Introduce system index APIs for Kibana (elastic#52385)

This commit introduces a module for Kibana that exposes REST APIs that will be used by Kibana for access to its system indices. These APIs are wrapped versions of the existing REST endpoints. A new setting is also introduced since the Kibana system indices' names are allowed to be changed by a user in case multiple instances of Kibana use the same instance of Elasticsearch. Additionally, the ThreadContext has been extended to indicate that the use of system indices may be allowed in a request. This will be built upon in the future for the protection of system indices.
rjernst · Mar 2, 2020 · 4c0e8f1 · 4c0e8f1
1 parent 4e58dde
commit 4c0e8f1
Show file tree

Hide file tree

Showing 42 changed files with 974 additions and 108 deletions.
diff --git a/modules/kibana/build.gradle b/modules/kibana/build.gradle
@@ -0,0 +1,31 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+esplugin {
+  description 'Plugin exposing APIs for Kibana system indices'
+  classname 'org.elasticsearch.kibana.KibanaPlugin'
+}
+
+dependencies {
+  compile project(path: ':modules:reindex', configuration: 'runtime')
+}
+
+testClusters.integTest {
+  module file(project(':modules:reindex').tasks.bundlePlugin.archiveFile)
+}
diff --git a/modules/kibana/src/main/java/org/elasticsearch/kibana/KibanaPlugin.java b/modules/kibana/src/main/java/org/elasticsearch/kibana/KibanaPlugin.java
@@ -0,0 +1,145 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.kibana;
+
+import org.elasticsearch.client.node.NodeClient;
+import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
+import org.elasticsearch.cluster.node.DiscoveryNodes;
+import org.elasticsearch.common.settings.ClusterSettings;
+import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Setting.Property;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsFilter;
+import org.elasticsearch.index.reindex.RestDeleteByQueryAction;
+import org.elasticsearch.indices.SystemIndexDescriptor;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.plugins.SystemIndexPlugin;
+import org.elasticsearch.rest.BaseRestHandler;
+import org.elasticsearch.rest.RestController;
+import org.elasticsearch.rest.RestHandler;
+import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.rest.action.admin.indices.RestCreateIndexAction;
+import org.elasticsearch.rest.action.admin.indices.RestGetAliasesAction;
+import org.elasticsearch.rest.action.admin.indices.RestGetIndicesAction;
+import org.elasticsearch.rest.action.admin.indices.RestIndexPutAliasAction;
+import org.elasticsearch.rest.action.admin.indices.RestRefreshAction;
+import org.elasticsearch.rest.action.admin.indices.RestUpdateSettingsAction;
+import org.elasticsearch.rest.action.document.RestBulkAction;
+import org.elasticsearch.rest.action.document.RestDeleteAction;
+import org.elasticsearch.rest.action.document.RestGetAction;
+import org.elasticsearch.rest.action.document.RestIndexAction;
+import org.elasticsearch.rest.action.document.RestIndexAction.AutoIdHandler;
+import org.elasticsearch.rest.action.document.RestIndexAction.CreateHandler;
+import org.elasticsearch.rest.action.document.RestMultiGetAction;
+import org.elasticsearch.rest.action.document.RestUpdateAction;
+import org.elasticsearch.rest.action.search.RestClearScrollAction;
+import org.elasticsearch.rest.action.search.RestSearchAction;
+import org.elasticsearch.rest.action.search.RestSearchScrollAction;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.List;
+import java.util.function.Function;
+import java.util.function.Supplier;
+import java.util.stream.Collectors;
+
+public class KibanaPlugin extends Plugin implements SystemIndexPlugin {
+
+    public static final Setting<List<String>> KIBANA_INDEX_NAMES_SETTING = Setting.listSetting("kibana.system_indices",
+        List.of(".kibana*", ".reporting"), Function.identity(), Property.NodeScope);
+
+    @Override
+    public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings) {
+        return KIBANA_INDEX_NAMES_SETTING.get(settings).stream()
+            .map(pattern -> new SystemIndexDescriptor(pattern, "System index used by kibana"))
+            .collect(Collectors.toUnmodifiableList());
+    }
+
+    @Override
+    public List<RestHandler> getRestHandlers(Settings settings, RestController restController, ClusterSettings clusterSettings,
+                                             IndexScopedSettings indexScopedSettings, SettingsFilter settingsFilter,
