Example 1 with PluginAwareNode
use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.
the class SSLTest method testNodeClientSSLwithJavaTLSv13.
@Test
public void testNodeClientSSLwithJavaTLSv13() throws Exception {
// Java TLS 1.3 is available since Java 11
Assume.assumeTrue(!allowOpenSSL && PlatformDependent.javaVersion() >= 11);
final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true).put(ConfigConstants.SECURITY_SSL_ONLY, true).put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL).put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL).put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")).put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).put("plugins.security.ssl.transport.enforce_hostname_verification", false).put("plugins.security.ssl.transport.resolve_hostname", false).putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3").putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_AES_128_GCM_SHA256").build();
setupSslOnlyMode(settings);
RestHelper rh = nonSslRestHelper();
final Settings tcSettings = Settings.builder().put("cluster.name", clusterInfo.clustername).put("path.data", "./target/data/" + clusterInfo.clustername + "/ssl/data").put("path.logs", "./target/data/" + clusterInfo.clustername + "/ssl/logs").put("path.home", "./target").put("node.name", "client_node_" + new Random().nextInt()).put("discovery.initial_state_timeout", "8s").putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort).put(// -----
settings).build();
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) {
ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet();
Assert.assertFalse(res.isTimedOut());
Assert.assertEquals(4, res.getNumberOfNodes());
Assert.assertEquals(4, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
}
Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_size_in_bytes\" : 0"));
Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_count\" : 0"));
Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_size_in_bytes\" : 0"));
Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_count\" : 0"));
}
Also used :
PluginAwareNode(org.opensearch.node.PluginAwareNode)
Random(java.util.Random)
ClusterHealthResponse(org.opensearch.action.admin.cluster.health.ClusterHealthResponse)
ClusterHealthRequest(org.opensearch.action.admin.cluster.health.ClusterHealthRequest)
Netty4Plugin(org.opensearch.transport.Netty4Plugin)
Node(org.opensearch.node.Node)
PluginAwareNode(org.opensearch.node.PluginAwareNode)
OpenSearchSecurityPlugin(org.opensearch.security.OpenSearchSecurityPlugin)
NodesInfoRequest(org.opensearch.action.admin.cluster.node.info.NodesInfoRequest)
RestHelper(org.opensearch.security.test.helper.rest.RestHelper)
Settings(org.opensearch.common.settings.Settings)
Test(org.junit.Test)
SingleClusterTest(org.opensearch.security.test.SingleClusterTest)
Example 2 with PluginAwareNode
use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.
the class SlowIntegrationTests method testNodeClientDisallowedWithNonServerCertificate2.
@SuppressWarnings("resource")
@Test
public void testNodeClientDisallowedWithNonServerCertificate2() throws Exception {
setup();
Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());
final Settings tcSettings = Settings.builder().put(minimumSecuritySettings(Settings.EMPTY).get(0)).put("cluster.name", clusterInfo.clustername).put("node.data", false).put("node.master", false).put("node.ingest", false).put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data").put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs").put("path.home", "./target").put("node.name", "transportclient").put("discovery.initial_state_timeout", "8s").putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort).put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("spock-keystore.jks")).put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "spock").build();
log.debug("Start node client");
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class).start()) {
Thread.sleep(10000);
Assert.assertEquals(1, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
} catch (Exception e) {
Assert.fail(e.toString());
}
}
Also used :
PluginAwareNode(org.opensearch.node.PluginAwareNode)
ClusterHealthRequest(org.opensearch.action.admin.cluster.health.ClusterHealthRequest)
Netty4Plugin(org.opensearch.transport.Netty4Plugin)
Node(org.opensearch.node.Node)
PluginAwareNode(org.opensearch.node.PluginAwareNode)
NodesInfoRequest(org.opensearch.action.admin.cluster.node.info.NodesInfoRequest)
Settings(org.opensearch.common.settings.Settings)
IOException(java.io.IOException)
Test(org.junit.Test)
SingleClusterTest(org.opensearch.security.test.SingleClusterTest)
Example 3 with PluginAwareNode
use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.
the class TransportUserInjectorIntegTest method testSecurityUserInjectionWithConfigDisabled.
