Refine search
if(threadContext.getTransient(ConfigConstants.SG_ORIGIN) == null) { threadContext.putTransient(ConfigConstants.SG_ORIGIN, Origin.LOCAL.toString()); final User user = threadContext.getTransient(ConfigConstants.SG_USER); final boolean userIsAdmin = isUserAdmin(user, adminDns); final boolean interClusterRequest = HeaderHelper.isInterClusterRequest(threadContext); if(actionTrace.isTraceEnabled()) { actionTrace.trace("Node "+cs.localNode().getName()+" -> "+action+" ("+count+"): userIsAdmin="+userIsAdmin+"/conRequest="+confRequest+"/internalRequest="+internalRequest +"origin="+threadContext.getTransient(ConfigConstants.SG_ORIGIN)+"/directRequest="+HeaderHelper.isDirectRequest(threadContext)+"/remoteAddress="+request.remoteAddress()); threadContext.putHeader("_sg_trace"+System.currentTimeMillis()+"#"+UUID.randomUUID().toString(), Thread.currentThread().getName()+" FILTER -> "+"Node "+cs.localNode().getName()+" -> "+action+" userIsAdmin="+userIsAdmin+"/conRequest="+confRequest+"/internalRequest="+internalRequest +"origin="+threadContext.getTransient(ConfigConstants.SG_ORIGIN)+"/directRequest="+HeaderHelper.isDirectRequest(threadContext)+"/remoteAddress="+request.remoteAddress()+" "+threadContext.getHeaders().entrySet().stream().filter(p->!p.getKey().startsWith("_sg_trace")).collect(Collectors.toMap(p -> p.getKey(), p -> p.getValue()))); if(Origin.LOCAL.toString().equals(threadContext.getTransient(ConfigConstants.SG_ORIGIN)) && (interClusterRequest || HeaderHelper.isDirectRequest(threadContext)) ) { log.error("No user found for "+ action+" from "+request.remoteAddress()+" "+threadContext.getTransient(ConfigConstants.SG_ORIGIN)+" via "+threadContext.getTransient(ConfigConstants.SG_CHANNEL_TYPE)+" "+threadContext.getHeaders()); listener.onFailure(new ElasticsearchSecurityException("No user found for "+action, RestStatus.INTERNAL_SERVER_ERROR)); return;
LOGGER.info("Check if "+searchguardIndex+" index exists ..."); .masterNodeTimeout(TimeValue.timeValueMinutes(1)); final ThreadContext threadContext = threadPool.getThreadContext(); try(StoredContext ctx = threadContext.stashContext()) { threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true"); LOGGER.error("Failure while executing IndicesExistsRequest {}",e2, e2); bgThread.start();
private ThreadContext newThreadContext(String sslPrincipal) { ThreadContext threadContext = new ThreadContext(Settings.EMPTY); threadContext.putTransient(ConfigConstants.SG_SSL_PRINCIPAL, sslPrincipal); return threadContext; }
private void putInitialActionClassHeader(String initialActionClassValue, String resolvedActionClass) { if(initialActionClassValue == null) { if(getThreadContext().getHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER) == null) { getThreadContext().putHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER, resolvedActionClass); } } else { if(getThreadContext().getHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER) == null) { getThreadContext().putHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER, initialActionClassValue); } } }
@Override protected void addAdditionalContextValues(final String action, final TransportRequest request, final X509Certificate[] localCerts, final X509Certificate[] peerCerts, final String principal) throws Exception { boolean isInterClusterRequest = requestEvalProvider.isInterClusterRequest(request, localCerts, peerCerts, principal); if (isInterClusterRequest) { boolean fromTn = Boolean.parseBoolean(getThreadContext().getHeader("_sg_header_tn")); if(fromTn || cs.getClusterName().value().equals(getThreadContext().getHeader("_sg_remotecn"))) { if (log.isTraceEnabled() && !action.startsWith("internal:")) { log.trace("Is inter cluster request ({}/{}/{})", action, request.getClass(), request.remoteAddress()); } getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST, Boolean.TRUE); } else { getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST, Boolean.TRUE); } } else { if (log.isTraceEnabled()) { log.trace("Is not an inter cluster request"); } } super.addAdditionalContextValues(action, request, localCerts, peerCerts, principal); } }
