diff --git a/docs/reference/migration/migrate_7_14.asciidoc b/docs/reference/migration/migrate_7_14.asciidoc index a03530aae4c88..0af65fda6ed44 100644 --- a/docs/reference/migration/migrate_7_14.asciidoc +++ b/docs/reference/migration/migrate_7_14.asciidoc @@ -117,6 +117,19 @@ Discontinue use of the `type` parameter in `geo_bounding_box` queries. [[breaking_714_security_changes]] ==== Security deprecations +[discrete] +[[implicitly-disabled-security]] +.The default behavior of disabling security on basic and trial licenses is deprecated +[%collapsible] +==== +*Details* + +Currently, security features are disabled when operating on a basic or trial +license when `xpack.security.enabled` has not been explicitly set to `true`. +This behavior is now deprecated. In version 8.0.0, security features will be +enabled by default for all licenses, unless explicitly disabled (by setting +`xpack.security.enabled` to `false`). +==== + [[reserved-prefixed-realm-names]] .Configuring a realm name with a leading underscore is deprecated. [%collapsible] diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index 68922124ac050..2fb52c6b76e63 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java @@ -10,8 +10,8 @@ import org.elasticsearch.cluster.ClusterState; import org.elasticsearch.cluster.metadata.IndexMetadata; import org.elasticsearch.cluster.node.DiscoveryNode; -import org.elasticsearch.common.TriFunction; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.xpack.core.XPackSettings; import java.util.Arrays; 
@@ -41,14 +41,15 @@ private DeprecationChecks() { ClusterDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting )); - static final List> NODE_SETTINGS_CHECKS; + static final List> + NODE_SETTINGS_CHECKS; static { - final Stream> legacyRoleSettings = - DiscoveryNode.getPossibleRoles() - .stream() + final Stream> + legacyRoleSettings = + DiscoveryNode.getPossibleRoles().stream() .filter(r -> r.legacySetting() != null) - .map(r -> (s, p, cs) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p)); + .map(r -> (s, p, t, c) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p)); NODE_SETTINGS_CHECKS = Stream.concat( legacyRoleSettings, Stream.of( 
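Review bot: The lambda `(s, p, t, c) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p)` uses `t` and `c` for the two ignored arguments, which does not say which is the cluster state and which is the license state. The lambdas in the following hunk spell them out as `clusterState, licenseState`. Using the same names here, `(s, p, clusterState, licenseState) -> …`, would keep the four-argument order readable. The static initializer continues past the end of this hunk.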
@@ -59,36 +60,40 @@ private DeprecationChecks() { NodeDeprecationChecks::checkUniqueRealmOrders, NodeDeprecationChecks::checkImplicitlyDisabledBasicRealms, NodeDeprecationChecks::checkReservedPrefixedRealmNames, - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkThreadPoolListenerSize(settings), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkThreadPoolListenerSize(settings), NodeDeprecationChecks::checkClusterRemoteConnectSetting, NodeDeprecationChecks::checkNodeLocalStorageSetting, NodeDeprecationChecks::checkGeneralScriptSizeSetting, NodeDeprecationChecks::checkGeneralScriptExpireSetting, NodeDeprecationChecks::checkGeneralScriptCompileSettings, - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - XPackSettings.ENRICH_ENABLED_SETTING), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - XPackSettings.FLATTENED_ENABLED), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - XPackSettings.INDEX_LIFECYCLE_ENABLED), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - XPackSettings.MONITORING_ENABLED), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - XPackSettings.ROLLUP_ENABLED), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - XPackSettings.SNAPSHOT_LIFECYCLE_ENABLED), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - 
XPackSettings.SQL_ENABLED), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - XPackSettings.TRANSFORM_ENABLED), - (settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, - XPackSettings.VECTORS_ENABLED), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.ENRICH_ENABLED_SETTING), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.FLATTENED_ENABLED), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.INDEX_LIFECYCLE_ENABLED), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.MONITORING_ENABLED), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.ROLLUP_ENABLED), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + XPackSettings.SNAPSHOT_LIFECYCLE_ENABLED), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.SQL_ENABLED), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.TRANSFORM_ENABLED), + (settings, pluginsAndModules, clusterState, licenseState) -> + NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.VECTORS_ENABLED), NodeDeprecationChecks::checkMultipleDataPaths, NodeDeprecationChecks::checkDataPathsList, 
NodeDeprecationChecks::checkBootstrapSystemCallFilterSetting, NodeDeprecationChecks::checkSharedDataPathSetting, NodeDeprecationChecks::checkSingleDataNodeWatermarkSetting, + NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial, NodeDeprecationChecks::checkMonitoringExporterPassword, NodeDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting ) @@ -113,11 +118,15 @@ private DeprecationChecks() { * * @param checks The functional checks to execute using the mapper function * @param mapper The function that executes the lambda check with the appropriate arguments - * @param The signature of the check (BiFunction, Function, including the appropriate arguments) + * @param The signature of the check (TriFunction, BiFunction, Function, including the appropriate arguments) * @return The list of {@link DeprecationIssue} that were found in the cluster */ static List filterChecks(List checks, Function mapper) { return checks.stream().map(mapper).filter(Objects::nonNull).collect(Collectors.toList()); } + @FunctionalInterface + public interface NodeDeprecationCheck { + R apply(A first, B second, C third, D fourth); + } } diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 84db7db2eabc6..20f112a267646 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -7,6 +7,7 @@ package org.elasticsearch.xpack.deprecation; +import org.elasticsearch.Version; import org.elasticsearch.action.admin.cluster.node.info.PluginsAndModules; import org.elasticsearch.bootstrap.BootstrapSettings; import org.elasticsearch.cluster.ClusterState; 
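Review bot: The Javadoc of `filterChecks` now lists `TriFunction` as a possible check signature, but this commit removes the `TriFunction` import from the file and the node checks are typed as `NodeDeprecationCheck`; the `@param` line should name `NodeDeprecationCheck` instead. The new public nested interface has no Javadoc, and its parameters are called `first` to `fourth`, so their meaning is only visible at the call sites. A comment such as `/** A node-level deprecation check. Arguments, in order: node settings, plugin and module info, cluster state, license state. Returns null when there is nothing to report. */` would state the contract, which `filterChecks` relies on through `filter(Objects::nonNull)`.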
@@ -22,11 +23,14 @@ import org.elasticsearch.common.util.set.Sets; import org.elasticsearch.env.Environment; import org.elasticsearch.jdk.JavaVersion; +import org.elasticsearch.license.License; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.node.Node; import org.elasticsearch.node.NodeRoleSettings; import org.elasticsearch.script.ScriptService; import org.elasticsearch.threadpool.FixedExecutorBuilder; import org.elasticsearch.transport.RemoteClusterService; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; @@ -49,7 +53,7 @@ class NodeDeprecationChecks { static DeprecationIssue checkPidfile(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -59,7 +63,7 @@ static DeprecationIssue checkPidfile(final Settings settings, final PluginsAndMo } static DeprecationIssue checkProcessors(final Settings settings , final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -69,7 +73,7 @@ static DeprecationIssue checkProcessors(final Settings settings , final PluginsA } static DeprecationIssue checkMissingRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { final Set orderNotConfiguredRealms = RealmSettings.getRealmSettings(settings).entrySet() .stream() .filter(e -> false == e.getValue().hasValue(RealmSettings.ORDER_SETTING_KEY)) 
@@ -95,7 +99,7 @@ static DeprecationIssue checkMissingRealmOrders(final Settings settings, final P } static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { final Map> orderToRealmSettings = RealmSettings.getRealmSettings(settings).entrySet() .stream() 
@@ -129,8 +133,31 @@ static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final Pl ); } + static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Settings settings, + final PluginsAndModules pluginsAndModules, + final ClusterState clusterState, + final XPackLicenseState licenseState) { + if ( XPackSettings.SECURITY_ENABLED.exists(settings) == false + && (licenseState.getOperationMode().equals(License.OperationMode.BASIC) + || licenseState.getOperationMode().equals(License.OperationMode.TRIAL))) { + String details = "The default behavior of disabling security on " + licenseState.getOperationMode().description() + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + + "setting [xpack.security.enabled] to \"false\" in elasticsearch.yml"; + return new DeprecationIssue( + DeprecationIssue.Level.CRITICAL, + "Security is enabled by default for all licenses in the next major version.", + "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/migrating-7.14.html#implicitly-disabled-security", + details, + null); + } + return null; + } + static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { final Map realmSettings = RealmSettings.getRealmSettings(settings); if (realmSettings.isEmpty()) { return null; 
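Review bot: `checkImplicitlyDisabledSecurityOnBasicAndTrial` calls `licenseState.getOperationMode()` up to three times, twice in the condition and once for the message, so the reported mode could differ from the tested one if the license state is updated in between (whether it can change concurrently is not visible here). Reading it once, `final License.OperationMode mode = licenseState.getOperationMode();`, and testing `mode == License.OperationMode.BASIC || mode == License.OperationMode.TRIAL` avoids that and is shorter. The details text has a stray space before the comma in `"default to \"true\" , regardless"`. The details link is built from `Version.CURRENT` while the issue URL is pinned to `7.14`, so on a later 7.x node the two would point at different documentation versions; a one-line comment should say whether that is intended. The method also lacks a Javadoc stating that the warning fires only when `xpack.security.enabled` is absent from the node settings, which matters because this is the operator's signal that the node runs with security features off.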
@@ -183,7 +210,7 @@ static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settin } static DeprecationIssue checkReservedPrefixedRealmNames(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { final Map realmSettings = RealmSettings.getRealmSettings(settings); if (realmSettings.isEmpty()) { return null; @@ -234,7 +261,7 @@ private static DeprecationIssue checkThreadPoolListenerSetting(final String name } public static DeprecationIssue checkClusterRemoteConnectSetting(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -249,7 +276,7 @@ public static DeprecationIssue checkClusterRemoteConnectSetting(final Settings s } public static DeprecationIssue checkNodeLocalStorageSetting(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { return checkRemovedSetting( settings, Node.NODE_LOCAL_STORAGE_SETTING, @@ -266,7 +293,7 @@ public static DeprecationIssue checkNodeBasicLicenseFeatureEnabledSetting(final } public static DeprecationIssue checkGeneralScriptSizeSetting(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, 
@@ -278,7 +305,7 @@ public static DeprecationIssue checkGeneralScriptSizeSetting(final Settings sett } public static DeprecationIssue checkGeneralScriptExpireSetting(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -290,7 +317,7 @@ public static DeprecationIssue checkGeneralScriptExpireSetting(final Settings se } public static DeprecationIssue checkGeneralScriptCompileSettings(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -323,7 +350,7 @@ public static DeprecationIssue checkLegacyRoleSettings( } static DeprecationIssue checkBootstrapSystemCallFilterSetting(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { return checkRemovedSetting( settings, BootstrapSettings.SYSTEM_CALL_FILTER_SETTING, @@ -434,7 +461,8 @@ static DeprecationIssue checkRemovedSetting(final Settings settings, return new DeprecationIssue(deprecationLevel, message, url, details, null); } - static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModules plugins, final ClusterState clusterState) { + static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModules plugins, final ClusterState clusterState, + final XPackLicenseState licenseState) { final JavaVersion javaVersion = JavaVersion.current(); if (javaVersion.compareTo(JavaVersion.parse("11")) < 0) { 
@@ -449,7 +477,8 @@ static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModule return null; } - static DeprecationIssue checkMultipleDataPaths(Settings nodeSettings, PluginsAndModules plugins, final ClusterState clusterState) { + static DeprecationIssue checkMultipleDataPaths(Settings nodeSettings, PluginsAndModules plugins, final ClusterState clusterState, + final XPackLicenseState licenseState) { List dataPaths = Environment.PATH_DATA_SETTING.get(nodeSettings); if (dataPaths.size() > 1) { return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, @@ -461,7 +490,8 @@ static DeprecationIssue checkMultipleDataPaths(Settings nodeSettings, PluginsAnd return null; } - static DeprecationIssue checkDataPathsList(Settings nodeSettings, PluginsAndModules plugins, final ClusterState clusterState) { + static DeprecationIssue checkDataPathsList(Settings nodeSettings, PluginsAndModules plugins, final ClusterState clusterState, + final XPackLicenseState licenseState) { if (Environment.dataPathUsesList(nodeSettings)) { return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, "[path.data] in a list is deprecated, use a string value", @@ -472,7 +502,7 @@ static DeprecationIssue checkDataPathsList(Settings nodeSettings, PluginsAndModu } static DeprecationIssue checkSharedDataPathSetting(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { if (Environment.PATH_SHARED_DATA_SETTING.exists(settings)) { final String message = String.format(Locale.ROOT, "setting [%s] is deprecated and will be removed in a future version", Environment.PATH_SHARED_DATA_SETTING.getKey()); 
@@ -485,7 +515,7 @@ static DeprecationIssue checkSharedDataPathSetting(final Settings settings, fina } static DeprecationIssue checkSingleDataNodeWatermarkSetting(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, final XPackLicenseState licenseState) { if (DiskThresholdDecider.ENABLE_FOR_SINGLE_DATA_NODE.get(settings) == false && DiskThresholdDecider.ENABLE_FOR_SINGLE_DATA_NODE.exists(settings)) { String key = DiskThresholdDecider.ENABLE_FOR_SINGLE_DATA_NODE.getKey(); @@ -523,7 +553,8 @@ static DeprecationIssue checkSingleDataNodeWatermarkSetting(final Settings setti static DeprecationIssue checkMonitoringExporterPassword( final Settings settings, final PluginsAndModules pluginsAndModules, - ClusterState cs + ClusterState cs, + XPackLicenseState licenseState ) { // Mimic the HttpExporter#AUTH_PASSWORD_SETTING setting here to avoid a depedency on monitoring module: // (just having the setting prefix and suffic here is sufficient to check on whether this setting is used) @@ -553,7 +584,8 @@ static DeprecationIssue checkMonitoringExporterPassword( static DeprecationIssue checkClusterRoutingAllocationIncludeRelocationsSetting(final Settings settings, final PluginsAndModules pluginsAndModules, - final ClusterState clusterState) { + final ClusterState clusterState, + final XPackLicenseState licenseState) { return checkRemovedSetting(settings, CLUSTER_ROUTING_ALLOCATION_INCLUDE_RELOCATIONS_SETTING, "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_allocation_changes", diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/TransportNodeDeprecationCheckAction.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/TransportNodeDeprecationCheckAction.java index 1f29956b8d3d7..348ce7543d0bf 100644 
--- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/TransportNodeDeprecationCheckAction.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/TransportNodeDeprecationCheckAction.java @@ -14,6 +14,7 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.io.stream.StreamInput; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.plugins.PluginsService; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportService; @@ -27,10 +28,11 @@ public class TransportNodeDeprecationCheckAction extends TransportNodesAction { private final Settings settings; + private final XPackLicenseState licenseState; private final PluginsService pluginsService; @Inject - public TransportNodeDeprecationCheckAction(Settings settings, ThreadPool threadPool, + public TransportNodeDeprecationCheckAction(Settings settings, ThreadPool threadPool, XPackLicenseState licenseState, ClusterService clusterService, TransportService transportService, PluginsService pluginsService, ActionFilters actionFilters) { super(NodesDeprecationCheckAction.NAME, threadPool, clusterService, transportService, actionFilters, @@ -40,6 +42,7 @@ public TransportNodeDeprecationCheckAction(Settings settings, ThreadPool threadP NodesDeprecationCheckAction.NodeResponse.class); this.settings = settings; this.pluginsService = pluginsService; + this.licenseState = licenseState; } @Override 
@@ -62,7 +65,7 @@ protected NodesDeprecationCheckAction.NodeResponse newNodeResponse(StreamInput i @Override protected NodesDeprecationCheckAction.NodeResponse nodeOperation(NodesDeprecationCheckAction.NodeRequest request) { List issues = DeprecationInfoAction.filterChecks(DeprecationChecks.NODE_SETTINGS_CHECKS, - (c) -> c.apply(settings, pluginsService.info(), clusterService.state())); + (c) -> c.apply(settings, pluginsService.info(), clusterService.state(), licenseState)); return new NodesDeprecationCheckAction.NodeResponse(transportService.getLocalNode(), issues); } diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 2f6eb82090fc0..02d0dcb9db5ab 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -21,6 +21,8 @@ import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.core.Set; import org.elasticsearch.env.Environment; +import org.elasticsearch.license.License; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.jdk.JavaVersion; import org.elasticsearch.node.Node; import org.elasticsearch.script.ScriptService; 
@@ -46,21 +48,29 @@ import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.nullValue; import static org.hamcrest.Matchers.startsWith; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; public class NodeDeprecationChecksTests extends ESTestCase { public void testCheckDefaults() { final Settings settings = Settings.EMPTY; final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); - assertThat(issues, empty()); + final XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); + + final DeprecationIssue issue = + NodeDeprecationChecks.checkImplicitlyDisabledSecurityOnBasicAndTrial(settings, pluginsAndModules, ClusterState.EMPTY_STATE, + licenseState); + assertThat(issues, hasItem(issue)); } public void testJavaVersion() { final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); final List issues = DeprecationChecks.filterChecks( DeprecationChecks.NODE_SETTINGS_CHECKS, - c -> c.apply(Settings.EMPTY, pluginsAndModules, ClusterState.EMPTY_STATE) + c -> c.apply(Settings.EMPTY, pluginsAndModules, ClusterState.EMPTY_STATE, licenseState) ); final DeprecationIssue expected = new DeprecationIssue( 
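Review bot: `testCheckDefaults` derives its expected value from the method under test, so `assertThat(issues, hasItem(issue))` only shows that the registered check and the direct call agree; a wrong level, message or URL would still pass. It also replaces `assertThat(issues, empty())`, so any other issue raised under default settings now goes unnoticed. Pinning the result, for example `assertEquals(DeprecationIssue.Level.CRITICAL, issue.getLevel());` together with `assertEquals(1, issues.size());`, would restore both guarantees; whether exactly one issue is expected depends on `getDeprecationIssues`, which is outside this hunk. Cases where the warning must not appear (setting explicitly `true` or `false`, other license modes) are not visible here, though the added `mock`/`when` imports suggest they may exist further down the file.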
@@ -83,7 +93,8 @@ public void testCheckPidfile() { final String pidfile = randomAlphaOfLength(16); final Settings settings = Settings.builder().put(Environment.PIDFILE_SETTING.getKey(), pidfile).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [pidfile] is deprecated in favor of setting [node.pidfile]", @@ -97,7 +108,8 @@ public void testCheckProcessors() { final int processors = randomIntBetween(1, 4); final Settings settings = Settings.builder().put(EsExecutors.PROCESSORS_SETTING.getKey(), processors).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [processors] is deprecated in favor of setting [node.processors]", @@ -115,6 +127,7 @@ public void testCheckMissingRealmOrders() { new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final Settings settings = Settings.builder() + .put("xpack.security.enabled", true) .put("xpack.security.authc.realms.file.default_file.enabled", false) .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." + invalidRealm.getType() + "." + invalidRealm.getName() + ".enabled", "true") 
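Review bot: `new XPackLicenseState(Settings.EMPTY, () -> 0)` is written out in `testCheckPidfile` and again in the hunks for `testCheckProcessors`, the thread pool listener tests, the three script setting tests and `testClusterRemoteConnectSetting`, while the realm tests build the license state from `settings`. In the `Settings.EMPTY` tests the license state is therefore constructed from different settings than the ones passed to the checks. A private helper in the test class, e.g. `private static XPackLicenseState licenseStateFor(Settings settings) { return new XPackLicenseState(settings, () -> 0); }`, called with the test's own `settings` everywhere, would remove the repetition and keep the two inputs consistent.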
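Review bot: The `.put("xpack.security.enabled", true)` line added in `testCheckMissingRealmOrders` has no comment explaining that it suppresses the new implicitly-disabled-security warning, which appears to be why `assertEquals(1, deprecationIssues.size())` further down still holds. The same line is added in the other realm tests (`testRealmOrderIsNotRequiredIfRealmIsDisabled`, `testCheckUniqueRealmOrders`, `testCorrectRealmOrders`, `testCheckImplicitlyDisabledBasicRealms`). A short comment such as `// set explicitly so the implicitly-disabled-security check stays silent` would make the intent clear. The key is also written as a string literal here, whereas the `testCheckReservedPrefixedRealmNames` hunk uses `XPackSettings.SECURITY_ENABLED.getKey()`; using the constant throughout would keep the tests tied to the setting definition.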
@@ -122,7 +135,8 @@ public void testCheckMissingRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertEquals(1, deprecationIssues.size()); assertEquals(new DeprecationIssue( @@ -143,10 +157,13 @@ public void testRealmOrderIsNotRequiredIfRealmIsDisabled() { new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12)); final Settings settings = Settings.builder() + .put("xpack.security.enabled", true) .put("xpack.security.authc.realms." + realmIdentifier.getType() + "." + realmIdentifier.getName() + ".enabled", "false") .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = + new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertTrue(deprecationIssues.isEmpty()); } @@ -160,6 +177,7 @@ public void testCheckUniqueRealmOrders() { final RealmConfig.RealmIdentifier validRealm = new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final Settings settings = Settings.builder() + .put("xpack.security.enabled", true) .put("xpack.security.authc.realms.file.default_file.enabled", false) .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." 
@@ -171,7 +189,8 @@ public void testCheckUniqueRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertEquals(1, deprecationIssues.size()); assertEquals(DeprecationIssue.Level.CRITICAL, deprecationIssues.get(0).getLevel()); @@ -188,6 +207,7 @@ public void testCheckUniqueRealmOrders() { public void testCorrectRealmOrders() { final int order = randomInt(9999); final Settings settings = Settings.builder() + .put("xpack.security.enabled", true) .put("xpack.security.authc.realms.file.default_file.enabled", false) .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." @@ -197,14 +217,16 @@ public void testCorrectRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = + new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertTrue(deprecationIssues.isEmpty()); } public void testCheckImplicitlyDisabledBasicRealms() { final Settings.Builder builder = Settings.builder(); - + builder.put("xpack.security.enabled", true); final boolean otherRealmConfigured = randomBoolean(); final boolean otherRealmEnabled = randomBoolean(); if (otherRealmConfigured) { 
@@ -240,7 +262,9 @@ public void testCheckImplicitlyDisabledBasicRealms() { } final Settings settings = builder.build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = + new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); if (otherRealmConfigured && otherRealmEnabled) { if (false == fileRealmConfigured && false == nativeRealmConfigured) { @@ -338,9 +362,10 @@ public void testCheckReservedPrefixedRealmNames() { builder.put("xpack.security.authc.realms.type_" + otherRealmId + "." + otherRealmName + ".order", 0); } - final Settings settings = builder.build(); + final Settings settings = builder.put(XPackSettings.SECURITY_ENABLED.getKey(), true).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertEquals(1, deprecationIssues.size()); 
@@ -359,7 +384,8 @@ public void testThreadPoolListenerQueueSize() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("thread_pool.listener.queue_size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [thread_pool.listener.queue_size] is deprecated and will be removed in the next major version", @@ -373,7 +399,8 @@ public void testThreadPoolListenerSize() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("thread_pool.listener.size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [thread_pool.listener.size] is deprecated and will be removed in the next major version", 
@@ -387,7 +414,8 @@ public void testGeneralScriptSizeSetting() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("script.cache.max_size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.cache.max_size] is deprecated in favor of grouped setting [script.context.*.cache_max_size]", @@ -402,7 +430,8 @@ public void testGeneralScriptExpireSetting() { final String expire = randomIntBetween(1, 4) + "m"; final Settings settings = Settings.builder().put("script.cache.expire", expire).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.cache.expire] is deprecated in favor of grouped setting [script.context.*.cache_expire]", 
@@ -417,7 +446,8 @@ public void testGeneralScriptCompileSettings() { final String rate = randomIntBetween(1, 100) + "/" + randomIntBetween(1, 200) + "m"; final Settings settings = Settings.builder().put("script.max_compilations_rate", rate).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.max_compilations_rate] is deprecated in favor of grouped setting [script.context.*.max_compilations_rate]", @@ -432,7 +462,8 @@ public void testClusterRemoteConnectSetting() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(RemoteClusterService.ENABLE_REMOTE_CLUSTERS.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [cluster.remote.connect] is deprecated in favor of setting [node.remote_cluster_client]", 
@@ -452,7 +483,8 @@ public void testNodeLocalStorageSetting() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(Node.NODE_LOCAL_STORAGE_SETTING.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [node.local_storage] is deprecated and will be removed in the next major version", @@ -480,7 +512,8 @@ public void testDeprecatedBasicLicenseSettings() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(deprecatedSetting.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [" + deprecatedSetting.getKey() + "] is deprecated and will be removed in the next major version", 
@@ -502,7 +535,8 @@ public void testLegacyRoleSettings() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(legacyRoleSetting.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final String roles = DiscoveryNode.getRolesFromSettings(settings) .stream() .map(DiscoveryNodeRole::roleName) @@ -523,11 +557,12 @@ public void testCheckBootstrapSystemCallFilterSetting() { final boolean boostrapSystemCallFilter = randomBoolean(); final Settings settings = Settings.builder().put(BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.getKey(), boostrapSystemCallFilter).build(); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); final PluginsAndModules pluginsAndModules = new PluginsAndModules(org.elasticsearch.core.List.of(), org.elasticsearch.core.List.of()); final List issues = DeprecationChecks.filterChecks(DeprecationChecks.NODE_SETTINGS_CHECKS, - c -> c.apply(settings, pluginsAndModules, ClusterState.EMPTY_STATE)); + c -> c.apply(settings, pluginsAndModules, ClusterState.EMPTY_STATE, licenseState)); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [bootstrap.system_call_filter] is deprecated and will be removed in the next major version", 
@@ -566,10 +601,11 @@ private static boolean isJvmEarlierThan11() { return JavaVersion.current().compareTo(JavaVersion.parse("11")) < 0; } - private List getDeprecationIssues(Settings settings, PluginsAndModules pluginsAndModules) { + private List getDeprecationIssues(Settings settings, PluginsAndModules pluginsAndModules, + XPackLicenseState licenseState) { final List issues = DeprecationChecks.filterChecks( DeprecationChecks.NODE_SETTINGS_CHECKS, - c -> c.apply(settings, pluginsAndModules, ClusterState.EMPTY_STATE) + c -> c.apply(settings, pluginsAndModules, ClusterState.EMPTY_STATE, licenseState) ); if (isJvmEarlierThan11()) { @@ -595,7 +631,8 @@ private String randomRealmTypeOtherThanFileOrNative() { public void testMultipleDataPaths() { final Settings settings = Settings.builder().putList("path.data", Arrays.asList("d1", "d2")).build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, null, licenseState); assertThat(issue, not(nullValue())); assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL)); assertThat( 
@@ -611,13 +648,15 @@ public void testMultipleDataPaths() { public void testNoMultipleDataPaths() { Settings settings = Settings.builder().put("path.data", "data").build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, null, licenseState); assertThat(issue, nullValue()); } public void testDataPathsList() { final Settings settings = Settings.builder().putList("path.data", "d1").build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, null, licenseState); assertThat(issue, not(nullValue())); assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL)); assertThat( @@ -633,7 +672,8 @@ public void testDataPathsList() { public void testNoDataPathsListDefault() { final Settings settings = Settings.builder().build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, null, licenseState); assertThat(issue, nullValue()); } 
@@ -641,8 +681,8 @@ public void testSharedDataPathSetting() { Settings settings = Settings.builder() .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir()) .put(Environment.PATH_SHARED_DATA_SETTING.getKey(), createTempDir()).build(); - - DeprecationIssue issue = NodeDeprecationChecks.checkSharedDataPathSetting(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + DeprecationIssue issue = NodeDeprecationChecks.checkSharedDataPathSetting(settings, null, null, licenseState); final String expectedUrl = "https://www.elastic.co/guide/en/elasticsearch/reference/7.13/breaking-changes-7.13.html#deprecate-shared-data-path-setting"; assertThat(issue, equalTo( @@ -657,9 +697,8 @@ public void testSingleDataNodeWatermarkSettingExplicit() { Settings settings = Settings.builder() .put(DiskThresholdDecider.ENABLE_FOR_SINGLE_DATA_NODE.getKey(), false) .build(); - List issues = DeprecationChecks.filterChecks(DeprecationChecks.NODE_SETTINGS_CHECKS, c -> c.apply(settings, - null, ClusterState.EMPTY_STATE)); + null, ClusterState.EMPTY_STATE, new XPackLicenseState(Settings.EMPTY, () -> 0))); final String expectedUrl = "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/" + @@ -685,10 +724,10 @@ public void testSingleDataNodeWatermarkSettingDefault() { Collections.singleton(DiscoveryNodeRole.MASTER_ROLE), Version.CURRENT); ClusterStateCreationUtils.state(node1, node1, node1); - + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); final List issues = DeprecationChecks.filterChecks(DeprecationChecks.NODE_SETTINGS_CHECKS, c -> c.apply(Settings.EMPTY, - null, ClusterStateCreationUtils.state(node1, node1, node1))); + null, ClusterStateCreationUtils.state(node1, node1, node1), licenseState)); final String expectedUrl = "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/" + 
@@ -705,15 +744,15 @@ public void testSingleDataNodeWatermarkSettingDefault() { assertThat(issues, hasItem(deprecationIssue)); assertThat(NodeDeprecationChecks.checkSingleDataNodeWatermarkSetting(Settings.EMPTY, null, ClusterStateCreationUtils.state(master - , master, master)), + , master, master), licenseState), nullValue()); assertThat(NodeDeprecationChecks.checkSingleDataNodeWatermarkSetting(Settings.EMPTY, null, ClusterStateCreationUtils.state(node1, - node1, node1, node2)), + node1, node1, node2), licenseState), nullValue()); assertThat(NodeDeprecationChecks.checkSingleDataNodeWatermarkSetting(Settings.EMPTY, null, ClusterStateCreationUtils.state(node1, - master, node1, master)), + master, node1, master), licenseState), equalTo(deprecationIssue)); } @@ -727,8 +766,8 @@ public void testMonitoringExporterPassword() { b.put("xpack.monitoring.exporters." + exporterNames[k] + ".auth.password", "_pass"); } final Settings settings = b.build(); - - DeprecationIssue issue = NodeDeprecationChecks.checkMonitoringExporterPassword(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + DeprecationIssue issue = NodeDeprecationChecks.checkMonitoringExporterPassword(settings, null, null , licenseState); final String expectedUrl = "https://www.elastic.co/guide/en/elasticsearch/reference/7.7/monitoring-settings.html#http-exporter-settings"; final String joinedNames = Arrays @@ -752,7 +791,7 @@ public void testMonitoringExporterPassword() { ), null))); // test for absence of deprecated exporter passwords - issue = NodeDeprecationChecks.checkMonitoringExporterPassword(Settings.builder().build(), null, null); + issue = NodeDeprecationChecks.checkMonitoringExporterPassword(Settings.builder().build(), null, null, licenseState); assertThat(issue, nullValue()); } 
@@ -760,6 +799,7 @@ public void testClusterRoutingAllocationIncludeRelocationsSetting() { boolean settingValue = randomBoolean(); String settingKey = CLUSTER_ROUTING_ALLOCATION_INCLUDE_RELOCATIONS_SETTING.getKey(); final Settings nodeSettings = Settings.builder().put(settingKey, settingValue).build(); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); final ClusterState clusterState = ClusterState.EMPTY_STATE; final DeprecationIssue expectedIssue = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, String.format(Locale.ROOT, @@ -774,7 +814,7 @@ public void testClusterRoutingAllocationIncludeRelocationsSetting() { ); assertThat( - NodeDeprecationChecks.checkClusterRoutingAllocationIncludeRelocationsSetting(nodeSettings, null, clusterState), + NodeDeprecationChecks.checkClusterRoutingAllocationIncludeRelocationsSetting(nodeSettings, null, clusterState, licenseState), equalTo(expectedIssue) ); 
@@ -785,4 +825,39 @@ public void testClusterRoutingAllocationIncludeRelocationsSetting() { assertWarnings(expectedWarning); } + public void testImplicitlyDisabledSecurityWarning() { + final DeprecationIssue issue = + NodeDeprecationChecks.checkImplicitlyDisabledSecurityOnBasicAndTrial(Settings.EMPTY, + null, + ClusterState.EMPTY_STATE, + new XPackLicenseState(Settings.EMPTY, () -> 0)); + assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL)); + assertThat(issue.getMessage(), equalTo("Security is enabled by default for all licenses in the next major version.")); + assertNotNull(issue.getDetails()); + assertThat(issue.getDetails(), containsString("The default behavior of disabling security on ")); + assertThat(issue.getUrl(), + equalTo("https://www.elastic.co/guide/en/elasticsearch/reference/7.14/migrating-7.14.html#implicitly-disabled-security")); + } + + public void testExplicitlyConfiguredSecurityOnBasicAndTrial() { + final boolean enabled = randomBoolean(); + final Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), enabled).build(); + final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); + final XPackLicenseState licenseState = mock(XPackLicenseState.class); + when(licenseState.getOperationMode()).thenReturn(randomFrom(License.OperationMode.BASIC, License.OperationMode.TRIAL)); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); + assertThat(issues, empty()); + } + + public void testImplicitlyConfiguredSecurityOnGoldPlus() { + final boolean enabled = randomBoolean(); + final Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), enabled).build(); + final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); + final XPackLicenseState licenseState = mock(XPackLicenseState.class); + when(licenseState.getOperationMode()) + 
.thenReturn(randomValueOtherThanMany((m -> m.equals(License.OperationMode.BASIC) || m.equals(License.OperationMode.TRIAL)), + () -> randomFrom(License.OperationMode.values()))); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); + assertThat(issues, empty()); + } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java index da71f41bb8604..a6ffd52bfeac9 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java @@ -10,6 +10,9 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.elasticsearch.Version; +import org.elasticsearch.common.logging.DeprecationCategory; +import org.elasticsearch.common.logging.DeprecationLogger; +import org.elasticsearch.license.License; import org.elasticsearch.license.LicenseStateListener; import org.elasticsearch.license.XPackLicenseState; @@ -22,11 +25,13 @@ public class SecurityStatusChangeListener implements LicenseStateListener { private final Logger logger; + private final DeprecationLogger deprecationLogger; private final XPackLicenseState licenseState; private Boolean securityEnabled; public SecurityStatusChangeListener(XPackLicenseState licenseState) { this.logger = LogManager.getLogger(getClass()); + this.deprecationLogger = DeprecationLogger.getLogger(getClass()); this.licenseState = licenseState; this.securityEnabled = null; } 
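Review bot: In NodeDeprecationChecksTests, testImplicitlyConfiguredSecurityOnGoldPlus does not exercise the implicit case its name describes. It sets `xpack.security.enabled` to a random boolean, so it presumably passes for the same reason as testExplicitlyConfiguredSecurityOnBasicAndTrial even if the license-mode condition were wrong or missing. To pin that an unset security setting raises no issue on other license modes, call the check directly with empty settings: `assertThat(NodeDeprecationChecks.checkImplicitlyDisabledSecurityOnBasicAndTrial(Settings.EMPTY, null, ClusterState.EMPTY_STATE, licenseState), nullValue());`. Likewise, testImplicitlyDisabledSecurityWarning depends on whatever mode a freshly constructed `XPackLicenseState` reports; stubbing the mode as the other two new tests do would state that precondition.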
@@ -45,6 +50,16 @@ public synchronized void licenseStateChanged() { logger.warn("Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be " + "accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); + if (licenseState.getOperationMode().equals(License.OperationMode.BASIC) + || licenseState.getOperationMode().equals(License.OperationMode.TRIAL)) { + deprecationLogger.deprecate(DeprecationCategory.SECURITY, "security_implicitly_disabled", + "The default behavior of disabling security on " + licenseState.getOperationMode().description() + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + + "setting [xpack.security.enabled] to false in elasticsearch.yml"); + } } this.securityEnabled = newState; } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java index 4dffe7b93e4cf..6dd32b472b639 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java 
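Review bot: The new branch keys only on the operation mode, so as far as this hunk shows it warns whenever security is off on a basic or trial license, while the message says it is the default that is deprecated. If this listener can be registered on a node where `xpack.security.enabled` is explicitly `false` (not visible here), operators who already made that choice would be told to do what they have done; the NodeDeprecationChecks tests in this commit treat an explicit setting as no issue, and the two paths should agree. The message also has a stray space in `"true" ,` and no final period; three test assertions copy the text verbatim, so fix the message and the tests together. `getOperationMode()` is read three times; reading it once into a local and comparing with `==` keeps the condition and the `description()` in the message on the same value. The body of licenseStateChanged begins outside the hunk.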
@@ -81,6 +81,11 @@ public void testSecurityEnabledToDisabled() { "Active license is now [BASIC]; Security is disabled" )); listener.licenseStateChanged(); + assertWarnings("The default behavior of disabling security on basic" + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); logAppender.assertAllExpectationsMatched(); } @@ -104,6 +109,11 @@ public void testSecurityDisabledToEnabled() { Version.CURRENT.minor + "/security-minimal-setup.html to enable security." )); listener.licenseStateChanged(); + assertWarnings("The default behavior of disabling security on trial" + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); logAppender.addExpectation(new MockLogAppender.UnseenEventExpectation( 
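Review bot: The added `assertWarnings` expectations hard-code `7.14` in the documentation URL, whereas the production message and the neighbouring log expectations in this file build it from `Version.CURRENT.major` and `Version.CURRENT.minor`. These assertions will therefore fail on the next version bump of this branch. The same literal is pasted in both hunks here and again in testWarningForImplicitlyDisabledSecurity. Building the expected text once in a private helper that takes the license description keeps the three call sites in step with the production message.

```java
private static String implicitlyDisabledSecurityWarning(String licenseDescription) {
    return "The default behavior of disabling security on " + licenseDescription
        + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will "
        + "default to \"true\" , regardless of the license level. "
        + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "."
        + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, "
        + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml";
}

// … unchanged: log expectations in testSecurityEnabledToDisabled …
listener.licenseStateChanged();
assertWarnings(implicitlyDisabledSecurityWarning("basic"));
```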
@@ -126,4 +136,15 @@ public void testSecurityDisabledToEnabled() { logAppender.assertAllExpectationsMatched(); } + public void testWarningForImplicitlyDisabledSecurity() { + when(licenseState.isSecurityEnabled()).thenReturn(false); + when(licenseState.getOperationMode()).thenReturn(License.OperationMode.TRIAL); + listener.licenseStateChanged(); + assertWarnings("The default behavior of disabling security on trial" + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); + } + }
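Review bot: testWarningForImplicitlyDisabledSecurity covers only the positive case. None of the tests visible in this diff asserts that the listener stays silent on the deprecation logger when security is disabled under a license mode other than basic or trial. A companion test would pin the license gate: stub `isSecurityEnabled()` to `false` and `getOperationMode()` to, for example, `License.OperationMode.GOLD`, call `listener.licenseStateChanged()`, and expect no deprecation warning. Without it, removing the mode condition from the listener would presumably go unnoticed by this test class.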