Add warnings for invalid realm order config (#51195) #51515
Conversation
Issue warnings for both missing realm order and duplicated realm orders. The changes are to help users prepare for migration to next major release.
|
@elasticmachine run elasticsearch-ci/default-distro |
| return new DeprecationIssue( | ||
| DeprecationIssue.Level.CRITICAL, | ||
| "Realm order will be required in next major release.", | ||
| "", |
There was a problem hiding this comment.
Not sure what url should be used here. The breaking change page will only be available once 8.0 is released?
There was a problem hiding this comment.
There should be a link to the deprecation snippet, which is still to be added in this PR, seee my other comment #51515 (comment) .
|
My understanding is that these changes make the |
Good point, I missed mentioning this in #51195 (comment) . This PR should also deprecate the lack of an For more info, here's a recent piece by Gordon https://github.com/elastic/elasticsearch-team/blob/master/onboarding-and-how-we-work/how-to-make-a-breaking-change.md . |
Yes the deprecation API returns warnings for both of the followings:
Thanks for mentioning the docs. I almost forgot about it. And I guess the updated docs will provide the URLs for |
| static DeprecationIssue checkMissingRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules) { | ||
| final String orderNotConfiguredRealms = RealmSettings.getRealmSettings(settings).entrySet() | ||
| .stream() | ||
| .filter(e -> Objects.isNull(e.getValue().get(RealmSettings.ORDER_SETTING_KEY))) |
There was a problem hiding this comment.
I think you want to use Settings.hasValue instead here.
...gin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
Outdated
Show resolved
Hide resolved
| .stream() | ||
| .filter(e -> Objects.isNull(e.getValue().get(RealmSettings.ORDER_SETTING_KEY))) | ||
| .map(e -> e.getKey().getName()) | ||
| .collect(Collectors.joining("; ")); |
There was a problem hiding this comment.
I'd prefer to collect them in a Set instead of a String. No signficant reason, it just seems "cleaner" to me.
| return new DeprecationIssue( | ||
| DeprecationIssue.Level.CRITICAL, | ||
| "Realm order will be required in next major release.", | ||
| "", |
There was a problem hiding this comment.
Per comments on the PR itself, we'll need to provide a URL here.
There was a problem hiding this comment.
Updated the doc file and added the corresponding URL here.
| @@ -60,4 +62,48 @@ public void testCheckProcessors() { | |||
| assertSettingDeprecationsAndWarnings(new Setting<?>[]{EsExecutors.PROCESSORS_SETTING}); | |||
| } | |||
|
|
|||
| public void testCheckMissingRealmOrders() { | |||
There was a problem hiding this comment.
I'd like an inverse test as well - that realms with an order don't trigger an issue.
There was a problem hiding this comment.
Added one test for correct realm order configs (2 realms of different orders)
| .put("xpack.security.authc.realms." | ||
| + randomAlphaOfLengthBetween(4, 12) + "." + randomAlphaOfLengthBetween(4, 12) + ".order", order) | ||
| .put("xpack.security.authc.realms." | ||
| + randomAlphaOfLengthBetween(4, 12) + "." + randomAlphaOfLengthBetween(4, 12) + ".order", order) |
There was a problem hiding this comment.
Can we add another realm with order + 1 and verify that it isn't reported.
There was a problem hiding this comment.
Yes we should. The test cases are not exhaustive. I have updated them to have better coverage.
|
This needs an area label as well ( |
I think we should do one or the other. @gwbrown - thoughts? |
…k/deprecation/NodeDeprecationChecks.java Co-Authored-By: Tim Vernum <[email protected]>
…earch into es-37614-realm-order-7.x
|
Add breaking/deprecation notes for v8.0.0 realm order changes. Just dropped the WIP label. This is now a formal PR. |
albertzaharovits
added
the
:Security/Authentication
|
Pinging @elastic/es-security (:Security/Authentication) |
There was a problem hiding this comment.
LGTM .
Although I would prefer we always log deprecation messages even if they overlap with the API, to signal sooner that the configuration is deprecated; otherwise the API might only be called just before the upgrade and the user's experience would be as if all deprecations have been introduced in the last minor version.
|
Thanks @albertzaharovits |
|
Sorry for the delay in replying here.
We generally do both - log and add to the deprecation info API if possible. This does result in some duplication, but I think that's okay given that the logs are timestamped and it's more painful to miss that some functionality is deprecated than to sort through a few duplicated warnings. If it's a pain to log, then I don't think we need to (there are several conditions where it's difficult to log), but if it's straightforward to do so then I don't think there's much harm in both adding it to the API and emitting a log message. Tim said something about periodically checking and logging - while I haven't taken the time to truly understand what the invalid config we're checking for is here, emitting a log either on startup or when the config is loaded would be a good way to go. |
| .sorted() | ||
| .collect(Collectors.toList()); | ||
| if (false == duplicatedRealmOrderSettingKeys.isEmpty()) { | ||
| new DeprecationLogger(logger).deprecated("Found multiple realms configured with the same order: [{}]. " + |
There was a problem hiding this comment.
One comment if we keep this: Generally we create one static DeprecationLogger for each class similar to the regular logger. It's not too much overhead to create new ones but it's still creating a few unnecessary objects.
My concern is twofold
I think we ought to be planned about this, and decide on what we want, and do it centrally rather than ad-hoc. |
|
Thanks all for the feedback. I do agree there is code and logic duplication when implementing both API check and logging. It's great to see we do have plan to tackle them so that this will not be an issue in future. In the meantime, I'd keep the logging code for this PR for following reasons:
We should definitely have one formal way of doing this. Is #46106 going to cover all the concerns (it doesn't mention anything about running deprecation API on launch time)? If not, we could create another issue for it. |
Plus, the Deprecation Info API is Elastic-licensed, and tying all deprecation warnings (or as many as we can) to Elastic-licensed code would create a much worse experience for users of the Apache2 distribution (vs. today where deprecation warnings are written into the Apache2 code as well). That matters less in this and similar cases where all involved code is Elastic-licensed, but that's one reason why we don't want to centralize on putting as much in only the Deprecation Info API code as possible.
I agree, but we'll have to deal with that in several cases already when we get around to actually implementing #46106 (and also the follow-on #46107, plus the UI for it, which I don't think even has an open issue for it yet), and there will be already be a number of cases where we have to deduplicate log messages emitted multiple times. While I think #46106/#46107 are (very) good ideas, I think there's a long way to go before it gets to the point of actually becoming something we present alongside the standard Deprecation Info API, and we'll likely need to rethink some fairly low-level things about how we do deprecation logging for it to work smoothly enough that duplicated information between the Deprecation Info API and log messages is the most serious usability concern.
This is a fantastic idea, and I would love to see us sit down and fundamentally rethink how we want to do deprecation warnings, but that doesn't seem to be something that's going to happen in the immediate future (if you know otherwise, please enlighten me! I would love to be wrong) so for now I think we should follow the patterns we have been for the past few releases. |
|
It took me sometime to understand your point, so let me spell it out for anyone who is as slow to catch on as I was.
That makes sense, I withdraw my concerns. Please continue to have both logging and API checks. |
Thanks Tim. I also missed the issue around OSS release. It's quite amazing to see how many different releases that we support. |
The changes are to help users prepare for migration to next major
release (v8.0.0) regarding to the break change of realm order config.
Warnings are added for when:
The warning messages are added to both deprecation API and loggings.
The main reasons for doing this are: 1) there is currently no automatic relay
between the two; 2) deprecation API is under basic and we need logging
for OSS.