Merge branch 'stable-2.14' into stable-2.15

* stable-2.14:
  Revert "ElasticContainer: Limit heap usage for test containers"
  config-gerrit: Mention that Elasticsearch must be reachable during init
  ElasticContainer: Limit heap usage for test containers
  config-gerrit: Move elasticsearch security settings to separate section
  Elasticsearch: Allow to omit the elasticsearch.username
  Test coverage for elasticsearch.username and elasticsearch.password
  Fix creation of plugin log file when log4j.configuration is set

Change-Id: I448b583d33794834aae5e69f48e50aff04baa1df

Documentation/config-gerrit.txt

@@ -2901,6 +2901,9 @@ respectively. When using version 6.2 or later, the open and closed changes are
 merged into the default `_doc` type. The latter is also used for the accounts and
 groups indices starting with Elasticsearch 6.2.
 
+Note that when Gerrit is configured to use Elasticsearch, the Elasticsearch
+server(s) must be reachable during the site initialization.
+
 [[elasticsearch.prefix]]elasticsearch.prefix::
 +
 This setting can be used to prefix index names to allow multiple Gerrit
@@ -2909,18 +2912,6 @@ change index named `gerrit1_changes_0001`.
 +
 Not set by default.
 
-[[elasticsearch.username]]elasticsearch.username::
-+
-Username used to connect to Elasticsearch.
-+
-Not set by default.
-
-[[elasticsearch.password]]elasticsearch.password::
-+
-Password used to connect to Elasticsearch.
-+
-Not set by default.
-
 [[elasticsearch.maxRetryTimeout]]elasticsearch.maxRetryTimeout::
 +
 Sets the maximum timeout to honor in case of multiple retries of the same request.
@@ -2929,6 +2920,30 @@ The value is in the usual time-unit format like `1 m`, `5 m`.
 +
 Defaults to `30000 ms`.
 
+==== Elasticsearch Security
+
+When security is enabled in Elasticsearch, the username and password must be provided.
+Note that the same username and password are used for all servers.
+
+For further information about Elasticsearch security, please refer to the documentation:
+
+* link:https://www.elastic.co/guide/en/elasticsearch/plugins/2.4/security.html[Elasticsearch 2.4]
+* link:https://www.elastic.co/guide/en/x-pack/5.6/security-getting-started.html[Elasticsearch 5.6]
+* link:https://www.elastic.co/guide/en/x-pack/6.2/security-getting-started.html[Elasticsearch 6.2]
+* link:https://www.elastic.co/guide/en/elastic-stack-overview/6.3/security-getting-started.html[Elasticsearch 6.3]
+
+[[elasticsearch.username]]elasticsearch.username::
++
+Username used to connect to Elasticsearch.
++
+If a password is set, defaults to `elastic`, otherwise not set by default.
+
+[[elasticsearch.password]]elasticsearch.password::
++
+Password used to connect to Elasticsearch.
++
+Not set by default.
+
 ==== Elasticsearch server(s) configuration
 
 Each section corresponds to one Elasticsearch server.
@@ -2951,7 +2966,6 @@ Elasticsearch server port.
 +
 Defaults to `9200`.
 
-
 [[ldap]]
 === Section ldap
 

gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/pgm/ElasticReindexIT.java

@@ -33,7 +33,8 @@ public class ElasticReindexIT extends AbstractReindexTests {
     elasticNodeInfo = new ElasticNodeInfo(container.getHttpHost().getPort());
     String indicesPrefix = UUID.randomUUID().toString();
     Config cfg = new Config();
-    ElasticTestUtils.configure(cfg, elasticNodeInfo.port, indicesPrefix);
+    String password = version == ElasticVersion.V5_6 ? "changeme" : null;
+    ElasticTestUtils.configure(cfg, elasticNodeInfo.port, indicesPrefix, password);
     return cfg;
   }
 

gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/ssh/ElasticIndexIT.java

@@ -32,7 +32,8 @@ public class ElasticIndexIT extends AbstractIndexTests {
     elasticNodeInfo = new ElasticNodeInfo(container.getHttpHost().getPort());
     String indicesPrefix = UUID.randomUUID().toString();
     Config cfg = new Config();
-    ElasticTestUtils.configure(cfg, elasticNodeInfo.port, indicesPrefix);
+    String password = version == ElasticVersion.V5_6 ? "changeme" : null;
+    ElasticTestUtils.configure(cfg, elasticNodeInfo.port, indicesPrefix, password);
     return cfg;
   }
 

gerrit-elasticsearch/src/main/java/com/google/gerrit/elasticsearch/ElasticConfiguration.java

@@ -14,6 +14,8 @@
 
 package com.google.gerrit.elasticsearch;
 
+import static com.google.common.base.MoreObjects.firstNonNull;
+
 import com.google.common.base.MoreObjects;
 import com.google.common.base.Strings;
 import com.google.gerrit.server.config.GerritServerConfig;
@@ -36,6 +38,7 @@ class ElasticConfiguration {
   private static final String DEFAULT_HOST = "localhost";
   private static final String DEFAULT_PORT = "9200";
   private static final String DEFAULT_PROTOCOL = "http";
+  private static final String DEFAULT_USERNAME = "elastic";
 
   private final Config cfg;
   private final List<HttpHost> hosts;
@@ -48,8 +51,11 @@ class ElasticConfiguration {
   @Inject
   ElasticConfiguration(@GerritServerConfig Config cfg) {
     this.cfg = cfg;
-    this.username = cfg.getString("elasticsearch", null, "username");
     this.password = cfg.getString("elasticsearch", null, "password");
+    this.username =
+        password == null
+            ? null
+            : firstNonNull(cfg.getString("elasticsearch", null, "username"), DEFAULT_USERNAME);
     this.maxRetryTimeout =
         (int)
             cfg.getTimeUnit("elasticsearch", null, "maxRetryTimeout", 30000, TimeUnit.MILLISECONDS);

gerrit-elasticsearch/src/test/java/com/google/gerrit/elasticsearch/ElasticContainer.java

