Skip to content

Move security tokens to a separate internal index #37236

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 23 commits into from
Closed

Move security tokens to a separate internal index #37236

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
9493da4
Fork out the security tokens template
albertzaharovits Jan 1, 2019
c4d8a0a
No templates in SecurityIndexManager
albertzaharovits Jan 1, 2019
903dbb7
Remove extraneous method from SecurityManager
albertzaharovits Jan 1, 2019
748b8fb
SecurityIndexManager independent of static
albertzaharovits Jan 1, 2019
a93ada8
Merge branch 'master' into tokens_on_new_index
albertzaharovits Jan 1, 2019
ddda03e
Okay, let's go!
albertzaharovits Jan 2, 2019
05de53b
TokenService
albertzaharovits Jan 3, 2019
a433eb9
Use alias to resolve the index in the SecurityManager
albertzaharovits Jan 4, 2019
ec21cec
WIP
albertzaharovits Jan 5, 2019
441b971
WIP
albertzaharovits Jan 5, 2019
24dafb3
Wonderfully
albertzaharovits Jan 6, 2019
e46ed31
Plug in SecurityUpgradeCheck
albertzaharovits Jan 6, 2019
00c23f7
ExpiredTokenRemover
albertzaharovits Jan 8, 2019
7dff216
Nits
albertzaharovits Jan 8, 2019
4be665e
add creation time for tokens
albertzaharovits Jan 8, 2019
37489fe
Yay!!
albertzaharovits Jan 8, 2019
3eebd01
Merge branch 'master' into tokens_on_new_index
albertzaharovits Jan 8, 2019
37d2d84
Merge branch 'master' into tokens_on_new_index
albertzaharovits Jan 9, 2019
2d6e100
Templates have specific index patterns
albertzaharovits Jan 9, 2019
a626bc1
Merge branch 'master' into tokens_on_new_index
albertzaharovits Jan 13, 2019
e70d0d9
Renames
albertzaharovits Jan 13, 2019
ff22f81
Forgo "invalidated-token"
albertzaharovits Jan 13, 2019
f030a7f
StepListener
albertzaharovits Jan 13, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 0 additions & 13 deletions ...gin/core/src/main/java/org/elasticsearch/xpack/core/upgrade/IndexUpgradeCheckVersion.java
View file
Open in desktop

This file was deleted.

2 changes: 1 addition & 1 deletion ...in/resources/security-index-template.json → .../resources/security-index-template-6.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"index_patterns" : [ ".security-*" ],
"index_patterns" : [ ".security-6" ],
"order" : 1000,
"settings" : {
"number_of_shards" : 1,
Expand Down
151 changes: 151 additions & 0 deletions x-pack/plugin/core/src/main/resources/security-index-template-7.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,151 @@
{
"index_patterns" : [ ".security-7" ],
"order" : 1000,
"settings" : {
"number_of_shards" : 1,
"number_of_replicas" : 0,
"auto_expand_replicas" : "0-1",
"index.priority": 1000,
"index.format": 6,
"analysis" : {
"filter" : {
"email" : {
"type" : "pattern_capture",
"preserve_original" : true,
"patterns" : [
"([^@]+)",
"(\\p{L}+)",
"(\\d+)",
"@(.+)"
]
}
},
"analyzer" : {
"email" : {
"tokenizer" : "uax_url_email",
"filter" : [
"email",
"lowercase",
"unique"
]
}
}
}
},
"mappings" : {
"doc" : {
"_meta": {
"security-version": "${security.template.version}"
},
"dynamic" : "strict",
"properties" : {
"username" : {
"type" : "keyword"
},
"roles" : {
"type" : "keyword"
},
"password" : {
"type" : "keyword",
"index" : false,
"doc_values": false
},
"full_name" : {
"type" : "text"
},
"email" : {
"type" : "text",
"analyzer" : "email"
},
"metadata" : {
"type" : "object",
"dynamic" : true
},
"enabled": {
"type": "boolean"
},
"cluster" : {
"type" : "keyword"
},
"indices" : {
"type" : "object",
"properties" : {
"field_security" : {
"properties" : {
"grant": {
"type": "keyword"
},
"except": {
"type": "keyword"
}
}
},
"names" : {
"type" : "keyword"
},
"privileges" : {
"type" : "keyword"
},
"query" : {
"type" : "keyword"
}
}
},
"applications": {
"type": "object",
"properties": {
"application": {
"type": "keyword"
},
"privileges": {
"type": "keyword"
},
"resources": {
"type": "keyword"
}
}
},
"application" : {
"type" : "keyword"
},
"global": {
"type": "object",
"properties": {
"application": {
"type": "object",
"properties": {
"manage": {
"type": "object",
"properties": {
"applications": {
"type": "keyword"
}
}
}
}
}
}
},
"name" : {
"type" : "keyword"
},
"run_as" : {
"type" : "keyword"
},
"doc_type" : {
"type" : "keyword"
},
"type" : {
"type" : "keyword"
},
"actions" : {
"type" : "keyword"
},
"rules" : {
"type" : "object",
"dynamic" : true
}
}
}
}
}
89 changes: 89 additions & 0 deletions x-pack/plugin/core/src/main/resources/security-tokens-index-template-7.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
{
"index_patterns" : [ ".security-tokens-7" ],
"order" : 1000,
"settings" : {
"number_of_shards" : 1,
"number_of_replicas" : 0,
"auto_expand_replicas" : "0-1",
"index.priority": 1000,
"index.format": 7
},
"mappings" : {
"doc" : {
"_meta": {
"security-version": "${security.template.version}"
},
"dynamic" : "strict",
"properties" : {
"doc_type" : {
"type" : "keyword"
},
"creation_time" : {
"type" : "date",
"format" : "epoch_millis"
},
"refresh_token" : {
"type" : "object",
"properties" : {
"token" : {
"type" : "keyword"
},
"refreshed" : {
"type" : "boolean"
},
"invalidated" : {
"type" : "boolean"
},
"client" : {
"type" : "object",
"properties" : {
"type" : {
"type" : "keyword"
},
"user" : {
"type" : "keyword"
},
"realm" : {
"type" : "keyword"
}
}
}
}
},
"access_token" : {
"type" : "object",
"properties" : {
"user_token" : {
"type" : "object",
"properties" : {
"id" : {
"type" : "keyword"
},
"expiration_time" : {
"type" : "date",
"format" : "epoch_millis"
},
"version" : {
"type" : "integer"
},
"metadata" : {
"type" : "object",
"dynamic" : true
},
"authentication" : {
"type" : "binary"
}
}
},
"invalidated" : {
"type" : "boolean"
},
"realm" : {
"type" : "keyword"
}
}
}
}
}
}
}
18 changes: 10 additions & 8 deletions x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -252,8 +252,8 @@
import static java.util.Collections.singletonList;
import static org.elasticsearch.cluster.metadata.IndexMetaData.INDEX_FORMAT_SETTING;
import static org.elasticsearch.xpack.core.XPackSettings.HTTP_SSL_ENABLED;
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.INTERNAL_INDEX_FORMAT;
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_INDEX_NAME;
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.INTERNAL_SECURITY_INDEX_FORMAT;
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_ALIAS_NAME;
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_TEMPLATE_NAME;

