address feedback, simplify changes

Author: ywangd

server/src/main/java/org/elasticsearch/Version.java

@@ -452,19 +452,6 @@ public boolean isCompatible(Version version) {
         return compatible;
     }
 
-    /**
-     * Get the released version that is before the given version
-     */
-    public Version getPreviousVersion() {
-        for (int i = DeclaredVersionsHolder.DECLARED_VERSIONS.size() - 1; i >= 0; i--) {
-            final Version version = DeclaredVersionsHolder.DECLARED_VERSIONS.get(i);
-            if (version.isRelease() && version.before(this)) {
-                return version;
-            }
-        }
-        throw new IllegalArgumentException("cannot find a released version before [" + this + "]");
-    }
-
     @SuppressForbidden(reason = "System.out.*")
     public static void main(String[] args) {
         final String versionOutput = String.format(

server/src/test/java/org/elasticsearch/VersionTests.java

@@ -388,13 +388,4 @@ public void testUnreleasedVersion() {
         VersionTests.assertUnknownVersion(VERSION_5_1_0_UNRELEASED);
     }
 
-    public void testPreviousVersion() {
-        assertThat(Version.V_7_13_0.getPreviousVersion(), is(Version.V_7_12_1));
-        assertThat(Version.V_7_12_1.getPreviousVersion(), is(Version.V_7_12_0));
-        assertThat(Version.V_7_12_0.getPreviousVersion(), is(Version.V_7_11_2));
-        assertThat(Version.V_7_11_2.getPreviousVersion(), is(Version.V_7_11_1));
-        assertThat(Version.V_7_11_1.getPreviousVersion(), is(Version.V_7_11_0));
-        final IllegalArgumentException e = expectThrows(IllegalArgumentException.class, Version.V_6_0_0::getPreviousVersion);
-        assertThat(e.getMessage(), containsString("cannot find a released version before [6.0.0]"));
-    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -200,7 +200,6 @@
 import org.elasticsearch.xpack.security.authc.TokenService;
 import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
 import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
-import org.elasticsearch.xpack.security.authc.support.ApiKeyGenerator;
 import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;
 import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
 import org.elasticsearch.xpack.security.authz.AuthorizationService;
@@ -532,8 +531,6 @@ Collection<Object> createComponents(Client client, ThreadPool threadPool, Cluste
             dlsBitsetCache.get(), new DeprecationRoleDescriptorConsumer(clusterService, threadPool));
         securityIndex.get().addIndexStateListener(allRolesStore::onSecurityIndexStateChange);
 
-        components.add(new ApiKeyGenerator(apiKeyService, allRolesStore, clusterService, xContentRegistry));
-
         // to keep things simple, just invalidate all cached entries on license change. this happens so rarely that the impact should be
         // minimal
         getLicenseState().addListener(allRolesStore::invalidateAll);
@@ -1248,7 +1245,7 @@ private static SystemIndexDescriptor getSecurityMainIndexDescriptor() {
                      .setIndexPattern(".security-[0-9]+")
                      .setPrimaryIndex(RestrictedIndicesNames.INTERNAL_SECURITY_MAIN_INDEX_7)
                      .setDescription("Contains Security configuration")
-                     .setMappings(getIndexMappings(Version.V_7_13_0.getPreviousVersion()))
+                     .setMappings(getIndexMappings(Version.V_7_12_0))
                      .setSettings(getIndexSettings())
                      .setAliasName(SECURITY_MAIN_ALIAS)
                      .setIndexFormat(INTERNAL_MAIN_INDEX_FORMAT)

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/TransportCreateApiKeyAction.java

@@ -11,14 +11,17 @@
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.HandledTransportAction;
 import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.xcontent.NamedXContentRegistry;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xpack.core.security.SecurityContext;
 import org.elasticsearch.xpack.core.security.action.CreateApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
 import org.elasticsearch.xpack.core.security.action.CreateApiKeyResponse;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.security.authc.ApiKeyService;
 import org.elasticsearch.xpack.security.authc.support.ApiKeyGenerator;
+import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
 
 /**
  * Implementation of the action needed to create an API key
@@ -29,10 +32,10 @@ public final class TransportCreateApiKeyAction extends HandledTransportAction<Cr
     private final SecurityContext securityContext;
 
     @Inject
-    public TransportCreateApiKeyAction(TransportService transportService, ActionFilters actionFilters,
-                                       SecurityContext context, ApiKeyGenerator apiKeyGenerator) {
+    public TransportCreateApiKeyAction(TransportService transportService, ActionFilters actionFilters, ApiKeyService apiKeyService,
+                                       SecurityContext context, CompositeRolesStore rolesStore, NamedXContentRegistry xContentRegistry) {
         super(CreateApiKeyAction.NAME, transportService, actionFilters, CreateApiKeyRequest::new);
-        this.generator = apiKeyGenerator;
+        this.generator = new ApiKeyGenerator(apiKeyService, rolesStore, xContentRegistry);
         this.securityContext = context;
     }
 
