Deprecate implicit security on trial licenses (#38295)

In 6.x security is implicitly enabled on a trial license if transport
SSL is enabled, or the trial is from pre-6.3.

This is no longer true on 7.0, so this behaviour is now deprecated.

Relates: #38009, #38075

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java

@@ -6,9 +6,11 @@
 package org.elasticsearch.license;
 
 import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.elasticsearch.Version;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.logging.DeprecationLogger;
 import org.elasticsearch.common.logging.LoggerMessageFormat;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.license.License.OperationMode;
@@ -266,30 +268,56 @@ private static class Status {
         }
     }
 
+    private final Logger logger;
+    private final DeprecationLogger deprecationLogger;
     private final List<LicenseStateListener> listeners;
+
     private final boolean isSecurityEnabled;
     private final boolean isSecurityExplicitlyEnabled;
 
     private Status status = new Status(OperationMode.TRIAL, true);
     private boolean isSecurityEnabledByTrialVersion;
 
     public XPackLicenseState(Settings settings) {
+        this.logger = LogManager.getLogger(getClass());
+        this.deprecationLogger = new DeprecationLogger(logger);
         this.listeners = new CopyOnWriteArrayList<>();
         this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
-        // 6.0+ requires TLS for production licenses, so if TLS is enabled and security is enabled
-        // we can interpret this as an explicit enabling of security if the security enabled
-        // setting is not explicitly set
-        this.isSecurityExplicitlyEnabled = isSecurityEnabled &&
-            (settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) || XPackSettings.TRANSPORT_SSL_ENABLED.get(settings));
+        this.isSecurityExplicitlyEnabled = checkSecurityExplicitlyEnabled(settings);
         this.isSecurityEnabledByTrialVersion = false;
     }
 
+    /**
+     * 6.0+ requires TLS for production licenses, so if TLS is enabled and security is enabled
+     * we can interpret this as an explicit enabling of security if the security enabled
+     * setting is not explicitly set.
+     * This behaviour is deprecated, and will be removed in 7.0
+     */
+    private boolean checkSecurityExplicitlyEnabled(Settings settings) {
+        if (isSecurityEnabled) {
+            if (settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey())) {
+                return true;
+            }
+            if (XPackSettings.TRANSPORT_SSL_ENABLED.get(settings)) {
+                deprecationLogger.deprecated("Automatically enabling security because [{}] is true. " +
+                        "This behaviour will be removed in a future version of Elasticsearch. " +
+                        "Please set [{}] to true",
+                    XPackSettings.TRANSPORT_SSL_ENABLED.getKey(),
+                    XPackSettings.SECURITY_ENABLED.getKey());
+                return true;
+            }
+        }
+        return false;
+    }
+
     private XPackLicenseState(XPackLicenseState xPackLicenseState) {
         this.listeners = xPackLicenseState.listeners;
         this.isSecurityEnabled = xPackLicenseState.isSecurityEnabled;
         this.isSecurityExplicitlyEnabled = xPackLicenseState.isSecurityExplicitlyEnabled;
         this.status = xPackLicenseState.status;
         this.isSecurityEnabledByTrialVersion = xPackLicenseState.isSecurityEnabledByTrialVersion;
+        this.logger = xPackLicenseState.logger;
+        this.deprecationLogger = xPackLicenseState.deprecationLogger;
     }
 
     /**
@@ -309,8 +337,12 @@ void update(OperationMode mode, boolean active, @Nullable Version mostRecentTria
                 // Before 6.3, Trial licenses would default having security enabled.
                 // If this license was generated before that version, then treat it as if security is explicitly enabled
                 if (mostRecentTrialVersion == null || mostRecentTrialVersion.before(Version.V_6_3_0)) {
-                    LogManager.getLogger(getClass()).info("Automatically enabling security for older trial license ({})",
+                    logger.info("Automatically enabling security for older trial license ({})",
                         mostRecentTrialVersion == null ? "[pre 6.1.0]" : mostRecentTrialVersion.toString());
+                    deprecationLogger.deprecated(
+                        "Automatically enabling security because the current trial license was generated before 6.3.0. " +
+                            "This behaviour will be removed in a future version of Elasticsearch. " +
+                            "Please set [{}] to true", XPackSettings.SECURITY_ENABLED.getKey());
                     isSecurityEnabledByTrialVersion = true;
                 }
             }

x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java

@@ -33,7 +33,7 @@ public class XPackLicenseStateTests extends ESTestCase {
     /** Creates a license state with the given license type and active state, and checks the given method returns expected. */
     void assertAllowed(OperationMode mode, boolean active, Predicate<XPackLicenseState> predicate, boolean expected) {
         XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
-        licenseState.update(mode, active, null);
+        licenseState.update(mode, active, Version.CURRENT);
         assertEquals(expected, predicate.test(licenseState));
     }
 
@@ -91,6 +91,9 @@ public void testSecurityDefaults() {
         assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
         assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
 
