Merge pull request #801 from untergeek/release/4.2.0

Release prep for 4.2.0

curator/_version.py

@@ -1 +1 @@
-__version__ = '4.2.0.dev0'
+__version__ = '4.2.0'

docs/Changelog.rst

@@ -3,8 +3,8 @@
 Changelog
 =========
 
-4.2.0 (? ? ?)
--------------
+4.2.0 (4 November 2016)
+-----------------------
 
 **New Features**
 

docs/asciidoc/index.asciidoc

@@ -1,4 +1,4 @@
-:curator_version: 4.1.2
+:curator_version: 4.2.0
 :curator_major: 4
 :es_py_version: 2.4.0
 :ref:  http://www.elastic.co/guide/en/elasticsearch/reference/current
@@ -15,4 +15,5 @@ include::options.asciidoc[]
 include::filters.asciidoc[]
 include::filter_elements.asciidoc[]
 include::examples.asciidoc[]
+include::security.asciidoc[]
 include::faq.asciidoc[]

docs/asciidoc/installation.asciidoc

@@ -8,9 +8,14 @@ needs.  It is important to note that Curator only requires access to a client
 node in the Elasticsearch cluster to work.  It need not be installed on one of
 the nodes in the cluster if you do not want it that way.
 
+IMPORTANT: If you plan on using SSL/TLS to connect to Elasticsearch, you may
+  encounter issues with older versions of Python and outdated libraries.  The
+  binary packages have been compiled with up-to-date versions for your
+  convenience. See the <<security,security>> page for more information.
+
 * <<pip,pip>>, the easiest way to use and upgrade.
-* <<apt-repository,APT Repository>>, including a single, binary package!
-* <<yum-repository,YUM Repository>>, including a single, binary package!
+* <<apt-repository,APT Repository>>, installs a single, binary package!
+* <<yum-repository,YUM Repository>>, installs a single, binary package!
 * <<windows-zip,Windows Zip Package>>
 * <<windows-msi,Windows MSI Installer>>
 * <<python-source,Source Code>>
@@ -120,7 +125,7 @@ file and the installation should work as expected.
 ==================================================
 
 [[apt-binary]]
-=== Binary Package Installation (recommended)
+=== Binary Package Installation
 
 Starting with version 4.1.2, Curator comes with a binary version.  What this
 really means is that the source is compiled, and all required libraries are
@@ -142,38 +147,13 @@ aforementioned directory.
 
 [WARNING]
 ====================================================
-The `elasticsearch-curator` binary package cannot coexist with the
-`python-elasticsearch-curator` package.  This collision is explicitly defined
+The `elasticsearch-curator` binary package cannot coexist with the older
+`python-elasticsearch-curator` packages.  This collision is explicitly defined
 in packages since 4.1.2, but not in previous packages.  If it is installed, you
 _must_ uninstall the `python-elasticsearch-curator` package before installing
 the `elasticsearch-curator` binary package.
 ====================================================
 
-=== Python Package Installation
-
-This method will install all of the python modules (or libraries) that Curator
-requires, as well as an entry-point to launch Curator.  The shared library
-approach introduces the possibility of library collision, which will prevent
-installation, with error messages explaining why.  If this happens, it is
-recommended that you use the <<apt-binary,binary installation>> method, as this
-precludes the possibility of library collision.
-
-To install Curator, run the following:
-
-[source,sh]
---------------------------------------------------
-sudo apt-get update && sudo apt-get install python-elasticsearch-curator
---------------------------------------------------
-
-[WARNING]
-====================================================
-The `python-elasticsearch-curator` binary package cannot coexist with the
-`elasticsearch-curator` package.  This collision is explicitly defined
-in packages since 4.1.2, but not in previous packages.  If it is installed, you
-_must_ uninstall the `elasticsearch-curator` binary package before installing
-the `python-elasticsearch-curator` package and its dependencies.
-====================================================
-
 [[yum-repository]]
 == YUM repository
 
@@ -228,7 +208,7 @@ enabled=1
 =========================================
 
 [[yum-binary]]
-=== Binary Package Installation (recommended)
+=== Binary Package Installation
 
 Starting with version 4.1.2, Curator comes with a binary version.  What this
 really means is that the source is compiled, and all required libraries are
@@ -250,85 +230,13 @@ aforementioned directory.
 
 [WARNING]
 ====================================================
-The `elasticsearch-curator` binary package cannot coexist with the
-`python-elasticsearch-curator` package.  This collision is explicitly defined
+The `elasticsearch-curator` binary package cannot coexist with the older
+`python-elasticsearch-curator` packages.  This collision is explicitly defined
 in packages since 4.1.2, but not in previous packages.  If it is installed, you
 _must_ uninstall the `python-elasticsearch-curator` package before installing
 the `elasticsearch-curator` binary package.
 ====================================================
 
