diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
index ec62285c6aa5f..fc96399a289f6 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
@@ -402,11 +402,11 @@ boolean isActive() {
}
public boolean isIpFilteringAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
+ return isAllowedByLicense(OperationMode.GOLD, false);
}
public boolean isAuditingAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
+ return isAllowedByLicense(OperationMode.GOLD, false);
}
public boolean isStatsAndHealthAllowed() {
@@ -427,33 +427,33 @@ public boolean isStatsAndHealthAllowed() {
* @return {@code true} to enable DLS and FLS. Otherwise {@code false}.
*/
public boolean isDocumentAndFieldLevelSecurityAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, false);
+ return isAllowedByLicense(OperationMode.PLATINUM, false);
}
public boolean areAllRealmsAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, false);
+ return isAllowedByLicense(OperationMode.PLATINUM, false);
}
public boolean areStandardRealmsAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
+ return isAllowedByLicense(OperationMode.GOLD, false);
}
public boolean isCustomRoleProvidersAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, true);
+ return isAllowedByLicense(OperationMode.PLATINUM, true);
}
/**
* Whether the Elasticsearch {@code TokenService} is allowed
*/
public boolean isTokenServiceAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.GOLD, false);
+ return isAllowedByLicense(OperationMode.GOLD, false);
}
/**
* Whether the Elasticsearch {@code ApiKeyService} is allowed
*/
public boolean isApiKeyServiceAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.MISSING, false);
+ return isAllowedByLicense(OperationMode.MISSING, false);
}
/**
@@ -461,7 +461,7 @@ public boolean isApiKeyServiceAllowed() {
* @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
*/
public boolean isAuthorizationRealmAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, true);
+ return isAllowedByLicense(OperationMode.PLATINUM, true);
}
/**
@@ -469,7 +469,7 @@ public boolean isAuthorizationRealmAllowed() {
* @see org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings
*/
public boolean isAuthorizationEngineAllowed() {
- return isAllowedBySecurityAndLicense(OperationMode.PLATINUM, true);
+ return isAllowedByLicense(OperationMode.PLATINUM, true);
}
public boolean isWatcherAllowed() {
@@ -683,32 +683,7 @@ public XPackLicenseState copyCurrentLicenseState() {
}
/**
- * Test whether a feature is allowed by the status of license and security configuration.
- * Note the difference to {@link #isAllowedByLicense(OperationMode, boolean)}
- * is this method requires security to be enabled.
- *
- * @param minimumMode The minimum license to meet or exceed
- * @param needActive Whether current license needs to be active.
- *
- * @return true if feature is allowed, otherwise false
- */
- private boolean isAllowedBySecurityAndLicense(OperationMode minimumMode, boolean needActive) {
- return checkAgainstStatus(status -> {
- if (false == isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled)) {
- return false;
- }
- // Do not delegate to isAllowedByLicense as it also captures "status" which may be different from here
- if (needActive && false == status.active) {
- return false;
- }
- return isAllowedByOperationMode(status.mode, minimumMode);
- });
- }
-
- /**
- * Test whether a feature is allowed by the status of license. Note difference to
- * {@link #isAllowedBySecurityAndLicense} is this method does Not require security
- * to be enabled.
+ * Test whether a feature is allowed by the status of license.
*
* @param minimumMode The minimum license to meet or exceed
* @param needActive Whether current license needs to be active
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java
index 57af4eb16c5ba..8d02191bebd5e 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java
@@ -61,7 +61,7 @@ public SecurityIndexReaderWrapper(Function queryShar
@Override
public DirectoryReader apply(final DirectoryReader reader) {
- if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
+ if (licenseState.isSecurityEnabled() == false || licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return reader;
}
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
index 4961899f3c7e4..94decec26bdfe 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -107,7 +107,7 @@ public void testSecurityBasicWithoutExplicitSecurityEnabled() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
- assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
assertThat(licenseState.isSecurityAvailable(), is(true));
assertThat(licenseState.isSecurityEnabled(), is(false));
@@ -142,7 +142,7 @@ public void testSecurityDefaultBasicExpired() {
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertThat(licenseState.isTokenServiceAllowed(), is(false));
- assertThat(licenseState.isApiKeyServiceAllowed(), is(false));
+ assertThat(licenseState.isApiKeyServiceAllowed(), is(true));
}
public void testSecurityEnabledBasicExpired() {
@@ -260,11 +260,6 @@ public void testNewTrialDefaultsSecurityOff() {
private void assertSecurityNotAllowed(XPackLicenseState licenseState) {
assertThat(licenseState.isSecurityEnabled(), is(false));
- assertThat(licenseState.isIpFilteringAllowed(), is(false));
- assertThat(licenseState.isAuditingAllowed(), is(false));
- assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
- assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
- assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}
public void testSecurityAckBasicToNotGoldOrStandard() {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java
index e7a29c7083824..f3f88c836b2b4 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperIntegrationTests.java
@@ -97,6 +97,7 @@ null, null, mapperService, null, null, xContentRegistry(), writableRegistry(),
QueryShardContext queryShardContext = spy(realQueryShardContext);
DocumentSubsetBitsetCache bitsetCache = new DocumentSubsetBitsetCache(Settings.EMPTY, Executors.newSingleThreadExecutor());
XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
Directory directory = newDirectory();
@@ -232,6 +233,7 @@ null, null, mapperService, null, null, xContentRegistry(), writableRegistry(),
DocumentSubsetBitsetCache bitsetCache = new DocumentSubsetBitsetCache(Settings.EMPTY, Executors.newSingleThreadExecutor());
XPackLicenseState licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
SecurityIndexReaderWrapper wrapper = new SecurityIndexReaderWrapper(s -> queryShardContext,
bitsetCache, securityContext, licenseState, scriptService) {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java
index c91469a62e593..6254349c32ed2 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapperUnitTests.java
@@ -64,6 +64,7 @@ public void setup() throws Exception {
ShardId shardId = new ShardId(index, 0);
licenseState = mock(XPackLicenseState.class);
+ when(licenseState.isSecurityEnabled()).thenReturn(true);
when(licenseState.isDocumentAndFieldLevelSecurityAllowed()).thenReturn(true);
securityContext = new SecurityContext(Settings.EMPTY, new ThreadContext(Settings.EMPTY));
IndexShard indexShard = mock(IndexShard.class);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
index 1d7264985c15f..5e4a520f3a265 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -1029,7 +1029,8 @@ public UnaryOperator