Use of org.opensearch.node.PluginAwareNode in the security project by opensearch-project.
Class SSLTest, method testNodeClientSSLwithJavaTLSv13.
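@Test
public void testNodeClientSSLwithJavaTLSv13() throws Exception {
    // The JDK's own TLS 1.3 implementation requires Java 11 or later; the OpenSSL
    // provider is exercised by other tests, so this one only runs on the JDK provider.
    Assume.assumeTrue(!allowOpenSSL && PlatformDependent.javaVersion() >= 11);

    // SSL-only transport pinned to TLS 1.3 and a single AEAD cipher suite.
    // Hostname verification and resolution are switched off for the self-contained
    // test keystore/truststore shipped on the classpath.
    final Settings sslSettings = Settings.builder()
        .put("plugins.security.ssl.transport.enabled", true)
        .put(ConfigConstants.SECURITY_SSL_ONLY, true)
        .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
        .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
        .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
        .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
        .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
        .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
        .put("plugins.security.ssl.transport.resolve_hostname", false)
        .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
        .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_AES_128_GCM_SHA256")
        .build();
    setupSslOnlyMode(sslSettings);
    final RestHelper rh = nonSslRestHelper();

    // Client node that joins the cluster over the same TLS 1.3-only transport configuration.
    final Settings clientNodeSettings = Settings.builder()
        .put("cluster.name", clusterInfo.clustername)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/ssl/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/ssl/logs")
        .put("path.home", "./target")
        .put("node.name", "client_node_" + new Random().nextInt())
        .put("discovery.initial_state_timeout", "8s")
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .put(sslSettings)
        .build();

    try (Node node = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) {
        // Four nodes in total: the cluster started by setupSslOnlyMode() plus this client node.
        final ClusterHealthResponse health = node.client().admin().cluster()
            .health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5)))
            .actionGet();
        Assert.assertFalse(health.isTimedOut());
        Assert.assertEquals(4, health.getNumberOfNodes());
        Assert.assertEquals(4, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
    }

    // Fetch the node statistics once so all four counter checks look at the same
    // snapshot instead of issuing one REST request per assertion.
    final String nodeStats = rh.executeSimpleRequest("_nodes/stats?pretty");
    // Every transport counter must be non-zero, i.e. traffic actually flowed over TLS 1.3.
    for (final String counter : new String[] {"tx_size_in_bytes", "rx_count", "rx_size_in_bytes", "tx_count"}) {
        Assert.assertFalse("transport counter " + counter + " is zero", nodeStats.contains("\"" + counter + "\" : 0"));
    }
}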
Use of org.opensearch.node.PluginAwareNode in the security project by opensearch-project.
Class SlowIntegrationTests, method testNodeClientDisallowedWithNonServerCertificate2.
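@SuppressWarnings("resource")
@Test
public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception {
    setup();
    // Precondition: the cluster is fully formed and green before the client node tries to join.
    Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
    Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());

    // Coordinating-only node (no data/master/ingest role) presenting the "spock"
    // keystore entry rather than a node certificate.
    final Settings clientNodeSettings = Settings.builder()
        .put(minimumSecuritySettings(Settings.EMPTY).get(0))
        .put("cluster.name", clusterInfo.clustername)
        .put("node.data", false)
        .put("node.master", false)
        .put("node.ingest", false)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
        .put("path.home", "./target")
        .put("node.name", "transportclient")
        .put("discovery.initial_state_timeout", "8s")
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
        .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock")
        .build();
    log.debug("Start node client");

    // No catch-all around the node: the method already declares `throws Exception`, and
    // letting a failure propagate keeps its stack trace, which Assert.fail(e.toString())
    // would discard.
    try (Node node = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) {
        // Give the node time to attempt joining; with a non-server certificate it
        // must still only see itself afterwards.
        Thread.sleep(10000);
        Assert.assertEquals(1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
    }
}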
Use of org.opensearch.node.PluginAwareNode in the security project by opensearch-project.
Class TransportUserInjectorIntegTest, method testSecurityUserInjectionWithConfigDisabled.
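@Test
public void testSecurityUserInjectionWithConfigDisabled() throws Exception {
    // User injection is explicitly disabled on the cluster nodes ...
    final Settings clusterNodeSettings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false).build();
    setup(clusterNodeSettings, new DynamicSecurityConfig().setSecurityRolesMapping("roles_transport_inject_user.yml"), Settings.EMPTY);

    // ... and on the coordinating-only client node as well.
    final Settings clientNodeSettings = Settings.builder()
        .put(minimumSecuritySettings(Settings.EMPTY).get(0))
        .put("cluster.name", clusterInfo.clustername)
        .put("node.data", false)
        .put("node.master", false)
        .put("node.ingest", false)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
        .put("path.home", "./target")
        .put("node.name", "testclient")
        .put("discovery.initial_state_timeout", "8s")
        .put("plugins.security.allow_default_init_securityindex", "true")
        .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false)
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .build();

    // UserInjectorPlugin.injectedUser is static state shared by every test in this JVM;
    // restore it on exit so an injected user cannot leak into later tests.
    final String previousInjectedUser = UserInjectorPlugin.injectedUser;
    try {
        // 1. without user injection
        createIndexWithUserInjectorPlugin(clientNodeSettings, "captain-logs-1");

        // 2. with an injected user carrying invalid backend roles
        UserInjectorPlugin.injectedUser = "ttt|kkk";
        // Should pass as the user injection is disabled
        createIndexWithUserInjectorPlugin(clientNodeSettings, "captain-logs-2");
    } finally {
        UserInjectorPlugin.injectedUser = previousInjectedUser;
    }
}

/**
 * Starts a client node carrying {@link UserInjectorPlugin}, waits for the security
 * index to initialise and asserts that {@code indexName} can be created through it.
 *
 * @param clientNodeSettings settings for the client node
 * @param indexName          name of the index to create
 * @throws Exception if the node cannot be started or closed
 */
private void createIndexWithUserInjectorPlugin(final Settings clientNodeSettings, final String indexName) throws Exception {
    try (Node node = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) {
        waitForInit(node.client());
        final CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest(indexName)).actionGet();
        Assert.assertTrue(cir.isAcknowledged());
    }
}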
Use of org.opensearch.node.PluginAwareNode in the security project by opensearch-project.
Class RolesInjectorIntegTest, method testRolesInject.
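@Test
public void testRolesInject() throws Exception {
    setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles.yml"), Settings.EMPTY);
    // Precondition: the cluster is fully formed and green before client nodes join.
    Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
    Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());

    // Coordinating-only client node (no data/master/ingest role).
    final Settings clientNodeSettings = Settings.builder()
        .put(minimumSecuritySettings(Settings.EMPTY).get(0))
        .put("cluster.name", clusterInfo.clustername)
        .put("node.data", false)
        .put("node.master", false)
        .put("node.ingest", false)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
        .put("path.home", "./target")
        .put("node.name", "testclient")
        .put("discovery.initial_state_timeout", "8s")
        .put("plugins.security.allow_default_init_securityindex", "true")
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .build();

    // RolesInjectorPlugin.injectedRoles is static state shared by every test in this JVM;
    // restore it on exit so injected roles cannot leak into later tests, even on failure.
    final String previousInjectedRoles = RolesInjectorPlugin.injectedRoles;
    try {
        // 1. Without roles injection.
        createIndexWithRolesInjectorPlugin(clientNodeSettings, "captain-logs-1");

        // 2. With invalid roles, must throw security exception.
        RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role";
        OpenSearchSecurityException exception = null;
        try (Node node = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) {
            waitForInit(node.client());
            node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet();
            // Reached only if the create was not rejected; fail with a precise message.
            Assert.fail("index creation with injected roles 'invalid_user|invalid_role' was not rejected");
        } catch (OpenSearchSecurityException ex) {
            exception = ex;
            log.warn(ex.toString());
        }
        Assert.assertNotNull(exception);
        // The denied action must be named in the exception.
        Assert.assertTrue(exception.getMessage().contains("indices:admin/create"));

        // 3. With valid roles - which has permission to create index.
        RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access";
        createIndexWithRolesInjectorPlugin(clientNodeSettings, "captain-logs-3");
    } finally {
        RolesInjectorPlugin.injectedRoles = previousInjectedRoles;
    }
}

/**
 * Starts a client node carrying {@link RolesInjectorPlugin}, waits for the security
 * index to initialise, creates {@code indexName} and asserts that it now exists.
 *
 * @param clientNodeSettings settings for the client node
 * @param indexName          name of the index to create
 * @throws Exception if the node cannot be started or closed
 */
private void createIndexWithRolesInjectorPlugin(final Settings clientNodeSettings, final String indexName) throws Exception {
    try (Node node = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) {
        waitForInit(node.client());
        final CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest(indexName)).actionGet();
        Assert.assertTrue(cir.isAcknowledged());
        final IndicesExistsResponse ier = node.client().admin().indices().exists(new IndicesExistsRequest(indexName)).actionGet();
        Assert.assertTrue(ier.isExists());
    }
}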
Use of org.opensearch.node.PluginAwareNode in the security project by opensearch-project.
Class RolesValidationIntegTest, method testRolesValidation.
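@Test
public void testRolesValidation() throws Exception {
    setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles.yml"), Settings.EMPTY);

    // Coordinating-only client node (no data/master/ingest role).
    final Settings clientNodeSettings = Settings.builder()
        .put(minimumSecuritySettings(Settings.EMPTY).get(0))
        .put("cluster.name", clusterInfo.clustername)
        .put("node.data", false)
        .put("node.master", false)
        .put("node.ingest", false)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
        .put("path.home", "./target")
        .put("node.name", "testclient")
        .put("discovery.initial_state_timeout", "8s")
        .put("plugins.security.allow_default_init_securityindex", "true")
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .build();

    // RolesValidationPlugin.rolesValidation is static state shared by every test in this JVM;
    // restore it on exit so the validated role cannot leak into later tests, even on failure.
    final String previousRolesValidation = RolesValidationPlugin.rolesValidation;
    try {
        // 1. Without roles validation
        createIndexWithRolesValidationPlugin(clientNodeSettings, "captain-logs-1");

        // 2. with roles invalid to the user
        RolesValidationPlugin.rolesValidation = "invalid_role";
        OpenSearchSecurityException exception = null;
        try (Node node = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) {
            waitForInit(node.client());
            // The response is irrelevant here: only the rejection matters.
            node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet();
            Assert.fail("index creation with validated role 'invalid_role' was not rejected");
        } catch (OpenSearchSecurityException ex) {
            exception = ex;
        }
        Assert.assertNotNull(exception);
        Assert.assertTrue(exception.getMessage().contains("No mapping for"));

        // 3. with roles valid to the user
        RolesValidationPlugin.rolesValidation = "opendistro_security_all_access";
        createIndexWithRolesValidationPlugin(clientNodeSettings, "captain-logs-3");
    } finally {
        RolesValidationPlugin.rolesValidation = previousRolesValidation;
    }
}

/**
 * Starts a client node carrying {@link RolesValidationPlugin}, waits for the security
 * index to initialise, creates {@code indexName} and asserts that it now exists.
 *
 * @param clientNodeSettings settings for the client node
 * @param indexName          name of the index to create
 * @throws Exception if the node cannot be started or closed
 */
private void createIndexWithRolesValidationPlugin(final Settings clientNodeSettings, final String indexName) throws Exception {
    try (Node node = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) {
        waitForInit(node.client());
        final CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest(indexName)).actionGet();
        Assert.assertTrue(cir.isAcknowledged());
        // An acknowledged create must be visible through the exists API as well.
        final IndicesExistsResponse ier = node.client().admin().indices().exists(new IndicesExistsRequest(indexName)).actionGet();
        Assert.assertTrue(ier.isExists());
    }
}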