Deprecate security implicitly disabled on trial/basic

docs/reference/migration/index.asciidoc

@@ -28,6 +28,7 @@ For more information about {minor-version},
 see the <<release-highlights>> and <<es-release-notes>>.
 For information about how to upgrade your cluster, see <<setup-upgrade>>.
 
+* <<breaking-changes-7.14,Migrating to 7.14>>
 * <<breaking-changes-7.13,Migrating to 7.13>>
 * <<breaking-changes-7.12,Migrating to 7.12>>
 * <<breaking-changes-7.11,Migrating to 7.11>>
@@ -45,6 +46,7 @@ For information about how to upgrade your cluster, see <<setup-upgrade>>.
 
 --
 
+include::migrate_7_14.asciidoc[]
 include::migrate_7_13.asciidoc[]
 include::migrate_7_12.asciidoc[]
 include::migrate_7_11.asciidoc[]

docs/reference/migration/migrate_7_14.asciidoc

@@ -0,0 +1,50 @@
+[[migrating-7.14]]
+== Migrating to 7.14
+++++
+<titleabbrev>7.14</titleabbrev>
+++++
+
+This section discusses the changes that you need to be aware of when migrating
+your application to {es} 7.14.
+
+See also <<release-highlights>> and <<es-release-notes>>.
+
+// * <<breaking_714_blah_changes>>
+// * <<breaking_714_blah_changes>>
+
+//NOTE: The notable-breaking-changes tagged regions are re-used in the
+//Installation and Upgrade Guide
+
+//tag::notable-breaking-changes[]
+
+[discrete]
+[[breaking-changes-7.14]]
+=== Breaking changes
+
+The following changes in {es} 7.14 might affect your applications
+and prevent them from operating normally.
+Before upgrading to 7.14, review these changes and take the described steps
+to mitigate the impact.
+
+NOTE: Breaking changes introduced in minor versions are
+normally limited to security and bug fixes.
+Significant changes in behavior are deprecated in a minor release and
+the old behavior is supported until the next major release.
+To find out if you are using any deprecated functionality,
+enable <<deprecation-logging, deprecation logging>>.
+
+[discrete]
+[[breaking_714_security_changes]]
+==== Security deprecations
+
+[[implicitly-disabled-security]]
+.The default behavior of disabling security on basic and trial licenses is deprecated
+[%collapsible]
+====
+*Details* +
+Currently, security features are disabled when operating on a basic or trial
+license when `xpack.security.enabled` has not been explicitly set to `true`.
+This behavior is now deprecated. In version 8.0.0, security features will be
+enabled by default for all licenses, unless explicitly disabled (by setting
+`xpack.security.enabled` to `false`).
+====

x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java

@@ -11,6 +11,7 @@
 import org.elasticsearch.cluster.metadata.IndexMetadata;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.deprecation.DeprecationInfoAction;
 import org.elasticsearch.xpack.core.deprecation.DeprecationIssue;
@@ -19,7 +20,6 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
-import java.util.function.BiFunction;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -42,13 +42,14 @@ private DeprecationChecks() {
             ClusterDeprecationChecks::checkTemplatesWithMultipleTypes
         ));
 
-    static final List<BiFunction<Settings, PluginsAndModules, DeprecationIssue>> NODE_SETTINGS_CHECKS;
+    static final List<NodeDeprecationCheck<Settings, PluginsAndModules, XPackLicenseState, DeprecationIssue>> NODE_SETTINGS_CHECKS;
 
