/** ensure exception if we publish to multicast ipv6 address */
 public void testPublishMulticastV6() throws Exception {
   NetworkService service = new NetworkService(Settings.EMPTY);
   try {
     service.resolvePublishHostAddress("FF08::108");
     fail("should have hit exception");
   } catch (IllegalArgumentException e) {
     assertTrue(e.getMessage().contains("invalid: multicast"));
   }
 }
  /** ensure specifying wildcard ipv4 address selects reasonable publish address */
  public void testPublishAnyLocalV4() throws Exception {
    InetAddress expected = null;
    try {
      expected = NetworkUtils.getFirstNonLoopbackAddresses()[0];
    } catch (Exception e) {
      assumeNoException("test requires up-and-running non-loopback address", e);
    }

    NetworkService service = new NetworkService(Settings.EMPTY);
    assertEquals(expected, service.resolvePublishHostAddress("0.0.0.0"));
  }
Exemplo n.º 3
0
 @Inject
 public AwsEc2ServiceImpl(
     Settings settings,
     SettingsFilter settingsFilter,
     NetworkService networkService,
     DiscoveryNodeService discoveryNodeService) {
   super(settings);
   // Filter global settings
   settingsFilter.addFilter(CLOUD_AWS.KEY);
   settingsFilter.addFilter(CLOUD_AWS.SECRET);
   settingsFilter.addFilter(CLOUD_EC2.KEY);
   settingsFilter.addFilter(CLOUD_EC2.SECRET);
   // add specific ec2 name resolver
   networkService.addCustomNameResolver(new Ec2NameResolver(settings));
   discoveryNodeService.addCustomAttributeProvider(new Ec2CustomNodeAttributes(settings));
 }
 /** ensure specifying wildcard ipv6 address will bind to all interfaces */
 public void testBindAnyLocalV6() throws Exception {
   NetworkService service = new NetworkService(Settings.EMPTY);
   assertEquals(InetAddress.getByName("::"), service.resolveBindHostAddress("::")[0]);
 }
  @Override
  protected void doStart() throws ElasticsearchException {
    // Bind and start to accept incoming connections.
    InetAddress hostAddressX;
    try {
      hostAddressX = networkService.resolveBindHostAddress(bindHost);
    } catch (IOException e) {
      throw new BindHttpException("Failed to resolve host [" + bindHost + "]", e);
    }
    final InetAddress hostAddress = hostAddressX;

    InetAddress publishAddressHostX;
    try {
      publishAddressHostX = networkService.resolvePublishHostAddress(publishHost);
    } catch (IOException e) {
      throw new BindHttpException(
          "Failed to resolve publish address host [" + publishHost + "]", e);
    }
    final InetAddress publishAddressHost = publishAddressHostX;

    capiBehavior = new ElasticSearchCAPIBehavior(client, logger, bucketUUIDCache, pluginSettings);
    couchbaseBehavior =
        new ElasticSearchCouchbaseBehavior(client, logger, bucketUUIDCache, pluginSettings);

    PortsRange portsRange = new PortsRange(port);
    final AtomicReference<Exception> lastException = new AtomicReference<Exception>();
    boolean success =
        portsRange.iterate(
            new PortsRange.PortCallback() {
              @Override
              public boolean onPortNumber(int portNumber) {
                try {

                  server =
                      new CAPIServer(
                          capiBehavior,
                          couchbaseBehavior,
                          new InetSocketAddress(hostAddress, portNumber),
                          CouchbaseCAPITransportImpl.this.username,
                          CouchbaseCAPITransportImpl.this.password,
                          numVbuckets);

                  if (publishAddressHost != null) {
                    server.setPublishAddress(publishAddressHost);
                  }

                  server.start();
                } catch (Exception e) {
                  lastException.set(e);
                  return false;
                }
                return true;
              }
            });
    if (!success) {
      throw new BindHttpException("Failed to bind to [" + port + "]", lastException.get());
    }