String injectedUserString = threadPool.getThreadContext().getTransient(ConfigConstants.SG_INJECTED_USER); if (log.isDebugEnabled()) { log.debug("Injected user string: {}", injectedUserString); log.error("User string malformed, could not extract parts. User string was '{}.' User injection failed.", injectedUserString); return false; InetAddress iAdress = InetAddress.getByName(ipAndPort[0]); int port = Integer.parseInt(ipAndPort[1]); threadPool.getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new TransportAddress(iAdress, port)); } catch (UnknownHostException | NumberFormatException e) { log.error("Cannot parse remote IP or port: {}, user injection failed.", parts[2], e); threadPool.getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, xffResolver.resolve(request)); threadPool.getThreadContext().putTransient(ConfigConstants.SG_USER, user); auditLog.logSucceededLogin(parts[0], true, null, request); if (log.isTraceEnabled()) {
public User authenticate(final TransportRequest request, final String sslPrincipal, final Task task, final String action) { if(log.isDebugEnabled() && request.remoteAddress() != null) { log.debug("Transport authentication request from {}", request.remoteAddress()); log.error("Not yet initialized (you may need to run sgadmin)"); return null; final String authorizationHeader = threadPool.getThreadContext().getHeader("Authorization");
final int halfProcMaxAt5 = halfNumberOfProcessorsMaxFive(availableProcessors); final int halfProcMaxAt10 = halfNumberOfProcessorsMaxTen(availableProcessors); final int genericThreadPoolMax = boundedBy(4 * availableProcessors, 128, 512); builders.put(Names.GENERIC, new ScalingExecutorBuilder(Names.GENERIC, 4, genericThreadPoolMax, TimeValue.timeValueSeconds(30))); builders.put(Names.INDEX, new FixedExecutorBuilder(settings, Names.INDEX, availableProcessors, 200, true)); threadContext = new ThreadContext(settings); throw new IllegalStateException("duplicate executors with name [" + executorHolder.info.getName() + "] registered"); logger.debug("created thread pool: {}", entry.getValue().formatInfo(executorHolder.info)); executors.put(entry.getKey(), executorHolder);
cancellableThreads.executeIO(() -> { final DiscoveryNode seedNode = maybeAddProxyAddress(proxyAddress, seedNodes.next().get()); logger.debug("[{}] opening connection to seed node: [{}] proxy address: [{}]", clusterAlias, seedNode, proxyAddress); final TransportService.HandshakeResponse handshakeResponse; (c) -> remoteClusterName.get() == null ? true : c.equals(remoteClusterName.get())); } catch (IllegalStateException ex) { logger.warn(() -> new ParameterizedMessage("seed node {} cluster name mismatch expected " + "cluster name {}", connection.getNode(), remoteClusterName.get()), ex); throw ex; ThreadContext threadContext = threadPool.getThreadContext(); TransportService.ContextRestoreResponseHandler<ClusterStateResponse> responseHandler = new TransportService .ContextRestoreResponseHandler<>(threadContext.newRestorableContext(false), new SniffClusterStateResponseHandler(connection, listener, seedNodes, cancellableThreads)); try (ThreadContext.StoredContext ignore = threadContext.stashContext()) { threadContext.markAsSystemContext(); transportService.sendRequest(connection, ClusterStateAction.NAME, request, TransportRequestOptions.EMPTY, responseHandler); logger.warn(() -> new ParameterizedMessage("fetching nodes from external cluster [{}] failed", clusterAlias), ex);
if (threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER) != null) { if (!maskedFieldsMap.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER)))) { throw new ElasticsearchSecurityException(ConfigConstants.SG_MASKED_FIELD_HEADER + " does not match (SG 901D)"); } else { if (log.isDebugEnabled()) { log.debug(ConfigConstants.SG_MASKED_FIELD_HEADER + " already set"); threadContext.putHeader(ConfigConstants.SG_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFieldsMap)); if (log.isDebugEnabled()) { log.debug("attach masked fields info: {}", maskedFieldsMap); if (threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER) != null) { if (!dlsQueries.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER)))) { throw new ElasticsearchSecurityException(ConfigConstants.SG_DLS_QUERY_HEADER + " does not match (SG 900D)"); threadContext.putHeader(ConfigConstants.SG_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) dlsQueries)); if (log.isDebugEnabled()) { log.debug("attach DLS info: {}", dlsQueries); if (threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER) != null) { if (!flsFields.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER)))) { throw new ElasticsearchSecurityException(ConfigConstants.SG_FLS_FIELDS_HEADER + " does not match (SG 901D)"); } else { threadContext.putHeader(ConfigConstants.SG_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) flsFields)); if (log.isDebugEnabled()) { log.debug("attach FLS info: {}", flsFields);
@SuppressLoggerChecks(reason = "safely delegates to logger") void deprecated(final Set<ThreadContext> threadContexts, final String message, final boolean log, final Object... params) { final Iterator<ThreadContext> iterator = threadContexts.iterator(); if (iterator.hasNext()) { final String formattedMessage = LoggerMessageFormat.format(message, params); final String warningHeaderValue = formatWarning(formattedMessage); assert WARNING_HEADER_PATTERN.matcher(warningHeaderValue).matches(); assert extractWarningValueFromWarningHeader(warningHeaderValue).equals(escapeAndEncode(formattedMessage)); while (iterator.hasNext()) { try { final ThreadContext next = iterator.next(); next.addResponseHeader("Warning", warningHeaderValue, DeprecationLogger::extractWarningValueFromWarningHeader); } catch (final IllegalStateException e) { // ignored; it should be removed shortly } } } if (log) { logger.warn(message, params); } }
if(log.isTraceEnabled()) { log.trace("originalRemoteAddr {}", originalRemoteAddr); if(log.isTraceEnabled()) { log.trace("concatRemoteIpHeaderValue {}", concatRemoteIpHeaderValue.toString()); threadContext.putTransient(ConfigConstants.SG_XFF_DONE, Boolean.TRUE);
public void updateGlobalCheckpointForShard(final ShardId shardId) { final ThreadContext threadContext = threadPool.getThreadContext(); try (ThreadContext.StoredContext ignore = threadContext.stashContext()) { threadContext.markAsSystemContext(); execute( new Request(shardId), ActionListener.wrap(r -> { }, e -> { if (ExceptionsHelper.unwrap(e, AlreadyClosedException.class, IndexShardClosedException.class) == null) { logger.info(new ParameterizedMessage("{} global checkpoint sync failed", shardId), e); } })); } }
@Before public final void before() { logger.info("[{}]: before test", getTestName()); assertNull("Thread context initialized twice", threadContext); if (enableWarningsCheck()) { this.threadContext = new ThreadContext(Settings.EMPTY); DeprecationLogger.setThreadContext(threadContext); } }
String initialActionClassValue = getThreadContext().getHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER); final ThreadContext.StoredContext sgContext = getThreadContext().newStoredContext(false); final String originHeader = getThreadContext().getHeader(ConfigConstants.SG_ORIGIN_HEADER); getThreadContext().putTransient(ConfigConstants.SG_ORIGIN, originHeader); getThreadContext().putTransient(ConfigConstants.SG_CHANNEL_TYPE, transportChannel.getChannelType()); getThreadContext().putTransient(ConfigConstants.SG_ACTION_NAME, task.getAction()); final String userHeader = getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER); getThreadContext().putTransient(ConfigConstants.SG_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(userHeader))); final String originalRemoteAddress = getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER); getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new TransportAddress((InetSocketAddress) Base64Helper.deserializeObject(originalRemoteAddress))); if(actionTrace.isTraceEnabled()) { getThreadContext().putHeader("_sg_trace"+System.currentTimeMillis()+"#"+UUID.randomUUID().toString(), Thread.currentThread().getName()+" DIR -> "+transportChannel.getChannelType()+" "+getThreadContext().getHeaders()); if ((principal = getThreadContext().getTransient(ConfigConstants.SG_SSL_TRANSPORT_PRINCIPAL)) == null) { Exception ex = new ElasticsearchSecurityException( "No SSL client certificates found for transport type "+transportChannel.getChannelType()+". Search Guard needs the Search Guard SSL plugin to be installed"); auditLog.logSSLException(request, ex, task.getAction(), task); log.error("No SSL client certificates found for transport type "+transportChannel.getChannelType()+". Search Guard needs the Search Guard SSL plugin to be installed"); transportChannel.sendResponse(ex); return;