@@ -45,4 +48,5 @@ protected void doExecute(Task task, CreateApiKeyRequest request, ActionListener<
             generator.generateApiKey(authentication, request, listener);
         }
     }
+
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/TransportGrantApiKeyAction.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.action.support.HandledTransportAction;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.common.xcontent.NamedXContentRegistry;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportRequest;
@@ -22,9 +23,11 @@
 import org.elasticsearch.xpack.core.security.action.GrantApiKeyRequest;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
+import org.elasticsearch.xpack.security.authc.ApiKeyService;
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
 import org.elasticsearch.xpack.security.authc.TokenService;
 import org.elasticsearch.xpack.security.authc.support.ApiKeyGenerator;
+import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
 
 /**
  * Implementation of the action needed to create an API key on behalf of another user (using an OAuth style "grant")
@@ -38,10 +41,10 @@ public final class TransportGrantApiKeyAction extends HandledTransportAction<Gra
 
     @Inject
     public TransportGrantApiKeyAction(TransportService transportService, ActionFilters actionFilters, ThreadPool threadPool,
-                                      AuthenticationService authenticationService, TokenService tokenService,
-                                      ApiKeyGenerator apiKeyGenerator) {
+                                      ApiKeyService apiKeyService, AuthenticationService authenticationService, TokenService tokenService,
+                                      CompositeRolesStore rolesStore, NamedXContentRegistry xContentRegistry) {
         this(transportService, actionFilters, threadPool.getThreadContext(),
-            apiKeyGenerator, authenticationService, tokenService
+            new ApiKeyGenerator(apiKeyService, rolesStore, xContentRegistry), authenticationService, tokenService
         );
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java

@@ -141,6 +141,7 @@ public class ApiKeyService {
 
     private static final Logger logger = LogManager.getLogger(ApiKeyService.class);
     private static final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(ApiKeyService.class);
+    private static final Version METADATA_INTRODUCED = Version.V_7_13_0;
     public static final String API_KEY_ID_KEY = "_security_api_key_id";
     public static final String API_KEY_NAME_KEY = "_security_api_key_name";
     public static final String API_KEY_METADATA_KEY = "_security_api_key_metadata";
@@ -250,6 +251,13 @@ public void invalidateAll() {
     public void createApiKey(Authentication authentication, CreateApiKeyRequest request, Set<RoleDescriptor> userRoles,
                              ActionListener<CreateApiKeyResponse> listener) {
         ensureEnabled();
+        if (request.getMetadata() != null && false == request.getMetadata().isEmpty()) {
+            if (securityIndex.getInstallableMappingVersion().before(METADATA_INTRODUCED)) {
+                listener.onFailure(new IllegalArgumentException("API metadata requires all nodes to be at least ["
+                    + FLATTENED_FIELD_TYPE_INTRODUCED + "]"));
+                return;
+            }
+        }
         if (authentication == null) {
             listener.onFailure(new IllegalArgumentException("authentication must be provided"));
         } else {
@@ -337,13 +345,11 @@ XContentBuilder newDocument(SecureString apiKey, String name, Authentication aut
         builder.field("name", name)
             .field("version", version.id);
 
-        final Version smallestNonClientNodeVersion = clusterService.state().nodes().getSmallestNonClientNodeVersion();
-        if (smallestNonClientNodeVersion.onOrAfter(FLATTENED_FIELD_TYPE_INTRODUCED)) {
+        if (metadata != null && false == metadata.isEmpty()) {
+            // The check in createApiKey method should prevent this assertion from tripping
+            assert securityIndex.getInstallableMappingVersion().onOrAfter(METADATA_INTRODUCED)
+                : "API metadata requires all nodes to be at least [" + FLATTENED_FIELD_TYPE_INTRODUCED + "]";
             builder.field("metadata_flattened", metadata);
-        } else {
-            // The assertion should not trip because ApiKeyGenerator should prevent it
-            assert metadata == null || metadata.isEmpty()
-                : "API key metadata requires all nodes to be at least [" + FLATTENED_FIELD_TYPE_INTRODUCED + "]";
         }
 
         builder.startObject("creator")

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/ApiKeyGenerator.java

@@ -9,9 +9,7 @@
 
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchSecurityException;
-import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionListener;
-import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.xcontent.NamedXContentRegistry;
 import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
 import org.elasticsearch.xpack.core.security.action.CreateApiKeyResponse;
@@ -24,23 +22,18 @@
 import java.util.Arrays;
 import java.util.HashSet;
 
-import static org.elasticsearch.xpack.security.Security.FLATTENED_FIELD_TYPE_INTRODUCED;
-
 /**
  * Utility class for generating API keys for a provided {@link Authentication}.
  */
 public class ApiKeyGenerator {
 
     private final ApiKeyService apiKeyService;
     private final CompositeRolesStore rolesStore;
-    private final ClusterService clusterService;
     private final NamedXContentRegistry xContentRegistry;
 