-=== Python Package Installation
-
-This method will install all of the python modules (or libraries) that Curator
-requires, as well as an entry-point to launch Curator.  The shared library
-approach introduces the possibility of library collision, which will prevent
-installation, with error messages explaining why.  If this happens, it is
-recommended that you use the <<yum-binary,binary installation>> method, as this
-precludes the possibility of library collision.
-
-To install Curator, run the following:
-
-[source,sh]
-----------------------------------------
-yum install python-elasticsearch-curator
-----------------------------------------
-
-[WARNING]
-====================================================
-The `python-elasticsearch-curator` binary package cannot coexist with the
-`elasticsearch-curator` package.  This collision is explicitly defined
-in packages since 4.1.2, but not in previous packages.  If it is installed, you
-_must_ uninstall the `elasticsearch-curator` binary package before installing
-the `python-elasticsearch-curator` package and its dependencies.
-====================================================
-
-[float]
-==== Troubleshooting
-There are some pitfalls you may encounter:
-
-* `ImportError: No module named pkg_resources`
-+
-If you see this error:
-+
-[source,sh]
-------------------------------
-Traceback (most recent call last):
-  File "/usr/bin/curator", line 5, in <module>
-    from pkg_resources import load_entry_point
-ImportError: No module named pkg_resources
-------------------------------
-+
-Then you will need to install `python-setuptools` (provided in the Curator
-repository):
-+
-[source,sh]
------------------------------
-yum install python-setuptools
------------------------------
-+
-See more detail in this <<entrypoint-fix,FAQ>>.
-
-* `Requires: python-unittest2` (RHEL/CentOS 6 only)
-+
-If you see an error like this:
-+
-[source,sh]
----------------------
-Error: Package: python-elasticsearch-2.4.0-1.noarch (curator-4)
-           Requires: python-unittest2
----------------------
-+
-Then you will need to install python-unittest2, which is provided in the Curator
-repository, and also in the `epel-release` repository:
-+
-[source,sh]
-------------------
-yum install epel-release
-------------------
-+
-After this is installed, run the `yum install python-elasticsearch-curator`
-command again.
-
 [[windows-zip]]
 == Windows Binary Zip Package
 If you do not wish to install and maintain Python on Windows, there is a
@@ -422,7 +330,7 @@ or uncompress and run `python setup.py install`
 &nbsp;
 
 === click
-Download and install the http://click.pocoo.org/[click] dependency (3.3 or
+Download and install the http://click.pocoo.org/[click] dependency (6.0 or
 greater):
 
 . `wget https://pypi.python.org/packages/source/c/click/click-6.2.tar.gz -O click-6.3.tar.gz`

docs/asciidoc/security.asciidoc

@@ -0,0 +1,104 @@
+[[security]]
+= Security
+
+[partintro]
+--
+Please read the following sections for help with securing the connection between
+Curator and Elasticsearch.
+
+* <<python-security,Python and Secure Connectivity>>
+* <<security-errors,Common security error messages>>
+--
+
+[[python-security]]
+== Python and Secure Connectivity
+
+Curator was written in Python, which allows it to be distributed as code which
+can run across a wide variety of systems, including Linux, Windows, Mac OS, and
+any other system or architecture for which a Python interpreter has been
+written. Curator was also written to be usable by the 4 most recent major
+release branches of Python: 2.6, 2.7, 3.4, and 3.5.  It may even run on other
+versions, but those versions are not tested.
+
+Unfortunately, this broad support comes at a cost.  While Curator happily runs
+on Python version 2.6, this version had its last update more than 3 years ago.
+There have been many improvements to security, SSL/TLS and the libraries that
+support them since then.  Not all of these have been back-ported, which results
+in Curator not being able to communicate securely via SSL/TLS, or in some cases
+even connect securely.
+
+Because it is impossible to know if a given system has the correct Python
+version, leave alone the most recent libraries and modules, it becomes nearly
+impossible to guarantee that Curator will be able to make a secure and
+error-free connection to a secured Elasticsearch instance for any `pip` or
+RPM/DEB installed modules.  This has lead to an increased amount of
+troubleshooting and support work for Curator.  The precompiled binary packages
+were created to address this.
+
+The precompiled binary packages (APT/YUM, Windows) have been compiled with
+Python 3.5.2, which has all of the up-to-date libraries needed for secure
+transactions.  These packages have been tested connecting to Shield (2.x) and
+Security (5.x X-Pack) with self-signed PKI certificates.  Connectivity via SSL
+or TLS to other open-source plugins may work, but is not guaranteed.
+
+If you are encountering SSL/TLS errors in Curator, please see the list of
+<<security-errors,common security error messages>>.
+
+[[security-errors]]
+== Common Security Error Messages
+
+=== Elasticsearch ConnectionError
+
+[source,sh]
+-----------
+Unable to create client connection to Elasticsearch.  Error:ConnectionError(error return without exception set) caused by: SystemError(error return without exception set)
+-----------
+
+This error can happen on non-secured connections as well.  If it happens with a
+secured instance, it will usually be accompanied by one or more of the following
+messages
+
+=== SNIMissingWarning
+
+[source,sh]
+-----------
+SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
+-----------
+
+This happens on Python 2 versions older than 2.7.9. These older versions lack
+https://en.wikipedia.org/wiki/Server_Name_Indication[SNI] support. This can
+cause servers to present a certificate that the client thinks is invalid. Follow
+the https://urllib3.readthedocs.io/en/latest/user-guide.html#ssl-py2[pyOpenSSL]
+guide to resolve this warning.
+
+=== InsecurePlatformWarning
+
+[source,sh]
+-----------
+InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
+-----------
+
+This happens on Python 2 platforms that have an outdated **ssl** module. These
+older **ssl** modules can cause some insecure requests to succeed where they
+should fail and secure requests to fail where they should succeed. Follow the
+https://urllib3.readthedocs.io/en/latest/user-guide.html#ssl-py2[pyOpenSSL]
+guide to resolve this warning.
+
+=== InsecureRequestWarning
+
+[source,sh]
+-----------
+InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
+-----------
+
+This happens when an request is made to an HTTPS URL without certificate
+verification enabled. Follow the
+https://urllib3.readthedocs.io/en/latest/user-guide.html#ssl[certificate verification]
+guide to resolve this warning.
+
+Related:
+
+[source,sh]
+-----------
+SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
+-----------