diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
index ec62285c6aa5f..fc96399a289f6 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
@@ -402,11 +402,11 @@ boolean isActive() {
 }
 public boolean isIpFilteringAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
+ return isAllowedByLicense(OperationMode.GOLD, false);
 }
 public boolean isAuditingAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
+ return isAllowedByLicense(OperationMode.GOLD, false);
 }
 public boolean isStatsAndHealthAllowed() {
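Review bot: After this change `isIpFilteringAllowed()` and `isAuditingAllowed()` answer only the license question, so they can return true on a node where security is disabled, yet neither method carries Javadoc that says so. A caller that was not updated together with this commit would silently start treating the feature as active. I would state the new contract on every converted method, for example `/** License check only; callers must also check {@link #isSecurityEnabled()}. */`. The same applies to the methods converted in the later XPackLicenseState hunks (`isDocumentAndFieldLevelSecurityAllowed`, `areAllRealmsAllowed`, `areStandardRealmsAllowed`, `isCustomRoleProvidersAllowed`, `isTokenServiceAllowed`, `isAuthorizationRealmAllowed`, `isAuthorizationEngineAllowed`). In the part of the diff shown here no production call site of the realm and custom-role-provider checks is touched, so those callers are worth confirming.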
@@ -427,33 +427,33 @@ public boolean isStatsAndHealthAllowed() {
 * @return {@code true} to enable DLS and FLS. Otherwise {@code false}.
 */
 public boolean isDocumentAndFieldLevelSecurityAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, false);
+ return isAllowedByLicense(OperationMode.PLATINUM, false);
 }
 public boolean areAllRealmsAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, false);
+ return isAllowedByLicense(OperationMode.PLATINUM, false);
 }
 public boolean areStandardRealmsAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
+ return isAllowedByLicense(OperationMode.GOLD, false);
 }
 public boolean isCustomRoleProvidersAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, true);
+ return isAllowedByLicense(OperationMode.PLATINUM, true);
 }
 /**
 * Whether the Elasticsearch {@code TokenService} is allowed
 */
 public boolean isTokenServiceAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
+ return isAllowedByLicense(OperationMode.GOLD, false);
 }
 /**
 * Whether the Elasticsearch {@code ApiKeyService} is allowed
 */
 public boolean isApiKeyServiceAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.MISSING, false);
+ return isAllowedByLicense(OperationMode.MISSING, false);
 }
 /**
@@ -461,7 +461,7 @@ public boolean isApiKeyServiceAllowed() {
 * @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
 */
 public boolean isAuthorizationRealmAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, true);
+ return isAllowedByLicense(OperationMode.PLATINUM, true);
 }
 /**
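Review bot: `isApiKeyServiceAllowed()` now reduces to `isAllowedByLicense(OperationMode.MISSING, false)`, and the updated XPackLicenseStateTests in this commit expect it to be true even for an expired basic license with security off, so the method no longer appears to restrict anything on its own. Its Javadoc, `Whether the Elasticsearch {@code ApiKeyService} is allowed`, still reads as a complete gate. I would reword it to say that the value reflects the license only and that `isSecurityEnabled()` is the effective switch, so a future caller does not rely on this method alone before issuing or accepting API keys.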
@@ -469,7 +469,7 @@ public boolean isAuthorizationRealmAllowed() {
 * @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
 */
 public boolean isAuthorizationEngineAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, true);
+ return isAllowedByLicense(OperationMode.PLATINUM, true);
 }
 public boolean isWatcherAllowed() {
@@ -683,32 +683,7 @@ public XPackLicenseState copyCurrentLicenseState() {
 }
 /**
- * Test whether a feature is allowed by the status of license and security configuration.
- * Note the difference to {@link #isAllowedByLicense(OperationMode, boolean)}
- * is this method requires security to be enabled.
- *
- * @param minimumMode The minimum license to meet or exceed
- * @param needActive Whether current license needs to be active.
- *
- * @return true if feature is allowed, otherwise false
- */
- private boolean isAllowedBySecurityAndLicense(OperationMode minimumMode, boolean needActive) {
- return checkAgainstStatus(status -> {
- if (false == isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled)) {
- return false;
- }
- // Do not delegate to isAllowedByLicense as it also captures "status" which may be different from here
- if (needActive && false == status.active) {
- return false;
- }
- return isAllowedByOperationMode(status.mode, minimumMode);
- });
- }
-
- /**
- * Test whether a feature is allowed by the status of license. Note difference to
- * {@link #isAllowedBySecurityAndLicense} is this method does Not require security
- * to be enabled.
+ * Test whether a feature is allowed by the status of license.
 *
 * @param minimumMode The minimum license to meet or exceed
 * @param needActive Whether current license needs to be active
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java
index 57af4eb16c5ba..8d02191bebd5e 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java
@@ -61,7 +61,7 @@ public SecurityIndexReaderWrapper(Function queryShar
 @Override
 public DirectoryReader apply(final DirectoryReader reader) {
- if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
+ if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
 return reader;
 }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
index 4961899f3c7e4..94decec26bdfe 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -107,7 +107,7 @@ public void testSecurityBasicWithoutExplicitSecurityEnabled() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(false));
- assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
 assertThat(licenseState.isSecurityAvailable(), is(true));
 assertThat(licenseState.isSecurityEnabled(), is(false));
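Review bot: The new condition in `SecurityIndexReaderWrapper.apply` makes two separate calls on `licenseState`, whereas the removed `isAllowedBySecurityAndLicense` evaluated security-enabled and license mode inside a single `checkAgainstStatus` callback and carried a comment warning that a second capture of `status` "may be different". Presumably each call now reads the current status on its own, so a license change between them can produce a combination that never existed, and here the result decides whether DLS/FLS wrapping is applied to the reader. The same two-call pattern is repeated in Security.getFieldFilter, AuditTrailService, ApiKeyService, TokenService, DelegatedAuthorizationSupport, AuthorizationService, both request interceptors and IPFilter. Consider keeping one XPackLicenseState method that answers both questions against a single status snapshot, or adding a comment such as `// security-enabled and license are read separately; a concurrent license change may be observed between the two` where the window is accepted.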
@@ -142,7 +142,7 @@ public void testSecurityDefaultBasicExpired() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 assertThat(licenseState.isTokenServiceAllowed(), is(false));
- assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
 }
 public void testSecurityEnabledBasicExpired() {
@@ -260,11 +260,6 @@ public void testNewTrialDefaultsSecurityOff() {
 private void assertSecurityNotAllowed(XPackLicenseState licenseState) {
 assertThat(licenseState.isSecurityEnabled(), is(false));
- assertThat(licenseState.isIpFilteringAllowed(), is(false));
- assertThat(licenseState.isAuditingAllowed(), is(false));
- assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
- assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
- assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
 }
 public void testSecurityAckBasicToNotGoldOrStandard() {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java
index e7a29c7083824..f3f88c836b2b4 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java
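Review bot: `assertSecurityNotAllowed` is reduced to a single `isSecurityEnabled()` assertion, and the five removed feature assertions are not replaced by anything that exercises the security-disabled path at the consumers. Every mock added in the hunks shown here stubs `isSecurityEnabled()` to true, so none of those tests would fail if one of the new `isSecurityEnabled()` guards were dropped or inverted. A negative case per consumer, with `isSecurityEnabled()` returning false while the feature method returns true (for example for IPFilter.accept, AuditTrailService.get and ApiKeyService.ensureEnabled), would pin the behaviour this refactoring now depends on.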
@@ -97,6 +97,7 @@ null, null, mapperService, null, null, xContentRegistry(), writableRegistry(),
 QueryShardContext queryShardContext = spy(realQueryShardContext);
 DocumentSubsetBitsetCache bitsetCache = new DocumentSubsetBitsetCache(Settings.EMPTY, Executors.newSingleThreadExecutor());
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
 Directory directory = newDirectory();
@@ -232,6 +233,7 @@ null, null, mapperService, null, null, xContentRegistry(), writableRegistry(),
 DocumentSubsetBitsetCache bitsetCache = new DocumentSubsetBitsetCache(Settings.EMPTY, Executors.newSingleThreadExecutor());
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
 SecurityIndexReaderWrapper wrapper = new SecurityIndexReaderWrapper(s -> queryShardContext, bitsetCache, securityContext, licenseState, scriptService) {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java
index c91469a62e593..6254349c32ed2 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java
@@ -64,6 +64,7 @@ public void setup() throws Exception {
 ShardId shardId = new ShardId(index, 0);
 licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
 securityContext = new SecurityContext(Settings.EMPTY, new ThreadContext(Settings.EMPTY));
 IndexShard indexShard = mock(IndexShard.class);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
index 1d7264985c15f..5e4a520f3a265 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -1029,7 +1029,8 @@ public UnaryOperator> getIndexTemplateMetadat
 public Function> getFieldFilter() {
 if (enabled) {
 return index -> {
- if (getLicenseState().isDocumentAndFieldLevelSecurityAllowed() == false) {
+ XPackLicenseState licenseState = getLicenseState();
+ if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
 return MapperPlugin.NOOP_FIELD_PREDICATE;
 }
 IndicesAccessControl indicesAccessControl = threadContext.get().getTransient(
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
index b194dfa39efc6..dc7bfe87339e5 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/AuditTrailService.java
@@ -31,7 +31,8 @@ public AuditTrailService(List auditTrails, XPackLicenseState license
 }
 public AuditTrail get() {
- if (compositeAuditTrail.isEmpty() == false && licenseState.isAuditingAllowed()) {
+ if (compositeAuditTrail.isEmpty() == false &&
+ licenseState.isSecurityEnabled() && licenseState.isAuditingAllowed()) {
 return compositeAuditTrail;
 } else {
 return NOOP_AUDIT_TRAIL;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
index 980235f3e3005..aea8798468dc3 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
@@ -581,11 +581,11 @@ private Instant getApiKeyExpiration(Instant now, CreateApiKeyRequest request) {
 }
 private boolean isEnabled() {
- return enabled && licenseState.isApiKeyServiceAllowed();
+ return enabled && licenseState.isSecurityEnabled() && licenseState.isApiKeyServiceAllowed();
 }
 public void ensureEnabled() {
- if (licenseState.isApiKeyServiceAllowed() == false) {
+ if (licenseState.isSecurityEnabled() == false || licenseState.isApiKeyServiceAllowed() == false) {
 throw LicenseUtils.newComplianceException("api keys");
 }
 if (enabled == false) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
index 8794abcdf64aa..77a4fe982e7f5 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
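Review bot: `ApiKeyService.ensureEnabled()` still throws `LicenseUtils.newComplianceException("api keys")` when `isSecurityEnabled()` is false, which reports a license problem for what is a configuration state. Now that the two conditions are written out separately, the security-disabled case could get its own branch and message, leaving `if (licenseState.isApiKeyServiceAllowed() == false) { throw LicenseUtils.newComplianceException("api keys"); }` for the real license failure. The method continues past the hunk, so the existing `enabled == false` branch may already have a suitable exception to reuse. The same applies to `TokenService.ensureEnabled()` and to the compliance exception returned from `DelegatedAuthorizationSupport.resolve()` later in the diff.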
@@ -1519,11 +1519,11 @@ private static String getTokenIdFromDocumentId(String docId) {
 }
 private boolean isEnabled() {
- return enabled && licenseState.isTokenServiceAllowed();
+ return enabled && licenseState.isSecurityEnabled() && licenseState.isTokenServiceAllowed();
 }
 private void ensureEnabled() {
- if (licenseState.isTokenServiceAllowed() == false) {
+ if (licenseState.isSecurityEnabled() == false || licenseState.isTokenServiceAllowed() == false) {
 throw LicenseUtils.newComplianceException("security tokens");
 }
 if (enabled == false) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java
index 1c76c11676d27..e28ba08313f40 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.java
@@ -80,7 +80,8 @@ public boolean hasDelegation() {
 * with a meaningful diagnostic message.
 */
 public void resolve(String username, ActionListener resultListener) {
- if (licenseState.isAuthorizationRealmAllowed() == false) {
+ boolean authzOk = licenseState.isSecurityEnabled() && licenseState.isAuthorizationRealmAllowed();
+ if (authzOk == false) {
 resultListener.onResponse(AuthenticationResult.unsuccessful(
 DelegatedAuthorizationSettings.AUTHZ_REALMS_SUFFIX + " are not permitted",
 LicenseUtils.newComplianceException(DelegatedAuthorizationSettings.AUTHZ_REALMS_SUFFIX)
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
index 42d123616f671..70618e2c87c58 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java
@@ -365,7 +365,7 @@ AuthorizationEngine getAuthorizationEngine(final Authentication authentication)
 }
 private AuthorizationEngine getAuthorizationEngineForUser(final User user) {
- if (rbacEngine != authorizationEngine && licenseState.isAuthorizationEngineAllowed()) {
+ if (rbacEngine != authorizationEngine && licenseState.isSecurityEnabled() && licenseState.isAuthorizationEngineAllowed()) {
 if (ClientReservedRealm.isReserved(user.principal(), settings) || isInternalUser(user)) {
 return rbacEngine;
 } else {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java
index 21253f5b4bb37..e64b93ff1465b 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.java
@@ -40,7 +40,8 @@ public BulkShardRequestInterceptor(ThreadPool threadPool, XPackLicenseState lice
 @Override
 public void intercept(RequestInfo requestInfo, AuthorizationEngine authzEngine, AuthorizationInfo authorizationInfo, ActionListener listener) {
- if (requestInfo.getRequest() instanceof BulkShardRequest && licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
+ boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isDocumentAndFieldLevelSecurityAllowed();
+ if (requestInfo.getRequest() instanceof BulkShardRequest && shouldIntercept) {
 IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
 final BulkShardRequest bulkShardRequest = (BulkShardRequest) requestInfo.getRequest();
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
index cb2c1a5bb9315..1165be6b1f129 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
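Review bot: In `BulkShardRequestInterceptor.intercept`, `shouldIntercept` is computed before the `instanceof BulkShardRequest` test, so both license lookups now run for every intercepted request, whereas the old condition short-circuited on the request type first. Declaring the local only after the type has matched, or keeping the type test first in one wrapped condition as AuditTrailService.get does, restores that: `if (requestInfo.getRequest() instanceof BulkShardRequest &&` followed by `licenseState.isSecurityEnabled() && licenseState.isDocumentAndFieldLevelSecurityAllowed()) {`. FieldAndDocumentLevelSecurityRequestInterceptor has the same ordering relative to `supports(indicesRequest)`. The body of `intercept` continues outside the hunk.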
@@ -38,7 +38,8 @@ public void intercept(RequestInfo requestInfo, AuthorizationEngine authorization
 ActionListener listener) {
 if (requestInfo.getRequest() instanceof IndicesRequest) {
 IndicesRequest indicesRequest = (IndicesRequest) requestInfo.getRequest();
- if (supports(indicesRequest) && licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
+ boolean shouldIntercept = licenseState.isSecurityEnabled() && licenseState.isDocumentAndFieldLevelSecurityAllowed();
+ if (supports(indicesRequest) && shouldIntercept) {
 final IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
 for (String index : indicesRequest.indices()) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
index 68478e6def1fd..1c97d21e0a246 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/filter/IPFilter.java
@@ -199,7 +199,7 @@ private void setHttpFiltering(boolean enabled) {
 }
 public boolean accept(String profile, InetSocketAddress peerAddress) {
- if (licenseState.isIpFilteringAllowed() == false) {
+ if (licenseState.isSecurityEnabled() == false || licenseState.isIpFilteringAllowed() == false) {
 return true;
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java
index 372a095c93433..cc73af5ec53ce 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutActionTests.java @@ -177,6 +177,7 @@ public void setup() throws Exception { final ClusterService clusterService = ClusterServiceUtils.createClusterService(threadPool); final XPackLicenseState licenseState = mock(XPackLicenseState.class); + when(licenseState.isSecurityEnabled()).thenReturn(true); when(licenseState.isTokenServiceAllowed()).thenReturn(true); tokenService = new TokenService(settings, Clock.systemUTC(), client, licenseState, new SecurityContext(settings, threadContext), diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java index 9542090c1a8ed..c16bdf8322103 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionActionTests.java @@ -204,6 +204,7 @@ void doExecute(ActionType action, Request request, ActionListener realmList = Arrays.asList(realms); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java index f9123c231cd9a..3b356f584a82f 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java 
@@ -74,6 +74,7 @@ public void setup() throws Exception {
 .put("path.home", createTempDir()) .build();
 licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
index 55991fddbd862..92b8282349b6c 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
@@ -296,6 +296,7 @@ private AuthenticationResult performAuthentication(UserRoleMapper roleMapper, bo
 private void initializeRealms(Realm... realms) {
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
 final List realmList = Arrays.asList(realms);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java
index 20a8d8b27c3d1..346520dafde4a 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupportTests.java
@@ -188,6 +188,7 @@ public void testLicenseRejection() throws Exception {
 private XPackLicenseState getLicenseState(boolean authzRealmsAllowed) {
 final XPackLicenseState license = mock(XPackLicenseState.class);
+ when(license.isSecurityEnabled()).thenReturn(true);
 when(license.isAuthorizationRealmAllowed()).thenReturn(authzRealmsAllowed);
 return license;
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
index b7840a633ba60..d51fa8c0d9a85 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/AuthorizationServiceTests.java
@@ -203,6 +203,7 @@ public void setup() {
 when(clusterService.state()).thenReturn(ClusterState.EMPTY_STATE);
 auditTrail = mock(AuditTrail.class);
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isAuditingAllowed()).thenReturn(true);
 auditTrailService = new AuditTrailService(Collections.singletonList(auditTrail), licenseState);
 threadContext = new ThreadContext(settings);
@@ -1454,6 +1455,7 @@ public void getUserPrivileges(Authentication authentication, AuthorizationInfo a
 };
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isAuthorizationEngineAllowed()).thenReturn(true);
 authorizationService = new AuthorizationService(Settings.EMPTY, rolesStore, clusterService, auditTrailService, new DefaultAuthenticationFailureHandler(Collections.emptyMap()), threadPool,
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java
index 2a8a518d31d2e..53afc21236e85 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java
@@ -29,6 +29,7 @@ import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.audit.AuditTrail;
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
+import org.mockito.Mockito;
 import java.util.Collections;
@@ -133,7 +134,7 @@ public void testValidateSearchContext() throws Exception {
 SearchContextMissingException expected = expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
 assertEquals(testSearchContext.id(), expected.contextId());
- verify(licenseState, times(3)).isSecurityEnabled();
+ verify(licenseState, Mockito.atLeast(3)).isSecurityEnabled();
 verify(auditTrail).accessDenied(eq(null), eq(authentication), eq("action"), eq(request), authzInfoRoles(authentication.getUser().roles()));
 }
@@ -150,7 +151,7 @@ public void testValidateSearchContext() throws Exception {
 threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
 final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
 listener.validateSearchContext(testSearchContext, request);
- verify(licenseState, times(4)).isSecurityEnabled();
+ verify(licenseState, Mockito.atLeast(4)).isSecurityEnabled();
 verifyNoMoreInteractions(auditTrail);
 }
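Review bot: Replacing `times(3)` with `Mockito.atLeast(3)` in `testValidateSearchContext` (and likewise `atLeast(4)` and `atLeast(5)` in the following hunks) means the test no longer notices a change in how often `isSecurityEnabled()` is consulted. If the additional calls come from `AuditTrailService.get()` now checking `isSecurityEnabled()`, the exact new counts could be asserted instead, or the count verification dropped in favour of asserting the audit outcome that the test already verifies. The surrounding lines use statically imported verifiers (`verify`, `times`), so `import static org.mockito.Mockito.atLeast;` would match the file's style better than the qualified `Mockito.atLeast`.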
@@ -169,7 +170,7 @@ public void testValidateSearchContext() throws Exception {
 SearchContextMissingException expected = expectThrows(SearchContextMissingException.class, () -> listener.validateSearchContext(testSearchContext, request));
 assertEquals(testSearchContext.id(), expected.contextId());
- verify(licenseState, times(5)).isSecurityEnabled();
+ verify(licenseState, Mockito.atLeast(5)).isSecurityEnabled();
 verify(auditTrail).accessDenied(eq(null), eq(authentication), eq("action"), eq(request), authzInfoRoles(authentication.getUser().roles()));
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java
index 88cf479c572bb..f3fca53eabf43 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java
@@ -117,6 +117,7 @@ public class CompositeRolesStoreTests extends ESTestCase {
 public void testRolesWhenDlsFlsUnlicensed() throws IOException {
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
 RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] { IndicesPrivileges.builder()
@@ -187,6 +188,7 @@ public void testRolesWhenDlsFlsUnlicensed() throws IOException {
 public void testRolesWhenDlsFlsLicensed() throws IOException {
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
 RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] { IndicesPrivileges.builder()
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
index 54d643b0c9005..92658c2720e0b 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
@@ -287,6 +287,7 @@ public void testParseFileWithFLSAndDLSUnlicensed() throws Exception {
 List events = CapturingLogger.output(logger.getName(), Level.WARN);
 events.clear();
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
 Map roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY, licenseState, xContentRegistry());
 assertThat(roles, notNullValue());
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStoreTests.java
index 1d44430861644..1009b3b110637 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStoreTests.java
@@ -94,6 +94,7 @@ public void testBWCFieldPermissions() throws IOException {
 public void testRoleDescriptorWithFlsDlsLicensing() throws IOException {
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(false);
 RoleDescriptor flsRole = new RoleDescriptor("fls", null, new IndicesPrivileges[] { IndicesPrivileges.builder().privileges("READ").indices("*")
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java
index ca418c236a98f..6d4e17e6dde6f 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/test/SecurityMocks.java
@@ -172,6 +172,7 @@ public static TokenServiceMock tokenService(boolean enabled, ThreadPool threadPo
 final Client client = mock(Client.class);
 when(client.threadPool()).thenReturn(threadPool);
 final XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isTokenServiceAllowed()).thenReturn(true);
 final ClusterService clusterService = mock(ClusterService.class);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
index 5f5db88729899..c11a8f779c8fe 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/filter/IPFilterTests.java
@@ -60,6 +60,7 @@ public class IPFilterTests extends ESTestCase {
 @Before
 public void init() {
 licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isIpFilteringAllowed()).thenReturn(true);
 when(licenseState.isAuditingAllowed()).thenReturn(true);
 auditTrail = mock(AuditTrail.class);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java
index f17e9f4ff0871..4a69dabeaecab 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IpFilterRemoteAddressFilterTests.java
@@ -56,6 +56,7 @@ public void init() throws Exception {
 IPFilter.PROFILE_FILTER_ALLOW_SETTING, IPFilter.PROFILE_FILTER_DENY_SETTING)));
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isIpFilteringAllowed()).thenReturn(true);
 AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
 IPFilter ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java
index 842c9f031eff9..30908198a4f88 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/nio/NioIPFilterTests.java
@@ -59,6 +59,7 @@ public void init() throws Exception {
 IPFilter.PROFILE_FILTER_ALLOW_SETTING, IPFilter.PROFILE_FILTER_DENY_SETTING)));
 XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
 when(licenseState.isIpFilteringAllowed()).thenReturn(true);
 AuditTrailService auditTrailService = new AuditTrailService(Collections.emptyList(), licenseState);
 ipFilter = new IPFilter(settings, auditTrailService, clusterSettings, licenseState);