All Classes and Interfaces

Class
Description
This is the base class for UserRoleMapper implementations that need to notify registered CachingRealms, when the role mapping rules change, to invalidate their caches that could rely on the obsolete role mapping rules.
A cached version of the ApiKeyService.ApiKeyDoc.
An authentication service that delegates the authentication process to its configured realms.
The Authenticator interface represents an authentication mechanism or a group of similar authentication mechanisms.
This class is a container to encapsulate the current request and other necessary information (mostly configuration related) required for authentication.
A KeyStoreAwareCommand that can be extended for any CLI tool that needs to allow a local user with filesystem write access to perform actions on the node as a superuser.
Similar to UpdateRequestInterceptor, but checks if there are update requests embedded in a bulk request.
Simple wrapper around bytes so that it can be used as a cache key.
A registry that provides common cache invalidation services for caches that rely on the security index.
Request to change a user's password.
Helper class for parsing JWT claims.
A role mapper that reads the role mapping rules (i.e.
A UserRoleMapper that composes one or more delegate role-mappers.
A composite roles store that can retrieve roles from multiple sources.
Utility class for supporting "delegated authorization" (aka "authorization_realms", aka "lookup realms").
Inspects all aliases that have greater privileges than the indices that they point to and logs the role descriptor, granting privileges in this manner, as deprecated and requiring changes.
The wrapper of IndicesAccessControl which adds ability to track actual Document and Field Level Security feature usage.
This class loads and monitors the file defining the mappings of DNs to internal ES Roles.
An abstract implementation of SecurityBaseRestHandler that performs the enrollment_enabled setting check.
Implementation of role mapper which wraps a UserRoleMapper and filters out the resolved roles by removing the configured roles to exclude.
Immutable implementation of SecurityExtension.SecurityComponents.
A JWT claim that can optionally fall back to another claim (if configured) for retrieving the associated value from a JWTClaimsSet.
The features names here are constants that form part of our API contract.
A utility for cli tools to capture file attributes before writing files, and to warn if the permissions/group/owner changes.
Provides a check which will be applied to roles in the file-based roles store.
The default file role validator used in stateful Elasticsearch, a no-op.
Responsible for cleaning the invalidated and expired API keys from the security index.
Provides a single entry point into dealing with all standard XPack security realms.
A wrapper of Cache that keeps a counter for invalidation calls in order to minimize the possibility of caching stale results.
This class is responsible for loading the JWK set for PKC signature from either a file or URL.
Utilities for JWK Validation.
An AuthenticationToken to hold JWT authentication related content.
This class performs validations of header, claims and signatures against the incoming JwtAuthenticationToken.
Validator for fields (header or claim) of a JWT token
JWT realms supports JWTs as bearer tokens for authenticating to Elasticsearch.
Validates a specific string claim from a JWTClaimsSet against both a list of explicit values and a list of Lucene patterns.
Utilities for JWT realm.
Helper class to consolidate multiple trace level statements to a single trace statement with lazy evaluation.
This class represents an AuthenticationToken for Kerberos authentication using SPNEGO.
This class provides support for Kerberos authentication using spnego mechanism.
Utility class that validates kerberos ticket for peer authentication.
Enumeration representing the various supported ServerSet types that can be used with our built-in realms.
Authenticates username/password tokens against ldap, locates groups and maps them to roles.
Represents an LDAP connection with an authenticated/bound user that needs closing.
A GroupsResolver is used to resolve the group names of a given LDAP user
This factory creates LDAP connections via iterating through user templates.
A utility class that keeps an internal counter to ensure a given runnable is only executed when the counter matches the expected value.
NativePrivilegeStore is a store that reads/writes ApplicationPrivilegeDescriptor objects from an Elasticsearch index.
User/password realm that is backed by an Elasticsearch index
This store reads + writes role mappings in an Elasticsearch index.