    InetSocketAddress boundAddress = server.getBindAddress();
    InetSocketAddress publishAddress =
        new InetSocketAddress(publishAddressHost, boundAddress.getPort());
    this.boundAddress =
        new BoundTransportAddress(
            new InetSocketTransportAddress(boundAddress),
            new InetSocketTransportAddress(publishAddress));
  }
  @Override
  protected void doStart() {
    this.serverOpenChannels = new OpenChannelsHandler(logger);

    if (blockingServer) {
      serverBootstrap =
          new ServerBootstrap(
              new OioServerSocketChannelFactory(
                  Executors.newCachedThreadPool(daemonThreadFactory(settings, "http_server_boss")),
                  Executors.newCachedThreadPool(
                      daemonThreadFactory(settings, "http_server_worker"))));
    } else {
      serverBootstrap =
          new ServerBootstrap(
              new NioServerSocketChannelFactory(
                  Executors.newCachedThreadPool(daemonThreadFactory(settings, "http_server_boss")),
                  Executors.newCachedThreadPool(
                      daemonThreadFactory(settings, "http_server_worker")),
                  workerCount));
    }

    serverBootstrap.setPipelineFactory(configureServerChannelPipelineFactory());

    if (!"default".equals(tcpNoDelay)) {
      serverBootstrap.setOption("child.tcpNoDelay", Booleans.parseBoolean(tcpNoDelay, null));
    }
    if (!"default".equals(tcpKeepAlive)) {
      serverBootstrap.setOption("child.keepAlive", Booleans.parseBoolean(tcpKeepAlive, null));
    }
    if (tcpSendBufferSize != null && tcpSendBufferSize.bytes() > 0) {
      serverBootstrap.setOption("child.sendBufferSize", tcpSendBufferSize.bytes());
    }
    if (tcpReceiveBufferSize != null && tcpReceiveBufferSize.bytes() > 0) {
      serverBootstrap.setOption("child.receiveBufferSize", tcpReceiveBufferSize.bytes());
    }
    serverBootstrap.setOption(
        "receiveBufferSizePredictorFactory", receiveBufferSizePredictorFactory);
    serverBootstrap.setOption(
        "child.receiveBufferSizePredictorFactory", receiveBufferSizePredictorFactory);
    serverBootstrap.setOption("reuseAddress", reuseAddress);
    serverBootstrap.setOption("child.reuseAddress", reuseAddress);

    // Bind and start to accept incoming connections.
    InetAddress hostAddresses[];
    try {
      hostAddresses = networkService.resolveBindHostAddress(bindHost);
    } catch (IOException e) {
      throw new BindHttpException("Failed to resolve host [" + bindHost + "]", e);
    }

    for (InetAddress address : hostAddresses) {
      bindAddress(address);
    }

    InetSocketAddress boundAddress = (InetSocketAddress) serverChannels.get(0).getLocalAddress();
    InetSocketAddress publishAddress;
    if (0 == publishPort) {
      publishPort = boundAddress.getPort();
    }
    try {
      publishAddress =
          new InetSocketAddress(networkService.resolvePublishHostAddress(publishHost), publishPort);
    } catch (Exception e) {
      throw new BindTransportException("Failed to resolve publish address", e);
    }
    this.boundAddress =
        new BoundTransportAddress(
            new InetSocketTransportAddress(boundAddress),
            new InetSocketTransportAddress(publishAddress));
  }
  @Override
  protected void doStart() throws ElasticsearchException {
    try {

      final String currentDir = new File(".").getCanonicalPath();
      final String tomcatDir = currentDir + File.separatorChar + "tomcat";

      logger.debug("cur dir " + currentDir);

      if (tomcat != null) {
        try {
          tomcat.stop();
          tomcat.destroy();
        } catch (final Exception e) {

        }
      }

      tomcat = new ExtendedTomcat();
      tomcat.enableNaming();
      tomcat.getServer().setPort(-1); // shutdown disabled
      tomcat.getServer().setAddress("localhost");

      final String httpProtocolImpl =
          blockingServer
              ? "org.apache.coyote.http11.Http11Protocol"
              : "org.apache.coyote.http11.Http11NioProtocol";

      final Connector httpConnector = new Connector(httpProtocolImpl);
      tomcat.setConnector(httpConnector);
      tomcat.getService().addConnector(httpConnector);

