Elasticsearch 2.3

[jehuty0shift]

Hello, I wrote a support for Elasticsearch 2.3.3 based on the previous work done for the Elasticsearch 2.1 support. Since ES 2.2, the plugin security is enhanced so i made several changes to the plugin to make it work. I'm detailing these changes in the text below.

1) The biggest change concerns the DLS and FLS filters. These filters needed to inject a callback into Elasticsearch code itself. So basically they needed a lot of java policy authorizations to be able to do that. In my opinion, this is really intrusive and can be done more easily by implementing simple filtering of queries like the ArmorAction Filter do. This kind of query rewrite is not perfect since another ES plugin could mess the whole thing, but it is more maintainable IMHO (since the ES Query API is not subject to change often). Because DLS and FLS are filters, they are now always enabled and the callback code is now gone. I would be happy to discuss implementation details since i think we can improve this code even more.

2) Since ES 2.2 requires permissions for so i added a policy file. Note that i couldn't manage to get the policy java.io.FilePermission work for the directory "." (current directory), this permission is needed to for the _armor.keypath default value. I added a workaround by requiring the permission on the _armor.keypath directly so now this setting is mandatory. (we could maybe set the default path to /tmp or the path.data, since these paths are writable by any plugin.

3) I did not touch the tests since for a first version i wanted that all the tests pass as before (they do). The only change i made is that we now in ES 2.2+ need to create special ES Nodes Builder to attach the plugin to the nodes.

I still need to update the documentation and do some code cleaning (Copyright and other stuff), but the whole thing is working on my production system for several days now.

So let me know if you see something that you don't understand. PS: i did a PR on this elasticsearch_2.1 branch since it is likely to become the es 2.x branch

[jmaitrehenry]

Hello! Great works! I just check the travis build and we have 2 failing tests:

Failed tests: 
  AuthNAuthZTest.testSpnegoAuth:118->AbstractScenarioTest.searchOnlyAllowed:162->AbstractUnitTest.executeSearch:434 Error msg: 401 Unauthorized
  AuthNAuthZTest.testSpnegoAuth:118->AbstractScenarioTest.searchOnlyAllowed:162->AbstractUnitTest.executeSearch:434 Error msg: 401 Unauthorized

Could you check it? After that I will be really happy to merge your works (and merge the elastic_2_1 branche into master). After that, you can do a code cleanup in an another Pull Request without problem and I could add you as a maintainer.

Thanks again for your works.

[jehuty0shift]

Thanks for your quick reply ! I fixed the copyright as you asked. Sorry my IDE wasn't configured properly for this project. For the 2 failing tests, i will have to dig into them because they do not failed on my setup :-/. I will check what's going on but it seems that when the JestClient tries to contact the cluster, it is not available anymore. I 'm checking it !

[coveralls]

Changes Unknown when pulling 96d2d18a9ff4c7ebc0e0c5f228902e6efef74706 on jehuty0shift:elasticsearch_2.3 into \ on petalmd:elasticsearch_2.1**.

[jehuty0shift]

Ok just to let you know, the problem was in fact with the configuration of the SPNegoSchemeFactory that used the hostname to contact the Kerberos server instead of th IP address. Forcing the AuthSchemeProvider to use the IP in Travis allows it to work as Expected.

[jmaitrehenry]

Thanks for your work!