NativeRolesStore is a RolesStore that, instead of reading from a file, reads from an Elasticsearch index.
NativeUsersStore is a store for users that reads from an Elasticsearch index.
Result record for every document matching a user
Total result for a Query User query
Handles an OpenID Connect Authentication response as received by the facilitator.
A class that contains all the OpenID Connect Provider configuration.
An AuthenticationToken to hold OpenID Connect related content.
Opts out of the query cache if field level security is active for the current request, and it is unsafe to cache.
Extension of FileWatcher that does privileged calls to IO.
Settings for a transport profile usually begin with "transport.profiles.NAME." The settings can be either of the two categories: 1.
A class that holds the built-in roles and their hash digests.
A listener that is notified when the built-in roles change.
A provider that provides the built-in roles and can notify subscribed listeners when the built-in roles change.
Synchronizes built-in roles to the .security index.
Utility class which provides helper method for calculating the hash of a role descriptor, determining the roles to upsert and the roles to delete.
A provider of the built-in reserved roles.
Serves as a realms registry (also responsible for ordering the realms appropriately)
This interface allows adding support for reload operations (on secure settings change) in a generic way for security components.
A class that contains all the OpenID Connect Relying Party configuration.
A request interceptor can introspect a request and modify it.
A realm for predefined users.
This Action is the reserved state save version of RestPutRoleMappingAction/RestDeleteRoleMappingAction
Security Provider implementation for the ReservedClusterStateHandlerProvider service interface
Rest endpoint to bulk delete roles from the security index
Rest endpoint to bulk add roles to the security index
Rest action to create an API key
Rest action to create an API key specific to cross cluster access via the dedicated remote cluster server port
Implements the exchange of an X509Certificate chain into an access token.
Rest action to delete one or more privileges from the security index
Rest endpoint to delete a Role from the security index
Rest endpoint to delete a role-mapping from the NativeRoleMappingStore
Rest action to delete a user from the security index
Rest action to get one or more API keys information.
Rest action to retrieve built-in (cluster/index) privileges
Rest action to retrieve an application privilege from the security index
Rest endpoint to retrieve a role-mapping from the org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore
Rest endpoint to retrieve a Role from the security index
An implementation of an OAuth2-esque API for retrieval of an access token.
REST handler that lists the privileges held by a user.
Rest action to retrieve a user from the security index
Rest action to create an API key on behalf of another user.
REST handler that tests whether a user has the specified privileges
Rest action to invalidate one or more API keys
Rest handler for handling access token invalidation requests
Rest handler that authenticates the user based on the information provided as parameters of the redirect_uri
Rest handler that invalidates a security token for the given OpenID Connect realm and if the configuration of the realm supports it, generates a redirect to the `end_session_endpoint` of the OpenID Connect Provider.
Generates an oAuth 2.0 authentication request as a URL string and returns it to the REST client.
Rest endpoint to add one or more ApplicationPrivilege objects to the security index
Rest endpoint to add a Role to the security index
Rest endpoint to add a role-mapping to the native store
Rest endpoint to add a User to the security index
Rest action to search for API keys
Rest action to search for Users
A REST handler that attempts to authenticate a user based on the provided SAML response/assertion.
This Rest endpoint handles SAML LogoutResponse sent from idP with either HTTP-Redirect or HTTP-Post binding.
Invalidates any security tokens associated with the provided SAML session.
Invalidates the provided security token, and if the associated SAML realm supports logout, generates a SAML logout request (<LogoutRequest>).
Generates a SAML authentication request (<AuthnRequest>) based on the provided parameters.
REST handler for enabling and disabling users.
A BootstrapCheck that DnRoleMapper files exist and are valid (valid YAML and valid DNs)
Encapsulates logic regarding the active set of role providers in the system, and their order. The supported providers are (in order): built-in (reserved) roles, file-based roles, index-based roles, custom (plugin) providers.
