Enable license feature usage for Security Realms

x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java

@@ -45,8 +45,13 @@ public enum Feature {
         SECURITY_IP_FILTERING(OperationMode.GOLD, false),
         SECURITY_AUDITING(OperationMode.GOLD, false),
         SECURITY_DLS_FLS(OperationMode.PLATINUM, false),
-        SECURITY_ALL_REALMS(OperationMode.PLATINUM, false),
-        SECURITY_STANDARD_REALMS(OperationMode.GOLD, false),
+        SECURITY_LDAP_REALM(OperationMode.GOLD, false),
+        SECURITY_AD_REALM(OperationMode.GOLD, false),
+        SECURITY_PKI_REALM(OperationMode.GOLD, false),
+        SECURITY_SAML_REALM(OperationMode.PLATINUM, false),
+        SECURITY_OIDC_REALM(OperationMode.PLATINUM, false),
+        SECURITY_KERBEROS_REALM(OperationMode.PLATINUM, false),
+        SECURITY_CUSTOM_REALM(OperationMode.PLATINUM, false),
         SECURITY_CUSTOM_ROLE_PROVIDERS(OperationMode.PLATINUM, true),
         SECURITY_TOKEN_SERVICE(OperationMode.GOLD, false),
         SECURITY_API_KEY_SERVICE(OperationMode.MISSING, false),
@@ -109,12 +114,10 @@ public enum Feature {
         }
     }
 
-    // temporarily non tracked feeatures which need rework in how they are checked
+    // temporarily non tracked features which need rework in how they are checked
     // so they are not tracked as always used
     private static final Set<Feature> NON_TRACKED_FEATURES = Set.of(
-        Feature.SECURITY_IP_FILTERING,
-        Feature.SECURITY_ALL_REALMS,
-        Feature.SECURITY_STANDARD_REALMS
+        Feature.SECURITY_IP_FILTERING
     );
 
     /** Messages for each feature which are printed when the license expires. */

x-pack/plugin/core/src/test/java/org/elasticsearch/license/TestUtils.java

@@ -35,6 +35,7 @@
 import java.util.UUID;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.LongSupplier;
 
 import static com.carrotsearch.randomizedtesting.RandomizedTest.randomBoolean;
 import static com.carrotsearch.randomizedtesting.RandomizedTest.randomInt;
@@ -383,7 +384,11 @@ public UpdatableLicenseState() {
         }
 
         public UpdatableLicenseState(Settings settings) {
-            super(settings, () -> 0);
+            this(settings, () -> 0);
+        }
+
+        public UpdatableLicenseState(Settings settings, LongSupplier epochMillis) {
+            super(settings, epochMillis);
         }
 
         @Override

x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java

@@ -87,8 +87,16 @@ public void testSecurityDefaults() {
         assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_STATS_AND_HEALTH), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_AD_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_LDAP_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_PKI_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_SAML_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_OIDC_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_KERBEROS_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_REALM), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_API_KEY_SERVICE), is(true));
 
         licenseState = TestUtils.newTestLicenseState();
         assertSecurityNotAllowed(licenseState);
@@ -203,7 +211,13 @@ public void testSecurityGold() {
         assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_STATS_AND_HEALTH), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_STANDARD_REALMS), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_AD_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_LDAP_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_PKI_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_SAML_REALM), is(false));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_OIDC_REALM), is(false));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_KERBEROS_REALM), is(false));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_REALM), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_API_KEY_SERVICE), is(true));
@@ -220,7 +234,13 @@ public void testSecurityGoldExpired() {
         assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_STATS_AND_HEALTH), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(false));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_STANDARD_REALMS), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_AD_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_LDAP_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_PKI_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_SAML_REALM), is(false));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_OIDC_REALM), is(false));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_KERBEROS_REALM), is(false));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_REALM), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_API_KEY_SERVICE), is(true));
@@ -237,7 +257,13 @@ public void testSecurityPlatinum() {
         assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_STATS_AND_HEALTH), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_AD_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_LDAP_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_PKI_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_SAML_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_OIDC_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_KERBEROS_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_REALM), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_API_KEY_SERVICE), is(true));
@@ -254,7 +280,13 @@ public void testSecurityPlatinumExpired() {
         assertThat(licenseState.checkFeature(Feature.SECURITY_AUDITING), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_STATS_AND_HEALTH), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_DLS_FLS), is(true));
-        assertThat(licenseState.checkFeature(Feature.SECURITY_ALL_REALMS), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_AD_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_LDAP_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_PKI_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_SAML_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_OIDC_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_KERBEROS_REALM), is(true));
+        assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_REALM), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_CUSTOM_ROLE_PROVIDERS), is(false));
         assertThat(licenseState.checkFeature(Feature.SECURITY_TOKEN_SERVICE), is(true));
         assertThat(licenseState.checkFeature(Feature.SECURITY_API_KEY_SERVICE), is(true));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/InternalRealms.java

@@ -9,6 +9,7 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.authc.Realm;
@@ -52,13 +53,18 @@
 public final class InternalRealms {
 
     /**
-     * The list of all <em>internal</em> realm types, excluding {@link ReservedRealm#TYPE}.
+     * The map of all <em>internal</em> realm types, excluding {@link ReservedRealm#TYPE}, to their relevant license feature
      */
-    private static final Set<String> XPACK_TYPES = Collections
-        .unmodifiableSet(Sets.newHashSet(NativeRealmSettings.TYPE, FileRealmSettings.TYPE, LdapRealmSettings.AD_TYPE,
-            LdapRealmSettings.LDAP_TYPE, PkiRealmSettings.TYPE, SamlRealmSettings.TYPE, KerberosRealmSettings.TYPE,
-            OpenIdConnectRealmSettings.TYPE));
-
+    private static final Map<String, XPackLicenseState.Feature> XPACK_TYPES = Map.ofEntries(
+        Map.entry(NativeRealmSettings.TYPE, XPackLicenseState.Feature.SECURITY),
+        Map.entry(FileRealmSettings.TYPE, XPackLicenseState.Feature.SECURITY),
+        Map.entry(LdapRealmSettings.AD_TYPE, XPackLicenseState.Feature.SECURITY_AD_REALM),
+        Map.entry(LdapRealmSettings.LDAP_TYPE, XPackLicenseState.Feature.SECURITY_LDAP_REALM),
+        Map.entry(PkiRealmSettings.TYPE, XPackLicenseState.Feature.SECURITY_PKI_REALM),
+        Map.entry(SamlRealmSettings.TYPE, XPackLicenseState.Feature.SECURITY_SAML_REALM),
+        Map.entry(OpenIdConnectRealmSettings.TYPE, XPackLicenseState.Feature.SECURITY_OIDC_REALM),
+        Map.entry(KerberosRealmSettings.TYPE, XPackLicenseState.Feature.SECURITY_KERBEROS_REALM)
+    );
     /**
      * The list of all standard realm types, which are those provided by x-pack and do not have extensive
      * interaction with third party sources
@@ -71,14 +77,14 @@ public final class InternalRealms {
      * including the {@link ReservedRealm}
      */
     static boolean isXPackRealm(String type) {
-        if (XPACK_TYPES.contains(type)) {
+        if (XPACK_TYPES.containsKey(type)) {
             return true;
         }
         return ReservedRealm.TYPE.equals(type);
     }
 
     public static Collection<String> getConfigurableRealmsTypes() {
-        return Collections.unmodifiableSet(XPACK_TYPES);
+        return XPACK_TYPES.keySet();
     }
 
     /**
@@ -102,34 +108,34 @@ public static Map<String, Realm.Factory> getFactories(ThreadPool threadPool, Res
                                                           SecurityIndexManager securityIndex) {
 
         return Map.of(
-                // file realm
-                FileRealmSettings.TYPE,
-                config -> new FileRealm(config, resourceWatcherService, threadPool),
-                // native realm
-                NativeRealmSettings.TYPE,
-                config -> {
-                    final NativeRealm nativeRealm = new NativeRealm(config, nativeUsersStore, threadPool);
-                    securityIndex.addIndexStateListener(nativeRealm::onSecurityIndexStateChange);
-                    return nativeRealm;
-                },
-                // active directory realm
-                LdapRealmSettings.AD_TYPE,
-                config -> new LdapRealm(config, sslService, resourceWatcherService, nativeRoleMappingStore, threadPool),
-                // LDAP realm
-                LdapRealmSettings.LDAP_TYPE,
-                config -> new LdapRealm(config, sslService, resourceWatcherService, nativeRoleMappingStore, threadPool),
-                // PKI realm
-                PkiRealmSettings.TYPE,
-                config -> new PkiRealm(config, resourceWatcherService, nativeRoleMappingStore),
-                // SAML realm
-                SamlRealmSettings.TYPE,
-                config -> SamlRealm.create(config, sslService, resourceWatcherService, nativeRoleMappingStore),
-                // Kerberos realm
-                KerberosRealmSettings.TYPE,
-                config -> new KerberosRealm(config, nativeRoleMappingStore, threadPool),
-                // OpenID Connect realm
-                OpenIdConnectRealmSettings.TYPE,
-                config -> new OpenIdConnectRealm(config, sslService, nativeRoleMappingStore, resourceWatcherService));
+            // file realm
+            FileRealmSettings.TYPE,
+            config -> new FileRealm(config, resourceWatcherService, threadPool),
+            // native realm
+            NativeRealmSettings.TYPE,
+            config -> {
+                final NativeRealm nativeRealm = new NativeRealm(config, nativeUsersStore, threadPool);
+                securityIndex.addIndexStateListener(nativeRealm::onSecurityIndexStateChange);
+                return nativeRealm;
+            },
+            // active directory realm
+            LdapRealmSettings.AD_TYPE,
+            config -> new LdapRealm(config, sslService, resourceWatcherService, nativeRoleMappingStore, threadPool),
+            // LDAP realm
+            LdapRealmSettings.LDAP_TYPE,
+            config -> new LdapRealm(config, sslService, resourceWatcherService, nativeRoleMappingStore, threadPool),
+            // PKI realm
+            PkiRealmSettings.TYPE,
+            config -> new PkiRealm(config, resourceWatcherService, nativeRoleMappingStore),
+            // SAML realm
+            SamlRealmSettings.TYPE,
+            config -> SamlRealm.create(config, sslService, resourceWatcherService, nativeRoleMappingStore),
+            // Kerberos realm
+            KerberosRealmSettings.TYPE,
+            config -> new KerberosRealm(config, nativeRoleMappingStore, threadPool),
+            // OpenID Connect realm
+            OpenIdConnectRealmSettings.TYPE,
+            config -> new OpenIdConnectRealm(config, sslService, nativeRoleMappingStore, resourceWatcherService));
     }
 
     private InternalRealms() {
@@ -146,4 +152,11 @@ public static List<BootstrapCheck> getBootstrapChecks(final Settings globalSetti
             .collect(Collectors.toList());
         return checks;
     }
+
+    public static XPackLicenseState.Feature getLicenseFeature(String type) {
+        if (ReservedRealm.TYPE.equals(type)) {
+            return XPackLicenseState.Feature.SECURITY;
+        }
+        return XPACK_TYPES.getOrDefault(type, XPackLicenseState.Feature.SECURITY_CUSTOM_REALM);
+    }
 }