Issue ssl users fabric8io#333 - adding ACL

KurtStam · Jun 7, 2016 · 42756dd · 42756dd
1 parent ea4b606
commit 42756dd
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/apiman/src/main/java/io/fabric8/apiman/Fabric8EsClientFactory.java b/apiman/src/main/java/io/fabric8/apiman/Fabric8EsClientFactory.java
@@ -45,6 +45,7 @@ protected void updateHttpConfig(Builder httpConfig) {
         String timeout  = config.get("timeout"); //$NON-NLS-1$
         if (username != null) {
             httpConfig.defaultCredentials(username, password);
+            log.info("Setting creds for " + username);
         }
         if (timeout == null) {
             timeout = "10000"; //$NON-NLS-1$

diff --git a/elasticsearch/src/main/resources/docker-entrypoint.sh b/elasticsearch/src/main/resources/docker-entrypoint.sh
@@ -15,6 +15,7 @@ searchguard.authentication.settingsdb.user.admin: supersecret
 searchguard.authentication.authorization.settingsdb.roles.admin: ["admin"]
 searchguard:
   allow_all_from_loopback: true
+  config_index_name: ".searchguard"
   ssl:
     transport:
       http:
@@ -29,13 +30,53 @@ searchguard:
 EOF
 fi
 
+echo "Searchguard config update completed"
+
 cd /usr/share/elasticsearch/bin
 
 # Add elasticsearch as command if needed
 if [ "${1:0:1}" = '-' ]; then
     set -- elasticsearch "$1"
 fi
 
+
+if [ $2 = 'ssl' ]; then
+
+echo "Starting elastic to load the ACL..."
+gosu elasticsearch ./elasticsearch -Des.pidfile=/usr/share/elasticsearch/bin/elasticsearch.pid -d
+
+# check to see if ES has started up yet
+until $(curl -k -s -f -o /dev/null --connect-timeout 1 -m 1 --head https://localhost:9200); do
+  sleep 0.1;
+done
+
+  curl -k -q -XPUT "https://localhost:9200/.searchguard/ac/ac?pretty" -d '{
+    "acl": [
+    {    
+        "__Comment__": "By default no filters are executed and no filters a by-passed. In such a case an exception is thrown and access will be denied.",
+        "filters_bypass": [],
+        "filters_execute": []
+     },
+     {
+           "__Comment__": "For role *admin* all filters are bypassed (so none will be executed). This means unrestricted access.",
+           "roles": [
+               "admin"
+           ],
+           "filters_bypass": ["*"],
+           "filters_execute": [""]
+     }
+     ]
+  }'
+
+  echo "Completed the ACL"
+  # check to make sure the ACL has been persisted
+  until $(curl -k -s -f -o /dev/null --connect-timeout 1 -m 1 https://localhost:9200/.searchguard/ac/ac); do
+    sleep 0.1;
+  done
+
+  kill `cat /usr/share/elasticsearch/bin/elasticsearch.pid`
+fi
+
 # Drop root privileges if we are running elasticsearch
 if [ "$1" = 'elasticsearch' ]; then
     # Change the ownership of /usr/share/elasticsearch/data to elasticsearch