
Example 1 with PluginAwareNode

use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.

the class SSLTest method testNodeClientSSLwithJavaTLSv13.

/**
 * Joins an extra node to the cluster while the transport layer is pinned to
 * TLSv1.3 with the single cipher suite {@code TLS_AES_128_GCM_SHA256}, using the
 * JDK TLS provider (the test is skipped when OpenSSL is allowed or Java &lt; 11).
 *
 * <p>Hostname verification and hostname resolution are switched off for the
 * transport layer here; the certificates come from test keystores on the classpath.
 * NOTE(review): that relaxation is a test-fixture convenience and should not be
 * copied into a production configuration.
 *
 * @throws Exception if the cluster or the extra node cannot be started
 */
@Test
public void testNodeClientSSLwithJavaTLSv13() throws Exception {
    // Java TLS 1.3 is available since Java 11
    final boolean jdkTls13Usable = !allowOpenSSL && PlatformDependent.javaVersion() >= 11;
    Assume.assumeTrue(jdkTls13Usable);

    final Settings tlsSettings = Settings.builder()
        .put("plugins.security.ssl.transport.enabled", true)
        .put(ConfigConstants.SECURITY_SSL_ONLY, true)
        .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
        .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
        .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
        .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
        .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
        // Test-only relaxation: the peer certificate's host name is not checked.
        .put("plugins.security.ssl.transport.enforce_hostname_verification", false)
        .put("plugins.security.ssl.transport.resolve_hostname", false)
        // Exactly one protocol and one cipher suite are offered on the transport layer.
        .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
        .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_AES_128_GCM_SHA256")
        .build();
    setupSslOnlyMode(tlsSettings);
    RestHelper restHelper = nonSslRestHelper();

    // The extra node reuses the TLS settings above on top of its own cluster/path settings.
    final Settings clientNodeSettings = Settings.builder()
        .put("cluster.name", clusterInfo.clustername)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/ssl/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/ssl/logs")
        .put("path.home", "./target")
        .put("node.name", "client_node_" + new Random().nextInt())
        .put("discovery.initial_state_timeout", "8s")
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .put(tlsSettings)
        .build();

    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) {
        // Wait (up to 5 seconds) until four nodes are visible, i.e. the extra node has joined.
        ClusterHealthResponse health = clientNode.client().admin().cluster()
            .health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5)))
            .actionGet();
        Assert.assertFalse(health.isTimedOut());
        Assert.assertEquals(4, health.getNumberOfNodes());
        Assert.assertEquals(4, clientNode.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
    }

    // None of these counters may be reported as zero; presumably this confirms
    // that traffic actually crossed the TLS transport - confirm against the stats schema.
    final String[] zeroCounters = {
        "\"tx_size_in_bytes\" : 0",
        "\"rx_count\" : 0",
        "\"rx_size_in_bytes\" : 0",
        "\"tx_count\" : 0"
    };
    for (final String zeroCounter : zeroCounters) {
        // One request per counter, as in the original sequence of assertions.
        Assert.assertFalse(restHelper.executeSimpleRequest("_nodes/stats?pretty").contains(zeroCounter));
    }
}
Also used : PluginAwareNode(org.opensearch.node.PluginAwareNode) Random(java.util.Random) ClusterHealthResponse(org.opensearch.action.admin.cluster.health.ClusterHealthResponse) ClusterHealthRequest(org.opensearch.action.admin.cluster.health.ClusterHealthRequest) Netty4Plugin(org.opensearch.transport.Netty4Plugin) Node(org.opensearch.node.Node) PluginAwareNode(org.opensearch.node.PluginAwareNode) OpenSearchSecurityPlugin(org.opensearch.security.OpenSearchSecurityPlugin) NodesInfoRequest(org.opensearch.action.admin.cluster.node.info.NodesInfoRequest) RestHelper(org.opensearch.security.test.helper.rest.RestHelper) Settings(org.opensearch.common.settings.Settings) Test(org.junit.Test) SingleClusterTest(org.opensearch.security.test.SingleClusterTest)

Example 2 with PluginAwareNode

use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.

the class SlowIntegrationTests method testNodeClientDisallowedWithNonServerCertificate2.

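/**
 * Starts an extra node whose transport keystore is {@code spock-keystore.jks}
 * (alias {@code spock}) and asserts that the node sees exactly one node in the
 * nodes-info response, i.e. only itself.
 *
 * <p>Going by the test name, the "spock" certificate is not a server (node)
 * certificate, so the cluster is expected to refuse the join - confirm against
 * the keystore fixture.
 *
 * @throws Exception if the cluster cannot be set up
 */
@SuppressWarnings("resource")
@Test
public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception {
    setup();
    // Precondition: the regular cluster is complete and green before the extra node starts.
    Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
    Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());

    final Settings tcSettings = Settings.builder()
        .put(minimumSecuritySettings(Settings.EMPTY).get(0))
        .put("cluster.name", clusterInfo.clustername)
        .put("node.data", false)
        .put("node.master", false)
        .put("node.ingest", false)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
        .put("path.home", "./target")
        .put("node.name", "transportclient")
        .put("discovery.initial_state_timeout", "8s")
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        // Overrides the transport identity with the "spock" certificate under test.
        .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks"))
        .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock")
        .build();

    log.debug("Start node client");
    try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) {
        // Fixed wait so that a join, if it were permitted, would have completed by now.
        Thread.sleep(10000);
        // Only the extra node itself may be visible: it must not have been admitted.
        Assert.assertEquals(1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
    } catch (Exception e) {
        // Same failure message as before, but the original exception is kept as
        // the cause so its stack trace appears in the test report.
        throw new AssertionError(e.toString(), e);
    }
}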
Also used : PluginAwareNode(org.opensearch.node.PluginAwareNode) ClusterHealthRequest(org.opensearch.action.admin.cluster.health.ClusterHealthRequest) Netty4Plugin(org.opensearch.transport.Netty4Plugin) Node(org.opensearch.node.Node) PluginAwareNode(org.opensearch.node.PluginAwareNode) NodesInfoRequest(org.opensearch.action.admin.cluster.node.info.NodesInfoRequest) Settings(org.opensearch.common.settings.Settings) IOException(java.io.IOException) Test(org.junit.Test) SingleClusterTest(org.opensearch.security.test.SingleClusterTest)

Example 3 with PluginAwareNode

use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.

the class TransportUserInjectorIntegTest method testSecurityUserInjectionWithConfigDisabled.

/**
 * Checks that an injected user string has no effect while
 * {@code ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED} is {@code false}:
 * index creation is acknowledged both before and after
 * {@code UserInjectorPlugin.injectedUser} is set to {@code "ttt|kkk"}.
 *
 * <p>NOTE(review): {@code UserInjectorPlugin.injectedUser} is a static field that
 * this method sets and does not restore; confirm that it is reset elsewhere so
 * the value cannot leak into other tests.
 *
 * @throws Exception if the cluster or a client node cannot be started
 */
@Test
public void testSecurityUserInjectionWithConfigDisabled() throws Exception {
    // User injection is disabled on the cluster nodes ...
    final Settings clusterNodeSettings = Settings.builder()
        .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false)
        .build();
    setup(clusterNodeSettings, new DynamicSecurityConfig().setSecurityRolesMapping("roles_transport_inject_user.yml"), Settings.EMPTY);

    // ... and on the client node that the test starts below.
    final Settings clientNodeSettings = Settings.builder()
        .put(minimumSecuritySettings(Settings.EMPTY).get(0))
        .put("cluster.name", clusterInfo.clustername)
        .put("node.data", false)
        .put("node.master", false)
        .put("node.ingest", false)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
        .put("path.home", "./target")
        .put("node.name", "testclient")
        .put("discovery.initial_state_timeout", "8s")
        .put("plugins.security.allow_default_init_securityindex", "true")
        .put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false)
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .build();

    // 1. without user injection
    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) {
        waitForInit(clientNode.client());
        CreateIndexResponse created = clientNode.client().admin().indices()
            .create(new CreateIndexRequest("captain-logs-1"))
            .actionGet();
        Assert.assertTrue(created.isAcknowledged());
    }

    // with invalid backend roles
    UserInjectorPlugin.injectedUser = "ttt|kkk";
    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) {
        waitForInit(clientNode.client());
        CreateIndexResponse created = clientNode.client().admin().indices()
            .create(new CreateIndexRequest("captain-logs-2"))
            .actionGet();
        // Should pass as the user injection is disabled
        Assert.assertTrue(created.isAcknowledged());
    }
}
Also used : PluginAwareNode(org.opensearch.node.PluginAwareNode) DynamicSecurityConfig(org.opensearch.security.test.DynamicSecurityConfig) Netty4Plugin(org.opensearch.transport.Netty4Plugin) Node(org.opensearch.node.Node) PluginAwareNode(org.opensearch.node.PluginAwareNode) CreateIndexResponse(org.opensearch.action.admin.indices.create.CreateIndexResponse) CreateIndexRequest(org.opensearch.action.admin.indices.create.CreateIndexRequest) Settings(org.opensearch.common.settings.Settings) Test(org.junit.Test) SingleClusterTest(org.opensearch.security.test.SingleClusterTest)

Example 4 with PluginAwareNode

use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.

the class RolesInjectorIntegTest method testRolesInject.

/**
 * Exercises role injection through {@code RolesInjectorPlugin.injectedRoles} in
 * three steps: no injected roles (index creation succeeds), an invalid role
 * (creation must raise an {@code OpenSearchSecurityException} whose message names
 * {@code indices:admin/create}), and a role with permission to create an index
 * (creation succeeds again).
 *
 * <p>NOTE(review): {@code RolesInjectorPlugin.injectedRoles} is a static field
 * that this method leaves set to its last value; confirm that it is reset
 * elsewhere so it cannot influence other tests.
 *
 * @throws Exception if the cluster or a client node cannot be started
 */
@Test
public void testRolesInject() throws Exception {
    setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles.yml"), Settings.EMPTY);
    // Precondition: the cluster is complete and green.
    Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
    Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());

    final Settings clientNodeSettings = Settings.builder()
        .put(minimumSecuritySettings(Settings.EMPTY).get(0))
        .put("cluster.name", clusterInfo.clustername)
        .put("node.data", false)
        .put("node.master", false)
        .put("node.ingest", false)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
        .put("path.home", "./target")
        .put("node.name", "testclient")
        .put("discovery.initial_state_timeout", "8s")
        .put("plugins.security.allow_default_init_securityindex", "true")
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .build();

    // 1. Without roles injection.
    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) {
        waitForInit(clientNode.client());
        CreateIndexResponse created = clientNode.client().admin().indices()
            .create(new CreateIndexRequest("captain-logs-1"))
            .actionGet();
        Assert.assertTrue(created.isAcknowledged());
        IndicesExistsResponse present = clientNode.client().admin().indices()
            .exists(new IndicesExistsRequest("captain-logs-1"))
            .actionGet();
        Assert.assertTrue(present.isExists());
    }

    // 2. With invalid roles, must throw security exception.
    RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role";
    Exception denied = null;
    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) {
        waitForInit(clientNode.client());
        CreateIndexResponse created = clientNode.client().admin().indices()
            .create(new CreateIndexRequest("captain-logs-2"))
            .actionGet();
        Assert.assertTrue(created.isAcknowledged());
    } catch (OpenSearchSecurityException ex) {
        denied = ex;
        log.warn(ex.toString());
    }
    // If the request had been allowed, no exception was captured and the test fails here.
    Assert.assertNotNull(denied);
    // The denial must refer to the create-index action.
    Assert.assertTrue(denied.getMessage().contains("indices:admin/create"));

    // 3. With valid roles - which has permission to create index.
    RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access";
    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) {
        waitForInit(clientNode.client());
        CreateIndexResponse created = clientNode.client().admin().indices()
            .create(new CreateIndexRequest("captain-logs-3"))
            .actionGet();
        Assert.assertTrue(created.isAcknowledged());
        IndicesExistsResponse present = clientNode.client().admin().indices()
            .exists(new IndicesExistsRequest("captain-logs-3"))
            .actionGet();
        Assert.assertTrue(present.isExists());
    }
}
Also used : OpenSearchSecurityException(org.opensearch.OpenSearchSecurityException) ClusterHealthRequest(org.opensearch.action.admin.cluster.health.ClusterHealthRequest) Netty4Plugin(org.opensearch.transport.Netty4Plugin) Node(org.opensearch.node.Node) PluginAwareNode(org.opensearch.node.PluginAwareNode) OpenSearchSecurityException(org.opensearch.OpenSearchSecurityException) PluginAwareNode(org.opensearch.node.PluginAwareNode) DynamicSecurityConfig(org.opensearch.security.test.DynamicSecurityConfig) IndicesExistsResponse(org.opensearch.action.admin.indices.exists.indices.IndicesExistsResponse) CreateIndexResponse(org.opensearch.action.admin.indices.create.CreateIndexResponse) CreateIndexRequest(org.opensearch.action.admin.indices.create.CreateIndexRequest) Settings(org.opensearch.common.settings.Settings) IndicesExistsRequest(org.opensearch.action.admin.indices.exists.indices.IndicesExistsRequest) Test(org.junit.Test) SingleClusterTest(org.opensearch.security.test.SingleClusterTest)

Example 5 with PluginAwareNode

use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.

the class RolesValidationIntegTest method testRolesValidation.

/**
 * Exercises role validation through {@code RolesValidationPlugin.rolesValidation}
 * in three steps: no value set (index creation succeeds), a role that is invalid
 * for the user (creation must raise an {@code OpenSearchSecurityException} whose
 * message contains {@code "No mapping for"}), and a valid role (creation succeeds).
 *
 * <p>NOTE(review): {@code RolesValidationPlugin.rolesValidation} is a static field
 * that this method leaves set to its last value; confirm that it is reset
 * elsewhere so it cannot influence other tests.
 *
 * @throws Exception if the cluster or a client node cannot be started
 */
@Test
public void testRolesValidation() throws Exception {
    setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles.yml"), Settings.EMPTY);

    final Settings clientNodeSettings = Settings.builder()
        .put(minimumSecuritySettings(Settings.EMPTY).get(0))
        .put("cluster.name", clusterInfo.clustername)
        .put("node.data", false)
        .put("node.master", false)
        .put("node.ingest", false)
        .put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data")
        .put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs")
        .put("path.home", "./target")
        .put("node.name", "testclient")
        .put("discovery.initial_state_timeout", "8s")
        .put("plugins.security.allow_default_init_securityindex", "true")
        .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort)
        .build();

    // 1. Without roles validation
    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) {
        waitForInit(clientNode.client());
        CreateIndexResponse created = clientNode.client().admin().indices()
            .create(new CreateIndexRequest("captain-logs-1"))
            .actionGet();
        Assert.assertTrue(created.isAcknowledged());
        IndicesExistsResponse present = clientNode.client().admin().indices()
            .exists(new IndicesExistsRequest("captain-logs-1"))
            .actionGet();
        Assert.assertTrue(present.isExists());
    }

    OpenSearchSecurityException rejected = null;
    // 2. with roles invalid to the user
    RolesValidationPlugin.rolesValidation = "invalid_role";
    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) {
        waitForInit(clientNode.client());
        // The response is never inspected: this call is expected to throw.
        clientNode.client().admin().indices()
            .create(new CreateIndexRequest("captain-logs-2"))
            .actionGet();
    } catch (OpenSearchSecurityException ex) {
        rejected = ex;
    }
    // If the request had been allowed, no exception was captured and the test fails here.
    Assert.assertNotNull(rejected);
    Assert.assertTrue(rejected.getMessage().contains("No mapping for"));

    // 3. with roles valid to the user
    RolesValidationPlugin.rolesValidation = "opendistro_security_all_access";
    try (Node clientNode = new PluginAwareNode(false, clientNodeSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) {
        waitForInit(clientNode.client());
        CreateIndexResponse created = clientNode.client().admin().indices()
            .create(new CreateIndexRequest("captain-logs-3"))
            .actionGet();
        Assert.assertTrue(created.isAcknowledged());
    }
}
Also used : OpenSearchSecurityException(org.opensearch.OpenSearchSecurityException) PluginAwareNode(org.opensearch.node.PluginAwareNode) DynamicSecurityConfig(org.opensearch.security.test.DynamicSecurityConfig) Netty4Plugin(org.opensearch.transport.Netty4Plugin) Node(org.opensearch.node.Node) PluginAwareNode(org.opensearch.node.PluginAwareNode) IndicesExistsResponse(org.opensearch.action.admin.indices.exists.indices.IndicesExistsResponse) CreateIndexResponse(org.opensearch.action.admin.indices.create.CreateIndexResponse) CreateIndexRequest(org.opensearch.action.admin.indices.create.CreateIndexRequest) Settings(org.opensearch.common.settings.Settings) IndicesExistsRequest(org.opensearch.action.admin.indices.exists.indices.IndicesExistsRequest) Test(org.junit.Test) SingleClusterTest(org.opensearch.security.test.SingleClusterTest)

Aggregations

PluginAwareNode (org.opensearch.node.PluginAwareNode)13 Test (org.junit.Test)12 Settings (org.opensearch.common.settings.Settings)12 Node (org.opensearch.node.Node)12 Netty4Plugin (org.opensearch.transport.Netty4Plugin)12 ClusterHealthRequest (org.opensearch.action.admin.cluster.health.ClusterHealthRequest)9 SingleClusterTest (org.opensearch.security.test.SingleClusterTest)9 NodesInfoRequest (org.opensearch.action.admin.cluster.node.info.NodesInfoRequest)6 DynamicSecurityConfig (org.opensearch.security.test.DynamicSecurityConfig)6 OpenSearchSecurityException (org.opensearch.OpenSearchSecurityException)5 OpenSearchSecurityPlugin (org.opensearch.security.OpenSearchSecurityPlugin)5 CreateIndexRequest (org.opensearch.action.admin.indices.create.CreateIndexRequest)4 CreateIndexResponse (org.opensearch.action.admin.indices.create.CreateIndexResponse)4 IOException (java.io.IOException)3 Random (java.util.Random)3 ClusterHealthResponse (org.opensearch.action.admin.cluster.health.ClusterHealthResponse)3 RestHelper (org.opensearch.security.test.helper.rest.RestHelper)3 IndicesExistsRequest (org.opensearch.action.admin.indices.exists.indices.IndicesExistsRequest)2 IndicesExistsResponse (org.opensearch.action.admin.indices.exists.indices.IndicesExistsResponse)2 AcknowledgedResponse (org.opensearch.action.support.master.AcknowledgedResponse)2