+        assertWarnings("Automatically enabling security because [xpack.security.transport.ssl.enabled] is true." +
+            " This behaviour will be removed in a future version of Elasticsearch. Please set [xpack.security.enabled] to true");
+
         licenseState = new XPackLicenseState(Settings.EMPTY);
         assertThat(licenseState.isAuthAllowed(), is(false));
         assertThat(licenseState.isIpFilteringAllowed(), is(false));
@@ -239,6 +242,9 @@ public void testOldTrialDefaultsSecurityOn() {
         assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
         assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
         assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
+
+        assertWarnings("Automatically enabling security because the current trial license was generated before 6.3.0." +
+            " This behaviour will be removed in a future version of Elasticsearch. Please set [xpack.security.enabled] to true");
     }
 
     public void testSecurityAckBasicToNotGoldOrStandard() {

x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java

@@ -52,6 +52,7 @@ private DeprecationChecks() {
             NodeDeprecationChecks::gcsRepositoryChanges,
             NodeDeprecationChecks::fileDiscoveryPluginRemoved,
             NodeDeprecationChecks::defaultSSLSettingsRemoved,
+            NodeDeprecationChecks::transportSslEnabledWithoutSecurityEnabled,
             NodeDeprecationChecks::watcherNotificationsSecureSettingsCheck,
             NodeDeprecationChecks::auditIndexSettingsCheck
         ));

x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java

@@ -15,6 +15,8 @@
 import static org.elasticsearch.discovery.DiscoveryModule.DISCOVERY_HOSTS_PROVIDER_SETTING;
 import static org.elasticsearch.discovery.DiscoveryModule.DISCOVERY_TYPE_SETTING;
 import static org.elasticsearch.discovery.zen.SettingsBasedHostsProvider.DISCOVERY_ZEN_PING_UNICAST_HOSTS_SETTING;
+import static org.elasticsearch.xpack.core.XPackSettings.SECURITY_ENABLED;
+import static org.elasticsearch.xpack.core.XPackSettings.TRANSPORT_SSL_ENABLED;
 
 /**
  * Node-specific deprecation checks
@@ -189,4 +191,17 @@ static DeprecationIssue defaultSSLSettingsRemoved(Settings nodeSettings, Plugins
         }
         return null;
     }
+
+    static DeprecationIssue transportSslEnabledWithoutSecurityEnabled(Settings nodeSettings, PluginsAndModules plugins) {
+        if (TRANSPORT_SSL_ENABLED.get(nodeSettings) && nodeSettings.hasValue(SECURITY_ENABLED.getKey()) == false) {
+            return new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
+                "TLS/SSL in use, but security not explicitly enabled",
+                "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" +
+                    "#trial-explicit-security",
+                "security should be explicitly enabled (with [" + SECURITY_ENABLED.getKey() +
+                    "]), it will no longer be automatically enabled when transport SSL is enabled ([" +
+                    TRANSPORT_SSL_ENABLED.getKey() + "])");
+        }
+        return null;
+    }
 }

x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java

@@ -20,6 +20,7 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.VersionUtils;
 import org.elasticsearch.xpack.core.deprecation.DeprecationIssue;
+import org.hamcrest.Matchers;
 import org.junit.Before;
 
 import java.util.Collections;
@@ -65,6 +66,17 @@ null, null, null, null, new FsInfo(0L, null, paths), null, null, null,
         assertEquals(singletonList(expected), issues);
     }
 
+    private void assertNoIssue(Settings settings) {
+        Settings nodeSettings = Settings.builder()
+            .put(settings)
+            .put(CLUSTER_NAME_SETTING.getKey(), "elasticsearch")
+            .put(NODE_NAME_SETTING.getKey(), "node_check")
+            .put(DISCOVERY_TYPE_SETTING.getKey(), "single-node") // Needed due to NodeDeprecationChecks#discoveryConfigurationCheck
+            .build();
+        List<DeprecationIssue> issues = DeprecationChecks.filterChecks(NODE_SETTINGS_CHECKS, c -> c.apply(nodeSettings, pluginsAndModules));
+        assertThat(issues, Matchers.empty());
+    }
+
     public void testHttpEnabledCheck() {
         DeprecationIssue expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
             "HTTP Enabled setting removed",
@@ -303,4 +315,18 @@ public void testDefaultSSLSettingsCheck() {
         assertSettingsAndIssue("xpack.ssl.certificate_authorities",
             Strings.arrayToCommaDelimitedString(randomArray(1, 4, String[]::new, () -> randomAlphaOfLengthBetween(4, 16))), expected);
     }
+
+    public void testTransportSslEnabledWithoutSecurityEnabled() {
+        DeprecationIssue expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
+            "TLS/SSL in use, but security not explicitly enabled",
+            "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" +
+                "#trial-explicit-security",
+            "security should be explicitly enabled (with [xpack.security.enabled])," +
+                " it will no longer be automatically enabled when transport SSL is enabled ([xpack.security.transport.ssl.enabled])");
+        assertSettingsAndIssue("xpack.security.transport.ssl.enabled", "true", expected);
+        assertNoIssue(Settings.builder()
+            .put("xpack.security.enabled", randomBoolean())
+            .put("xpack.security.transport.ssl.enabled", randomBoolean())
+            .build());
+    }
 }