@@ -45,7 +45,7 @@ public class ElasticContainer<SELF extends ElasticContainer<SELF>> extends Gener
       case V2_4:
         return "elasticsearch:2.4.6-alpine";
       case V5_6:
-        return "elasticsearch:5.6.10-alpine";
+        return "docker.elastic.co/elasticsearch/elasticsearch:5.6.10";
       case V6_2:
         return "docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4";
       case V6_3:

gerrit-elasticsearch/src/test/java/com/google/gerrit/elasticsearch/ElasticTestUtils.java

@@ -32,13 +32,20 @@ public final class ElasticTestUtils {
     }
   }
 
-  public static void configure(Config config, int port, String prefix) {
+  public static void configure(Config config, int port, String prefix, String password) {
     config.setEnum("index", null, "type", IndexType.ELASTICSEARCH);
     config.setString("elasticsearch", "test", "protocol", "http");
     config.setString("elasticsearch", "test", "hostname", "localhost");
     config.setInt("elasticsearch", "test", "port", port);
     config.setString("elasticsearch", null, "prefix", prefix);
     config.setInt("index", null, "maxLimit", 10000);
+    if (password != null) {
+      config.setString("elasticsearch", null, "password", password);
+    }
+  }
+
+  public static void configure(Config config, int port, String prefix) {
+    configure(config, port, prefix, null);
   }
 
   public static void createAllIndexes(Injector injector) throws IOException {

gerrit-elasticsearch/src/test/java/com/google/gerrit/elasticsearch/ElasticV5QueryAccountsTest.java

@@ -60,7 +60,7 @@ public class ElasticV5QueryAccountsTest extends AbstractQueryAccountsTest {
     Config elasticsearchConfig = new Config(config);
     InMemoryModule.setDefaults(elasticsearchConfig);
     String indicesPrefix = testName();
-    ElasticTestUtils.configure(elasticsearchConfig, nodeInfo.port, indicesPrefix);
+    ElasticTestUtils.configure(elasticsearchConfig, nodeInfo.port, indicesPrefix, "changeme");
     return Guice.createInjector(new InMemoryModule(elasticsearchConfig, notesMigration));
   }
 }

gerrit-elasticsearch/src/test/java/com/google/gerrit/elasticsearch/ElasticV5QueryChangesTest.java

@@ -60,7 +60,7 @@ public class ElasticV5QueryChangesTest extends AbstractQueryChangesTest {
     Config elasticsearchConfig = new Config(config);
     InMemoryModule.setDefaults(elasticsearchConfig);
     String indicesPrefix = testName();
-    ElasticTestUtils.configure(elasticsearchConfig, nodeInfo.port, indicesPrefix);
+    ElasticTestUtils.configure(elasticsearchConfig, nodeInfo.port, indicesPrefix, "changeme");
     return Guice.createInjector(new InMemoryModule(elasticsearchConfig, notesMigration));
   }
 }

gerrit-elasticsearch/src/test/java/com/google/gerrit/elasticsearch/ElasticV5QueryGroupsTest.java

@@ -60,7 +60,7 @@ public class ElasticV5QueryGroupsTest extends AbstractQueryGroupsTest {
     Config elasticsearchConfig = new Config(config);
     InMemoryModule.setDefaults(elasticsearchConfig);
     String indicesPrefix = testName();
-    ElasticTestUtils.configure(elasticsearchConfig, nodeInfo.port, indicesPrefix);
+    ElasticTestUtils.configure(elasticsearchConfig, nodeInfo.port, indicesPrefix, "changeme");
     return Guice.createInjector(new InMemoryModule(elasticsearchConfig, notesMigration));
   }
 }

gerrit-server/src/main/java/com/google/gerrit/server/util/PluginLogFile.java

@@ -38,7 +38,7 @@ public abstract class PluginLogFile implements LifecycleListener {
 
   @Override
   public void start() {
-    AsyncAppender asyncAppender = systemLog.createAsyncAppender(logName, layout);
+    AsyncAppender asyncAppender = systemLog.createAsyncAppender(logName, layout, true);
     Logger logger = LogManager.getLogger(logName);
     logger.removeAppender(logName);
     logger.addAppender(asyncAppender);

gerrit-server/src/main/java/com/google/gerrit/server/util/SystemLog.java

@@ -70,13 +70,17 @@ public class SystemLog {
   }
 
   public AsyncAppender createAsyncAppender(String name, Layout layout) {
+    return createAsyncAppender(name, layout, false);
+  }
+
+  public AsyncAppender createAsyncAppender(String name, Layout layout, boolean forPlugin) {
     AsyncAppender async = new AsyncAppender();
     async.setName(name);
     async.setBlocking(true);
     async.setBufferSize(config.getInt("core", "asyncLoggingBufferSize", 64));
     async.setLocationInfo(false);
 
-    if (shouldConfigure()) {
+    if (forPlugin || shouldConfigure()) {
       async.addAppender(createAppender(site.logs_dir, name, layout));
     } else {
       Appender appender = LogManager.getLogger(name).getAppender(name);