Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enforce transport TLS on Basic with Security #42150

Merged
merged 4 commits into from
May 15, 2019

Conversation

tvernum
Copy link
Contributor

@tvernum tvernum commented May 15, 2019

If a basic license enables security, then we should also enforce TLS
on the transport interface.

This was already the case for Standard/Gold/Platinum licenses.

For Basic, security defaults to disabled, so some of the process
around checking whether security is actually enabled is more complex
now that we need to account for basic licenses.

If a basic license enables security, then we should also enforce TLS
on the transport interface.

This was already the case for Standard/Gold/Platinum licenses.

For Basic, security defaults to disabled, so some of the process
around checking whether security is actuallY enabled is more complex
now that we need to account for basic licenses.
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

/**
* Returns <code>true</code> iff the license is a production licnese
*/
public boolean isProductionLicense() {
Copy link
Contributor Author

@tvernum tvernum May 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I replaced this with an explicit "is TLS required" method in XPackLicenseState.

I droppped the "production license" terminology, because it was a bit confusing (which is why this gap has only just been identified).
Why wasn't basic a production license before? Should it be one? It's perfectly fine to run basic in production, even though it doesn't have paid support.

I moved it from License to XPackLicenseState because

  1. All the "is XXX allowed" methods are there, so that seemed more reasonable from an appropriate compartmentalisation problem (and helps with discoverability of the code)
  2. To do the "is TLS required" method well it needs to look at whether security is explicitly enabled, for which all the logic is in XPackLicenseState.

Settings.builder().put("xpack.security.transport.ssl.enabled", false).build(), build)).getMessage());
}
, randomBoolean()).build(), MetaData.EMPTY_META_DATA)).isSuccess());
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The old method felt very much like it was using randomness to test a variety of scenarios, so I took the opportunity to split it out.

Copy link
Member

@jaymode jaymode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

if (XPackLicenseState.isTransportTlsRequired(license, context.settings())) {
return BootstrapCheckResult.failure("Transport SSL must be enabled if security is enabled on a [" +
license.operationMode().description() + "] license. " +
"Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting " +
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it also be enough to not explicitly set xpack.security.enabled to true when in basic. I don't think it's worth trying to fit in the message cause I can't think of a way to not make the wording too confusing, but just raising in case you have any ideas around it

@jasontedor jasontedor merged commit 7e0ffae into elastic:master May 15, 2019
jasontedor pushed a commit that referenced this pull request May 15, 2019
If a basic license enables security, then we should also enforce TLS
on the transport interface.

This was already the case for Standard/Gold/Platinum licenses.

For Basic, security defaults to disabled, so some of the process
around checking whether security is actuallY enabled is more complex
now that we need to account for basic licenses.
jasontedor pushed a commit that referenced this pull request May 15, 2019
If a basic license enables security, then we should also enforce TLS
on the transport interface.

This was already the case for Standard/Gold/Platinum licenses.

For Basic, security defaults to disabled, so some of the process
around checking whether security is actuallY enabled is more complex
now that we need to account for basic licenses.
jasontedor pushed a commit that referenced this pull request May 15, 2019
If a basic license enables security, then we should also enforce TLS
on the transport interface.

This was already the case for Standard/Gold/Platinum licenses.

For Basic, security defaults to disabled, so some of the process
around checking whether security is actuallY enabled is more complex
now that we need to account for basic licenses.
gurkankaymak pushed a commit to gurkankaymak/elasticsearch that referenced this pull request May 27, 2019
If a basic license enables security, then we should also enforce TLS
on the transport interface.

This was already the case for Standard/Gold/Platinum licenses.

For Basic, security defaults to disabled, so some of the process
around checking whether security is actuallY enabled is more complex
now that we need to account for basic licenses.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants