-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate the behaviour of implicitly disabling file/native realm #69320
Deprecate the behaviour of implicitly disabling file/native realm #69320
Conversation
Pinging @elastic/es-security (Team:Security) |
Please note this PR is for |
…lictly-disabling-file-native-7.x
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with two small nits.
...gin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
Outdated
Show resolved
Hide resolved
...gin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
Outdated
Show resolved
Hide resolved
PS: Do not forget to add the breaking notice in the #50892 PR. |
…lictly-disabling-file-native-7.x
...gin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
Outdated
Show resolved
Hide resolved
return null; | ||
} | ||
// If all configured realms are disabled, this equals to no realm is configured. The implicitly behaviour in this case | ||
// is to add file and native realms. So we are good here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we good?
What will this config do in 8.0?
xpack.security.authc.realms:
native.native_realm:
enabled: false
ldap.corp_ldap:
enabled: false
In 7.x it will result in both a file and native realm enabled (I think)
I believe the proposal is that in 8.x it will result in just a file realm.
Should we issue a deprecation warning (because the behaviour will change) in this case too?
(A separate PR is fine though)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch. Yes this is indeed the proposal in the other PR #69096. I updated this PR to issue warning for this scenario as well. I'd like to mention that this change also means that the cluster will not automatically fallback to file/native realms when:
- The License is downgraded and
- The file or native realm is explicitly disabled
I don't know whether users rely on this "feature". I personally feel it is not something we should cater for because implicitly auto-enabling realms on the fly could be a security issue and also explicit behaviours are what we are after with these changes. All in all, if a realm is explicity disabled, I prefer it remain disabled at all times.
|
||
final String details = String.format( | ||
Locale.ROOT, | ||
"Found implicitly disabled native %s: [%s]. %s disabled because there are other explicitly configured realms." + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"native" here means "file or native" right?
Do we need a better word?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I struggled with this and could not find a better word. I used native
because that is what used in the Realms
class. I agree it is confusing. If possible, I would rename "native realm" to something like "index realm", but I think it would be a cognitive challenge for users. I also thought about the word "builtin" but all realms are kinda "builtin", i.e. part of default distribution. The word "internal" is also used for all realms. How about "basic"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed all places to use the term "basic".
…k/deprecation/NodeDeprecationChecks.java Co-authored-by: Tim Vernum <[email protected]>
…lictly-disabling-file-native-7.x
...gin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
Outdated
Show resolved
Hide resolved
…k/deprecation/NodeDeprecationChecks.java Co-authored-by: Tim Vernum <[email protected]>
#78405) * [DOCS] Always enable file and native realms by default Adds an 8.0 breaking change for PR #69096. The copy is based on the 7.13 deprecation notice added with PR #69320. * reword * Update docs/reference/migration/migrate_8_0/security.asciidoc Co-authored-by: Yang Wang <[email protected]> * Update docs/reference/migration/migrate_8_0/security.asciidoc Co-authored-by: Yang Wang <[email protected]> Co-authored-by: Yang Wang <[email protected]>
As a precursor for #50892, this PR deprecate the behaviour of file and/or native realm being implicitly disabled when there are other explicitly configured realms.
With this change, the recommend way of disabling file/native realm is to explicitly set
enabled
tofalse
, e.g.:This PR ensures that a warning is generated whenever file and/or native realm is implicitly disabled.
This change also brings a question about the
order
parameter. Currently, theorder
parameter is mandatory in 8.0 and gets a warning message if it is missing in 7.x. However, it makes sense to not specify theorder
parameter if the realm is disabled. So I also updated theorder
parameter related code to do just that.Relates: #50892