+                                             IndexNameExpressionResolver indexNameExpressionResolver,
+                                             Supplier<DiscoveryNodes> nodesInCluster) {
+        // TODO need to figure out what subset of system indices Kibana should have access to via these APIs
+        final List<String> allowedIndexPatterns = List.of();
+        return List.of(
+            // Based on https://github.com/elastic/kibana/issues/49764
+            // apis needed to perform migrations... ideally these will go away
+            new KibanaWrappedRestHandler(new RestCreateIndexAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestGetAliasesAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestIndexPutAliasAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestRefreshAction(), allowedIndexPatterns),
+
+            // apis needed to access saved objects
+            new KibanaWrappedRestHandler(new RestGetAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestMultiGetAction(settings), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestSearchAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestBulkAction(settings), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestDeleteAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestDeleteByQueryAction(), allowedIndexPatterns),
+
+            // api used for testing
+            new KibanaWrappedRestHandler(new RestUpdateSettingsAction(), allowedIndexPatterns),
+
+            // apis used specifically by reporting
+            new KibanaWrappedRestHandler(new RestGetIndicesAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestIndexAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new CreateHandler(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new AutoIdHandler(nodesInCluster), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestUpdateAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestSearchScrollAction(), allowedIndexPatterns),
+            new KibanaWrappedRestHandler(new RestClearScrollAction(), allowedIndexPatterns)
+        );
+
+    }
+
+    @Override
+    public List<Setting<?>> getSettings() {
+        return List.of(KIBANA_INDEX_NAMES_SETTING);
+    }
+
+    static class KibanaWrappedRestHandler extends BaseRestHandler.Wrapper {
+
+        private final List<String> allowedIndexPatterns;
+
+        KibanaWrappedRestHandler(BaseRestHandler delegate, List<String> allowedIndexPatterns) {
+            super(delegate);
+            this.allowedIndexPatterns = allowedIndexPatterns;
+        }
+
+        @Override
+        public String getName() {
+            return "kibana_" + super.getName();
+        }
+
+        @Override
+        public List<Route> routes() {
+            return super.routes().stream().map(route -> new Route(route.getMethod(), "/_kibana" + route.getPath()))
+                .collect(Collectors.toUnmodifiableList());
+        }
+
+        @Override
+        protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
+            client.threadPool().getThreadContext().allowSystemIndexAccess(allowedIndexPatterns);
+            return super.prepareRequest(request, client);
+        }
+    }
+}
diff --git a/modules/kibana/src/test/java/org/elasticsearch/kibana/KibanaPluginTests.java b/modules/kibana/src/test/java/org/elasticsearch/kibana/KibanaPluginTests.java
@@ -0,0 +1,46 @@
+
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.kibana;
+
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.indices.SystemIndexDescriptor;
+import org.elasticsearch.test.ESTestCase;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.is;
+
+public class KibanaPluginTests extends ESTestCase {
+
+    public void testKibanaIndexNames() {
+        assertThat(new KibanaPlugin().getSettings(), contains(KibanaPlugin.KIBANA_INDEX_NAMES_SETTING));
+        assertThat(new KibanaPlugin().getSystemIndexDescriptors(Settings.EMPTY).stream()
+            .map(SystemIndexDescriptor::getIndexPattern).collect(Collectors.toUnmodifiableList()),
+            contains(".kibana*", ".reporting"));
+        final List<String> names = List.of("." + randomAlphaOfLength(4), "." + randomAlphaOfLength(6));
+        final List<String> namesFromDescriptors = new KibanaPlugin().getSystemIndexDescriptors(
+                Settings.builder().putList(KibanaPlugin.KIBANA_INDEX_NAMES_SETTING.getKey(), names).build()
+            ).stream().map(SystemIndexDescriptor::getIndexPattern).collect(Collectors.toUnmodifiableList());
+        assertThat(namesFromDescriptors, is(names));
+    }
+}