Deprecate security implicitly disabled on trial/basic (elastic#72339)
This change deprecates the behavior where security features are
disabled implicitly when the license is basic or trial and the
xpack.security.enabled setting is not explicitly set. The
recommendation is to be explicit in the configuration and either
enable or disable security in elasticsearch.yml.
jkakavas authored Jul 15, 2021
1 parent a6aa2ef commit d841e79
Showing 7 changed files with 258 additions and 90 deletions.
13 changes: 13 additions & 0 deletions docs/reference/migration/migrate_7_14.asciidoc
Expand Up @@ -117,6 +117,19 @@ Discontinue use of the `type` parameter in `geo_bounding_box` queries.
[[breaking_714_security_changes]]
==== Security deprecations

[discrete]
[[implicitly-disabled-security]]
.The default behavior of disabling security on basic and trial licenses is deprecated
[%collapsible]
====
*Details* +
Currently, security features are disabled when operating on a basic or trial
license when `xpack.security.enabled` has not been explicitly set to `true`.
This behavior is now deprecated. In version 8.0.0, security features will be
enabled by default for all licenses, unless explicitly disabled (by setting
`xpack.security.enabled` to `false`).
====

[[reserved-prefixed-realm-names]]
.Configuring a realm name with a leading underscore is deprecated.
[%collapsible]
Expand Up @@ -10,8 +10,8 @@
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.TriFunction;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.XPackSettings;

import java.util.Arrays;
Expand Down Expand Up @@ -41,14 +41,15 @@ private DeprecationChecks() {
ClusterDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting
));

static final List<TriFunction<Settings, PluginsAndModules, ClusterState, DeprecationIssue>> NODE_SETTINGS_CHECKS;
static final List<NodeDeprecationCheck<Settings, PluginsAndModules, ClusterState, XPackLicenseState, DeprecationIssue>>
NODE_SETTINGS_CHECKS;

static {
final Stream<TriFunction<Settings, PluginsAndModules, ClusterState, DeprecationIssue>> legacyRoleSettings =
DiscoveryNode.getPossibleRoles()
.stream()
final Stream<NodeDeprecationCheck<Settings, PluginsAndModules, ClusterState, XPackLicenseState, DeprecationIssue>>
legacyRoleSettings =
DiscoveryNode.getPossibleRoles().stream()
.filter(r -> r.legacySetting() != null)
.map(r -> (s, p, cs) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p));
.map(r -> (s, p, t, c) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p));
NODE_SETTINGS_CHECKS = Stream.concat(
legacyRoleSettings,
Stream.of(
Expand All @@ -59,36 +60,40 @@ private DeprecationChecks() {
NodeDeprecationChecks::checkUniqueRealmOrders,
NodeDeprecationChecks::checkImplicitlyDisabledBasicRealms,
NodeDeprecationChecks::checkReservedPrefixedRealmNames,
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkThreadPoolListenerSize(settings),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkThreadPoolListenerSize(settings),
NodeDeprecationChecks::checkClusterRemoteConnectSetting,
NodeDeprecationChecks::checkNodeLocalStorageSetting,
NodeDeprecationChecks::checkGeneralScriptSizeSetting,
NodeDeprecationChecks::checkGeneralScriptExpireSetting,
NodeDeprecationChecks::checkGeneralScriptCompileSettings,
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.ENRICH_ENABLED_SETTING),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.FLATTENED_ENABLED),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.INDEX_LIFECYCLE_ENABLED),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.MONITORING_ENABLED),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.ROLLUP_ENABLED),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.SNAPSHOT_LIFECYCLE_ENABLED),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.SQL_ENABLED),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.TRANSFORM_ENABLED),
(settings, pluginsAndModules, cs) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.VECTORS_ENABLED),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.ENRICH_ENABLED_SETTING),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.FLATTENED_ENABLED),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.INDEX_LIFECYCLE_ENABLED),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.MONITORING_ENABLED),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.ROLLUP_ENABLED),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings,
XPackSettings.SNAPSHOT_LIFECYCLE_ENABLED),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.SQL_ENABLED),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.TRANSFORM_ENABLED),
(settings, pluginsAndModules, clusterState, licenseState) ->
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.VECTORS_ENABLED),
NodeDeprecationChecks::checkMultipleDataPaths,
NodeDeprecationChecks::checkDataPathsList,
NodeDeprecationChecks::checkBootstrapSystemCallFilterSetting,
NodeDeprecationChecks::checkSharedDataPathSetting,
NodeDeprecationChecks::checkSingleDataNodeWatermarkSetting,
NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial,
NodeDeprecationChecks::checkMonitoringExporterPassword,
NodeDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting
)
Expand All @@ -114,11 +119,15 @@ private DeprecationChecks() {
*
* @param checks The functional checks to execute using the mapper function
* @param mapper The function that executes the lambda check with the appropriate arguments
* @param <T> The signature of the check (BiFunction, Function, including the appropriate arguments)
* @param <T> The signature of the check (TriFunction, BiFunction, Function, including the appropriate arguments)
* @return The list of {@link DeprecationIssue} that were found in the cluster
*/
static <T> List<DeprecationIssue> filterChecks(List<T> checks, Function<T, DeprecationIssue> mapper) {
return checks.stream().map(mapper).filter(Objects::nonNull).collect(Collectors.toList());
}

@FunctionalInterface
public interface NodeDeprecationCheck<A, B, C, D, R> {
R apply(A first, B second, C third, D fourth);
}
}
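Review bot: The new `NodeDeprecationCheck` interface at the end of the file has no Javadoc and names its parameters `first` to `fourth`, so nothing records that every registered check receives settings, plugins, cluster state and license state in that order. I would add a short comment on it, for example `/** Node-level deprecation check over (Settings, PluginsAndModules, ClusterState, XPackLicenseState); returns a DeprecationIssue, or null when nothing applies. */`, the null case being what `filterChecks` drops with `Objects::nonNull`. The legacy-role lambda uses `(s, p, t, c)` while every other lambda in the list spells out `(settings, pluginsAndModules, clusterState, licenseState)`; matching names would show which argument is the license state that `checkImplicitlyDisabledSecurityOnBasicAndTrial` presumably reads. The `@param <T>` text on `filterChecks` appears to list `TriFunction` on the new side even though the node checks no longer use it; naming `NodeDeprecationCheck` there would keep it accurate. The static initializer and the class body start and end outside the visible hunks.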