From 961a0153b420b25740bafe1862ec9e6227a9cebd Mon Sep 17 00:00:00 2001 From: Tim Vernum Date: Mon, 4 Feb 2019 17:15:14 +1100 Subject: [PATCH] Deprecate implicit security on trial licenses In 6.x security is implicitly enabled on a trial license if transport SSL is enabled, or the trial is from pre-6.3. This is no longer true on 7.0, so this behaviour is now deprecated. Relates: #38009, #38075 --- .../license/XPackLicenseState.java | 44 ++++++++++++++++--- .../license/XPackLicenseStateTests.java | 8 +++- .../xpack/deprecation/DeprecationChecks.java | 1 + .../deprecation/NodeDeprecationChecks.java | 15 +++++++ .../NodeDeprecationChecksTests.java | 26 +++++++++++ 5 files changed, 87 insertions(+), 7 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java index 6bccc2718e3ed..7eb4431f8f9cf 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java @@ -6,9 +6,11 @@ package org.elasticsearch.license; import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.elasticsearch.Version; import org.elasticsearch.common.Nullable; import org.elasticsearch.common.Strings; +import org.elasticsearch.common.logging.DeprecationLogger; import org.elasticsearch.common.logging.LoggerMessageFormat; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.license.License.OperationMode; @@ -266,7 +268,10 @@ private static class Status { } } + private final Logger logger; + private final DeprecationLogger deprecationLogger; private final List listeners; + private final boolean isSecurityEnabled; private final boolean isSecurityExplicitlyEnabled; 
@@ -274,22 +279,45 @@ private static class Status {
 private boolean isSecurityEnabledByTrialVersion;
 public XPackLicenseState(Settings settings) {
+ this.logger = LogManager.getLogger(getClass());
+ this.deprecationLogger = new DeprecationLogger(logger);
 this.listeners = new CopyOnWriteArrayList<>();
 this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
- // 6.0+ requires TLS for production licenses, so if TLS is enabled and security is enabled
- // we can interpret this as an explicit enabling of security if the security enabled
- // setting is not explicitly set
- this.isSecurityExplicitlyEnabled = isSecurityEnabled &&
- (settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) || XPackSettings.TRANSPORT_SSL_ENABLED.get(settings));
+ this.isSecurityExplicitlyEnabled = checkSecurityExplicitlyEnabled(settings);
 this.isSecurityEnabledByTrialVersion = false;
 }
+ /**
+ * 6.0+ requires TLS for production licenses, so if TLS is enabled and security is enabled
+ * we can interpret this as an explicit enabling of security if the security enabled
+ * setting is not explicitly set.
+ * This behaviour is deprecated, and will be removed in 7.0
+ */
+ private boolean checkSecurityExplicitlyEnabled(Settings settings) {
+ if (isSecurityEnabled) {
+ if (settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey())) {
+ return true;
+ }
+ if (XPackSettings.TRANSPORT_SSL_ENABLED.get(settings)) {
+ deprecationLogger.deprecated("Automatically enabling security because [{}] is true. " +
+ "This behaviour will be removed in a future version of Elasticsearch. " + "Please set [{}] to true",
+ XPackSettings.TRANSPORT_SSL_ENABLED.getKey(),
+ XPackSettings.SECURITY_ENABLED.getKey());
+ return true;
+ }
+ }
+ return false;
+ }
+
 private XPackLicenseState(XPackLicenseState xPackLicenseState) {
 this.listeners = xPackLicenseState.listeners;
 this.isSecurityEnabled = xPackLicenseState.isSecurityEnabled;
 this.isSecurityExplicitlyEnabled = xPackLicenseState.isSecurityExplicitlyEnabled;
 this.status = xPackLicenseState.status;
 this.isSecurityEnabledByTrialVersion = xPackLicenseState.isSecurityEnabledByTrialVersion;
+ this.logger = xPackLicenseState.logger;
+ this.deprecationLogger = xPackLicenseState.deprecationLogger;
 }
 /**
@@ -309,8 +337,12 @@ void update(OperationMode mode, boolean active, @Nullable Version mostRecentTria
 // Before 6.3, Trial licenses would default having security enabled.
 // If this license was generated before that version, then treat it as if security is explicitly enabled
 if (mostRecentTrialVersion == null || mostRecentTrialVersion.before(Version.V_6_3_0)) {
- LogManager.getLogger(getClass()).info("Automatically enabling security for older trial license ({})",
+ logger.info("Automatically enabling security for older trial license ({})",
 mostRecentTrialVersion == null ? "[pre 6.1.0]" : mostRecentTrialVersion.toString());
+ deprecationLogger.deprecated(
+ "Automatically enabling security because the current trial license was generated before 6.3.0. " +
+ "This behaviour will be removed in a future version of Elasticsearch. " +
+ "Please set [{}] to true", XPackSettings.SECURITY_ENABLED.getKey());
 isSecurityEnabledByTrialVersion = true;
 }
 }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
index a46ea71829e8c..769e8eb25da47 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
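Review bot: The Javadoc added above `checkSecurityExplicitlyEnabled` says the behaviour "will be removed in 7.0" while the deprecation message the method emits says "a future version of Elasticsearch"; the commit message states it is already gone in 7.0, so the Javadoc is the precise one and the two should agree, e.g. `* This behaviour is deprecated and is removed in 7.0, where security must be enabled explicitly via xpack.security.enabled.` The method is also an instance method called from the constructor and silently depends on `isSecurityEnabled` and `deprecationLogger` having been assigned on the preceding lines; passing the flag in, `checkSecurityExplicitlyEnabled(settings, isSecurityEnabled)`, or making the method static over `Settings` would make that ordering explicit instead of relying on statement order in the constructor. It would also help operators to state the consequence in the Javadoc rather than only the deprecation: a trial cluster that relies on transport TLS to switch security on will, per the commit message, run without security after upgrading unless the setting is made explicit.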
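Review bot: The new `deprecationLogger.deprecated(...)` call in `update()` sits next to the existing `logger.info`, which is reached every time `update()` runs while a pre-6.3 trial license is installed, so the deprecation warning will be repeated on each license/cluster-state update rather than emitted once; unless `DeprecationLogger` deduplicates (not visible here), consider guarding it, e.g. `if (isSecurityEnabledByTrialVersion == false) { deprecationLogger.deprecated(...); }` placed before `isSecurityEnabledByTrialVersion = true;`. Repeating it matters beyond log noise if `DeprecationLogger` also attaches warning headers to the current thread context, as it does for request-scoped deprecations. `update()` begins before this hunk, so whether `isSecurityEnabledByTrialVersion` is reset earlier in the method (which would defeat such a guard) cannot be confirmed from here.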
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java
@@ -33,7 +33,7 @@ public class XPackLicenseStateTests extends ESTestCase {
 /** Creates a license state with the given license type and active state, and checks the given method returns expected. */
 void assertAllowed(OperationMode mode, boolean active, Predicate predicate, boolean expected) {
 XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
- licenseState.update(mode, active, null);
+ licenseState.update(mode, active, Version.CURRENT);
 assertEquals(expected, predicate.test(licenseState));
 }
@@ -91,6 +91,9 @@ public void testSecurityDefaults() {
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
+ assertWarnings("Automatically enabling security because [xpack.security.transport.ssl.enabled] is true." +
+ " This behaviour will be removed in a future version of Elasticsearch. Please set [xpack.security.enabled] to true");
+
 licenseState = new XPackLicenseState(Settings.EMPTY);
 assertThat(licenseState.isAuthAllowed(), is(false));
 assertThat(licenseState.isIpFilteringAllowed(), is(false));
@@ -239,6 +242,9 @@ public void testOldTrialDefaultsSecurityOn() {
 assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
 assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
 assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
+
+ assertWarnings("Automatically enabling security because the current trial license was generated before 6.3.0." +
+ " This behaviour will be removed in a future version of Elasticsearch. Please set [xpack.security.enabled] to true");
 }
 public void testSecurityAckBasicToNotGoldOrStandard() {
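Review bot: `assertAllowed` now passes `Version.CURRENT` instead of `null` to `update()`, and per the `update()` hunk in this commit `null` is treated as a pre-6.1 trial that implicitly enables security, so a TRIAL license built through this helper no longer has security enabled implicitly (with `Settings.EMPTY`, `xpack.security.enabled` is unset and transport SSL is off, so the explicit path is not taken either). Any existing caller asserting that a security predicate such as `isAuthAllowed` is `true` for `OperationMode.TRIAL` therefore changes meaning; the callers are outside this hunk, so I cannot confirm whether any exist. If the change is only there to keep the helper from tripping the test framework's unexpected-warning check, a comment on the changed line would make that intent clear, e.g. `// Version.CURRENT: avoid the pre-6.3 implicit-security deprecation warning, which this helper does not assert`.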
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java
index 6a22f694771dc..f4a7c605752c4 100644
--- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java
+++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java
@@ -51,6 +51,7 @@ private DeprecationChecks() {
 NodeDeprecationChecks::gcsRepositoryChanges,
 NodeDeprecationChecks::fileDiscoveryPluginRemoved,
 NodeDeprecationChecks::defaultSSLSettingsRemoved,
+ NodeDeprecationChecks::transportSslEnabledWithoutSecurityEnabled,
 NodeDeprecationChecks::watcherNotificationsSecureSettingsCheck,
 NodeDeprecationChecks::auditIndexSettingsCheck
 ));
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
index c88345466962a..e97a06f434d36 100644
--- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
+++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
@@ -15,6 +15,8 @@
 import static org.elasticsearch.discovery.DiscoveryModule.DISCOVERY_HOSTS_PROVIDER_SETTING;
 import static org.elasticsearch.discovery.DiscoveryModule.DISCOVERY_TYPE_SETTING;
 import static org.elasticsearch.discovery.zen.SettingsBasedHostsProvider.DISCOVERY_ZEN_PING_UNICAST_HOSTS_SETTING;
+import static org.elasticsearch.xpack.core.XPackSettings.SECURITY_ENABLED;
+import static org.elasticsearch.xpack.core.XPackSettings.TRANSPORT_SSL_ENABLED;
 /**
 * Node-specific deprecation checks
@@ -189,4 +191,17 @@ static DeprecationIssue defaultSSLSettingsRemoved(Settings nodeSettings, Plugins
 }
 return null;
 }
+
+ static DeprecationIssue transportSslEnabledWithoutSecurityEnabled(Settings nodeSettings, PluginsAndModules plugins) {
+ if (TRANSPORT_SSL_ENABLED.get(nodeSettings) && nodeSettings.hasValue(SECURITY_ENABLED.getKey()) == false) {
+ return new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
+ "TLS/SSL in use, but security not explicitly enabled",
+ "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" +
+ "#trial-explicit-security",
+ "security should be explicitly enabled (with [" + SECURITY_ENABLED.getKey() +
+ "]), it will no longer be automatically enabled when transport SSL is enabled ([" +
+ TRANSPORT_SSL_ENABLED.getKey() + "])");
+ }
+ return null;
+ }
 }
diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java
index 915edbbfb71bc..cfc9fa2445f58 100644
--- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java
+++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java
@@ -20,6 +20,7 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.VersionUtils;
 import org.elasticsearch.xpack.core.deprecation.DeprecationIssue;
+import org.hamcrest.Matchers;
 import org.junit.Before;
 import java.util.Collections;
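Review bot: The details string of the new CRITICAL issue in `transportSslEnabledWithoutSecurityEnabled` tells the operator what to set but not what is at stake, and an upgrade-assistant reader deciding whether to act on a CRITICAL item needs the consequence: per the commit message, a trial cluster that relies on transport TLS to switch security on would, after upgrading, still have TLS but no authentication or authorization. The check also has only node settings to work with and so fires for every license type, although the linked breaking change concerns trial licenses; saying so in the details avoids the issue looking like a false positive on gold/platinum nodes. Suggested replacement for the three details lines: `"security should be explicitly enabled (with [" + SECURITY_ENABLED.getKey() + "]); on a trial license it will no longer be automatically" + " enabled when transport SSL is enabled ([" + TRANSPORT_SSL_ENABLED.getKey() + "]), leaving the cluster with TLS but without" + " authentication or authorization after the upgrade"`. The same text is duplicated verbatim in `NodeDeprecationChecksTests`, so the expectation there must change in step.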
@@ -65,6 +66,17 @@ null, null, null, null, new FsInfo(0L, null, paths), null, null, null,
 assertEquals(singletonList(expected), issues);
 }
+ private void assertNoIssue(Settings settings) {
+ Settings nodeSettings = Settings.builder()
+ .put(settings)
+ .put(CLUSTER_NAME_SETTING.getKey(), "elasticsearch")
+ .put(NODE_NAME_SETTING.getKey(), "node_check")
+ .put(DISCOVERY_TYPE_SETTING.getKey(), "single-node") // Needed due to NodeDeprecationChecks#discoveryConfigurationCheck
+ .build();
+ List issues = DeprecationChecks.filterChecks(NODE_SETTINGS_CHECKS, c -> c.apply(nodeSettings, pluginsAndModules));
+ assertThat(issues, Matchers.empty());
+ }
+
 public void testHttpEnabledCheck() {
 DeprecationIssue expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
 "HTTP Enabled setting removed",
@@ -303,4 +315,18 @@ public void testDefaultSSLSettingsCheck() {
 assertSettingsAndIssue("xpack.ssl.certificate_authorities", Strings.arrayToCommaDelimitedString(randomArray(1, 4, String[]::new,
 () -> randomAlphaOfLengthBetween(4, 16))), expected);
 }
+
+ public void testTransportSslEnabledWithoutSecurityEnabled() {
+ DeprecationIssue expected = new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
+ "TLS/SSL in use, but security not explicitly enabled",
+ "https://www.elastic.co/guide/en/elasticsearch/reference/master/breaking-changes-7.0.html" +
+ "#trial-explicit-security",
+ "security should be explicitly enabled (with [xpack.security.enabled])," +
+ " it will no longer be automatically enabled when transport SSL is enabled ([xpack.security.transport.ssl.enabled])");
+ assertSettingsAndIssue("xpack.security.transport.ssl.enabled", "true", expected);
+ assertNoIssue(Settings.builder()
+ .put("xpack.security.enabled", randomBoolean())
+ .put("xpack.security.transport.ssl.enabled", randomBoolean())
+ .build());
+ }
 }
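Review bot: `testTransportSslEnabledWithoutSecurityEnabled` never exercises the branch where `xpack.security.enabled` is unset and transport SSL is off, which is the default configuration and the one the check's first condition exists to exclude; the `assertNoIssue` call always sets `xpack.security.enabled`, so a regression that dropped the `TRANSPORT_SSL_ENABLED.get(nodeSettings)` half of the condition would still pass this test. Adding `assertNoIssue(Settings.builder().put("xpack.security.transport.ssl.enabled", false).build());` and `assertNoIssue(Settings.EMPTY);` after the existing `assertNoIssue` call covers it, assuming the other checks in `NODE_SETTINGS_CHECKS` stay quiet on default settings, which `assertNoIssue` would reveal since it filters every node check. As a smaller point, the `randomBoolean()` pair means each run checks only one of the four explicit combinations; iterating both values of each setting would make the negative test deterministic.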