in src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java [720:850]
public Collection<Object> createComponents(Client localClient, ClusterService clusterService, ThreadPool threadPool,
ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry xContentRegistry,
Environment environment, NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry,
IndexNameExpressionResolver indexNameExpressionResolver, Supplier<RepositoriesService> repositoriesServiceSupplier) {
SSLConfig.registerClusterSettingsChangeListener(clusterService.getClusterSettings());
if(SSLConfig.isSslOnlyMode()) {
return super.createComponents(
localClient,
clusterService,
threadPool,
resourceWatcherService,
scriptService,
xContentRegistry,
environment,
nodeEnvironment,
namedWriteableRegistry,
indexNameExpressionResolver,
repositoriesServiceSupplier
);
}
this.threadPool = threadPool;
this.cs = clusterService;
this.localClient = localClient;
final List<Object> components = new ArrayList<Object>();
if (client || disabled) {
return components;
}
//Register opensearch dynamic settings
transportPassiveAuthSetting.registerClusterSettingsChangeListener(clusterService.getClusterSettings());
final ClusterInfoHolder cih = new ClusterInfoHolder();
this.cs.addListener(cih);
this.salt = Salt.from(settings);
final IndexNameExpressionResolver resolver = new IndexNameExpressionResolver(threadPool.getThreadContext());
irr = new IndexResolverReplacer(resolver, clusterService, cih);
final String DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = DefaultInterClusterRequestEvaluator.class.getName();
InterClusterRequestEvaluator interClusterRequestEvaluator = new DefaultInterClusterRequestEvaluator(settings);
final String className = settings.get(ConfigConstants.SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS,
DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS);
log.debug("Using {} as intercluster request evaluator class", className);
if (!DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS.equals(className)) {
interClusterRequestEvaluator = ReflectionHelper.instantiateInterClusterRequestEvaluator(className, settings);
}
final PrivilegesInterceptor privilegesInterceptor;
if (SSLConfig.isSslOnlyMode()) {
dlsFlsValve = new DlsFlsRequestValve.NoopDlsFlsRequestValve();
auditLog = new NullAuditLog();
privilegesInterceptor = new PrivilegesInterceptor(resolver, clusterService, localClient, threadPool);
} else {
dlsFlsValve = new DlsFlsValveImpl();
auditLog = new AuditLogImpl(settings, configPath, localClient, threadPool, resolver, clusterService, environment);
privilegesInterceptor = new PrivilegesInterceptorImpl(resolver, clusterService, localClient, threadPool);
}
sslExceptionHandler = new AuditLogSslExceptionHandler(auditLog);
adminDns = new AdminDNs(settings);
cr = ConfigurationRepository.create(settings, this.configPath, threadPool, localClient, clusterService, auditLog);
final XFFResolver xffResolver = new XFFResolver(threadPool);
backendRegistry = new BackendRegistry(settings, adminDns, xffResolver, auditLog, threadPool);
final CompatConfig compatConfig = new CompatConfig(environment, transportPassiveAuthSetting);
// DLS-FLS is enabled if not client and not disabled and not SSL only.
final boolean dlsFlsEnabled = !SSLConfig.isSslOnlyMode();
evaluator = new PrivilegesEvaluator(clusterService, threadPool, cr, resolver, auditLog,
settings, privilegesInterceptor, cih, irr, dlsFlsEnabled);
sf = new SecurityFilter(localClient, settings, evaluator, adminDns, dlsFlsValve, auditLog, threadPool, cs, compatConfig, irr, backendRegistry);
final String principalExtractorClass = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, null);
if(principalExtractorClass == null) {
principalExtractor = new DefaultPrincipalExtractor();
} else {
principalExtractor = ReflectionHelper.instantiatePrincipalExtractor(principalExtractorClass);
}
securityRestHandler = new SecurityRestFilter(backendRegistry, auditLog, threadPool,
principalExtractor, settings, configPath, compatConfig);
final DynamicConfigFactory dcf = new DynamicConfigFactory(cr, settings, configPath, localClient, threadPool, cih);
dcf.registerDCFListener(backendRegistry);
dcf.registerDCFListener(compatConfig);
dcf.registerDCFListener(irr);
dcf.registerDCFListener(xffResolver);
dcf.registerDCFListener(evaluator);
dcf.registerDCFListener(securityRestHandler);
if (!(auditLog instanceof NullAuditLog)) {
// Don't register if advanced modules is disabled in which case auditlog is instance of NullAuditLog
dcf.registerDCFListener(auditLog);
}
cr.setDynamicConfigFactory(dcf);
si = new SecurityInterceptor(settings, threadPool, backendRegistry, auditLog, principalExtractor,
interClusterRequestEvaluator, cs, Objects.requireNonNull(sslExceptionHandler), Objects.requireNonNull(cih), SSLConfig);
components.add(principalExtractor);
// NOTE: We need to create DefaultInterClusterRequestEvaluator before creating ConfigurationRepository since the latter requires security index to be accessible which means
// communciation with other nodes is already up. However for the communication to be up, there needs to be trusted nodes_dn. Hence the base values from opensearch.yml
// is used to first establish trust between same cluster nodes and there after dynamic config is loaded if enabled.
if (DEFAULT_INTERCLUSTER_REQUEST_EVALUATOR_CLASS.equals(className)) {
DefaultInterClusterRequestEvaluator e = (DefaultInterClusterRequestEvaluator) interClusterRequestEvaluator;
e.subscribeForChanges(dcf);
}
components.add(adminDns);
components.add(cr);
components.add(xffResolver);
components.add(backendRegistry);
components.add(evaluator);
components.add(si);
components.add(dcf);
return components;
}