         static {
-            final Stream<BiFunction<Settings, PluginsAndModules, DeprecationIssue>> legacyRoleSettings = DiscoveryNode.getPossibleRoles()
+            final Stream<NodeDeprecationCheck<Settings, PluginsAndModules, XPackLicenseState, DeprecationIssue>> legacyRoleSettings =
+                DiscoveryNode.getPossibleRoles()
                 .stream()
                 .filter(r -> r.legacySetting() != null)
-                .map(r -> (s, p) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p));
+                .map(r -> (s, p, t) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p));
             NODE_SETTINGS_CHECKS = Stream.concat(
                 legacyRoleSettings,
                 Stream.of(
@@ -58,33 +59,34 @@ private DeprecationChecks() {
                     NodeDeprecationChecks::checkMissingRealmOrders,
                     NodeDeprecationChecks::checkUniqueRealmOrders,
                     NodeDeprecationChecks::checkImplicitlyDisabledBasicRealms,
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkThreadPoolListenerSize(settings),
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings),
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkThreadPoolListenerSize(settings),
                     NodeDeprecationChecks::checkClusterRemoteConnectSetting,
                     NodeDeprecationChecks::checkNodeLocalStorageSetting,
                     NodeDeprecationChecks::checkGeneralScriptSizeSetting,
                     NodeDeprecationChecks::checkGeneralScriptExpireSetting,
                     NodeDeprecationChecks::checkGeneralScriptCompileSettings,
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.ENRICH_ENABLED_SETTING),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.FLATTENED_ENABLED),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.INDEX_LIFECYCLE_ENABLED),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.MONITORING_ENABLED),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.ROLLUP_ENABLED),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.SNAPSHOT_LIFECYCLE_ENABLED),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.SQL_ENABLED),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.TRANSFORM_ENABLED),
-                    (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
+                    (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
                         XPackSettings.VECTORS_ENABLED),
                     NodeDeprecationChecks::checkMultipleDataPaths,
                     NodeDeprecationChecks::checkDataPathsList,
+                    NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial,
                     NodeDeprecationChecks::checkBootstrapSystemCallFilterSetting
                 )
             ).collect(Collectors.toList());
@@ -106,10 +108,15 @@ private DeprecationChecks() {
      *
      * @param checks The functional checks to execute using the mapper function
      * @param mapper The function that executes the lambda check with the appropriate arguments
-     * @param <T> The signature of the check (BiFunction, Function, including the appropriate arguments)
+     * @param <T> The signature of the check (TriFunction, BiFunction, Function, including the appropriate arguments)
      * @return The list of {@link DeprecationIssue} that were found in the cluster
      */
     static <T> List<DeprecationIssue> filterChecks(List<T> checks, Function<T, DeprecationIssue> mapper) {
         return checks.stream().map(mapper).filter(Objects::nonNull).collect(Collectors.toList());
     }
+
+    @FunctionalInterface
+    public interface NodeDeprecationCheck<F, S, T, R> {
+        R apply(F first, S second, T third);
+    }
 }

x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java

@@ -7,6 +7,7 @@
 
 package org.elasticsearch.xpack.deprecation;
 
+import org.elasticsearch.Version;
 import org.elasticsearch.action.admin.cluster.node.info.PluginsAndModules;
 import org.elasticsearch.bootstrap.JavaVersion;
 import org.elasticsearch.cluster.node.DiscoveryNode;
@@ -19,11 +20,14 @@
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.license.License;
+import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.node.NodeRoleSettings;
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.threadpool.FixedExecutorBuilder;
 import org.elasticsearch.transport.RemoteClusterService;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.deprecation.DeprecationIssue;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
@@ -41,7 +45,8 @@
 
 class NodeDeprecationChecks {
 
-    static DeprecationIssue checkPidfile(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    static DeprecationIssue checkPidfile(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                         XPackLicenseState licenseState) {
         return checkDeprecatedSetting(
             settings,
             pluginsAndModules,
@@ -50,7 +55,8 @@ static DeprecationIssue checkPidfile(final Settings settings, final PluginsAndMo
             "https://www.elastic.co/guide/en/elasticsearch/reference/7.4/breaking-changes-7.4.html#deprecate-pidfile");
     }
 
-    static DeprecationIssue checkProcessors(final Settings settings , final PluginsAndModules pluginsAndModules) {
+    static DeprecationIssue checkProcessors(final Settings settings , final PluginsAndModules pluginsAndModules,
+                                            final XPackLicenseState licenseState) {
         return checkDeprecatedSetting(
             settings,
             pluginsAndModules,
@@ -59,7 +65,8 @@ static DeprecationIssue checkProcessors(final Settings settings , final PluginsA
             "https://www.elastic.co/guide/en/elasticsearch/reference/7.4/breaking-changes-7.4.html#deprecate-processors");
     }
 
-    static DeprecationIssue checkMissingRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    static DeprecationIssue checkMissingRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                                    final XPackLicenseState licenseState) {
         final Set<String> orderNotConfiguredRealms = RealmSettings.getRealmSettings(settings).entrySet()
                 .stream()
                 .filter(e -> false == e.getValue().hasValue(RealmSettings.ORDER_SETTING_KEY))
@@ -83,7 +90,8 @@ static DeprecationIssue checkMissingRealmOrders(final Settings settings, final P
         );
     }
 
-    static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                                   final XPackLicenseState licenseState) {
         final Map<String, List<String>> orderToRealmSettings =
             RealmSettings.getRealmSettings(settings).entrySet()
                 .stream()
@@ -116,7 +124,29 @@ static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final Pl
         );
     }
 
-    static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Settings settings,
+                                                                           final PluginsAndModules pluginsAndModules,
+                                                                           final XPackLicenseState licenseState) {
+        if ( XPackSettings.SECURITY_ENABLED.exists(settings) == false
+            && (licenseState.getOperationMode().equals(License.OperationMode.BASIC)
+            || licenseState.getOperationMode().equals(License.OperationMode.TRIAL))) {
+          String details = "The default behavior of disabling security on " + licenseState.getOperationMode().description()
+              + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" "
+              + "by default, regardless of the license level."
+              + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "."
+              + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by "
+              + "setting [xpack.security.enabled] to \"false\" in elasticsearch.yml";
+            return new DeprecationIssue(
+                DeprecationIssue.Level.CRITICAL,
+                "Security is enabled by default for all licenses in the next major version.",
+                "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/migrating-7.14.html#implicitly-disabled-security",
+                details);
+        }
+        return null;
+    }
+
+    static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                                               final XPackLicenseState licenseState) {
         final Map<RealmConfig.RealmIdentifier, Settings> realmSettings = RealmSettings.getRealmSettings(settings);
         if (realmSettings.isEmpty()) {
             return null;
@@ -186,7 +216,8 @@ private static DeprecationIssue checkThreadPoolListenerSetting(final String name
             "https://www.elastic.co/guide/en/elasticsearch/reference/7.x/breaking-changes-7.7.html#deprecate-listener-thread-pool");
     }
 
-    public static DeprecationIssue checkClusterRemoteConnectSetting(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    public static DeprecationIssue checkClusterRemoteConnectSetting(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                                                    final XPackLicenseState licenseState) {
         return checkDeprecatedSetting(
             settings,
             pluginsAndModules,
@@ -200,7 +231,8 @@ public static DeprecationIssue checkClusterRemoteConnectSetting(final Settings s
         );
     }
 
-    public static DeprecationIssue checkNodeLocalStorageSetting(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    public static DeprecationIssue checkNodeLocalStorageSetting(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                                                final XPackLicenseState licenseState) {
         return checkRemovedSetting(
             settings,
             Node.NODE_LOCAL_STORAGE_SETTING,
@@ -216,7 +248,8 @@ public static DeprecationIssue checkNodeBasicLicenseFeatureEnabledSetting(final
         );
     }
 
-    public static DeprecationIssue checkGeneralScriptSizeSetting(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    public static DeprecationIssue checkGeneralScriptSizeSetting(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                                                 final XPackLicenseState licenseState) {
         return checkDeprecatedSetting(
             settings,
             pluginsAndModules,
@@ -227,7 +260,8 @@ public static DeprecationIssue checkGeneralScriptSizeSetting(final Settings sett
         );
     }
 
-    public static DeprecationIssue checkGeneralScriptExpireSetting(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    public static DeprecationIssue checkGeneralScriptExpireSetting(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                                                   final XPackLicenseState licenseState) {
         return checkDeprecatedSetting(
             settings,
             pluginsAndModules,
@@ -238,7 +272,8 @@ public static DeprecationIssue checkGeneralScriptExpireSetting(final Settings se
         );
     }
 
-    public static DeprecationIssue checkGeneralScriptCompileSettings(final Settings settings, final PluginsAndModules pluginsAndModules) {
+    public static DeprecationIssue checkGeneralScriptCompileSettings(final Settings settings, final PluginsAndModules pluginsAndModules,
+                                                                     final XPackLicenseState licenseState) {
         return checkDeprecatedSetting(
             settings,
             pluginsAndModules,
@@ -374,7 +409,7 @@ static DeprecationIssue checkRemovedSetting(final Settings settings, final Setti
         return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, message, url, details);
     }
 
-    static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModules plugins) {
+    static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModules plugins, final XPackLicenseState licenseState) {
         final JavaVersion javaVersion = JavaVersion.current();
 
         if (javaVersion.compareTo(JavaVersion.parse("11")) < 0) {
@@ -388,7 +423,8 @@ static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModule
         return null;
     }
 
-    static DeprecationIssue checkMultipleDataPaths(Settings nodeSettings, PluginsAndModules plugins) {
+    static DeprecationIssue checkMultipleDataPaths(final Settings nodeSettings, final PluginsAndModules pluginsAndModules,
+                                                   final XPackLicenseState licenseState) {
         List<String> dataPaths = Environment.PATH_DATA_SETTING.get(nodeSettings);
         if (dataPaths.size() > 1) {
             return new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
@@ -399,7 +435,8 @@ static DeprecationIssue checkMultipleDataPaths(Settings nodeSettings, PluginsAnd
         return null;
     }
 
-    static DeprecationIssue checkDataPathsList(Settings nodeSettings, PluginsAndModules plugins) {
+    static DeprecationIssue checkDataPathsList(final Settings nodeSettings, final PluginsAndModules pluginsAndModules,
+                                               final XPackLicenseState licenseState) {
         if (Environment.dataPathUsesList(nodeSettings)) {
             return new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
                 "[path.data] in a list is deprecated, use a string value",