@Test
public void testSecurityUserInjectionWithConfigDisabled() throws Exception {
final Settings clusterNodeSettings = Settings.builder().put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false).build();
setup(clusterNodeSettings, new DynamicSecurityConfig().setSecurityRolesMapping("roles_transport_inject_user.yml"), Settings.EMPTY);
final Settings tcSettings = Settings.builder().put(minimumSecuritySettings(Settings.EMPTY).get(0)).put("cluster.name", clusterInfo.clustername).put("node.data", false).put("node.master", false).put("node.ingest", false).put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data").put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs").put("path.home", "./target").put("node.name", "testclient").put("discovery.initial_state_timeout", "8s").put("plugins.security.allow_default_init_securityindex", "true").put(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false).putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort).build();
// 1. without user injection
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) {
waitForInit(node.client());
CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet();
Assert.assertTrue(cir.isAcknowledged());
}
// with invalid backend roles
UserInjectorPlugin.injectedUser = "ttt|kkk";
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, UserInjectorPlugin.class).start()) {
waitForInit(node.client());
CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet();
// Should pass as the user injection is disabled
Assert.assertTrue(cir.isAcknowledged());
}
}
Also used :
PluginAwareNode(org.opensearch.node.PluginAwareNode)
DynamicSecurityConfig(org.opensearch.security.test.DynamicSecurityConfig)
Netty4Plugin(org.opensearch.transport.Netty4Plugin)
Node(org.opensearch.node.Node)
PluginAwareNode(org.opensearch.node.PluginAwareNode)
CreateIndexResponse(org.opensearch.action.admin.indices.create.CreateIndexResponse)
CreateIndexRequest(org.opensearch.action.admin.indices.create.CreateIndexRequest)
Settings(org.opensearch.common.settings.Settings)
Test(org.junit.Test)
SingleClusterTest(org.opensearch.security.test.SingleClusterTest)
Example 4 with PluginAwareNode
use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.
the class RolesInjectorIntegTest method testRolesInject.
@Test
public void testRolesInject() throws Exception {
setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles.yml"), Settings.EMPTY);
Assert.assertEquals(clusterInfo.numNodes, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getNumberOfNodes());
Assert.assertEquals(ClusterHealthStatus.GREEN, clusterHelper.nodeClient().admin().cluster().health(new ClusterHealthRequest().waitForGreenStatus()).actionGet().getStatus());
final Settings tcSettings = Settings.builder().put(minimumSecuritySettings(Settings.EMPTY).get(0)).put("cluster.name", clusterInfo.clustername).put("node.data", false).put("node.master", false).put("node.ingest", false).put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data").put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs").put("path.home", "./target").put("node.name", "testclient").put("discovery.initial_state_timeout", "8s").put("plugins.security.allow_default_init_securityindex", "true").putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort).build();
// 1. Without roles injection.
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) {
waitForInit(node.client());
CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet();
Assert.assertTrue(cir.isAcknowledged());
IndicesExistsResponse ier = node.client().admin().indices().exists(new IndicesExistsRequest("captain-logs-1")).actionGet();
Assert.assertTrue(ier.isExists());
}
// 2. With invalid roles, must throw security exception.
RolesInjectorPlugin.injectedRoles = "invalid_user|invalid_role";
Exception exception = null;
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) {
waitForInit(node.client());
CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet();
Assert.assertTrue(cir.isAcknowledged());
} catch (OpenSearchSecurityException ex) {
exception = ex;
log.warn(ex.toString());
}
Assert.assertNotNull(exception);
Assert.assertTrue(exception.getMessage().contains("indices:admin/create"));
// 3. With valid roles - which has permission to create index.
RolesInjectorPlugin.injectedRoles = "valid_user|opendistro_security_all_access";
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesInjectorPlugin.class).start()) {
waitForInit(node.client());
CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-3")).actionGet();
Assert.assertTrue(cir.isAcknowledged());
IndicesExistsResponse ier = node.client().admin().indices().exists(new IndicesExistsRequest("captain-logs-3")).actionGet();
Assert.assertTrue(ier.isExists());
}
}
Also used :
OpenSearchSecurityException(org.opensearch.OpenSearchSecurityException)
ClusterHealthRequest(org.opensearch.action.admin.cluster.health.ClusterHealthRequest)
Netty4Plugin(org.opensearch.transport.Netty4Plugin)
Node(org.opensearch.node.Node)
PluginAwareNode(org.opensearch.node.PluginAwareNode)
OpenSearchSecurityException(org.opensearch.OpenSearchSecurityException)
PluginAwareNode(org.opensearch.node.PluginAwareNode)
DynamicSecurityConfig(org.opensearch.security.test.DynamicSecurityConfig)
IndicesExistsResponse(org.opensearch.action.admin.indices.exists.indices.IndicesExistsResponse)
CreateIndexResponse(org.opensearch.action.admin.indices.create.CreateIndexResponse)
CreateIndexRequest(org.opensearch.action.admin.indices.create.CreateIndexRequest)
Settings(org.opensearch.common.settings.Settings)
IndicesExistsRequest(org.opensearch.action.admin.indices.exists.indices.IndicesExistsRequest)
Test(org.junit.Test)
SingleClusterTest(org.opensearch.security.test.SingleClusterTest)
Example 5 with PluginAwareNode
use of org.opensearch.node.PluginAwareNode in project security by opensearch-project.
the class RolesValidationIntegTest method testRolesValidation.
