Add deprecation warnings for ssl config fallback #36847
Conversation
SSL configuration fallback has long been present in security but is a source of confusion due to the behavior. Ultimately, we plan to remove support for fallback in the next major version so this commit provides deprecation warnings for the current line of stable releases.
|
Pinging @elastic/es-security |
| @@ -96,7 +97,8 @@ | |||
|
|
|||
| private static final Function<String, Setting<SecureString>> TRUSTSTORE_PASSWORD_TEMPLATE = key -> | |||
| SecureSetting.secureString(key, LEGACY_TRUSTSTORE_PASSWORD_TEMPLATE.apply(key.replace("truststore.secure_password", | |||
| "truststore.password"))); | |||
| "truststore.password")), | |||
| key.startsWith(XPackSettings.GLOBAL_SSL_PREFIX) ? new Property[] { Property.Deprecated } : new Property[0]); | |||
There was a problem hiding this comment.
Shouldn't the legacy (non-secure) password always be deprecated? It looks like this just got missed/lost at some point.
There was a problem hiding this comment.
It is deprecated always. What you are seeing is the fallback setting being configured, which has its own properties; the properties here are the ones for the secure setting.
There was a problem hiding this comment.
Of course. It really is a bit of a mess isn't it.
| List<String> urls = realm.getAsList("url"); | ||
| if (urls.isEmpty() == false && urls.stream().anyMatch(s -> s.startsWith("ldaps://"))) { | ||
| return true; | ||
| } |
There was a problem hiding this comment.
SAML uses ssl if the metadata path points to a https URL.
https://github.com/elastic/elasticsearch/blob/6.6/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java#L515
|
|
||
| static final Function<String, Setting<SecureString>> LEGACY_KEYSTORE_KEY_PASSWORD_TEMPLATE = key -> new Setting<>(key, "", | ||
| SecureString::new, Setting.Property.Deprecated, Setting.Property.Filtered, Setting.Property.NodeScope); | ||
| static final Function<String, Setting<SecureString>> KEYSTORE_KEY_PASSWORD_TEMPLATE = key -> | ||
| SecureSetting.secureString(key, LEGACY_KEYSTORE_KEY_PASSWORD_TEMPLATE.apply(key.replace("keystore.secure_key_password", | ||
| "keystore.key_password"))); | ||
| "keystore.key_password")), | ||
| key.startsWith(XPackSettings.GLOBAL_SSL_PREFIX) ? new Property[] { Property.Deprecated } : new Property[0]); |
There was a problem hiding this comment.
Per previous comment, we can probably make this deprecated in all cases.
There was a problem hiding this comment.
This property is for the secure setting and not the legacy value
| SecureSetting.secureString(key, LEGACY_KEY_PASSWORD_TEMPLATE.apply(key.replace("secure_key_passphrase", | ||
| "key_passphrase"))); | ||
| SecureSetting.secureString(key, LEGACY_KEY_PASSWORD_TEMPLATE.apply(key.replace("secure_key_passphrase", "key_passphrase")), | ||
| key.startsWith(XPackSettings.GLOBAL_SSL_PREFIX) ? new Property[] { Property.Deprecated } : new Property[0]); |
There was a problem hiding this comment.
This property is for the secure setting and not the legacy value
|
@tvernum I updated docs and added deprecation checks |
|
run gradle build tests 1 |
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java
Outdated
Show resolved
Hide resolved
| return false; | ||
| } | ||
|
|
||
| private void checkSSLConfigurationForFallback(String name, Settings settings, SSLConfiguration config) { |
There was a problem hiding this comment.
I think it might be nice to print the key missing from the actual config that falls back to the default value here instead of a descriptive name, but I'm not sure if it can be reliably computed and if it would actually make the deprecation log better, so I just bring it up for consideration
There was a problem hiding this comment.
I agree that it would be nice, but I think the effort to compute this would probably outweigh the benefits
| @@ -115,7 +117,7 @@ public void testThatConnectionToServerTypeConnectionWorks() throws IOException, | |||
| "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", | |||
| "testnode", | |||
| "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt", | |||
| Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); | |||
| Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt")); | |||
There was a problem hiding this comment.
👍 thanks for fixing these also
Co-Authored-By: jaymode <[email protected]>
|
run gradle build tests 2
|
|
run gradle build tests 2 |
SSL configuration fallback has long been present in security but is a
source of confusion due to the behavior. Ultimately, we plan to remove
support for fallback in the next major version so this commit provides
deprecation warnings for the current line of stable releases.
Relates #36846