permissions: - index_patterns: - "*" @@ -419,7 +419,7 @@ opendistro_security_readall: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] opendistro_security_ub: reserved: false @@ -442,7 +442,7 @@ opendistro_security_role_starfleet_captains: description: "Migrated from v6 (all types mapped)" cluster_permissions: - "cluster:monitor*" - - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS" + - "SECURITY_CLUSTER_COMPOSITE_OPS" index_permissions: - index_patterns: - "sf" @@ -450,14 +450,14 @@ opendistro_security_role_starfleet_captains: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" - index_patterns: - "pub*" dls: null fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_CRUD" + - "SECURITY_CRUD" tenant_permissions: - tenant_patterns: - "command_tenant" diff --git a/src/test/resources/restapi/action_groups.yml b/src/test/resources/restapi/action_groups.yml index 638f65f72f..b2145cc8f1 100644 
--- a/src/test/resources/restapi/action_groups.yml +++ b/src/test/resources/restapi/action_groups.yml @@ -2,7 +2,7 @@ _meta: type: "actiongroups" config_version: 2 -OPENDISTRO_SECURITY_CLUSTER_ALL: +SECURITY_CLUSTER_ALL: reserved: false hidden: false allowed_actions: @@ -21,16 +21,16 @@ CRUD_UT: hidden: false allowed_actions: - "READ_UT" - - "OPENDISTRO_SECURITY_WRITE" + - "SECURITY_WRITE" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_SEARCH: +SECURITY_SEARCH: reserved: false hidden: false allowed_actions: - "indices:data/read/search*" - "indices:data/read/msearch*" - - "OPENDISTRO_SECURITY_SUGGEST" + - "SECURITY_SUGGEST" type: "index" description: "Migrated from v6" MONITOR: @@ -40,7 +40,7 @@ MONITOR: - "indices:monitor/*" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_DATA_ACCESS: +SECURITY_DATA_ACCESS: reserved: false hidden: false allowed_actions: @@ -48,7 +48,7 @@ OPENDISTRO_SECURITY_DATA_ACCESS: - "indices:admin/mapping/put" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_CREATE_INDEX: +SECURITY_CREATE_INDEX: reserved: false hidden: false allowed_actions: @@ -56,7 +56,7 @@ OPENDISTRO_SECURITY_CREATE_INDEX: - "indices:admin/mapping/put" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_WRITE: +SECURITY_WRITE: reserved: false hidden: false allowed_actions: @@ -64,7 +64,7 @@ OPENDISTRO_SECURITY_WRITE: - "indices:admin/mapping/put" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_MANAGE_ALIASES: +SECURITY_MANAGE_ALIASES: reserved: false hidden: false allowed_actions: @@ -78,7 +78,7 @@ READ_UT: - "indices:data/read*" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_DELETE: +SECURITY_DELETE: reserved: false hidden: false allowed_actions: @@ -93,7 +93,7 @@ GET_UT: - "indices:data/read/mget*" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_MANAGE: +SECURITY_MANAGE: reserved: false hidden: false allowed_actions: 
@@ -109,14 +109,14 @@ INTERNAL: - "indices:data/read/mget*" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_CLUSTER_MONITOR: +SECURITY_CLUSTER_MONITOR: reserved: false hidden: false allowed_actions: - "cluster:monitor/*" type: "cluster" description: "Migrated from v6" -OPENDISTRO_SECURITY_INDEX: +SECURITY_INDEX: reserved: false hidden: false allowed_actions: @@ -125,7 +125,7 @@ OPENDISTRO_SECURITY_INDEX: - "indices:admin/mapping/put" type: "index" description: "Migrated from v6" -OPENDISTRO_SECURITY_SUGGEST: +SECURITY_SUGGEST: reserved: false hidden: false allowed_actions: diff --git a/src/test/resources/restapi/actiongroup_crud.json b/src/test/resources/restapi/actiongroup_crud.json index 494c020953..00bc9488bd 100644 --- a/src/test/resources/restapi/actiongroup_crud.json +++ b/src/test/resources/restapi/actiongroup_crud.json @@ -1,3 +1,3 @@ { - "allowed_actions": ["READ_UT", "OPENDISTRO_SECURITY_WRITE"] + "allowed_actions": ["READ_UT", "SECURITY_WRITE"] } diff --git a/src/test/resources/restapi/actiongroup_not_parseable.json b/src/test/resources/restapi/actiongroup_not_parseable.json index a12bf663f6..2072d0a5b4 100644 --- a/src/test/resources/restapi/actiongroup_not_parseable.json +++ b/src/test/resources/restapi/actiongroup_not_parseable.json @@ -1,3 +1,3 @@ { - ["OPENDISTRO_SECURITY_READ", "OPENDISTRO_SECURITY_WRITE"] + ["SECURITY_READ", "SECURITY_WRITE"] } diff --git a/src/test/resources/restapi/actiongroup_readonly.json b/src/test/resources/restapi/actiongroup_readonly.json index 5af22565a8..3a90c81d2e 100644 --- a/src/test/resources/restapi/actiongroup_readonly.json +++ b/src/test/resources/restapi/actiongroup_readonly.json @@ -1,4 +1,4 @@ { - "allowed_actions": ["READ_UT", "OPENDISTRO_SECURITY_WRITE"], + "allowed_actions": ["READ_UT", "SECURITY_WRITE"], "reserved": "true" } diff --git a/src/test/resources/restapi/roles.yml b/src/test/resources/restapi/roles.yml index d82382e4f6..f18f508dc4 100644 
--- a/src/test/resources/restapi/roles.yml +++ b/src/test/resources/restapi/roles.yml @@ -37,7 +37,7 @@ opendistro_security_hidden: hidden: true description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_ALL" + - "SECURITY_CLUSTER_ALL" index_permissions: - index_patterns: - "*" @@ -52,7 +52,7 @@ opendistro_security_reserved: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_ALL" + - "SECURITY_CLUSTER_ALL" index_permissions: - index_patterns: - "*" @@ -66,7 +66,7 @@ opendistro_security_internal: hidden: true description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_ALL" + - "SECURITY_CLUSTER_ALL" index_permissions: - index_patterns: - "abc*" @@ -160,7 +160,7 @@ opendistro_security_power_user: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_MONITOR" + - "SECURITY_CLUSTER_MONITOR" index_permissions: - index_patterns: - "*" @@ -214,7 +214,7 @@ opendistro_security_admin: hidden: false description: "Migrated from v6 (all types mapped)" cluster_permissions: - - "OPENDISTRO_SECURITY_CLUSTER_ALL" + - "SECURITY_CLUSTER_ALL" index_permissions: - index_patterns: - "*" @@ -284,7 +284,7 @@ opendistro_security_logstash: - "indices:data/read/scroll" - "indices:data/write/bulk" - "indices:data/read/search" - - "OPENDISTRO_SECURITY_CREATE_INDEX" + - "SECURITY_CREATE_INDEX" tenant_permissions: [] opendistro_security_flsdls: reserved: false diff --git a/src/test/resources/restapi/roles_captains.json b/src/test/resources/restapi/roles_captains.json index 1fff7a6db3..27af0b7fa3 100644 --- a/src/test/resources/restapi/roles_captains.json +++ b/src/test/resources/restapi/roles_captains.json 
@@ -2,10 +2,10 @@ "cluster_permissions" : [ "cluster:monitor*" ], "index_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ ] } diff --git a/src/test/resources/restapi/roles_captains_different_content.json b/src/test/resources/restapi/roles_captains_different_content.json index 7f08bf0786..0e16f1dbdb 100644 --- a/src/test/resources/restapi/roles_captains_different_content.json +++ b/src/test/resources/restapi/roles_captains_different_content.json @@ -5,7 +5,7 @@ "allowed_actions" : [ "blafasel" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ { "tenant_patterns" : [ "tenant2" ], diff --git a/src/test/resources/restapi/roles_captains_no_tenants.json b/src/test/resources/restapi/roles_captains_no_tenants.json index 1fff7a6db3..27af0b7fa3 100644 --- a/src/test/resources/restapi/roles_captains_no_tenants.json +++ b/src/test/resources/restapi/roles_captains_no_tenants.json @@ -2,10 +2,10 @@ "cluster_permissions" : [ "cluster:monitor*" ], "index_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ ] } diff --git a/src/test/resources/restapi/roles_captains_tenants.json b/src/test/resources/restapi/roles_captains_tenants.json index 0528332a7b..82dc03f082 100644 --- a/src/test/resources/restapi/roles_captains_tenants.json +++ b/src/test/resources/restapi/roles_captains_tenants.json 
@@ -2,10 +2,10 @@ "cluster_permissions" : [ "cluster:monitor*" ], "index_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ { "tenant_patterns" : [ "tenant2" ], diff --git a/src/test/resources/restapi/roles_captains_tenants2.json b/src/test/resources/restapi/roles_captains_tenants2.json index 1911ec47e3..5d2c02a777 100644 --- a/src/test/resources/restapi/roles_captains_tenants2.json +++ b/src/test/resources/restapi/roles_captains_tenants2.json @@ -2,10 +2,10 @@ "cluster_permissions" : [ "cluster:monitor*" ], "index_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ { "tenant_patterns" : [ "tenant2", "tenant4" ], diff --git a/src/test/resources/restapi/roles_captains_tenants_malformed.json b/src/test/resources/restapi/roles_captains_tenants_malformed.json index 709db5a17f..9e1ddbaaf6 100644 --- a/src/test/resources/restapi/roles_captains_tenants_malformed.json +++ b/src/test/resources/restapi/roles_captains_tenants_malformed.json @@ -2,10 +2,10 @@ "cluster_permissions" : [ "cluster:monitor*" ], "index_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenantz_permissions" : [ { "tenant_patterns" : [ "tenant2", "tenant4" ], 
diff --git a/src/test/resources/restapi/roles_complete_invalid.json b/src/test/resources/restapi/roles_complete_invalid.json index 4b65da593c..605e2d2218 100644 --- a/src/test/resources/restapi/roles_complete_invalid.json +++ b/src/test/resources/restapi/roles_complete_invalid.json @@ -2,10 +2,10 @@ "cluster_permissions" : [ "cluster:monitor*" ], "index_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ ] {[} diff --git a/src/test/resources/restapi/roles_invalid_keys.json b/src/test/resources/restapi/roles_invalid_keys.json index 1dfa463fec..679edee7be 100644 --- a/src/test/resources/restapi/roles_invalid_keys.json +++ b/src/test/resources/restapi/roles_invalid_keys.json @@ -2,10 +2,10 @@ "kluster_permissions" : [ "cluster:monitor*", "indices:data/read/scroll" ], "indexx_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_READ", "indices:*" ] + "allowed_actions" : [ "SECURITY_READ", "indices:*" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_READ" ] + "allowed_actions" : [ "SECURITY_READ" ] } ], "tenant_permissions" : [ ] } diff --git a/src/test/resources/restapi/roles_multiple.json b/src/test/resources/restapi/roles_multiple.json index 9e3a44da3b..495d47475e 100644 --- a/src/test/resources/restapi/roles_multiple.json +++ b/src/test/resources/restapi/roles_multiple.json 
@@ -2,10 +2,10 @@ "cluster_permissions" : [ "cluster:monitor1*" ], "index_permissions" : [ { "index_patterns" : [ "sf1" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub1" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ ] } @@ -13,10 +13,10 @@ "cluster_permissions" : [ "cluster:monitor2*" ], "index_permissions" : [ { "index_patterns" : [ "sf2" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub2" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ ] } diff --git a/src/test/resources/restapi/roles_multiple_2.json b/src/test/resources/restapi/roles_multiple_2.json index bb3780db8a..8bf1e99c31 100644 --- a/src/test/resources/restapi/roles_multiple_2.json +++ b/src/test/resources/restapi/roles_multiple_2.json @@ -3,10 +3,10 @@ "cluster_permissions" : [ "cluster:monitor*" ], "index_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_CRUD" ] + "allowed_actions" : [ "SECURITY_CRUD" ] } ], "tenant_permissions" : [ ] } diff --git a/src/test/resources/restapi/roles_starfleet.json b/src/test/resources/restapi/roles_starfleet.json index 028ba07368..83f93af8ac 100644 --- a/src/test/resources/restapi/roles_starfleet.json +++ b/src/test/resources/restapi/roles_starfleet.json 
@@ -2,10 +2,10 @@ "cluster_permissions" : [ "cluster:monitor*", "indices:data/read/scroll", "*bulk*" ], "index_permissions" : [ { "index_patterns" : [ "sf" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_READ", "indices:*", "*bulk*" ] + "allowed_actions" : [ "SECURITY_READ", "indices:*", "*bulk*" ] }, { "index_patterns" : [ "pub" ], - "allowed_actions" : [ "OPENDISTRO_SECURITY_READ" ] + "allowed_actions" : [ "SECURITY_READ" ] } ], "tenant_permissions" : [ ] } diff --git a/src/test/resources/restapi/simple_role.json b/src/test/resources/restapi/simple_role.json index d290f79d75..dabd48bf9f 100644 --- a/src/test/resources/restapi/simple_role.json +++ b/src/test/resources/restapi/simple_role.json @@ -1,6 +1,6 @@ { "cluster_permissions": [ - "OPENDISTRO_SECURITY_UNLIMITED" + "SECURITY_UNLIMITED" ], "index_permissions": [{ "index_patterns": [ @@ -9,7 +9,7 @@ "fls": [], "masked_fields": [], "allowed_actions": [ - "OPENDISTRO_SECURITY_UNLIMITED" + "SECURITY_UNLIMITED" ] }], "tenant_permissions": [{ diff --git a/src/test/resources/roles.yml b/src/test/resources/roles.yml index a1497a4858..101893156e 100644 --- a/src/test/resources/roles.yml +++ b/src/test/resources/roles.yml @@ -29,7 +29,7 @@ rexclude: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] underscore: reserved: false @@ -62,7 +62,7 @@ shakespeare: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" - "indices:data/write/bulk*" - "indices:admin/validate/query*" - "indices:admin/exists" @@ -84,7 +84,7 @@ aliasmngt: - "indices:admin/aliases*" - "indices:data/write/*" - "indices:data/read/*" - - "OPENDISTRO_SECURITY_CREATE_INDEX" + - "SECURITY_CREATE_INDEX" tenant_permissions: [] transport_client: reserved: false @@ -106,7 +106,7 @@ user1: fls: null masked_fields: null allowed_actions: - - "OPENDISTRO_SECURITY_READ" + - "SECURITY_READ" tenant_permissions: [] ccsresolv: reserved: false 
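Review bot: The `src/test/resources/roles.yml` hunks beginning here (`rexclude`, `shakespeare`, `aliasmngt`, `user1`, and the rest of that file in the following hunks) now reference `SECURITY_READ`, `SECURITY_CREATE_INDEX` and `SECURITY_CLUSTER_ALL`, but the companion `src/test/resources/action_groups.yml` that would define those groups is not visible in this chunk, so I cannot confirm it is renamed in the same commit. If it is not, every role in this file points at an undefined action group and the permission tests no longer grant what they are meant to, which would make them fail for the wrong reason rather than test the evaluator. Please confirm the diffstat covers that file; a brief comment at the top of `roles.yml`, e.g. `# Action-group names must match src/test/resources/action_groups.yml`, would make the coupling explicit for future renames.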
@@ -134,7 +134,7 @@ user2:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 role_starfleet_captains:
 reserved: false
@@ -149,14 +149,14 @@ role_starfleet_captains:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_CRUD"
+ - "SECURITY_CRUD"
 - index_patterns:
 - "public"
 dls: null
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_CRUD"
+ - "SECURITY_CRUD"
 tenant_permissions: []
 restore:
 reserved: false
@@ -231,14 +231,14 @@ baz:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 - index_patterns:
 - "foo"
 dls: null
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 kibana4:
 reserved: false
@@ -356,14 +356,14 @@ multiget:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 - index_patterns:
 - "mindex2"
 dls: null
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 public:
 reserved: false
@@ -462,7 +462,7 @@ kibana4_server:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 role_starfleet:
 reserved: false
@@ -478,7 +478,7 @@ role_starfleet:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 - "indices:*"
 - index_patterns:
 - "pub*"
@@ -486,7 +486,7 @@ role_starfleet:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 opendistro_security_own_index:
 reserved: false
@@ -530,7 +530,7 @@ admin:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_ALL"
+ - "SECURITY_CLUSTER_ALL"
 index_permissions:
 - index_patterns:
 - "*"
@@ -624,7 +624,7 @@ uc:
 allowed_actions:
 - "indices:data/write/*"
 - "indices:data/read/*"
- - "OPENDISTRO_SECURITY_CREATE_INDEX"
+ - "SECURITY_CREATE_INDEX"
 tenant_permissions: []
 dummy:
 reserved: false
@@ -724,7 +724,7 @@ role_klingons1:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions:
 - tenant_patterns:
 - "kltentrw"
@@ -739,7 +739,7 @@ snapres:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_MANAGE_SNAPSHOTS"
+ - "SECURITY_MANAGE_SNAPSHOTS"
 index_permissions:
 - index_patterns:
 - "*"
@@ -762,7 +762,7 @@ role_klingons2:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions:
 - tenant_patterns:
 - "praxisrw"
@@ -777,7 +777,7 @@ theindex_admin:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS"
 index_permissions:
 - index_patterns:
 - "theindex"
@@ -792,7 +792,7 @@ power_user:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_MONITOR"
+ - "SECURITY_CLUSTER_MONITOR"
 index_permissions:
 - index_patterns:
 - "*"
@@ -823,8 +823,8 @@ opendistro_security_kibana_server:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_MONITOR"
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS"
+ - "SECURITY_CLUSTER_MONITOR"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS"
 - "indices:admin/template*"
 - "indices:data/read/scroll*"
 index_permissions:
@@ -834,28 +834,28 @@ opendistro_security_kibana_server:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_INDICES_ALL"
+ - "SECURITY_INDICES_ALL"
 - index_patterns:
 - "?kibana-6"
 dls: null
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_INDICES_ALL"
+ - "SECURITY_INDICES_ALL"
 - index_patterns:
 - "?kibana_*"
 dls: null
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_INDICES_ALL"
+ - "SECURITY_INDICES_ALL"
 - index_patterns:
 - "?tasks"
 dls: null
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_INDICES_ALL"
+ - "SECURITY_INDICES_ALL"
 - index_patterns:
 - "*"
 dls: null
@@ -898,7 +898,7 @@ marvel_user:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 - index_patterns:
 - "?kibana"
 dls: null
@@ -925,8 +925,8 @@ writer:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_CREATE_INDEX"
- - "OPENDISTRO_SECURITY_WRITE"
+ - "SECURITY_CREATE_INDEX"
+ - "SECURITY_WRITE"
 tenant_permissions: []
 opendistro_security_logstash:
 reserved: false
@@ -945,7 +945,7 @@ opendistro_security_logstash:
 allowed_actions:
 - "indices:data/write/*"
 - "indices:data/read/*"
- - "OPENDISTRO_SECURITY_CREATE_INDEX"
+ - "SECURITY_CREATE_INDEX"
 tenant_permissions: []
 user:
 reserved: false
@@ -959,14 +959,14 @@ user:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 twitter:
 reserved: false
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS_RO"
 index_permissions:
 - index_patterns:
 - "twitter"
@@ -1022,7 +1022,7 @@ xyz_sr:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS_RO"
 index_permissions:
 - index_patterns:
 - "twitter"
@@ -1040,7 +1040,7 @@ xyz_sr_hidden:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS_RO"
 index_permissions:
 - index_patterns:
 - "twitter"
@@ -1057,7 +1057,7 @@ xyz_sr_reserved:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS_RO"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS_RO"
 index_permissions:
 - index_patterns:
 - "twitter"
diff --git a/src/test/resources/roles_bs.yml b/src/test/resources/roles_bs.yml
index a8cf55a668..7b06ef8da8 100644
--- a/src/test/resources/roles_bs.yml
+++ b/src/test/resources/roles_bs.yml
@@ -7,7 +7,7 @@ public:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS"
 index_permissions:
 - index_patterns:
 - "*"
diff --git a/src/test/resources/roles_composite.yml b/src/test/resources/roles_composite.yml
index cd836a5d38..08c79d2e6f 100644
--- a/src/test/resources/roles_composite.yml
+++ b/src/test/resources/roles_composite.yml
@@ -14,7 +14,7 @@ user1:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 role_klingons1:
 reserved: false
@@ -29,7 +29,7 @@ role_klingons1:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 role_klingons2:
 reserved: false
@@ -43,7 +43,7 @@ role_klingons2:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
 role_starfleet:
 reserved: false
@@ -59,7 +59,7 @@ role_starfleet:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 - "indices:*"
 - index_patterns:
 - "pub*"
@@ -67,5 +67,5 @@ role_starfleet:
 fls: null
 masked_fields: null
 allowed_actions:
- - "OPENDISTRO_SECURITY_READ"
+ - "SECURITY_READ"
 tenant_permissions: []
diff --git a/src/test/resources/roles_itt1635.yml b/src/test/resources/roles_itt1635.yml
index 6722404566..3aa18e4268 100644
--- a/src/test/resources/roles_itt1635.yml
+++ b/src/test/resources/roles_itt1635.yml
@@ -7,7 +7,7 @@ esb_1:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS"
 index_permissions:
 - index_patterns:
 - "esb-prod-1"
@@ -22,7 +22,7 @@ esb_5:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS"
 index_permissions:
 - index_patterns:
 - "esb-prod-5"
@@ -37,7 +37,7 @@ esb_3:
 hidden: false
 description: "Migrated from v6 (all types mapped)"
 cluster_permissions:
- - "OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS"
+ - "SECURITY_CLUSTER_COMPOSITE_OPS"
 index_permissions:
 - index_patterns:
 - "esb-prod-3"
From ed017c8efbfc1e5ff7f889f32fa30a2703b7161f Mon Sep 17 00:00:00 2001
From: Andy Lin
Date: Wed, 19 May 2021 21:57:28 -0700
Subject: [PATCH 02/17] Add SSL settings class
---
 .../security/OpenSearchSecurityPlugin.java | 2 +-
 .../ssl/OpenSearchSecuritySSLPlugin.java | 137 ++++-----
 .../LegacyOpenDistroSSLConfigConstants.java | 281 ++++++++++++++++++
 .../LegacyOpenDistroSSLSecuritySettings.java | 157 ++++++++++
 .../ssl/util/SSLSecuritySettings.java | 94 ++++++
 5 files changed, 602 insertions(+), 69 deletions(-)
 create mode 100644 src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLConfigConstants.java
 create mode 100644 src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java
 create mode 100644 src/main/java/org/opensearch/security/ssl/util/SSLSecuritySettings.java
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 7010c86644..93169e4de3 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -852,7 +852,7 @@ public Settings additionalSettings() {
 public List> getSettings() {
 List> settings = new ArrayList>();
 settings.addAll(super.getSettings());
-
+ //TODO: add fallbacksettings
 settings.add(SecuritySettings.SECURITY_SSL_ONLY);
 // currently dual mode is supported only when ssl_only is enabled, but this stance would change in future
 settings.add(SSLConfig.SSL_DUAL_MODE_SETTING);
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 3589eb6404..42002131c2 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -77,6 +77,7 @@
 import org.opensearch.security.ssl.rest.SecuritySSLInfoAction;
 import org.opensearch.security.ssl.transport.*;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
+import org.opensearch.security.ssl.util.SSLSecuritySettings;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.SharedGroupFactory;
 import org.opensearch.transport.Transport;
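Review bot: The added `//TODO: add fallbacksettings` line in `OpenSearchSecurityPlugin.getSettings()` carries no issue reference or description of what a fallback setting is supposed to do, and the same bare TODO (`//TODO: add fallbackSettings`) is added again in `OpenSearchSecuritySSLPlugin.getSettings()` later in this commit. Since the commit also introduces the legacy `opendistro_security.*` key names in `LegacyOpenDistroSSLConfigConstants`, a node still configured with those keys will presumably not have them recognised through this registration until the fallback is wired; the TODO should say so and point at the tracking issue, e.g. `//TODO: register legacy opendistro_security.* keys as fallback settings, see <TRACKING-ISSUE-ID>`. The enclosing `getSettings()` method continues outside the hunk.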
@@ -318,77 +319,77 @@ public Collection createComponents(Client localClient, ClusterService cl
 @Override
 public List> getSettings() {
 List> settings = new ArrayList>();
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED,Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Property.NodeScope, Property.Filtered));
- settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
- settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
- settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
- settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Property.NodeScope));//not filtered here
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Property.NodeScope, Property.Filtered));
-
-
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
+ //TODO: add fallbackSettings
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CLIENTAUTH_MODE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_ALIAS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_TYPE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED_CIPHERS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS);
+
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED);
 if(extendedKeyUsageEnabled) {
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
-
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
-
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
-
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD);
+
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD);
+
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH);
+
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH);
 } else {
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Property.NodeScope, Property.Filtered));
-
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD);
+
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH);
 }
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
-
- settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Property.NodeScope, Property.Filtered));
- settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Property.NodeScope, Property.Filtered));
- settings.add(Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Property.NodeScope, Property.Filtered));
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMCERT_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_FILEPATH);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_PASSWORD);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH);
+
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_FILE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATE);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP);
+ settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE);
 return settings;
 }
diff --git a/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLConfigConstants.java b/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLConfigConstants.java
new file mode 100644
index 0000000000..99689a5101
--- /dev/null
+++ b/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLConfigConstants.java
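Review bot: The removed lines were the only visible place that attached `Property.Filtered` to the keystore, truststore and PEM key password settings (`SECURITY_SSL_HTTP_KEYSTORE_PASSWORD`, `SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD`, `SECURITY_SSL_TRANSPORT_*_PASSWORD`, `SECURITY_SSL_*_PEMKEY_PASSWORD`), and the `SSLSecuritySettings` constants that replace them are not visible in this hunk, so please confirm each password-bearing Setting still carries `Property.Filtered` — that flag is what keeps the value out of node settings API responses, and dropping it during this move would expose key material to anyone allowed to read node settings. The four `*_ENABLED_CIPHERS`/`*_ENABLED_PROTOCOLS` list settings were deliberately registered without the filter (`//not filtered here`); that intent should be preserved and, since the inline comment is gone here, documented on the constants themselves. The `if(extendedKeyUsageEnabled)` / `else` split is unchanged by the move, but note that the legacy-mode aliases and the extended-key-usage aliases are still mutually exclusive at registration time, so a short comment such as `// only one of the alias families is registered; unknown-setting validation rejects the other` would help the next reader. The enclosing `getSettings()` body is fully inside the hunk.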
@@ -0,0 +1,281 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+/*
+ * Copyright 2015-2017 floragunn GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.opensearch.security.ssl.util;
+
+import org.opensearch.common.settings.Settings;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public final class LegacyOpenDistroSSLConfigConstants {
+
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = "opendistro_security.ssl.http.enable_openssl_if_available";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_ENABLED = "opendistro_security.ssl.http.enabled";
+ public static final boolean OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_DEFAULT = false;
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE = "opendistro_security.ssl.http.clientauth_mode";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS = "opendistro_security.ssl.http.keystore_alias";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = "opendistro_security.ssl.http.keystore_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH = "opendistro_security.ssl.http.pemkey_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD = "opendistro_security.ssl.http.pemkey_password";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH = "opendistro_security.ssl.http.pemcert_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.http.pemtrustedcas_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = "opendistro_security.ssl.http.keystore_password";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.http.keystore_keypassword";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_TYPE = "opendistro_security.ssl.http.keystore_type";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "opendistro_security.ssl.http.truststore_alias";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "opendistro_security.ssl.http.truststore_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = "opendistro_security.ssl.http.truststore_password";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "opendistro_security.ssl.http.truststore_type";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = "opendistro_security.ssl.transport.enable_openssl_if_available";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED = "opendistro_security.ssl.transport.enabled";
+ public static final boolean OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT = true;
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = "opendistro_security.ssl.transport.enforce_hostname_verification";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = "opendistro_security.ssl.transport.resolve_hostname";
+
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.keystore_alias";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.server.keystore_alias";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.client.keystore_alias";
+
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = "opendistro_security.ssl.transport.keystore_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.pemkey_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.pemkey_password";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.pemcert_filepath";
+
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.pemtrustedcas_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = "opendistro_security.ssl.transport.extended_key_usage_enabled";
+ public static final boolean OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT = false;
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.server.pemkey_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.server.pemkey_password";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.server.pemcert_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.server.pemtrustedcas_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.client.pemkey_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.client.pemkey_password";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.client.pemcert_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.client.pemtrustedcas_filepath";
+
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = "opendistro_security.ssl.transport.keystore_password";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.keystore_keypassword";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.server.keystore_keypassword";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.client.keystore_keypassword";
+
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = "opendistro_security.ssl.transport.keystore_type";
+
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.truststore_alias";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.server.truststore_alias";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.client.truststore_alias";
+
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = "opendistro_security.ssl.transport.truststore_filepath";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = "opendistro_security.ssl.transport.truststore_password";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = "opendistro_security.ssl.transport.truststore_type";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = "opendistro_security.ssl.transport.enabled_ciphers";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = "opendistro_security.ssl.transport.enabled_protocols";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_CIPHERS = "opendistro_security.ssl.http.enabled_ciphers";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = "opendistro_security.ssl.http.enabled_protocols";
+ public static final String OPENDISTRO_SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = "opendistro_security.ssl.client.external_context_id";
+ public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = "opendistro_security.ssl.transport.principal_extractor_class";
+
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_FILE = "opendistro_security.ssl.http.crl.file_path";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATE = "opendistro_security.ssl.http.crl.validate";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = "opendistro_security.ssl.http.crl.prefer_crlfile_over_ocsp";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = "opendistro_security.ssl.http.crl.check_only_end_entities";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = "opendistro_security.ssl.http.crl.disable_ocsp";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = "opendistro_security.ssl.http.crl.disable_crldp";
+ public static final String OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = "opendistro_security.ssl.http.crl.validation_date";
+
+ public static final String OPENDISTRO_SECURITY_SSL_ALLOW_CLIENT_INITIATED_RENEGOTIATION = "opendistro_security.ssl.allow_client_initiated_renegotiation";
+
+ public static final String DEFAULT_STORE_PASSWORD = "changeit"; //#16
+
+ public static final String JDK_TLS_REJECT_CLIENT_INITIATED_RENEGOTIATION = "jdk.tls.rejectClientInitiatedRenegotiation";
+
+ private static final String[] _SECURE_SSL_PROTOCOLS = {"TLSv1.3", "TLSv1.2", "TLSv1.1"};
+
+ public static final String[] getSecureSSLProtocols(Settings settings, boolean http)
+ {
+ List configuredProtocols = null;
+
+ if(settings != null) {
+ if(http) {
+ configuredProtocols = settings.getAsList(OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList());
+ } else {
+ configuredProtocols = settings.getAsList(OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList());
+ }
+ }
+
+ if(configuredProtocols != null && configuredProtocols.size() > 0) {
+ return configuredProtocols.toArray(new String[0]);
+ }
+
+ return _SECURE_SSL_PROTOCOLS.clone();
+ }
+
+ // @formatter:off
+ private static final String[] _SECURE_SSL_CIPHERS =
+ {
+ //TLS__WITH_
+
+ //Example (including unsafe ones)
+ //Protocol: TLS, SSL
+ //Key Exchange RSA, Diffie-Hellman, ECDH, SRP, PSK
+ //Authentication RSA, DSA, ECDSA
+ //Bulk Ciphers RC4, 3DES, AES
+ //Message Authentication HMAC-SHA256, HMAC-SHA1, HMAC-MD5
+
+
+ //thats what chrome 48 supports (https://cc.dcsec.uni-hannover.de/)
+ //(c0,2b)ECDHE-ECDSA-AES128-GCM-SHA256128 BitKey exchange: ECDH, encryption: AES, MAC: SHA256.
+ //(c0,2f)ECDHE-RSA-AES128-GCM-SHA256128 BitKey exchange: ECDH, encryption: AES, MAC: SHA256.
+ //(00,9e)DHE-RSA-AES128-GCM-SHA256128 BitKey exchange: DH, encryption: AES, MAC: SHA256.
+ //(cc,14)ECDHE-ECDSA-CHACHA20-POLY1305-SHA256128 BitKey exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256.
+ //(cc,13)ECDHE-RSA-CHACHA20-POLY1305-SHA256128 BitKey exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256.
+ //(c0,0a)ECDHE-ECDSA-AES256-SHA256 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. + //(c0,14)ECDHE-RSA-AES256-SHA256 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. + //(00,39)DHE-RSA-AES256-SHA256 BitKey exchange: DH, encryption: AES, MAC: SHA1. + //(c0,09)ECDHE-ECDSA-AES128-SHA128 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. + //(c0,13)ECDHE-RSA-AES128-SHA128 BitKey exchange: ECDH, encryption: AES, MAC: SHA1. + //(00,33)DHE-RSA-AES128-SHA128 BitKey exchange: DH, encryption: AES, MAC: SHA1. + //(00,9c)RSA-AES128-GCM-SHA256128 BitKey exchange: RSA, encryption: AES, MAC: SHA256. + //(00,35)RSA-AES256-SHA256 BitKey exchange: RSA, encryption: AES, MAC: SHA1. + //(00,2f)RSA-AES128-SHA128 BitKey exchange: RSA, encryption: AES, MAC: SHA1. + //(00,0a)RSA-3DES-EDE-SHA168 BitKey exchange: RSA, encryption: 3DES, MAC: SHA1. + + //thats what firefox 42 supports (https://cc.dcsec.uni-hannover.de/) + //(c0,2b) ECDHE-ECDSA-AES128-GCM-SHA256 + //(c0,2f) ECDHE-RSA-AES128-GCM-SHA256 + //(c0,0a) ECDHE-ECDSA-AES256-SHA + //(c0,09) ECDHE-ECDSA-AES128-SHA + //(c0,13) ECDHE-RSA-AES128-SHA + //(c0,14) ECDHE-RSA-AES256-SHA + //(00,33) DHE-RSA-AES128-SHA + //(00,39) DHE-RSA-AES256-SHA + //(00,2f) RSA-AES128-SHA + //(00,35) RSA-AES256-SHA + //(00,0a) RSA-3DES-EDE-SHA + + //Mozilla modern browsers + //https://wiki.mozilla.org/Security/Server_Side_TLS + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + 
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + + //TLS 1.3 + "TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_CHACHA20_POLY1305_SHA256", //Open SSL >= 1.1.1 and Java >= 12 + + //TLS 1.2 CHACHA20 POLY1305 supported by Java >= 12 and + //OpenSSL >= 1.1.0 + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + + //IBM + "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "SSL_DHE_RSA_WITH_AES_128_GCM_SHA256", + "SSL_DHE_DSS_WITH_AES_128_GCM_SHA256", + "SSL_DHE_DSS_WITH_AES_256_GCM_SHA384", + "SSL_DHE_RSA_WITH_AES_256_GCM_SHA384", + "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "SSL_DHE_RSA_WITH_AES_128_CBC_SHA256", + "SSL_DHE_RSA_WITH_AES_128_CBC_SHA", + "SSL_DHE_DSS_WITH_AES_128_CBC_SHA256", + "SSL_DHE_RSA_WITH_AES_256_CBC_SHA256", + "SSL_DHE_DSS_WITH_AES_256_CBC_SHA", + "SSL_DHE_RSA_WITH_AES_256_CBC_SHA" + + //some others + //"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + //"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + //"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + //"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + //"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + //"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + //"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + //"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + //"TLS_RSA_WITH_AES_128_CBC_SHA256", + 
//"TLS_RSA_WITH_AES_128_GCM_SHA256",
+ //"TLS_RSA_WITH_AES_128_CBC_SHA",
+ //"TLS_RSA_WITH_AES_256_CBC_SHA",
+ };
+ // @formatter:on
+
+ public static final List getSecureSSLCiphers(Settings settings, boolean http) {
+
+ List configuredCiphers = null;
+
+ if(settings != null) {
+ if(http) {
+ configuredCiphers = settings.getAsList(OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList());
+ } else {
+ configuredCiphers = settings.getAsList(OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList());
+ }
+ }
+
+ if(configuredCiphers != null && configuredCiphers.size() > 0) {
+ return configuredCiphers;
+ }
+
+ return Collections.unmodifiableList(Arrays.asList(_SECURE_SSL_CIPHERS));
+ }
+
+ private LegacyOpenDistroSSLConfigConstants() {
+
+ }
+
+}
diff --git a/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java b/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java
new file mode 100644
index 0000000000..f60024fa19
--- /dev/null
+++ b/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java
@@ -0,0 +1,157 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+ package org.opensearch.security.ssl.util;
+
+ import io.netty.util.internal.PlatformDependent;
+ import org.opensearch.common.Booleans;
+ import org.opensearch.common.settings.Setting;
+ import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
+
+ import java.util.ArrayList;
+ import java.util.Collections;
+ import java.util.List;
+ import java.util.function.Function;
+
+ public class LegacyOpenDistroSSLSecuritySettings {
+ public static final Setting SECURITY_SSL_HTTP_CLIENTAUTH_MODE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_TYPE =
Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting 
SECURITY_SSL_TRANSPORT_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, 
Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting> SECURITY_SSL_HTTP_ENABLED_CIPHERS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting> SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Setting.Property.NodeScope, Setting.Property.Filtered)); + 
//settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED,Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, 
SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here + //settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here + //settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here + 
//settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered)); + + public static final Setting SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered)); + //if(extendedKeyUsageEnabled) { + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, 
Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = 
Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = 
Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //} else { + + + + public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); + 
//settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + //} + public static final Setting SECURITY_SSL_HTTP_PEMCERT_FILEPATH = 
Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_HTTP_CRL_FILE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //return settings;
+
+
+}
diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLSecuritySettings.java b/src/main/java/org/opensearch/security/ssl/util/SSLSecuritySettings.java
new file mode 100644
index 0000000000..d9f64bfa7d
--- /dev/null
+++ b/src/main/java/org/opensearch/security/ssl/util/SSLSecuritySettings.java
@@ -0,0 +1,94 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.ssl.util;
+
+import io.netty.util.internal.PlatformDependent;
+import org.opensearch.common.Booleans;
+import org.opensearch.common.settings.Setting;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Function;
+
+public class SSLSecuritySettings {
+ public static final Setting SECURITY_SSL_HTTP_CLIENTAUTH_MODE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_KEYSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting> SECURITY_SSL_HTTP_ENABLED_CIPHERS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Function.identity(), Setting.Property.NodeScope); //not filtered here
+ public static final Setting> SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Function.identity(), Setting.Property.NodeScope); //not filtered here
+ public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Function.identity(), Setting.Property.NodeScope); //not filtered here
+ public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Function.identity(), Setting.Property.NodeScope); //not filtered here
+ public static final Setting SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_HTTP_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered);
+
+ public static final Setting SECURITY_SSL_HTTP_CRL_FILE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATE, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, Setting.Property.NodeScope, Setting.Property.Filtered);
+ public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, Setting.Property.NodeScope, Setting.Property.Filtered);
+}
From 218c7decb3d9d32a971558201fa623f1b871bcc6 Mon Sep 17 00:00:00 2001
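Review bot: SSLSecuritySettings carries no class-level Javadoc, yet the one thing a maintainer adding a setting here must know is that every plugins.security.ssl.* entry resolves through its LegacyOpenDistroSSLSecuritySettings counterpart when the new key is absent; a header such as `/** Settings under the plugins.security.ssl prefix. Each entry falls back to the matching LegacyOpenDistroSSLSecuritySettings setting when unset; any setting that names a password or key material must keep Setting.Property.Filtered so it stays masked in settings output. */` would record that. The imports of PlatformDependent, Booleans, ArrayList and Collections appear unused within the 94 lines of this file and could be dropped. Since the class only holds static constants, a private constructor, `private SSLSecuritySettings() {}`, would make clear it is not meant to be instantiated.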
From: Andy Lin Date: Wed, 19 May 2021 23:35:51 -0700 Subject: [PATCH 03/17] Change opendistro_security. to plugins.security. --- .../kerberos/HTTPSpnegoAuthenticator.java | 12 +- .../security/OpenSearchSecurityPlugin.java | 2 +- .../security/auditlog/sink/WebhookSink.java | 4 +- .../security/compliance/ComplianceConfig.java | 2 +- .../security/configuration/CompatConfig.java | 4 +- .../ssl/OpenSearchSecuritySSLPlugin.java | 2 +- .../security/ssl/transport/SSLConfig.java | 2 +- .../security/ssl/util/SSLConfigConstants.java | 124 +++---- .../security/support/ConfigConstants.java | 152 ++++----- .../security/tools/SecurityAdmin.java | 2 +- .../dlic/auth/ldap/LdapBackendTest.java | 14 +- .../auth/ldap/LdapBackendTestClientCert.java | 20 +- .../ldap/LdapBackendTestNewStyleConfig.java | 14 +- .../ldap2/LdapBackendTestClientCert2.java | 20 +- .../ldap2/LdapBackendTestNewStyleConfig2.java | 14 +- .../ldap2/LdapBackendTestOldStyleConfig2.java | 18 +- .../security/HttpIntegrationTests.java | 26 +- .../InitializationIntegrationTests.java | 10 +- .../opensearch/security/IntegrationTests.java | 8 +- .../security/RolesInjectorIntegTest.java | 2 +- .../security/SecurityAdminMigrationTests.java | 12 +- .../security/SecurityAdminTests.java | 6 +- .../security/SlowIntegrationTests.java | 4 +- .../security/SnapshotRestoreTests.java | 8 +- .../TransportClientIntegrationTests.java | 20 +- .../TransportUserInjectorIntegTest.java | 4 +- .../auditlog/AbstractAuditlogiUnitTest.java | 6 +- .../compliance/ComplianceAuditlogTest.java | 16 +- .../RestApiComplianceAuditlogTest.java | 14 +- .../auditlog/config/ThreadPoolConfigTest.java | 4 +- .../security/auditlog/impl/AuditlogTest.java | 10 +- .../security/auditlog/impl/DelegateTest.java | 2 +- .../auditlog/impl/DisabledCategoriesTest.java | 12 +- .../auditlog/impl/IgnoreAuditUsersTest.java | 26 +- .../integration/BasicAuditlogTest.java | 50 +-- .../auditlog/integration/SSLAuditlogTest.java | 12 +- .../auditlog/sink/SinkProviderTLSTest.java | 6 
+- .../auditlog/sink/WebhookAuditLogTest.java | 218 ++++++------ .../security/cache/CachingTest.java | 4 +- .../rest/api/AbstractRestApiUnitTest.java | 42 +-- .../dlic/rest/api/MigrationTests.java | 30 +- .../dlic/rest/api/NodesDnApiTest.java | 2 +- .../dlic/rest/api/WhitelistApiTest.java | 2 +- .../security/httpclient/HttpClientTest.java | 16 +- .../opensearch/security/ssl/OpenSSLTest.java | 10 +- .../org/opensearch/security/ssl/SSLTest.java | 310 +++++++++--------- .../system_indices/SystemIndicesTests.java | 16 +- .../test/AbstractSecurityUnitTest.java | 16 +- .../SettingsBasedSSLConfiguratorTest.java | 8 +- .../configuration_no_multiple_endpoints.yml | 10 +- .../endpoints/sink/configuration_tls.yml | 22 +- 51 files changed, 685 insertions(+), 685 deletions(-) diff --git a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java index e17aac00e8..5ecc93b5ce 100644 --- a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java +++ b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java @@ -75,7 +75,7 @@ public HTTPSpnegoAuthenticator(final Settings settings, final Path configPath) { super(); try { final Path configDir = new Environment(settings, configPath).configFile(); - final String krb5PathSetting = settings.get("opendistro_security.kerberos.krb5_filepath"); + final String krb5PathSetting = settings.get("plugins.security.kerberos.krb5_filepath"); final SecurityManager sm = System.getSecurityManager(); 
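Review bot: The krb5_filepath lookup now reads only `plugins.security.kerberos.krb5_filepath` with no fallback to the previous key, and the same applies to the acceptor_principal and acceptor_keytab_filepath lookups in the two hunks that follow; a node whose configuration still carries the opendistro_security.kerberos.* keys would take the `acceptor_keytab_filepath must not be null or empty` branch and, as that message says, Kerberos authentication would not work after the upgrade. The SSL settings added earlier in this series register explicit legacy fallbacks, so these raw Settings.get calls are the odd ones out; if that is unintended, read the new key with the legacy value as the default, e.g. `final String krb5PathSetting = settings.get("plugins.security.kerberos.krb5_filepath", settings.get("opendistro_security.kerberos.krb5_filepath"));`. The HTTPSpnegoAuthenticator constructor starts before and ends after these hunks.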
@@ -129,8 +129,8 @@ public Void run() { } stripRealmFromPrincipalName = settings.getAsBoolean("strip_realm_from_principal", true); - acceptorPrincipal = new HashSet<>(settings.getAsList("opendistro_security.kerberos.acceptor_principal", Collections.emptyList())); - final String _acceptorKeyTabPath = settings.get("opendistro_security.kerberos.acceptor_keytab_filepath"); + acceptorPrincipal = new HashSet<>(settings.getAsList("plugins.security.kerberos.acceptor_principal", Collections.emptyList())); + final String _acceptorKeyTabPath = settings.get("plugins.security.kerberos.acceptor_keytab_filepath"); if(acceptorPrincipal == null || acceptorPrincipal.size() == 0) { log.error("acceptor_principal must not be null or empty. Kerberos authentication will not work"); @@ -138,10 +138,10 @@ public Void run() { } if(_acceptorKeyTabPath == null || _acceptorKeyTabPath.length() == 0) { - log.error("opendistro_security.kerberos.acceptor_keytab_filepath must not be null or empty. Kerberos authentication will not work"); + log.error("plugins.security.kerberos.acceptor_keytab_filepath must not be null or empty. Kerberos authentication will not work"); acceptorKeyTabPath = null; } else { - acceptorKeyTabPath = configDir.resolve(settings.get("opendistro_security.kerberos.acceptor_keytab_filepath")); + acceptorKeyTabPath = configDir.resolve(settings.get("plugins.security.kerberos.acceptor_keytab_filepath")); if(!Files.exists(acceptorKeyTabPath)) { log.error("Unable to read keytab from {} - Maybe the file does not exist or is not readable. Kerberos authentication will not work", acceptorKeyTabPath); 
@@ -159,7 +159,7 @@ public Void run() { } catch (Throwable e) { log.error("Cannot construct HTTPSpnegoAuthenticator due to {}", e.getMessage(), e); - log.error("Please make sure you configured 'opendistro_security.kerberos.acceptor_keytab_filepath' realtive to the ES config/ dir!"); + log.error("Please make sure you configured 'plugins.security.kerberos.acceptor_keytab_filepath' realtive to the ES config/ dir!"); throw e; } diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 93169e4de3..0f641d1c8b 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -1004,7 +1004,7 @@ public List getSettingsFilter() { return settingsFilter; } - settingsFilter.add("opendistro_security.*"); + settingsFilter.add("plugins.security.*"); return settingsFilter; } diff --git a/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java b/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java index 05e214c427..8fb4728803 100644 --- a/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java +++ b/src/main/java/org/opensearch/security/auditlog/sink/WebhookSink.java @@ -76,7 +76,7 @@ public WebhookSink(final String name, final Settings settings, final String sett } if (Strings.isEmpty(webhookUrl)) { - log.error("opendistro_security.audit.config.webhook.url not provided, webhook audit log will not work"); + log.error("plugins.security.audit.config.webhook.url not provided, webhook audit log will not work"); return; } else { try { 
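Review bot: `settingsFilter.add("plugins.security.*");` in getSettingsFilter() removes the blanket filter over the opendistro_security.* namespace, and the same replacement is made in OpenSearchSecuritySSLPlugin.getSettingsFilter() in the @@ -418 hunk below. If the legacy opendistro_security.* keys remain accepted after this series (the first patch registers them as fallbacks for the SSL settings), any legacy key that is not individually marked Setting.Property.Filtered — the deprecated namespace includes keystore, key and PEM key passwords — would presumably no longer be masked from the settings-exposing APIs. Keeping both patterns, `settingsFilter.add("opendistro_security.*"); settingsFilter.add("plugins.security.*");`, preserves the masking for mixed or not-yet-migrated configurations. getSettingsFilter() starts before this hunk in OpenSearchSecurityPlugin.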
@@ -89,7 +89,7 @@ public WebhookSink(final String name, final Settings settings, final String sett } if (Strings.isEmpty(format)) { - log.warn("opendistro_security.audit.config.webhook.format not provided, falling back to 'text'"); + log.warn("plugins.security.audit.config.webhook.format not provided, falling back to 'text'"); webhookFormat = WebhookFormat.TEXT; } else { try { diff --git a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java index c8bf03474c..e4ecd33332 100644 --- a/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java +++ b/src/main/java/org/opensearch/security/compliance/ComplianceConfig.java @@ -261,7 +261,7 @@ public static ComplianceConfig from(Settings settings) { final boolean logDiffsForWrite = settings.getAsBoolean(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false); final List watchedReadFields = settings.getAsList(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, Collections.emptyList(), false); - //opendistro_security.compliance.pii_fields: + //plugins.security.compliance.pii_fields: // - indexpattern,fieldpattern,fieldpattern,.... final Map> readEnabledFields = watchedReadFields.stream() .map(watchedReadField -> watchedReadField.split(",")) diff --git a/src/main/java/org/opensearch/security/configuration/CompatConfig.java b/src/main/java/org/opensearch/security/configuration/CompatConfig.java index 1cbd1100ea..4edcc8eceb 100644 --- a/src/main/java/org/opensearch/security/configuration/CompatConfig.java +++ b/src/main/java/org/opensearch/security/configuration/CompatConfig.java 
@@ -69,7 +69,7 @@ public boolean restAuthEnabled() { } else { final boolean restDynamicallyDisabled = dcm.isRestAuthDisabled(); if (isTraceEnabled) { - log.trace("opendistro_security.dynamic.disable_rest_auth {}", restDynamicallyDisabled); + log.trace("plugins.security.dynamic.disable_rest_auth {}", restDynamicallyDisabled); } return !restDynamicallyDisabled; } @@ -92,7 +92,7 @@ public boolean transportInterClusterAuthEnabled() { } else { final boolean interClusterAuthDynamicallyDisabled = dcm.isInterTransportAuthDisabled(); if (isTraceEnabled) { - log.trace("opendistro_security.dynamic.disable_intertransport_auth {}", interClusterAuthDynamicallyDisabled); + log.trace("plugins.security.dynamic.disable_intertransport_auth {}", interClusterAuthDynamicallyDisabled); } return !interClusterAuthDynamicallyDisabled; } diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java index 42002131c2..c75d44c3c3 100644 --- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java +++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java @@ -418,7 +418,7 @@ public Settings additionalSettings() { @Override public List getSettingsFilter() { List settingsFilter = new ArrayList<>(); - settingsFilter.add("opendistro_security.*"); + settingsFilter.add("plugins.security.*"); return settingsFilter; } } diff --git a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java index a3bea9f3b7..52b0fbe5c4 100644 --- a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java +++ b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java 
@@ -36,7 +36,7 @@ public SSLConfig(final boolean sslOnly, final boolean dualModeEnabled) { this.sslOnly = sslOnly; this.dualModeEnabled = dualModeEnabled; if (this.dualModeEnabled && !this.sslOnly) { - logger.warn("opendistro_security_config.ssl_dual_mode_enabled is enabled but opendistro_security.ssl_only mode is disabled. " + logger.warn("opendistro_security_config.ssl_dual_mode_enabled is enabled but plugins.security.ssl_only mode is disabled. " + "SSL Dual mode is supported only when security plugin is in ssl_only mode"); } logger.info("SSL dual mode is {}", isDualModeEnabled() ? "enabled" : "disabled"); diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java index 83cb56af9a..609a90511e 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java 
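Review bot: The rewritten warning now mixes namespaces: `opendistro_security_config.ssl_dual_mode_enabled is enabled but plugins.security.ssl_only mode is disabled` still points operators at the old prefix for the first setting. If the `opendistro_security_config.` prefix is deliberately outside the scope of this rename, a one-line comment above the logger.warn call saying so, e.g. `// opendistro_security_config.* is a separate namespace and is intentionally not renamed here`, would keep a later rename pass from changing it by mistake; otherwise the message should be updated in the same commit for consistency. The SSLConfig constructor begins before and ends after this hunk.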
@@ -25,80 +25,80 @@ public final class SSLConfigConstants { - public static final String SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = "opendistro_security.ssl.http.enable_openssl_if_available"; - public static final String SECURITY_SSL_HTTP_ENABLED = "opendistro_security.ssl.http.enabled"; + public static final String SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = "plugins.security.ssl.http.enable_openssl_if_available"; + public static final String SECURITY_SSL_HTTP_ENABLED = "plugins.security.ssl.http.enabled"; public static final boolean SECURITY_SSL_HTTP_ENABLED_DEFAULT = false; - public static final String SECURITY_SSL_HTTP_CLIENTAUTH_MODE = "opendistro_security.ssl.http.clientauth_mode"; - public static final String SECURITY_SSL_HTTP_KEYSTORE_ALIAS = "opendistro_security.ssl.http.keystore_alias"; - public static final String SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = "opendistro_security.ssl.http.keystore_filepath"; - public static final String SECURITY_SSL_HTTP_PEMKEY_FILEPATH = "opendistro_security.ssl.http.pemkey_filepath"; - public static final String SECURITY_SSL_HTTP_PEMKEY_PASSWORD = "opendistro_security.ssl.http.pemkey_password"; - public static final String SECURITY_SSL_HTTP_PEMCERT_FILEPATH = "opendistro_security.ssl.http.pemcert_filepath"; - public static final String SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.http.pemtrustedcas_filepath"; - public static final String SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = "opendistro_security.ssl.http.keystore_password"; - public static final String SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.http.keystore_keypassword"; - public static final String SECURITY_SSL_HTTP_KEYSTORE_TYPE = "opendistro_security.ssl.http.keystore_type"; - public static final String SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "opendistro_security.ssl.http.truststore_alias"; - public static final String SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "opendistro_security.ssl.http.truststore_filepath"; - public 
static final String SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = "opendistro_security.ssl.http.truststore_password"; - public static final String SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "opendistro_security.ssl.http.truststore_type"; - public static final String SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = "opendistro_security.ssl.transport.enable_openssl_if_available"; - public static final String SECURITY_SSL_TRANSPORT_ENABLED = "opendistro_security.ssl.transport.enabled"; + public static final String SECURITY_SSL_HTTP_CLIENTAUTH_MODE = "plugins.security.ssl.http.clientauth_mode"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_ALIAS = "plugins.security.ssl.http.keystore_alias"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = "plugins.security.ssl.http.keystore_filepath"; + public static final String SECURITY_SSL_HTTP_PEMKEY_FILEPATH = "plugins.security.ssl.http.pemkey_filepath"; + public static final String SECURITY_SSL_HTTP_PEMKEY_PASSWORD = "plugins.security.ssl.http.pemkey_password"; + public static final String SECURITY_SSL_HTTP_PEMCERT_FILEPATH = "plugins.security.ssl.http.pemcert_filepath"; + public static final String SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = "plugins.security.ssl.http.pemtrustedcas_filepath"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = "plugins.security.ssl.http.keystore_password"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = "plugins.security.ssl.http.keystore_keypassword"; + public static final String SECURITY_SSL_HTTP_KEYSTORE_TYPE = "plugins.security.ssl.http.keystore_type"; + public static final String SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "plugins.security.ssl.http.truststore_alias"; + public static final String SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "plugins.security.ssl.http.truststore_filepath"; + public static final String SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = "plugins.security.ssl.http.truststore_password"; + public static final String 
SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "plugins.security.ssl.http.truststore_type"; + public static final String SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = "plugins.security.ssl.transport.enable_openssl_if_available"; + public static final String SECURITY_SSL_TRANSPORT_ENABLED = "plugins.security.ssl.transport.enabled"; public static final boolean SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT = true; - public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = "opendistro_security.ssl.transport.enforce_hostname_verification"; - public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = "opendistro_security.ssl.transport.resolve_hostname"; + public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = "plugins.security.ssl.transport.enforce_hostname_verification"; + public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = "plugins.security.ssl.transport.resolve_hostname"; - public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.keystore_alias"; - public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.server.keystore_alias"; - public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "opendistro_security.ssl.transport.client.keystore_alias"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.keystore_alias"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "plugins.security.ssl.transport.server.keystore_alias"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.client.keystore_alias"; - public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = "opendistro_security.ssl.transport.keystore_filepath"; - public static final String SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = 
"opendistro_security.ssl.transport.pemkey_filepath"; - public static final String SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.pemkey_password"; - public static final String SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.pemcert_filepath"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = "plugins.security.ssl.transport.keystore_filepath"; + public static final String SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = "plugins.security.ssl.transport.pemkey_filepath"; + public static final String SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = "plugins.security.ssl.transport.pemkey_password"; + public static final String SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = "plugins.security.ssl.transport.pemcert_filepath"; - public static final String SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.pemtrustedcas_filepath"; - public static final String SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = "opendistro_security.ssl.transport.extended_key_usage_enabled"; + public static final String SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = "plugins.security.ssl.transport.pemtrustedcas_filepath"; + public static final String SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = "plugins.security.ssl.transport.extended_key_usage_enabled"; public static final boolean SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT = false; - public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.server.pemkey_filepath"; - public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.server.pemkey_password"; - public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.server.pemcert_filepath"; - public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = 
"opendistro_security.ssl.transport.server.pemtrustedcas_filepath"; - public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = "opendistro_security.ssl.transport.client.pemkey_filepath"; - public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = "opendistro_security.ssl.transport.client.pemkey_password"; - public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = "opendistro_security.ssl.transport.client.pemcert_filepath"; - public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = "opendistro_security.ssl.transport.client.pemtrustedcas_filepath"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = "plugins.security.ssl.transport.server.pemkey_filepath"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = "plugins.security.ssl.transport.server.pemkey_password"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = "plugins.security.ssl.transport.server.pemcert_filepath"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = "plugins.security.ssl.transport.server.pemtrustedcas_filepath"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = "plugins.security.ssl.transport.client.pemkey_filepath"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = "plugins.security.ssl.transport.client.pemkey_password"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = "plugins.security.ssl.transport.client.pemcert_filepath"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = "plugins.security.ssl.transport.client.pemtrustedcas_filepath"; - public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = "opendistro_security.ssl.transport.keystore_password"; - public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.keystore_keypassword"; - 
public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.server.keystore_keypassword"; - public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = "opendistro_security.ssl.transport.client.keystore_keypassword"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = "plugins.security.ssl.transport.keystore_password"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = "plugins.security.ssl.transport.keystore_keypassword"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = "plugins.security.ssl.transport.server.keystore_keypassword"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = "plugins.security.ssl.transport.client.keystore_keypassword"; - public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = "opendistro_security.ssl.transport.keystore_type"; + public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = "plugins.security.ssl.transport.keystore_type"; - public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.truststore_alias"; - public static final String SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.server.truststore_alias"; - public static final String SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = "opendistro_security.ssl.transport.client.truststore_alias"; + public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = "plugins.security.ssl.transport.truststore_alias"; + public static final String SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = "plugins.security.ssl.transport.server.truststore_alias"; + public static final String SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = "plugins.security.ssl.transport.client.truststore_alias"; - public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = "opendistro_security.ssl.transport.truststore_filepath"; - 
public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = "opendistro_security.ssl.transport.truststore_password"; - public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = "opendistro_security.ssl.transport.truststore_type"; - public static final String SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = "opendistro_security.ssl.transport.enabled_ciphers"; - public static final String SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = "opendistro_security.ssl.transport.enabled_protocols"; - public static final String SECURITY_SSL_HTTP_ENABLED_CIPHERS = "opendistro_security.ssl.http.enabled_ciphers"; - public static final String SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = "opendistro_security.ssl.http.enabled_protocols"; - public static final String SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = "opendistro_security.ssl.client.external_context_id"; - public static final String SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = "opendistro_security.ssl.transport.principal_extractor_class"; + public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = "plugins.security.ssl.transport.truststore_filepath"; + public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = "plugins.security.ssl.transport.truststore_password"; + public static final String SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = "plugins.security.ssl.transport.truststore_type"; + public static final String SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = "plugins.security.ssl.transport.enabled_ciphers"; + public static final String SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = "plugins.security.ssl.transport.enabled_protocols"; + public static final String SECURITY_SSL_HTTP_ENABLED_CIPHERS = "plugins.security.ssl.http.enabled_ciphers"; + public static final String SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = "plugins.security.ssl.http.enabled_protocols"; + public static final String SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = "plugins.security.ssl.client.external_context_id"; + public static final String 
SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = "plugins.security.ssl.transport.principal_extractor_class"; - public static final String SECURITY_SSL_HTTP_CRL_FILE = "opendistro_security.ssl.http.crl.file_path"; - public static final String SECURITY_SSL_HTTP_CRL_VALIDATE = "opendistro_security.ssl.http.crl.validate"; - public static final String SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = "opendistro_security.ssl.http.crl.prefer_crlfile_over_ocsp"; - public static final String SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = "opendistro_security.ssl.http.crl.check_only_end_entities"; - public static final String SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = "opendistro_security.ssl.http.crl.disable_ocsp"; - public static final String SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = "opendistro_security.ssl.http.crl.disable_crldp"; - public static final String SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = "opendistro_security.ssl.http.crl.validation_date"; + public static final String SECURITY_SSL_HTTP_CRL_FILE = "plugins.security.ssl.http.crl.file_path"; + public static final String SECURITY_SSL_HTTP_CRL_VALIDATE = "plugins.security.ssl.http.crl.validate"; + public static final String SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = "plugins.security.ssl.http.crl.prefer_crlfile_over_ocsp"; + public static final String SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = "plugins.security.ssl.http.crl.check_only_end_entities"; + public static final String SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = "plugins.security.ssl.http.crl.disable_ocsp"; + public static final String SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = "plugins.security.ssl.http.crl.disable_crldp"; + public static final String SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = "plugins.security.ssl.http.crl.validation_date"; - public static final String SECURITY_SSL_ALLOW_CLIENT_INITIATED_RENEGOTIATION = "opendistro_security.ssl.allow_client_initiated_renegotiation"; + public static final String SECURITY_SSL_ALLOW_CLIENT_INITIATED_RENEGOTIATION = 
"plugins.security.ssl.allow_client_initiated_renegotiation"; public static final String DEFAULT_STORE_PASSWORD = "changeit"; //#16 diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java index dda3d7103a..42eccbc1c3 100644 --- a/src/main/java/org/opensearch/security/support/ConfigConstants.java +++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java @@ -111,10 +111,10 @@ public class ConfigConstants { public static final String SECURITY_DEFAULT_CONFIG_INDEX = ".opendistro_security"; - public static final String SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = "opendistro_security.enable_snapshot_restore_privilege"; + public static final String SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = "plugins.security.enable_snapshot_restore_privilege"; public static final boolean SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE = true; - public static final String SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = "opendistro_security.check_snapshot_restore_write_privileges"; + public static final String SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = "plugins.security.check_snapshot_restore_write_privileges"; public static final boolean SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = true; public static final Set SECURITY_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES = Collections.unmodifiableSet( new HashSet(Arrays.asList( 
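Review bot: Renaming the key strings changes which `opensearch.yml` entries these constants resolve, and with `SECURITY_SSL_HTTP_ENABLED_DEFAULT = false` a node whose config still says `opendistro_security.ssl.http.enabled: true` would come up with HTTP TLS off unless every read site goes through the legacy fallback the commit title refers to, which is not visible in this hunk. The same concern applies to the ConfigConstants hunks at @@ -111, @@ -123 and @@ -189 (`SECURITY_AUTHCZ_ADMIN_DN`, `SECURITY_NODES_DN`, `SECURITY_DISABLED`, `SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES`), where a value that silently stops being read tends to loosen rather than tighten a check. A class-level Javadoc on `SSLConfigConstants` and `ConfigConstants` should state that these are the canonical `plugins.security.*` keys, that `opendistro_security.*` names are honoured only through the legacy settings path, and which key wins when both are present with different values. Deriving the strings from a single `plugins.security.` prefix constant, analogous to the existing `SECURITY_CONFIG_PREFIX` used for `SECURITY_ACTION_NAME`, would also make the legacy mapping mechanical instead of one hand-maintained pair per constant.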
@@ -123,37 +123,37 @@ public class ConfigConstants { // "indices:data/write/bulk" ))); - public static final String SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "opendistro_security.cert.intercluster_request_evaluator_class"; + public static final String SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "plugins.security.cert.intercluster_request_evaluator_class"; public static final String SECURITY_ACTION_NAME = SECURITY_CONFIG_PREFIX+"action_name"; - public static final String SECURITY_AUTHCZ_ADMIN_DN = "opendistro_security.authcz.admin_dn"; - public static final String SECURITY_CONFIG_INDEX_NAME = "opendistro_security.config_index_name"; - public static final String SECURITY_AUTHCZ_IMPERSONATION_DN = "opendistro_security.authcz.impersonation_dn"; - public static final String SECURITY_AUTHCZ_REST_IMPERSONATION_USERS="opendistro_security.authcz.rest_impersonation_user"; + public static final String SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn"; + public static final String SECURITY_CONFIG_INDEX_NAME = "plugins.security.config_index_name"; + public static final String SECURITY_AUTHCZ_IMPERSONATION_DN = "plugins.security.authcz.impersonation_dn"; + public static final String SECURITY_AUTHCZ_REST_IMPERSONATION_USERS="plugins.security.authcz.rest_impersonation_user"; - public static final String SECURITY_AUDIT_TYPE_DEFAULT = "opendistro_security.audit.type"; - public static final String SECURITY_AUDIT_CONFIG_DEFAULT = "opendistro_security.audit.config"; - public static final String SECURITY_AUDIT_CONFIG_ROUTES = "opendistro_security.audit.routes"; - public static final String SECURITY_AUDIT_CONFIG_ENDPOINTS = "opendistro_security.audit.endpoints"; - public static final String SECURITY_AUDIT_THREADPOOL_SIZE = "opendistro_security.audit.threadpool.size"; - public static final String SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN = "opendistro_security.audit.threadpool.max_queue_len"; - public static final String SECURITY_AUDIT_LOG_REQUEST_BODY = 
"opendistro_security.audit.log_request_body"; - public static final String SECURITY_AUDIT_RESOLVE_INDICES = "opendistro_security.audit.resolve_indices"; - public static final String SECURITY_AUDIT_ENABLE_REST = "opendistro_security.audit.enable_rest"; - public static final String SECURITY_AUDIT_ENABLE_TRANSPORT = "opendistro_security.audit.enable_transport"; - public static final String SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES = "opendistro_security.audit.config.disabled_transport_categories"; - public static final String SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES = "opendistro_security.audit.config.disabled_rest_categories"; + public static final String SECURITY_AUDIT_TYPE_DEFAULT = "plugins.security.audit.type"; + public static final String SECURITY_AUDIT_CONFIG_DEFAULT = "plugins.security.audit.config"; + public static final String SECURITY_AUDIT_CONFIG_ROUTES = "plugins.security.audit.routes"; + public static final String SECURITY_AUDIT_CONFIG_ENDPOINTS = "plugins.security.audit.endpoints"; + public static final String SECURITY_AUDIT_THREADPOOL_SIZE = "plugins.security.audit.threadpool.size"; + public static final String SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN = "plugins.security.audit.threadpool.max_queue_len"; + public static final String SECURITY_AUDIT_LOG_REQUEST_BODY = "plugins.security.audit.log_request_body"; + public static final String SECURITY_AUDIT_RESOLVE_INDICES = "plugins.security.audit.resolve_indices"; + public static final String SECURITY_AUDIT_ENABLE_REST = "plugins.security.audit.enable_rest"; + public static final String SECURITY_AUDIT_ENABLE_TRANSPORT = "plugins.security.audit.enable_transport"; + public static final String SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES = "plugins.security.audit.config.disabled_transport_categories"; + public static final String SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES = "plugins.security.audit.config.disabled_rest_categories"; public static final List 
SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT = ImmutableList.of(AuditCategory.AUTHENTICATED.toString(), AuditCategory.GRANTED_PRIVILEGES.toString()); - public static final String SECURITY_AUDIT_IGNORE_USERS = "opendistro_security.audit.ignore_users"; - public static final String SECURITY_AUDIT_IGNORE_REQUESTS = "opendistro_security.audit.ignore_requests"; - public static final String SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = "opendistro_security.audit.resolve_bulk_requests"; + public static final String SECURITY_AUDIT_IGNORE_USERS = "plugins.security.audit.ignore_users"; + public static final String SECURITY_AUDIT_IGNORE_REQUESTS = "plugins.security.audit.ignore_requests"; + public static final String SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = "plugins.security.audit.resolve_bulk_requests"; public static final boolean SECURITY_AUDIT_SSL_VERIFY_HOSTNAMES_DEFAULT = true; public static final boolean SECURITY_AUDIT_SSL_ENABLE_SSL_CLIENT_AUTH_DEFAULT = false; - public static final String SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS = "opendistro_security.audit.exclude_sensitive_headers"; + public static final String SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS = "plugins.security.audit.exclude_sensitive_headers"; - public static final String SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX = "opendistro_security.audit.config."; + public static final String SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX = "plugins.security.audit.config."; // Internal / External OpenSearch public static final String SECURITY_AUDIT_OPENSEARCH_INDEX = "index"; 
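Review bot: `SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS` in this hunk and `SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS` in the @@ -189 hunk are two constants for the same key `plugins.security.cert.intercluster_request_evaluator_class`; since the commit rewrites both, fold them into one (or define one as an alias of the other) so the legacy mapping carries exactly one entry per key. `SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX = "plugins.security.audit.config."` is a prefix rather than a full key, so a fallback that maps exact names would presumably not cover prefix-based lookups beneath it; worth confirming against the settings class. Minor: `SECURITY_AUTHCZ_REST_IMPERSONATION_USERS="plugins.security.authcz.rest_impersonation_user";` still lacks spaces around `=`, unlike every neighbouring line.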
@@ -189,43 +189,43 @@ public class ConfigConstants { public static final String SECURITY_AUDIT_LOG4J_LEVEL = "log4j.level"; //retry - public static final String SECURITY_AUDIT_RETRY_COUNT = "opendistro_security.audit.config.retry_count"; - public static final String SECURITY_AUDIT_RETRY_DELAY_MS = "opendistro_security.audit.config.retry_delay_ms"; + public static final String SECURITY_AUDIT_RETRY_COUNT = "plugins.security.audit.config.retry_count"; + public static final String SECURITY_AUDIT_RETRY_DELAY_MS = "plugins.security.audit.config.retry_delay_ms"; - public static final String SECURITY_KERBEROS_KRB5_FILEPATH = "opendistro_security.kerberos.krb5_filepath"; - public static final String SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH = "opendistro_security.kerberos.acceptor_keytab_filepath"; - public static final String SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL = "opendistro_security.kerberos.acceptor_principal"; - public static final String SECURITY_CERT_OID = "opendistro_security.cert.oid"; - public static final String SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "opendistro_security.cert.intercluster_request_evaluator_class"; - public static final String SECURITY_ADVANCED_MODULES_ENABLED = "opendistro_security.advanced_modules_enabled"; - public static final String SECURITY_NODES_DN = "opendistro_security.nodes_dn"; - public static final String SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED = "opendistro_security.nodes_dn_dynamic_config_enabled"; - public static final String SECURITY_DISABLED = "opendistro_security.disabled"; - public static final String SECURITY_CACHE_TTL_MINUTES = "opendistro_security.cache.ttl_minutes"; - public static final String SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = "opendistro_security.allow_unsafe_democertificates"; - public static final String SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = "opendistro_security.allow_default_init_securityindex"; - public static final String SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST = 
"opendistro_security.background_init_if_securityindex_not_exist"; - - public static final String SECURITY_ROLES_MAPPING_RESOLUTION = "opendistro_security.roles_mapping_resolution"; - - public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY = "opendistro_security.compliance.history.write.metadata_only"; - public static final String SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY = "opendistro_security.compliance.history.read.metadata_only"; - public static final String SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS = "opendistro_security.compliance.history.read.watched_fields"; - public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES = "opendistro_security.compliance.history.write.watched_indices"; - public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS = "opendistro_security.compliance.history.write.log_diffs"; - public static final String SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS = "opendistro_security.compliance.history.read.ignore_users"; - public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS = "opendistro_security.compliance.history.write.ignore_users"; - public static final String SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED = "opendistro_security.compliance.history.external_config_enabled"; - public static final String SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION = "opendistro_security.compliance.disable_anonymous_authentication"; - public static final String SECURITY_COMPLIANCE_IMMUTABLE_INDICES = "opendistro_security.compliance.immutable_indices"; - public static final String SECURITY_COMPLIANCE_SALT = "opendistro_security.compliance.salt"; + public static final String SECURITY_KERBEROS_KRB5_FILEPATH = "plugins.security.kerberos.krb5_filepath"; + public static final String SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH = "plugins.security.kerberos.acceptor_keytab_filepath"; + public static final String SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL = 
"plugins.security.kerberos.acceptor_principal"; + public static final String SECURITY_CERT_OID = "plugins.security.cert.oid"; + public static final String SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "plugins.security.cert.intercluster_request_evaluator_class"; + public static final String SECURITY_ADVANCED_MODULES_ENABLED = "plugins.security.advanced_modules_enabled"; + public static final String SECURITY_NODES_DN = "plugins.security.nodes_dn"; + public static final String SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED = "plugins.security.nodes_dn_dynamic_config_enabled"; + public static final String SECURITY_DISABLED = "plugins.security.disabled"; + public static final String SECURITY_CACHE_TTL_MINUTES = "plugins.security.cache.ttl_minutes"; + public static final String SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = "plugins.security.allow_unsafe_democertificates"; + public static final String SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = "plugins.security.allow_default_init_securityindex"; + public static final String SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST = "plugins.security.background_init_if_securityindex_not_exist"; + + public static final String SECURITY_ROLES_MAPPING_RESOLUTION = "plugins.security.roles_mapping_resolution"; + + public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY = "plugins.security.compliance.history.write.metadata_only"; + public static final String SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY = "plugins.security.compliance.history.read.metadata_only"; + public static final String SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS = "plugins.security.compliance.history.read.watched_fields"; + public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES = "plugins.security.compliance.history.write.watched_indices"; + public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS = "plugins.security.compliance.history.write.log_diffs"; + public static final String 
SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS = "plugins.security.compliance.history.read.ignore_users"; + public static final String SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS = "plugins.security.compliance.history.write.ignore_users"; + public static final String SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED = "plugins.security.compliance.history.external_config_enabled"; + public static final String SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION = "plugins.security.compliance.disable_anonymous_authentication"; + public static final String SECURITY_COMPLIANCE_IMMUTABLE_INDICES = "plugins.security.compliance.immutable_indices"; + public static final String SECURITY_COMPLIANCE_SALT = "plugins.security.compliance.salt"; public static final String SECURITY_COMPLIANCE_SALT_DEFAULT = "e1ukloTsQlOgPquJ";//16 chars - public static final String SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = "opendistro_security.compliance.history.internal_config_enabled"; - public static final String SECURITY_SSL_ONLY = "opendistro_security.ssl_only"; + public static final String SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = "plugins.security.compliance.history.internal_config_enabled"; + public static final String SECURITY_SSL_ONLY = "plugins.security.ssl_only"; public static final String SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED = "opendistro_security_config.ssl_dual_mode_enabled"; - public static final String SECURITY_SSL_CERT_RELOAD_ENABLED = "opendistro_security.ssl_cert_reload_enabled"; - public static final String SECURITY_DISABLE_ENVVAR_REPLACEMENT = "opendistro_security.disable_envvar_replacement"; + public static final String SECURITY_SSL_CERT_RELOAD_ENABLED = "plugins.security.ssl_cert_reload_enabled"; + public static final String SECURITY_DISABLE_ENVVAR_REPLACEMENT = "plugins.security.disable_envvar_replacement"; public enum RolesMappingResolution { MAPPING_ONLY, 
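Review bot: `SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED` is left on the `opendistro_security_config.` prefix while its sibling `SECURITY_SSL_ONLY` moves to `plugins.security.ssl_only`, and nothing in the hunk says whether that is deliberate. If the key is intentionally excluded from the rename, annotate it so the next pass does not "fix" it or miss it in the legacy mapping: `// Intentionally not moved to the plugins.security prefix; see the legacy settings mapping before renaming.` If it was an oversight, it should move with the others and the SSLConfig warning in the @@ -36 hunk updated to match. The enum `RolesMappingResolution` that starts at the end of this hunk continues outside it.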
@@ -233,41 +233,41 @@ public enum RolesMappingResolution {
 BOTH
 }
- public static final String SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS = "opendistro_security.filter_securityindex_from_all_requests";
+ public static final String SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS = "plugins.security.filter_securityindex_from_all_requests";
 // REST API
- public static final String SECURITY_RESTAPI_ROLES_ENABLED = "opendistro_security.restapi.roles_enabled";
- public static final String SECURITY_RESTAPI_ENDPOINTS_DISABLED = "opendistro_security.restapi.endpoints_disabled";
- public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = "opendistro_security.restapi.password_validation_regex";
- public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = "opendistro_security.restapi.password_validation_error_message";
+ public static final String SECURITY_RESTAPI_ROLES_ENABLED = "plugins.security.restapi.roles_enabled";
+ public static final String SECURITY_RESTAPI_ENDPOINTS_DISABLED = "plugins.security.restapi.endpoints_disabled";
+ public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = "plugins.security.restapi.password_validation_regex";
+ public static final String SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = "plugins.security.restapi.password_validation_error_message";
 // Illegal Opcodes from here on
- public static final String SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = "opendistro_security.unsupported.disable_rest_auth_initially";
- public static final String SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = "opendistro_security.unsupported.disable_intertransport_auth_initially";
- public static final String SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED = "opendistro_security.unsupported.restore.securityindex.enabled";
- public static final String SECURITY_UNSUPPORTED_INJECT_USER_ENABLED = "opendistro_security.unsupported.inject_user.enabled";
- public static final String SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED = "opendistro_security.unsupported.inject_user.admin.enabled";
- public static final String SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS = "opendistro_security.unsupported.allow_now_in_dls";
+ public static final String SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = "plugins.security.unsupported.disable_rest_auth_initially";
+ public static final String SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = "plugins.security.unsupported.disable_intertransport_auth_initially";
+ public static final String SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED = "plugins.security.unsupported.restore.securityindex.enabled";
+ public static final String SECURITY_UNSUPPORTED_INJECT_USER_ENABLED = "plugins.security.unsupported.inject_user.enabled";
+ public static final String SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED = "plugins.security.unsupported.inject_user.admin.enabled";
+ public static final String SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS = "plugins.security.unsupported.allow_now_in_dls";
- public static final String SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION = "opendistro_security.unsupported.restapi.allow_securityconfig_modification";
- public static final String SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES = "opendistro_security.unsupported.load_static_resources";
- public static final String SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG = "opendistro_security.unsupported.accept_invalid_config";
+ public static final String SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION = "plugins.security.unsupported.restapi.allow_securityconfig_modification";
+ public static final String SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES = "plugins.security.unsupported.load_static_resources";
+ public static final String SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG = "plugins.security.unsupported.accept_invalid_config";
 // Protected indices settings. Marked for deprecation, after all config indices move to System indices.
- public static final String SECURITY_PROTECTED_INDICES_ENABLED_KEY = "opendistro_security.protected_indices.enabled";
+ public static final String SECURITY_PROTECTED_INDICES_ENABLED_KEY = "plugins.security.protected_indices.enabled";
 public static final Boolean SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT = false;
- public static final String SECURITY_PROTECTED_INDICES_KEY = "opendistro_security.protected_indices.indices";
+ public static final String SECURITY_PROTECTED_INDICES_KEY = "plugins.security.protected_indices.indices";
 public static final List SECURITY_PROTECTED_INDICES_DEFAULT = Collections.emptyList();
- public static final String SECURITY_PROTECTED_INDICES_ROLES_KEY = "opendistro_security.protected_indices.roles";
+ public static final String SECURITY_PROTECTED_INDICES_ROLES_KEY = "plugins.security.protected_indices.roles";
 public static final List SECURITY_PROTECTED_INDICES_ROLES_DEFAULT = Collections.emptyList();
 // Roles injection for plugins
 public static final String SECURITY_INJECTED_ROLES = "opendistro_security_injected_roles";
 // System indices settings
- public static final String SECURITY_SYSTEM_INDICES_ENABLED_KEY = "opendistro_security.system_indices.enabled";
+ public static final String SECURITY_SYSTEM_INDICES_ENABLED_KEY = "plugins.security.system_indices.enabled";
 public static final Boolean SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT = false;
- public static final String SECURITY_SYSTEM_INDICES_KEY = "opendistro_security.system_indices.indices";
+ public static final String SECURITY_SYSTEM_INDICES_KEY = "plugins.security.system_indices.indices";
 public static final List SECURITY_SYSTEM_INDICES_DEFAULT = Collections.emptyList();
 public static Set getSettingAsSet(final Settings settings, final String key, final List defaultList, final boolean ignoreCaseForNone) {
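Review bot: `SECURITY_INJECTED_ROLES` keeps the literal `opendistro_security_injected_roles` while every key around it moves to `plugins.security.*`, and `SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED` in the previous hunk is left on the old prefix the same way; if that is deliberate (both may be thread-context or dynamic-config keys rather than opensearch.yml settings, which this hunk does not show), a comment such as `// not an opensearch.yml setting key; intentionally left off the plugins.security.* prefix` would prevent a later blanket rename. The rename itself fails open on upgrade unless the legacy settings class named in the commit title maps the old prefix for every constant here: a node whose opensearch.yml still sets `opendistro_security.protected_indices.enabled: true` or `opendistro_security.system_indices.enabled: true` and is read through the new key alone falls back to `SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT = false` / `SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT = false`, so a header comment on this block should name the fallback and state that readers must go through it rather than the `Settings` object directly. `getSettingAsSet` starts on the hunk's last line and continues outside it.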
diff --git a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
index 27c505f070..704de95719 100644
--- a/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
+++ b/src/main/java/org/opensearch/security/tools/SecurityAdmin.java
@@ -531,7 +531,7 @@ public static int execute(final String[] args) throws Exception {
 if(!whoAmIRes.isNodeCertificateRequest()) {
 System.out.println("Seems you use a client certificate but this one is not registered as admin_dn");
 System.out.println("Make sure opensearch.yml on all nodes contains:");
- System.out.println("opendistro_security.authcz.admin_dn:"+System.lineSeparator()+
+ System.out.println("plugins.security.authcz.admin_dn:"+System.lineSeparator()+
 " - \""+whoAmIRes.getDn()+"\"");
 } else {
 System.out.println("Seems you use a node certificate. This is not permitted, you have to use a client certificate and register it as admin_dn in opensearch.yml");
diff --git a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java
index f6a11a36d8..0a0316b8bc 100755
--- a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTest.java
@@ -176,7 +176,7 @@ public void testLdapAuthenticationSSL() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false)
 .put("path.home",".")
 .build();
@@ -232,7 +232,7 @@ public void testLdapAuthenticationSSLSSLv3() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "SSLv3")
 .put("path.home",".")
@@ -256,7 +256,7 @@ public void testLdapAuthenticationSSLUnknowCipher() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false)
 .putList("enabled_ssl_ciphers", "AAA")
 .put("path.home",".")
@@ -280,7 +280,7 @@ public void testLdapAuthenticationSpecialCipherProtocol() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false)
 .putList("enabled_ssl_protocols", "TLSv1")
 .putList("enabled_ssl_ciphers", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
@@ -302,7 +302,7 @@ public void testLdapAuthenticationSSLNoKeystore() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false)
 .put("path.home",".")
 .build();
@@ -354,7 +354,7 @@ public void testLdapAuthorization() throws Exception {
 .put(ConfigConstants.LDAP_AUTHZ_ROLEBASE, "ou=groups,o=TEST")
 .put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn")
 .put(ConfigConstants.LDAP_AUTHZ_ROLESEARCH, "(uniqueMember={0})")
- // .put("opendistro_security.authentication.authorization.ldap.userrolename",
+ // .put("plugins.security.authentication.authorization.ldap.userrolename",
 // "(uniqueMember={0})")
 .build();
@@ -608,7 +608,7 @@ public void testLdapAuthenticationStartTLS() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_START_TLS, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).put("path.home", ".")
 .build();
diff --git a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestClientCert.java b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestClientCert.java
index 7bdb3916b5..c57dc2edf6 100644
--- a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestClientCert.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestClientCert.java
@@ -47,7 +47,7 @@ public void testNoAuth() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
 .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid")
 .put("path.home",".")
@@ -73,7 +73,7 @@ public void testNoAuthX() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "kdc.dummy.com:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAPS_VERIFY_HOSTNAMES, false)
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
 .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid")
@@ -100,7 +100,7 @@ public void testNoAuthY() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "kdc.dummy.com:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/wrong/truststore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/wrong/truststore.jks")
 .put(ConfigConstants.LDAPS_VERIFY_HOSTNAMES, false)
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
 .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid")
@@ -130,7 +130,7 @@ public void testBindDnAuthLocalhost() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
 .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid")
 .put(ConfigConstants.LDAP_BIND_DN, "cn=ldapbinder,ou=people,dc=example,dc=com")
@@ -152,8 +152,8 @@ public void testLdapSslAuth() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/spock-keystore.jks")
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/spock-keystore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAPS_ENABLE_SSL_CLIENT_AUTH, true)
 .put(ConfigConstants.LDAPS_JKS_CERT_ALIAS, "spock")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
@@ -201,8 +201,8 @@ public void testLdapSslAuthNo() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/kirk-keystore.jks")
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/kirk-keystore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAPS_ENABLE_SSL_CLIENT_AUTH, true)
 .put(ConfigConstants.LDAPS_JKS_CERT_ALIAS, "kirk")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
@@ -226,8 +226,8 @@ public void testLdapAuthenticationSSL() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "kdc.dummy.com:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- //.put("opendistro_security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/cn=ldapbinder,ou=people,dc=example,dc=com-keystore.jks")
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ //.put("plugins.security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/cn=ldapbinder,ou=people,dc=example,dc=com-keystore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 //.put("verify_hostnames", false)
 //.put(ConfigConstants.LDAPS_ENABLE_SSL_CLIENT_AUTH, true)
 //.put(ConfigConstants.LDAPS_JKS_CERT_ALIAS, "cn=ldapbinder,ou=people,dc=example,dc=com")
diff --git a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestNewStyleConfig.java b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestNewStyleConfig.java
index cb96574fb1..4795929a26 100644
--- a/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestNewStyleConfig.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap/LdapBackendTestNewStyleConfig.java
@@ -163,7 +163,7 @@ public void testLdapAuthenticationSSL() throws Exception {
 final Settings settings = Settings.builder()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).put("path.home", ".").build();
@@ -214,7 +214,7 @@ public void testLdapAuthenticationSSLSSLv3() throws Exception {
 final Settings settings = Settings.builder()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).putList("enabled_ssl_protocols", "SSLv3").put("path.home", ".").build();
@@ -234,7 +234,7 @@ public void testLdapAuthenticationSSLUnknownCipher() throws Exception {
 final Settings settings = Settings.builder()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).putList("enabled_ssl_ciphers", "AAA").put("path.home", ".").build();
@@ -254,7 +254,7 @@ public void testLdapAuthenticationSpecialCipherProtocol() throws Exception {
 final Settings settings = Settings.builder()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).putList("enabled_ssl_protocols", "TLSv1")
 .putList("enabled_ssl_ciphers", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA").put("path.home", ".").build();
@@ -272,7 +272,7 @@ public void testLdapAuthenticationSSLNoKeystore() throws Exception {
 final Settings settings = Settings.builder()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).put("path.home", ".").build();
@@ -317,7 +317,7 @@ public void testLdapAuthorization() throws Exception {
 .put("users.u1.search", "(uid={0})").put("users.u1.base", "ou=people,o=TEST")
 .put("roles.g1.base", "ou=groups,o=TEST").put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn")
 .put("roles.g1.search", "(uniqueMember={0})")
- // .put("opendistro_security.authentication.authorization.ldap.userrolename",
+ // .put("plugins.security.authentication.authorization.ldap.userrolename",
 // "(uniqueMember={0})")
 .build();
@@ -516,7 +516,7 @@ public void testLdapAuthenticationStartTLS() throws Exception {
 final Settings settings = Settings.builder()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_START_TLS, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).put("path.home", ".").build();
diff --git a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestClientCert2.java b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestClientCert2.java
index 2d549d1d87..ededcd0ca4 100644
--- a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestClientCert2.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestClientCert2.java
@@ -47,7 +47,7 @@ public void testNoAuth() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
 .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid")
 .put("path.home",".")
@@ -74,7 +74,7 @@ public void testNoAuthX() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "kdc.dummy.com:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAPS_VERIFY_HOSTNAMES, false)
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
 .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid")
@@ -102,7 +102,7 @@ public void testNoAuthY() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "kdc.dummy.com:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/wrong/truststore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/wrong/truststore.jks")
 .put(ConfigConstants.LDAPS_VERIFY_HOSTNAMES, false)
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
 .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid")
@@ -133,7 +133,7 @@ public void testBindDnAuthLocalhost() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
 .put(ConfigConstants.LDAP_AUTHC_USERNAME_ATTRIBUTE, "uid")
 .put(ConfigConstants.LDAP_BIND_DN, "cn=ldapbinder,ou=people,dc=example,dc=com")
@@ -155,8 +155,8 @@ public void testLdapSslAuth() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/spock-keystore.jks")
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/spock-keystore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAPS_ENABLE_SSL_CLIENT_AUTH, true)
 .put(ConfigConstants.LDAPS_JKS_CERT_ALIAS, "spock")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
@@ -204,8 +204,8 @@ public void testLdapSslAuthNo() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/kirk-keystore.jks")
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ .put("plugins.security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/kirk-keystore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 .put(ConfigConstants.LDAPS_ENABLE_SSL_CLIENT_AUTH, true)
 .put(ConfigConstants.LDAPS_JKS_CERT_ALIAS, "kirk")
 .put(ConfigConstants.LDAP_AUTHC_USERBASE, "ou=people,dc=example,dc=com")
@@ -229,8 +229,8 @@ public void testLdapAuthenticationSSL() throws Exception {
 .putList(ConfigConstants.LDAP_HOSTS, "kdc.dummy.com:636")
 .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})")
 .put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- //.put("opendistro_security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/cn=ldapbinder,ou=people,dc=example,dc=com-keystore.jks")
- .put("opendistro_security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
+ //.put("plugins.security.ssl.transport.keystore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/cn=ldapbinder,ou=people,dc=example,dc=com-keystore.jks")
+ .put("plugins.security.ssl.transport.truststore_filepath", "/Users/temp/opendistro_security_integration_tests/ldap/ssl-root-ca/truststore.jks")
 //.put("verify_hostnames", false)
 //.put(ConfigConstants.LDAPS_ENABLE_SSL_CLIENT_AUTH, true)
 //.put(ConfigConstants.LDAPS_JKS_CERT_ALIAS, "cn=ldapbinder,ou=people,dc=example,dc=com")
diff --git a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java
index a5b9ffc272..42c124de5b 100644
--- a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestNewStyleConfig2.java
@@ -195,7 +195,7 @@ public void testLdapAuthenticationSSL() throws Exception {
 final Settings settings = createBaseSettings()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).put("path.home", ".").build();
@@ -246,7 +246,7 @@ public void testLdapAuthenticationSSLSSLv3() throws Exception {
 final Settings settings = createBaseSettings()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).putList("enabled_ssl_protocols", "SSLv3").put("path.home", ".").build();
@@ -267,7 +267,7 @@ public void testLdapAuthenticationSSLUnknownCipher() throws Exception {
 final Settings settings = createBaseSettings()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).putList("enabled_ssl_ciphers", "AAA").put("path.home", ".").build();
@@ -288,7 +288,7 @@ public void testLdapAuthenticationSpecialCipherProtocol() throws Exception {
 final Settings settings = createBaseSettings()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).putList("enabled_ssl_protocols", "TLSv1")
 .putList("enabled_ssl_ciphers", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA").put("path.home", ".").build();
@@ -306,7 +306,7 @@ public void testLdapAuthenticationSSLNoKeystore() throws Exception {
 final Settings settings = createBaseSettings()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).put("path.home", ".").build();
@@ -352,7 +352,7 @@ public void testLdapAuthorization() throws Exception {
 .put("users.u1.search", "(uid={0})").put("users.u1.base", "ou=people,o=TEST")
 .put("roles.g1.base", "ou=groups,o=TEST").put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn")
 .put("roles.g1.search", "(uniqueMember={0})")
- // .put("opendistro_security.authentication.authorization.ldap.userrolename",
+ // .put("plugins.security.authentication.authorization.ldap.userrolename",
 // "(uniqueMember={0})")
 .build();
@@ -552,7 +552,7 @@ public void testLdapAuthenticationStartTLS() throws Exception {
 final Settings settings = createBaseSettings()
 .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort)
 .put("users.u1.search", "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_START_TLS, true)
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks"))
 .put("verify_hostnames", false).put("path.home", ".").build();
diff --git a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestOldStyleConfig2.java b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestOldStyleConfig2.java
index a40dea0f29..c16b282cbc 100755
--- a/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestOldStyleConfig2.java
+++ b/src/test/java/com/amazon/dlic/auth/ldap2/LdapBackendTestOldStyleConfig2.java
@@ -226,7 +226,7 @@ public void testLdapAuthenticationSSL() throws Exception { final Settings settings = createBaseSettings() .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")) .put("verify_hostnames", false).put("path.home", ".").build(); @@ -243,7 +243,7 @@ public void testLdapAuthenticationSSLPooled() throws Exception { .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true) .put(ConfigConstants.LDAP_POOL_ENABLED, true) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")) .put("verify_hostnames", false).put("path.home", ".").build(); @@ -294,7 +294,7 @@ public void testLdapAuthenticationSSLSSLv3() throws Exception { final Settings settings = createBaseSettings() .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")) .put("verify_hostnames", false).putList("enabled_ssl_protocols", "SSLv3").put("path.home", ".").build(); 
@@ -315,7 +315,7 @@ public void testLdapAuthenticationSSLUnknowCipher() throws Exception { final Settings settings = createBaseSettings() .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")) .put("verify_hostnames", false).putList("enabled_ssl_ciphers", "AAA").put("path.home", ".").build(); @@ -336,7 +336,7 @@ public void testLdapAuthenticationSpecialCipherProtocol() throws Exception { final Settings settings = createBaseSettings() .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")) .put("verify_hostnames", false).putList("enabled_ssl_protocols", "TLSv1") .putList("enabled_ssl_ciphers", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA").put("path.home", ".").build(); @@ -354,7 +354,7 @@ public void testLdapAuthenticationSSLNoKeystore() throws Exception { final Settings settings = createBaseSettings() .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapsPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})").put(ConfigConstants.LDAPS_ENABLE_SSL, true) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")) .put("verify_hostnames", false).put("path.home", ".").build(); 
@@ -403,7 +403,7 @@ public void testLdapAuthorization() throws Exception { .put(ConfigConstants.LDAP_AUTHZ_ROLEBASE, "ou=groups,o=TEST") .put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn") .put(ConfigConstants.LDAP_AUTHZ_ROLESEARCH, "(uniqueMember={0})") - // .put("opendistro_security.authentication.authorization.ldap.userrolename", + // .put("plugins.security.authentication.authorization.ldap.userrolename", // "(uniqueMember={0})") .build(); @@ -430,7 +430,7 @@ public void testLdapAuthorizationPooled() throws Exception { .put(ConfigConstants.LDAP_AUTHZ_ROLENAME, "cn") .put(ConfigConstants.LDAP_AUTHZ_ROLESEARCH, "(uniqueMember={0})") .put(ConfigConstants.LDAP_POOL_ENABLED, true) - // .put("opendistro_security.authentication.authorization.ldap.userrolename", + // .put("plugins.security.authentication.authorization.ldap.userrolename", // "(uniqueMember={0})") .build(); @@ -647,7 +647,7 @@ public void testLdapAuthenticationStartTLS() throws Exception { .putList(ConfigConstants.LDAP_HOSTS, "localhost:" + ldapPort) .put(ConfigConstants.LDAP_AUTHC_USERSEARCH, "(uid={0})") .put(ConfigConstants.LDAPS_ENABLE_START_TLS, true) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")) .put("verify_hostnames", false).put("path.home", ".").build(); diff --git a/src/test/java/org/opensearch/security/HttpIntegrationTests.java b/src/test/java/org/opensearch/security/HttpIntegrationTests.java index 675ba807f5..8e247d9d8e 100644 --- a/src/test/java/org/opensearch/security/HttpIntegrationTests.java +++ b/src/test/java/org/opensearch/security/HttpIntegrationTests.java 
@@ -262,9 +262,9 @@ public void testHTTPBasic() throws Exception {
 @Test
 public void testHTTPSCompressionEnabled() throws Exception {
 final Settings settings = Settings.builder()
- .put("opendistro_security.ssl.http.enabled",true)
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.enabled",true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
 .put("http.compression",true)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true);
@@ -284,9 +284,9 @@ public void testHTTPSCompressionEnabled() throws Exception {
 @Test
 public void testHTTPSCompression() throws Exception {
 final Settings settings = Settings.builder()
- .put("opendistro_security.ssl.http.enabled",true)
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.enabled",true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true);
 final RestHelper rh = restHelper(); //ssl resthelper
@@ -346,10 +346,10 @@ public void testHTTPAnon() throws Exception { @Test public void testHTTPClientCert() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.ssl.http.clientauth_mode","REQUIRE") - .put("opendistro_security.ssl.http.enabled",true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.clientauth_mode","REQUIRE") + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") @@ -389,9 +389,9 @@ public void testHTTPPlaintextErrMsg() throws Exception { try { final Settings settings = Settings.builder() - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) - .put("opendistro_security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.enabled", true) .build(); setup(settings); RestHelper rh = nonSslRestHelper(); 
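Review bot: The renamed keys in `testHTTPClientCert` are still bare string literals (`"plugins.security.ssl.http.clientauth_mode"`, `"plugins.security.ssl.http.enabled"`, the keystore/truststore paths) while the next three lines of the same builder use `SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS` and friends, and `InitializationIntegrationTests` sets the very same key through `SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE`. Since this commit exists because the prefix changed, going through the constants would keep the spelling of these security-critical keys in one place; e.g. `.put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")`, and presumably the matching constants for the enabled/keystore/truststore settings. The same applies to the `testHTTPPlaintextErrMsg` hunk that follows. Both enclosing methods start before and end after their hunks.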
diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java index bf453586d2..6a7a94eb78 100644 --- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java +++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java @@ -68,9 +68,9 @@ public void testEnsureInitViaRestDoesWork() throws Exception { final Settings settings = Settings.builder() .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put("opendistro_security.ssl.http.enabled",true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) .build(); setup(Settings.EMPTY, null, settings, false); final RestHelper rh = restHelper(); //ssl resthelper @@ -97,7 +97,7 @@ public void testInitWithInjectedUser() throws Exception { final Settings settings = Settings.builder() .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put("opendistro_security.unsupported.inject_user.enabled", true) + .put("plugins.security.unsupported.inject_user.enabled", true) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_disable_all.yml"), settings, true); 
@@ -228,7 +228,7 @@ public void testInvalidDefaultConfig() throws Exception { @Test public void testDisabled() throws Exception { - final Settings settings = Settings.builder().put("opendistro_security.disabled", true).build(); + final Settings settings = Settings.builder().put("plugins.security.disabled", true).build(); setup(Settings.EMPTY, null, settings, false); RestHelper rh = nonSslRestHelper(); diff --git a/src/test/java/org/opensearch/security/IntegrationTests.java b/src/test/java/org/opensearch/security/IntegrationTests.java index d0c74b5836..33645e6615 100644 --- a/src/test/java/org/opensearch/security/IntegrationTests.java +++ b/src/test/java/org/opensearch/security/IntegrationTests.java 
@@ -226,14 +226,14 @@ public void testDNSpecials1() throws Exception { .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "1") .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") - .putList("opendistro_security.nodes_dn", "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") - .putList("opendistro_security.authcz.admin_dn", "EMAILADDREss=unt@xxx.com, cn=node-untspec6.example.com, OU=SSL,O=Te\\, st,L=Test, c=DE") - .put("opendistro_security.cert.oid","1.2.3.4.5.6") + .putList("plugins.security.nodes_dn", "EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE") + .putList("plugins.security.authcz.admin_dn", "EMAILADDREss=unt@xxx.com, cn=node-untspec6.example.com, OU=SSL,O=Te\\, st,L=Test, c=DE") + .put("plugins.security.cert.oid","1.2.3.4.5.6") .build(); Settings tcSettings = Settings.builder() - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, "PKCS12") .build(); diff --git a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java index aa549656df..6b3ff9ff43 100644 --- a/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java +++ b/src/test/java/org/opensearch/security/RolesInjectorIntegTest.java 
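Review bot: `testDNSpecials1` now pins `nodes_dn`, `authcz.admin_dn` and `cert.oid` only under the new `plugins.security.` prefix; nothing in this hunk exercises a node configured with the old `opendistro_security.` spellings of the same keys. The commit title says a legacy settings class is added, so the old keys are presumably still read, but if that fallback regressed, an upgraded cluster whose `opensearch.yml` still carries `opendistro_security.authcz.admin_dn` or `opendistro_security.nodes_dn` could silently end up with an empty admin or node DN list and no test would fail. A second case that builds the same settings with the legacy prefix, e.g. `.putList("opendistro_security.nodes_dn", ...)` and `.putList("opendistro_security.authcz.admin_dn", ...)` with the same DNs and assertions, would pin that behaviour. The enclosing method starts before and ends after this hunk.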
@@ -105,7 +105,7 @@ public void testRolesInject() throws Exception { .put("path.home", "./target") .put("node.name", "testclient") .put("discovery.initial_state_timeout", "8s") - .put("opendistro_security.allow_default_init_securityindex", "true") + .put("plugins.security.allow_default_init_securityindex", "true") .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) .build(); diff --git a/src/test/java/org/opensearch/security/SecurityAdminMigrationTests.java b/src/test/java/org/opensearch/security/SecurityAdminMigrationTests.java index c8197aec27..e7865ad122 100644 --- a/src/test/java/org/opensearch/security/SecurityAdminMigrationTests.java +++ b/src/test/java/org/opensearch/security/SecurityAdminMigrationTests.java @@ -40,9 +40,9 @@ public class SecurityAdminMigrationTests extends SingleClusterTest { public void testSecurityMigrate() throws Exception { final Settings settings = Settings.builder() .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put("opendistro_security.ssl.http.enabled",true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setLegacy(), settings, true); final RestHelper rh = restHelper(); //ssl resthelper 
@@ -86,9 +86,9 @@ public void testSecurityMigrate() throws Exception {
 public void testSecurityMigrate2() throws Exception {
 final Settings settings = Settings.builder()
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put("opendistro_security.ssl.http.enabled",true)
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("plugins.security.ssl.http.enabled",true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks"))
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setLegacy(), settings, true);
 final RestHelper rh = restHelper(); //ssl resthelper
diff --git a/src/test/java/org/opensearch/security/SecurityAdminTests.java b/src/test/java/org/opensearch/security/SecurityAdminTests.java
index d2dc04f7d2..062c927771 100644
--- a/src/test/java/org/opensearch/security/SecurityAdminTests.java
+++ b/src/test/java/org/opensearch/security/SecurityAdminTests.java
@@ -278,9 +278,9 @@ public void testSecurityAdminInvalidYml() throws Exception { public void testSecurityAdminReloadInvalidConfig() throws Exception { final Settings settings = Settings.builder() .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put("opendistro_security.ssl.http.enabled",true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings, true); final RestHelper rh = restHelper(); //ssl resthelper diff --git a/src/test/java/org/opensearch/security/SlowIntegrationTests.java b/src/test/java/org/opensearch/security/SlowIntegrationTests.java index 55b3280bbe..ef5f5da87d 100644 --- a/src/test/java/org/opensearch/security/SlowIntegrationTests.java +++ b/src/test/java/org/opensearch/security/SlowIntegrationTests.java @@ -114,7 +114,7 @@ public void testNodeClientDisallowedWithNonServerCertificate() throws Exception .put("node.name", "transportclient") .put("discovery.initial_state_timeout","8s") .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost+":"+clusterInfo.nodePort) - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("kirk-keystore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("kirk-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"kirk") .build(); 
@@ -148,7 +148,7 @@ public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception .put("node.name", "transportclient") .put("discovery.initial_state_timeout","8s") .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost+":"+clusterInfo.nodePort) - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") .build(); diff --git a/src/test/java/org/opensearch/security/SnapshotRestoreTests.java b/src/test/java/org/opensearch/security/SnapshotRestoreTests.java index 6f2903013a..72eec9ce05 100644 --- a/src/test/java/org/opensearch/security/SnapshotRestoreTests.java +++ b/src/test/java/org/opensearch/security/SnapshotRestoreTests.java @@ -74,8 +74,8 @@ public void testSnapshotEnableSecurityIndexRestore() throws Exception { final Settings settings = Settings.builder() .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put("opendistro_security.check_snapshot_restore_write_privileges", false) - .put("opendistro_security.unsupported.restore.securityindex.enabled", true) + .put("plugins.security.check_snapshot_restore_write_privileges", false) + .put("plugins.security.unsupported.restore.securityindex.enabled", true) .build(); setup(settings, currentClusterConfig); @@ -136,7 +136,7 @@ public void testSnapshot() throws Exception { final Settings settings = Settings.builder() .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put("opendistro_security.check_snapshot_restore_write_privileges", false) + .put("plugins.security.check_snapshot_restore_write_privileges", false) .build(); setup(settings, currentClusterConfig); 
@@ -307,7 +307,7 @@ public void testNoSnapshotRestore() throws Exception { final Settings settings = Settings.builder() .putList("path.repo", repositoryPath.getRoot().getAbsolutePath()) - .put("opendistro_security.enable_snapshot_restore_privilege", false) + .put("plugins.security.enable_snapshot_restore_privilege", false) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityActionGroups("action_groups_packaged.yml"), settings, true, currentClusterConfig); diff --git a/src/test/java/org/opensearch/security/TransportClientIntegrationTests.java b/src/test/java/org/opensearch/security/TransportClientIntegrationTests.java index e5a63fe0c7..d2e1d7428b 100644 --- a/src/test/java/org/opensearch/security/TransportClientIntegrationTests.java +++ b/src/test/java/org/opensearch/security/TransportClientIntegrationTests.java @@ -78,7 +78,7 @@ public void testTransportClient() throws Exception { Settings tcSettings = Settings.builder() .put(settings) - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") .build(); @@ -364,7 +364,7 @@ public void testTransportClient() throws Exception { public void testTransportClientImpersonation() throws Exception { final Settings settings = Settings.builder() - .putList("opendistro_security.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum") + .putList("plugins.security.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum") .build(); 
@@ -379,7 +379,7 @@ public void testTransportClientImpersonation() throws Exception { } Settings tcSettings = Settings.builder() - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") .put("path.home", ".") .put("request.headers.opendistro_security_impersonate_as", "worf") @@ -395,14 +395,14 @@ public void testTransportClientImpersonation() throws Exception { public void testTransportClientImpersonationWildcard() throws Exception { final Settings settings = Settings.builder() - .putList("opendistro_security.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "*") + .putList("plugins.security.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "*") .build(); setup(settings); Settings tcSettings = Settings.builder() - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") .put("path.home", ".") .put("request.headers.opendistro_security_impersonate_as", "worf") @@ -436,7 +436,7 @@ public void testTransportClientUsernameAttribute() throws Exception { Settings tcSettings = Settings.builder() .put(settings) - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") .build(); 
@@ -722,7 +722,7 @@ public void testTransportClientUsernameAttribute() throws Exception { public void testTransportClientImpersonationUsernameAttribute() throws Exception { final Settings settings = Settings.builder() - .putList("opendistro_security.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum") + .putList("plugins.security.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "worf", "nagilum") .build(); @@ -740,7 +740,7 @@ public void testTransportClientImpersonationUsernameAttribute() throws Exception } Settings tcSettings = Settings.builder() - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") .put("path.home", ".") .put("request.headers.opendistro_security_impersonate_as", "worf") @@ -756,7 +756,7 @@ public void testTransportClientImpersonationUsernameAttribute() throws Exception public void testTransportClientImpersonationWildcardUsernameAttribute() throws Exception { final Settings settings = Settings.builder() - .putList("opendistro_security.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "*") + .putList("plugins.security.authcz.impersonation_dn.CN=spock,OU=client,O=client,L=Test,C=DE", "*") .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setConfig("config_transport_username.yml") 
@@ -765,7 +765,7 @@ public void testTransportClientImpersonationWildcardUsernameAttribute() throws E , settings); Settings tcSettings = Settings.builder() - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,"spock") .put("path.home", ".") .put("request.headers.opendistro_security_impersonate_as", "worf") diff --git a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java index 1cb437a0a7..1cdae40017 100644 --- a/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java +++ b/src/test/java/org/opensearch/security/TransportUserInjectorIntegTest.java @@ -84,7 +84,7 @@ public void testSecurityUserInjection() throws Exception { .put("path.home", "./target") .put("node.name", "testclient") .put("discovery.initial_state_timeout", "8s") - .put("opendistro_security.allow_default_init_securityindex", "true") + .put("plugins.security.allow_default_init_securityindex", "true") .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, true) .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) .build(); @@ -141,7 +141,7 @@ public void testSecurityUserInjectionWithConfigDisabled() throws Exception { .put("path.home", "./target") .put("node.name", "testclient") .put("discovery.initial_state_timeout", "8s") - .put("opendistro_security.allow_default_init_securityindex", "true") + .put("plugins.security.allow_default_init_securityindex", "true") .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false) .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort) .build(); 
diff --git a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java index 26aab434de..d9a257a1f7 100644 --- a/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java +++ b/src/test/java/org/opensearch/security/auditlog/AbstractAuditlogiUnitTest.java @@ -59,10 +59,10 @@ protected final void setup(Settings additionalSettings) throws Exception { protected Settings defaultNodeSettings(Settings additionalSettings) { Settings.Builder builder = Settings.builder(); - builder.put("opendistro_security.ssl.http.enabled", true) - .put("opendistro_security.ssl.http.keystore_filepath", + builder.put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")); return builder.put(additionalSettings).build(); diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java index 229021b5ae..f7be3bffb7 100644 --- a/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/compliance/ComplianceAuditlogTest.java 
@@ -46,7 +46,7 @@ public class ComplianceAuditlogTest extends AbstractAuditlogiUnitTest { public void testSourceFilter() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) @@ -98,7 +98,7 @@ public void testSourceFilter() throws Exception { @Test public void testComplianceEnable() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .build(); setup(additionalSettings); @@ -134,7 +134,7 @@ public void testComplianceEnable() throws Exception { public void testSourceFilterMsearch() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) .put(ConfigConstants.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false) @@ -202,7 +202,7 @@ public void testSourceFilterMsearch() throws Exception { public void testInternalConfig() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) 
@@ -249,7 +249,7 @@ public void testInternalConfig() throws Exception { public void testExternalConfig() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) @@ -286,7 +286,7 @@ public void testExternalConfig() throws Exception { public void testUpdate() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) @@ -323,7 +323,7 @@ public void testUpdate() throws Exception { public void testUpdatePerf() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) @@ -373,7 +373,7 @@ public void testUpdatePerf() throws Exception { public void testWriteHistory() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) 
diff --git a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java index 309766f669..bea3d999af 100644 --- a/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/compliance/RestApiComplianceAuditlogTest.java @@ -33,7 +33,7 @@ public class RestApiComplianceAuditlogTest extends AbstractAuditlogiUnitTest { public void testRestApiRolesEnabled() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) @@ -63,7 +63,7 @@ public void testRestApiRolesEnabled() throws Exception { public void testRestApiRolesDisabled() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) 
@@ -99,7 +99,7 @@ public void testRestApiRolesDisabled() throws Exception { public void testRestApiRolesDisabledGet() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) @@ -135,7 +135,7 @@ public void testRestApiRolesDisabledGet() throws Exception { public void testAutoInit() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) @@ -162,7 +162,7 @@ public void testAutoInit() throws Exception { public void testRestApiNewUser() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) 
@@ -187,7 +187,7 @@ public void testRestApiNewUser() throws Exception { public void testRestInternalConfigRead() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) @@ -221,7 +221,7 @@ public void testRestInternalConfigRead() throws Exception { @Test public void testBCryptHashRedaction() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) diff --git a/src/test/java/org/opensearch/security/auditlog/config/ThreadPoolConfigTest.java b/src/test/java/org/opensearch/security/auditlog/config/ThreadPoolConfigTest.java index abe7719456..8811baf573 100644 --- a/src/test/java/org/opensearch/security/auditlog/config/ThreadPoolConfigTest.java +++ b/src/test/java/org/opensearch/security/auditlog/config/ThreadPoolConfigTest.java @@ -77,8 +77,8 @@ public void testConfig() { public void testGenerationFromSettings() { // arrange Settings settings = Settings.builder() - .put("opendistro_security.audit.threadpool.size", "8") - .put("opendistro_security.audit.threadpool.max_queue_len", "50") + .put("plugins.security.audit.threadpool.size", "8") + .put("plugins.security.audit.threadpool.max_queue_len", "50") .build(); // assert 
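Review bot: With both keys in testGenerationFromSettings switched to the `plugins.security.` prefix, this file no longer feeds any `opendistro_security.audit.threadpool.*` key into ThreadPoolConfig, so if the new settings layer is meant to keep accepting the legacy prefix, that fallback is unverified here. A second arrangement in the same test, building `Settings` with `.put("opendistro_security.audit.threadpool.size", "8")` and `.put("opendistro_security.audit.threadpool.max_queue_len", "50")` and running the same assertions against it, would pin the compatibility behaviour; if the legacy prefix is intentionally dropped, a test asserting that the defaults are used instead documents that decision. The assertions of testGenerationFromSettings continue past the hunk.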
diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java index 22606b9d60..d01faa8470 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java @@ -53,7 +53,7 @@ public void setup() { @Test public void testClusterHealthRequest() { Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .build(); AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs); @@ -70,7 +70,7 @@ public void testSearchRequest() { sr.types("mytype","logs"); Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .build(); AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs); @@ -83,7 +83,7 @@ public void testSearchRequest() { public void testSslException() { Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) 
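Review bot: The builders in testClusterHealthRequest, testSearchRequest and testSslException now pair a hard-coded `"plugins.security.audit.type"` literal with `ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES` and the other `ConfigConstants` keys on the adjacent lines, so the audit-type key is the only one a future prefix change cannot catch at compile time. If ConfigConstants exposes a constant for the audit type key (its name is not visible in this diff), `.put(ConfigConstants.<AUDIT_TYPE_CONSTANT>, TestAuditlogImpl.class.getName())` would follow the convention of the neighbouring lines; otherwise a single `private static final String AUDIT_TYPE = "plugins.security.audit.type";` in the test class avoids repeating the literal in all five test methods of this file. The body of testSslException continues past the hunk.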
@@ -102,7 +102,7 @@ public void testRetry() { RetrySink.init(); Settings settings = Settings.builder() - .put("opendistro_security.audit.type", RetrySink.class.getName()) + .put("plugins.security.audit.type", RetrySink.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) @@ -121,7 +121,7 @@ public void testNoRetry() { RetrySink.init(); Settings settings = Settings.builder() - .put("opendistro_security.audit.type", RetrySink.class.getName()) + .put("plugins.security.audit.type", RetrySink.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) diff --git a/src/test/java/org/opensearch/security/auditlog/impl/DelegateTest.java b/src/test/java/org/opensearch/security/auditlog/impl/DelegateTest.java index 70d7e73293..88dc845cdf 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/DelegateTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/DelegateTest.java @@ -38,7 +38,7 @@ public void auditLogTypeTest() throws Exception{ private void testAuditType(String type, Class expectedClass) throws Exception { Builder settingsBuilder = Settings.builder(); - settingsBuilder.put("opendistro_security.audit.type", type); + settingsBuilder.put("plugins.security.audit.type", type); settingsBuilder.put("path.home", "."); AuditLogImpl auditLog = new AuditLogImpl(settingsBuilder.build(), null, null, null, null, null); auditLog.close(); diff --git a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java index eed86a4303..0f2db082a0 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java 
+++ b/src/test/java/org/opensearch/security/auditlog/impl/DisabledCategoriesTest.java @@ -68,7 +68,7 @@ public void invalidRestCategoryConfigurationTest() { thrown.expect(IllegalArgumentException.class); Builder settingsBuilder = Settings.builder(); - settingsBuilder.put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()); + settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName()); settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "nonexistent"); AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs); @@ -79,7 +79,7 @@ public void invalidTransportCategoryConfigurationTest() { thrown.expect(IllegalArgumentException.class); Builder settingsBuilder = Settings.builder(); - settingsBuilder.put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()); + settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName()); settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "nonexistent"); AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs); } @@ -87,8 +87,8 @@ public void invalidTransportCategoryConfigurationTest() { @Test public void invalidConfigurationTest() { Builder settingsBuilder = Settings.builder(); - settingsBuilder.put("opendistro_security.audit.type", "debug"); - settingsBuilder.put("opendistro_security.audit.config.disabled_categories", "nonexistant, bad_headers"); + settingsBuilder.put("plugins.security.audit.type", "debug"); + settingsBuilder.put("plugins.security.audit.config.disabled_categories", "nonexistant, bad_headers"); AbstractAuditLog auditLog = AuditTestUtils.createAuditLog(settingsBuilder.build(), null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs); logAll(auditLog); String result = TestAuditlogImpl.sb.toString(); 
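Review bot: invalidConfigurationTest sets `plugins.security.audit.type` to `debug` but then reads `TestAuditlogImpl.sb`, the buffer of a different sink that this configuration does not appear to install, so the assertion that follows may be checking leftover state from an earlier test rather than this audit log's output. Unless `debug` is an alias for TestAuditlogImpl in this test setup (not visible here), switching the line to `settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName());` as the other tests in this file do, or clearing the buffer before `logAll`, would make the check meaningful. The hunk also keeps the combined `audit.config.disabled_categories` key while the rest of the file uses the separate REST and transport keys; a comment saying the test deliberately exercises that combined form would save the next reader a search. The method's assertions continue past the hunk.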
@@ -99,7 +99,7 @@ public void invalidConfigurationTest() { public void enableAllCategoryTest() throws Exception { final Builder settingsBuilder = Settings.builder(); - settingsBuilder.put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()); + settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName()); settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE"); settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE"); @@ -159,7 +159,7 @@ protected void checkCategoriesDisabled(AuditCategory... disabledCategories) thro String disabledCategoriesString = Joiner.on(",").join(categoryNames); Builder settingsBuilder = Settings.builder(); - settingsBuilder.put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()); + settingsBuilder.put("plugins.security.audit.type", TestAuditlogImpl.class.getName()); settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, disabledCategoriesString); settingsBuilder.put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, disabledCategoriesString); diff --git a/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java b/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java index 8b838a87c4..f7cc3374ab 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/IgnoreAuditUsersTest.java 
@@ -71,8 +71,8 @@ public static void initSearchRequest() { public void testConfiguredIgnoreUser() { Settings settings = Settings.builder() - .put("opendistro_security.audit.ignore_users", ignoreUser) - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.ignore_users", ignoreUser) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .build(); AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_USER, ignoreUserObj), null, cs); TestAuditlogImpl.clear(); @@ -83,8 +83,8 @@ public void testConfiguredIgnoreUser() { @Test public void testNonConfiguredIgnoreUser() { Settings settings = Settings.builder() - .put("opendistro_security.audit.ignore_users", nonIgnoreUser) - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.ignore_users", nonIgnoreUser) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") .build(); @@ -97,7 +97,7 @@ public void testNonConfiguredIgnoreUser() { @Test public void testNonExistingIgnoreUser() { Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") .build(); 
@@ -121,9 +121,9 @@ public void testWildcards() { //sr.source("{\"query\": false}"); Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) - .putList("opendistro_security.audit.ignore_users", "*") + .putList("plugins.security.audit.ignore_users", "*") .build(); TransportAddress ta = new TransportAddress(new InetSocketAddress("8.8.8.8",80)); @@ -137,10 +137,10 @@ ConfigConstants.SECURITY_USER, new User("John Doe"), Assert.assertEquals(0, TestAuditlogImpl.messages.size()); settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .putList("opendistro_security.audit.ignore_users", "xxx") + .putList("plugins.security.audit.ignore_users", "xxx") .build(); al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_REMOTE_ADDRESS, ta, ConfigConstants.SECURITY_USER, new User("John Doe"), 
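Review bot: The first arrangement in testWildcards proves that `ignore_users` set to `*` suppresses every audit event, including the authenticated request from `John Doe`, yet nothing in the test says that this silence is the behaviour under test rather than an accident of the fixture. A comment above the builder such as `// a bare wildcard silences the whole audit trail; the zero-message assertion below pins that so a change in matching semantics is caught` would document it, and it is worth stating because an operator copying this configuration gets an empty audit log. The method continues past the hunk.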
@@ -151,10 +151,10 @@ ConfigConstants.SECURITY_USER, new User("John Doe"), Assert.assertEquals(1, TestAuditlogImpl.messages.size()); settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .putList("opendistro_security.audit.ignore_users", "John Doe","Capatin Kirk") + .putList("plugins.security.audit.ignore_users", "John Doe","Capatin Kirk") .build(); al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_REMOTE_ADDRESS, ta, ConfigConstants.SECURITY_USER, new User("John Doe"), @@ -167,10 +167,10 @@ ConfigConstants.SECURITY_USER, new User("John Doe"), Assert.assertEquals(TestAuditlogImpl.messages.toString(), 0, TestAuditlogImpl.messages.size()); settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .putList("opendistro_security.audit.ignore_users", "Wil Riker","Capatin Kirk") + .putList("plugins.security.audit.ignore_users", "Wil Riker","Capatin Kirk") .build(); al = AuditTestUtils.createAuditLog(settings, null, null, newThreadPool(ConfigConstants.SECURITY_REMOTE_ADDRESS, ta, ConfigConstants.SECURITY_USER, new User("John Doe"), diff --git a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java index 09a15cd246..e432d5d29c 100644 --- a/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java 
+++ b/src/test/java/org/opensearch/security/auditlog/integration/BasicAuditlogTest.java @@ -51,7 +51,7 @@ public class BasicAuditlogTest extends AbstractAuditlogiUnitTest { @Test public void testAuditLogEnable() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .build(); setup(additionalSettings); @@ -79,7 +79,7 @@ public void testAuditLogEnable() throws Exception { public void testSimpleAuthenticated() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "authenticated") 
@@ -109,10 +109,10 @@ public void testSSLPlainText() throws Exception { //needs proper ssl plugin version Settings additionalSettings = Settings.builder() - .put("opendistro_security.ssl.http.enabled",true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") .build(); @@ -140,7 +140,7 @@ public void testSSLPlainText() throws Exception { public void testSimpleTransportAuthenticated() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) 
@@ -182,7 +182,7 @@ public void testSimpleTransportAuthenticated() throws Exception { public void testTaskId() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") .build(); @@ -222,7 +222,7 @@ public void testTaskId() throws Exception { public void testDefaultsRest() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") .build(); @@ -250,7 +250,7 @@ public void testDefaultsRest() throws Exception { @Test public void testGrantedPrivilegesRest() throws Exception { final Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, "opendistro_security_all_access") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) 
@@ -265,7 +265,7 @@ public void testGrantedPrivilegesRest() throws Exception { @Test public void testMissingPrivilegesRest() throws Exception { final Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .build(); @@ -290,7 +290,7 @@ private void testPrivilegeRest(final int expectedStatus, final String endpoint, public void testAuthenticated() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") @@ -318,7 +318,7 @@ public void testAuthenticated() throws Exception { public void testNonAuthenticated() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .build(); setup(additionalSettings); 
@@ -544,13 +544,13 @@ public void testUpdateSettings() throws Exception { public void testIndexPattern() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", "internal_opensearch") + .put("plugins.security.audit.type", "internal_opensearch") .put(ConfigConstants.SECURITY_AUDIT_LOG_REQUEST_BODY, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_INDICES, false) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") - .put("opendistro_security.audit.threadpool.size", 10) //must be greater 0 - .put("opendistro_security.audit.config.index", "'auditlog-'YYYY.MM.dd.ss") + .put("plugins.security.audit.threadpool.size", 10) //must be greater 0 + .put("plugins.security.audit.config.index", "'auditlog-'YYYY.MM.dd.ss") .build(); setup(additionalSettings); @@ -571,7 +571,7 @@ public void testIndexPattern() throws Exception { public void testAliases() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") @@ -615,7 +615,7 @@ public void testAliases() throws Exception { public void testScroll() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") 
@@ -655,7 +655,7 @@ public void testScroll() throws Exception { public void testAliasResolution() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false) @@ -688,7 +688,7 @@ public void testAliasResolution() throws Exception { public void testAliasBadHeaders() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "NONE") @@ -713,7 +713,7 @@ public void testAliasBadHeaders() throws Exception { public void testIndexCloseDelete() throws Exception { Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) 
@@ -745,7 +745,7 @@ public void testIndexCloseDelete() throws Exception { public void testDeleteByQuery() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) @@ -773,7 +773,7 @@ public void testDeleteByQuery() throws Exception { @Test public void testIndexRequests() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, "AUTHENTICATED,GRANTED_PRIVILEGES") @@ -816,7 +816,7 @@ public void testIndexRequests() throws Exception { @Test public void testRestMethod() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "NONE") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) 
@@ -888,7 +888,7 @@ public void testRestMethod() throws Exception { @Test public void testSensitiveMethodRedaction() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName()) + .put("plugins.security.audit.type", TestAuditlogImpl.class.getName()) .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, true) .put(ConfigConstants.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, "AUTHENTICATED") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false) diff --git a/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java index 110fd79a24..500cefd62e 100644 --- a/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/integration/SSLAuditlogTest.java @@ -64,8 +64,8 @@ public void testExternalPemUserPass() throws Exception { setupMonitoring(); Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", "external_opensearch") - .put("opendistro_security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) + .put("plugins.security.audit.type", "external_opensearch") + .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) 
@@ -103,8 +103,8 @@ public void testExternalPemClientAuth() throws Exception { setupMonitoring(); Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", "external_opensearch") - .put("opendistro_security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) + .put("plugins.security.audit.type", "external_opensearch") + .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) @@ -137,8 +137,8 @@ public void testExternalPemUserPassTp() throws Exception { setupMonitoring(); Settings additionalSettings = Settings.builder() - .put("opendistro_security.audit.type", "external_opensearch") - .put("opendistro_security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) + .put("plugins.security.audit.type", "external_opensearch") + .put("plugins.security.audit.config.http_endpoints", monitoringClusterInfo.httpHost+":"+monitoringClusterInfo.httpPort) .putList(ConfigConstants.SECURITY_AUDIT_IGNORE_USERS, "*spock*","admin", "CN=kirk,OU=client,O=client,L=Test,C=DE") .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, true) .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, true) diff --git a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java index 23628b9480..1cf52c1075 100644 --- a/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java +++ b/src/test/java/org/opensearch/security/auditlog/sink/SinkProviderTLSTest.java 
@@ -67,9 +67,9 @@ public void testTlsConfigurationNoFallback() throws Exception { builder.put("path.home", "/"); // replace some values with absolute paths for unit tests - builder.put("opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")); - builder.put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")); - builder.put("opendistro_security.audit.endpoints.endpoint2.config.webhook.ssl.pemtrustedcas_content", FileHelper.loadFile("auditlog/root-ca.pem")); + builder.put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")); + builder.put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")); + builder.put("plugins.security.audit.endpoints.endpoint2.config.webhook.ssl.pemtrustedcas_content", FileHelper.loadFile("auditlog/root-ca.pem")); SinkProvider provider = new SinkProvider(builder.build(), null, null, null); WebhookSink defaultSink = (WebhookSink) provider.defaultSink; diff --git a/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java b/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java index 35cd4bc30d..0976714b32 100644 --- a/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/sink/WebhookAuditLogTest.java 
@@ -67,7 +67,7 @@ public void invalidConfFallbackTest() throws Exception {
 // provide no settings, fallback must be used
 Settings settings = Settings.builder()
 .put("path.home", ".")
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
 .build();
 LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null);
@@ -89,11 +89,11 @@ public void formatsTest() throws Exception {
 // provide no format, defaults to TEXT
 Settings settings = Settings.builder()
- .put("opendistro_security.audit.config.webhook.url", url)
+ .put("plugins.security.audit.config.webhook.url", url)
 .put("path.home", ".")
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
 .build();
 MockWebhookAuditLog auditlog = new MockWebhookAuditLog(settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null);
@@ -104,9 +104,9 @@ public void formatsTest() throws Exception {
 // provide faulty format, defaults to TEXT
 settings = Settings.builder()
- .put("opendistro_security.audit.config.webhook.url", url)
- .put("opendistro_security.audit.config.webhook.format", "idonotexist")
- .put("opendistro_security.ssl.transport.truststore_filepath",
+ .put("plugins.security.audit.config.webhook.url", url)
+ .put("plugins.security.audit.config.webhook.format", "idonotexist")
+ .put("plugins.security.ssl.transport.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
 .put("path.home", ".")
 .build();
@@ -119,9 +119,9 @@ public void formatsTest() throws Exception { // TEXT settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "text") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "text") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); @@ -135,9 +135,9 @@ public void formatsTest() throws Exception { // JSON settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "json") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "json") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); @@ -152,9 +152,9 @@ public void formatsTest() throws Exception { // SLACK settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "slack") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); 
@@ -175,9 +175,9 @@ public void invalidUrlTest() throws Exception { String url = "faultyurl"; final Settings settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "slack") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); @@ -198,9 +198,9 @@ public void noServerRunningHttpTest() throws Exception { String url = "http://localhost:8080/endpoint"; Settings settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "slack") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); @@ -233,10 +233,10 @@ public void postGetHttpTest() throws Exception { // SLACK Settings settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "slack") + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") .put("path.home", ".") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); 
@@ -254,9 +254,9 @@ public void postGetHttpTest() throws Exception { // TEXT settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "texT") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "texT") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); @@ -272,9 +272,9 @@ public void postGetHttpTest() throws Exception { // JSON settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "JSon") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "JSon") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); @@ -289,10 +289,10 @@ public void postGetHttpTest() throws Exception { // URL POST settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "URL_PARAMETER_POST") + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "URL_PARAMETER_POST") .put("path.home", ".") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); 
@@ -306,10 +306,10 @@ public void postGetHttpTest() throws Exception { // URL GET settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "URL_PARAMETER_GET") + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "URL_PARAMETER_GET") .put("path.home", ".") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); @@ -337,10 +337,10 @@ public void httpsTestWithoutTLSServer() throws Exception { String url = "https://localhost:8081/endpoint"; Settings settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "slack") + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") .put("path.home", ".") - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); @@ -377,10 +377,10 @@ public void httpsTest() throws Exception { // try with ssl verification on, no trust ca, must fail Settings settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "slack") + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "slack") .put("path.home", ".") - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.ssl.verify", true) .build(); LoggingSink fallback = new LoggingSink("test", Settings.EMPTY, null, null); 
@@ -396,9 +396,9 @@ public void httpsTest() throws Exception { // disable ssl verification, no ca, call must succeed handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.audit.config.webhook.ssl.verify", false) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.audit.config.webhook.ssl.verify", false) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); @@ -411,10 +411,10 @@ public void httpsTest() throws Exception { // enable ssl verification, provide correct trust ca, call must succeed handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); 
@@ -427,10 +427,10 @@ public void httpsTest() throws Exception { // enable ssl verification, provide wrong trust ca, call must succeed handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")) - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")) + .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); @@ -463,10 +463,10 @@ public void httpsTestPemDefault() throws Exception { // test default with filepath handler.reset(); Settings settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")) - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")) + .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); AuditLogSink auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); 
@@ -479,10 +479,10 @@ public void httpsTestPemDefault() throws Exception { // test default with missing filepath and fallback to correct Security settings handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); 
@@ -495,11 +495,11 @@ public void httpsTestPemDefault() throws Exception { // test default with wrong filepath and fallback to wrong Security settings handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")) - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")) + .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); 
@@ -511,10 +511,10 @@ public void httpsTestPemDefault() throws Exception { // test default with wrong/no filepath and no fallback to Security settings, must fail handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", "wrong") + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); @@ -526,10 +526,10 @@ public void httpsTestPemDefault() throws Exception { // test default with existing but wrong PEM, no fallback handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) + .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); 
@@ -541,11 +541,11 @@ public void httpsTestPemDefault() throws Exception { // test default with existing but wrong PEM, fallback present but pemtrustedcas_filepath takes precedence and must fail handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.config.webhook.url", url) - .put("opendistro_security.audit.config.webhook.format", "jSoN") - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) - .put("opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) - .put("opendistro_security.audit.config.webhook.ssl.verify", true) + .put("plugins.security.audit.config.webhook.url", url) + .put("plugins.security.audit.config.webhook.format", "jSoN") + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .put("plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) + .put("plugins.security.audit.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); auditlog = new WebhookSink("name", settings, ConfigConstants.SECURITY_AUDIT_CONFIG_DEFAULT, null, fallback); 
@@ -577,13 +577,13 @@ public void httpsTestPemEndpoint() throws Exception { // test default with filepath handler.reset(); Settings settings = Settings.builder() - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/root-ca.pem")) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - AuditLogSink auditlog = new WebhookSink("name", settings, "opendistro_security.audit.endpoints.endpoint1.config", null, fallback); + AuditLogSink auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); 
@@ -593,13 +593,13 @@ public void httpsTestPemEndpoint() throws Exception { // test default with missing filepath and fallback to correct Security settings handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, "opendistro_security.audit.endpoints.endpoint1.config", null, fallback); + auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); 
@@ -609,13 +609,13 @@ public void httpsTestPemEndpoint() throws Exception { // test default with wrong filepath and fallback to wrong Security settings handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore_fail.jks")) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, "opendistro_security.audit.endpoints.endpoint1.config", null, fallback); + auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); 
@@ -624,12 +624,12 @@ public void httpsTestPemEndpoint() throws Exception { // test default with wrong/no filepath and no fallback to Security settings, must fail handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, "opendistro_security.audit.endpoints.endpoint1.config", null, fallback); + auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); 
@@ -638,13 +638,13 @@ public void httpsTestPemEndpoint() throws Exception { // test default with existing but wrong PEM, no fallback handler.reset(); settings = Settings.builder() - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/spock.crt.pem")) .put("path.home", ".") .build(); - auditlog = new WebhookSink("name", settings, "opendistro_security.audit.endpoints.endpoint1.config", null, fallback); + auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); Assert.assertNull(handler.method); Assert.assertNull(handler.body); 
@@ -674,14 +674,14 @@ public void httpsTestPemContentEndpoint() throws Exception { // test with filecontent handler.reset(); Settings settings = Settings.builder() - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.url", url) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_content", FileHelper.loadFile("auditlog/root-ca.pem")) - .put("opendistro_security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.url", url) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.format", "jSoN") + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.pemtrustedcas_content", FileHelper.loadFile("auditlog/root-ca.pem")) + .put("plugins.security.audit.endpoints.endpoint1.config.webhook.ssl.verify", true) .put("path.home", ".") .build(); - AuditLogSink auditlog = new WebhookSink("name", settings, "opendistro_security.audit.endpoints.endpoint1.config", null, fallback); + AuditLogSink auditlog = new WebhookSink("name", settings, "plugins.security.audit.endpoints.endpoint1.config", null, fallback); auditlog.store(msg); Assert.assertTrue(handler.method.equals("POST")); Assert.assertTrue(handler.body != null); diff --git a/src/test/java/org/opensearch/security/cache/CachingTest.java b/src/test/java/org/opensearch/security/cache/CachingTest.java index b870919aa3..4461866a50 100644 --- a/src/test/java/org/opensearch/security/cache/CachingTest.java +++ b/src/test/java/org/opensearch/security/cache/CachingTest.java 
@@ -64,7 +64,7 @@ public void testRestCaching() throws Exception {
 @Test
 public void testRestNoCaching() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.cache.ttl_minutes", 0).build();
+ final Settings settings = Settings.builder().put("plugins.security.cache.ttl_minutes", 0).build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings);
 final RestHelper rh = nonSslRestHelper();
 HttpResponse res = rh.executeGetRequest("_opendistro/_security/authinfo?pretty");
@@ -85,7 +85,7 @@ public void testRestNoCaching() throws Exception {
 @Test
 public void testRestCachingWithImpersonation() throws Exception {
- final Settings settings = Settings.builder().putList("opendistro_security.authcz.rest_impersonation_user.dummy", "*").build();
+ final Settings settings = Settings.builder().putList("plugins.security.authcz.rest_impersonation_user.dummy", "*").build();
 setup(Settings.EMPTY, new DynamicSecurityConfig(), settings);
 final RestHelper rh = nonSslRestHelper();
 HttpResponse res = rh.executeGetRequest("_opendistro/_security/authinfo?pretty", new BasicHeader("opendistro_security_impersonate_as", "impuser"));
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
index 4d0882231d..0267115650 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/AbstractRestApiUnitTest.java
@@ -53,10 +53,10 @@ protected String getResourceFolder() {
 protected final void setup() throws Exception {
 Settings.Builder builder = Settings.builder();
- builder.put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.keystore_filepath",
+ builder.put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath",
+ .put("plugins.security.ssl.http.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks"));
 setup(Settings.EMPTY, new DynamicSecurityConfig(), builder.build(), init);
@@ -68,10 +68,10 @@ protected final void setup() throws Exception {
 protected final void setup(Settings nodeOverride) throws Exception {
 Settings.Builder builder = Settings.builder();
- builder.put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.keystore_filepath",
+ builder.put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath",
+ .put("plugins.security.ssl.http.truststore_filepath",
 FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks"))
 .put(nodeOverride);
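Review bot: The three-key REST TLS block (`plugins.security.ssl.http.enabled` plus the keystore and truststore paths) is now written out four times in AbstractRestApiUnitTest — in `setup()` and `setup(Settings)` here, and in `setupWithRestRoles(Settings)` and `defaultNodeSettings(boolean)` in the following hunks — and this rename had to touch every copy. `defaultNodeSettings(true)` already yields exactly these settings, so the other three could start from it, e.g. for `setup(Settings nodeOverride)`: `Settings.Builder builder = Settings.builder().put(defaultNodeSettings(true)).put(nodeOverride);`, leaving one place where the test keystore and truststore are named. That holds as long as no subclass overrides `defaultNodeSettings` to return something else, which cannot be seen from here. The method bodies continue outside the hunk.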
@@ -89,24 +89,24 @@ protected final void setupWithRestRoles() throws Exception { protected final void setupWithRestRoles(Settings nodeOverride) throws Exception { Settings.Builder builder = Settings.builder(); - builder.put("opendistro_security.ssl.http.enabled", true) - .put("opendistro_security.ssl.http.keystore_filepath", + builder.put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")); - builder.put("opendistro_security.restapi.roles_enabled.0", "opendistro_security_role_klingons"); - builder.put("opendistro_security.restapi.roles_enabled.1", "opendistro_security_role_vulcans"); - builder.put("opendistro_security.restapi.roles_enabled.2", "opendistro_security_test"); + builder.put("plugins.security.restapi.roles_enabled.0", "opendistro_security_role_klingons"); + builder.put("plugins.security.restapi.roles_enabled.1", "opendistro_security_role_vulcans"); + builder.put("plugins.security.restapi.roles_enabled.2", "opendistro_security_test"); - builder.put("opendistro_security.restapi.endpoints_disabled.global.CACHE.0", "*"); + builder.put("plugins.security.restapi.endpoints_disabled.global.CACHE.0", "*"); - builder.put("opendistro_security.restapi.endpoints_disabled.opendistro_security_role_klingons.conFiGuration.0", "*"); - builder.put("opendistro_security.restapi.endpoints_disabled.opendistro_security_role_klingons.wRongType.0", "WRONGType"); - builder.put("opendistro_security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.0", "PUT"); - builder.put("opendistro_security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.1", "DELETE"); + 
builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.conFiGuration.0", "*"); + builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.wRongType.0", "WRONGType"); + builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.0", "PUT"); + builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_klingons.ROLESMAPPING.1", "DELETE"); - builder.put("opendistro_security.restapi.endpoints_disabled.opendistro_security_role_vulcans.CONFIG.0", "*"); + builder.put("plugins.security.restapi.endpoints_disabled.opendistro_security_role_vulcans.CONFIG.0", "*"); if (null != nodeOverride) { builder.put(nodeOverride); @@ -248,10 +248,10 @@ protected Settings defaultNodeSettings(boolean enableRestSSL) { Settings.Builder builder = Settings.builder(); if (enableRestSSL) { - builder.put("opendistro_security.ssl.http.enabled", true) - .put("opendistro_security.ssl.http.keystore_filepath", + builder.put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("restapi/truststore.jks")); } return builder.build(); diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/MigrationTests.java b/src/test/java/org/opensearch/security/dlic/rest/api/MigrationTests.java index e4f3a47170..8b38a21234 100644 --- a/src/test/java/org/opensearch/security/dlic/rest/api/MigrationTests.java +++ b/src/test/java/org/opensearch/security/dlic/rest/api/MigrationTests.java 
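Review bot: The same three-line HTTPS keystore/truststore block is repeated in `setup()`, `setup(Settings)`, `setupWithRestRoles(Settings)` and `defaultNodeSettings(boolean)` across this file's hunks, which is exactly why the rename had to touch all four. `defaultNodeSettings(true)` already builds that block, and `Settings.Builder.put(Settings)` is already used for `.put(nodeOverride)` in `setup(Settings nodeOverride)`, so the other three could start from `Settings.Builder builder = Settings.builder().put(defaultNodeSettings(true));` and drop their own copies, leaving the key strings in one place for the next rename. `setupWithRestRoles` continues past the end of its hunk, and `defaultNodeSettings` closes just after its hunk's `return builder.build();`.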
@@ -36,9 +36,9 @@ public void testSecurityMigrate() throws Exception { final Settings settings = Settings.builder() .put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put("opendistro_security.ssl.http.enabled",true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks")) + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks")) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setLegacy(), settings, true); final RestHelper rh = restHelper(); //ssl resthelper 
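Review bot: The added lines still spell the renamed keys as string literals directly under `.put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")`, which reaches the same key family through a constant; using the constants for the rest of the chain too (e.g. `.put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)`, and the matching keystore/truststore filepath constants if `SSLConfigConstants` defines them) would have made this prefix migration a no-op in the tests and gives the compiler, rather than a runtime string comparison, the job of catching a typo in the prefix. The same mixed style recurs in the remaining MigrationTests hunks and in the HttpClientTest, OpenSSLTest and SSLTest hunks further down; raising it once here.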
@@ -65,9 +65,9 @@ public void testSecurityMigrate() throws Exception {
 @Test
 public void testSecurityMigrateInvalid() throws Exception {
 final Settings settings = Settings.builder().put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
 .put(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_users2.yml").setLegacy(), settings, true);
@@ -94,9 +94,9 @@ public void testSecurityMigrateInvalid() throws Exception { @Test public void testSecurityValidate() throws Exception { final Settings settings = Settings.builder().put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE") - .put("opendistro_security.ssl.http.enabled", true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks")).build(); + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks")).build(); setup(Settings.EMPTY, new DynamicSecurityConfig().setLegacy(), settings, true); final RestHelper rh = restHelper(); //ssl resthelper 
@@ -114,9 +114,9 @@ public void testSecurityValidate() throws Exception {
 @Test
 public void testSecurityValidateWithInvalidConfig() throws Exception {
 final Settings settings = Settings.builder().put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
 .put(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_users2.yml").setLegacy(), settings, true);
@@ -140,9 +140,9 @@ public void testSecurityValidateWithInvalidConfig() throws Exception {
 @Test
 public void testSecurityMigrateWithEmptyPassword() throws Exception{
 final Settings settings = Settings.builder().put(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, "REQUIRE")
- .put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("migration/truststore.jks"))
 .put(ConfigConstants.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, true)
 .build();
 setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityInternalUsers("internal_users2.yml").setLegacy(), settings, true);
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
index 159e725f47..368a2f6280 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/NodesDnApiTest.java
@@ -160,7 +160,7 @@ public void testNodesDnApi() throws Exception {
 public void testNodesDnApiAuditComplianceLogging() throws Exception {
 Settings settings = Settings.builder().put(ConfigConstants.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, true)
 .putList(ConfigConstants.SECURITY_NODES_DN, "CN=example.com")
- .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
+ .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
 .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
 .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
 .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
diff --git a/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java b/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java
index b5ac4bf9da..c99ffe44de 100644
--- a/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java
+++ b/src/test/java/org/opensearch/security/dlic/rest/api/WhitelistApiTest.java
@@ -180,7 +180,7 @@ public void testWhitelistApi() throws Exception {
 @Test
 public void testWhitelistAuditComplianceLogging() throws Exception {
 Settings settings = Settings.builder()
- .put("opendistro_security.audit.type", TestAuditlogImpl.class.getName())
+ .put("plugins.security.audit.type", TestAuditlogImpl.class.getName())
 .put(ConfigConstants.SECURITY_AUDIT_ENABLE_TRANSPORT, false)
 .put(ConfigConstants.SECURITY_AUDIT_ENABLE_REST, false)
 .put(ConfigConstants.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false)
diff --git a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
index 96595580cc..a7bef1526b 100644
--- a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
+++ b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
@@ -35,7 +35,7 @@ protected String getResourceFolder() { public void testPlainConnection() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.ssl.http.enabled", false) + .put("plugins.security.ssl.http.enabled", false) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); @@ -77,11 +77,11 @@ public void testPlainConnection() throws Exception { public void testSslConnection() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.enabled", true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false) .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); 
@@ -109,12 +109,12 @@ public void testSslConnection() throws Exception { public void testSslConnectionPKIAuth() throws Exception { final Settings settings = Settings.builder() - .put("opendistro_security.ssl.http.enabled", true) - .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false) .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks")) .build(); setup(Settings.EMPTY, new DynamicSecurityConfig(), settings); diff --git a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java index 1e9c1bff38..c86facc34a 100644 --- a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java +++ b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java 
@@ -201,15 +201,15 @@ public void testNodeClientSSLwithOpenSslTLSv13() throws Exception { Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L); - final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) - .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) - .put("opendistro_security.ssl.transport.resolve_hostname", false) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) + .put("plugins.security.ssl.transport.enforce_hostname_verification", false) + .put("plugins.security.ssl.transport.resolve_hostname", false) .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3") .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_CHACHA20_POLY1305_SHA256") .put("node.max_local_storage_nodes",4) diff --git a/src/test/java/org/opensearch/security/ssl/SSLTest.java b/src/test/java/org/opensearch/security/ssl/SSLTest.java index 17ce0325cc..8d0d317214 100644 --- a/src/test/java/org/opensearch/security/ssl/SSLTest.java 
+++ b/src/test/java/org/opensearch/security/ssl/SSLTest.java @@ -78,18 +78,18 @@ public class SSLTest extends SingleClusterTest { @Test public void testHttps() throws Exception { - final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false) .put(ConfigConstants.SECURITY_SSL_ONLY, true) - .put("opendistro_security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.enabled", true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") + .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .build(); setupSslOnlyMode(settings); 
@@ -119,18 +119,18 @@ public void testCipherAndProtocols() throws Exception { System.out.println("Disabled algos: "+Security.getProperty("jdk.tls.disabledAlgorithms")); System.out.println("allowOpenSSL: "+allowOpenSSL); - Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) + Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false) .put(ConfigConstants.SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) + .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") + .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) //WEAK and insecure cipher, do NOT use this, its here for unittesting only!!! - .put("opendistro_security.ssl.http.enabled_ciphers","SSL_RSA_EXPORT_WITH_RC4_40_MD5") + .put("plugins.security.ssl.http.enabled_ciphers","SSL_RSA_EXPORT_WITH_RC4_40_MD5") //WEAK and insecure protocol, do NOT use this, its here for unittesting only!!! 
- .put("opendistro_security.ssl.http.enabled_protocols","SSLv3") + .put("plugins.security.ssl.http.enabled_protocols","SSLv3") .put("client.type","node") .put("path.home",".") .build(); @@ -151,16 +151,16 @@ public void testCipherAndProtocols() throws Exception { Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); } - settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) + settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) //WEAK and insecure cipher, do NOT use this, its here for unittesting only!!! - .put("opendistro_security.ssl.transport.enabled_ciphers","SSL_RSA_EXPORT_WITH_RC4_40_MD5") + .put("plugins.security.ssl.transport.enabled_ciphers","SSL_RSA_EXPORT_WITH_RC4_40_MD5") //WEAK and insecure protocol, do NOT use this, its here for unittesting only!!! - .put("opendistro_security.ssl.transport.enabled_protocols","SSLv3") + .put("plugins.security.ssl.transport.enabled_protocols","SSLv3") .put("client.type","node") .put("path.home",".") .build(); 
@@ -208,13 +208,13 @@ public void testCipherAndProtocols() throws Exception { @Test public void testHttpsOptionalAuth() throws Exception { - final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false) .put(ConfigConstants.SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); + .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); setupSslOnlyMode(settings); 
@@ -233,20 +233,20 @@ public void testHttpsOptionalAuth() throws Exception { @Test public void testHttpsAndNodeSSL() throws Exception { - final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) - .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) - .put("opendistro_security.ssl.transport.resolve_hostname", false) - - .put("opendistro_security.ssl.http.enabled", true).put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. 
getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) + .put("plugins.security.ssl.transport.enforce_hostname_verification", false) + .put("plugins.security.ssl.transport.resolve_hostname", false) + + .put("plugins.security.ssl.http.enabled", true).put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") + .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) .build(); @@ -272,7 +272,7 @@ public void testHttpsAndNodeSSL() throws Exception { @Test public void testHttpsAndNodeSSLPem() throws Exception { - final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) 
@@ -280,11 +280,11 @@ public void testHttpsAndNodeSSLPem() throws Exception { .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) //.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) - .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) - .put("opendistro_security.ssl.transport.resolve_hostname", false) + .put("plugins.security.ssl.transport.enforce_hostname_verification", false) + .put("plugins.security.ssl.transport.resolve_hostname", false) - .put("opendistro_security.ssl.http.enabled", true) - .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) //.put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit") @@ -309,7 +309,7 @@ public void testHttpsAndNodeSSLPem() throws Exception { @Test public void testHttpsAndNodeSSLPemEnc() throws Exception { - final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) 
@@ -317,11 +317,11 @@ public void testHttpsAndNodeSSLPemEnc() throws Exception { .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) - .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) - .put("opendistro_security.ssl.transport.resolve_hostname", false) + .put("plugins.security.ssl.transport.enforce_hostname_verification", false) + .put("plugins.security.ssl.transport.resolve_hostname", false) - .put("opendistro_security.ssl.http.enabled", true) - .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.crt.pem")) .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key")) .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit") 
@@ -347,22 +347,22 @@ public void testHttpsAndNodeSSLPemEnc() throws Exception { @Test public void testHttpsAndNodeSSLFailedCipher() throws Exception { - final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true) + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") - .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) - .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) - .put("opendistro_security.ssl.transport.resolve_hostname", false) - - .put("opendistro_security.ssl.http.enabled", true).put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE") - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. 
getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) + .put("plugins.security.ssl.transport.enforce_hostname_verification", false) + .put("plugins.security.ssl.transport.resolve_hostname", false) + + .put("plugins.security.ssl.http.enabled", true).put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") + .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) - .put("opendistro_security.ssl.transport.enabled_ciphers","INVALID_CIPHER") + .put("plugins.security.ssl.transport.enabled_ciphers","INVALID_CIPHER") .build(); 
@@ -381,14 +381,14 @@ public void testHttpsAndNodeSSLFailedCipher() throws Exception { public void testHttpPlainFail() throws Exception { thrown.expect(NoHttpResponseException.class); - final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false) + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true) - .put("opendistro_security.ssl.http.clientauth_mode", "OPTIONAL") - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); + .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.clientauth_mode", "OPTIONAL") + .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); setupSslOnlyMode(settings); 
@@ -406,14 +406,14 @@ public void testHttpPlainFail() throws Exception {
 @Test
 public void testHttpsNoEnforce() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.clientauth_mode", "NONE")
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build();
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.clientauth_mode", "NONE")
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build();
 setupSslOnlyMode(settings);
@@ -430,14 +430,14 @@ public void testHttpsNoEnforce() throws Exception {
 @Test
 public void testHttpsEnforceFail() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build();
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build();
 setupSslOnlyMode(settings);
@@ -462,14 +462,14 @@ public void testHttpsEnforceFail() throws Exception {
 public void testHttpsV3Fail() throws Exception {
 thrown.expect(SSLHandshakeException.class);
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.clientauth_mode", "NONE")
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build();
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.clientauth_mode", "NONE")
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build();
 setupSslOnlyMode(settings);
@@ -487,15 +487,15 @@ public void testHttpsV3Fail() throws Exception {
 @Test
 public void testTransportClientSSL() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false).build();
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false).build();
 setupSslOnlyMode(settings);
@@ -524,15 +524,15 @@ public void testTransportClientSSL() throws Exception {
 @Test
 public void testTransportClientSSLExternalContext() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false).build();
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false).build();
 setupSslOnlyMode(settings);
@@ -541,7 +541,7 @@ public void testTransportClientSSLExternalContext() throws Exception {
 final Settings tcSettings = Settings.builder()
 .put("cluster.name", clusterInfo.clustername)
 .put("path.home", ".")
- .put("opendistro_security.ssl.client.external_context_id", "abcx")
+ .put("plugins.security.ssl.client.external_context_id", "abcx")
 .build();
 final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory
@@ -591,15 +591,15 @@ public void testTransportClientSSLExternalContext() throws Exception {
 @Test
 public void testNodeClientSSL() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
 .build();
 setupSslOnlyMode(settings);
@@ -636,24 +636,24 @@ public void testNodeClientSSL() throws Exception {
 public void testTransportClientSSLFail() throws Exception {
 thrown.expect(IllegalStateException.class);
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false).build();
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false).build();
 setupSslOnlyMode(settings);
 final Settings tcSettings = Settings.builder().put("cluster.name", clusterInfo.clustername)
 .put("path.home", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks").getParent())
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore_fail.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false).build();
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore_fail.jks"))
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false).build();
 try (TransportClient tc = new TransportClientImpl(tcSettings, asCollection(OpenSearchSecurityPlugin.class))) {
 tc.addTransportAddress(new TransportAddress(new InetSocketAddress(clusterInfo.nodeHost, clusterInfo.nodePort)));
@@ -694,20 +694,20 @@ public void testUnmodifieableCipherProtocolConfig() throws Exception {
 @Test
 public void testCustomPrincipalExtractor() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
- .put("opendistro_security.ssl.transport.principal_extractor_class", "org.opensearch.security.ssl.TestPrincipalExtractor")
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.principal_extractor_class", "org.opensearch.security.ssl.TestPrincipalExtractor")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build();
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build();
 setupSslOnlyMode(settings);
@@ -748,7 +748,7 @@ public void testCustomPrincipalExtractor() throws Exception {
 @Test
 public void testCRLPem() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
@@ -756,11 +756,11 @@ public void testCRLPem() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
 //.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit")
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
- .put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
 //.put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, "changeit")
@@ -782,14 +782,14 @@ public void testCRLPem() throws Exception {
 @Test
 public void testCRL() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", false)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("opendistro_security.ssl.http.enabled", true)
+ .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, FileHelper. getAbsoluteFilePathFromClassPath("ssl/crl/revoked.crl"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, CertificateValidatorTest.CRL_DATE.getTime())
@@ -812,15 +812,15 @@ public void testNodeClientSSLwithJavaTLSv13() throws Exception {
 //Java TLS 1.3 is available since Java 11
 Assume.assumeTrue(!allowOpenSSL && PlatformDependent.javaVersion() >= 11);
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
 .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
 .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_AES_128_GCM_SHA256")
 .build();
@@ -856,17 +856,17 @@ public void testNodeClientSSLwithJavaTLSv13() throws Exception {
 @Test
 public void testTLSv1() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, true)
 .build();
@@ -884,21 +884,21 @@ public void testTLSv1() throws Exception {
 @Test
 public void testHttpsAndNodeSSLKeyPass() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, "changeit")
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
- .put("opendistro_security.ssl.http.enabled", true).put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.http.enabled", true).put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "changeit")
@@ -926,7 +926,7 @@ public void testHttpsAndNodeSSLKeyPass() throws Exception {
 @Test
 public void testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
@@ -937,17 +937,17 @@ public void testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, "root-ca")
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, "root-ca")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/truststore.jks"))
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/truststore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, "changeit")
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "changeit")
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.http.enabled", true).put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.http.enabled", true).put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "changeit")
@@ -975,21 +975,21 @@ public void testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled() throws Exception {
 @Test(expected=IllegalStateException.class)
 public void testHttpsAndNodeSSLKeyPassFail() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
- .put("opendistro_security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.transport.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, "wrongpass")
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
- .put("opendistro_security.ssl.http.enabled", true).put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
- .put("opendistro_security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
- .put("opendistro_security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
+ .put("plugins.security.ssl.http.enabled", true).put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
+ .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
+ .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, "wrongpass")
@@ -1009,7 +1009,7 @@ public void testHttpsAndNodeSSLKeyPassFail() throws Exception {
 @Test
 public void testHttpsAndNodeSSLPemExtendedUsageEnabled() throws Exception {
- final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
@@ -1020,11 +1020,11 @@ public void testHttpsAndNodeSSLPemExtendedUsageEnabled() throws Exception {
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-server.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-key-server.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/root-ca.pem"))
- .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
- .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
+ .put("plugins.security.ssl.transport.resolve_hostname", false)
- .put("opendistro_security.ssl.http.enabled", true)
- .put("opendistro_security.ssl.http.clientauth_mode", "REQUIRE")
+ .put("plugins.security.ssl.http.enabled", true)
+ .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
diff --git a/src/test/java/org/opensearch/security/system_indices/SystemIndicesTests.java b/src/test/java/org/opensearch/security/system_indices/SystemIndicesTests.java
index 14779b9278..128cfb2fbd 100644
--- a/src/test/java/org/opensearch/security/system_indices/SystemIndicesTests.java
+++ b/src/test/java/org/opensearch/security/system_indices/SystemIndicesTests.java
@@ -47,8 +47,8 @@ /** * Test for opendistro system indices, to restrict configured indices access to adminDn - * Refer: "opendistro_security.system_indices.enabled" - * "opendistro_security.system_indices.indices"; + * Refer: "plugins.security.system_indices.enabled" + * "plugins.security.system_indices.indices"; */ public class SystemIndicesTests extends SingleClusterTest { @@ -63,9 +63,9 @@ private void setupSystemIndicesDisabledWithSsl() throws Exception { Settings systemIndexSettings = Settings.builder() .put(ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY, false) .putList(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY, listOfIndexesToTest) - .put("opendistro_security.ssl.http.enabled",true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) .put("path.repo", repositoryPath.getRoot().getAbsolutePath()) .build(); setup(Settings.EMPTY, 
@@ -83,9 +83,9 @@ private void setupSystemIndicesEnabledWithSsl() throws Exception { Settings systemIndexSettings = Settings.builder() .put(ConfigConstants.SECURITY_SYSTEM_INDICES_ENABLED_KEY, true) .putList(ConfigConstants.SECURITY_SYSTEM_INDICES_KEY, listOfIndexesToTest) - .put("opendistro_security.ssl.http.enabled",true) - .put("opendistro_security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) - .put("opendistro_security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) + .put("plugins.security.ssl.http.enabled",true) + .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-0-keystore.jks")) + .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("truststore.jks")) .put("path.repo", repositoryPath.getRoot().getAbsolutePath()) .build(); setup(Settings.EMPTY, diff --git a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java index 13d419f692..67ed3a9897 100644 --- a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java +++ b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java 
@@ -141,10 +141,10 @@ protected TransportClient getInternalTransportClient(ClusterInfo info, Settings Settings tcSettings = Settings.builder() .put("cluster.name", info.clustername) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks")) - .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) - .put("opendistro_security.ssl.transport.keystore_filepath", + .put("plugins.security.ssl.transport.enforce_hostname_verification", false) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath(prefix+"kirk-keystore.jks")) .put(initTransportClientSettings) .build(); @@ -160,10 +160,10 @@ protected TransportClient getUserTransportClient(ClusterInfo info, String keySto Settings tcSettings = Settings.builder() .put("cluster.name", info.clustername) - .put("opendistro_security.ssl.transport.truststore_filepath", + .put("plugins.security.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks")) - .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) - .put("opendistro_security.ssl.transport.keystore_filepath", + .put("plugins.security.ssl.transport.enforce_hostname_verification", false) + .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath(prefix+keyStore)) .put(initTransportClientSettings) .build(); 
@@ -233,11 +233,11 @@ protected Settings.Builder minimumSecuritySettingsBuilder(int node, boolean sslO .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath(prefix+"node-0-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath(prefix+"truststore.jks")) - .put("opendistro_security.ssl.transport.enforce_hostname_verification", false); + .put("plugins.security.ssl.transport.enforce_hostname_verification", false); } if(!sslOnly) { - builder.putList("opendistro_security.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=tEst, C=De"); + builder.putList("plugins.security.authcz.admin_dn", "CN=kirk,OU=client,O=client,l=tEst, C=De"); builder.put(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, false); } diff --git a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorTest.java b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorTest.java index 5dd2ae1540..fe1377e7fc 100644 --- a/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorTest.java +++ b/src/test/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorTest.java @@ -268,8 +268,8 @@ public void testJksTrust() throws Exception { Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/truststore.jks"); Settings settings = Settings.builder() - .put("opendistro_security.ssl.transport.truststore_filepath", rootCaJksPath.getFileName().toString()) - .put("opendistro_security.ssl.transport.truststore_password", "secret").put("prefix.enable_ssl", "true") + .put("plugins.security.ssl.transport.truststore_filepath", rootCaJksPath.getFileName().toString()) + .put("plugins.security.ssl.transport.truststore_password", "secret").put("prefix.enable_ssl", "true") .put("path.home", rootCaJksPath.getParent().toString()).build(); Path configPath = rootCaJksPath.getParent(); 
@@ -296,8 +296,8 @@ public void testJksWrongTrust() throws Exception {
 Path rootCaJksPath = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/other-root-ca.jks");
 Settings settings = Settings.builder()
- .put("opendistro_security.ssl.transport.truststore_filepath", rootCaJksPath.getFileName().toString())
- .put("opendistro_security.ssl.transport.truststore_password", "secret").put("prefix.enable_ssl", "true")
+ .put("plugins.security.ssl.transport.truststore_filepath", rootCaJksPath.getFileName().toString())
+ .put("plugins.security.ssl.transport.truststore_password", "secret").put("prefix.enable_ssl", "true")
 .put("path.home", rootCaJksPath.getParent().toString()).build();
 Path configPath = rootCaJksPath.getParent();
diff --git a/src/test/resources/auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml b/src/test/resources/auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml
index 906aedae90..ba636e7262 100644
--- a/src/test/resources/auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml
+++ b/src/test/resources/auditlog/endpoints/sink/configuration_no_multiple_endpoints.yml
@@ -1,5 +1,5 @@
-opendistro_security.audit.type: internal_opensearch
-opendistro_security.audit.config.index: "myownindex"
-opendistro_security.audit.config.type: "auditevents"
-opendistro_security.audit.threadpool.size: 5
-opendistro_security.audit.threadpool.max_queue_len: 200000
\ No newline at end of file
+plugins.security.audit.type: internal_opensearch
+plugins.security.audit.config.index: "myownindex"
+plugins.security.audit.config.type: "auditevents"
+plugins.security.audit.threadpool.size: 5
+plugins.security.audit.threadpool.max_queue_len: 200000
\ No newline at end of file
diff --git a/src/test/resources/auditlog/endpoints/sink/configuration_tls.yml b/src/test/resources/auditlog/endpoints/sink/configuration_tls.yml
index 2571efd336..f75194d385 100644
--- a/src/test/resources/auditlog/endpoints/sink/configuration_tls.yml
+++ b/src/test/resources/auditlog/endpoints/sink/configuration_tls.yml @@ -1,14 +1,14 @@ -opendistro_security.ssl.transport.enabled: true -opendistro_security.ssl.transport.keystore_filepath: "transport.keystore_filepath" -opendistro_security.ssl.transport.truststore_filepath: "transport.truststore_filepath" -opendistro_security.ssl.transport.enforce_hostname_verification: true -opendistro_security.ssl.transport.resolve_hostname: true -opendistro_security.ssl.transport.enable_openssl_if_available: true -opendistro_security.ssl.http.enabled: true -opendistro_security.ssl.http.keystore_filepath: "http.keystore_filepath" -opendistro_security.ssl.http.truststore_filepath: "http.truststore_filepath" -opendistro_security.ssl.http.enable_openssl_if_available: true -opendistro_security.ssl.http.clientauth_mode: OPTIONAL +plugins.security.ssl.transport.enabled: true +plugins.security.ssl.transport.keystore_filepath: "transport.keystore_filepath" +plugins.security.ssl.transport.truststore_filepath: "transport.truststore_filepath" +plugins.security.ssl.transport.enforce_hostname_verification: true +plugins.security.ssl.transport.resolve_hostname: true +plugins.security.ssl.transport.enable_openssl_if_available: true +plugins.security.ssl.http.enabled: true +plugins.security.ssl.http.keystore_filepath: "http.keystore_filepath" +plugins.security.ssl.http.truststore_filepath: "http.truststore_filepath" +plugins.security.ssl.http.enable_openssl_if_available: true +plugins.security.ssl.http.clientauth_mode: OPTIONAL opendistro_security: audit: From 3a8bce9b9be532aa8840e8fedfd2140fd0ff8795 Mon Sep 17 00:00:00 2001 
From: Andy Lin Date: Thu, 20 May 2021 11:04:48 -0700 Subject: [PATCH 04/17] Change opendistro_security to plugins.security in test/resources yml files --- .../configuration_wrong_endpoint_names.yml | 49 +++++----- .../routing/configuration_no_default.yml | 39 ++++---- .../endpoints/routing/configuration_valid.yml | 71 +++++++------- .../configuration_wrong_categories.yml | 71 +++++++------- .../configuration_wrong_endpoint_names.yml | 67 ++++++------- .../configuration_wrong_endpoint_types.yml | 63 ++++++------ .../auditlog/endpoints/routing/fallback.yml | 67 ++++++------- .../auditlog/endpoints/routing/perftest.yml | 25 ++--- .../auditlog/endpoints/routing/routing.yml | 45 ++++----- .../sink/configuration_all_variants.yml | 95 ++++++++++--------- .../endpoints/sink/configuration_kafka.yml | 15 +-- .../sink/configuration_no_default.yml | 65 ++++++------- .../endpoints/sink/configuration_tls.yml | 63 ++++++------ src/test/resources/config_ldap.yml | 55 +++++------ 14 files changed, 402 insertions(+), 388 deletions(-) diff --git a/src/test/resources/auditlog/endpoints/configuration_wrong_endpoint_names.yml b/src/test/resources/auditlog/endpoints/configuration_wrong_endpoint_names.yml index 01b8f977c4..685a368742 100644 --- a/src/test/resources/auditlog/endpoints/configuration_wrong_endpoint_names.yml +++ b/src/test/resources/auditlog/endpoints/configuration_wrong_endpoint_names.yml 
@@ -1,24 +1,25 @@ -opendistro_security: - audit: - endpoints: - endpoint1: - type: internal_opensearch - endpoint2: - type: external_opensearch - config: - http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] - index: auditlog - username: auditloguser - password: auditlogpassword - enable_ssl: false - verify_hostnames: false - enable_ssl_client_auth: false - endpoint3: - type: debug - routes: - MISSING_PRIVILEGEs: - endpoints: - - default - COMPLIANCE_DOC_READ: - endpoints: - - endpoint3 \ No newline at end of file +plugins: + security: + audit: + endpoints: + endpoint1: + type: internal_opensearch + endpoint2: + type: external_opensearch + config: + http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] + index: auditlog + username: auditloguser + password: auditlogpassword + enable_ssl: false + verify_hostnames: false + enable_ssl_client_auth: false + endpoint3: + type: debug + routes: + MISSING_PRIVILEGEs: + endpoints: + - default + COMPLIANCE_DOC_READ: + endpoints: + - endpoint3 \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/routing/configuration_no_default.yml b/src/test/resources/auditlog/endpoints/routing/configuration_no_default.yml index ecb499e4a1..ab8ee2f490 100644 --- a/src/test/resources/auditlog/endpoints/routing/configuration_no_default.yml +++ b/src/test/resources/auditlog/endpoints/routing/configuration_no_default.yml 
@@ -1,19 +1,20 @@ -opendistro_security: - audit: - endpoints: - endpoint1: - type: internal_opensearch - endpoint2: - type: external_opensearch - endpoint3: - type: debug - routes: - MISSING_PRIVILEGEs: - endpoints: - - default - - endpoint1 - - endpoint2 - COMPLIANCE_DOC_READ: - endpoints: - - endpoint3 - - default \ No newline at end of file +plugins: + security: + audit: + endpoints: + endpoint1: + type: internal_opensearch + endpoint2: + type: external_opensearch + endpoint3: + type: debug + routes: + MISSING_PRIVILEGEs: + endpoints: + - default + - endpoint1 + - endpoint2 + COMPLIANCE_DOC_READ: + endpoints: + - endpoint3 + - default \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/routing/configuration_valid.yml b/src/test/resources/auditlog/endpoints/routing/configuration_valid.yml index 99a8691805..49951153a1 100644 --- a/src/test/resources/auditlog/endpoints/routing/configuration_valid.yml +++ b/src/test/resources/auditlog/endpoints/routing/configuration_valid.yml 
@@ -1,35 +1,36 @@ -opendistro_security: - audit: - type: external_opensearch - config: - http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] - index: auditlog - username: auditloguser - password: auditlogpassword - enable_ssl: false - verify_hostnames: false - enable_ssl_client_auth: false - endpoints: - endpoint1: - type: internal_opensearch - endpoint2: - type: external_opensearch - config: - http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] - index: auditlog - username: auditloguser - password: auditlogpassword - enable_ssl: false - verify_hostnames: false - enable_ssl_client_auth: false - endpoint3: - type: debug - routes: - MISSING_PRIVILEGEs: - endpoints: - - endpoint1 - - endpoint2 - - default - COMPLIANCE_DOC_READ: - endpoints: - - endpoint3 \ No newline at end of file +plugins: + security: + audit: + type: external_opensearch + config: + http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] + index: auditlog + username: auditloguser + password: auditlogpassword + enable_ssl: false + verify_hostnames: false + enable_ssl_client_auth: false + endpoints: + endpoint1: + type: internal_opensearch + endpoint2: + type: external_opensearch + config: + http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] + index: auditlog + username: auditloguser + password: auditlogpassword + enable_ssl: false + verify_hostnames: false + enable_ssl_client_auth: false + endpoint3: + type: debug + routes: + MISSING_PRIVILEGEs: + endpoints: + - endpoint1 + - endpoint2 + - default + COMPLIANCE_DOC_READ: + endpoints: + - endpoint3 \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/routing/configuration_wrong_categories.yml b/src/test/resources/auditlog/endpoints/routing/configuration_wrong_categories.yml index 13415aa967..ce769da4e0 100644 --- a/src/test/resources/auditlog/endpoints/routing/configuration_wrong_categories.yml 
+++ b/src/test/resources/auditlog/endpoints/routing/configuration_wrong_categories.yml @@ -1,35 +1,36 @@ -opendistro_security: - audit: - type: debug - endpoints: - ENDPOINT1: - type: internal_opensearch - endpoint2: - type: external_opensearch - endPoint3: - type: debug - routes: - MissIng_PrIVILEGEs: - endpoints: - - default - - endpoint1 - - endpoint2 - COMPLIANCE: - endpoints: - - endpoint3 - - default - WRONG: - endpoints: - - endpoint3 - - default - granted_PrIVILEGEs: - endpoints: - - EndPoint1 - - Endpoint3 - - DeFault - authenticated: - endpoints: - - EndPoint1 - BAD_HEADERS: - endpoints: - - endpoint4 \ No newline at end of file +plugins: + security: + audit: + type: debug + endpoints: + ENDPOINT1: + type: internal_opensearch + endpoint2: + type: external_opensearch + endPoint3: + type: debug + routes: + MissIng_PrIVILEGEs: + endpoints: + - default + - endpoint1 + - endpoint2 + COMPLIANCE: + endpoints: + - endpoint3 + - default + WRONG: + endpoints: + - endpoint3 + - default + granted_PrIVILEGEs: + endpoints: + - EndPoint1 + - Endpoint3 + - DeFault + authenticated: + endpoints: + - EndPoint1 + BAD_HEADERS: + endpoints: + - endpoint4 \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_names.yml b/src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_names.yml index 93ee63c36d..6df4ec89e3 100644 --- a/src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_names.yml +++ b/src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_names.yml 
@@ -1,33 +1,34 @@ -opendistro_security: - audit: - type: internal_opensearch - endpoints: - endpoint1: - type: internal_opensearch - endpoint2: - type: external_opensearch - config: - http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] - index: auditlog - username: auditloguser - password: auditlogpassword - enable_ssl: false - verify_hostnames: false - enable_ssl_client_auth: false - endpoint3: - type: debug - routes: - MISSING_PRIVILEGEs: - endpoints: - - endpoint1 - - nonexisting - - endpoint1 - - endpoint1 - - wrong - - endpoint3 - COMPLIANCE_DOC_READ: - endpoints: - - nothinghere - COMPLIANCE_DOC_WRITE: - endpoints: - - default \ No newline at end of file +plugins: + security: + audit: + type: internal_opensearch + endpoints: + endpoint1: + type: internal_opensearch + endpoint2: + type: external_opensearch + config: + http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] + index: auditlog + username: auditloguser + password: auditlogpassword + enable_ssl: false + verify_hostnames: false + enable_ssl_client_auth: false + endpoint3: + type: debug + routes: + MISSING_PRIVILEGEs: + endpoints: + - endpoint1 + - nonexisting + - endpoint1 + - endpoint1 + - wrong + - endpoint3 + COMPLIANCE_DOC_READ: + endpoints: + - nothinghere + COMPLIANCE_DOC_WRITE: + endpoints: + - default \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_types.yml b/src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_types.yml index ca37aede8a..361b1d94f7 100644 --- a/src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_types.yml +++ b/src/test/resources/auditlog/endpoints/routing/configuration_wrong_endpoint_types.yml 
@@ -1,31 +1,32 @@ -opendistro_security: - audit: - type: debug - endpoints: - endpoint1: - type: interrrrnal_opensearch - endpoint2: - type: external_opensearch - config: - http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] - index: auditlog - username: auditloguser - password: auditlogpassword - enable_ssl: false - verify_hostnames: false - enable_ssl_client_auth: false - endpoint3: - type: debug - routes: - MISSInG_PRIVILEGEs: - endpoints: - - endpoint1 - - endpoint2 - - endpoint3 - - default - COMPLIANCE_DOC_READ: - endpoints: - - nothinghere - COMPLIANCE_DOC_WRITE: - endpoints: - - default \ No newline at end of file +plugins: + security: + audit: + type: debug + endpoints: + endpoint1: + type: interrrrnal_opensearch + endpoint2: + type: external_opensearch + config: + http_endpoints: ['localhost:9200','localhost:9201','localhost:9202'] + index: auditlog + username: auditloguser + password: auditlogpassword + enable_ssl: false + verify_hostnames: false + enable_ssl_client_auth: false + endpoint3: + type: debug + routes: + MISSInG_PRIVILEGEs: + endpoints: + - endpoint1 + - endpoint2 + - endpoint3 + - default + COMPLIANCE_DOC_READ: + endpoints: + - nothinghere + COMPLIANCE_DOC_WRITE: + endpoints: + - default \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/routing/fallback.yml b/src/test/resources/auditlog/endpoints/routing/fallback.yml index 010c325d58..301b01030e 100644 --- a/src/test/resources/auditlog/endpoints/routing/fallback.yml +++ b/src/test/resources/auditlog/endpoints/routing/fallback.yml 
@@ -1,34 +1,35 @@ -opendistro_security: - audit: - type: org.opensearch.security.auditlog.helper.LoggingSink - endpoints: - endpoint1: - type: org.opensearch.security.auditlog.helper.FailingSink - endpoint2: - type: org.opensearch.security.auditlog.helper.LoggingSink - endpoint3: - type: org.opensearch.security.auditlog.helper.FailingSink - endpoint4: - type: org.opensearch.security.auditlog.helper.LoggingSink - endpoint5: - type: org.opensearch.security.auditlog.helper.LoggingSink +plugins: + security: + audit: + type: org.opensearch.security.auditlog.helper.LoggingSink + endpoints: + endpoint1: + type: org.opensearch.security.auditlog.helper.FailingSink + endpoint2: + type: org.opensearch.security.auditlog.helper.LoggingSink + endpoint3: + type: org.opensearch.security.auditlog.helper.FailingSink + endpoint4: + type: org.opensearch.security.auditlog.helper.LoggingSink + endpoint5: + type: org.opensearch.security.auditlog.helper.LoggingSink + fallback: + type: org.opensearch.security.auditlog.helper.LoggingSink + routes: + MISSING_PRIVILEGEs: + endpoints: + - endpoint1 + - endpoint2 + - default + COMPLIANCE_DOC_READ: + endpoints: + - endpoint3 + COMPLIANCE_DOC_WRITE: + endpoints: + - default + bad_Headers: + endpoints: + - endpoint4 + - endpoint5 fallback: - type: org.opensearch.security.auditlog.helper.LoggingSink - routes: - MISSING_PRIVILEGEs: - endpoints: - - endpoint1 - - endpoint2 - - default - COMPLIANCE_DOC_READ: - endpoints: - - endpoint3 - COMPLIANCE_DOC_WRITE: - endpoints: - - default - bad_Headers: - endpoints: - - endpoint4 - - endpoint5 - fallback: - type: org.opensearch.security.auditlog.helper.LoggingSink \ No newline at end of file + type: org.opensearch.security.auditlog.helper.LoggingSink \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/routing/perftest.yml b/src/test/resources/auditlog/endpoints/routing/perftest.yml index 5ac2e9ad0d..26484ed91d 100644 --- a/src/test/resources/auditlog/endpoints/routing/perftest.yml 
+++ b/src/test/resources/auditlog/endpoints/routing/perftest.yml @@ -1,12 +1,13 @@ -opendistro_security: - audit: - type: org.opensearch.security.auditlog.helper.SlowSink - endpoints: - endpoint1: - type: org.opensearch.security.auditlog.helper.SlowSink - routes: - MISSING_PRIVILEGEs: - endpoints: - - endpoint1 - fallback: - type: org.opensearch.security.auditlog.helper.LoggingSink \ No newline at end of file +plugins: + security: + audit: + type: org.opensearch.security.auditlog.helper.SlowSink + endpoints: + endpoint1: + type: org.opensearch.security.auditlog.helper.SlowSink + routes: + MISSING_PRIVILEGEs: + endpoints: + - endpoint1 + fallback: + type: org.opensearch.security.auditlog.helper.LoggingSink \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/routing/routing.yml b/src/test/resources/auditlog/endpoints/routing/routing.yml index 238ad08ec3..09f2c14bbe 100644 --- a/src/test/resources/auditlog/endpoints/routing/routing.yml +++ b/src/test/resources/auditlog/endpoints/routing/routing.yml 
@@ -1,22 +1,23 @@ -opendistro_security: - audit: - type: org.opensearch.security.auditlog.helper.LoggingSink - endpoints: - endpoint1: - type: org.opensearch.security.auditlog.helper.LoggingSink - endpoint2: - type: org.opensearch.security.auditlog.helper.LoggingSink - endpoint3: - type: org.opensearch.security.auditlog.helper.LoggingSink - routes: - MISSING_PRIVILEGEs: - endpoints: - - endpoint1 - - endpoint2 - - default - COMPLIANCE_DOC_READ: - endpoints: - - endpoint3 - COMPLIANCE_DOC_WRITE: - endpoints: - - default \ No newline at end of file +plugins: + security: + audit: + type: org.opensearch.security.auditlog.helper.LoggingSink + endpoints: + endpoint1: + type: org.opensearch.security.auditlog.helper.LoggingSink + endpoint2: + type: org.opensearch.security.auditlog.helper.LoggingSink + endpoint3: + type: org.opensearch.security.auditlog.helper.LoggingSink + routes: + MISSING_PRIVILEGEs: + endpoints: + - endpoint1 + - endpoint2 + - default + COMPLIANCE_DOC_READ: + endpoints: + - endpoint3 + COMPLIANCE_DOC_WRITE: + endpoints: + - default \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml b/src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml index 69f69cdc02..dee4d131d1 100644 --- a/src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml +++ b/src/test/resources/auditlog/endpoints/sink/configuration_all_variants.yml 
@@ -1,47 +1,48 @@ -opendistro_security: - audit: - type: debug - endpoints: - eNDpoint1: - type: internal_opensearch - config: - key: value - wedontneed: anyconfigforinternal - endpoint2: - type: external_opensearch - endPOINT3: - type: debug - endpoint4: - type: idonotexist - endpoint5: - type: external_opensearch - something: - key: value - endpoint6: - something: - key: value - endpoint7: - config: - key: value - endpoint8: - type: DeBug - config: - key: value - endpoint9: - type: external_opensearch - config: - endpoints: stringhere - endpoint10: - type: log4j - config: - log4j.logger_name: loggername - log4j.level: WaRn - endpoint11: - type: log4j - config: - log4j.logger_name: loggername - endpoint12: - type: log4j - config: - log4j.logger_name: loggername - log4j.level: invalid +plugins: + security: + audit: + type: debug + endpoints: + eNDpoint1: + type: internal_opensearch + config: + key: value + wedontneed: anyconfigforinternal + endpoint2: + type: external_opensearch + endPOINT3: + type: debug + endpoint4: + type: idonotexist + endpoint5: + type: external_opensearch + something: + key: value + endpoint6: + something: + key: value + endpoint7: + config: + key: value + endpoint8: + type: DeBug + config: + key: value + endpoint9: + type: external_opensearch + config: + endpoints: stringhere + endpoint10: + type: log4j + config: + log4j.logger_name: loggername + log4j.level: WaRn + endpoint11: + type: log4j + config: + log4j.logger_name: loggername + endpoint12: + type: log4j + config: + log4j.logger_name: loggername + log4j.level: invalid diff --git a/src/test/resources/auditlog/endpoints/sink/configuration_kafka.yml b/src/test/resources/auditlog/endpoints/sink/configuration_kafka.yml index 4bcc10110d..6afa537132 100644 --- a/src/test/resources/auditlog/endpoints/sink/configuration_kafka.yml +++ b/src/test/resources/auditlog/endpoints/sink/configuration_kafka.yml 
@@ -1,7 +1,8 @@ -opendistro_security: - audit: - type: kafka - config: - bootstrap_servers: _RPLC_BOOTSTRAP_SERVERS_ - topic_name: compliance - client_id: opensearch_cluster_1 \ No newline at end of file +plugins: + security: + audit: + type: kafka + config: + bootstrap_servers: _RPLC_BOOTSTRAP_SERVERS_ + topic_name: compliance + client_id: opensearch_cluster_1 \ No newline at end of file diff --git a/src/test/resources/auditlog/endpoints/sink/configuration_no_default.yml b/src/test/resources/auditlog/endpoints/sink/configuration_no_default.yml index 037be861f6..75ca4a3a0e 100644 --- a/src/test/resources/auditlog/endpoints/sink/configuration_no_default.yml +++ b/src/test/resources/auditlog/endpoints/sink/configuration_no_default.yml @@ -1,32 +1,33 @@ -opendistro_security: - audit: - endpoints: - eNDpoint1: - type: internal_opensearch - config: - key: value - wedontneed: anyconfigforinternal - endpoint2: - type: external_opensearch - endPOINT3: - type: debug - endpoint4: - type: idonotexist - endpoint5: - type: external_opensearch - something: - key: value - endpoint6: - something: - key: value - endpoint7: - config: - key: value - endpoint8: - type: DeBug - config: - key: value - endpoint9: - type: external_opensearch - config: - endpoints: stringhere \ No newline at end of file +plugins: + security: + audit: + endpoints: + eNDpoint1: + type: internal_opensearch + config: + key: value + wedontneed: anyconfigforinternal + endpoint2: + type: external_opensearch + endPOINT3: + type: debug + endpoint4: + type: idonotexist + endpoint5: + type: external_opensearch + something: + key: value + endpoint6: + something: + key: value + endpoint7: + config: + key: value + endpoint8: + type: DeBug + config: + key: value + endpoint9: + type: external_opensearch + config: + endpoints: stringhere \ No newline at end of file 
diff --git a/src/test/resources/auditlog/endpoints/sink/configuration_tls.yml b/src/test/resources/auditlog/endpoints/sink/configuration_tls.yml index f75194d385..5a0d1f581b 100644 --- a/src/test/resources/auditlog/endpoints/sink/configuration_tls.yml +++ b/src/test/resources/auditlog/endpoints/sink/configuration_tls.yml @@ -10,34 +10,35 @@ plugins.security.ssl.http.truststore_filepath: "http.truststore_filepath" plugins.security.ssl.http.enable_openssl_if_available: true plugins.security.ssl.http.clientauth_mode: OPTIONAL -opendistro_security: - audit: - type: webhook - config: - webhook: - url: https://localhost:8083 - format: JSON - ssl: - verify: true - pemtrustedcas_filepath: dyn - endpoints: - endpoint1: - type: webhook - config: - webhook: - url: https://localhost:8083 - format: JSON - ssl: - verify: true - pemtrustedcas_filepath: dyn - endpoint2: - type: webhook - config: - webhook: - url: https://localhost:8083 - format: JSON - ssl: - verify: true - pemtrustedcas_content: dyn - fallback: - type: org.opensearch.security.auditlog.helper.LoggingSink +plugins: + security: + audit: + type: webhook + config: + webhook: + url: https://localhost:8083 + format: JSON + ssl: + verify: true + pemtrustedcas_filepath: dyn + endpoints: + endpoint1: + type: webhook + config: + webhook: + url: https://localhost:8083 + format: JSON + ssl: + verify: true + pemtrustedcas_filepath: dyn + endpoint2: + type: webhook + config: + webhook: + url: https://localhost:8083 + format: JSON + ssl: + verify: true + pemtrustedcas_content: dyn + fallback: + type: org.opensearch.security.auditlog.helper.LoggingSink diff --git a/src/test/resources/config_ldap.yml b/src/test/resources/config_ldap.yml index 142823f8e0..552edb2428 100644 --- a/src/test/resources/config_ldap.yml +++ b/src/test/resources/config_ldap.yml 
@@ -1,27 +1,28 @@ -opendistro_security: - dynamic: - http: - xff: - enabled: false - internalProxies: 192\.168\.0\.10|192\.168\.0\.11 - remoteIpHeader: "x-forwarded-for" - proxiesHeader: "x-forwarded-by" - trustedProxies: "proxy1|proxy2" - authenticator: - type: org.opensearch.security.http.HTTPBasicAuthenticator - authcz: - authentication_domain_basic_internal: - enabled: true - order: 1 - authentication_backend: - type: ldap - config: - host: "localhost:40622" - usersearch: "(uid={0})" - authorization_backend: - type: ldap - config: - rolesearch: "(uniqueMember={0})" - resolve_nested_roles: true - rolebase: "ou=groups,o=TEST" - rolename: cn \ No newline at end of file +plugins: + security: + dynamic: + http: + xff: + enabled: false + internalProxies: 192\.168\.0\.10|192\.168\.0\.11 + remoteIpHeader: "x-forwarded-for" + proxiesHeader: "x-forwarded-by" + trustedProxies: "proxy1|proxy2" + authenticator: + type: org.opensearch.security.http.HTTPBasicAuthenticator + authcz: + authentication_domain_basic_internal: + enabled: true + order: 1 + authentication_backend: + type: ldap + config: + host: "localhost:40622" + usersearch: "(uid={0})" + authorization_backend: + type: ldap + config: + rolesearch: "(uniqueMember={0})" + resolve_nested_roles: true + rolebase: "ou=groups,o=TEST" + rolename: cn \ No newline at end of file From 398f826efb7e307d6bdae117eec293ef2e2e7020 Mon Sep 17 00:00:00 2001 From: Andy Lin Date: Thu, 20 May 2021 14:18:01 -0700 Subject: [PATCH 05/17] Replace opendistro_security_config with security_config --- .github/workflows/ci.yml | 1 + .../security/ssl/transport/SSLConfig.java | 2 +- .../security/support/ConfigConstants.java | 2 +- .../EncryptionInTransitMigrationTests.java | 14 +++++++------- 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b296f26eb0..d4f2086d26 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -47,6 +47,7 @@ jobs:
 working-directory: ./OpenSearch
 run: ./gradlew publishToMavenLocal -Dbuild.version_qualifier=rc1 -Dbuild.snapshot=false
+ - name: Checkstyle
 run: mvn -B checkstyle:checkstyle
diff --git a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java
index 52b0fbe5c4..5dc67e7c85 100644
--- a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java
+++ b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java
@@ -36,7 +36,7 @@ public SSLConfig(final boolean sslOnly, final boolean dualModeEnabled) {
 this.sslOnly = sslOnly;
 this.dualModeEnabled = dualModeEnabled;
 if (this.dualModeEnabled && !this.sslOnly) {
- logger.warn("opendistro_security_config.ssl_dual_mode_enabled is enabled but plugins.security.ssl_only mode is disabled. "
+ logger.warn("security_config.ssl_dual_mode_enabled is enabled but plugins.security.ssl_only mode is disabled. "
 + "SSL Dual mode is supported only when security plugin is in ssl_only mode");
 }
 logger.info("SSL dual mode is {}", isDualModeEnabled() ? "enabled" : "disabled");
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index 42eccbc1c3..ddc45882d0 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
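Review bot: The renamed key in the new `logger.warn` line is still a hand-typed copy of the setting name, which is precisely the duplication this commit had to chase down; it should be taken from the constant so the next rename cannot leave the warning naming a stale key. Something like `logger.warn("{} is enabled but {} mode is disabled. SSL Dual mode is supported only when security plugin is in ssl_only mode", ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, ConfigConstants.SECURITY_SSL_ONLY);` would do, assuming `ConfigConstants` is reachable from this class (no import is visible in the hunk). The constructor's closing brace lies outside the hunk.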
@@ -223,7 +223,7 @@ public class ConfigConstants {
 public static final String SECURITY_COMPLIANCE_SALT_DEFAULT = "e1ukloTsQlOgPquJ";//16 chars
 public static final String SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = "plugins.security.compliance.history.internal_config_enabled";
 public static final String SECURITY_SSL_ONLY = "plugins.security.ssl_only";
- public static final String SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED = "opendistro_security_config.ssl_dual_mode_enabled";
+ public static final String SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED = "security_config.ssl_dual_mode_enabled";
 public static final String SECURITY_SSL_CERT_RELOAD_ENABLED = "plugins.security.ssl_cert_reload_enabled";
 public static final String SECURITY_DISABLE_ENVVAR_REPLACEMENT = "plugins.security.disable_envvar_replacement";
diff --git a/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java b/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java
index 0e160d5e5c..f163778d2b 100644
--- a/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java
+++ b/src/test/java/org/opensearch/security/EncryptionInTransitMigrationTests.java
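Review bot: `SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED` is a persistent cluster setting (the test hunk below PUTs it under `persistent` through `_cluster/settings`), and this hunk renames its key outright with no deprecated alias for `opendistro_security_config.ssl_dual_mode_enabled`, whereas the node settings in this series keep a `LegacyOpenDistro*` fallback marked `Setting.Property.Deprecated`. A cluster upgraded while the old key is still persisted would, as far as I can tell from here, no longer have dual mode recognised, and since dual mode is what permits mixed plaintext/TLS transport during a migration (per the warning text in SSLConfig) that could cut nodes off mid-rollout. Please confirm the setting registration elsewhere still accepts the old key, or add `public static final String LEGACY_OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED = "opendistro_security_config.ssl_dual_mode_enabled";` and register it as a deprecated fallback. Note also that the new key is the only one in this hunk not under the `plugins.security.` prefix; if that is intentional it deserves a comment such as `// cluster-scope dynamic setting; intentionally not under the plugins.security.* node-setting namespace`.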
@@ -58,36 +58,36 @@ private void testSslOnlyMode(boolean dualModeEnabled) throws Exception {
 if (dualModeEnabled) {
 res = rh.executeGetRequest("_cluster/settings?flat_settings&include_defaults");
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertTrue(res.getBody().contains("\"opendistro_security_config.ssl_dual_mode_enabled\":\"true\""));
+ Assert.assertTrue(res.getBody().contains("\"security_config.ssl_dual_mode_enabled\":\"true\""));
 String disableDualModeClusterSetting = "{ \"persistent\": { \"" + ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED + "\": false } }";
 res = rh.executePutRequest("_cluster/settings", disableDualModeClusterSetting);
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"opendistro_security_config\":{\"ssl_dual_mode_enabled\":\"false\"}},\"transient\":{}}", res.getBody());
+ Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"false\"}},\"transient\":{}}", res.getBody());
 res = rh.executeGetRequest("_cluster/settings?flat_settings&include_defaults");
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertTrue(res.getBody().contains("\"opendistro_security_config.ssl_dual_mode_enabled\":\"false\""));
+ Assert.assertTrue(res.getBody().contains("\"security_config.ssl_dual_mode_enabled\":\"false\""));
 String enableDualModeClusterSetting = "{ \"persistent\": { \"" + ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED + "\": true } }";
 res = rh.executePutRequest("_cluster/settings", enableDualModeClusterSetting);
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"opendistro_security_config\":{\"ssl_dual_mode_enabled\":\"true\"}},\"transient\":{}}", res.getBody());
+ Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"true\"}},\"transient\":{}}", res.getBody());
 res = rh.executeGetRequest("_cluster/settings?flat_settings&include_defaults");
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertTrue(res.getBody().contains("\"opendistro_security_config.ssl_dual_mode_enabled\":\"true\""));
+ Assert.assertTrue(res.getBody().contains("\"security_config.ssl_dual_mode_enabled\":\"true\""));
 res = rh.executePutRequest("_cluster/settings", disableDualModeClusterSetting);
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"opendistro_security_config\":{\"ssl_dual_mode_enabled\":\"false\"}},\"transient\":{}}", res.getBody());
+ Assert.assertEquals("{\"acknowledged\":true,\"persistent\":{\"security_config\":{\"ssl_dual_mode_enabled\":\"false\"}},\"transient\":{}}", res.getBody());
 res = rh.executeGetRequest("_cluster/settings?flat_settings&include_defaults");
 Assert.assertEquals(HttpStatus.SC_OK, res.getStatusCode());
- Assert.assertTrue(res.getBody().contains("\"opendistro_security_config.ssl_dual_mode_enabled\":\"false\""));
+ Assert.assertTrue(res.getBody().contains("\"security_config.ssl_dual_mode_enabled\":\"false\""));
 }
 }
From b1fa99a284928c23104ba5694b513109b87eca9c Mon Sep 17 00:00:00 2001
From: Andy Lin
Date: Thu, 20 May 2021 17:41:53 -0700
Subject: [PATCH 06/17] Fix LegacyOpenDistroSSLSecuritySettings
---
 .../LegacyOpenDistroSSLSecuritySettings.java | 244 +++++++++---------
 1 file changed, 122 insertions(+), 122 deletions(-)
diff --git a/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java b/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java
index f60024fa19..bc38f0e67f 100644
--- a/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java
+++ b/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java 
@@ -22,135 +22,135 @@ import java.util.function.Function; public class LegacyOpenDistroSSLSecuritySettings { - public static final Setting SECURITY_SSL_HTTP_CLIENTAUTH_MODE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_KEYSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting 
SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_HTTP_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = 
Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting> SECURITY_SSL_HTTP_ENABLED_CIPHERS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here - public static final Setting> SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = 
Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here - public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here - public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here - public static final Setting SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - public static final Setting SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, 
Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED,Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - 
//settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here - //settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here - //settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here - //settings.add(Setting.listSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, 
Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_HTTP_CLIENTAUTH_MODE = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_KEYSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_KEYSTORE_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_KEYSTORE_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_KEYSTORE_TYPE = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, 
Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_HTTP_ENABLED = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED, LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_ENABLED = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED, LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = 
Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE = 
Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting> SECURITY_SSL_HTTP_ENABLED_CIPHERS = Setting.listSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting> SECURITY_SSL_HTTP_ENABLED_PROTOCOLS = Setting.listSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS = Setting.listSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = Setting.listSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here + public static final Setting SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + public static final Setting SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); + 
//settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED,Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.listSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
+ //settings.add(Setting.listSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered));
- public static final Setting SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered));
 //if(extendedKeyUsageEnabled) {
- public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
 //} else {
- public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- public static final Setting SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
 //}
- public static final Setting SECURITY_SSL_HTTP_PEMCERT_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_PEMKEY_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_PEMKEY_PASSWORD = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- public static final Setting SECURITY_SSL_HTTP_CRL_FILE = Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATE = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_HTTP_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_PEMKEY_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
+ public static final Setting SECURITY_SSL_HTTP_CRL_FILE = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATE = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATE, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = Setting.longSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
+ //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered));
+ //settings.add(Setting.longSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Setting.Property.NodeScope, Setting.Property.Filtered));
 //return settings;
From 480a6b60ec8e2925e5997227d318c0c1d99c9bd7 Mon Sep 17 00:00:00 2001
From: Andy Lin
Date: Thu, 20 May 2021 17:48:37 -0700
Subject: [PATCH 07/17] Delete comments
---
 .../LegacyOpenDistroSSLSecuritySettings.java | 76 +---------
 .../LegacyOpenDistroSecuritySettings.java | 134 +-----------------
 2 files changed, 9 insertions(+), 201 deletions(-)
diff --git a/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java b/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java
index bc38f0e67f..487973246c 100644
--- a/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java
+++ b/src/main/java/org/opensearch/security/ssl/util/LegacyOpenDistroSSLSecuritySettings.java
@@ -50,93 +50,41 @@ public class LegacyOpenDistroSSLSecuritySettings {
 public static final Setting> SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS = Setting.listSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here
 public static final Setting SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
 public static final Setting SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CLIENTAUTH_MODE, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED,Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered));
- //settings.add(Setting.listSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
- //settings.add(Setting.listSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
- //settings.add(Setting.listSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
- //settings.add(Setting.listSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here
- //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID, Setting.Property.NodeScope, 
Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered)); public static final Setting SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //if(extendedKeyUsageEnabled) { + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - 
//settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, 
Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH = 
Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //} else { - - public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered, 
Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, 
Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //} + public static final Setting SECURITY_SSL_HTTP_PEMCERT_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_HTTP_PEMKEY_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_HTTP_PEMKEY_PASSWORD = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - 
//settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); + public static final Setting SECURITY_SSL_HTTP_CRL_FILE = Setting.simpleString(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATE = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATE, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); 
@@ -144,14 +92,4 @@ public class LegacyOpenDistroSSLSecuritySettings { public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_HTTP_CRL_DISABLE_OCSP = Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_HTTP_CRL_VALIDATION_DATE = Setting.longSetting(LegacyOpenDistroSSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - 
//settings.add(Setting.longSetting(LegacyOpenDistroSSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Setting.Property.NodeScope, Setting.Property.Filtered)); - //return settings; - - } diff --git a/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java b/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java index 6ef8fab4de..1248a26b6c 100644 --- a/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java +++ b/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java 
@@ -37,28 +37,15 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting SECURITY_SSL_ONLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - - // currently dual mode is supported only when ssl_only is enabled, but this stance would change in future - //settings.add(OpenDistroSSLConfig.SSL_DUAL_MODE_SETTING); - // Protected index settings public static final Setting SECURITY_PROTECTED_INDICES_ENABLED_KEY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); public static final Setting> SECURITY_PROTECTED_INDICES_KEY = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); public static final Setting> SECURITY_PROTECTED_INDICES_ROLES_KEY = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); - - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, 
Setting.Property.Filtered, Setting.Property.Final)); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); - + // System index settings public static final Setting SECURITY_SYSTEM_INDICES_ENABLED_KEY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); public static final Setting> SECURITY_SYSTEM_INDICES_KEY = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final)); - - //if(!openDistroSSLConfig.isSslOnlyMode()) { public static final Setting> 
SECURITY_AUTHCZ_ADMIN_DN = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here public static final Setting SECURITY_CONFIG_INDEX_NAME = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here public static final Setting SECURITY_AUTHCZ_IMPERSONATION_DN = Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".", Setting.Property.NodeScope, Setting.Property.Deprecated); 
@@ -71,27 +58,6 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting SECURITY_DISABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DISABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_CACHE_TTL_MINUTES = Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CACHE_TTL_MINUTES, 60, 0, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here - - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_IMPERSONATION_DN+".", Setting.Property.NodeScope)); //not filtered here - - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CERT_OID, Setting.Property.NodeScope, Setting.Property.Filtered)); - - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_NODES_DN, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here - - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED, false, Setting.Property.NodeScope));//not filtered here - - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, - 
// Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, - // Setting.Property.NodeScope, Setting.Property.Filtered)); - - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DISABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - - //settings.add(Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CACHE_TTL_MINUTES, 60, 0, Setting.Property.NodeScope, Setting.Property.Filtered)); - //Security public static final Setting SECURITY_ADVANCED_MODULES_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); 
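Review bot: The deleted registration for OPENDISTRO_SECURITY_CONFIG_INDEX_NAME in this hunk carried `Setting.Property.Filtered`, while the live `SECURITY_CONFIG_INDEX_NAME` declaration that survives on the new side (visible at the end of the preceding hunk) is built with only `NodeScope` and `Deprecated` and is annotated `//not filtered here`, so this commit also removes the only remaining record that the setting was presumably meant to be hidden from settings-exposing APIs. If that relaxation was not intended, the change is `public static final Setting<String> SECURITY_CONFIG_INDEX_NAME = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated);`; if it was intended, the trailing comment should give the reason rather than just state the fact, e.g. `// deliberately unfiltered: the config index name is not a secret and must be readable from node settings — confirm`. The other unfiltered legacy settings whose registrations are deleted here (admin DN, impersonation DN, nodes DN) match their live declarations, so this is the only divergence visible in the hunk. The enclosing class body starts before and continues after this hunk.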
@@ -101,15 +67,6 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting SECURITY_ROLES_MAPPING_RESOLUTION = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_DISABLE_ENVVAR_REPLACEMENT = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //ettings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", Setting.Property.NodeScope)); //not filtered here - - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_ROLES_MAPPING_RESOLUTION, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_DISABLE_ENVVAR_REPLACEMENT, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - // Security - Audit public static final Setting SECURITY_AUDIT_TYPE_DEFAULT = 
Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_AUDIT_CONFIG_ROUTES = Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ROUTES + ".", Setting.Property.NodeScope, Setting.Property.Deprecated); 
@@ -120,40 +77,17 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting SECURITY_AUDIT_RESOLVE_INDICES = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_AUDIT_ENABLE_REST = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_AUDIT_ENABLE_TRANSPORT = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ROUTES + ".", Setting.Property.NodeScope)); - //settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_ENDPOINTS + ".", Setting.Property.NodeScope)); - //settings.add(Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_SIZE, 10, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.intSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, 100*1000, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - 
//settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //private static final List disabledCategories = Stream.of("AUTHENTICATED", "GRANTED_PRIVILEGES").collect(Collectors.toCollection(ArrayList::new)); - //disabledCategories.add("AUTHENTICATED"); - //disabledCategories.add("GRANTED_PRIVILEGES"); public static final Setting> SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, Lists.newArrayList("AUTHENTICATED", "GRANTED_PRIVILEGES"), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here public static final Setting> SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, Lists.newArrayList("AUTHENTICATED", "GRANTED_PRIVILEGES"), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, disabledCategories, Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, disabledCategories, Function.identity(), Setting.Property.NodeScope)); //not filtered here - //private static final List ignoredUsers = Stream.of("kibanaserver").collect(Collectors.toCollection(ArrayList::new)); - //ignoredUsers.add("kibanaserver"); public static final Setting> SECURITY_AUDIT_IGNORE_USERS = 
Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, Lists.newArrayList("kibanaserver"), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here public static final Setting> SECURITY_AUDIT_IGNORE_REQUESTS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here public static final Setting SECURITY_AUDIT_RESOLVE_BULK_REQUESTS = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, ignoredUsers, Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - // Security - Audit - Sink public static final Setting SECURITY_AUDIT_OPENSEARCH_INDEX = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + 
LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_AUDIT_OPENSEARCH_TYPE = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_INDEX, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_OPENSEARCH_TYPE, Setting.Property.NodeScope, Setting.Property.Filtered)); - + // External OpenSearch public static final Setting> SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS, Lists.newArrayList("localhost:9200"), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here public static final Setting SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); 
@@ -172,23 +106,6 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting> SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here public static final Setting> SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS, Lists.newArrayList("localhost:9200"), Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL, false, Setting.Property.NodeScope, 
Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD, Setting.Property.NodeScope, Setting.Property.Filtered)); - 
//settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));//not filtered here - // Webhooks public static final Setting SECURITY_AUDIT_WEBHOOK_URL = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_URL, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_AUDIT_WEBHOOK_FORMAT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + 
LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_FORMAT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); 
@@ -196,41 +113,20 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_URL, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_FORMAT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_SSL_VERIFY, true, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + 
LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT, Setting.Property.NodeScope, Setting.Property.Filtered)); - // Log4j public static final Setting SECURITY_AUDIT_LOG4J_LOGGER_NAME = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LOGGER_NAME, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_AUDIT_LOG4J_LEVEL = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LEVEL, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LOGGER_NAME, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DEFAULT_PREFIX + LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG4J_LEVEL, Setting.Property.NodeScope, Setting.Property.Filtered)); - - // Kerberos public static final Setting SECURITY_KERBEROS_KRB5_FILEPATH = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_KRB5_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL, 
Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_KRB5_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL, Setting.Property.NodeScope, Setting.Property.Filtered)); - - // Open Distro Security - REST API public static final Setting> SECURITY_RESTAPI_ROLES_ENABLED = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here public static final Setting SECURITY_RESTAPI_ENDPOINTS_DISABLED = Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Setting.Property.NodeScope, Setting.Property.Deprecated); public static final Setting SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ROLES_ENABLED, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here - 
//settings.add(Setting.groupSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Setting.Property.NodeScope)); - - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Setting.Property.NodeScope, Setting.Property.Filtered)); - // Compliance public static final Setting> SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope, Setting.Property.Deprecated); //not filtered here 
@@ -246,27 +142,10 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting SECURITY_COMPLIANCE_SALT = Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - 
//settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope)); //not filtered here - //settings.add(Setting.simpleString(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_SALT, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS, false, Setting.Property.NodeScope, - // Setting.Property.Filtered)); //compat public static final Setting SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting 
SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY, false, Setting.Property.NodeScope, Setting.Property.Filtered)); // system integration public static final Setting SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); 
@@ -277,13 +156,4 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_SSL_CERT_RELOAD_ENABLED = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); public static final Setting SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES, true, Setting.Property.NodeScope, 
Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_CERT_RELOAD_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //settings.add(Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG, false, Setting.Property.NodeScope, Setting.Property.Filtered)); - //} } From d3b986f314df68d590d5f090f81292032e32e3e7 Mon Sep 17 00:00:00 2001 From: Andy Lin Date: Thu, 20 May 2021 18:13:33 -0700 Subject: [PATCH 08/17] Add groupSetting fallback --- .../security/support/SecuritySettings.java | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/src/main/java/org/opensearch/security/support/SecuritySettings.java b/src/main/java/org/opensearch/security/support/SecuritySettings.java index 72bdacc21d..12e018bc01 100644 --- a/src/main/java/org/opensearch/security/support/SecuritySettings.java +++ b/src/main/java/org/opensearch/security/support/SecuritySettings.java 
@@ -48,8 +48,7 @@ public class SecuritySettings { public static final Setting> SECURITY_AUTHCZ_ADMIN_DN = Setting.listSetting(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DN, LegacyOpenDistroSecuritySettings.SECURITY_AUTHCZ_ADMIN_DN, Function.identity(), Setting.Property.NodeScope); //not filtered here public static final Setting SECURITY_CONFIG_INDEX_NAME = Setting.simpleString(ConfigConstants.SECURITY_CONFIG_INDEX_NAME, LegacyOpenDistroSecuritySettings.SECURITY_CONFIG_INDEX_NAME, Setting.Property.NodeScope); //not filtered here - //groupSetting issue - public static final Setting SECURITY_AUTHCZ_IMPERSONATION_DN = Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN+".", Setting.Property.NodeScope); + public static final Setting SECURITY_AUTHCZ_IMPERSONATION_DN = Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN+".", LegacyOpenDistroSecuritySettings.SECURITY_AUTHCZ_IMPERSONATION_DN, Setting.Property.NodeScope); public static final Setting SECURITY_CERT_OID = Setting.simpleString(ConfigConstants.SECURITY_CERT_OID, LegacyOpenDistroSecuritySettings.SECURITY_CERT_OID, Setting.Property.NodeScope, Setting.Property.Filtered); public static final Setting SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = Setting.simpleString(ConfigConstants.SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, LegacyOpenDistroSecuritySettings.SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS, Setting.Property.NodeScope, Setting.Property.Filtered); public static final Setting> SECURITY_NODES_DN = Setting.listSetting(ConfigConstants.SECURITY_NODES_DN, LegacyOpenDistroSecuritySettings.SECURITY_NODES_DN, Function.identity(), Setting.Property.NodeScope); //not filtered here 
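Review bot: The new `SECURITY_AUTHCZ_IMPERSONATION_DN` group in this hunk now falls back to the legacy group, but nothing records what happens when keys exist under both prefixes, and for an authcz setting that decides which DNs may impersonate whom it matters whether the two groups are merged or the legacy one is silently ignored; a comment such as `// The legacy group is consulted only when no key under the new prefix is set; the groups are not merged` (assuming that is what the fallback overload does — confirm against Setting.groupSetting) would make the migration contract explicit. The same gap applies to `SECURITY_AUTHCZ_REST_IMPERSONATION_USERS`, `SECURITY_AUDIT_CONFIG_ROUTES`/`SECURITY_AUDIT_CONFIG_ENDPOINTS` and `SECURITY_RESTAPI_ENDPOINTS_DISABLED` in the two following hunks. Style: `ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN+"."` here and `SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+"."` in the next hunk omit the spaces around `+` that the routes/endpoints lines use; `ConfigConstants.SECURITY_AUTHCZ_IMPERSONATION_DN + "."`. A `groupSetting` overload that accepts a fallback must exist in the core artifact the build resolves, and the later CI step that runs `./gradlew publishToMavenLocal` from a core checkout suggests it may not be in a released version yet, which is worth stating in the commit message. The body of `SecuritySettings` continues outside this hunk.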
@@ -64,17 +63,14 @@ public class SecuritySettings { public static final Setting SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES = Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, LegacyOpenDistroSecuritySettings.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, Setting.Property.NodeScope, Setting.Property.Filtered); public static final Setting SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX = Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, LegacyOpenDistroSecuritySettings.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, Setting.Property.NodeScope, Setting.Property.Filtered); public static final Setting SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST = Setting.boolSetting(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, LegacyOpenDistroSecuritySettings.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, Setting.Property.NodeScope, Setting.Property.Filtered); - //groupSetting issue - public static final Setting SECURITY_AUTHCZ_REST_IMPERSONATION_USERS = Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", Setting.Property.NodeScope); //not filtered here + public static final Setting SECURITY_AUTHCZ_REST_IMPERSONATION_USERS = Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", LegacyOpenDistroSecuritySettings.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS, Setting.Property.NodeScope); //not filtered here public static final Setting SECURITY_ROLES_MAPPING_RESOLUTION = Setting.simpleString(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, LegacyOpenDistroSecuritySettings.SECURITY_ROLES_MAPPING_RESOLUTION, Setting.Property.NodeScope, Setting.Property.Filtered); public static final Setting SECURITY_DISABLE_ENVVAR_REPLACEMENT = Setting.boolSetting(ConfigConstants.SECURITY_DISABLE_ENVVAR_REPLACEMENT, LegacyOpenDistroSecuritySettings.SECURITY_DISABLE_ENVVAR_REPLACEMENT, Setting.Property.NodeScope, Setting.Property.Filtered); // Security - Audit public static final 
Setting SECURITY_AUDIT_TYPE_DEFAULT = Setting.simpleString(ConfigConstants.SECURITY_AUDIT_TYPE_DEFAULT, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_TYPE_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered); - //groupSetting issue - public static final Setting SECURITY_AUDIT_CONFIG_ROUTES = Setting.groupSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_ROUTES + ".", Setting.Property.NodeScope); - //groupSetting issue - public static final Setting SECURITY_AUDIT_CONFIG_ENDPOINTS = Setting.groupSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_ENDPOINTS + ".", Setting.Property.NodeScope); + public static final Setting SECURITY_AUDIT_CONFIG_ROUTES = Setting.groupSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_ROUTES + ".", LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_CONFIG_ROUTES, Setting.Property.NodeScope); + public static final Setting SECURITY_AUDIT_CONFIG_ENDPOINTS = Setting.groupSetting(ConfigConstants.SECURITY_AUDIT_CONFIG_ENDPOINTS + ".", LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_CONFIG_ENDPOINTS, Setting.Property.NodeScope); public static final Setting SECURITY_AUDIT_THREADPOOL_SIZE = Setting.intSetting(ConfigConstants.SECURITY_AUDIT_THREADPOOL_SIZE, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_THREADPOOL_SIZE, Setting.Property.NodeScope, Setting.Property.Filtered); public static final Setting SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN = Setting.intSetting(ConfigConstants.SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN, Setting.Property.NodeScope, Setting.Property.Filtered); public static final Setting SECURITY_AUDIT_LOG_REQUEST_BODY = Setting.boolSetting(ConfigConstants.SECURITY_AUDIT_LOG_REQUEST_BODY, LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_LOG_REQUEST_BODY, Setting.Property.NodeScope, Setting.Property.Filtered); 
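Review bot: `SECURITY_AUDIT_CONFIG_ENDPOINTS` (and its `SECURITY_AUDIT_CONFIG_ROUTES` sibling) is registered in this hunk with only `Setting.Property.NodeScope`, whereas the flat sink settings that hold credentials, such as the legacy `SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME` in the companion file, carry `Setting.Property.Filtered`; if endpoint entries under this group can hold the same username/password or key material, those values would be exposed wherever unfiltered node settings are reported. It is worth confirming what the endpoint group may contain and, if secrets are possible, either adding `Filtered` (after checking that the settings filter honours a group key) or registering an explicit filter pattern for the group; the legacy group this falls back to presumably needs the same treatment. Independently, the bare `//not filtered here` on `SECURITY_AUTHCZ_REST_IMPERSONATION_USERS` would read better as a reason, e.g. `// not Filtered: group keys are user names and lists, no secrets`. The body of `SecuritySettings` continues outside this hunk.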
@@ -128,8 +124,7 @@ public class SecuritySettings { // Open Distro Security - REST API public static final Setting> SECURITY_RESTAPI_ROLES_ENABLED = Setting.listSetting(ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED, LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_ROLES_ENABLED, Function.identity(), Setting.Property.NodeScope); //not filtered here - //groupSetting issue - public static final Setting SECURITY_RESTAPI_ENDPOINTS_DISABLED = Setting.groupSetting(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", Setting.Property.NodeScope); + public static final Setting SECURITY_RESTAPI_ENDPOINTS_DISABLED = Setting.groupSetting(ConfigConstants.SECURITY_RESTAPI_ENDPOINTS_DISABLED + ".", LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_ENDPOINTS_DISABLED, Setting.Property.NodeScope); public static final Setting SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX = Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX, Setting.Property.NodeScope, Setting.Property.Filtered); public static final Setting SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE = Setting.simpleString(ConfigConstants.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE, Setting.Property.NodeScope, Setting.Property.Filtered); From 8c0e97b4db79c561768f7e4b47f4826d5cf3e629 Mon Sep 17 00:00:00 2001 From: Andy Lin Date: Fri, 21 May 2021 00:49:10 -0700 Subject: [PATCH 09/17] Fix CI --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d4f2086d26..b296f26eb0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,7 +47,6 @@ jobs: working-directory: ./OpenSearch run: ./gradlew publishToMavenLocal -Dbuild.version_qualifier=rc1 -Dbuild.snapshot=false - - name: Checkstyle run: mvn -B checkstyle:checkstyle 
From 8df238c79fe308e6b8fb723fb2e8f66edb5f8708 Mon Sep 17 00:00:00 2001 From: Andy Lin Date: Fri, 21 May 2021 09:40:53 -0700 Subject: [PATCH 10/17] Add legacy settings in getSettings() --- .../security/OpenSearchSecurityPlugin.java | 118 +++++++++++++++++- .../ssl/OpenSearchSecuritySSLPlugin.java | 74 ++++++++++- 2 files changed, 189 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 0f641d1c8b..22a368f224 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java 
@@ -852,21 +852,44 @@ public Settings additionalSettings() { public List> getSettings() { List> settings = new ArrayList>(); settings.addAll(super.getSettings()); - //TODO: add fallbacksettings + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_SSL_ONLY); settings.add(SecuritySettings.SECURITY_SSL_ONLY); // currently dual mode is supported only when ssl_only is enabled, but this stance would change in future settings.add(SSLConfig.SSL_DUAL_MODE_SETTING); - // Protected index settings + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_ENABLED_KEY); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_KEY); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_ROLES_KEY); settings.add(SecuritySettings.SECURITY_PROTECTED_INDICES_ENABLED_KEY); settings.add(SecuritySettings.SECURITY_PROTECTED_INDICES_KEY); settings.add(SecuritySettings.SECURITY_PROTECTED_INDICES_ROLES_KEY); // System index settings + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_SYSTEM_INDICES_ENABLED_KEY); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_SYSTEM_INDICES_KEY); settings.add(SecuritySettings.SECURITY_SYSTEM_INDICES_ENABLED_KEY); settings.add(SecuritySettings.SECURITY_SYSTEM_INDICES_KEY); if(!SSLConfig.isSslOnlyMode()) { + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUTHCZ_ADMIN_DN); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_CONFIG_INDEX_NAME); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUTHCZ_IMPERSONATION_DN); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_CERT_OID); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_NODES_DN); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE); + 
settings.add(LegacyOpenDistroSecuritySettings.SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_DISABLED); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_CACHE_TTL_MINUTES); + settings.add(SecuritySettings.SECURITY_AUTHCZ_ADMIN_DN); settings.add(SecuritySettings.SECURITY_CONFIG_INDEX_NAME); @@ -887,6 +910,15 @@ public List> getSettings() { settings.add(SecuritySettings.SECURITY_CACHE_TTL_MINUTES); //Security + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_ROLES_MAPPING_RESOLUTION); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_DISABLE_ENVVAR_REPLACEMENT); + settings.add(SecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED); settings.add(SecuritySettings.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES); settings.add(SecuritySettings.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX); 
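Review bot: With both key families registered, a node can carry `opendistro_security.disabled` and `plugins.security.disabled` (or the admin-DN / nodes-DN lists) with conflicting values, and the fallback resolves the conflict silently in favour of the `plugins.security.*` key. An operator who edited only the legacy key, or who left a stale legacy `disabled: true` behind, gets no signal that it is being ignored; the `Deprecated` property on the legacy settings warns about use of the old key, not about the disagreement. Consider a startup pass over the list returned here that logs a warning when both a setting and its legacy fallback are present in node settings, and refuses to start for `SECURITY_DISABLED`, `SECURITY_AUTHCZ_ADMIN_DN` and `SECURITY_NODES_DN` when the values differ. The enclosing `getSettings()` method continues beyond this hunk.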
@@ -897,6 +929,22 @@ public List> getSettings() { settings.add(SecuritySettings.SECURITY_DISABLE_ENVVAR_REPLACEMENT); // Security - Audit + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_TYPE_DEFAULT); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_CONFIG_ROUTES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_CONFIG_ENDPOINTS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_THREADPOOL_SIZE); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_LOG_REQUEST_BODY); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_RESOLVE_INDICES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_ENABLE_REST); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_ENABLE_TRANSPORT); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_IGNORE_USERS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_IGNORE_REQUESTS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS); + settings.add(SecuritySettings.SECURITY_AUDIT_TYPE_DEFAULT); settings.add(SecuritySettings.SECURITY_AUDIT_CONFIG_ROUTES); settings.add(SecuritySettings.SECURITY_AUDIT_CONFIG_ENDPOINTS); 
@@ -915,10 +963,30 @@ public List> getSettings() { // Security - Audit - Sink + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_OPENSEARCH_INDEX); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_OPENSEARCH_TYPE); + settings.add(SecuritySettings.SECURITY_AUDIT_OPENSEARCH_INDEX); settings.add(SecuritySettings.SECURITY_AUDIT_OPENSEARCH_TYPE); // External OpenSearch + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS); //not filtered here + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS); + 
settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS); + settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS); //not filtered here settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME); settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD); @@ -937,6 +1005,12 @@ public List> getSettings() { settings.add(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS); // Webhooks + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_URL); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_FORMAT); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_SSL_VERIFY); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT); + settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_URL); settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_FORMAT); settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_SSL_VERIFY); 
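Review bot: `SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD`, `..._PEMKEY_PASSWORD` and `..._PEMKEY_CONTENT` are registered here under their `opendistro_security.*` names, but their definitions are not in this patch, so it is not visible whether the legacy `Setting`s carry `Setting.Property.Filtered` the way the `SecuritySettings` counterparts do (only `..._HTTP_ENDPOINTS` is marked `//not filtered here`). If a legacy definition lacks `Filtered`, a cluster that still configures the audit sink under the old key exposes the sink credential and private key material through `GET _nodes/settings`. Please confirm the legacy definitions mirror the new ones property-for-property, and add a unit test asserting that every registered setting holding a password or key has `Filtered` set under both key families. `getSettings()` continues outside this hunk.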
@@ -944,17 +1018,30 @@ public List> getSettings() { settings.add(SecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT); // Log4j + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_LOG4J_LOGGER_NAME); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_AUDIT_LOG4J_LEVEL); + settings.add(SecuritySettings.SECURITY_AUDIT_LOG4J_LOGGER_NAME); settings.add(SecuritySettings.SECURITY_AUDIT_LOG4J_LEVEL); // Kerberos + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_KERBEROS_KRB5_FILEPATH); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL); + settings.add(SecuritySettings.SECURITY_KERBEROS_KRB5_FILEPATH); settings.add(SecuritySettings.SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH); settings.add(SecuritySettings.SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL); // Open Distro Security - REST API + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_ROLES_ENABLED); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_ENDPOINTS_DISABLED); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE); + settings.add(SecuritySettings.SECURITY_RESTAPI_ROLES_ENABLED); settings.add(SecuritySettings.SECURITY_RESTAPI_ENDPOINTS_DISABLED); 
@@ -963,6 +1050,21 @@ public List> getSettings() { // Compliance + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_IMMUTABLE_INDICES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_SALT); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED); + + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS); + settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES); settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS); settings.add(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY); 
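Review bot: `SECURITY_RESTAPI_ROLES_ENABLED` and `SECURITY_RESTAPI_ENDPOINTS_DISABLED` now resolve through a legacy fallback, and as far as core fallback semantics go that fallback is whole-value, not merged: once `plugins.security.restapi.roles_enabled` is present, even as an empty list, every role listed under `opendistro_security.restapi.roles_enabled` loses REST-API access, and an old endpoint block under the legacy prefix silently stops applying as soon as one new-prefix entry exists. That is the intended precedence, but it is a migration trap for anyone moving keys one at a time, so it should be stated in the migration notes and at the definitions, e.g. `// legacy value is a fallback, not a merge: any plugins.* value replaces it entirely`. The method continues past this hunk.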
@@ -979,10 +1081,22 @@ public List> getSettings() { settings.add(SecuritySettings.SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS); //compat + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY); settings.add(SecuritySettings.SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY); // system integration + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_SSL_CERT_RELOAD_ENABLED); + settings.add(LegacyOpenDistroSecuritySettings.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG); + settings.add(SecuritySettings.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED); settings.add(SecuritySettings.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED); settings.add(SecuritySettings.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED); diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java index c75d44c3c3..0c6ea093d6 100644 --- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java +++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java 
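Review bot: `SECURITY_COMPLIANCE_SALT` now resolves through a legacy fallback; if, as the name suggests, this salt feeds the compliance field-masking hashes, a migration that sets `plugins.security.compliance.salt` to a value different from a still-present `opendistro_security.compliance.salt` silently changes every masked value and breaks correlation with previously logged data. The definition should say that both keys must carry the same value, and the startup path that reads the salt should fail fast when both keys are present and differ. The salt is also secret material and must stay `Filtered` under both names; the legacy definition is not in this patch, so please confirm. `getSettings()` continues outside this hunk.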
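Review bot: The `SECURITY_UNSUPPORTED_*` settings registered here (`DISABLE_REST_AUTH_INITIALLY`, `DISABLE_INTERTRANSPORT_AUTH_INITIALLY`, `INJECT_USER_ENABLED`, `INJECT_ADMIN_USER_ENABLED`, `RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION`, `ACCEPT_INVALID_CONFIG`) each weaken authentication or configuration integrity, and they now remain reachable under the deprecated `opendistro_security.*` names as well. Whatever startup logging the plugin already does for these toggles (not visible here) should print the effective value regardless of which key set it, and a deprecated key that turns one on deserves its own WARN line rather than the generic deprecation notice, so an old `opendistro_security.unsupported.*` entry cannot quietly survive an upgrade. `getSettings()` continues outside this hunk.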
@@ -27,6 +27,7 @@ import io.netty.util.internal.PlatformDependent; import java.nio.file.Path; +import java.rmi.dgc.Lease; import java.security.AccessController; import java.security.PrivilegedAction; import java.util.ArrayList; @@ -76,6 +77,7 @@ import org.opensearch.script.ScriptService; import org.opensearch.security.ssl.rest.SecuritySSLInfoAction; import org.opensearch.security.ssl.transport.*; +import org.opensearch.security.ssl.util.LegacyOpenDistroSSLSecuritySettings; import org.opensearch.security.ssl.util.SSLConfigConstants; import org.opensearch.security.ssl.util.SSLSecuritySettings; import org.opensearch.threadpool.ThreadPool; 
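Review bot: `import java.rmi.dgc.Lease;` is added to `OpenSearchSecuritySSLPlugin`, yet nothing in this series references `Lease`; it looks like an IDE auto-import accident and should be dropped. Besides being dead code, an unexplained `java.rmi` import in the TLS plugin is exactly the kind of line that trips dependency and code-scanning reviews, so removing it keeps the import block honest. The `LegacyOpenDistroSSLSecuritySettings` import in the second hunk is fine.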
@@ -319,7 +321,37 @@ public Collection createComponents(Client localClient, ClusterService cl @Override public List> getSettings() { List> settings = new ArrayList>(); - //TODO: add fallbackSettings + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CLIENTAUTH_MODE); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_ALIAS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_TYPE); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE); + 
settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED_CIPHERS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS); + + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED); + settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_CLIENTAUTH_MODE); settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_ALIAS); settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH); 
@@ -351,6 +383,24 @@ public List> getSettings() { settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED); if(extendedKeyUsageEnabled) { + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD); + + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD); + + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH); + + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH); + settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS); settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS); settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD); 
@@ -369,6 +419,15 @@ public List> getSettings() { settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD); settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH); } else { + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD); + + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH); + settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS); settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS); settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD); 
@@ -378,6 +437,19 @@ public List> getSettings() { settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD); settings.add(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH); } + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_PEMCERT_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_FILEPATH); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_PASSWORD); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH); + + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_FILE); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATE); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP); + settings.add(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE); + settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMCERT_FILEPATH); settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_FILEPATH); settings.add(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_PASSWORD); From 5f191291ec76d1d51c6c04f6d1ad9fcfdcd86251 Mon Sep 17 00:00:00 2001 From: Andy Lin Date: Fri, 21 May 2021 09:56:08 -0700 Subject: [PATCH 11/17] Add SSL_DUAL_MODE_SETTING to SecuritySettings --- .../org/opensearch/security/OpenSearchSecurityPlugin.java | 3 ++- .../org/opensearch/security/ssl/transport/SSLConfig.java | 7 ++----- .../security/support/LegacyOpenDistroSecuritySettings.java | 2 +- .../org/opensearch/security/support/SecuritySettings.java | 2 +- 4 files changed, 6 insertions(+), 8 deletions(-) 
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 22a368f224..bf30633238 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -855,7 +855,8 @@ public List> getSettings() { settings.add(LegacyOpenDistroSecuritySettings.SECURITY_SSL_ONLY); settings.add(SecuritySettings.SECURITY_SSL_ONLY); // currently dual mode is supported only when ssl_only is enabled, but this stance would change in future - settings.add(SSLConfig.SSL_DUAL_MODE_SETTING); + settings.add(LegacyOpenDistroSecuritySettings.SSL_DUAL_MODE_SETTING); + settings.add(SecuritySettings.SSL_DUAL_MODE_SETTING); // Protected index settings settings.add(LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_ENABLED_KEY); settings.add(LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_KEY); diff --git a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java index 5dc67e7c85..2dedf033a0 100644 --- a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java +++ b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java @@ -19,14 +19,11 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.common.settings.ClusterSettings; -import org.opensearch.common.settings.Setting; import org.opensearch.common.settings.Settings; +import org.opensearch.security.support.SecuritySettings; public class SSLConfig { - public static final Setting SSL_DUAL_MODE_SETTING = Setting.boolSetting(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, - false, Setting.Property.NodeScope, Setting.Property.Dynamic); // Not filtered - private static final Logger logger = LogManager.getLogger(SSLConfig.class); private final boolean sslOnly; 
@@ -48,7 +45,7 @@ public SSLConfig(final Settings settings) { } public void registerClusterSettingsChangeListener(final ClusterSettings clusterSettings) { - clusterSettings.addSettingsUpdateConsumer(SSL_DUAL_MODE_SETTING, + clusterSettings.addSettingsUpdateConsumer(SecuritySettings.SSL_DUAL_MODE_SETTING, dualModeEnabledClusterSetting -> { logger.info("Detected change in settings, cluster setting for SSL dual mode is {}", dualModeEnabledClusterSetting ? "enabled" : "disabled"); setDualModeEnabled(dualModeEnabledClusterSetting); diff --git a/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java b/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java index 1248a26b6c..bb060e73eb 100644 --- a/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java +++ b/src/main/java/org/opensearch/security/support/LegacyOpenDistroSecuritySettings.java 
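Review bot: `registerClusterSettingsChangeListener` now subscribes only to `SecuritySettings.SSL_DUAL_MODE_SETTING`, while the neighbouring hunks register the deprecated `opendistro_security.config.ssl_dual_mode_enabled` as `Dynamic` too. Whether a cluster-settings update issued against the deprecated key reaches this consumer depends on the core updater following the fallback (`getRaw` on a fallback-backed setting normally does, but that cannot be confirmed from here); if it does not, the two keys diverge at runtime and `setDualModeEnabled` disagrees with what `_cluster/settings` reports. Please add a test that updates the deprecated key dynamically and asserts the dual-mode flag flips, or register a second consumer on `LegacyOpenDistroSecuritySettings.SSL_DUAL_MODE_SETTING` delegating to the same handler.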
@@ -36,7 +36,7 @@ public class LegacyOpenDistroSecuritySettings { public static final Setting SECURITY_SSL_ONLY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_SSL_ONLY, false, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Deprecated); - + public static final Setting SSL_DUAL_MODE_SETTING = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Dynamic, Setting.Property.Deprecated); // Not filtered // Protected index settings public static final Setting SECURITY_PROTECTED_INDICES_ENABLED_KEY = Setting.boolSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); public static final Setting> SECURITY_PROTECTED_INDICES_KEY = Setting.listSetting(LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY, LegacyOpenDistroConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final, Setting.Property.Deprecated); diff --git a/src/main/java/org/opensearch/security/support/SecuritySettings.java b/src/main/java/org/opensearch/security/support/SecuritySettings.java index 12e018bc01..4334e623d0 100644 --- a/src/main/java/org/opensearch/security/support/SecuritySettings.java +++ b/src/main/java/org/opensearch/security/support/SecuritySettings.java 
@@ -36,7 +36,7 @@ public class SecuritySettings { public static final Setting SECURITY_SSL_ONLY = Setting.boolSetting(ConfigConstants.SECURITY_SSL_ONLY, LegacyOpenDistroSecuritySettings.SECURITY_SSL_ONLY, Setting.Property.NodeScope, Setting.Property.Filtered); - + public static final Setting SSL_DUAL_MODE_SETTING = Setting.boolSetting(ConfigConstants.SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED, LegacyOpenDistroSecuritySettings.SSL_DUAL_MODE_SETTING, Setting.Property.NodeScope, Setting.Property.Dynamic); // Not filtered // Protected index settings public static final Setting SECURITY_PROTECTED_INDICES_ENABLED_KEY = Setting.boolSetting(ConfigConstants.SECURITY_PROTECTED_INDICES_ENABLED_KEY, LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_ENABLED_KEY, Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final); public static final Setting> SECURITY_PROTECTED_INDICES_KEY = Setting.listSetting(ConfigConstants.SECURITY_PROTECTED_INDICES_KEY, LegacyOpenDistroSecuritySettings.SECURITY_PROTECTED_INDICES_KEY, Function.identity(), Setting.Property.NodeScope, Setting.Property.Filtered, Setting.Property.Final); From 674b659feae918c15ef4132176ad73b9f22f3751 Mon Sep 17 00:00:00 2001 From: Andy Lin Date: Fri, 21 May 2021 11:20:04 -0700 Subject: [PATCH 12/17] Add test --- .../security/OpenSearchSecurityPlugin.java | 9 +++- .../security/SecuritySettingsTests.java | 53 +++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 src/test/java/org/opensearch/security/SecuritySettingsTests.java diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index bf30633238..c3715d7498 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java 
@@ -62,7 +62,6 @@ import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction; import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor; -import org.opensearch.security.support.*; import org.opensearch.security.transport.SecurityInterceptor; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -167,6 +166,14 @@ import org.opensearch.security.configuration.ConfigurationRepository; import org.opensearch.security.configuration.DlsFlsRequestValve; import org.opensearch.security.ssl.http.netty.ValidatingDispatcher; +import org.opensearch.security.support.ConfigConstants; +import org.opensearch.security.support.HeaderHelper; +import org.opensearch.security.support.ModuleInfo; +import org.opensearch.security.support.ReflectionHelper; +import org.opensearch.security.support.WildcardMatcher; +import org.opensearch.security.support.SecurityUtils; +import org.opensearch.security.support.LegacyOpenDistroSecuritySettings; +import org.opensearch.security.support.SecuritySettings; import com.google.common.collect.Lists; public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin implements ClusterPlugin, MapperPlugin { diff --git a/src/test/java/org/opensearch/security/SecuritySettingsTests.java b/src/test/java/org/opensearch/security/SecuritySettingsTests.java new file mode 100644 index 0000000000..7c2120b8a8 --- /dev/null +++ b/src/test/java/org/opensearch/security/SecuritySettingsTests.java 
@@ -0,0 +1,53 @@ +/* + * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. + * + * Modifications Copyright OpenSearch Contributors. See + * GitHub history for details. + */ + +package org.opensearch.security; + +import org.junit.Assert; +import org.junit.Test; +import org.opensearch.common.settings.Setting; +import org.opensearch.common.settings.Settings; +import org.opensearch.security.support.LegacyOpenDistroSecuritySettings; +import org.opensearch.security.support.SecuritySettings; + +import java.nio.file.Path; +import java.util.Arrays; +import java.util.List; + +public class SecuritySettingsTests { + + @Test + public void testLegacyOpenDistroSettingsFallback() { + Assert.assertEquals( + SecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED.get(Settings.EMPTY), + LegacyOpenDistroSecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED.get(Settings.EMPTY) + ); + } + + @Test + public void testSettingsGetValue() { + Settings settings = Settings.builder().put("plugins.security.disabled", false).build(); + Assert.assertEquals(SecuritySettings.SECURITY_DISABLED.get(settings), false); + Assert.assertEquals(LegacyOpenDistroSecuritySettings.SECURITY_DISABLED.get(settings), false); + } + + @Test + public void testSettingsGetValueWithLegacyFallback() { + Settings settings = Settings.builder() + .put("opendistro_security.disabled", false) + .put("opendistro_security.config_index_name", "test") + .build(); + + Assert.assertEquals(SecuritySettings.SECURITY_DISABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_CONFIG_INDEX_NAME.get(settings), "test"); + + } +} From eecd54eba8d7464212dd7850356af1d2e2831939 Mon Sep 17 00:00:00 2001 
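Review bot: `Assert.assertEquals` takes the expected value first, but every call in `testSettingsGetValue` and `testSettingsGetValueWithLegacyFallback` passes the actual `get(settings)` result first and the literal second, so a failure would report the roles reversed (`expected:<true> but was:<false>` when false is what the test wants). Swap the arguments, e.g. `Assert.assertEquals(false, SecuritySettings.SECURITY_DISABLED.get(settings));` and `Assert.assertEquals("test", SecuritySettings.SECURITY_CONFIG_INDEX_NAME.get(settings));`. The same ordering is carried into the two hunks of the next commit (`@@ -30,13 +30,22 @@` and `@@ -44,10 +53,21 @@`) and throughout the large hunk of the later "Add UTs for all settings" commit, so it is worth fixing once here before the file grows.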
From: Andy Lin Date: Fri, 21 May 2021 12:36:04 -0700 Subject: [PATCH 13/17] Add more UT --- .../security/SecuritySettingsTests.java | 34 +++++++++++++++---- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/src/test/java/org/opensearch/security/SecuritySettingsTests.java b/src/test/java/org/opensearch/security/SecuritySettingsTests.java index 7c2120b8a8..45b85e2087 100644 --- a/src/test/java/org/opensearch/security/SecuritySettingsTests.java +++ b/src/test/java/org/opensearch/security/SecuritySettingsTests.java @@ -11,16 +11,16 @@ package org.opensearch.security; +import com.google.common.collect.Lists; import org.junit.Assert; import org.junit.Test; -import org.opensearch.common.settings.Setting; import org.opensearch.common.settings.Settings; +import org.opensearch.security.ssl.util.LegacyOpenDistroSSLSecuritySettings; +import org.opensearch.security.ssl.util.SSLSecuritySettings; import org.opensearch.security.support.LegacyOpenDistroSecuritySettings; import org.opensearch.security.support.SecuritySettings; -import java.nio.file.Path; -import java.util.Arrays; -import java.util.List; +import java.util.Map; public class SecuritySettingsTests { 
@@ -30,13 +30,22 @@ public void testLegacyOpenDistroSettingsFallback() { SecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED.get(Settings.EMPTY), LegacyOpenDistroSecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED.get(Settings.EMPTY) ); + Assert.assertEquals( + SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED.get(Settings.EMPTY), + LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED.get(Settings.EMPTY) + ); } @Test public void testSettingsGetValue() { - Settings settings = Settings.builder().put("plugins.security.disabled", false).build(); - Assert.assertEquals(SecuritySettings.SECURITY_DISABLED.get(settings), false); + Settings settings = Settings.builder() + .put("plugins.security.disabled", true) + .put("plugins.security.ssl.http.enabled", true) + .build(); + Assert.assertEquals(SecuritySettings.SECURITY_DISABLED.get(settings), true); Assert.assertEquals(LegacyOpenDistroSecuritySettings.SECURITY_DISABLED.get(settings), false); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED.get(settings), true); + Assert.assertEquals(LegacyOpenDistroSSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED.get(settings), false); } @Test 
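Review bot: The assertion that `LegacyOpenDistroSecuritySettings.SECURITY_DISABLED.get(settings)` is `false` while only `plugins.security.disabled` is set to `true` pins an important property — the new-style key is not visible through the legacy setting — but nothing in the test says so, and a reader could take the line for a copy-paste slip of the one above it. A one-line comment would make the intent explicit: `// the new key must not be readable through the legacy setting; fallback is one-way`. The same applies to the `SECURITY_SSL_HTTP_ENABLED` pair at the end of the hunk.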
@@ -44,10 +53,21 @@ public void testSettingsGetValueWithLegacyFallback() { Settings settings = Settings.builder() .put("opendistro_security.disabled", false) .put("opendistro_security.config_index_name", "test") + .putList("opendistro_security.restapi.roles_enabled", "a", "b") + .put("opendistro_security.audit.threadpool.size", 12) + .put("opendistro_security.audit.endpoints.1.value", "value 1") + .put("opendistro_security.audit.endpoints.2.value", "value 2") + .put("opendistro_security.ssl.http.crl.validation_date", 1) .build(); Assert.assertEquals(SecuritySettings.SECURITY_DISABLED.get(settings), false); Assert.assertEquals(SecuritySettings.SECURITY_CONFIG_INDEX_NAME.get(settings), "test"); - + Assert.assertEquals(SecuritySettings.SECURITY_RESTAPI_ROLES_ENABLED.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_THREADPOOL_SIZE.get(settings), Integer.valueOf(12)); + Map asMap = SecuritySettings.SECURITY_AUDIT_CONFIG_ENDPOINTS.get(settings).getAsGroups(); + Assert.assertEquals(2, asMap.size()); + Assert.assertEquals(asMap.get("1").get("value"), "value 1"); + Assert.assertEquals(asMap.get("2").get("value"), "value 2"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE.get(settings), Long.valueOf(1)); } } From 9c990ca68ffafa98e3688326dc84dbaf868543f3 Mon Sep 17 00:00:00 2001 From: Andy Lin Date: Fri, 21 May 2021 12:40:31 -0700 Subject: [PATCH 14/17] Remove variable prefix for SlowIntegrationTests --- src/test/java/org/opensearch/security/SlowIntegrationTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/java/org/opensearch/security/SlowIntegrationTests.java b/src/test/java/org/opensearch/security/SlowIntegrationTests.java index ef5f5da87d..f38dbe8372 100644 --- a/src/test/java/org/opensearch/security/SlowIntegrationTests.java +++ b/src/test/java/org/opensearch/security/SlowIntegrationTests.java 
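Review bot: `opendistro_security.disabled` is put as `false` and then asserted to read back as `false`, which, judging by the previous hunk where the legacy `SECURITY_DISABLED` also reads `false` with no key set, is the default — so this line cannot distinguish a working legacy fallback from a silently ignored key. The `config_index_name`, `roles_enabled`, threadpool-size and endpoint entries added in this hunk use values that differ from any plausible default, and the boolean should too: `.put("opendistro_security.disabled", true)` with `Assert.assertEquals(true, SecuritySettings.SECURITY_DISABLED.get(settings));`. The later "Add UTs for all settings" commit extends this test with several dozen more booleans that are all set and asserted `false`, so settling the pattern here avoids repeating the gap.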
@@ -165,7 +165,7 @@ public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception @Test public void testDelayInSecurityIndexInitialization() throws Exception { final Settings settings = Settings.builder() - .put(ConfigConstants.OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true) + .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true) .put("cluster.routing.allocation.exclude._ip", "127.0.0.1") .build(); try { From 99ae075da9b1eeb50e51e830110c0d4d9be8d75b Mon Sep 17 00:00:00 2001 From: Andy Lin Date: Fri, 21 May 2021 18:06:50 -0700 Subject: [PATCH 15/17] Add UTs for all settings --- .../security/SecuritySettingsTests.java | 400 +++++++++++++++++- 1 file changed, 393 insertions(+), 7 deletions(-) diff --git a/src/test/java/org/opensearch/security/SecuritySettingsTests.java b/src/test/java/org/opensearch/security/SecuritySettingsTests.java index 45b85e2087..8f9dffdd49 100644 --- a/src/test/java/org/opensearch/security/SecuritySettingsTests.java +++ b/src/test/java/org/opensearch/security/SecuritySettingsTests.java @@ -14,13 +14,18 @@ import com.google.common.collect.Lists; import org.junit.Assert; import org.junit.Test; +import org.opensearch.common.settings.Setting; import org.opensearch.common.settings.Settings; import org.opensearch.security.ssl.util.LegacyOpenDistroSSLSecuritySettings; +import org.opensearch.security.ssl.util.SSLConfigConstants; import org.opensearch.security.ssl.util.SSLSecuritySettings; +import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.support.LegacyOpenDistroSecuritySettings; import org.opensearch.security.support.SecuritySettings; +import java.util.List; import java.util.Map; +import java.util.function.Function; public class SecuritySettingsTests { 
@@ -51,23 +56,404 @@ public void testSettingsGetValue() { @Test public void testSettingsGetValueWithLegacyFallback() { Settings settings = Settings.builder() - .put("opendistro_security.disabled", false) + .put("opendistro_security.ssl_only", false) + .put("opendistro_security_config.ssl_dual_mode_enabled", false) + // Protected index settings + .put("opendistro_security.protected_indices.enabled", false) + .putList("opendistro_security.protected_indices.indices", "a", "b") + .putList("opendistro_security.protected_indices.roles", "a", "b") + // System index settings + .put("opendistro_security.system_indices.enabled", false) + .putList("opendistro_security.system_indices.indices", "a", "b") + + .putList("opendistro_security.authcz.admin_dn", "a", "b") .put("opendistro_security.config_index_name", "test") - .putList("opendistro_security.restapi.roles_enabled", "a", "b") - .put("opendistro_security.audit.threadpool.size", 12) + + .put("opendistro_security.authcz.impersonation_dn.1.value", "value 1") + .put("opendistro_security.authcz.impersonation_dn.2.value", "value 2") + + .put("opendistro_security.cert.oid", "test") + .put("opendistro_security.cert.intercluster_request_evaluator_class", "test") + .putList("opendistro_security.nodes_dn", "a", "b") + .put("opendistro_security.nodes_dn_dynamic_config_enabled", false) + .put("opendistro_security.enable_snapshot_restore_privilege", false) + .put("opendistro_security.check_snapshot_restore_write_privileges", false) + .put("opendistro_security.disabled", false) + .put("opendistro_security.cache.ttl_minutes", 12) + //security + .put("opendistro_security.advanced_modules_enabled", false) + .put("opendistro_security.allow_unsafe_democertificates", false) + .put("opendistro_security.allow_default_init_securityindex", false) + .put("opendistro_security.background_init_if_securityindex_not_exist", false) + + .put("opendistro_security.authcz.rest_impersonation_user.1.value", "value 1") + 
.put("opendistro_security.authcz.rest_impersonation_user.2.value", "value 2") + + .put("opendistro_security.roles_mapping_resolution", "test") + .put("opendistro_security.disable_envvar_replacement", false) + //Security - Audit + .put("opendistro_security.audit.type", "test") + + .put("opendistro_security.audit.routes.1.value", "value 1") + .put("opendistro_security.audit.routes.2.value", "value 2") + .put("opendistro_security.audit.endpoints.1.value", "value 1") .put("opendistro_security.audit.endpoints.2.value", "value 2") - .put("opendistro_security.ssl.http.crl.validation_date", 1) + + .put("opendistro_security.audit.threadpool.size", 12) + .put("opendistro_security.audit.threadpool.max_queue_len", 12) + .put("opendistro_security.audit.log_request_body", false) + .put("opendistro_security.audit.resolve_indices", false) + .put("opendistro_security.audit.enable_rest", false) + .put("opendistro_security.audit.enable_transport", false) + .putList("opendistro_security.audit.config.disabled_transport_categories", "a", "b") + .putList("opendistro_security.audit.config.disabled_rest_categories", "a", "b") + .putList("opendistro_security.audit.ignore_users", "a", "b") + .putList("opendistro_security.audit.ignore_requests", "a", "b") + .put("opendistro_security.audit.resolve_bulk_requests", false) + .put("opendistro_security.audit.exclude_sensitive_headers", false) + // Security - Audit - Sink + .put("opendistro_security.audit.config.index", "test") + .put("opendistro_security.audit.config.type", "test") + // External OpenSearch + .putList("opendistro_security.audit.config.http_endpoints", "a", "b") + .put("opendistro_security.audit.config.username", "test") + .put("opendistro_security.audit.config.password", "test") + .put("opendistro_security.audit.config.enable_ssl", false) + .put("opendistro_security.audit.config.verify_hostnames", false) + .put("opendistro_security.audit.config.enable_ssl_client_auth", false) + 
.put("opendistro_security.audit.config.pemcert_content", "test") + .put("opendistro_security.audit.config.pemcert_filepath", "test") + .put("opendistro_security.audit.config.pemkey_content", "test") + .put("opendistro_security.audit.config.pemkey_filepath", "test") + .put("opendistro_security.audit.config.pemkey_password", "test") + .put("opendistro_security.audit.config.pemtrustedcas_content", "test") + .put("opendistro_security.audit.config.pemtrustedcas_filepath", "test") + .put("opendistro_security.audit.config.cert_alias", "test") + .putList("opendistro_security.audit.config.enabled_ssl_ciphers", "a", "b") + .putList("opendistro_security.audit.config.enabled_ssl_protocols", "a", "b") + // Webhooks + .put("opendistro_security.audit.config.webhook.url", "test") + .put("opendistro_security.audit.config.webhook.format", "test") + .put("opendistro_security.audit.config.webhook.ssl.verify", false) + .put("opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath", "test") + .put("opendistro_security.audit.config.webhook.ssl.pemtrustedcas_content", "test") + // Log4j + .put("opendistro_security.audit.config.log4j.logger_name", "test") + .put("opendistro_security.audit.config.log4j.level", "test") + // Kerberos + .put("opendistro_security.kerberos.krb5_filepath", "test") + .put("opendistro_security.kerberos.acceptor_keytab_filepath", "test") + .put("opendistro_security.kerberos.acceptor_principal", "test") + // Open Distro Security - REST API + .putList("opendistro_security.restapi.roles_enabled", "a", "b") + + .put("opendistro_security.restapi.endpoints_disabled.1.value", "value 1") + .put("opendistro_security.restapi.endpoints_disabled.2.value", "value 2") + + .put("opendistro_security.restapi.password_validation_regex", "test") + .put("opendistro_security.restapi.password_validation_error_message", "test") + // Compliance + .putList("opendistro_security.compliance.history.write.watched_indices", "a", "b") + 
.putList("opendistro_security.compliance.history.read.watched_fields", "a", "b") + .put("opendistro_security.compliance.history.write.metadata_only", false) + .put("opendistro_security.compliance.history.read.metadata_only", false) + .put("opendistro_security.compliance.history.write.log_diffs", false) + .put("opendistro_security.compliance.history.external_config_enabled", false) + .putList("opendistro_security.compliance.history.read.ignore_users", "a", "b") + .putList("opendistro_security.compliance.history.write.ignore_users", "a", "b") + .put("opendistro_security.compliance.disable_anonymous_authentication", false) + .putList("opendistro_security.compliance.immutable_indices", "a", "b") + .put("opendistro_security.compliance.salt", "test") + .put("opendistro_security.compliance.history.internal_config_enabled", false) + .put("opendistro_security.filter_securityindex_from_all_requests", false) + //compat + .put("opendistro_security.unsupported.disable_intertransport_auth_initially", false) + .put("opendistro_security.unsupported.disable_rest_auth_initially", false) + // system integration + .put("opendistro_security.unsupported.restore.securityindex.enabled", false) + .put("opendistro_security.unsupported.inject_user.enabled", false) + .put("opendistro_security.unsupported.inject_user.admin.enabled", false) + .put("opendistro_security.unsupported.allow_now_in_dls", false) + .put("opendistro_security.unsupported.restapi.allow_securityconfig_modification", false) + .put("opendistro_security.unsupported.load_static_resources", false) + .put("opendistro_security.ssl_cert_reload_enabled", false) + .put("opendistro_security.unsupported.accept_invalid_config", false) .build(); - Assert.assertEquals(SecuritySettings.SECURITY_DISABLED.get(settings), false); + Map asMap; + Assert.assertEquals(SecuritySettings.SECURITY_SSL_ONLY.get(settings), false); + Assert.assertEquals(SecuritySettings.SSL_DUAL_MODE_SETTING.get(settings), false); + // Protected index settings + 
Assert.assertEquals(SecuritySettings.SECURITY_PROTECTED_INDICES_ENABLED_KEY.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_PROTECTED_INDICES_KEY.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_PROTECTED_INDICES_ROLES_KEY.get(settings), Lists.newArrayList("a", "b")); + + // System index settings + Assert.assertEquals(SecuritySettings.SECURITY_SYSTEM_INDICES_ENABLED_KEY.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_SYSTEM_INDICES_KEY.get(settings), Lists.newArrayList("a", "b")); + + Assert.assertEquals(SecuritySettings.SECURITY_AUTHCZ_ADMIN_DN.get(settings), Lists.newArrayList("a", "b")); Assert.assertEquals(SecuritySettings.SECURITY_CONFIG_INDEX_NAME.get(settings), "test"); - Assert.assertEquals(SecuritySettings.SECURITY_RESTAPI_ROLES_ENABLED.get(settings), Lists.newArrayList("a", "b")); + asMap = SecuritySettings.SECURITY_AUTHCZ_IMPERSONATION_DN.get(settings).getAsGroups(); + Assert.assertEquals(2, asMap.size()); + Assert.assertEquals(asMap.get("1").get("value"), "value 1"); + Assert.assertEquals(asMap.get("2").get("value"), "value 2"); + Assert.assertEquals(SecuritySettings.SECURITY_CERT_OID.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_CERT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_NODES_DN.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_NODES_DN_DYNAMIC_CONFIG_ENABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_DISABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_CACHE_TTL_MINUTES.get(settings), Integer.valueOf(12)); + + //Security + 
Assert.assertEquals(SecuritySettings.SECURITY_ADVANCED_MODULES_ENABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST.get(settings), false); + asMap = SecuritySettings.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS.get(settings).getAsGroups(); + Assert.assertEquals(2, asMap.size()); + Assert.assertEquals(asMap.get("1").get("value"), "value 1"); + Assert.assertEquals(asMap.get("2").get("value"), "value 2"); + Assert.assertEquals(SecuritySettings.SECURITY_ROLES_MAPPING_RESOLUTION.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_DISABLE_ENVVAR_REPLACEMENT.get(settings), false); + + // Security - Audit + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_TYPE_DEFAULT.get(settings), "test"); + asMap = SecuritySettings.SECURITY_AUDIT_CONFIG_ROUTES.get(settings).getAsGroups(); + Assert.assertEquals(2, asMap.size()); + Assert.assertEquals(asMap.get("1").get("value"), "value 1"); + Assert.assertEquals(asMap.get("2").get("value"), "value 2"); + asMap = SecuritySettings.SECURITY_AUDIT_CONFIG_ENDPOINTS.get(settings).getAsGroups(); + Assert.assertEquals(2, asMap.size()); + Assert.assertEquals(asMap.get("1").get("value"), "value 1"); + Assert.assertEquals(asMap.get("2").get("value"), "value 2"); Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_THREADPOOL_SIZE.get(settings), Integer.valueOf(12)); - Map asMap = SecuritySettings.SECURITY_AUDIT_CONFIG_ENDPOINTS.get(settings).getAsGroups(); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_THREADPOOL_MAX_QUEUE_LEN.get(settings), Integer.valueOf(12)); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_LOG_REQUEST_BODY.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_RESOLVE_INDICES.get(settings), false); + 
Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_ENABLE_REST.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_ENABLE_TRANSPORT.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_IGNORE_USERS.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_IGNORE_REQUESTS.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_RESOLVE_BULK_REQUESTS.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS.get(settings), false); + + // Security - Audit - Sink + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_OPENSEARCH_INDEX.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_OPENSEARCH_TYPE.get(settings), "test"); + + // External OpenSearch + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_HTTP_ENDPOINTS.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_USERNAME.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PASSWORD.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_VERIFY_HOSTNAMES.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLE_SSL_CLIENT_AUTH.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_CONTENT.get(settings), "test"); + 
Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMCERT_FILEPATH.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_CONTENT.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_FILEPATH.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMKEY_PASSWORD.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_CONTENT.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_PEMTRUSTEDCAS_FILEPATH.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_JKS_CERT_ALIAS.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_CIPHERS.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_EXTERNAL_OPENSEARCH_ENABLED_SSL_PROTOCOLS.get(settings), Lists.newArrayList("a", "b")); + + // Webhooks + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_WEBHOOK_URL.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_WEBHOOK_FORMAT.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_WEBHOOK_SSL_VERIFY.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_FILEPATH.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_WEBHOOK_PEMTRUSTEDCAS_CONTENT.get(settings), "test"); + + // Log4j + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_LOG4J_LOGGER_NAME.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_AUDIT_LOG4J_LEVEL.get(settings), "test"); + + // Kerberos + Assert.assertEquals(SecuritySettings.SECURITY_KERBEROS_KRB5_FILEPATH.get(settings), "test"); + 
Assert.assertEquals(SecuritySettings.SECURITY_KERBEROS_ACCEPTOR_KEYTAB_FILEPATH.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_KERBEROS_ACCEPTOR_PRINCIPAL.get(settings), "test"); + + // Open Distro Security - REST API + Assert.assertEquals(SecuritySettings.SECURITY_RESTAPI_ROLES_ENABLED.get(settings), Lists.newArrayList("a", "b")); + asMap = SecuritySettings.SECURITY_RESTAPI_ENDPOINTS_DISABLED.get(settings).getAsGroups(); Assert.assertEquals(2, asMap.size()); Assert.assertEquals(asMap.get("1").get("value"), "value 1"); Assert.assertEquals(asMap.get("2").get("value"), "value 2"); + Assert.assertEquals(SecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_REGEX.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_RESTAPI_PASSWORD_VALIDATION_ERROR_MESSAGE.get(settings), "test"); + + // Compliance + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION.get(settings), false); + 
Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_IMMUTABLE_INDICES.get(settings), Lists.newArrayList("a", "b")); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_SALT.get(settings), "test"); + Assert.assertEquals(SecuritySettings.SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_FILTER_SECURITYINDEX_FROM_ALL_REQUESTS.get(settings), false); + + //compat + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_DISABLE_INTERTRANSPORT_AUTH_INITIALLY.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_DISABLE_REST_AUTH_INITIALLY.get(settings), false); + + // system integration + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_INJECT_ADMIN_USER_ENABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_ALLOW_NOW_IN_DLS.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_LOAD_STATIC_RESOURCES.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_SSL_CERT_RELOAD_ENABLED.get(settings), false); + Assert.assertEquals(SecuritySettings.SECURITY_UNSUPPORTED_ACCEPT_INVALID_CONFIG.get(settings), false); + } + @Test + public void testSSLSettingsGetValueWithLegacyFallback() { + Settings settings = Settings.builder() + .put("opendistro_security.ssl.http.clientauth_mode", "test") + .put("opendistro_security.ssl.http.keystore_alias", "test") + .put("opendistro_security.ssl.http.keystore_filepath", "test") + .put("opendistro_security.ssl.http.keystore_password", "test") + .put("opendistro_security.ssl.http.keystore_keypassword", "test") + 
.put("opendistro_security.ssl.http.keystore_type", "test") + .put("opendistro_security.ssl.http.truststore_alias", "test") + .put("opendistro_security.ssl.http.truststore_filepath", "test") + .put("opendistro_security.ssl.http.truststore_password", "test") + .put("opendistro_security.ssl.http.truststore_type", "test") + .put("opendistro_security.ssl.http.enable_openssl_if_available", false) + .put("opendistro_security.ssl.http.enabled", false) + .put("opendistro_security.ssl.transport.enable_openssl_if_available", false) + .put("opendistro_security.ssl.transport.enabled", false) + .put("opendistro_security.ssl.transport.enforce_hostname_verification", false) + .put("opendistro_security.ssl.transport.resolve_hostname", false) + .put("opendistro_security.ssl.transport.keystore_filepath", "test") + .put("opendistro_security.ssl.transport.keystore_password", "test") + .put("opendistro_security.ssl.transport.keystore_type", "test") + .put("opendistro_security.ssl.transport.truststore_filepath", "test") + .put("opendistro_security.ssl.transport.truststore_password", "test") + .put("opendistro_security.ssl.transport.truststore_type", "test") + .putList("opendistro_security.ssl.http.enabled_ciphers", "a", "b") + .putList("opendistro_security.ssl.http.enabled_protocols", "a", "b") + .putList("opendistro_security.ssl.transport.enabled_ciphers", "a", "b") + .putList("opendistro_security.ssl.transport.enabled_protocols", "a", "b") + .put("opendistro_security.ssl.client.external_context_id", "test") + .put("opendistro_security.ssl.transport.principal_extractor_class", "test") + .put("opendistro_security.ssl.transport.extended_key_usage_enabled", false) + .put("opendistro_security.ssl.transport.server.keystore_alias", "test") + .put("opendistro_security.ssl.transport.server.truststore_alias", "test") + .put("opendistro_security.ssl.transport.server.keystore_keypassword", "test") + .put("opendistro_security.ssl.transport.client.keystore_alias", "test") + 
.put("opendistro_security.ssl.transport.client.truststore_alias", "test") + .put("opendistro_security.ssl.transport.client.keystore_keypassword", "test") + .put("opendistro_security.ssl.transport.server.pemcert_filepath", "test") + .put("opendistro_security.ssl.transport.server.pemkey_filepath", "test") + .put("opendistro_security.ssl.transport.server.pemkey_password", "test") + .put("opendistro_security.ssl.transport.server.pemtrustedcas_filepath", "test") + .put("opendistro_security.ssl.transport.client.pemcert_filepath", "test") + .put("opendistro_security.ssl.transport.client.pemkey_filepath", "test") + .put("opendistro_security.ssl.transport.client.pemkey_password", "test") + .put("opendistro_security.ssl.transport.client.pemtrustedcas_filepath", "test") + .put("opendistro_security.ssl.transport.keystore_alias", "test") + .put("opendistro_security.ssl.transport.truststore_alias", "test") + .put("opendistro_security.ssl.transport.keystore_keypassword", "test") + .put("opendistro_security.ssl.transport.pemcert_filepath", "test") + .put("opendistro_security.ssl.transport.pemkey_filepath", "test") + .put("opendistro_security.ssl.transport.pemkey_password", "test") + .put("opendistro_security.ssl.transport.pemtrustedcas_filepath", "test") + .put("opendistro_security.ssl.http.pemcert_filepath", "test") + .put("opendistro_security.ssl.http.pemkey_filepath", "test") + .put("opendistro_security.ssl.http.pemkey_password", "test") + .put("opendistro_security.ssl.http.pemtrustedcas_filepath", "test") + .put("opendistro_security.ssl.http.crl.file_path", "test") + .put("opendistro_security.ssl.http.crl.validate", false) + .put("opendistro_security.ssl.http.crl.prefer_crlfile_over_ocsp", false) + .put("opendistro_security.ssl.http.crl.check_only_end_entities", false) + .put("opendistro_security.ssl.http.crl.disable_crldp", false) + .put("opendistro_security.ssl.http.crl.disable_ocsp", false) + .put("opendistro_security.ssl.http.crl.validation_date", 1) + .build(); + + 
Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CLIENTAUTH_MODE.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_ALIAS.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_PASSWORD.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_TYPE.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE.get(settings), false); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED.get(settings), false); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE.get(settings), false); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED.get(settings), false); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION.get(settings), false); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.get(settings), false); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD.get(settings), "test"); + Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE.get(settings), "test"); + 
Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED_CIPHERS.get(settings), Lists.newArrayList("a", "b"));
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS.get(settings), Lists.newArrayList("a", "b"));
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS.get(settings), Lists.newArrayList("a", "b"));
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS.get(settings), Lists.newArrayList("a", "b"));
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_CLIENT_EXTERNAL_CONTEXT_ID.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS.get(settings), "test");
+
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED.get(settings), false);
+
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD.get(settings), "test");
+
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD.get(settings), "test");
+
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH.get(settings), "test");
+
Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH.get(settings), "test");
+
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH.get(settings), "test");
+
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD.get(settings), "test");
+
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH.get(settings), "test");
+
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMCERT_FILEPATH.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_FILEPATH.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMKEY_PASSWORD.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH.get(settings), "test");
+
+
Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_FILE.get(settings), "test");
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATE.get(settings), false);
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP.get(settings), false);
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES.get(settings), false);
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_DISABLE_CRLDP.get(settings), false);
+ Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_DISABLE_OCSP.get(settings), false);
 Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE.get(settings), Long.valueOf(1));
 }
 }
From f31646a52ccda435c9e0765d262fd03241dc47e2 Mon Sep 17 00:00:00 2001
From: Andy Lin
Date: Fri, 21 May 2021 18:10:19 -0700
Subject: [PATCH 16/17] Delete unused imports in test file
---
 .../org/opensearch/security/SecuritySettingsTests.java | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/test/java/org/opensearch/security/SecuritySettingsTests.java b/src/test/java/org/opensearch/security/SecuritySettingsTests.java
index 8f9dffdd49..e2c194acd3 100644
--- a/src/test/java/org/opensearch/security/SecuritySettingsTests.java
+++ b/src/test/java/org/opensearch/security/SecuritySettingsTests.java
@@ -14,18 +14,13 @@ import com.google.common.collect.Lists;
 import org.junit.Assert;
 import org.junit.Test;
-import org.opensearch.common.settings.Setting;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.ssl.util.LegacyOpenDistroSSLSecuritySettings;
-import org.opensearch.security.ssl.util.SSLConfigConstants;
 import org.opensearch.security.ssl.util.SSLSecuritySettings;
-import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.LegacyOpenDistroSecuritySettings;
 import org.opensearch.security.support.SecuritySettings;
-import java.util.List;
 import java.util.Map;
-import java.util.function.Function;
 public class SecuritySettingsTests {
@@ -383,7 +378,7 @@ public void testSSLSettingsGetValueWithLegacyFallback() {
 .put("opendistro_security.ssl.http.crl.disable_crldp", false)
 .put("opendistro_security.ssl.http.crl.disable_ocsp", false)
 .put("opendistro_security.ssl.http.crl.validation_date", 1)
- .build();
+ .build();
 Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_CLIENTAUTH_MODE.get(settings), "test");
 Assert.assertEquals(SSLSecuritySettings.SECURITY_SSL_HTTP_KEYSTORE_ALIAS.get(settings), "test");
From 2e5034d75c1d0b3ca37a76791a6292539798550e Mon Sep 17 00:00:00 2001
From: Andy Lin
Date: Mon, 24 May 2021 13:37:26 -0700
Subject: [PATCH 17/17] Remove unused imports in SSLSecuritySettings, remove OPENDISTRO_ prefix in InitializationIntegrationTests
---
 .../org/opensearch/security/ssl/util/SSLSecuritySettings.java | 4 ----
 .../opensearch/security/InitializationIntegrationTests.java | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLSecuritySettings.java b/src/main/java/org/opensearch/security/ssl/util/SSLSecuritySettings.java
index d9f64bfa7d..d8c25be9bb 100644
--- a/src/main/java/org/opensearch/security/ssl/util/SSLSecuritySettings.java
+++ b/src/main/java/org/opensearch/security/ssl/util/SSLSecuritySettings.java
@@ -11,12 +11,8 @@ package org.opensearch.security.ssl.util;
-import io.netty.util.internal.PlatformDependent;
-import org.opensearch.common.Booleans;
 import org.opensearch.common.settings.Setting;
-import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 import java.util.function.Function;
diff --git a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
index 6a7a94eb78..6d2ebb585e 100644
--- a/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
+++ b/src/test/java/org/opensearch/security/InitializationIntegrationTests.java
@@ -204,7 +204,7 @@ public void testInvalidDefaultConfig() throws Exception {
 try {
 System.setProperty("security.default_init.dir", new File("./src/test/resources/invalid_config").getAbsolutePath());
 final Settings settings = Settings.builder()
- .put(ConfigConstants.OPENDISTRO_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true)
+ .put(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true)
 .build();
 setup(Settings.EMPTY, null, settings, false);
 RestHelper rh = nonSslRestHelper();