-    public ApiKeyGenerator(ApiKeyService apiKeyService, CompositeRolesStore rolesStore, ClusterService clusterService,
-                           NamedXContentRegistry xContentRegistry) {
+    public ApiKeyGenerator(ApiKeyService apiKeyService, CompositeRolesStore rolesStore, NamedXContentRegistry xContentRegistry) {
         this.apiKeyService = apiKeyService;
         this.rolesStore = rolesStore;
-        this.clusterService = clusterService;
         this.xContentRegistry = xContentRegistry;
     }
 
@@ -50,14 +43,6 @@ public void generateApiKey(Authentication authentication, CreateApiKeyRequest re
             return;
         }
         apiKeyService.ensureEnabled();
-        if (request.getMetadata() != null && false == request.getMetadata().isEmpty()) {
-            final Version smallestNonClientNodeVersion = clusterService.state().nodes().getSmallestNonClientNodeVersion();
-            if (smallestNonClientNodeVersion.before(FLATTENED_FIELD_TYPE_INTRODUCED)) {
-                listener.onFailure(new IllegalArgumentException("API metadata requires all nodes to be at least ["
-                    + FLATTENED_FIELD_TYPE_INTRODUCED + "], got [" + smallestNonClientNodeVersion + "]"));
-                return;
-            }
-        }
         if (Authentication.AuthenticationType.API_KEY == authentication.getAuthenticationType() && grantsAnyPrivileges(request)) {
             listener.onFailure(new IllegalArgumentException(
                 "creating derived api keys requires an explicit role descriptor that is empty (has no privileges)"));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityIndexManager.java

@@ -421,6 +421,12 @@ public void onFailure(Exception e) {
         }
     }
 
+    public Version getInstallableMappingVersion() {
+        final State indexState = this.indexState; // use a local copy so all checks execute against the same state!
+        final SystemIndexDescriptor descriptor = systemIndexDescriptor.getDescriptorCompatibleWith(indexState.minimumNodeVersion);
+        return descriptor == null ? Version.V_EMPTY : descriptor.getMappingVersion();
+    }
+
     /**
      * Return true if the state moves from an unhealthy ("RED") index state to a healthy ("non-RED") state.
      */

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java

@@ -11,9 +11,7 @@
 import org.elasticsearch.Version;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.node.DiscoveryNode;
-import org.elasticsearch.cluster.node.DiscoveryNodes;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.ClusterSettings;
@@ -96,13 +94,10 @@ public void init() throws Exception {
             arg0.updateLocalNodeInfo(localNode);
             return null;
         }).when(clusterService).addListener(Mockito.isA(LoggingAuditTrail.class));
-        final ClusterState clusterState = mock(ClusterState.class);
-        final DiscoveryNodes nodes = mock(DiscoveryNodes.class);
-        when(nodes.getSmallestNonClientNodeVersion()).thenReturn(Version.CURRENT);
-        when(clusterState.nodes()).thenReturn(nodes);
-        when(clusterService.state()).thenReturn(clusterState);
+        final SecurityIndexManager securityIndexManager = mock(SecurityIndexManager.class);
+        when(securityIndexManager.getInstallableMappingVersion()).thenReturn(Version.CURRENT);
         apiKeyService = new ApiKeyService(settings, Clock.systemUTC(), mock(Client.class), new XPackLicenseState(settings, () -> 0),
-                                          mock(SecurityIndexManager.class), clusterService,
+            securityIndexManager, clusterService,
                                           mock(CacheInvalidatorRegistry.class), mock(ThreadPool.class));
     }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java

@@ -15,9 +15,7 @@
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.action.support.WriteRequest;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.node.DiscoveryNode;
-import org.elasticsearch.cluster.node.DiscoveryNodes;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.bytes.BytesArray;
@@ -262,6 +260,7 @@ public void init() throws Exception {
         when(localNode.getAddress()).thenReturn(buildNewFakeTransportAddress());
         Client client = mock(Client.class);
         SecurityIndexManager securityIndexManager = mock(SecurityIndexManager.class);
+        when(securityIndexManager.getInstallableMappingVersion()).thenReturn(Version.CURRENT);
         clusterService = mock(ClusterService.class);
         when(clusterService.localNode()).thenReturn(localNode);
         Mockito.doAnswer((Answer) invocation -> {
@@ -278,11 +277,6 @@ public void init() throws Exception {
                         LoggingAuditTrail.FILTER_POLICY_IGNORE_INDICES, LoggingAuditTrail.FILTER_POLICY_IGNORE_ACTIONS,
                         Loggers.LOG_LEVEL_SETTING)));
         when(clusterService.getClusterSettings()).thenReturn(clusterSettings);
-        final ClusterState clusterState = mock(ClusterState.class);
-        final DiscoveryNodes nodes = mock(DiscoveryNodes.class);
-        when(nodes.getSmallestNonClientNodeVersion()).thenReturn(Version.CURRENT);
-        when(clusterState.nodes()).thenReturn(nodes);
-        when(clusterService.state()).thenReturn(clusterState);
         commonFields = new LoggingAuditTrail.EntryCommonFields(settings, localNode).commonFields;
         threadContext = new ThreadContext(Settings.EMPTY);
         if (randomBoolean()) {