public class Security extends Plugin implements ActionPlugin, IngestPlugin, NetworkPlugin, ClusterPlugin,
Expand Down Expand Up @@ -428,9 +428,11 @@ Collection<Object> createComponents(Client client, ThreadPool threadPool, Cluste
components.add(auditTrailService);
this.auditTrailService.set(auditTrailService);

securityIndex.set(new SecurityIndexManager(client, SecurityIndexManager.SECURITY_INDEX_NAME, clusterService));
securityIndex.set(SecurityIndexManager.buildSecurityIndexManager(client, clusterService));
final SecurityIndexManager securityTokensIndex = SecurityIndexManager.buildSecurityTokensIndexManager(client, clusterService);

final TokenService tokenService = new TokenService(settings, Clock.systemUTC(), client, securityIndex.get(), clusterService);
final TokenService tokenService = new TokenService(settings, Clock.systemUTC(), client, securityIndex.get(),
securityTokensIndex, clusterService);
this.tokenService.set(tokenService);
components.add(tokenService);

Expand Down Expand Up @@ -1077,10 +1079,10 @@ static final class ValidateUpgradedSecurityIndex implements BiConsumer<Discovery
@Override
public void accept(DiscoveryNode node, ClusterState state) {
if (state.getNodes().getMinNodeVersion().before(Version.V_7_0_0)) {
IndexMetaData indexMetaData = state.getMetaData().getIndices().get(SECURITY_INDEX_NAME);
if (indexMetaData != null && INDEX_FORMAT_SETTING.get(indexMetaData.getSettings()) < INTERNAL_INDEX_FORMAT) {
throw new IllegalStateException("Security index is not on the current version [" + INTERNAL_INDEX_FORMAT + "] - " +
"The Upgrade API must be run for 7.x nodes to join the cluster");
IndexMetaData indexMetaData = state.getMetaData().getIndices().get(SECURITY_ALIAS_NAME);
if (indexMetaData != null && INDEX_FORMAT_SETTING.get(indexMetaData.getSettings()) < INTERNAL_SECURITY_INDEX_FORMAT) {
throw new IllegalStateException("Index [" + SECURITY_ALIAS_NAME + "] is not on the current version ["
+ INTERNAL_SECURITY_INDEX_FORMAT + "]. The Upgrade API must be run for 7.x nodes to join the cluster");
}
}
}
Expand Down
13 changes: 11 additions & 2 deletions ...in/security/src/main/java/org/elasticsearch/xpack/security/authc/ExpiredTokenRemover.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,15 +43,24 @@ final class ExpiredTokenRemover extends AbstractRunnable {
private final Client client;
private final AtomicBoolean inProgress = new AtomicBoolean(false);
private final TimeValue timeout;
private final SecurityIndexManager securityIndex;
private final SecurityIndexManager securityTokensIndex;

ExpiredTokenRemover(Settings settings, Client client) {
ExpiredTokenRemover(Settings settings, Client client, SecurityIndexManager securityIndex, SecurityIndexManager securityTokensIndex) {
this.client = client;
this.timeout = TokenService.DELETE_TIMEOUT.get(settings);
this.securityIndex = securityIndex;
this.securityTokensIndex = securityTokensIndex;
}

@Override
public void doRun() {
DeleteByQueryRequest expiredDbq = new DeleteByQueryRequest(SecurityIndexManager.SECURITY_INDEX_NAME);
final DeleteByQueryRequest expiredDbq;
if (securityTokensIndex.exists()) {
expiredDbq = new DeleteByQueryRequest(securityTokensIndex.aliasName());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this truly a binary choice? Maybe the alias should point to both indices until the upgrade or something like that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is a binary choice.

Tokens, expired or not, can sit in a single index at a certain moment in time: either .security-6 or .security-tokens-7. When the remover job starts, it builds the query accordingly. It is possible that after building the query and before its execution, the tokens can move (from .security-6 to .security-tokens-7) and the delete will miss them, but they will be catched by the next removal job.

} else {
expiredDbq = new DeleteByQueryRequest(securityIndex.aliasName());
}
if (timeout != TimeValue.MINUS_ONE) {
expiredDbq.setTimeout(timeout);
expiredDbq.getSearchRequest().source().timeout(timeout);
Expand Down
Loading