Security: remove SSL settings fallback #36846
Conversation
This commit removes the fallback for SSL settings. While this may be seen as a non user friendly change, the intention behind this change is to simplify the reasoning needed to understand what is actually being used for a given SSL configuration. Each configuration now needs to be explicitly specified as there is no global configuration or fallback to some other configuration. Closes elastic#29797
|
Pinging @elastic/es-security |
|
I've added this to the list of things we should add deprecation checks for in #36024 - would you be able to either:
|
| @@ -1380,23 +1276,21 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for | |||
|
|
|||
There was a problem hiding this comment.
Shouldn't we move the PKCS11 related settings to the http/transport related settings ? These feel strangely placed as is
There was a problem hiding this comment.
I have them there as general information. @lcawl do you have a suggestion on where we should put this info?
There was a problem hiding this comment.
If I'm understanding correctly, that PKCS#11 already appears under the appropriate HTTP and Transport sections. So unless there are other contexts where there would be PKCS#11 settings, I think it can be removed from the "default values..." section.
There was a problem hiding this comment.
I think we reference PKCS#12 in those sections but not PKCS#11
There was a problem hiding this comment.
Scratch that. I am wrong, we already have it there. So it can be removed from the defaults section
| those configured in the `xpack.security.transport.ssl.truststore` and | ||
| `xpack.security.transport.ssl.certificate_authorities` settings. It also | ||
| includes certificates that are used for configuring server identity, such as | ||
| `xpack.security.transport.ssl.keystore` and |
There was a problem hiding this comment.
Should we use the http layer as an example for certficate and keystore so that it becomes (even more) obvious that certificates used in both layers will be returned ?
| @@ -231,14 +190,6 @@ private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConf | |||
| String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings); | |||
| SecureString trustStorePassword = SETTINGS_PARSER.truststorePassword.get(settings); | |||
| return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm); | |||
| } else if (global == null && System.getProperty("javax.net.ssl.trustStore") != null | |||
| @@ -123,19 +123,20 @@ public void testReadIdpMetadataFromHttps() throws Exception { | |||
| final Path path = getDataPath("idp1.xml"); | |||
| final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8); | |||
| final MockSecureSettings mockSecureSettings = new MockSecureSettings(); | |||
| mockSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); | |||
| mockSecureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); | |||
There was a problem hiding this comment.
Doesn't really affect anything but we could use xpack.security.http key since the produced SSLContext is used in a MockWebServer
| if (value == null) { | ||
| try { | ||
| if (key.startsWith("xpack.security.transport.ssl.")) { | ||
| byte[] file = Streams.readAll(secureSettings.getFile(key)); |
There was a problem hiding this comment.
Maybe move toBytesArray to ESTestCase and use this instead so that we don't introduce BC dependencies again?
| Settings settings2 = Settings.builder() | ||
| .put("xpack.ssl.key", keyPath) | ||
| .put("xpack.ssl.certificate", certPath) | ||
| .put("xpack.security.transport.ssl.key", keyPath) |
There was a problem hiding this comment.
same as above, just for being easy to the eye use the http layer settings for the MockWebServer
| try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null)) { | ||
| MockSecureSettings secureSettings = new MockSecureSettings(); | ||
| // We can't use the client created above for the server since it only defines a truststore | ||
| secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname"); | ||
| secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-no-subjaltname"); |
There was a problem hiding this comment.
same as above, just for being easy to the eye use the http layer settings for the MockWebServer
Yes it was. So much that merging 6+ months worth of changes was better than starting fresh. |
|
run gradle build tests 1 |
* master: (28 commits) Introduce retention lease serialization (elastic#37447) Update Delete Watch to allow unknown fields (elastic#37435) Make finalize step of recovery source non-blocking (elastic#37388) Update the default for include_type_name to false. (elastic#37285) Security: remove SSL settings fallback (elastic#36846) Adding mapping for hostname field (elastic#37288) Relax assertSameDocIdsOnShards assertion Reduce recovery time with compress or secure transport (elastic#36981) Implement ccr file restore (elastic#37130) Fix Eclipse specific compilation issue (elastic#37419) Performance fix. Reduce deprecation calls for the same bulk request (elastic#37415) [ML] Use String rep of Version in map for serialisation (elastic#37416) Cleanup Deadcode in Rest Tests (elastic#37418) Mute IndexShardRetentionLeaseTests.testCommit elastic#37420 unmuted test Remove unused index store in directory service Improve CloseWhileRelocatingShardsIT (elastic#37348) Fix ClusterBlock serialization and Close Index API logic after backport to 6.x (elastic#37360) Update the scroll example in the docs (elastic#37394) Update analysis.asciidoc (elastic#37404) ...
Update the security configuration with the changes brought in elastic/elasticsearch#36846
Update the security configuration with the changes brought in elastic/elasticsearch#36846 Relates #12
This commit removes the fallback for SSL settings. While this may be
seen as a non user friendly change, the intention behind this change
is to simplify the reasoning needed to understand what is actually
being used for a given SSL configuration. Each configuration now needs
to be explicitly specified as there is no global configuration or
fallback to some other configuration.
Closes #29797