public SearchGuardFilter(final PrivilegesEvaluator evalp, final AdminDNs adminDns, DlsFlsRequestValve dlsFlsValve, AuditLog auditLog, ThreadPool threadPool, ClusterService cs, ComplianceConfig complianceConfig, final CompatConfig compatConfig) { this.evalp = evalp; this.adminDns = adminDns; this.dlsFlsValve = dlsFlsValve; this.auditLog = auditLog; this.threadContext = threadPool.getThreadContext(); this.cs = cs; this.complianceConfig = complianceConfig; this.compatConfig = compatConfig; }
public SearchGuardNonSslHttpServerTransport(final Settings settings, final NetworkService networkService, final BigArrays bigArrays, final ThreadPool threadPool, final NamedXContentRegistry namedXContentRegistry, final Dispatcher dispatcher) { super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher); this.threadContext = threadPool.getThreadContext(); }
public XFFResolver(final ThreadPool threadPool) { super(); this.threadContext = threadPool.getThreadContext(); }
public SearchGuardRestFilter(final BackendRegistry registry, final AuditLog auditLog, final ThreadPool threadPool, final PrincipalExtractor principalExtractor, final Settings settings, final Path configPath, final CompatConfig compatConfig) { super(); this.registry = registry; this.auditLog = auditLog; this.threadContext = threadPool.getThreadContext(); this.principalExtractor = principalExtractor; this.settings = settings; this.configPath = configPath; this.compatConfig = compatConfig; }
protected final ThreadContext getThreadContext() { return threadPool.getThreadContext(); } }
private ThreadContext getThreadContext() { return threadPool.getThreadContext(); }
public TenantInfoAction(final Settings settings, final RestController controller, final PrivilegesEvaluator evaluator, final ThreadPool threadPool, final ClusterService clusterService, final AdminDNs adminDns) { super(settings); this.threadContext = threadPool.getThreadContext(); this.evaluator = evaluator; this.clusterService = clusterService; this.adminDns = adminDns; controller.registerHandler(GET, "/_searchguard/tenantinfo", this); controller.registerHandler(POST, "/_searchguard/tenantinfo", this); }
public SearchGuardInfoAction(final Settings settings, final RestController controller, final PrivilegesEvaluator evaluator, final ThreadPool threadPool) { super(settings); this.threadContext = threadPool.getThreadContext(); this.evaluator = evaluator; controller.registerHandler(GET, "/_searchguard/authinfo", this); controller.registerHandler(POST, "/_searchguard/authinfo", this); }
public KibanaInfoAction(final Settings settings, final RestController controller, final PrivilegesEvaluator evaluator, final ThreadPool threadPool) { super(settings); this.threadContext = threadPool.getThreadContext(); this.evaluator = evaluator; controller.registerHandler(GET, "/_searchguard/kibanainfo", this); controller.registerHandler(POST, "/_searchguard/kibanainfo", this); }
@Override protected void doExecute(WhoAmIRequest request, ActionListener<WhoAmIResponse> listener) { final User user = threadPool.getThreadContext().getTransient(ConfigConstants.SG_USER); final String dn = user==null?threadPool.getThreadContext().getTransient(ConfigConstants.SG_SSL_TRANSPORT_PRINCIPAL):user.getName(); final boolean isAdmin = adminDNs.isAdminDN(dn); final boolean isAuthenticated = isAdmin?true: user != null; final boolean isNodeCertificateRequest = HeaderHelper.isInterClusterRequest(threadPool.getThreadContext()) || HeaderHelper.isTrustedClusterRequest(threadPool.getThreadContext()); listener.onResponse(new WhoAmIResponse(dn, isAdmin, isAuthenticated, isNodeCertificateRequest)); } }
public SearchGuardIndexSearcherWrapper(final IndexService indexService, final Settings settings, final AdminDNs adminDNs) { index = indexService.index(); threadContext = indexService.getThreadPool().getThreadContext(); this.searchguardIndex = settings.get(ConfigConstants.SEARCHGUARD_CONFIG_INDEX_NAME, ConfigConstants.SG_DEFAULT_CONFIG_INDEX); this.adminDns = adminDNs; }
.deserializeSafeFromHeader(threadPool.getThreadContext(), ConfigConstants.SG_FLS_FIELDS_HEADER);
String injectedUserString = threadPool.getThreadContext().getTransient(ConfigConstants.SG_INJECTED_USER); InetAddress iAdress = InetAddress.getByName(ipAndPort[0]); int port = Integer.parseInt(ipAndPort[1]); threadPool.getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new TransportAddress(iAdress, port)); } catch (UnknownHostException | NumberFormatException e) { log.error("Cannot parse remote IP or port: {}, user injection failed.", parts[2], e); threadPool.getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, xffResolver.resolve(request)); threadPool.getThreadContext().putTransient(ConfigConstants.SG_USER, user); auditLog.logSucceededLogin(parts[0], true, null, request); if (log.isTraceEnabled()) {