      // TODO report tomcat bug with setProtocol

      if (maxContentLength != null) {
        httpConnector.setMaxPostSize(maxContentLength.bytesAsInt());
      }

      if (maxHeaderSize != null) {
        httpConnector.setAttribute("maxHttpHeaderSize", maxHeaderSize.bytesAsInt());
      }

      if (tcpNoDelay != null) {
        httpConnector.setAttribute("tcpNoDelay", tcpNoDelay.booleanValue());
      }

      if (reuseAddress != null) {
        httpConnector.setAttribute("socket.soReuseAddress", reuseAddress.booleanValue());
      }

      if (tcpKeepAlive != null) {
        httpConnector.setAttribute("socket.soKeepAlive", tcpKeepAlive.booleanValue());
        httpConnector.setAttribute(
            "maxKeepAliveRequests", tcpKeepAlive.booleanValue() ? "100" : "1");
      }

      if (tcpReceiveBufferSize != null) {
        httpConnector.setAttribute("socket.rxBufSize", tcpReceiveBufferSize.bytesAsInt());
      }

      if (tcpSendBufferSize != null) {
        httpConnector.setAttribute("socket.txBufSize", tcpSendBufferSize.bytesAsInt());
      }

      httpConnector.setAttribute(
          "compression", compression ? String.valueOf(compressionLevel) : "off");

      if (maxChunkSize != null) {
        httpConnector.setAttribute("maxExtensionSize", maxChunkSize.bytesAsInt());
      }

      httpConnector.setPort(Integer.parseInt(port));

      tomcat.setBaseDir(tomcatDir);

      final TomcatHttpTransportHandlerServlet servlet = new TomcatHttpTransportHandlerServlet();
      servlet.setTransport(this);

      final Context ctx = tomcat.addContext("", currentDir);

      logger.debug("currentDir " + currentDir);

      Tomcat.addServlet(ctx, "ES Servlet", servlet);

      ctx.addServletMapping("/*", "ES Servlet");

      if (useSSL) {
        logger.info("Using SSL");

        // System.setProperty("javax.net.debug", "ssl");
        httpConnector.setAttribute("SSLEnabled", "true");
        httpConnector.setSecure(true);
        httpConnector.setScheme("https");

        httpConnector.setAttribute("sslProtocol", "TLS");

        httpConnector.setAttribute(
            "keystoreFile", settings.get("security.ssl.keystorefile", "keystore"));
        httpConnector.setAttribute(
            "keystorePass", settings.get("security.ssl.keystorepass", "changeit"));
        httpConnector.setAttribute(
            "keystoreType", settings.get("security.ssl.keystoretype", "JKS"));

        final String keyalias = settings.get("security.ssl.keyalias", null);

        if (keyalias != null) {
          httpConnector.setAttribute("keyAlias", keyalias);
        }

        if (useClientAuth) {

          logger.info(
              "Using SSL Client Auth (PKI), so user/roles will be retrieved from client certificate.");

          httpConnector.setAttribute("clientAuth", "true");

          httpConnector.setAttribute(
              "truststoreFile",
              settings.get("security.ssl.clientauth.truststorefile", "truststore"));
          httpConnector.setAttribute(
              "truststorePass", settings.get("security.ssl.clientauth.truststorepass", "changeit"));
          httpConnector.setAttribute(
              "truststoreType", settings.get("security.ssl.clientauth.truststoretype", "JKS"));

          /*final String loginconf = this.settings
          		.get("security.kerberos.login.conf.path");
          final String krbconf = this.settings
          		.get("security.kerberos.krb5.conf.path");

          SecurityUtil.setSystemPropertyToAbsoluteFile(
          		"java.security.auth.login.config", loginconf);
          SecurityUtil.setSystemPropertyToAbsoluteFile(
          		"java.security.krb5.conf", krbconf);*/

          // httpConnector.setAttribute("allowUnsafeLegacyRenegotiation", "true");

          final SecurityConstraint constraint = new SecurityConstraint();
          constraint.addAuthRole("*");
          constraint.setAuthConstraint(true);
          constraint.setUserConstraint("CONFIDENTIAL");

          final SecurityCollection col = new SecurityCollection();
          col.addPattern("/*");

          constraint.addCollection(col);
          ctx.addConstraint(constraint);

          final LoginConfig lc = new LoginConfig();
          lc.setAuthMethod("CLIENT-CERT");
          lc.setRealmName("clientcretificate");
          ctx.setLoginConfig(lc);

          configureJndiRealm(ctx);

          ctx.getPipeline().addValve(new SSLAuthenticator());
          logger.info("Auth Method is CLIENT-CERT");

          // http://pki-tutorial.readthedocs.org/en/latest/simple/

        }

      } else {
        if (useClientAuth) {
          logger.error("Client Auth only available with SSL");
          throw new RuntimeException("Client Auth only available with SSL");
        }

