Enforce license expiration (elastic#79671)

Licensed features in check the license state to determine if a feature is currently allowed. When the license expires, the feature should no longer work, falling back to any Basic licensed behavior. Historically though, some features have had lenient behavior, continuing to work indefinitely after the license has expired. This commit changes most of the existing licensed features that were lenient to enforce license expiration. The one exception is ip filtering, which will remain working.
lockewritesdocs · Oct 28, 2021 · 16f2314 · 16f2314
1 parent 15597b4
commit 16f2314
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 23 deletions.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicensedFeature.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicensedFeature.java
@@ -41,8 +41,8 @@ public boolean check(XPackLicenseState state) {
      * A Persistent feature is one that is tracked starting when the license is checked, and later may be untracked.
      */
     public static class Persistent extends LicensedFeature {
-        private Persistent(String family, String name, License.OperationMode minimumOperationMode, boolean needsActive) {
-            super(family, name, minimumOperationMode, needsActive);
+        private Persistent(String family, String name, License.OperationMode minimumOperationMode) {
+            super(family, name, minimumOperationMode, true);
         }
 
         /**
@@ -111,7 +111,7 @@ public static Momentary momentary(String family, String name, License.OperationM
 
     /** Create a persistent feature for the given license level */
     public static Persistent persistent(String family, String name, License.OperationMode licenseLevel) {
-        return new Persistent(family, name, licenseLevel, true);
+        return new Persistent(family, name, licenseLevel);
     }
 
     /**
@@ -123,15 +123,6 @@ public static Momentary momentaryLenient(String family, String name, License.Ope
         return new Momentary(family, name, licenseLevel, false);
     }
 
-    /**
-     * Creates a persistent feature, but one that is lenient as
-     * to whether the license needs to be active to allow the feature.
-     */
-    @Deprecated
-    public static Persistent persistentLenient(String family, String name, License.OperationMode licenseLevel) {
-        return new Persistent(family, name, licenseLevel, false);
-    }
-
     /**
      * Returns whether the feature is allowed by the current license
      * without affecting feature tracking.

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityField.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityField.java
@@ -23,9 +23,9 @@ public final class SecurityField {
     // Document and Field Level Security are Platinum+
     private static final String DLS_FLS_FEATURE_FAMILY  = "security-dls-fls";
     public static final LicensedFeature.Momentary DOCUMENT_LEVEL_SECURITY_FEATURE =
-        LicensedFeature.momentaryLenient(DLS_FLS_FEATURE_FAMILY, "dls", License.OperationMode.PLATINUM);
+        LicensedFeature.momentary(DLS_FLS_FEATURE_FAMILY, "dls", License.OperationMode.PLATINUM);
     public static final LicensedFeature.Momentary FIELD_LEVEL_SECURITY_FEATURE =
-        LicensedFeature.momentaryLenient(DLS_FLS_FEATURE_FAMILY, "fls", License.OperationMode.PLATINUM);
+        LicensedFeature.momentary(DLS_FLS_FEATURE_FAMILY, "fls", License.OperationMode.PLATINUM);
 
 
     private SecurityField() {

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -357,29 +357,29 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
     public static final LicensedFeature.Momentary IP_FILTERING_FEATURE =
         LicensedFeature.momentaryLenient(null, "security-ip-filtering", License.OperationMode.GOLD);
     public static final LicensedFeature.Momentary AUDITING_FEATURE =
-        LicensedFeature.momentaryLenient(null, "security-auditing", License.OperationMode.GOLD);
+        LicensedFeature.momentary(null, "security-auditing", License.OperationMode.GOLD);
     public static final LicensedFeature.Momentary TOKEN_SERVICE_FEATURE =
-        LicensedFeature.momentaryLenient(null, "security-token-service", License.OperationMode.STANDARD);
+        LicensedFeature.momentary(null, "security-token-service", License.OperationMode.STANDARD);
 
     private static final String REALMS_FEATURE_FAMILY = "security-realms";
     // Builtin realms (file/native) realms are Basic licensed, so don't need to be checked or tracked
     // Some realms (LDAP, AD, PKI) are Gold+
     public static final LicensedFeature.Persistent LDAP_REALM_FEATURE =
-        LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "ldap", License.OperationMode.GOLD);
+        LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "ldap", License.OperationMode.GOLD);
     public static final LicensedFeature.Persistent AD_REALM_FEATURE =
-        LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "active-directory", License.OperationMode.GOLD);
+        LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "active-directory", License.OperationMode.GOLD);
     public static final LicensedFeature.Persistent PKI_REALM_FEATURE =
-        LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "pki", License.OperationMode.GOLD);
+        LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "pki", License.OperationMode.GOLD);
     // SSO realms are Platinum+
     public static final LicensedFeature.Persistent SAML_REALM_FEATURE =
-        LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "saml", License.OperationMode.PLATINUM);
+        LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "saml", License.OperationMode.PLATINUM);
     public static final LicensedFeature.Persistent OIDC_REALM_FEATURE =
-        LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "oidc", License.OperationMode.PLATINUM);
+        LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "oidc", License.OperationMode.PLATINUM);
     public static final LicensedFeature.Persistent KERBEROS_REALM_FEATURE =
-        LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "kerberos", License.OperationMode.PLATINUM);
+        LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "kerberos", License.OperationMode.PLATINUM);
     // Custom realms are Platinum+
     public static final LicensedFeature.Persistent CUSTOM_REALMS_FEATURE =
-        LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "custom", License.OperationMode.PLATINUM);
+        LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "custom", License.OperationMode.PLATINUM);
 
     public static final LicensedFeature.Momentary DELEGATED_AUTHORIZATION_FEATURE =
         LicensedFeature.momentary(null, "security-delegated-authorization", License.OperationMode.PLATINUM);