Merge pull request #34 from NihalHarish/6.7-migration

Support for Elasticsearch 6.7.1

Author: NihalHarish

.gitignore

@@ -34,3 +34,5 @@ data/
 puppet/.vagrant
 test.sh
 .vagrant/
+.idea/
+*.iml

plugin-descriptor.properties

@@ -3,7 +3,7 @@
 description=Provide access control related features for Elasticsearch 6
 #
 # 'version': plugin's version
-version=0.8.0.0
+version=0.9.0.0
 #
 # 'name': the plugin name
 name=opendistro_security
@@ -22,4 +22,4 @@ java.version=1.8
 # elasticsearch release. This version is checked when the plugin
 # is loaded so Elasticsearch will refuse to start in the presence of
 # plugins with the incorrect elasticsearch.version.
-elasticsearch.version=6.6.2
+elasticsearch.version=6.7.1

pom.xml

@@ -34,17 +34,15 @@
   <parent>
     <groupId>com.amazon.opendistroforelasticsearch</groupId>
     <artifactId>opendistro_security_parent</artifactId>
-    <version>0.8.0.0</version>
+    <version>0.9.0.0</version>
   </parent>
 
   <artifactId>opendistro_security</artifactId>
   <packaging>jar</packaging>
-  <version>0.8.0.0</version>
-  <name>Open Distro For Elasticsearch Security</name>
+  <version>0.9.0.0</version>
+  <name>Open Distro Security for Elasticsearch</name>
   <description>Open Distro For Elasticsearch Security</description>
-  <url>https://github.com/opendistro-for-elasticsearch/security</url>
   <inceptionYear>2015</inceptionYear>
-
   <licenses>
     <license>
       <name>The Apache Software License, Version 2.0</name>
@@ -54,9 +52,9 @@
   </licenses>
 
   <properties>
-    <opendistro_security_ssl.version>0.8.0.0</opendistro_security_ssl.version>
-    <opendistro_security_advanced_modules.version>0.8.0.0</opendistro_security_advanced_modules.version>
-    <elasticsearch.version>6.6.2</elasticsearch.version>
+    <opendistro_security_ssl.version>0.9.0.0</opendistro_security_ssl.version>
+    <opendistro_security_advanced_modules.version>0.9.0.0</opendistro_security_advanced_modules.version>
+    <elasticsearch.version>6.7.1</elasticsearch.version>
 
     <!-- deps -->
     <netty-native.version>2.0.20.Final</netty-native.version>
@@ -78,7 +76,7 @@
     <url>https://github.com/opendistro-for-elasticsearch/security</url>
     <connection>scm:git:[email protected]:opendistro-for-elasticsearch/security.git</connection>
     <developerConnection>scm:git:[email protected]:opendistro-for-elasticsearch/security.git</developerConnection>
-    <tag>0.8.0.0</tag>
+    <tag>0.9.0.0</tag>
   </scm>
 
   <issueManagement>
@@ -247,8 +245,12 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>
+
+        <version>3.0.0-M3</version>
 
         <configuration>
+          <argLine>-Xmx3072m</argLine>
+          <rerunFailingTestsCount>3</rerunFailingTestsCount>
           <forkCount>3</forkCount>
           <reuseForks>true</reuseForks>
           <!-- 

securityconfig/action_groups.yml

@@ -117,7 +117,6 @@ CLUSTER_COMPOSITE_OPS_RO:
     - "indices:data/read/mget"
     - "indices:data/read/msearch"
     - "indices:data/read/mtv"
-    - "indices:data/read/coordinate-msearch*"
     - "indices:admin/aliases/exists*"
     - "indices:admin/aliases/get*"
     - "indices:data/read/scroll"

src/main/java/com/amazon/opendistroforelasticsearch/security/OpenDistroSecurityPlugin.java