@Test
public void testRolesValidation() throws Exception {
setup(Settings.EMPTY, new DynamicSecurityConfig().setSecurityRoles("roles.yml"), Settings.EMPTY);
final Settings tcSettings = Settings.builder().put(minimumSecuritySettings(Settings.EMPTY).get(0)).put("cluster.name", clusterInfo.clustername).put("node.data", false).put("node.master", false).put("node.ingest", false).put("path.data", "./target/data/" + clusterInfo.clustername + "/cert/data").put("path.logs", "./target/data/" + clusterInfo.clustername + "/cert/logs").put("path.home", "./target").put("node.name", "testclient").put("discovery.initial_state_timeout", "8s").put("plugins.security.allow_default_init_securityindex", "true").putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost + ":" + clusterInfo.nodePort).build();
// 1. Without roles validation
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) {
waitForInit(node.client());
CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-1")).actionGet();
Assert.assertTrue(cir.isAcknowledged());
IndicesExistsResponse ier = node.client().admin().indices().exists(new IndicesExistsRequest("captain-logs-1")).actionGet();
Assert.assertTrue(ier.isExists());
}
OpenSearchSecurityException exception = null;
// 2. with roles invalid to the user
RolesValidationPlugin.rolesValidation = "invalid_role";
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) {
waitForInit(node.client());
CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-2")).actionGet();
} catch (OpenSearchSecurityException ex) {
exception = ex;
}
Assert.assertNotNull(exception);
Assert.assertTrue(exception.getMessage().contains("No mapping for"));
// 3. with roles valid to the user
RolesValidationPlugin.rolesValidation = "opendistro_security_all_access";
try (Node node = new PluginAwareNode(false, tcSettings, Netty4Plugin.class, OpenSearchSecurityPlugin.class, RolesValidationPlugin.class).start()) {
waitForInit(node.client());
CreateIndexResponse cir = node.client().admin().indices().create(new CreateIndexRequest("captain-logs-3")).actionGet();
Assert.assertTrue(cir.isAcknowledged());
}
}
Also used :
OpenSearchSecurityException(org.opensearch.OpenSearchSecurityException)
PluginAwareNode(org.opensearch.node.PluginAwareNode)
DynamicSecurityConfig(org.opensearch.security.test.DynamicSecurityConfig)
Netty4Plugin(org.opensearch.transport.Netty4Plugin)
Node(org.opensearch.node.Node)
PluginAwareNode(org.opensearch.node.PluginAwareNode)
IndicesExistsResponse(org.opensearch.action.admin.indices.exists.indices.IndicesExistsResponse)
CreateIndexResponse(org.opensearch.action.admin.indices.create.CreateIndexResponse)
CreateIndexRequest(org.opensearch.action.admin.indices.create.CreateIndexRequest)
Settings(org.opensearch.common.settings.Settings)
IndicesExistsRequest(org.opensearch.action.admin.indices.exists.indices.IndicesExistsRequest)
Test(org.junit.Test)
SingleClusterTest(org.opensearch.security.test.SingleClusterTest)
Aggregations
PluginAwareNode (org.opensearch.node.PluginAwareNode)13
Test (org.junit.Test)12
Settings (org.opensearch.common.settings.Settings)12
Node (org.opensearch.node.Node)12
Netty4Plugin (org.opensearch.transport.Netty4Plugin)12
ClusterHealthRequest (org.opensearch.action.admin.cluster.health.ClusterHealthRequest)9
SingleClusterTest (org.opensearch.security.test.SingleClusterTest)9
NodesInfoRequest (org.opensearch.action.admin.cluster.node.info.NodesInfoRequest)6
DynamicSecurityConfig (org.opensearch.security.test.DynamicSecurityConfig)6
OpenSearchSecurityException (org.opensearch.OpenSearchSecurityException)5
OpenSearchSecurityPlugin (org.opensearch.security.OpenSearchSecurityPlugin)5
CreateIndexRequest (org.opensearch.action.admin.indices.create.CreateIndexRequest)4
CreateIndexResponse (org.opensearch.action.admin.indices.create.CreateIndexResponse)4
IOException (java.io.IOException)3
Random (java.util.Random)3
ClusterHealthResponse (org.opensearch.action.admin.cluster.health.ClusterHealthResponse)3
RestHelper (org.opensearch.security.test.helper.rest.RestHelper)3
IndicesExistsRequest (org.opensearch.action.admin.indices.exists.indices.IndicesExistsRequest)2
IndicesExistsResponse (org.opensearch.action.admin.indices.exists.indices.IndicesExistsResponse)2
AcknowledgedResponse (org.opensearch.action.support.master.AcknowledgedResponse)2
