From 56e6602c2cae1d7263d7e2e0ab76ecccdbdc51fc Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 22 Feb 2021 16:56:48 +1100 Subject: [PATCH 01/11] Deprecate the behaviour of implicitly disabling file/native realm. --- docs/reference/migration/index.asciidoc | 2 + .../reference/migration/migrate_7_13.asciidoc | 62 ++++++++++ .../core/security/authc/RealmSettings.java | 3 +- .../xpack/deprecation/DeprecationChecks.java | 1 + .../deprecation/NodeDeprecationChecks.java | 40 +++++++ .../NodeDeprecationChecksTests.java | 112 +++++++++++++++++- .../xpack/security/authc/Realms.java | 22 +++- .../xpack/security/authc/RealmsTests.java | 81 +++++++++++++ 8 files changed, 320 insertions(+), 3 deletions(-) create mode 100644 docs/reference/migration/migrate_7_13.asciidoc diff --git a/docs/reference/migration/index.asciidoc b/docs/reference/migration/index.asciidoc index 0e85abf93b10f..422e22ae7eeb8 100644 --- a/docs/reference/migration/index.asciidoc +++ b/docs/reference/migration/index.asciidoc @@ -28,6 +28,7 @@ For more information about {minor-version}, see the <> and <>. For information about how to upgrade your cluster, see <>. +* <> * <> * <> * <> @@ -44,6 +45,7 @@ For information about how to upgrade your cluster, see <>. -- +include::migrate_7_13.asciidoc[] include::migrate_7_12.asciidoc[] include::migrate_7_11.asciidoc[] include::migrate_7_10.asciidoc[] diff --git a/docs/reference/migration/migrate_7_13.asciidoc b/docs/reference/migration/migrate_7_13.asciidoc new file mode 100644 index 0000000000000..6e9bc7223fb08 --- /dev/null +++ b/docs/reference/migration/migrate_7_13.asciidoc 
@@ -0,0 +1,62 @@ +[[migrating-7.13]] +== Migrating to 7.13 +++++ +7.13 +++++ + +This section discusses the changes that you need to be aware of when migrating +your application to {es} 7.13. + +See also <> and <>. + +// * <> +// * <> + +//NOTE: The notable-breaking-changes tagged regions are re-used in the +//Installation and Upgrade Guide + +//tag::notable-breaking-changes[] + +//// +[discrete] +[[breaking-changes-7.13]] +=== Breaking changes + +The following changes in {es} 7.13 might affect your applications +and prevent them from operating normally. +Before upgrading to 7.13, review these changes and take the described steps +to mitigate the impact. + +NOTE: Breaking changes introduced in minor versions are +normally limited to security and bug fixes. +Significant changes in behavior are deprecated in a minor release and +the old behavior is supported until the next major release. +To find out if you are using any deprecated functionality, +enable <>. + +//// + +[discrete] +[[deprecated-7.13]] +=== Deprecations + +The following functionality has been deprecated in {es} 7.13 +and will be removed in 8.0 +While this won't have an immediate impact on your applications, +we strongly encourage you take the described steps to update your code +after upgrading to 7.13. + +NOTE: Significant changes in behavior are deprecated in a minor release and +the old behavior is supported until the next major release. +To find out if you are using any deprecated functionality, +enable <>. + +[discrete] +[[breaking_713_security_changes]] +==== Security deprecations + +[[implicitly-disabled-native-realms]] +Currently, if native and file realms are not configured, they are implicitly disabled if there +are other explicitly configured realms. This behaviour is deprecated. +In version 8.0.0, the native and file realms will always be enabled unless explicitly +disabled. 
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmSettings.java index 874797ec9372a..17bd3fbae5140 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmSettings.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmSettings.java @@ -30,9 +30,10 @@ public class RealmSettings { public static final String PREFIX = "xpack.security.authc.realms."; + public static final String ENABLED_SETTING_KEY = "enabled"; public static final String ORDER_SETTING_KEY = "order"; - public static final Function> ENABLED_SETTING = affixSetting("enabled", + public static final Function> ENABLED_SETTING = affixSetting(ENABLED_SETTING_KEY, key -> Setting.boolSetting(key, true, Setting.Property.NodeScope)); public static final Function> ORDER_SETTING = affixSetting(ORDER_SETTING_KEY, key -> Setting.intSetting(key, Integer.MAX_VALUE, Setting.Property.NodeScope)); diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index 830015742e65c..15d0c68b122e2 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java 
@@ -47,6 +47,7 @@ private DeprecationChecks() { NodeDeprecationChecks::checkProcessors, NodeDeprecationChecks::checkMissingRealmOrders, NodeDeprecationChecks::checkUniqueRealmOrders, + NodeDeprecationChecks::checkImplicitlyDisabledNativeRealms, (settings, pluginsAndModules) -> NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings), (settings, pluginsAndModules) -> NodeDeprecationChecks.checkThreadPoolListenerSize(settings), NodeDeprecationChecks::checkClusterRemoteConnectSetting, diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index ee8403721eab3..460d492410975 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -9,6 +9,7 @@ import org.elasticsearch.action.admin.cluster.node.info.PluginsAndModules; import org.elasticsearch.bootstrap.JavaVersion; +import org.elasticsearch.common.Strings; import org.elasticsearch.common.settings.Setting; import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; @@ -19,8 +20,12 @@ import org.elasticsearch.threadpool.FixedExecutorBuilder; import org.elasticsearch.transport.RemoteClusterService; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; +import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; +import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; +import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings; +import java.util.ArrayList; import java.util.List; import java.util.Locale; import java.util.Map; 
@@ -52,6 +57,7 @@ static DeprecationIssue checkMissingRealmOrders(final Settings settings, final P final Set orderNotConfiguredRealms = RealmSettings.getRealmSettings(settings).entrySet() .stream() .filter(e -> false == e.getValue().hasValue(RealmSettings.ORDER_SETTING_KEY)) + .filter(e -> e.getValue().getAsBoolean(RealmSettings.ENABLED_SETTING_KEY, true)) .map(e -> RealmSettings.realmSettingPrefix(e.getKey()) + RealmSettings.ORDER_SETTING_KEY) .collect(Collectors.toSet()); 
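Review bot: The added `.filter(e -> e.getValue().getAsBoolean(RealmSettings.ENABLED_SETTING_KEY, true))` in checkMissingRealmOrders carries no comment saying why a disabled realm is exempt from the order requirement, while the matching change in Realms.initRealms does explain it. A line above the filter such as `// a disabled realm may omit its order; mainly relevant for file/native, which are disabled by keeping an entry` would keep the two places in step. The two consecutive `filter` calls could also be folded into one predicate. The method body continues outside the hunk.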
@@ -104,6 +110,40 @@ static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final Pl ); } + static DeprecationIssue checkImplicitlyDisabledNativeRealms(final Settings settings, final PluginsAndModules pluginsAndModules) { + final Map realmSettings = RealmSettings.getRealmSettings(settings); + if (realmSettings.isEmpty()) { + return null; + } + // If all configured realms are disabled, this equals to no realm is configured. The implicitly behaviour in this case + // is to add file and native realms. So we are good here. + if (false == realmSettings.entrySet().stream().anyMatch( + e -> e.getValue().getAsBoolean(RealmSettings.ENABLED_SETTING_KEY, true))) { + return null; + } + final List implicitlyDisabledNativeRealmTypes = + new ArrayList<>(org.elasticsearch.common.collect.List.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE)); + realmSettings.keySet().forEach(ri -> implicitlyDisabledNativeRealmTypes.remove(ri.getType())); + if (implicitlyDisabledNativeRealmTypes.isEmpty()) { + return null; + } + + final String details = String.format( + Locale.ROOT, + "Found implicitly disabled native %s: [%s]. %s disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled.", + implicitlyDisabledNativeRealmTypes.size() == 1 ? "realm" : "realms", + Strings.collectionToDelimitedString(implicitlyDisabledNativeRealmTypes, ","), + implicitlyDisabledNativeRealmTypes.size() == 1 ? "It is" : "They are"); + + return new DeprecationIssue( + DeprecationIssue.Level.CRITICAL, + "File and/or native realms cannot be implicitly disabled in next major release.", + "https://www.elastic.co/guide/en/elasticsearch/reference/7.13/breaking-changes-7.13.html#implicitly-disabled-native-realms", + details + ); + } + static DeprecationIssue checkThreadPoolListenerQueueSize(final Settings settings) { return checkThreadPoolListenerSetting("thread_pool.listener.queue_size", settings); } 
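Review bot: The `details` format string in checkImplicitlyDisabledNativeRealms joins its two sentences without a space, so the rendered text reads `...explicitly configured realms.In next major release...`; the second literal should begin with a space, `+ " In next major release, native realms will always be enabled unless explicitly disabled.",`. The same literal is repeated in Realms.logDeprecationForImplicitlyDisabledNativeRealms and in the expected strings of NodeDeprecationChecksTests and RealmsTests, so every copy needs the same change; holding the text in one shared constant would stop the copies drifting apart. Separately, the `anyMatch` test on the raw settings here is computed independently of the `realms.isEmpty()` condition used at startup, so the check and the runtime warning may disagree for a realm that is configured and enabled but not built; that is worth confirming against initRealms, which is only partly visible.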
diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 1510bab295b01..cd3df97225fc2 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -123,6 +123,18 @@ public void testCheckMissingRealmOrders() { ), deprecationIssues.get(0)); } + public void testRealmOrderIsNotRequiredIfRealmIsDisabled() { + final RealmConfig.RealmIdentifier realmIdentifier = + new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12)); + final Settings settings = + Settings.builder() + .put("xpack.security.authc.realms." + realmIdentifier.getType() + "." + realmIdentifier.getName() + ".enabled", "false") + .build(); + final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + assertTrue(deprecationIssues.isEmpty()); + } + public void testCheckUniqueRealmOrders() { final int order = randomInt(9999); 
@@ -168,7 +180,96 @@ public void testCorrectRealmOrders() { final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); - assertEquals(0, deprecationIssues.size()); + assertTrue(deprecationIssues.isEmpty()); + } + + public void testCheckImplicitlyDisabledNativeRealms() { + final Settings.Builder builder = Settings.builder(); + + final boolean otherRealmConfigured = randomBoolean(); + final boolean otherRealmEnabled = randomBoolean(); + if (otherRealmConfigured) { + final int otherRealmId = randomIntBetween(0, 9); + final String otherRealmName = randomAlphaOfLengthBetween(4, 12); + if (otherRealmEnabled) { + builder.put("xpack.security.authc.realms.type_" + otherRealmId + ".realm_" + otherRealmName + ".order", 1); + } else { + builder.put("xpack.security.authc.realms.type_" + otherRealmId + ".realm_" + otherRealmName + ".enabled", false); + } + } + final boolean fileRealmConfigured = randomBoolean(); + final boolean fileRealmEnabled = randomBoolean(); + if (fileRealmConfigured) { + final String fileRealmName = randomAlphaOfLengthBetween(4, 12); + // Configure file realm or explicitly disable it + if (fileRealmEnabled) { + builder.put("xpack.security.authc.realms.file." + fileRealmName + ".order", 10); + } else { + builder.put("xpack.security.authc.realms.file." + fileRealmName + ".enabled", false); + } + } + final boolean nativeRealmConfigured = randomBoolean(); + final boolean nativeRealmEnabled = randomBoolean(); + if (nativeRealmConfigured) { + final String nativeRealmName = randomAlphaOfLengthBetween(4, 12); + // Configure native realm or explicitly disable it + if (nativeRealmEnabled) { + builder.put("xpack.security.authc.realms.native." + nativeRealmName + ".order", 20); + } else { + builder.put("xpack.security.authc.realms.native." 
+ nativeRealmName + ".enabled", false); + } + } + final Settings settings = builder.build(); + final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + + if (otherRealmConfigured && otherRealmEnabled) { + if (false == fileRealmConfigured && false == nativeRealmConfigured) { + assertCommonImplicitDisabledRealms(deprecationIssues); + assertEquals("Found implicitly disabled native realms: [file,native]. " + + "They are disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled.", + deprecationIssues.get(0).getDetails()); + } else if (false == fileRealmConfigured) { + assertCommonImplicitDisabledRealms(deprecationIssues); + assertEquals("Found implicitly disabled native realm: [file]. " + + "It is disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled.", + deprecationIssues.get(0).getDetails()); + } else if (false == nativeRealmConfigured) { + assertCommonImplicitDisabledRealms(deprecationIssues); + assertEquals("Found implicitly disabled native realm: [native]. " + + "It is disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled.", + deprecationIssues.get(0).getDetails()); + } else { + assertTrue(deprecationIssues.isEmpty()); + } + } else { + if (false == fileRealmConfigured && false == nativeRealmConfigured) { + assertTrue(deprecationIssues.isEmpty()); + } else if (false == fileRealmConfigured) { + if (nativeRealmEnabled) { + assertCommonImplicitDisabledRealms(deprecationIssues); + assertEquals("Found implicitly disabled native realm: [file]. " + + "It is disabled because there are other explicitly configured realms." 
+ + "In next major release, native realms will always be enabled unless explicitly disabled.", + deprecationIssues.get(0).getDetails()); + } else { + assertTrue(deprecationIssues.isEmpty()); + } + } else if (false == nativeRealmConfigured) { + if (fileRealmEnabled) { + assertCommonImplicitDisabledRealms(deprecationIssues); + assertEquals("Found implicitly disabled native realm: [native]. " + + "It is disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled.", + deprecationIssues.get(0).getDetails()); + } else { + assertTrue(deprecationIssues.isEmpty()); + } + } + } } public void testThreadPoolListenerQueueSize() { @@ -349,4 +450,13 @@ private List getDeprecationIssues(Settings settings, PluginsAn return issues; } + + private void assertCommonImplicitDisabledRealms(List deprecationIssues) { + assertEquals(1, deprecationIssues.size()); + assertEquals("File and/or native realms cannot be implicitly disabled in next major release.", + deprecationIssues.get(0).getMessage()); + assertEquals("https://www.elastic.co/guide/en/elasticsearch/reference" + + "/7.13/breaking-changes-7.13.html#implicitly-disabled-native-realms", + deprecationIssues.get(0).getUrl()); + } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index e86aed51edee3..1e51c06eec9e5 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java 
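Review bot: In testCheckImplicitlyDisabledNativeRealms the outer `else` branch has no final `else` arm, so runs where both the file and native realms are configured and no other realm is enabled finish without asserting anything. Adding `} else { assertTrue(deprecationIssues.isEmpty()); }` after the `false == nativeRealmConfigured` arm would cover those combinations. testWarningsForImplicitlyDisabledNativeRealms in RealmsTests has the same gap in both of its outer branches.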
@@ -176,10 +176,16 @@ protected List initRealms() throws Exception { Map> nameToRealmIdentifier = new HashMap<>(); Set missingOrderRealmSettingKeys = new TreeSet<>(); Map> orderToRealmOrderSettingKeys = new HashMap<>(); + List implicitlyDisabledNativeRealmTypes = new ArrayList<>( + org.elasticsearch.common.collect.List.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE)); for (final Map.Entry entry: realmsSettings.entrySet()) { final RealmConfig.RealmIdentifier identifier = entry.getKey(); if (false == entry.getValue().hasValue(RealmSettings.ORDER_SETTING_KEY)) { - missingOrderRealmSettingKeys.add(RealmSettings.getFullSettingKey(identifier, RealmSettings.ORDER_SETTING)); + // If the realm is disabled, it is ok to have no order setting. This is only really useful for file/native realm. + // Because settings of other realms can just be entirely removed. + if (entry.getValue().getAsBoolean(RealmSettings.ENABLED_SETTING_KEY, true)) { + missingOrderRealmSettingKeys.add(RealmSettings.getFullSettingKey(identifier, RealmSettings.ORDER_SETTING)); + } } else { orderToRealmOrderSettingKeys.computeIfAbsent(entry.getValue().get(RealmSettings.ORDER_SETTING_KEY), k -> new TreeSet<>()) .add(RealmSettings.getFullSettingKey(identifier, RealmSettings.ORDER_SETTING)); @@ -189,6 +195,7 @@ protected List initRealms() throws Exception { throw new IllegalArgumentException("unknown realm type [" + identifier.getType() + "] for realm [" + identifier + "]"); } RealmConfig config = new RealmConfig(identifier, settings, env, threadContext); + implicitlyDisabledNativeRealmTypes.remove(identifier.getType()); if (config.enabled() == false) { if (logger.isDebugEnabled()) { logger.debug("realm [{}] is disabled", identifier); 
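Review bot: In the second hunk of initRealms, `implicitlyDisabledNativeRealmTypes.remove(identifier.getType())` runs before the `config.enabled() == false` check, so a file or native entry counts as explicit whether it is enabled or disabled. The deprecation depends on that rule and nothing in the code states it. A comment above the call such as `// any configured file/native realm, enabled or not, is an explicit choice and is not reported` would make the intent clear. initRealms starts and ends outside both hunks.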
@@ -220,6 +227,7 @@ protected List initRealms() throws Exception { if (realms.isEmpty() == false) { Collections.sort(realms); + logDeprecationForImplicitlyDisabledNativeRealms(implicitlyDisabledNativeRealmTypes); } else { // there is no "realms" configuration, add the defaults addNativeRealms(realms); @@ -369,4 +377,16 @@ private void logDeprecationIfFound(Set missingOrderRealmSettingKeys, Map } } + private void logDeprecationForImplicitlyDisabledNativeRealms(List implicitlyDisabledNativeRealmTypes) { + if (implicitlyDisabledNativeRealmTypes.isEmpty()) { + return; + } + deprecationLogger.deprecate(DeprecationCategory.SECURITY, "implicitly_disabled_native_realms", + "Found implicitly disabled native {}: [{}]. {} disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled.", + implicitlyDisabledNativeRealmTypes.size() == 1 ? "realm" : "realms", + Strings.collectionToDelimitedString(implicitlyDisabledNativeRealmTypes, ","), + implicitlyDisabledNativeRealmTypes.size() == 1 ? "It is" : "They are" + ); + } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java index 1f7593a50cfd4..04394f2e7486c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java 
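Review bot: The warning built in logDeprecationForImplicitlyDisabledNativeRealms says what will change but not how an operator keeps the current behaviour. After the next major release the file and native realms will be active on nodes that today rely on the implicit disabling, so any accounts defined in them would presumably become valid for authentication. The message should name the setting, for example by appending `" To keep a realm disabled, set xpack.security.authc.realms.<type>.<name>.enabled to false."`. The same applies to the `details` string in NodeDeprecationChecks.checkImplicitlyDisabledNativeRealms, and the test expectations would need to follow.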
@@ -639,6 +639,87 @@ public void testWarningForMissingRealmOrder() throws Exception { + "In next major release, node will fail to start with missing realm order."); } + public void testWarningsForImplicitlyDisabledNativeRealms() throws Exception { + final Settings.Builder builder = Settings.builder() + .put("path.home", createTempDir()); + final boolean otherRealmConfigured = randomBoolean(); + final boolean otherRealmEnabled = randomBoolean(); + if (otherRealmConfigured) { + final int otherRealmId = randomIntBetween(0, randomRealmTypesCount - 1); + final String otherRealmName = randomAlphaOfLengthBetween(4, 12); + if (otherRealmEnabled) { + builder.put("xpack.security.authc.realms.type_" + otherRealmId + ".realm_" + otherRealmName + ".order", 1); + } else { + builder.put("xpack.security.authc.realms.type_" + otherRealmId + ".realm_" + otherRealmName + ".enabled", false); + } + } + final boolean fileRealmConfigured = randomBoolean(); + final boolean fileRealmEnabled = randomBoolean(); + if (fileRealmConfigured) { + final String fileRealmName = randomAlphaOfLengthBetween(4, 12); + // Configure file realm or explicitly disable it + if (fileRealmEnabled) { + builder.put("xpack.security.authc.realms.file." + fileRealmName + ".order", 10); + } else { + builder.put("xpack.security.authc.realms.file." + fileRealmName + ".enabled", false); + } + } + final boolean nativeRealmConfigured = randomBoolean(); + final boolean nativeRealmEnabled = randomBoolean(); + if (nativeRealmConfigured) { + final String nativeRealmName = randomAlphaOfLengthBetween(4, 12); + // Configure native realm or explicitly disable it + if (nativeRealmEnabled) { + builder.put("xpack.security.authc.realms.native." + nativeRealmName + ".order", 20); + } else { + builder.put("xpack.security.authc.realms.native." 
+ nativeRealmName + ".enabled", false); + } + } + final Settings settings = builder.build(); + final Realms realms = + new Realms(settings, TestEnvironment.newEnvironment(settings), factories, licenseState, threadContext, reservedRealm); + + if (otherRealmConfigured && otherRealmEnabled) { + if (false == fileRealmConfigured && false == nativeRealmConfigured) { + assertWarnings("Found implicitly disabled native realms: [file,native]. " + + "They are disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled."); + } else if (false == fileRealmConfigured) { + assertWarnings("Found implicitly disabled native realm: [file]. " + + "It is disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled."); + } else if (false == nativeRealmConfigured) { + assertWarnings("Found implicitly disabled native realm: [native]. " + + "It is disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled."); + } + } else { + if (false == fileRealmConfigured && false == nativeRealmConfigured) { + // Default behaviour of implicitly enabling file and native realms + assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); + assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); + } else if (false == fileRealmConfigured) { + if (nativeRealmEnabled) { + assertWarnings("Found implicitly disabled native realm: [file]. " + + "It is disabled because there are other explicitly configured realms." 
+ + "In next major release, native realms will always be enabled unless explicitly disabled."); + } else { + assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); + assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); + } + } else if (false == nativeRealmConfigured) { + if (fileRealmEnabled) { + assertWarnings("Found implicitly disabled native realm: [native]. " + + "It is disabled because there are other explicitly configured realms." + + "In next major release, native realms will always be enabled unless explicitly disabled."); + } else { + assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); + assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); + } + } + } + } + static class DummyRealm extends Realm { DummyRealm(String type, RealmConfig config) { From 35af827d4e67d12cf53f93707c3ebca7f38e4dcd Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 22 Feb 2021 18:35:49 +1100 Subject: [PATCH 02/11] fix ci --- .../reference/migration/migrate_7_13.asciidoc | 2 -- .../deprecation/NodeDeprecationChecks.java | 2 +- .../NodeDeprecationChecksTests.java | 27 +++++++++++++------ .../xpack/security/authc/RealmsTests.java | 27 ++++++++++++++----- 4 files changed, 41 insertions(+), 17 deletions(-) diff --git a/docs/reference/migration/migrate_7_13.asciidoc b/docs/reference/migration/migrate_7_13.asciidoc index 6e9bc7223fb08..8f31df1f690e4 100644 --- a/docs/reference/migration/migrate_7_13.asciidoc +++ b/docs/reference/migration/migrate_7_13.asciidoc @@ -17,7 +17,6 @@ See also <> and <>. //tag::notable-breaking-changes[] -//// [discrete] [[breaking-changes-7.13]] === Breaking changes @@ -34,7 +33,6 @@ the old behavior is supported until the next major release. To find out if you are using any deprecated functionality, enable <>. -//// [discrete] [[deprecated-7.13]] 
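Review bot: In testWarningsForImplicitlyDisabledNativeRealms, the arms where the only configured realm is an explicitly disabled file or native realm assert that both `FileRealmSettings.DEFAULT_NAME` and `NativeRealmSettings.DEFAULT_NAME` are present, which means an explicit `enabled: false` is overridden when nothing else is enabled. That outcome is easy to misread as a test mistake; a comment on those arms such as `// every configured realm is disabled, so the default file and native realms are added` would record that it is intended. The branch where another realm is enabled checks only the warning text; asserting there that the file and native realms are absent would also pin the behaviour being deprecated, assuming `realms.realm(name)` returns null for a missing realm.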
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 460d492410975..f0110324bafae 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -139,7 +139,7 @@ static DeprecationIssue checkImplicitlyDisabledNativeRealms(final Settings setti return new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "File and/or native realms cannot be implicitly disabled in next major release.", - "https://www.elastic.co/guide/en/elasticsearch/reference/7.13/breaking-changes-7.13.html#implicitly-disabled-native-realms", + "https://www.elastic.co/guide/en/elasticsearch/reference/7.13/deprecated-7.13.html#implicitly-disabled-native-realms", details ); } diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index cd3df97225fc2..3aaeaab57ddfb 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java 
@@ -98,11 +98,13 @@ public void testCheckProcessors() { public void testCheckMissingRealmOrders() { final RealmConfig.RealmIdentifier invalidRealm = - new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12)); + new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final RealmConfig.RealmIdentifier validRealm = - new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12)); + new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final Settings settings = Settings.builder() + .put("xpack.security.authc.realms.file.default_file.enabled", false) + .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." + invalidRealm.getType() + "." + invalidRealm.getName() + ".enabled", "true") .put("xpack.security.authc.realms." + validRealm.getType() + "." + validRealm.getName() + ".order", randomInt()) .build(); 
@@ -139,12 +141,14 @@ public void testCheckUniqueRealmOrders() { final int order = randomInt(9999); final RealmConfig.RealmIdentifier invalidRealm1 = - new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12)); + new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final RealmConfig.RealmIdentifier invalidRealm2 = - new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12)); + new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final RealmConfig.RealmIdentifier validRealm = - new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12)); + new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final Settings settings = Settings.builder() + .put("xpack.security.authc.realms.file.default_file.enabled", false) + .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." + invalidRealm1.getType() + "." + invalidRealm1.getName() + ".order", order) .put("xpack.security.authc.realms." 
@@ -171,10 +175,12 @@ public void testCheckUniqueRealmOrders() { public void testCorrectRealmOrders() { final int order = randomInt(9999); final Settings settings = Settings.builder() + .put("xpack.security.authc.realms.file.default_file.enabled", false) + .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." - + randomAlphaOfLengthBetween(4, 12) + "." + randomAlphaOfLengthBetween(4, 12) + ".order", order) + + randomRealmTypeOtherThanFileOrNative() + "." + randomAlphaOfLengthBetween(4, 12) + ".order", order) .put("xpack.security.authc.realms." - + randomAlphaOfLengthBetween(4, 12) + "." + randomAlphaOfLengthBetween(4, 12) + ".order", order + 1) + + randomRealmTypeOtherThanFileOrNative() + "." + randomAlphaOfLengthBetween(4, 12) + ".order", order + 1) .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); @@ -456,7 +462,12 @@ private void assertCommonImplicitDisabledRealms(List deprecati assertEquals("File and/or native realms cannot be implicitly disabled in next major release.", deprecationIssues.get(0).getMessage()); assertEquals("https://www.elastic.co/guide/en/elasticsearch/reference" + - "/7.13/breaking-changes-7.13.html#implicitly-disabled-native-realms", + "/7.13/deprecated-7.13.html#implicitly-disabled-native-realms", deprecationIssues.get(0).getUrl()); } + + private String randomRealmTypeOtherThanFileOrNative() { + return randomValueOtherThanMany(t -> org.elasticsearch.common.collect.Set.of("file", "native").contains(t), + () -> randomAlphaOfLengthBetween(4, 12)); + } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java index 04394f2e7486c..1726d3318e43c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java @@ -110,6 +110,7 @@ public void testWithSettings() throws Exception { builder.put("xpack.security.authc.realms.type_" + i + ".realm_" + i + ".order", orders.get(i)); orderToIndex.put(orders.get(i), i); } + disableFileAndNativeRealms(builder); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); @@ -150,6 +151,7 @@ public void testWithSettingsWhereDifferentRealmsHaveSameOrder() throws Exception // set same order for all realms builder.put("xpack.security.authc.realms.type_" + randomizedRealmId + ".realm_" + randomizedRealmName + ".order", 1); } + disableFileAndNativeRealms(builder); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); @@ -244,6 +246,7 @@ public void testUnlicensedWithOnlyCustomRealms() throws Exception { builder.put("xpack.security.authc.realms.type_" + i + ".realm_" + i + ".order", orders.get(i)); orderToIndex.put(orders.get(i), i); } + disableFileAndNativeRealms(builder); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); @@ -330,6 +333,7 @@ public void testUnlicensedWithInternalRealms() throws Exception { .put("path.home", createTempDir()) .put("xpack.security.authc.realms.ldap.foo.order", "0") .put("xpack.security.authc.realms.type_0.custom.order", "1"); + disableFileAndNativeRealms(builder); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); 
@@ -399,6 +403,7 @@ public void testUnlicensedWithNativeRealmSettings() throws Exception { .put("path.home", createTempDir()) .put("xpack.security.authc.realms.ldap.foo.order", "0") .put("xpack.security.authc.realms." + type + ".native.order", "1"); + disableFileAndNativeRealms(builder); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); @@ -437,6 +442,7 @@ public void testUnlicensedWithNonStandardRealms() throws Exception { Settings.Builder builder = Settings.builder() .put("path.home", createTempDir()) .put("xpack.security.authc.realms." + selectedRealmType + ".foo.order", "0"); + disableFileAndNativeRealms(builder); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); @@ -490,6 +496,7 @@ public void testUnlicensedWithNonStandardRealms() throws Exception { public void testDisabledRealmsAreNotAdded() throws Exception { Settings.Builder builder = Settings.builder() .put("path.home", createTempDir()); + disableFileAndNativeRealms(builder); List orders = new ArrayList<>(randomRealmTypesCount); for (int i = 0; i < randomRealmTypesCount; i++) { orders.add(i); 
@@ -543,10 +550,11 @@ public void testDisabledRealmsAreNotAdded() throws Exception { } public void testAuthcAuthzDisabled() throws Exception { - Settings settings = Settings.builder() + Settings.Builder builder = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".realm_1.order", 0) - .build(); + .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".realm_1.order", 0); + disableFileAndNativeRealms(builder); + final Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); @@ -562,6 +570,7 @@ public void testUsageStats() throws Exception { .put("path.home", createTempDir()) .put("xpack.security.authc.realms.type_0.foo.order", "0") .put("xpack.security.authc.realms.type_0.bar.order", "1"); + disableFileAndNativeRealms(builder); Settings settings = builder.build(); Environment env = TestEnvironment.newEnvironment(settings); Realms realms = new Realms(settings, env, factories, licenseState, threadContext, reservedRealm); 
@@ -628,10 +637,11 @@ public void testInitRealmsFailsForMultipleKerberosRealms() throws IOException { public void testWarningForMissingRealmOrder() throws Exception { final int realmTypeId = randomIntBetween(0, randomRealmTypesCount - 1); final String realmName = randomAlphaOfLengthBetween(4, 12); - final Settings settings = Settings.builder() + final Settings.Builder builder = Settings.builder() .put("path.home", createTempDir()) - .put("xpack.security.authc.realms.type_" + realmTypeId + ".realm_" + realmName + ".enabled", true) - .build(); + .put("xpack.security.authc.realms.type_" + realmTypeId + ".realm_" + realmName + ".enabled", true); + disableFileAndNativeRealms(builder); + final Settings settings = builder.build(); new Realms(settings, TestEnvironment.newEnvironment(settings), factories, licenseState, threadContext, reservedRealm); assertWarnings("Found realms without order config: [xpack.security.authc.realms.type_" @@ -720,6 +730,11 @@ public void testWarningsForImplicitlyDisabledNativeRealms() throws Exception { } } + private void disableFileAndNativeRealms(Settings.Builder builder) { + builder.put("xpack.security.authc.realms.file.default_file.enabled", false) + .put("xpack.security.authc.realms.native.default_native.enabled", false); + } + static class DummyRealm extends Realm { DummyRealm(String type, RealmConfig config) { From cf73f6d1552acfe977676599a29435d381897675 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 1 Mar 2021 08:39:13 +1100 Subject: [PATCH 03/11] Address feedback --- .../xpack/deprecation/NodeDeprecationChecks.java | 4 ++-- .../xpack/deprecation/NodeDeprecationChecksTests.java | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index f0110324bafae..145fefa0c4da1 100644 
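Review bot: The new `disableFileAndNativeRealms` helper at the end of RealmsTests writes both setting keys as string literals, although this test class already refers to `FileRealmSettings.TYPE`, `FileRealmSettings.DEFAULT_NAME` and `NativeRealmSettings.DEFAULT_NAME`. Building the keys from those constants, for example `"xpack.security.authc.realms." + FileRealmSettings.TYPE + "." + FileRealmSettings.DEFAULT_NAME + ".enabled"`, keeps the helper tied to the names the production code uses. Nearly every test now calls the helper, so a one-line comment would also help, such as `// explicitly disable the basic realms so these tests do not trip the implicit-disable deprecation warning`. That reason is inferred from the rest of the patch and should be confirmed.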
--- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -137,8 +137,8 @@ static DeprecationIssue checkImplicitlyDisabledNativeRealms(final Settings setti implicitlyDisabledNativeRealmTypes.size() == 1 ? "It is" : "They are"); return new DeprecationIssue( - DeprecationIssue.Level.CRITICAL, - "File and/or native realms cannot be implicitly disabled in next major release.", + DeprecationIssue.Level.WARNING, + "File and/or native realms are enabled by default in next major release.", "https://www.elastic.co/guide/en/elasticsearch/reference/7.13/deprecated-7.13.html#implicitly-disabled-native-realms", details ); diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 3aaeaab57ddfb..e0c8ee6c6cd41 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -459,7 +459,7 @@ private List getDeprecationIssues(Settings settings, PluginsAn private void assertCommonImplicitDisabledRealms(List deprecationIssues) { assertEquals(1, deprecationIssues.size()); - assertEquals("File and/or native realms cannot be implicitly disabled in next major release.", + assertEquals("File and/or native realms are enabled by default in next major release.", deprecationIssues.get(0).getMessage()); assertEquals("https://www.elastic.co/guide/en/elasticsearch/reference" + "/7.13/deprecated-7.13.html#implicitly-disabled-native-realms", From 41a4320cbd7e48f98be62177a482629971553d13 Mon Sep 17 00:00:00 2001 
From: Yang Wang Date: Sun, 14 Mar 2021 21:11:12 +1100 Subject: [PATCH 04/11] Update x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java Co-authored-by: Tim Vernum --- .../elasticsearch/xpack/deprecation/NodeDeprecationChecks.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 145fefa0c4da1..1078c5310132b 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -115,7 +115,7 @@ static DeprecationIssue checkImplicitlyDisabledNativeRealms(final Settings setti if (realmSettings.isEmpty()) { return null; } - // If all configured realms are disabled, this equals to no realm is configured. The implicitly behaviour in this case + // If all configured realms are disabled, this equals to no realm is configured. The implicit behaviour in this case // is to add file and native realms. So we are good here. if (false == realmSettings.entrySet().stream().anyMatch( e -> e.getValue().getAsBoolean(RealmSettings.ENABLED_SETTING_KEY, true))) { From 542e05af5a095c4d8c3ec8c4636d9c6b3b0752aa Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Sun, 14 Mar 2021 21:26:16 +1100 Subject: [PATCH 05/11] Address feedback about native realms wording --- .../reference/migration/migrate_7_13.asciidoc | 2 +- .../xpack/deprecation/DeprecationChecks.java | 2 +- .../deprecation/NodeDeprecationChecks.java | 20 +++++++++---------- .../NodeDeprecationChecksTests.java | 20 +++++++++---------- .../xpack/security/authc/Realms.java | 12 +++++------ .../xpack/security/authc/RealmsTests.java | 20 +++++++++---------- 6 files changed, 38 insertions(+), 38 deletions(-) 
diff --git a/docs/reference/migration/migrate_7_13.asciidoc b/docs/reference/migration/migrate_7_13.asciidoc index 8f31df1f690e4..528f90e9513c7 100644 --- a/docs/reference/migration/migrate_7_13.asciidoc +++ b/docs/reference/migration/migrate_7_13.asciidoc @@ -53,7 +53,7 @@ enable <>. [[breaking_713_security_changes]] ==== Security deprecations -[[implicitly-disabled-native-realms]] +[[implicitly-disabled-basic-realms]] Currently, if native and file realms are not configured, they are implicitly disabled if there are other explicitly configured realms. This behaviour is deprecated. In version 8.0.0, the native and file realms will always be enabled unless explicitly diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index 15d0c68b122e2..3573fa5c0e3cc 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java @@ -47,7 +47,7 @@ private DeprecationChecks() { NodeDeprecationChecks::checkProcessors, NodeDeprecationChecks::checkMissingRealmOrders, NodeDeprecationChecks::checkUniqueRealmOrders, - NodeDeprecationChecks::checkImplicitlyDisabledNativeRealms, + NodeDeprecationChecks::checkImplicitlyDisabledBasicRealms, (settings, pluginsAndModules) -> NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings), (settings, pluginsAndModules) -> NodeDeprecationChecks.checkThreadPoolListenerSize(settings), NodeDeprecationChecks::checkClusterRemoteConnectSetting, diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 1078c5310132b..9e8fa36fa3b76 100644 
--- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -110,7 +110,7 @@ static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final Pl ); } - static DeprecationIssue checkImplicitlyDisabledNativeRealms(final Settings settings, final PluginsAndModules pluginsAndModules) { + static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settings, final PluginsAndModules pluginsAndModules) { final Map realmSettings = RealmSettings.getRealmSettings(settings); if (realmSettings.isEmpty()) { return null; 
@@ -121,25 +121,25 @@ static DeprecationIssue checkImplicitlyDisabledNativeRealms(final Settings setti e -> e.getValue().getAsBoolean(RealmSettings.ENABLED_SETTING_KEY, true))) { return null; } - final List implicitlyDisabledNativeRealmTypes = + final List implicitlyDisabledBasicRealmTypes = new ArrayList<>(org.elasticsearch.common.collect.List.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE)); - realmSettings.keySet().forEach(ri -> implicitlyDisabledNativeRealmTypes.remove(ri.getType())); - if (implicitlyDisabledNativeRealmTypes.isEmpty()) { + realmSettings.keySet().forEach(ri -> implicitlyDisabledBasicRealmTypes.remove(ri.getType())); + if (implicitlyDisabledBasicRealmTypes.isEmpty()) { return null; } final String details = String.format( Locale.ROOT, - "Found implicitly disabled native %s: [%s]. %s disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled.", - implicitlyDisabledNativeRealmTypes.size() == 1 ? "realm" : "realms", - Strings.collectionToDelimitedString(implicitlyDisabledNativeRealmTypes, ","), - implicitlyDisabledNativeRealmTypes.size() == 1 ? "It is" : "They are"); + "Found implicitly disabled basic %s: [%s]. %s disabled because there are other explicitly configured realms." + + "In next major release, basic realms will always be enabled unless explicitly disabled.", + implicitlyDisabledBasicRealmTypes.size() == 1 ? "realm" : "realms", + Strings.collectionToDelimitedString(implicitlyDisabledBasicRealmTypes, ","), + implicitlyDisabledBasicRealmTypes.size() == 1 ? 
"It is" : "They are"); return new DeprecationIssue( DeprecationIssue.Level.WARNING, "File and/or native realms are enabled by default in next major release.", - "https://www.elastic.co/guide/en/elasticsearch/reference/7.13/deprecated-7.13.html#implicitly-disabled-native-realms", + "https://www.elastic.co/guide/en/elasticsearch/reference/7.13/deprecated-7.13.html#implicitly-disabled-basic-realms", details ); } diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index e0c8ee6c6cd41..c7e4398d51928 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java 
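Review bot: The `details` format string in `checkImplicitlyDisabledBasicRealms` joins `"... other explicitly configured realms."` directly to `"In next major release, ..."`, so the operator sees `realms.In next major release` with no space between the sentences. This rename commit carries the missing space over unchanged. The same text is pinned in the `deprecationLogger.deprecate` call in Realms.java and in the expected strings in NodeDeprecationChecksTests and RealmsTests. Ending the first literal with a space, `"... other explicitly configured realms. " +`, in all of those places fixes the message. The function body starts before this hunk.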
@@ -232,21 +232,21 @@ public void testCheckImplicitlyDisabledNativeRealms() { if (otherRealmConfigured && otherRealmEnabled) { if (false == fileRealmConfigured && false == nativeRealmConfigured) { assertCommonImplicitDisabledRealms(deprecationIssues); - assertEquals("Found implicitly disabled native realms: [file,native]. " + + assertEquals("Found implicitly disabled basic realms: [file,native]. " + "They are disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled.", + "In next major release, basic realms will always be enabled unless explicitly disabled.", deprecationIssues.get(0).getDetails()); } else if (false == fileRealmConfigured) { assertCommonImplicitDisabledRealms(deprecationIssues); - assertEquals("Found implicitly disabled native realm: [file]. " + + assertEquals("Found implicitly disabled basic realm: [file]. " + "It is disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled.", + "In next major release, basic realms will always be enabled unless explicitly disabled.", deprecationIssues.get(0).getDetails()); } else if (false == nativeRealmConfigured) { assertCommonImplicitDisabledRealms(deprecationIssues); - assertEquals("Found implicitly disabled native realm: [native]. " + + assertEquals("Found implicitly disabled basic realm: [native]. " + "It is disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled.", + "In next major release, basic realms will always be enabled unless explicitly disabled.", deprecationIssues.get(0).getDetails()); } else { assertTrue(deprecationIssues.isEmpty()); 
@@ -257,9 +257,9 @@ public void testCheckImplicitlyDisabledNativeRealms() { } else if (false == fileRealmConfigured) { if (nativeRealmEnabled) { assertCommonImplicitDisabledRealms(deprecationIssues); - assertEquals("Found implicitly disabled native realm: [file]. " + + assertEquals("Found implicitly disabled basic realm: [file]. " + "It is disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled.", + "In next major release, basic realms will always be enabled unless explicitly disabled.", deprecationIssues.get(0).getDetails()); } else { assertTrue(deprecationIssues.isEmpty()); @@ -267,9 +267,9 @@ public void testCheckImplicitlyDisabledNativeRealms() { } else if (false == nativeRealmConfigured) { if (fileRealmEnabled) { assertCommonImplicitDisabledRealms(deprecationIssues); - assertEquals("Found implicitly disabled native realm: [native]. " + + assertEquals("Found implicitly disabled basic realm: [native]. " + "It is disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled.", + "In next major release, basic realms will always be enabled unless explicitly disabled.", deprecationIssues.get(0).getDetails()); } else { assertTrue(deprecationIssues.isEmpty()); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index 1e51c06eec9e5..591827d1ee16e 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java 
@@ -176,7 +176,7 @@ protected List initRealms() throws Exception { Map> nameToRealmIdentifier = new HashMap<>(); Set missingOrderRealmSettingKeys = new TreeSet<>(); Map> orderToRealmOrderSettingKeys = new HashMap<>(); - List implicitlyDisabledNativeRealmTypes = new ArrayList<>( + List implicitlyDisabledBasicRealmTypes = new ArrayList<>( org.elasticsearch.common.collect.List.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE)); for (final Map.Entry entry: realmsSettings.entrySet()) { final RealmConfig.RealmIdentifier identifier = entry.getKey(); @@ -195,7 +195,7 @@ protected List initRealms() throws Exception { throw new IllegalArgumentException("unknown realm type [" + identifier.getType() + "] for realm [" + identifier + "]"); } RealmConfig config = new RealmConfig(identifier, settings, env, threadContext); - implicitlyDisabledNativeRealmTypes.remove(identifier.getType()); + implicitlyDisabledBasicRealmTypes.remove(identifier.getType()); if (config.enabled() == false) { if (logger.isDebugEnabled()) { logger.debug("realm [{}] is disabled", identifier); @@ -227,7 +227,7 @@ protected List initRealms() throws Exception { if (realms.isEmpty() == false) { Collections.sort(realms); - logDeprecationForImplicitlyDisabledNativeRealms(implicitlyDisabledNativeRealmTypes); + logDeprecationForImplicitlyDisabledNativeRealms(implicitlyDisabledBasicRealmTypes); } else { // there is no "realms" configuration, add the defaults addNativeRealms(realms); 
@@ -381,9 +381,9 @@ private void logDeprecationForImplicitlyDisabledNativeRealms(List implic if (implicitlyDisabledNativeRealmTypes.isEmpty()) { return; } - deprecationLogger.deprecate(DeprecationCategory.SECURITY, "implicitly_disabled_native_realms", - "Found implicitly disabled native {}: [{}]. {} disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled.", + deprecationLogger.deprecate(DeprecationCategory.SECURITY, "implicitly_disabled_basic_realms", + "Found implicitly disabled basic {}: [{}]. {} disabled because there are other explicitly configured realms." + + "In next major release, basic realms will always be enabled unless explicitly disabled.", implicitlyDisabledNativeRealmTypes.size() == 1 ? "realm" : "realms", Strings.collectionToDelimitedString(implicitlyDisabledNativeRealmTypes, ","), implicitlyDisabledNativeRealmTypes.size() == 1 ? "It is" : "They are" diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java index 1726d3318e43c..02b174c53290b 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java 
@@ -691,17 +691,17 @@ public void testWarningsForImplicitlyDisabledNativeRealms() throws Exception { if (otherRealmConfigured && otherRealmEnabled) { if (false == fileRealmConfigured && false == nativeRealmConfigured) { - assertWarnings("Found implicitly disabled native realms: [file,native]. " + + assertWarnings("Found implicitly disabled basic realms: [file,native]. " + "They are disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled."); + "In next major release, basic realms will always be enabled unless explicitly disabled."); } else if (false == fileRealmConfigured) { - assertWarnings("Found implicitly disabled native realm: [file]. " + + assertWarnings("Found implicitly disabled basic realm: [file]. " + "It is disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled."); + "In next major release, basic realms will always be enabled unless explicitly disabled."); } else if (false == nativeRealmConfigured) { - assertWarnings("Found implicitly disabled native realm: [native]. " + + assertWarnings("Found implicitly disabled basic realm: [native]. " + "It is disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled."); + "In next major release, basic realms will always be enabled unless explicitly disabled."); } } else { if (false == fileRealmConfigured && false == nativeRealmConfigured) { 
@@ -710,18 +710,18 @@ public void testWarningsForImplicitlyDisabledNativeRealms() throws Exception { assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); } else if (false == fileRealmConfigured) { if (nativeRealmEnabled) { - assertWarnings("Found implicitly disabled native realm: [file]. " + + assertWarnings("Found implicitly disabled basic realm: [file]. " + "It is disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled."); + "In next major release, basic realms will always be enabled unless explicitly disabled."); } else { assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); } } else if (false == nativeRealmConfigured) { if (fileRealmEnabled) { - assertWarnings("Found implicitly disabled native realm: [native]. " + + assertWarnings("Found implicitly disabled basic realm: [native]. " + "It is disabled because there are other explicitly configured realms." + - "In next major release, native realms will always be enabled unless explicitly disabled."); + "In next major release, basic realms will always be enabled unless explicitly disabled."); } else { assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); From 10b488cf8f5e442be6f716041f46ef6d13ca0f62 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Sun, 14 Mar 2021 21:31:03 +1100 Subject: [PATCH 06/11] More rename --- .../java/org/elasticsearch/xpack/security/authc/Realms.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index 591827d1ee16e..c9e13f47017b1 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java 
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java @@ -227,7 +227,7 @@ protected List initRealms() throws Exception { if (realms.isEmpty() == false) { Collections.sort(realms); - logDeprecationForImplicitlyDisabledNativeRealms(implicitlyDisabledBasicRealmTypes); + logDeprecationForImplicitlyDisabledBasicRealms(implicitlyDisabledBasicRealmTypes); } else { // there is no "realms" configuration, add the defaults addNativeRealms(realms); @@ -377,7 +377,7 @@ private void logDeprecationIfFound(Set missingOrderRealmSettingKeys, Map } } - private void logDeprecationForImplicitlyDisabledNativeRealms(List implicitlyDisabledNativeRealmTypes) { + private void logDeprecationForImplicitlyDisabledBasicRealms(List implicitlyDisabledNativeRealmTypes) { if (implicitlyDisabledNativeRealmTypes.isEmpty()) { return; } From 5bf7ceafef04ea4f94a9c342d58d2be7a4b2e649 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Sun, 14 Mar 2021 23:02:18 +1100 Subject: [PATCH 07/11] Add warning for auto-enabled basic realms due to no realm --- .../reference/migration/migrate_7_13.asciidoc | 15 +++-- .../deprecation/NodeDeprecationChecks.java | 57 ++++++++++++------- .../NodeDeprecationChecksTests.java | 28 +++++++-- .../xpack/security/authc/Realms.java | 44 +++++++++----- .../xpack/security/authc/RealmsTests.java | 26 +++++++-- 5 files changed, 121 insertions(+), 49 deletions(-) diff --git a/docs/reference/migration/migrate_7_13.asciidoc b/docs/reference/migration/migrate_7_13.asciidoc index 528f90e9513c7..c3258fd7d8886 100644 --- a/docs/reference/migration/migrate_7_13.asciidoc +++ b/docs/reference/migration/migrate_7_13.asciidoc 
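Review bot: `logDeprecationForImplicitlyDisabledBasicRealms` was renamed, but its parameter is still called `implicitlyDisabledNativeRealmTypes`, so the wording this series is removing survives in the signature and in the body below it. Renaming it to match the caller's variable, `List<String> implicitlyDisabledBasicRealmTypes`, finishes the cleanup. A short comment on the method would also help: `// warns when file/native realms are off only because other realms are configured; from 8.0 they stay on unless explicitly disabled`. The method body continues outside the hunk.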
@@ -54,7 +54,14 @@ enable <>. ==== Security deprecations [[implicitly-disabled-basic-realms]] -Currently, if native and file realms are not configured, they are implicitly disabled if there -are other explicitly configured realms. This behaviour is deprecated. -In version 8.0.0, the native and file realms will always be enabled unless explicitly -disabled. +Currently, the file and native realms have following implicit behaviours: + +* If file and native realms are not configured, they are implicitly disabled +if there are other explicitly configured realms. +* If no realm is available due to either unconfigured, explicitly disabled +or disallowed by the license, the file and native realms are always enabled +even when they are explicitly disabled. + +Both of the above behaviours are deprecated. In version 8.0.0, the file and +native realms will always be enabled unless explicitly disabled. If they are +explicitly disabled, they remain disabled at all times. diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 9e8fa36fa3b76..2e2e2ff4346f2 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -14,6 +14,7 @@ import org.elasticsearch.common.settings.Setting.Property; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.EsExecutors; +import org.elasticsearch.common.util.set.Sets; import org.elasticsearch.env.Environment; import org.elasticsearch.node.Node; import org.elasticsearch.script.ScriptService; 
@@ -26,6 +27,7 @@ import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings; import java.util.ArrayList; +import java.util.HashSet; import java.util.List; import java.util.Locale; import java.util.Map; 
@@ -115,33 +117,50 @@ static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settin if (realmSettings.isEmpty()) { return null; } - // If all configured realms are disabled, this equals to no realm is configured. The implicit behaviour in this case - // is to add file and native realms. So we are good here. - if (false == realmSettings.entrySet().stream().anyMatch( - e -> e.getValue().getAsBoolean(RealmSettings.ENABLED_SETTING_KEY, true))) { - return null; - } - final List implicitlyDisabledBasicRealmTypes = - new ArrayList<>(org.elasticsearch.common.collect.List.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE)); - realmSettings.keySet().forEach(ri -> implicitlyDisabledBasicRealmTypes.remove(ri.getType())); - if (implicitlyDisabledBasicRealmTypes.isEmpty()) { - return null; - } - final String details = String.format( - Locale.ROOT, - "Found implicitly disabled basic %s: [%s]. %s disabled because there are other explicitly configured realms." + - "In next major release, basic realms will always be enabled unless explicitly disabled.", - implicitlyDisabledBasicRealmTypes.size() == 1 ? "realm" : "realms", - Strings.collectionToDelimitedString(implicitlyDisabledBasicRealmTypes, ","), - implicitlyDisabledBasicRealmTypes.size() == 1 ? 
"It is" : "They are"); + boolean anyRealmEnabled = false; + final Set unconfiguredBasicRealms = + new HashSet<>(org.elasticsearch.common.collect.Set.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE)); + for (Map.Entry realmSetting: realmSettings.entrySet()) { + anyRealmEnabled = anyRealmEnabled || realmSetting.getValue().getAsBoolean(RealmSettings.ENABLED_SETTING_KEY, true); + unconfiguredBasicRealms.remove(realmSetting.getKey().getType()); + } + final String details; + if (false == anyRealmEnabled) { + final List explicitlyDisabledBasicRealms = + Sets.difference(org.elasticsearch.common.collect.Set.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE), + unconfiguredBasicRealms).stream().sorted().collect(Collectors.toList()); + if (explicitlyDisabledBasicRealms.isEmpty()) { + return null; + } + details = String.format( + Locale.ROOT, + "Found explicitly disabled basic %s: [%s]. But %s will be enabled because no realm is configured or enabled. " + + "In next major release, explicitly disabled basic realms will remain disabled.", + explicitlyDisabledBasicRealms.size() == 1 ? "realm" : "realms", + Strings.collectionToDelimitedString(explicitlyDisabledBasicRealms, ","), + explicitlyDisabledBasicRealms.size() == 1 ? "it" : "they" + ); + } else { + if (unconfiguredBasicRealms.isEmpty()) { + return null; + } + details = String.format( + Locale.ROOT, + "Found implicitly disabled basic %s: [%s]. %s disabled because there are other explicitly configured realms." + + "In next major release, basic realms will always be enabled unless explicitly disabled.", + unconfiguredBasicRealms.size() == 1 ? "realm" : "realms", + Strings.collectionToDelimitedString(unconfiguredBasicRealms, ","), + unconfiguredBasicRealms.size() == 1 ? 
"It is" : "They are"); + } return new DeprecationIssue( DeprecationIssue.Level.WARNING, "File and/or native realms are enabled by default in next major release.", "https://www.elastic.co/guide/en/elasticsearch/reference/7.13/deprecated-7.13.html#implicitly-disabled-basic-realms", details ); + } static DeprecationIssue checkThreadPoolListenerQueueSize(final Settings settings) { diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index c7e4398d51928..3f06d6c65b358 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -22,6 +22,8 @@ import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; +import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; +import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings; import java.util.Collection; import java.util.Collections; @@ -189,7 +191,7 @@ public void testCorrectRealmOrders() { assertTrue(deprecationIssues.isEmpty()); } - public void testCheckImplicitlyDisabledNativeRealms() { + public void testCheckImplicitlyDisabledBasicRealms() { final Settings.Builder builder = Settings.builder(); final boolean otherRealmConfigured = randomBoolean(); 
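Review bot: Both branches of the rewritten `checkImplicitlyDisabledBasicRealms` return the same summary, `"File and/or native realms are enabled by default in next major release."`. In the `false == anyRealmEnabled` branch, however, the details say the opposite: realms that are auto-enabled today will remain disabled. That is the case where an upgrade can leave a node with no enabled file or native realm, so the summary should say so, for example `"Explicitly disabled file and/or native realms remain disabled in next major release."`, chosen per branch through a `final String message`. Separately, `unconfiguredBasicRealms` is a `HashSet` joined without sorting, while the other branch sorts its list. The tests expect `[file,native]`, so `unconfiguredBasicRealms.stream().sorted().collect(Collectors.toList())` would make that order guaranteed rather than incidental.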
@@ -255,24 +257,38 @@ public void testCheckImplicitlyDisabledNativeRealms() { if (false == fileRealmConfigured && false == nativeRealmConfigured) { assertTrue(deprecationIssues.isEmpty()); } else if (false == fileRealmConfigured) { + assertCommonImplicitDisabledRealms(deprecationIssues); if (nativeRealmEnabled) { - assertCommonImplicitDisabledRealms(deprecationIssues); assertEquals("Found implicitly disabled basic realm: [file]. " + "It is disabled because there are other explicitly configured realms." + "In next major release, basic realms will always be enabled unless explicitly disabled.", deprecationIssues.get(0).getDetails()); } else { - assertTrue(deprecationIssues.isEmpty()); + assertEquals("Found explicitly disabled basic realm: [native]. " + + "But it will be enabled because no realm is configured or enabled. " + + "In next major release, explicitly disabled basic realms will remain disabled.", + deprecationIssues.get(0).getDetails()); } } else if (false == nativeRealmConfigured) { + assertCommonImplicitDisabledRealms(deprecationIssues); if (fileRealmEnabled) { - assertCommonImplicitDisabledRealms(deprecationIssues); assertEquals("Found implicitly disabled basic realm: [native]. " + "It is disabled because there are other explicitly configured realms." + "In next major release, basic realms will always be enabled unless explicitly disabled.", deprecationIssues.get(0).getDetails()); } else { - assertTrue(deprecationIssues.isEmpty()); + assertEquals("Found explicitly disabled basic realm: [file]. " + + "But it will be enabled because no realm is configured or enabled. " + + "In next major release, explicitly disabled basic realms will remain disabled.", + deprecationIssues.get(0).getDetails()); + } + } else { + if (false == fileRealmEnabled && false == nativeRealmEnabled) { + assertCommonImplicitDisabledRealms(deprecationIssues); + assertEquals("Found explicitly disabled basic realms: [file,native]. 
" + + "But they will be enabled because no realm is configured or enabled. " + + "In next major release, explicitly disabled basic realms will remain disabled.", + deprecationIssues.get(0).getDetails()); } } } @@ -462,7 +478,7 @@ private void assertCommonImplicitDisabledRealms(List deprecati assertEquals("File and/or native realms are enabled by default in next major release.", deprecationIssues.get(0).getMessage()); assertEquals("https://www.elastic.co/guide/en/elasticsearch/reference" + - "/7.13/deprecated-7.13.html#implicitly-disabled-native-realms", + "/7.13/deprecated-7.13.html#implicitly-disabled-basic-realms", deprecationIssues.get(0).getUrl()); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index c9e13f47017b1..e702bb4fe8346 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java @@ -16,6 +16,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.CountDown; import org.elasticsearch.common.util.concurrent.ThreadContext; +import org.elasticsearch.common.util.set.Sets; import org.elasticsearch.env.Environment; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState.Feature; 
@@ -176,8 +177,8 @@ protected List initRealms() throws Exception { Map> nameToRealmIdentifier = new HashMap<>(); Set missingOrderRealmSettingKeys = new TreeSet<>(); Map> orderToRealmOrderSettingKeys = new HashMap<>(); - List implicitlyDisabledBasicRealmTypes = new ArrayList<>( - org.elasticsearch.common.collect.List.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE)); + Set unconfiguredBasicRealms = new HashSet<>( + org.elasticsearch.common.collect.Set.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE)); for (final Map.Entry entry: realmsSettings.entrySet()) { final RealmConfig.RealmIdentifier identifier = entry.getKey(); if (false == entry.getValue().hasValue(RealmSettings.ORDER_SETTING_KEY)) { @@ -195,7 +196,7 @@ protected List initRealms() throws Exception { throw new IllegalArgumentException("unknown realm type [" + identifier.getType() + "] for realm [" + identifier + "]"); } RealmConfig config = new RealmConfig(identifier, settings, env, threadContext); - implicitlyDisabledBasicRealmTypes.remove(identifier.getType()); + unconfiguredBasicRealms.remove(identifier.getType()); if (config.enabled() == false) { if (logger.isDebugEnabled()) { logger.debug("realm [{}] is disabled", identifier); @@ -225,9 +226,9 @@ protected List initRealms() throws Exception { realms.add(realm); } + logDeprecationForImplicitlyDisabledBasicRealms(realms, unconfiguredBasicRealms); if (realms.isEmpty() == false) { Collections.sort(realms); - logDeprecationForImplicitlyDisabledBasicRealms(implicitlyDisabledBasicRealmTypes); } else { // there is no "realms" configuration, add the defaults addNativeRealms(realms); 
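Review bot: The call `logDeprecationForImplicitlyDisabledBasicRealms(realms, unconfiguredBasicRealms)` added in the `@@ -225,9 +226,9 @@` hunk only works if it runs before `addNativeRealms(realms)`, and nothing at the call site says so. The callee reads an empty `realms` as "no configured realm is enabled", which holds only while the default file and native realms have not been appended. If the call were moved into or below the `else` branch, the warning about explicitly disabled realms that end up active would no longer be logged. A comment above the call would pin the ordering, e.g. `// keep before addNativeRealms(): an empty list here means no configured realm is enabled`. The context comment `// there is no "realms" configuration, add the defaults` also understates the branch, which is reached when every configured realm is disabled as well; initRealms starts and ends outside the hunk.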
@@ -377,16 +378,31 @@ private void logDeprecationIfFound(Set missingOrderRealmSettingKeys, Map } } - private void logDeprecationForImplicitlyDisabledBasicRealms(List implicitlyDisabledNativeRealmTypes) { - if (implicitlyDisabledNativeRealmTypes.isEmpty()) { - return; + private void logDeprecationForImplicitlyDisabledBasicRealms(List realms, Set unconfiguredBasicRealms) { + if (realms.isEmpty()) { // No available realm + final List explicitlyDisabledBasicRealms = + Sets.difference(org.elasticsearch.common.collect.Set.of(FileRealmSettings.TYPE, NativeRealmSettings.TYPE), + unconfiguredBasicRealms).stream().sorted().collect(Collectors.toList()); + if (explicitlyDisabledBasicRealms.isEmpty()) { + return; + } + deprecationLogger.deprecate(DeprecationCategory.SECURITY, "implicitly_disabled_basic_realms", + "Found explicitly disabled basic {}: [{}]. But {} will be enabled because no realm is configured or enabled. " + + "In next major release, explicitly disabled basic realms will remain disabled.", + explicitlyDisabledBasicRealms.size() == 1 ? "realm" : "realms", + Strings.collectionToDelimitedString(explicitlyDisabledBasicRealms, ","), + explicitlyDisabledBasicRealms.size() == 1 ? "it" : "they"); + } else { // There are configured and enabled realms + if (unconfiguredBasicRealms.isEmpty()) { + return; + } + deprecationLogger.deprecate(DeprecationCategory.SECURITY, "implicitly_disabled_basic_realms", + "Found implicitly disabled basic {}: [{}]. {} disabled because there are other explicitly configured realms. " + + "In next major release, basic realms will always be enabled unless explicitly disabled.", + unconfiguredBasicRealms.size() == 1 ? "realm" : "realms", + Strings.collectionToDelimitedString(unconfiguredBasicRealms, ","), + unconfiguredBasicRealms.size() == 1 ? "It is" : "They are" + ); } - deprecationLogger.deprecate(DeprecationCategory.SECURITY, "implicitly_disabled_basic_realms", - "Found implicitly disabled basic {}: [{}]. 
{} disabled because there are other explicitly configured realms." + - "In next major release, basic realms will always be enabled unless explicitly disabled.", - implicitlyDisabledNativeRealmTypes.size() == 1 ? "realm" : "realms", - Strings.collectionToDelimitedString(implicitlyDisabledNativeRealmTypes, ","), - implicitlyDisabledNativeRealmTypes.size() == 1 ? "It is" : "They are" - ); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java index 02b174c53290b..1b3f32191fd86 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java @@ -649,7 +649,7 @@ public void testWarningForMissingRealmOrder() throws Exception { + "In next major release, node will fail to start with missing realm order."); } - public void testWarningsForImplicitlyDisabledNativeRealms() throws Exception { + public void testWarningsForImplicitlyDisabledBasicRealms() throws Exception { final Settings.Builder builder = Settings.builder() .put("path.home", createTempDir()); final boolean otherRealmConfigured = randomBoolean(); 
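Review bot: Both branches of the new `logDeprecationForImplicitlyDisabledBasicRealms` log under the key `"implicitly_disabled_basic_realms"`, although the first branch reports the opposite condition: file or native realms that were explicitly disabled and are enabled anyway because no other realm is available. That is the case an operator most needs to notice, because an authentication realm they switched off is still active. It would be easier to alert on with its own key, e.g. `deprecationLogger.deprecate(DeprecationCategory.SECURITY, "explicitly_disabled_basic_realms",`, assuming log consumers filter or de-duplicate on the key. A short Javadoc on the method should state what an empty `realms` means and that the method has to run before the default realms are added. The message text is also duplicated from the node deprecation check and the copies already differ: this one has `realms. ` with a trailing space, while the NodeDeprecationChecksTests expectations in this patch still have `realms.` followed directly by `In next major release`.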
@@ -692,15 +692,15 @@ public void testWarningsForImplicitlyDisabledNativeRealms() throws Exception { if (otherRealmConfigured && otherRealmEnabled) { if (false == fileRealmConfigured && false == nativeRealmConfigured) { assertWarnings("Found implicitly disabled basic realms: [file,native]. " + - "They are disabled because there are other explicitly configured realms." + + "They are disabled because there are other explicitly configured realms. " + "In next major release, basic realms will always be enabled unless explicitly disabled."); } else if (false == fileRealmConfigured) { assertWarnings("Found implicitly disabled basic realm: [file]. " + - "It is disabled because there are other explicitly configured realms." + + "It is disabled because there are other explicitly configured realms. " + "In next major release, basic realms will always be enabled unless explicitly disabled."); } else if (false == nativeRealmConfigured) { assertWarnings("Found implicitly disabled basic realm: [native]. " + - "It is disabled because there are other explicitly configured realms." + + "It is disabled because there are other explicitly configured realms. " + "In next major release, basic realms will always be enabled unless explicitly disabled."); } } else { 
@@ -711,18 +711,32 @@ public void testWarningsForImplicitlyDisabledNativeRealms() throws Exception { } else if (false == fileRealmConfigured) { if (nativeRealmEnabled) { assertWarnings("Found implicitly disabled basic realm: [file]. " + - "It is disabled because there are other explicitly configured realms." + + "It is disabled because there are other explicitly configured realms. " + "In next major release, basic realms will always be enabled unless explicitly disabled."); } else { + assertWarnings("Found explicitly disabled basic realm: [native]. " + + "But it will be enabled because no realm is configured or enabled. " + + "In next major release, explicitly disabled basic realms will remain disabled."); assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); } } else if (false == nativeRealmConfigured) { if (fileRealmEnabled) { assertWarnings("Found implicitly disabled basic realm: [native]. " + - "It is disabled because there are other explicitly configured realms." + + "It is disabled because there are other explicitly configured realms. " + "In next major release, basic realms will always be enabled unless explicitly disabled."); } else { + assertWarnings("Found explicitly disabled basic realm: [file]. " + + "But it will be enabled because no realm is configured or enabled. " + + "In next major release, explicitly disabled basic realms will remain disabled."); + assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); + assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); + } + } else { + if (false == fileRealmEnabled && false == nativeRealmEnabled) { + assertWarnings("Found explicitly disabled basic realms: [file,native]. " + + "But they will be enabled because no realm is configured or enabled. 
" + + "In next major release, explicitly disabled basic realms will remain disabled."); assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); } From 42e5b909d7e613c9337816878da5b5fa8c76e5fb Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Sun, 14 Mar 2021 23:12:45 +1100 Subject: [PATCH 08/11] checkstyle --- .../elasticsearch/xpack/deprecation/NodeDeprecationChecks.java | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 2e2e2ff4346f2..aef11cbf3d26a 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -26,7 +26,6 @@ import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings; -import java.util.ArrayList; import java.util.HashSet; import java.util.List; import java.util.Locale; From 864e979fb5e7779699bbae366264c40da4323e65 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Sun, 14 Mar 2021 23:22:27 +1100 Subject: [PATCH 09/11] more checkstyle --- .../xpack/deprecation/NodeDeprecationChecksTests.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 3f06d6c65b358..867bc005cffdf 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java 
@@ -22,8 +22,6 @@ import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; -import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; -import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings; import java.util.Collection; import java.util.Collections; From f1bb799bb8262cc8ff8761101f0ca7b59f5fce99 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 15 Mar 2021 15:51:17 +1100 Subject: [PATCH 10/11] Update x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java Co-authored-by: Tim Vernum --- .../elasticsearch/xpack/deprecation/NodeDeprecationChecks.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index aef11cbf3d26a..d9b67209946f5 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -135,7 +135,7 @@ static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settin } details = String.format( Locale.ROOT, - "Found explicitly disabled basic %s: [%s]. But %s will be enabled because no realm is configured or enabled. " + + "Found explicitly disabled basic %s: [%s]. But %s will be enabled because no other realms are configured or enabled. " + "In next major release, explicitly disabled basic realms will remain disabled.", explicitlyDisabledBasicRealms.size() == 1 ? "realm" : "realms", Strings.collectionToDelimitedString(explicitlyDisabledBasicRealms, ","), From 3a3c261b3e87478409f73e698055c5bb4e96d3dd Mon Sep 17 00:00:00 2001 
From: Yang Wang Date: Mon, 15 Mar 2021 15:54:48 +1100 Subject: [PATCH 11/11] final tweak --- .../xpack/deprecation/NodeDeprecationChecksTests.java | 6 +++--- .../java/org/elasticsearch/xpack/security/authc/Realms.java | 2 +- .../org/elasticsearch/xpack/security/authc/RealmsTests.java | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 867bc005cffdf..f447111eaa6a3 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -263,7 +263,7 @@ public void testCheckImplicitlyDisabledBasicRealms() { deprecationIssues.get(0).getDetails()); } else { assertEquals("Found explicitly disabled basic realm: [native]. " + - "But it will be enabled because no realm is configured or enabled. " + + "But it will be enabled because no other realms are configured or enabled. " + "In next major release, explicitly disabled basic realms will remain disabled.", deprecationIssues.get(0).getDetails()); } @@ -276,7 +276,7 @@ public void testCheckImplicitlyDisabledBasicRealms() { deprecationIssues.get(0).getDetails()); } else { assertEquals("Found explicitly disabled basic realm: [file]. " + - "But it will be enabled because no realm is configured or enabled. " + + "But it will be enabled because no other realms are configured or enabled. " + "In next major release, explicitly disabled basic realms will remain disabled.", deprecationIssues.get(0).getDetails()); } 
@@ -284,7 +284,7 @@ public void testCheckImplicitlyDisabledBasicRealms() { if (false == fileRealmEnabled && false == nativeRealmEnabled) { assertCommonImplicitDisabledRealms(deprecationIssues); assertEquals("Found explicitly disabled basic realms: [file,native]. " + - "But they will be enabled because no realm is configured or enabled. " + + "But they will be enabled because no other realms are configured or enabled. " + "In next major release, explicitly disabled basic realms will remain disabled.", deprecationIssues.get(0).getDetails()); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java index e702bb4fe8346..88a66ddecec09 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/Realms.java @@ -387,7 +387,7 @@ private void logDeprecationForImplicitlyDisabledBasicRealms(List realms, return; } deprecationLogger.deprecate(DeprecationCategory.SECURITY, "implicitly_disabled_basic_realms", - "Found explicitly disabled basic {}: [{}]. But {} will be enabled because no realm is configured or enabled. " + + "Found explicitly disabled basic {}: [{}]. But {} will be enabled because no other realms are configured or enabled. " + "In next major release, explicitly disabled basic realms will remain disabled.", explicitlyDisabledBasicRealms.size() == 1 ? "realm" : "realms", Strings.collectionToDelimitedString(explicitlyDisabledBasicRealms, ","), diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java index 1b3f32191fd86..09b82bca60943 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java 
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/RealmsTests.java @@ -715,7 +715,7 @@ public void testWarningsForImplicitlyDisabledBasicRealms() throws Exception { "In next major release, basic realms will always be enabled unless explicitly disabled."); } else { assertWarnings("Found explicitly disabled basic realm: [native]. " + - "But it will be enabled because no realm is configured or enabled. " + + "But it will be enabled because no other realms are configured or enabled. " + "In next major release, explicitly disabled basic realms will remain disabled."); assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); @@ -727,7 +727,7 @@ public void testWarningsForImplicitlyDisabledBasicRealms() throws Exception { "In next major release, basic realms will always be enabled unless explicitly disabled."); } else { assertWarnings("Found explicitly disabled basic realm: [file]. " + - "But it will be enabled because no realm is configured or enabled. " + + "But it will be enabled because no other realms are configured or enabled. " + "In next major release, explicitly disabled basic realms will remain disabled."); assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME)); @@ -735,7 +735,7 @@ public void testWarningsForImplicitlyDisabledBasicRealms() throws Exception { } else { if (false == fileRealmEnabled && false == nativeRealmEnabled) { assertWarnings("Found explicitly disabled basic realms: [file,native]. " + - "But they will be enabled because no realm is configured or enabled. " + + "But they will be enabled because no other realms are configured or enabled. " + "In next major release, explicitly disabled basic realms will remain disabled."); assertNotNull(realms.realm(FileRealmSettings.DEFAULT_NAME)); assertNotNull(realms.realm(NativeRealmSettings.DEFAULT_NAME));