-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enforce transport TLS on Basic with Security #42150
Conversation
If a basic license enables security, then we should also enforce TLS on the transport interface. This was already the case for Standard/Gold/Platinum licenses. For Basic, security defaults to disabled, so some of the process around checking whether security is actuallY enabled is more complex now that we need to account for basic licenses.
Pinging @elastic/es-security |
/** | ||
* Returns <code>true</code> iff the license is a production licnese | ||
*/ | ||
public boolean isProductionLicense() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I replaced this with an explicit "is TLS required" method in XPackLicenseState.
I droppped the "production license" terminology, because it was a bit confusing (which is why this gap has only just been identified).
Why wasn't basic a production license before? Should it be one? It's perfectly fine to run basic in production, even though it doesn't have paid support.
I moved it from License to XPackLicenseState
because
- All the "is XXX allowed" methods are there, so that seemed more reasonable from an appropriate compartmentalisation problem (and helps with discoverability of the code)
- To do the "is TLS required" method well it needs to look at whether security is explicitly enabled, for which all the logic is in XPackLicenseState.
Settings.builder().put("xpack.security.transport.ssl.enabled", false).build(), build)).getMessage()); | ||
} | ||
, randomBoolean()).build(), MetaData.EMPTY_META_DATA)).isSuccess()); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The old method felt very much like it was using randomness to test a variety of scenarios, so I took the opportunity to split it out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
if (XPackLicenseState.isTransportTlsRequired(license, context.settings())) { | ||
return BootstrapCheckResult.failure("Transport SSL must be enabled if security is enabled on a [" + | ||
license.operationMode().description() + "] license. " + | ||
"Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting " + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't it also be enough to not explicitly set xpack.security.enabled
to true
when in basic. I don't think it's worth trying to fit in the message cause I can't think of a way to not make the wording too confusing, but just raising in case you have any ideas around it
If a basic license enables security, then we should also enforce TLS on the transport interface. This was already the case for Standard/Gold/Platinum licenses. For Basic, security defaults to disabled, so some of the process around checking whether security is actuallY enabled is more complex now that we need to account for basic licenses.
If a basic license enables security, then we should also enforce TLS on the transport interface. This was already the case for Standard/Gold/Platinum licenses. For Basic, security defaults to disabled, so some of the process around checking whether security is actuallY enabled is more complex now that we need to account for basic licenses.
If a basic license enables security, then we should also enforce TLS on the transport interface. This was already the case for Standard/Gold/Platinum licenses. For Basic, security defaults to disabled, so some of the process around checking whether security is actuallY enabled is more complex now that we need to account for basic licenses.
If a basic license enables security, then we should also enforce TLS on the transport interface. This was already the case for Standard/Gold/Platinum licenses. For Basic, security defaults to disabled, so some of the process around checking whether security is actuallY enabled is more complex now that we need to account for basic licenses.
If a basic license enables security, then we should also enforce TLS
on the transport interface.
This was already the case for Standard/Gold/Platinum licenses.
For Basic, security defaults to disabled, so some of the process
around checking whether security is actually enabled is more complex
now that we need to account for basic licenses.