A lightweight collection of SAML attributes
An abstract implementation of SecurityBaseRestHandler that performs a license check for the SAML realm type
Processes a LogoutRequest for an IdP-initiated logout.
Abstract base class for objects that build some sort of SAMLObject
Lightweight (non-XML) representation of a SAML NameID element
This class is Releasable because it uses a library that thinks timers and timer tasks are still cool and no chance to opt out
Constructs SAML Metadata to describe a Service Provider.
A very lightweight AuthenticationToken to hold SAML content.
Actions that are only available when a secondary authenticator is present.
Performs "secondary user authentication" (that is, a second user, _not_ second factor authentication).
This class analyzes an incoming request and its action name, and returns the security action name for it.
Base class for security rest handlers.
Manages the lifecycle, mapping and data upgrades/migrations of the RestrictedIndicesNames#SECURITY_MAIN_ALIAS and RestrictedIndicesNames#SECURITY_MAIN_ALIAS alias-index pair.
When checking availability, check for availability of search or availability of all primaries
State of the security index.
Indicates whether the features of Security are currently in use
Decorator class providing a useful toString() method for an IpFilterRule, as this is needed for audit logging.
Enumerates all metric groups we want to collect.
Holds all metric information needed to register a metric in MeterRegistry.
This class provides a common way for registering and collecting different types of security metrics.
Defines all security metric types that can be collected.
Interface for creating SecurityMigrations that will be automatically applied once to existing .security indices. IMPORTANT: A new index version needs to be added to IndexVersions for the migration to be triggered.
Implementation of a transport that extends the Netty4Transport to add SSL and IP Filtering
A SearchOperationListener that is used to provide authorization for scroll requests.
Responsible for handling system indices for the Security plugin
Every change to the mapping of .security index must be versioned.
A decoded credential that may be used to authenticate a ServiceAccount.
The interface should be implemented by credential stores of different backends.
This factory holds settings needed for authenticating to LDAP and creating LdapConnections.
Request builder for setting a user as enabled or disabled
A processor that adds information of the current authenticated user to the document being ingested.
Encapsulates the rules and credentials for how and when Elasticsearch should sign outgoing SAML messages.
A simple container class that holds all configuration related to a SAML Service Provider (SP).
Service responsible for the creation, validation, and other management of UserToken objects for authentication
Clears a security cache by name (with optional keys).
Implementation of the action needed to create an API key
Implementation of the action needed to create an API key
Transport action responsible for creating a token based on a request.
Implements the exchange of an X509Certificate chain into an access token.
Transport action to retrieve one or more application privileges from the security index
Transport action to retrieve built-in (cluster/index) privileges
Transport action to retrieve one or more application privileges from the security index
This action handler is to retrieve service account credentials that are local to the node.
Transport action for GetUserPrivilegesAction
Implementation of the action needed to create an API key on behalf of another user (using an OAuth style "grant")
Transport action that tests whether the currently authenticated user has the specified privileges
Transport action responsible for handling invalidation of tokens
Transport action responsible for generating an OpenID connect logout request to be sent to an OpenID Connect Provider
Transport action that tests whether the users for the given profile ids have the specified privileges
Transport action to retrieve one or more application privileges from the security index
This is a local-only action which updates remote cluster credentials for remote cluster connections, from keystore settings reloaded via a call to RestReloadSecureSettingsAction.
Transport action responsible for taking saml content and turning it into a token.
Transport action responsible for completing SAML LogoutResponse
Transport action responsible for taking a SAML LogoutRequest and invalidating any associated Security Tokens
Transport action responsible for generating a SAML <LogoutRequest> as a redirect binding URL.
Transport action responsible for generating a SAML <AuthnRequest> as a redirect binding URL.
Transport action responsible for generating a SAML SP Metadata.
Transport action that handles setting a native or reserved user to enabled
A request interceptor that fails update requests if field or document level security is enabled.
This token is a combination of an Authentication object with an expiry.