Bind host all instead of just _site_ when needed #83145
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For security on by default we changed the interface where elasticsearch binds by default to be: - _site_ for the HTTP layer so that we have better chances that kibana can communicate to elasticsearch by default as they might not be running on the same host - _site_ for the transport layer when we could determine that there are other existing nodes of this cluster on different nodes. This commit changes the behavior so that we bind to 0.0.0.0 in these cases for the following reasons: - We don't expect hosts nowdays to have publicly routable IP addresses attached to any of their interfaces, and expect that the have a site local address behind some proxy/router. In that respect, binding to 0.0.0.0 doesn't expose elasticsearch to a greater network segment than binding to the site local address would - It is significantly easier to document, explain and argue about with users in the comments and our documentation.
jkakavas
added
>enhancement
:Security/Security
|
Pinging @elastic/es-security (Team:Security) |
|
Hi @jkakavas, I've created a changelog YAML for you. |
|
💚 CLA has been signed |
jkakavas
force-pushed
the
bind-transport-global
branch
from
b0ca0d4 to
d660a65
Compare
| @@ -882,9 +882,9 @@ protected static boolean anyRemoteHostNodeAddress(List<String> allNodesTransport | |||
|
|
|||
| protected String hostSettingValue(InetAddress[] allAddresses) { | |||
| if (Arrays.stream(allAddresses).anyMatch(InetAddress::isSiteLocalAddress)) { | |||
There was a problem hiding this comment.
Is the if condition required?
I think filling in 0.0.0.0 all the time is OK?
There was a problem hiding this comment.
That's true @albertzaharovits , thanks!
albertzaharovits
approved these changes
Feb 2, 2022
weizijun
added a commit
to weizijun/elasticsearch
that referenced
this pull request
Feb 9, 2022
* upstream/master: (166 commits) Bind host all instead of just _site_ when needed (elastic#83145) [DOCS] Fix min/max agg snippets for histograms (elastic#83695) [DOCS] Add deprecation notice for system indices (elastic#83688) Cache ILM policy name on IndexMetadata (elastic#83603) [DOCS] Fix 8.0 breaking changes sort order (elastic#83685) [ML] fix random sampling background query consistency (elastic#83676) Move internal APIs into their own namespace '_internal' Runtime fields core-with-mapped tests support tsdb (elastic#83577) Optimize calculating the presence of a quorum (elastic#83638) Use switch expressions in EnableAllocationDecider and NodeShutdownAllocationDecider (elastic#83641) Note libffi error message in tmpdir docs (elastic#83662) Fix TransportDesiredNodesActionsIT batch tests (elastic#83659) [DOCS] Remove unused upgrade doc files (elastic#83617) [ML] Wait for model process to stop in stop deployment (elastic#83644) [ML] Fix submit after shutdown in process worker service (elastic#83645) Remove req/resp classes associated with HLRC (elastic#83599) Introduce index.version.compatibility setting (elastic#83264) Rename InternalTestCluster#getMasterNodeInstance (elastic#83407) Mute TimeSeriesIndexSearcherTests testCollectInOrderAcrossSegments (elastic#83648) Add rollover add max_primary_shard_docs condition (elastic#80981) ... # Conflicts: # x-pack/plugin/rollup/build.gradle # x-pack/plugin/rollup/src/test/java/org/elasticsearch/xpack/rollup/v2/RollupActionSingleNodeTests.java
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For security on by default we changed the interface where
elasticsearch binds by default to be
_local_, _site_:kibana can communicate to elasticsearch by default as they might
not be running on the same host
there are other existing nodes of this cluster on different nodes.
This commit changes the behavior so that we bind to 0.0.0.0 in
these cases for the following reasons:
addresses attached to any of their interfaces, and expect that
the have a site local address behind some proxy/router. In that
respect, binding to 0.0.0.0 doesn't expose elasticsearch to a
greater network segment than binding to the site local address
would
with users in the comments and our documentation.
see: #80991
cc: @bytebilly