private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel channel, NodeClient client) throws Exception { threadContext.putTransient(ConfigConstants.SG_ORIGIN, Origin.REST.toString()); log.error(exception); auditLog.logBadHeaders(request); channel.sendResponse(new BytesRestResponse(channel, RestStatus.FORBIDDEN, exception)); log.error(exception); auditLog.logBadHeaders(request); channel.sendResponse(new BytesRestResponse(channel, RestStatus.FORBIDDEN, exception)); if((sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, request, principalExtractor)) != null) { if(sslInfo.getPrincipal() != null) { threadContext.putTransient("_sg_ssl_principal", sslInfo.getPrincipal()); threadContext.putTransient("_sg_ssl_peer_certificates", sslInfo.getX509Certs()); threadContext.putTransient("_sg_ssl_protocol", sslInfo.getProtocol()); threadContext.putTransient("_sg_ssl_cipher", sslInfo.getCipher()); log.error("No ssl info", e); auditLog.logSSLException(request, e); channel.sendResponse(new BytesRestResponse(channel, RestStatus.FORBIDDEN, e)); } else { org.apache.logging.log4j.ThreadContext.put("user", ((User)threadContext.getTransient(ConfigConstants.SG_USER)).getName());
public Map<String, Tuple<Long, Settings>> loadConfigurations(Collection<String> configTypes, boolean logComplianceEvent) { final ThreadContext threadContext = threadPool.getThreadContext(); final Map<String, Tuple<Long, Settings>> retVal = new HashMap<String, Tuple<Long, Settings>>(); try(StoredContext ctx = threadContext.stashContext()) { threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true"); if(clusterService.state().metaData().index(this.searchguardIndex).mapping("config") != null) { LOGGER.debug("sg index exists and was created before ES 6 (legacy layout)"); retVal.putAll(validate(legacycl.loadLegacy(configTypes.toArray(new String[0]), 5, TimeUnit.SECONDS), configTypes.size())); } else { LOGGER.debug("sg index exists and was created with ES 6 (new layout)"); retVal.putAll(validate(cl.load(configTypes.toArray(new String[0]), 5, TimeUnit.SECONDS), configTypes.size())); LOGGER.debug("sg index not exists (yet)"); retVal.putAll(validate(cl.load(configTypes.toArray(new String[0]), 30, TimeUnit.SECONDS), configTypes.size()));
Supplier<ThreadContext.StoredContext> storedContextSupplier = threadPool.getThreadContext().newRestorableContext(true); ContextRestoreResponseHandler<T> responseHandler = new ContextRestoreResponseHandler<>(storedContextSupplier, handler); timeoutHandler.future = threadPool.schedule(options.timeout(), ThreadPool.Names.GENERIC, timeoutHandler); threadPool.executor(ThreadPool.Names.GENERIC).execute(new AbstractRunnable() { @Override public void onRejection(Exception e) { logger.debug("Exception while sending request, handler likely already notified due to timeout", e);
long headerSize = 0; long maxSize = maxHeaderSize.getBytes(); ThreadContext threadContext = threadPool.getThreadContext(); for (String key : taskHeaders) { String httpHeader = threadContext.getHeader(key); if (httpHeader != null) { headerSize += key.length() * 2 + httpHeader.length() * 2; if (logger.isTraceEnabled()) { logger.trace("register {} [{}] [{}] [{}]", task.getId(), type, action, task.getDescription());
listener = new ContextPreservingListener(listener, contextHolder.newRestorableContext(false)); if (observingContext.get() != null) { throw new ElasticsearchException("already waiting for a cluster state change"); if (timeoutTimeLeftMS <= 0L) { logger.trace("observer timed out. notifying listener. timeout setting [{}], time since start [{}]", timeOutValue, new TimeValue(timeSinceStartMS)); if (lastObservedState.get().isOlderOrDifferentMaster(newState) && statePredicate.test(newState)) { logger.trace("observer: sampled state accepted by predicate ({})", newState); lastObservedState.set(new StoredState(newState)); listener.onNewClusterState(newState); } else { logger.trace("observer: sampled state rejected by predicate ({}). adding listener to ClusterService", newState); final ObservingContext context = new ObservingContext(listener, statePredicate); if (!observingContext.compareAndSet(null, context)) {