@Override public Map<String, Supplier<HttpServerTransport>> getHttpTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays, CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NamedXContentRegistry xContentRegistry, NetworkService networkService, Dispatcher dispatcher) { if(sslOnly) { return super.getHttpTransports(settings, threadPool, bigArrays, circuitBreakerService, namedWriteableRegistry, xContentRegistry, networkService, dispatcher); } Map<String, Supplier<HttpServerTransport>> httpTransports = new HashMap<String, Supplier<HttpServerTransport>>(1); if(!disabled) { if (!client && httpSSLEnabled && !tribeNodeClient) { final ValidatingDispatcher validatingDispatcher = new ValidatingDispatcher(threadPool.getThreadContext(), dispatcher, settings, configPath, evaluateSslExceptionHandler()); //TODO close sghst final SearchGuardHttpServerTransport sghst = new SearchGuardHttpServerTransport(settings, networkService, bigArrays, threadPool, sgks, evaluateSslExceptionHandler(), xContentRegistry, validatingDispatcher); httpTransports.put("com.floragunn.searchguard.http.SearchGuardHttpServerTransport", () -> sghst); } else if (!client && !tribeNodeClient) { httpTransports.put("com.floragunn.searchguard.http.SearchGuardHttpServerTransport", () -> new SearchGuardNonSslHttpServerTransport(settings, networkService, bigArrays, threadPool, xContentRegistry, dispatcher)); } } return httpTransports; }
public Map<String, Tuple<Long, Settings>> loadConfigurations(Collection<String> configTypes, boolean logComplianceEvent) { final ThreadContext threadContext = threadPool.getThreadContext(); final Map<String, Tuple<Long, Settings>> retVal = new HashMap<String, Tuple<Long, Settings>>();
public PrivilegesEvaluatorResponse evaluate(final ClusterService clusterService, final IndexNameExpressionResolver resolver, final Resolved requestedResolved, final User user, final SgRoles sgRoles, final PrivilegesEvaluatorResponse presponse) { ThreadContext threadContext = threadPool.getThreadContext();
public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool threadPool, final ConfigurationRepository configurationRepository, final ActionGroupHolder ah, final IndexNameExpressionResolver resolver, AuditLog auditLog, final Settings settings, final PrivilegesInterceptor privilegesInterceptor, final ClusterInfoHolder clusterInfoHolder) { super(); this.configurationRepository = configurationRepository; this.clusterService = clusterService; this.resolver = resolver; this.auditLog = auditLog; this.threadContext = threadPool.getThreadContext(); this.privilegesInterceptor = privilegesInterceptor; try { rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(settings.get(ConfigConstants.SEARCHGUARD_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString()).toUpperCase()); } catch (Exception e) { log.error("Cannot apply roles mapping resolution",e); rolesMappingResolution = ConfigConstants.RolesMappingResolution.MAPPING_ONLY; } this.checkSnapshotRestoreWritePrivileges = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, ConfigConstants.SG_DEFAULT_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES); this.clusterInfoHolder = clusterInfoHolder; //this.typeSecurityDisabled = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_DISABLE_TYPE_SECURITY, false); configModel = new ConfigModel(ah, configurationRepository); irr = new IndexResolverReplacer(resolver, clusterService, clusterInfoHolder); snapshotRestoreEvaluator = new SnapshotRestoreEvaluator(settings, auditLog); sgIndexAccessEvaluator = new SearchGuardIndexAccessEvaluator(settings, auditLog); dlsFlsEvaluator = new DlsFlsEvaluator(settings, threadPool); termsAggregationEvaluator = new TermsAggregationEvaluator(); }
private SearchGuardLicense createOrGetTrial(String msg) { long created = System.currentTimeMillis(); ThreadContext threadContext = threadPool.getThreadContext(); try(StoredContext ctx = threadContext.stashContext()) { threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true"); GetResponse get = client.prepareGet(searchguardIndex, "sg", "tattr").get(); if(get.isExists()) { created = (long) get.getSource().get("val"); } else { try { client.index(new IndexRequest(searchguardIndex) .type("sg") .id("tattr") .setRefreshPolicy(RefreshPolicy.IMMEDIATE) .create(true) .source("{\"val\": "+System.currentTimeMillis()+"}", XContentType.JSON)).actionGet(); } catch (VersionConflictEngineException e) { //ignore } catch (Exception e) { LOGGER.error("Unable to index tattr", e); } } } return SearchGuardLicense.createTrialLicense(formatDate(created), clusterService, msg); } }
private User impersonate(final TransportRequest tr, final User origPKIuser) throws ElasticsearchSecurityException { final String impersonatedUser = threadPool.getThreadContext().getHeader("sg_impersonate_as"); if(Strings.isNullOrEmpty(impersonatedUser)) { return null; //nothing to do } if (!isInitialized()) { throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized"); } if (origPKIuser == null) { throw new ElasticsearchSecurityException("no original PKI user found"); } User aU = origPKIuser; if (adminDns.isAdminDN(impersonatedUser)) { throw new ElasticsearchSecurityException("'"+origPKIuser.getName() + "' is not allowed to impersonate as an adminuser '" + impersonatedUser+"'"); } try { if (impersonatedUser != null && !adminDns.isTransportImpersonationAllowed(new LdapName(origPKIuser.getName()), impersonatedUser)) { throw new ElasticsearchSecurityException("'"+origPKIuser.getName() + "' is not allowed to impersonate as '" + impersonatedUser+"'"); } else if (impersonatedUser != null) { aU = new User(impersonatedUser); if(log.isDebugEnabled()) { log.debug("Impersonate from '{}' to '{}'",origPKIuser.getName(), impersonatedUser); } } } catch (final InvalidNameException e1) { throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + origPKIuser.getName() + "'), should never happen", e1); } return aU; }
final String authorizationHeader = threadPool.getThreadContext().getHeader("Authorization");