@@ -315,10 +315,7 @@ public List<Path> run() {
                   final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath();
                     if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) {
                         try (Stream<Path> s = Files.walk(confPath)) {
-                            return s
-                            .distinct()
-                            .filter(p->checkFilePermissions(p))
-                            .collect(Collectors.toList());
+                            return s.distinct().filter(p -> checkFilePermissions(p)).collect(Collectors.toList());
                         } catch (Exception e) {
                             log.error(e);
                             return null;
@@ -348,10 +345,7 @@ public List<String> run() {
                   final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath();
                     if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) {
                         try (Stream<Path> s = Files.walk(confPath)) {
-                            return s
-                            .distinct()
-                            .map(p->sha256(p))
-                            .collect(Collectors.toList());
+                            return s.distinct().map(p -> sha256(p)).collect(Collectors.toList());
                         } catch (Exception e) {
                             log.error(e);
                             return null;
@@ -421,8 +415,7 @@ private boolean checkFilePermissions(final Path p) {
                 return true;
             }
         } else {
-            if (perms.contains(PosixFilePermission.OWNER_EXECUTE)
-                    || perms.contains(PosixFilePermission.GROUP_EXECUTE)
+            if (perms.contains(PosixFilePermission.OWNER_EXECUTE) || perms.contains(PosixFilePermission.GROUP_EXECUTE)
                     || perms.contains(PosixFilePermission.OTHERS_EXECUTE)) {
                 // no x must be set
                 return true;
@@ -776,13 +769,14 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
         adminDns = new AdminDNs(settings);
         //final PrincipalExtractor pe = new DefaultPrincipalExtractor();
         cr = (IndexBaseConfigurationRepository) IndexBaseConfigurationRepository.create(settings, this.configPath, threadPool, localClient, clusterService, auditLog, complianceConfig);
+        cr.subscribeOnChange(ConfigConstants.CONFIGNAME_CONFIG, irr);
         final InternalAuthenticationBackend iab = new InternalAuthenticationBackend(cr);
         final XFFResolver xffResolver = new XFFResolver(threadPool);
         cr.subscribeOnChange(ConfigConstants.CONFIGNAME_CONFIG, xffResolver);
         backendRegistry = new BackendRegistry(settings, configPath, adminDns, xffResolver, iab, auditLog, threadPool);
         cr.subscribeOnChange(ConfigConstants.CONFIGNAME_CONFIG, backendRegistry);
         final ActionGroupHolder ah = new ActionGroupHolder(cr);
-        evaluator = new PrivilegesEvaluator(clusterService, threadPool, cr, ah, resolver, auditLog, settings, privilegesInterceptor, cih);
+        evaluator = new PrivilegesEvaluator(clusterService, threadPool, cr, ah, resolver, auditLog, settings, privilegesInterceptor, cih, irr, advancedModulesEnabled);
 
         final CompatConfig compatConfig = new CompatConfig(environment);
         cr.subscribeOnChange(ConfigConstants.CONFIGNAME_CONFIG, compatConfig);
@@ -1023,6 +1017,9 @@ public Collection<Class<? extends LifecycleComponent>> getGuiceServiceClasses()
     @Override
     public Function<String, Predicate<String>> getFieldFilter() {
         return index -> {
+            if (threadPool == null) {
+                return field -> true;
+            }
             final Map<String, Set<String>> allowedFlsFields = (Map<String, Set<String>>) HeaderHelper
                     .deserializeSafeFromHeader(threadPool.getThreadContext(), ConfigConstants.OPENDISTRO_SECURITY_FLS_FIELDS_HEADER);
 
@@ -1033,9 +1030,9 @@ public Function<String, Predicate<String>> getFieldFilter() {
             } else {
 
                 final Set<String> includesExcludes = allowedFlsFields.get(eval);
+                final Set includesSet = new HashSet<>(includesExcludes.size());
+                final Set excludesSet = new HashSet<>(includesExcludes.size());
 
-                final Set<String> includesSet = new HashSet<>(includesExcludes.size());
-                final Set<String> excludesSet = new HashSet<>(includesExcludes.size());
 
                 for (final String incExc : includesExcludes) {
                     final char firstChar = incExc.charAt(0);