        // useClientAuth = false;
      }

      if (!useClientAuth) {
        if ("waffle".equalsIgnoreCase(kerberosMode)) {

          final Boolean testMode = settings.getAsBoolean("security.waffle.testmode", false);

          final FilterDef fd = new FilterDef();
          fd.setFilterClass("waffle.servlet.NegotiateSecurityFilter");
          fd.setFilterName("Waffle");

          if (testMode != null && testMode.booleanValue()) {

            fd.addInitParameter("principalFormat", "fqn");
            fd.addInitParameter("roleFormat", "both");
            fd.addInitParameter("allowGuestLogin", "true");
            fd.addInitParameter(
                "securityFilterProviders",
                "org.elasticsearch.plugins.security.waffle.TestProvider");

            logger.info(
                "Kerberos implementaton is WAFFLE in testmode (only work on Windows Operations system)");
          } else {
            final Map<String, String> waffleSettings =
                settings.getByPrefix("security.waffle").getAsMap();

            for (final String waffleKey : waffleSettings.keySet()) {

              fd.addInitParameter(waffleKey.substring(1), waffleSettings.get(waffleKey));

              logger.debug(waffleKey.substring(1) + "=" + waffleSettings.get(waffleKey));
            }

            fd.addInitParameter("principalFormat", "fqn");
            fd.addInitParameter("roleFormat", "both");
            fd.addInitParameter("allowGuestLogin", "false");

            logger.info(
                "Kerberos implementaton is WAFFLE (only work on Windows Operations system)");
          }

          ctx.addFilterDef(fd);
          final FilterMap fm = new FilterMap();
          fm.setFilterName("Waffle");
          fm.addURLPattern("/*");
          ctx.addFilterMap(fm);

        } else if ("spnegoad".equalsIgnoreCase(kerberosMode)) {

          // System.setProperty("sun.security.krb5.debug", "true"); // TODO
          // switch
          // off

          System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

          final SecurityConstraint constraint = new SecurityConstraint();
          constraint.addAuthRole("*");
          constraint.setAuthConstraint(true);
          constraint.setDisplayName("spnego_sc_all");
          final SecurityCollection col = new SecurityCollection();
          col.addPattern("/*");

          constraint.addCollection(col);
          ctx.addConstraint(constraint);

          final LoginConfig lc = new LoginConfig();
          lc.setAuthMethod("SPNEGO");
          lc.setRealmName("SPNEGO");
          ctx.setLoginConfig(lc);

          logger.info("Kerberos implementaton is SPNEGOAD");

          configureJndiRealm(ctx);

          final ExtendedSpnegoAuthenticator spnegoValve = new ExtendedSpnegoAuthenticator();
          // spnegoValve.setLoginConfigName("es-login");
          spnegoValve.setStoreDelegatedCredential(true);
          ctx.getPipeline().addValve(spnegoValve);

          // final SpnegoAuthenticator spnegoValve = new SpnegoAuthenticator();
          // spnegoValve.setLoginEntryName("es-login");
          // ctx.getPipeline().addValve(spnegoValve);

        } else if ("none".equalsIgnoreCase(kerberosMode)) {

          logger.warn(
              "Kerberos is not configured so user/roles are unavailable. Host based security, in contrast, is woking. ");

        } else {
          logger.error(
              "No Kerberos implementaion '"
                  + kerberosMode
                  + "' found. Kerberos is therefore not configured so user/roles are unavailable. Host based security, in contrast, is woking. ");
        }
      }

      tomcat.start();

      logger.info("Tomcat started");

      InetSocketAddress bindAddress;
      try {
        bindAddress =
            new InetSocketAddress(
                networkService.resolveBindHostAddress(bindHost),
                tomcat.getConnector().getLocalPort());
      } catch (final Exception e) {
        throw new BindTransportException("Failed to resolve bind address", e);
      }

      InetSocketAddress publishAddress;
      try {
        publishAddress =
            new InetSocketAddress(
                networkService.resolvePublishHostAddress(publishHost), bindAddress.getPort());
      } catch (final Exception e) {
        throw new BindTransportException("Failed to resolve publish address", e);
      }

      logger.debug("bindAddress " + bindAddress);
      logger.debug("publishAddress " + publishAddress);

      boundAddress =
          new BoundTransportAddress(
              new InetSocketTransportAddress(bindAddress),
              new InetSocketTransportAddress(publishAddress));

    } catch (final Exception e) {
      throw new ElasticsearchException("Unable to start Tomcat", e);
    }
  }