Remove escape hatch permitting incompatible builds (#76513)

masseyke · web-flow · commit d7f992b8e108 · 2021-09-03T09:21:09.000-05:00
The system property "es.unsafely_permit_handshake_from_incompatible_builds" was deprecated and has been removed in 8.0. This adds a deprecation check for that property. Relates to #42404 and #65753.
diff --git a/server/src/main/java/org/elasticsearch/transport/TransportService.java b/server/src/main/java/org/elasticsearch/transport/TransportService.java
@@ -70,7 +70,7 @@ public class TransportService extends AbstractLifecycleComponent
 
     private static final Logger logger = LogManager.getLogger(TransportService.class);
 
-    private static final String PERMIT_HANDSHAKES_FROM_INCOMPATIBLE_BUILDS_KEY = "es.unsafely_permit_handshake_from_incompatible_builds";
+    public static final String PERMIT_HANDSHAKES_FROM_INCOMPATIBLE_BUILDS_KEY = "es.unsafely_permit_handshake_from_incompatible_builds";
     private static final boolean PERMIT_HANDSHAKES_FROM_INCOMPATIBLE_BUILDS;
 
     static {
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java
@@ -12,6 +12,7 @@
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xpack.core.XPackSettings;
 
 import java.util.Arrays;
@@ -97,6 +98,10 @@ private DeprecationChecks() {
                     NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial,
                     NodeDeprecationChecks::checkSearchRemoteSettings,
                     NodeDeprecationChecks::checkMonitoringExporterPassword,
+                    NodeDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting,
+                    (settings, pluginsAndModules, clusterState, licenseState) ->
+                        NodeDeprecationChecks.checkNoPermitHandshakeFromIncompatibleBuilds(settings, pluginsAndModules, clusterState,
+                            licenseState, () -> System.getProperty(TransportService.PERMIT_HANDSHAKES_FROM_INCOMPATIBLE_BUILDS_KEY)),
                     NodeDeprecationChecks::checkTransportClientProfilesFilterSetting,
                     NodeDeprecationChecks::checkDelayClusterStateRecoverySettings,
                     NodeDeprecationChecks::checkFixedAutoQueueSizeThreadpool,
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
@@ -35,6 +35,7 @@
 import org.elasticsearch.threadpool.FixedExecutorBuilder;
 import org.elasticsearch.transport.RemoteClusterService;
 import org.elasticsearch.transport.SniffConnectionStrategy;
+import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.SecurityField;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
@@ -51,6 +52,7 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.function.BiFunction;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
 import static org.elasticsearch.cluster.routing.allocation.DiskThresholdSettings.CLUSTER_ROUTING_ALLOCATION_INCLUDE_RELOCATIONS_SETTING;
@@ -666,6 +668,29 @@ static DeprecationIssue checkClusterRoutingAllocationIncludeRelocationsSetting(f
         );
     }
 
+    static DeprecationIssue checkNoPermitHandshakeFromIncompatibleBuilds(final Settings settings,
+                                                                         final PluginsAndModules pluginsAndModules,
+                                                                         final ClusterState clusterState,
+                                                                         final XPackLicenseState licenseState,
+                                                                         Supplier<String> permitsHandshakesFromIncompatibleBuildsSupplier) {
+        if (permitsHandshakesFromIncompatibleBuildsSupplier.get() != null) {
+            final String message = String.format(
+                Locale.ROOT,
+                "the [%s] system property is deprecated and will be removed in the next major release",
+                TransportService.PERMIT_HANDSHAKES_FROM_INCOMPATIBLE_BUILDS_KEY
+            );
+            final String details = String.format(
+                Locale.ROOT,
+                "allowing handshakes from incompatibile builds is deprecated and will be removed in the next major release; the [%s] " +
+                    "system property must be removed",
+                TransportService.PERMIT_HANDSHAKES_FROM_INCOMPATIBLE_BUILDS_KEY
+            );
+            String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_transport_changes";
+            return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, message, url, details, false, null);
+        }
+        return null;
+    }
+
     static DeprecationIssue checkTransportClientProfilesFilterSetting(
         final Settings settings,
         final PluginsAndModules pluginsAndModules,
diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java
@@ -21,6 +21,7 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.core.Set;
+import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.NodeEnvironment;
 import org.elasticsearch.gateway.GatewayService;
@@ -962,6 +963,27 @@ public void testImplicitlyConfiguredSecurityOnGoldPlus() {
         assertThat(issues, empty());
     }
 
+    @SuppressForbidden(reason = "sets and unsets es.unsafely_permit_handshake_from_incompatible_builds")
+    public void testCheckNoPermitHandshakeFromIncompatibleBuilds() {
+        final DeprecationIssue expectedNullIssue =
+            NodeDeprecationChecks.checkNoPermitHandshakeFromIncompatibleBuilds(Settings.EMPTY,
+                null,
+                ClusterState.EMPTY_STATE,
+                new XPackLicenseState(Settings.EMPTY, () -> 0),
+                () -> null);
+        assertEquals(null, expectedNullIssue);
+        final DeprecationIssue issue =
+            NodeDeprecationChecks.checkNoPermitHandshakeFromIncompatibleBuilds(Settings.EMPTY,
+                null,
+                ClusterState.EMPTY_STATE,
+                new XPackLicenseState(Settings.EMPTY, () -> 0),
+                () -> randomAlphaOfLengthBetween(1, 10));
+        assertNotNull(issue.getDetails());
+        assertThat(issue.getDetails(), containsString("system property must be removed"));
+        assertThat(issue.getUrl(),
+            equalTo("https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_transport_changes"));
+    }
+
     public void testCheckTransportClientProfilesFilterSetting() {
         final int numProfiles = randomIntBetween(1, 3);
         final String[] profileNames = new String[numProfiles];
