From baf768a04956e028def6a436ee9fa7a5f97914b5 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 27 Apr 2021 23:44:09 +0300 Subject: [PATCH 01/11] Deprecate security implicitly disabled on trial/basic This change deprecates the behavior where security features are disabled implicitly when the license is basic or trial and the xpack.security.enabled setting is not explicitly set. The recommendation is to be explicit in the configuration and either enable or disable security in elasticsearch.yml. --- docs/reference/migration/index.asciidoc | 2 + .../reference/migration/migrate_7_14.asciidoc | 46 +++++++++++++ .../xpack/deprecation/DeprecationChecks.java | 41 +++++++----- .../deprecation/NodeDeprecationChecks.java | 62 ++++++++++++++---- .../TransportNodeDeprecationCheckAction.java | 7 +- .../NodeDeprecationChecksTests.java | 65 ++++++++++++------- .../support/SecurityStatusChangeListener.java | 14 ++++ .../SecurityStatusChangeListenerTests.java | 10 +++ 8 files changed, 191 insertions(+), 56 deletions(-) create mode 100644 docs/reference/migration/migrate_7_14.asciidoc diff --git a/docs/reference/migration/index.asciidoc b/docs/reference/migration/index.asciidoc index 422e22ae7eeb8..c053aa0c059a8 100644 --- a/docs/reference/migration/index.asciidoc +++ b/docs/reference/migration/index.asciidoc @@ -28,6 +28,7 @@ For more information about {minor-version}, see the <> and <>. For information about how to upgrade your cluster, see <>. +* <> * <> * <> * <> @@ -45,6 +46,7 @@ For information about how to upgrade your cluster, see <>. -- +include::migrate_7_14.asciidoc[] include::migrate_7_13.asciidoc[] include::migrate_7_12.asciidoc[] include::migrate_7_11.asciidoc[] diff --git a/docs/reference/migration/migrate_7_14.asciidoc b/docs/reference/migration/migrate_7_14.asciidoc new file mode 100644 index 0000000000000..38960ed52cf51 --- /dev/null +++ b/docs/reference/migration/migrate_7_14.asciidoc 
@@ -0,0 +1,46 @@ +[[migrating-7.14]] +== Migrating to 7.14 +++++ +7.14 +++++ + +This section discusses the changes that you need to be aware of when migrating +your application to {es} 7.14. + +See also <> and <>. + +// * <> +// * <> + +//NOTE: The notable-breaking-changes tagged regions are re-used in the +//Installation and Upgrade Guide + +//tag::notable-breaking-changes[] + +[discrete] +[[breaking-changes-7.14]] +=== Breaking changes + +The following changes in {es} 7.14 might affect your applications +and prevent them from operating normally. +Before upgrading to 7.13, review these changes and take the described steps +to mitigate the impact. + +NOTE: Breaking changes introduced in minor versions are +normally limited to security and bug fixes. +Significant changes in behavior are deprecated in a minor release and +the old behavior is supported until the next major release. +To find out if you are using any deprecated functionality, +enable <>. + +[discrete] +[[breaking_714_security_changes]] +==== Security deprecations + +[[implicitly-disabled-security]] +Currently, security features are disabled when operating on a basic or trial +license when `xpack.security.enabled` has not been explicitly set. + +This behavior is now deprecated. In version 8.0.0, security features will be +enabled by default for all licenses, unless explicitly disabled (by setting +`xpack.security.enabled: false`). diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index 3f8593b0343c3..6f0aaa97a6380 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java 
@@ -11,6 +11,7 @@ import org.elasticsearch.cluster.metadata.IndexMetadata; import org.elasticsearch.cluster.node.DiscoveryNode; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.deprecation.DeprecationInfoAction; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; @@ -19,7 +20,6 @@ import java.util.Collections; import java.util.List; import java.util.Objects; -import java.util.function.BiFunction; import java.util.function.Function; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -42,13 +42,14 @@ private DeprecationChecks() { )); - static final List> NODE_SETTINGS_CHECKS; + static final List> NODE_SETTINGS_CHECKS; static { - final Stream> legacyRoleSettings = DiscoveryNode.getPossibleRoles() + final Stream> legacyRoleSettings = + DiscoveryNode.getPossibleRoles() .stream() .filter(r -> r.legacySetting() != null) - .map(r -> (s, p) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p)); + .map(r -> (s, p, t) -> NodeDeprecationChecks.checkLegacyRoleSettings(r.legacySetting(), s, p)); NODE_SETTINGS_CHECKS = Stream.concat( legacyRoleSettings, Stream.of( 
@@ -58,33 +59,34 @@ private DeprecationChecks() { NodeDeprecationChecks::checkMissingRealmOrders, NodeDeprecationChecks::checkUniqueRealmOrders, NodeDeprecationChecks::checkImplicitlyDisabledBasicRealms, - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings), - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkThreadPoolListenerSize(settings), + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkThreadPoolListenerQueueSize(settings), + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkThreadPoolListenerSize(settings), NodeDeprecationChecks::checkClusterRemoteConnectSetting, NodeDeprecationChecks::checkNodeLocalStorageSetting, NodeDeprecationChecks::checkGeneralScriptSizeSetting, NodeDeprecationChecks::checkGeneralScriptExpireSetting, NodeDeprecationChecks::checkGeneralScriptCompileSettings, - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.ENRICH_ENABLED_SETTING), - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.FLATTENED_ENABLED), - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.INDEX_LIFECYCLE_ENABLED), - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.MONITORING_ENABLED), - (settings, pluginsAndModules) -> 
NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.ROLLUP_ENABLED), - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.SNAPSHOT_LIFECYCLE_ENABLED), - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.SQL_ENABLED), - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.TRANSFORM_ENABLED), - (settings, pluginsAndModules) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, + (settings, pluginsAndModules, state) -> NodeDeprecationChecks.checkNodeBasicLicenseFeatureEnabledSetting(settings, XPackSettings.VECTORS_ENABLED), NodeDeprecationChecks::checkMultipleDataPaths, - NodeDeprecationChecks::checkDataPathsList + NodeDeprecationChecks::checkDataPathsList, + NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial ) ).collect(Collectors.toList()); } 
@@ -105,10 +107,15 @@ private DeprecationChecks() { * * @param checks The functional checks to execute using the mapper function * @param mapper The function that executes the lambda check with the appropriate arguments - * @param The signature of the check (BiFunction, Function, including the appropriate arguments) + * @param The signature of the check (TriFunction, BiFunction, Function, including the appropriate arguments) * @return The list of {@link DeprecationIssue} that were found in the cluster */ static List filterChecks(List checks, Function mapper) { return checks.stream().map(mapper).filter(Objects::nonNull).collect(Collectors.toList()); } + + @FunctionalInterface + public interface TriFunction { + R apply(F first, S second, T third); + } } diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index f47a70b08abb2..65338e0d8363c 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -7,6 +7,7 @@ package org.elasticsearch.xpack.deprecation; +import org.elasticsearch.Version; import org.elasticsearch.action.admin.cluster.node.info.PluginsAndModules; import org.elasticsearch.bootstrap.JavaVersion; import org.elasticsearch.cluster.node.DiscoveryNode; 
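Review bot: The new `TriFunction` interface at the end of `DeprecationChecks` is declared `public` inside a package-level utility class and has no Javadoc, so nothing states what the three arguments of a node check are. A short comment such as `/** A node-level check taking the node settings, the installed plugins and modules, and the current license state. */` would document the contract that every entry in `NODE_SETTINGS_CHECKS` now has to satisfy. If the codebase already provides a three-argument functional interface (there appears to be one under `org.elasticsearch.common`), reusing it would avoid a second type with the same simple name; otherwise consider dropping `public`, since the visible callers are all in this package.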
@@ -18,11 +19,14 @@ import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.common.util.set.Sets; import org.elasticsearch.env.Environment; +import org.elasticsearch.license.License; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.node.Node; import org.elasticsearch.node.NodeRoleSettings; import org.elasticsearch.script.ScriptService; import org.elasticsearch.threadpool.FixedExecutorBuilder; import org.elasticsearch.transport.RemoteClusterService; +import org.elasticsearch.xpack.core.XPackSettings; import org.elasticsearch.xpack.core.deprecation.DeprecationIssue; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; @@ -40,7 +44,8 @@ class NodeDeprecationChecks { - static DeprecationIssue checkPidfile(final Settings settings, final PluginsAndModules pluginsAndModules) { + static DeprecationIssue checkPidfile(final Settings settings, final PluginsAndModules pluginsAndModules, + XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -49,7 +54,8 @@ static DeprecationIssue checkPidfile(final Settings settings, final PluginsAndMo "https://www.elastic.co/guide/en/elasticsearch/reference/7.4/breaking-changes-7.4.html#deprecate-pidfile"); } - static DeprecationIssue checkProcessors(final Settings settings , final PluginsAndModules pluginsAndModules) { + static DeprecationIssue checkProcessors(final Settings settings , final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, 
@@ -58,7 +64,8 @@ static DeprecationIssue checkProcessors(final Settings settings , final PluginsA "https://www.elastic.co/guide/en/elasticsearch/reference/7.4/breaking-changes-7.4.html#deprecate-processors"); } - static DeprecationIssue checkMissingRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules) { + static DeprecationIssue checkMissingRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { final Set orderNotConfiguredRealms = RealmSettings.getRealmSettings(settings).entrySet() .stream() .filter(e -> false == e.getValue().hasValue(RealmSettings.ORDER_SETTING_KEY)) @@ -82,7 +89,8 @@ static DeprecationIssue checkMissingRealmOrders(final Settings settings, final P ); } - static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules) { + static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { final Map> orderToRealmSettings = RealmSettings.getRealmSettings(settings).entrySet() .stream() 
@@ -115,7 +123,28 @@ static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final Pl ); } - static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settings, final PluginsAndModules pluginsAndModules) { + static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Settings settings, + final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { + if ( settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) == false + && (licenseState.getOperationMode().equals(License.OperationMode.BASIC) + || licenseState.getOperationMode().equals(License.OperationMode.TRIAL))) { + String details = "The behavior where the value of [xpack.security.enabled] setting is false for " + + licenseState.getOperationMode() + " licenses is deprecated and will be changed in a future version." + + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + + "setting [xpack.security.enabled] to false in elasticsearch.yml"; + return new DeprecationIssue( + DeprecationIssue.Level.WARNING, + "Security is enabled by default for all licenses in the next major version.", + "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/deprecated-7.14.html#implicitly-disabled-security", + details); + } + return null; + } + + static DeprecationIssue checkImplicitlyDisabledBasicRealms(final Settings settings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { final Map realmSettings = RealmSettings.getRealmSettings(settings); if (realmSettings.isEmpty()) { return null; 
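Review bot: The `details` string in `checkImplicitlyDisabledSecurityOnBasicAndTrial` joins `"... will be changed in a future version."` directly to `"See https://..."`, so the warning shown to operators reads `version.See`; the second literal should start with a space, `+ " See https://www.elastic.co/guide/en/elasticsearch/reference/"`. The method also calls `licenseState.getOperationMode()` three times, so reading it once (`final License.OperationMode mode = licenseState.getOperationMode();`) and comparing with `==` would keep the condition and the message in agreement if the license changes between calls. The issue URL hard-codes `7.14/deprecated-7.14.html#implicitly-disabled-security`, while the details link is built from `Version.CURRENT` and the page added in this commit is `migrate_7_14.asciidoc` with id `migrating-7.14`. The link may therefore not resolve to the new section, which is worth confirming because this is the text that tells operators their cluster is running without security.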
@@ -185,7 +214,8 @@ private static DeprecationIssue checkThreadPoolListenerSetting(final String name "https://www.elastic.co/guide/en/elasticsearch/reference/7.x/breaking-changes-7.7.html#deprecate-listener-thread-pool"); } - public static DeprecationIssue checkClusterRemoteConnectSetting(final Settings settings, final PluginsAndModules pluginsAndModules) { + public static DeprecationIssue checkClusterRemoteConnectSetting(final Settings settings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -199,7 +229,8 @@ public static DeprecationIssue checkClusterRemoteConnectSetting(final Settings s ); } - public static DeprecationIssue checkNodeLocalStorageSetting(final Settings settings, final PluginsAndModules pluginsAndModules) { + public static DeprecationIssue checkNodeLocalStorageSetting(final Settings settings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { return checkRemovedSetting( settings, Node.NODE_LOCAL_STORAGE_SETTING, @@ -215,7 +246,8 @@ public static DeprecationIssue checkNodeBasicLicenseFeatureEnabledSetting(final ); } - public static DeprecationIssue checkGeneralScriptSizeSetting(final Settings settings, final PluginsAndModules pluginsAndModules) { + public static DeprecationIssue checkGeneralScriptSizeSetting(final Settings settings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, 
@@ -226,7 +258,8 @@ public static DeprecationIssue checkGeneralScriptSizeSetting(final Settings sett ); } - public static DeprecationIssue checkGeneralScriptExpireSetting(final Settings settings, final PluginsAndModules pluginsAndModules) { + public static DeprecationIssue checkGeneralScriptExpireSetting(final Settings settings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -237,7 +270,8 @@ public static DeprecationIssue checkGeneralScriptExpireSetting(final Settings se ); } - public static DeprecationIssue checkGeneralScriptCompileSettings(final Settings settings, final PluginsAndModules pluginsAndModules) { + public static DeprecationIssue checkGeneralScriptCompileSettings(final Settings settings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { return checkDeprecatedSetting( settings, pluginsAndModules, @@ -365,7 +399,7 @@ static DeprecationIssue checkRemovedSetting(final Settings settings, final Setti return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, message, url, details); } - static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModules plugins) { + static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModules plugins, final XPackLicenseState licenseState) { final JavaVersion javaVersion = JavaVersion.current(); if (javaVersion.compareTo(JavaVersion.parse("11")) < 0) { 
@@ -379,7 +413,8 @@ static DeprecationIssue javaVersionCheck(Settings nodeSettings, PluginsAndModule return null; } - static DeprecationIssue checkMultipleDataPaths(Settings nodeSettings, PluginsAndModules plugins) { + static DeprecationIssue checkMultipleDataPaths(final Settings nodeSettings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { List dataPaths = Environment.PATH_DATA_SETTING.get(nodeSettings); if (dataPaths.size() > 1) { return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, @@ -390,7 +425,8 @@ static DeprecationIssue checkMultipleDataPaths(Settings nodeSettings, PluginsAnd return null; } - static DeprecationIssue checkDataPathsList(Settings nodeSettings, PluginsAndModules plugins) { + static DeprecationIssue checkDataPathsList(final Settings nodeSettings, final PluginsAndModules pluginsAndModules, + final XPackLicenseState licenseState) { if (Environment.dataPathUsesList(nodeSettings)) { return new DeprecationIssue(DeprecationIssue.Level.CRITICAL, "[path.data] in a list is deprecated, use a string value", diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/TransportNodeDeprecationCheckAction.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/TransportNodeDeprecationCheckAction.java index b0801e0a2c7e0..e6e19f889281e 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/TransportNodeDeprecationCheckAction.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/TransportNodeDeprecationCheckAction.java @@ -14,6 +14,7 @@ import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.io.stream.StreamInput; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.plugins.PluginsService; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.transport.TransportService; 
@@ -32,10 +33,11 @@ public class TransportNodeDeprecationCheckAction extends TransportNodesAction { private final Settings settings; + private final XPackLicenseState licenseState; private final PluginsService pluginsService; @Inject - public TransportNodeDeprecationCheckAction(Settings settings, ThreadPool threadPool, + public TransportNodeDeprecationCheckAction(Settings settings, ThreadPool threadPool, XPackLicenseState licenseState, ClusterService clusterService, TransportService transportService, PluginsService pluginsService, ActionFilters actionFilters) { super(NodesDeprecationCheckAction.NAME, threadPool, clusterService, transportService, actionFilters, @@ -45,6 +47,7 @@ public TransportNodeDeprecationCheckAction(Settings settings, ThreadPool threadP NodesDeprecationCheckAction.NodeResponse.class); this.settings = settings; this.pluginsService = pluginsService; + this.licenseState = licenseState; } @Override @@ -67,7 +70,7 @@ protected NodesDeprecationCheckAction.NodeResponse newNodeResponse(StreamInput i @Override protected NodesDeprecationCheckAction.NodeResponse nodeOperation(NodesDeprecationCheckAction.NodeRequest request) { List issues = DeprecationInfoAction.filterChecks(DeprecationChecks.NODE_SETTINGS_CHECKS, - (c) -> c.apply(settings, pluginsService.info())); + (c) -> c.apply(settings, pluginsService.info(), licenseState)); return new NodesDeprecationCheckAction.NodeResponse(transportService.getLocalNode(), issues); } diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index ae905338b0cca..d3aafe12f9a42 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java 
@@ -15,6 +15,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.env.Environment; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.node.Node; import org.elasticsearch.script.ScriptService; import org.elasticsearch.test.ESTestCase; @@ -44,7 +45,7 @@ public class NodeDeprecationChecksTests extends ESTestCase { public void testCheckDefaults() { final Settings settings = Settings.EMPTY; final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); assertThat(issues, empty()); } @@ -52,7 +53,7 @@ public void testJavaVersion() { final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); final List issues = DeprecationChecks.filterChecks( DeprecationChecks.NODE_SETTINGS_CHECKS, - c -> c.apply(Settings.EMPTY, pluginsAndModules) + c -> c.apply(Settings.EMPTY, pluginsAndModules, null) ); final DeprecationIssue expected = new DeprecationIssue( @@ -74,7 +75,7 @@ public void testCheckPidfile() { final String pidfile = randomAlphaOfLength(16); final Settings settings = Settings.builder().put(Environment.PIDFILE_SETTING.getKey(), pidfile).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [pidfile] is deprecated in favor of setting [node.pidfile]", 
@@ -88,7 +89,7 @@ public void testCheckProcessors() { final int processors = randomIntBetween(1, 4); final Settings settings = Settings.builder().put(EsExecutors.PROCESSORS_SETTING.getKey(), processors).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [processors] is deprecated in favor of setting [node.processors]", @@ -112,7 +113,7 @@ public void testCheckMissingRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); assertEquals(1, deprecationIssues.size()); assertEquals(new DeprecationIssue( @@ -135,7 +136,7 @@ public void testRealmOrderIsNotRequiredIfRealmIsDisabled() { .put("xpack.security.authc.realms." + realmIdentifier.getType() + "." + realmIdentifier.getName() + ".enabled", "false") .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); assertTrue(deprecationIssues.isEmpty()); } 
@@ -160,7 +161,7 @@ public void testCheckUniqueRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); assertEquals(1, deprecationIssues.size()); assertEquals(DeprecationIssue.Level.CRITICAL, deprecationIssues.get(0).getLevel()); @@ -186,7 +187,7 @@ public void testCorrectRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); assertTrue(deprecationIssues.isEmpty()); } @@ -229,7 +230,7 @@ public void testCheckImplicitlyDisabledBasicRealms() { } final Settings settings = builder.build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); if (otherRealmConfigured && otherRealmEnabled) { if (false == fileRealmConfigured && false == nativeRealmConfigured) { 
@@ -298,7 +299,7 @@ public void testThreadPoolListenerQueueSize() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("thread_pool.listener.queue_size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [thread_pool.listener.queue_size] is deprecated and will be removed in the next major version", @@ -312,7 +313,7 @@ public void testThreadPoolListenerSize() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("thread_pool.listener.size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [thread_pool.listener.size] is deprecated and will be removed in the next major version", @@ -326,7 +327,7 @@ public void testGeneralScriptSizeSetting() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("script.cache.max_size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.cache.max_size] is deprecated in favor of grouped setting [script.context.*.cache_max_size]", 
@@ -341,7 +342,7 @@ public void testGeneralScriptExpireSetting() { final String expire = randomIntBetween(1, 4) + "m"; final Settings settings = Settings.builder().put("script.cache.expire", expire).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.cache.expire] is deprecated in favor of grouped setting [script.context.*.cache_expire]", @@ -356,7 +357,7 @@ public void testGeneralScriptCompileSettings() { final String rate = randomIntBetween(1, 100) + "/" + randomIntBetween(1, 200) + "m"; final Settings settings = Settings.builder().put("script.max_compilations_rate", rate).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.max_compilations_rate] is deprecated in favor of grouped setting [script.context.*.max_compilations_rate]", 
@@ -371,7 +372,7 @@ public void testClusterRemoteConnectSetting() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(RemoteClusterService.ENABLE_REMOTE_CLUSTERS.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [cluster.remote.connect] is deprecated in favor of setting [node.remote_cluster_client]", @@ -391,7 +392,7 @@ public void testNodeLocalStorageSetting() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(Node.NODE_LOCAL_STORAGE_SETTING.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [node.local_storage] is deprecated and will be removed in the next major version", 
@@ -419,7 +420,8 @@ public void testDeprecatedBasicLicenseSettings() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(deprecatedSetting.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [" + deprecatedSetting.getKey() + "] is deprecated and will be removed in the next major version", @@ -441,7 +443,8 @@ public void testLegacyRoleSettings() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(legacyRoleSetting.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, null); final String roles = DiscoveryNode.getRolesFromSettings(settings) .stream() .map(DiscoveryNodeRole::roleName) @@ -486,10 +489,11 @@ private static boolean isJvmEarlierThan11() { return JavaVersion.current().compareTo(JavaVersion.parse("11")) < 0; } - private List getDeprecationIssues(Settings settings, PluginsAndModules pluginsAndModules) { + private List getDeprecationIssues(Settings settings, PluginsAndModules pluginsAndModules, + XPackLicenseState licenseState) { final List issues = DeprecationChecks.filterChecks( DeprecationChecks.NODE_SETTINGS_CHECKS, - c -> c.apply(settings, pluginsAndModules) + c -> c.apply(settings, pluginsAndModules, null) ); if (isJvmEarlierThan11()) { 
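Review bot: The helper `getDeprecationIssues` gains a `licenseState` parameter but still calls `c.apply(settings, pluginsAndModules, null)`, and `testDeprecatedBasicLicenseSettings` and `testLegacyRoleSettings` each build a `licenseState` local that is never passed on. `NODE_SETTINGS_CHECKS` now contains `checkImplicitlyDisabledSecurityOnBasicAndTrial`, which dereferences `licenseState` whenever `xpack.security.enabled` is unset, so every caller that passes `null` with such settings (for example `testCheckDefaults` with `Settings.EMPTY`) looks set to hit a `NullPointerException` rather than exercise the check. The helper should forward its argument, `c -> c.apply(settings, pluginsAndModules, licenseState)`, and the tests should pass a real `XPackLicenseState`. They can then either set `xpack.security.enabled` explicitly or account for the extra warning.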
@@ -515,7 +519,7 @@ private String randomRealmTypeOtherThanFileOrNative() { public void testMultipleDataPaths() { final Settings settings = Settings.builder().putList("path.data", Arrays.asList("d1", "d2")).build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null); + final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, null); assertThat(issue, not(nullValue())); assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL)); assertThat( @@ -531,13 +535,13 @@ public void testMultipleDataPaths() { public void testNoMultipleDataPaths() { Settings settings = Settings.builder().put("path.data", "data").build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null); + final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, null); assertThat(issue, nullValue()); } public void testDataPathsList() { final Settings settings = Settings.builder().putList("path.data", "d1").build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null); + final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, null); assertThat(issue, not(nullValue())); assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL)); assertThat( 
@@ -553,7 +557,20 @@ public void testDataPathsList() { public void testNoDataPathsListDefault() { final Settings settings = Settings.builder().build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null); + final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, null); assertThat(issue, nullValue()); } + + public void testImplicitlyDisabledSecurity() { + final DeprecationIssue issue = + NodeDeprecationChecks.checkImplicitlyDisabledSecurityOnBasicAndTrial(Settings.EMPTY, + null, + new XPackLicenseState(Settings.EMPTY, () -> 0)); + assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.WARNING)); + assertThat(issue.getMessage(), equalTo("Security is enabled by default for all licenses in the next major version.")); + assertNotNull(issue.getDetails()); + assertThat(issue.getDetails(), containsString("The behavior where the value of [xpack.security.enabled] setting is false for ")); + assertThat(issue.getUrl(), + equalTo("https://www.elastic.co/guide/en/elasticsearch/reference/7.14/deprecated-7.14.html#implicitly-disabled-security")); + } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java index da71f41bb8604..ddce6e229d080 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java 
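Review bot: The URL pinned in `testImplicitlyDisabledSecurity` points at `deprecated-7.14.html#implicitly-disabled-security`, but the `[[implicitly-disabled-security]]` anchor in this series is defined in `docs/reference/migration/migrate_7_14.asciidoc`. Confirm that a `deprecated-7.14.html` page is really generated from that file, because this link is the remediation guidance an operator follows from the deprecation API and the test would keep passing with a dead link. The test also dereferences `issue` without checking it is non-null, and depends on the default operation mode of `new XPackLicenseState(Settings.EMPTY, () -> 0)` being basic or trial. Adding `assertThat(issue, not(nullValue()));` first would make a failure easier to read.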
@@ -10,6 +10,9 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.elasticsearch.Version; +import org.elasticsearch.common.logging.DeprecationCategory; +import org.elasticsearch.common.logging.DeprecationLogger; +import org.elasticsearch.license.License; import org.elasticsearch.license.LicenseStateListener; import org.elasticsearch.license.XPackLicenseState; @@ -22,11 +25,13 @@ public class SecurityStatusChangeListener implements LicenseStateListener { private final Logger logger; + private final DeprecationLogger deprecationLogger; private final XPackLicenseState licenseState; private Boolean securityEnabled; public SecurityStatusChangeListener(XPackLicenseState licenseState) { this.logger = LogManager.getLogger(getClass()); + this.deprecationLogger = DeprecationLogger.getLogger(getClass()); this.licenseState = licenseState; this.securityEnabled = null; } 
@@ -45,6 +50,15 @@ public synchronized void licenseStateChanged() { logger.warn("Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be " + "accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security."); + if (licenseState.getOperationMode().equals(License.OperationMode.BASIC) + || licenseState.getOperationMode().equals(License.OperationMode.TRIAL)) { + deprecationLogger.deprecate(DeprecationCategory.SECURITY, "security_implicitly_disabled", + "The behavior where the value of [xpack.security.enabled] setting defaults to false for " + + licenseState.getOperationMode() + " licenses is deprecated and will be changed in a future version. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + + "setting [xpack.security.enabled] to false in elasticsearch.yml"); + } } this.securityEnabled = newState; } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java index 4dffe7b93e4cf..58c30e0aa1023 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java 
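Review bot: The new `deprecationLogger.deprecate(...)` call is guarded only by the operation mode, so as far as this hunk shows it also fires when an operator has explicitly set `xpack.security.enabled: false` on a basic or trial license. In that case the message "defaults to false" is inaccurate, and the advice to "explicitly disable security" has already been followed. A warning that cannot be silenced by doing what it asks tends to get ignored, which weakens the signal for clusters that really are running without authentication by accident. The listener holds only `licenseState`, so telling the two cases apart would mean passing the node `Settings` in and adding a condition such as `XPackSettings.SECURITY_ENABLED.exists(settings) == false` to the `if`. `licenseStateChanged()` starts and ends outside this hunk, so the surrounding condition is not visible here.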
@@ -126,4 +126,14 @@ public void testSecurityDisabledToEnabled() { logAppender.assertAllExpectationsMatched(); } + public void testWarningForImplicitlyDisabledSecurity() { + when(licenseState.isSecurityEnabled()).thenReturn(false); + when(licenseState.getOperationMode()).thenReturn(License.OperationMode.TRIAL); + listener.licenseStateChanged(); + assertWarnings("The behavior where the value of [xpack.security.enabled] setting defaults to false for TRIAL " + + "licenses is deprecated and will be changed in a future version. See " + + "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, or explicitly " + + "disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); + } + } From ad2b84ce825660c3880f02ce57099cebe1b1a636 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 28 Apr 2021 09:23:12 +0300 Subject: [PATCH 02/11] fix tests --- .../NodeDeprecationChecksTests.java | 77 +++++++++++++------ 1 file changed, 52 insertions(+), 25 deletions(-) diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index d3aafe12f9a42..d60ea0a48cc32 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java 
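Review bot: `testWarningForImplicitlyDisabledSecurity` hard-codes `reference/7.14/` in the expected warning, while the listener builds that path from `Version.CURRENT.major` and `Version.CURRENT.minor`, so the test will fail on the next version bump with no change in behaviour. Build the expected text the same way, for example `"https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html"`. Only `TRIAL` is covered; a `BASIC` case and a negative case (a paid operation mode producing no deprecation warning) would pin both sides of the new branch.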
@@ -43,17 +43,19 @@ public class NodeDeprecationChecksTests extends ESTestCase { public void testCheckDefaults() { - final Settings settings = Settings.EMPTY; + final Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertThat(issues, empty()); } public void testJavaVersion() { final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); final List issues = DeprecationChecks.filterChecks( DeprecationChecks.NODE_SETTINGS_CHECKS, - c -> c.apply(Settings.EMPTY, pluginsAndModules, null) + c -> c.apply(Settings.EMPTY, pluginsAndModules, licenseState) ); final DeprecationIssue expected = new DeprecationIssue( @@ -75,7 +77,8 @@ public void testCheckPidfile() { final String pidfile = randomAlphaOfLength(16); final Settings settings = Settings.builder().put(Environment.PIDFILE_SETTING.getKey(), pidfile).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [pidfile] is deprecated in favor of setting [node.pidfile]", 
@@ -89,7 +92,8 @@ public void testCheckProcessors() { final int processors = randomIntBetween(1, 4); final Settings settings = Settings.builder().put(EsExecutors.PROCESSORS_SETTING.getKey(), processors).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [processors] is deprecated in favor of setting [node.processors]", @@ -106,6 +110,7 @@ public void testCheckMissingRealmOrders() { new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final Settings settings = Settings.builder() + .put("xpack.security.enabled", true) .put("xpack.security.authc.realms.file.default_file.enabled", false) .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." + invalidRealm.getType() + "." + invalidRealm.getName() + ".enabled", "true") @@ -113,7 +118,8 @@ public void testCheckMissingRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertEquals(1, deprecationIssues.size()); assertEquals(new DeprecationIssue( 
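Review bot: In `testCheckMissingRealmOrders` the setting is added with the string literal `.put("xpack.security.enabled", true)`, whereas `testCheckDefaults` in this same patch uses `XPackSettings.SECURITY_ENABLED.getKey()`. Using the constant everywhere, as in `.put(XPackSettings.SECURITY_ENABLED.getKey(), true)`, keeps the tests tied to the real setting definition. The same literal is added in `testRealmOrderIsNotRequiredIfRealmIsDisabled`, `testCheckUniqueRealmOrders`, `testCorrectRealmOrders` and `testCheckImplicitlyDisabledBasicRealms`. A short comment saying that security is enabled explicitly so the implicitly-disabled-security check stays quiet would explain why an otherwise unrelated setting appears in realm tests.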
@@ -133,10 +139,13 @@ public void testRealmOrderIsNotRequiredIfRealmIsDisabled() { new RealmConfig.RealmIdentifier(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12)); final Settings settings = Settings.builder() + .put("xpack.security.enabled", true) .put("xpack.security.authc.realms." + realmIdentifier.getType() + "." + realmIdentifier.getName() + ".enabled", "false") .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = + new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertTrue(deprecationIssues.isEmpty()); } @@ -150,6 +159,7 @@ public void testCheckUniqueRealmOrders() { final RealmConfig.RealmIdentifier validRealm = new RealmConfig.RealmIdentifier(randomRealmTypeOtherThanFileOrNative(), randomAlphaOfLengthBetween(4, 12)); final Settings settings = Settings.builder() + .put("xpack.security.enabled", true) .put("xpack.security.authc.realms.file.default_file.enabled", false) .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." @@ -161,7 +171,8 @@ public void testCheckUniqueRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertEquals(1, deprecationIssues.size()); assertEquals(DeprecationIssue.Level.CRITICAL, deprecationIssues.get(0).getLevel()); 
@@ -178,6 +189,7 @@ public void testCheckUniqueRealmOrders() { public void testCorrectRealmOrders() { final int order = randomInt(9999); final Settings settings = Settings.builder() + .put("xpack.security.enabled", true) .put("xpack.security.authc.realms.file.default_file.enabled", false) .put("xpack.security.authc.realms.native.default_native.enabled", false) .put("xpack.security.authc.realms." @@ -187,14 +199,16 @@ public void testCorrectRealmOrders() { .build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = + new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertTrue(deprecationIssues.isEmpty()); } public void testCheckImplicitlyDisabledBasicRealms() { final Settings.Builder builder = Settings.builder(); - + builder.put("xpack.security.enabled", true); final boolean otherRealmConfigured = randomBoolean(); final boolean otherRealmEnabled = randomBoolean(); if (otherRealmConfigured) { @@ -230,7 +244,9 @@ public void testCheckImplicitlyDisabledBasicRealms() { } final Settings settings = builder.build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = + new XPackLicenseState(settings, () -> 0); + final List deprecationIssues = getDeprecationIssues(settings, pluginsAndModules, licenseState); if (otherRealmConfigured && otherRealmEnabled) { if (false == fileRealmConfigured && false == nativeRealmConfigured) { 
@@ -299,7 +315,8 @@ public void testThreadPoolListenerQueueSize() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("thread_pool.listener.queue_size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [thread_pool.listener.queue_size] is deprecated and will be removed in the next major version", @@ -313,7 +330,8 @@ public void testThreadPoolListenerSize() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("thread_pool.listener.size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [thread_pool.listener.size] is deprecated and will be removed in the next major version", 
@@ -327,7 +345,8 @@ public void testGeneralScriptSizeSetting() { final int size = randomIntBetween(1, 4); final Settings settings = Settings.builder().put("script.cache.max_size", size).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.cache.max_size] is deprecated in favor of grouped setting [script.context.*.cache_max_size]", @@ -342,7 +361,8 @@ public void testGeneralScriptExpireSetting() { final String expire = randomIntBetween(1, 4) + "m"; final Settings settings = Settings.builder().put("script.cache.expire", expire).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.cache.expire] is deprecated in favor of grouped setting [script.context.*.cache_expire]", 
@@ -357,7 +377,8 @@ public void testGeneralScriptCompileSettings() { final String rate = randomIntBetween(1, 100) + "/" + randomIntBetween(1, 200) + "m"; final Settings settings = Settings.builder().put("script.max_compilations_rate", rate).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [script.max_compilations_rate] is deprecated in favor of grouped setting [script.context.*.max_compilations_rate]", @@ -372,7 +393,8 @@ public void testClusterRemoteConnectSetting() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(RemoteClusterService.ENABLE_REMOTE_CLUSTERS.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [cluster.remote.connect] is deprecated in favor of setting [node.remote_cluster_client]", 
@@ -392,7 +414,8 @@ public void testNodeLocalStorageSetting() { final boolean value = randomBoolean(); final Settings settings = Settings.builder().put(Node.NODE_LOCAL_STORAGE_SETTING.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [node.local_storage] is deprecated and will be removed in the next major version", @@ -421,7 +444,7 @@ public void testDeprecatedBasicLicenseSettings() { final Settings settings = Settings.builder().put(deprecatedSetting.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final DeprecationIssue expected = new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "setting [" + deprecatedSetting.getKey() + "] is deprecated and will be removed in the next major version", 
@@ -444,7 +467,7 @@ public void testLegacyRoleSettings() { final Settings settings = Settings.builder().put(legacyRoleSetting.getKey(), value).build(); final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); - final List issues = getDeprecationIssues(settings, pluginsAndModules, null); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); final String roles = DiscoveryNode.getRolesFromSettings(settings) .stream() .map(DiscoveryNodeRole::roleName) @@ -493,7 +516,7 @@ private List getDeprecationIssues(Settings settings, PluginsAn XPackLicenseState licenseState) { final List issues = DeprecationChecks.filterChecks( DeprecationChecks.NODE_SETTINGS_CHECKS, - c -> c.apply(settings, pluginsAndModules, null) + c -> c.apply(settings, pluginsAndModules, licenseState) ); if (isJvmEarlierThan11()) { @@ -519,7 +542,8 @@ private String randomRealmTypeOtherThanFileOrNative() { public void testMultipleDataPaths() { final Settings settings = Settings.builder().putList("path.data", Arrays.asList("d1", "d2")).build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, licenseState); assertThat(issue, not(nullValue())); assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL)); assertThat( 
@@ -535,13 +559,15 @@ public void testMultipleDataPaths() { public void testNoMultipleDataPaths() { Settings settings = Settings.builder().put("path.data", "data").build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final DeprecationIssue issue = NodeDeprecationChecks.checkMultipleDataPaths(settings, null, licenseState); assertThat(issue, nullValue()); } public void testDataPathsList() { final Settings settings = Settings.builder().putList("path.data", "d1").build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, licenseState); assertThat(issue, not(nullValue())); assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL)); assertThat( @@ -557,7 +583,8 @@ public void testDataPathsList() { public void testNoDataPathsListDefault() { final Settings settings = Settings.builder().build(); - final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, null); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final DeprecationIssue issue = NodeDeprecationChecks.checkDataPathsList(settings, null, licenseState); assertThat(issue, nullValue()); } From 3238835bd59f48ea5f940e1267442f1eaad12579 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 4 May 2021 09:01:30 +0300 Subject: [PATCH 03/11] typo --- docs/reference/migration/migrate_7_14.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference/migration/migrate_7_14.asciidoc b/docs/reference/migration/migrate_7_14.asciidoc index 38960ed52cf51..de6a398e0c392 100644 --- a/docs/reference/migration/migrate_7_14.asciidoc 
+++ b/docs/reference/migration/migrate_7_14.asciidoc @@ -23,7 +23,7 @@ See also <> and <>. The following changes in {es} 7.14 might affect your applications and prevent them from operating normally. -Before upgrading to 7.13, review these changes and take the described steps +Before upgrading to 7.14, review these changes and take the described steps to mitigate the impact. NOTE: Breaking changes introduced in minor versions are @@ -39,8 +39,8 @@ enable <>. [[implicitly-disabled-security]] Currently, security features are disabled when operating on a basic or trial -license when `xpack.security.enabled` has not been explicitly set. +license when `xpack.security.enabled` has not been explicitly set to `true`. This behavior is now deprecated. In version 8.0.0, security features will be enabled by default for all licenses, unless explicitly disabled (by setting -`xpack.security.enabled: false`). +`xpack.security.enabled` to `false`). From e5e9e2a5c13c18603cb1bd895cfcdc503d1e2df2 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 4 May 2021 12:06:18 +0300 Subject: [PATCH 04/11] Address feedback --- .../xpack/deprecation/DeprecationChecks.java | 6 ++-- .../deprecation/NodeDeprecationChecks.java | 2 +- .../NodeDeprecationChecksTests.java | 35 +++++++++++++++++-- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index 6f0aaa97a6380..86dd9eea21ad3 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java 
@@ -42,10 +42,10 @@ private DeprecationChecks() { )); - static final List> NODE_SETTINGS_CHECKS; + static final List> NODE_SETTINGS_CHECKS; static { - final Stream> legacyRoleSettings = + final Stream> legacyRoleSettings = DiscoveryNode.getPossibleRoles() .stream() .filter(r -> r.legacySetting() != null) @@ -115,7 +115,7 @@ static List filterChecks(List checks, Function { + public interface NodeDeprecationCheck { R apply(F first, S second, T third); } } diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 65338e0d8363c..a5c8d051fa3e9 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -126,7 +126,7 @@ static DeprecationIssue checkUniqueRealmOrders(final Settings settings, final Pl static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Settings settings, final PluginsAndModules pluginsAndModules, final XPackLicenseState licenseState) { - if ( settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) == false + if ( XPackSettings.SECURITY_ENABLED.exists(settings) == false && (licenseState.getOperationMode().equals(License.OperationMode.BASIC) || licenseState.getOperationMode().equals(License.OperationMode.TRIAL))) { String details = "The behavior where the value of [xpack.security.enabled] setting is false for " + diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index d60ea0a48cc32..2013df3dd28bc 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java 
+++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -15,6 +15,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.env.Environment; +import org.elasticsearch.license.License; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.node.Node; import org.elasticsearch.script.ScriptService; @@ -39,15 +40,20 @@ import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.nullValue; import static org.hamcrest.Matchers.startsWith; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; public class NodeDeprecationChecksTests extends ESTestCase { public void testCheckDefaults() { - final Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build(); + final Settings settings = Settings.EMPTY; final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); final XPackLicenseState licenseState = new XPackLicenseState(settings, () -> 0); final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); - assertThat(issues, empty()); + + final DeprecationIssue issue = + NodeDeprecationChecks.checkImplicitlyDisabledSecurityOnBasicAndTrial(settings, pluginsAndModules, licenseState); + assertThat(issues, hasItem(issue)); } public void testJavaVersion() { @@ -588,7 +594,7 @@ public void testNoDataPathsListDefault() { assertThat(issue, nullValue()); } - public void testImplicitlyDisabledSecurity() { + public void testImplicitlyDisabledSecurityWarning() { final DeprecationIssue issue = NodeDeprecationChecks.checkImplicitlyDisabledSecurityOnBasicAndTrial(Settings.EMPTY, null, 
@@ -600,4 +606,27 @@ public void testImplicitlyDisabledSecurity() { assertThat(issue.getUrl(), equalTo("https://www.elastic.co/guide/en/elasticsearch/reference/7.14/deprecated-7.14.html#implicitly-disabled-security")); } + + public void testExplicitlyConfiguredSecurityOnBasicAndTrial() { + final boolean enabled = randomBoolean(); + final Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), enabled).build(); + final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); + final XPackLicenseState licenseState = mock(XPackLicenseState.class); + when(licenseState.getOperationMode()).thenReturn(randomFrom(License.OperationMode.BASIC, License.OperationMode.TRIAL)); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); + assertThat(issues, empty()); + } + + public void testImplicitlyConfiguredSecurityOnGoldPlus() { + final boolean enabled = randomBoolean(); + final Settings settings = Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), enabled).build(); + final PluginsAndModules pluginsAndModules = new PluginsAndModules(Collections.emptyList(), Collections.emptyList()); + final XPackLicenseState licenseState = mock(XPackLicenseState.class); + when(licenseState.getOperationMode()) + .thenReturn(randomValueOtherThanMany((m -> m.equals(License.OperationMode.BASIC) || m.equals(License.OperationMode.TRIAL)), + () -> randomFrom(License.OperationMode.values()))); + final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); + assertThat(issues, empty()); + } + } From 11c5dc2f043d502f8414dbfbcb15e166e9264061 Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Wed, 5 May 2021 00:47:09 +0300 Subject: [PATCH 05/11] Adust deprecation criticality and message --- .../xpack/deprecation/NodeDeprecationChecks.java | 13 +++++++------ .../deprecation/NodeDeprecationChecksTests.java | 4 ++-- .../support/SecurityStatusChangeListener.java | 11 ++++++----- .../support/SecurityStatusChangeListenerTests.java | 9 +++++---- 4 files changed, 20 insertions(+), 17 deletions(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index a5c8d051fa3e9..f37c8e88b745b 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java 
@@ -129,13 +129,14 @@ static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Set if ( XPackSettings.SECURITY_ENABLED.exists(settings) == false && (licenseState.getOperationMode().equals(License.OperationMode.BASIC) || licenseState.getOperationMode().equals(License.OperationMode.TRIAL))) { - String details = "The behavior where the value of [xpack.security.enabled] setting is false for " + - licenseState.getOperationMode() + " licenses is deprecated and will be changed in a future version." + - "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + - Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + - "setting [xpack.security.enabled] to false in elasticsearch.yml"; + String details = "The default behavior of disabling security on " + licenseState.getOperationMode().description() + + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " + + "for all licenses and enable security by default." + + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + + "setting [xpack.security.enabled] to false in elasticsearch.yml"; return new DeprecationIssue( - DeprecationIssue.Level.WARNING, + DeprecationIssue.Level.CRITICAL, "Security is enabled by default for all licenses in the next major version.", "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/deprecated-7.14.html#implicitly-disabled-security", details); diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 2013df3dd28bc..5462b861c7614 100644 
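Review bot: The rewritten `details` string runs two sentences together: `"for all licenses and enable security by default."` is concatenated directly with `"See https://..."`, so the rendered text reads `by default.See`. The same concatenation is in `SecurityStatusChangeListener.licenseStateChanged()` (hunk `-53,11 +53,12`), where the replaced literal did end with a space, and the expected string in `testWarningForImplicitlyDisabledSecurity` pins the run-together form. End the first literal with a space, `+ "for all licenses and enable security by default. "`, in both classes and in the test expectation. The enclosing method starts and ends outside this hunk.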
--- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -599,10 +599,10 @@ public void testImplicitlyDisabledSecurityWarning() { NodeDeprecationChecks.checkImplicitlyDisabledSecurityOnBasicAndTrial(Settings.EMPTY, null, new XPackLicenseState(Settings.EMPTY, () -> 0)); - assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.WARNING)); + assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL)); assertThat(issue.getMessage(), equalTo("Security is enabled by default for all licenses in the next major version.")); assertNotNull(issue.getDetails()); - assertThat(issue.getDetails(), containsString("The behavior where the value of [xpack.security.enabled] setting is false for ")); + assertThat(issue.getDetails(), containsString("The default behavior of disabling security on ")); assertThat(issue.getUrl(), equalTo("https://www.elastic.co/guide/en/elasticsearch/reference/7.14/deprecated-7.14.html#implicitly-disabled-security")); } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java index ddce6e229d080..5709c560082a3 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java 
@@ -53,11 +53,12 @@ public synchronized void licenseStateChanged() { if (licenseState.getOperationMode().equals(License.OperationMode.BASIC) || licenseState.getOperationMode().equals(License.OperationMode.TRIAL)) { deprecationLogger.deprecate(DeprecationCategory.SECURITY, "security_implicitly_disabled", - "The behavior where the value of [xpack.security.enabled] setting defaults to false for " + - licenseState.getOperationMode() + " licenses is deprecated and will be changed in a future version. " + - "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + - Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + - "setting [xpack.security.enabled] to false in elasticsearch.yml"); + "The default behavior of disabling security on " + licenseState.getOperationMode().description() + + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " + + "for all licenses and enable security by default." + + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + + "setting [xpack.security.enabled] to false in elasticsearch.yml"); } } this.securityEnabled = newState; diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java index 58c30e0aa1023..551828f378c25 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java 
@@ -130,10 +130,11 @@ public void testWarningForImplicitlyDisabledSecurity() { when(licenseState.isSecurityEnabled()).thenReturn(false); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.TRIAL); listener.licenseStateChanged(); - assertWarnings("The behavior where the value of [xpack.security.enabled] setting defaults to false for TRIAL " + - "licenses is deprecated and will be changed in a future version. See " + - "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, or explicitly " + - "disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); + assertWarnings("The default behavior of disabling security on trial" + + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " + + "for all licenses and enable security by default." + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); } } From 59b85d7937050d0d11b948ad5185577302f80a0d Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 5 May 2021 16:20:54 +0300 Subject: [PATCH 06/11] Address feedback --- docs/reference/migration/migrate_7_14.asciidoc | 6 +++++- .../xpack/deprecation/NodeDeprecationChecks.java | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/reference/migration/migrate_7_14.asciidoc b/docs/reference/migration/migrate_7_14.asciidoc index de6a398e0c392..034b6b9fe376b 100644 --- a/docs/reference/migration/migrate_7_14.asciidoc +++ b/docs/reference/migration/migrate_7_14.asciidoc 
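Review bot: The expected warning hard-codes `reference/7.14/security-minimal-setup.html`, while the listener builds that link from `Version.CURRENT.major` and `Version.CURRENT.minor`, so the assertion fails as soon as the branch version moves. Later patches on this page repeat the literal in `testSecurityEnabledToDisabled` and `testSecurityDisabledToEnabled` and then hand-edit all three to `7.15`. Compose the expected text the way the production code does, `+ "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, "`; `Version` is already used in this test file, as the context of the `-104,6` hunk shows. The test method starts outside the hunk.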
@@ -38,9 +38,13 @@ enable <>. ==== Security deprecations [[implicitly-disabled-security]] +.The default behavior of disabling security on basic and trial licenses is deprecated +[%collapsible] +==== +*Details* + Currently, security features are disabled when operating on a basic or trial license when `xpack.security.enabled` has not been explicitly set to `true`. - This behavior is now deprecated. In version 8.0.0, security features will be enabled by default for all licenses, unless explicitly disabled (by setting `xpack.security.enabled` to `false`). +==== diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index f37c8e88b745b..38ebaeebd06fa 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -134,11 +134,11 @@ static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Set + "for all licenses and enable security by default." + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " - + "setting [xpack.security.enabled] to false in elasticsearch.yml"; + + "setting [xpack.security.enabled] to "\false\" in elasticsearch.yml"; return new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "Security is enabled by default for all licenses in the next major version.", - "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/deprecated-7.14.html#implicitly-disabled-security", + "https://www.elastic.co/guide/en/elasticsearch/reference/7.14/migrating-7.14.html#implicitly-disabled-security", details); } return null; 
From aa2df0f03db3e5d27161df37153b138a3178958b Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 5 May 2021 16:24:55 +0300 Subject: [PATCH 07/11] fix string --- .../elasticsearch/xpack/deprecation/NodeDeprecationChecks.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 38ebaeebd06fa..a1d75a780ecc6 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -134,7 +134,7 @@ static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Set + "for all licenses and enable security by default." + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " - + "setting [xpack.security.enabled] to "\false\" in elasticsearch.yml"; + + "setting [xpack.security.enabled] to \"false\" in elasticsearch.yml"; return new DeprecationIssue( DeprecationIssue.Level.CRITICAL, "Security is enabled by default for all licenses in the next major version.", From b55993157c2584705482ad92869c96f1ebd5f1d7 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 5 May 2021 16:31:16 +0300 Subject: [PATCH 08/11] update text matcher --- .../xpack/deprecation/NodeDeprecationChecksTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 5462b861c7614..3c3f14865918a 100644 
--- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -604,7 +604,7 @@ public void testImplicitlyDisabledSecurityWarning() { assertNotNull(issue.getDetails()); assertThat(issue.getDetails(), containsString("The default behavior of disabling security on ")); assertThat(issue.getUrl(), - equalTo("https://www.elastic.co/guide/en/elasticsearch/reference/7.14/deprecated-7.14.html#implicitly-disabled-security")); + equalTo("https://www.elastic.co/guide/en/elasticsearch/reference/7.14/migrating-7.14.html#implicitly-disabled-security")); } public void testExplicitlyConfiguredSecurityOnBasicAndTrial() { From 50570d5a079330c9f7f798afb825fa15cd276564 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 11 May 2021 01:04:30 +0300 Subject: [PATCH 09/11] address feedback --- .../elasticsearch/xpack/deprecation/NodeDeprecationChecks.java | 2 +- .../xpack/security/support/SecurityStatusChangeListener.java | 2 +- .../security/support/SecurityStatusChangeListenerTests.java | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 3c30d54a7bfb5..ea95b8e35138d 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java 
@@ -132,7 +132,7 @@ static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Set || licenseState.getOperationMode().equals(License.OperationMode.TRIAL))) { String details = "The default behavior of disabling security on " + licenseState.getOperationMode().description() + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " - + "for all licenses and enable security by default." + + "by default, regardless of the license level." + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + "setting [xpack.security.enabled] to \"false\" in elasticsearch.yml"; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java index 5709c560082a3..1d10f6956f01b 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java 
@@ -55,7 +55,7 @@ public synchronized void licenseStateChanged() { deprecationLogger.deprecate(DeprecationCategory.SECURITY, "security_implicitly_disabled", "The default behavior of disabling security on " + licenseState.getOperationMode().description() + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " - + "for all licenses and enable security by default." + + "by default, regardless of the license level." + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + "setting [xpack.security.enabled] to false in elasticsearch.yml"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java index 551828f378c25..3636962c92f45 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java @@ -132,7 +132,7 @@ public void testWarningForImplicitlyDisabledSecurity() { listener.licenseStateChanged(); assertWarnings("The default behavior of disabling security on trial" + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " - + "for all licenses and enable security by default." + + "by default, regardless of the license level." + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); } From 9207bac74264571d82c26429d4a79ca7fcf2fa8a Mon Sep 17 00:00:00 2001 
From: Ioannis Kakavas Date: Wed, 9 Jun 2021 00:52:10 +0300 Subject: [PATCH 10/11] fix test --- .../support/SecurityStatusChangeListenerTests.java | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java index 3636962c92f45..d96fe463a2c67 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java @@ -81,6 +81,11 @@ public void testSecurityEnabledToDisabled() { "Active license is now [BASIC]; Security is disabled" )); listener.licenseStateChanged(); + assertWarnings("The default behavior of disabling security on basic" + + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " + + "by default, regardless of the license level." + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); logAppender.assertAllExpectationsMatched(); } 
@@ -104,6 +109,11 @@ public void testSecurityDisabledToEnabled() { Version.CURRENT.minor + "/security-minimal-setup.html to enable security." )); listener.licenseStateChanged(); + assertWarnings("The default behavior of disabling security on trial" + + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " + + "by default, regardless of the license level." + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); logAppender.addExpectation(new MockLogAppender.UnseenEventExpectation( From 1ea2f738d5c0ebbdac3a25573f72928b7110884c Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 15 Jul 2021 17:01:03 +0300 Subject: [PATCH 11/11] Finalize wording for deprecation message --- .../deprecation/NodeDeprecationChecks.java | 4 ++-- .../support/SecurityStatusChangeListener.java | 4 ++-- .../SecurityStatusChangeListenerTests.java | 18 +++++++++--------- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 6ec60fff0cf3a..20f112a267646 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java 
@@ -141,8 +141,8 @@ static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(final Set && (licenseState.getOperationMode().equals(License.OperationMode.BASIC) || licenseState.getOperationMode().equals(License.OperationMode.TRIAL))) { String details = "The default behavior of disabling security on " + licenseState.getOperationMode().description() - + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " - + "by default, regardless of the license level." + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + "setting [xpack.security.enabled] to \"false\" in elasticsearch.yml"; diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java index 1d10f6956f01b..a6ffd52bfeac9 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListener.java 
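Review bot: The finalized wording has a stray space before the comma: `+ "default to \"true\" , regardless of the license level. "` renders as `"true" , regardless`. The listener hunk (`-54,8 +54,8`) and the three expected strings in `SecurityStatusChangeListenerTests` carry the same text. This string is what ends up in the `DeprecationIssue` details and in the deprecation log, so write `+ "default to \"true\", regardless of the license level. "` in all five places. The enclosing method starts and ends outside this hunk.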
@@ -54,8 +54,8 @@ public synchronized void licenseStateChanged() { || licenseState.getOperationMode().equals(License.OperationMode.TRIAL)) { deprecationLogger.deprecate(DeprecationCategory.SECURITY, "security_implicitly_disabled", "The default behavior of disabling security on " + licenseState.getOperationMode().description() - + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " - + "by default, regardless of the license level." + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + "See https://www.elastic.co/guide/en/elasticsearch/reference/" + Version.CURRENT.major + "." + Version.CURRENT.minor + "/security-minimal-setup.html to enable security, or explicitly disable security by " + "setting [xpack.security.enabled] to false in elasticsearch.yml"); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java index d96fe463a2c67..f3156c91cf0c4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/SecurityStatusChangeListenerTests.java 
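Review bot: The two copies of this message no longer match: the context line here still ends `"setting [xpack.security.enabled] to false in elasticsearch.yml"`, while `NodeDeprecationChecks` has quoted the value as `\"false\"` since the "fix string" patch. The text has been edited in parallel in both classes across several patches in this series, so one copy is likely to drift again. Quote the value here too, `+ "setting [xpack.security.enabled] to \"false\" in elasticsearch.yml");`, and update the expected strings in the listener tests; building the sentence in one shared place would remove the need, if there is a class both plugins can reach (not visible from this page). `licenseStateChanged()` starts and ends outside the hunk.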
@@ -82,9 +82,9 @@ public void testSecurityEnabledToDisabled() { )); listener.licenseStateChanged(); assertWarnings("The default behavior of disabling security on basic" - + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " - + "by default, regardless of the license level." - + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.15/security-minimal-setup.html to enable security, " + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); logAppender.assertAllExpectationsMatched(); @@ -110,9 +110,9 @@ public void testSecurityDisabledToEnabled() { )); listener.licenseStateChanged(); assertWarnings("The default behavior of disabling security on trial" - + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " - + "by default, regardless of the license level." - + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.15/security-minimal-setup.html to enable security, " + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); when(licenseState.getOperationMode()).thenReturn(License.OperationMode.BASIC); 
@@ -141,9 +141,9 @@ public void testWarningForImplicitlyDisabledSecurity() { when(licenseState.getOperationMode()).thenReturn(License.OperationMode.TRIAL); listener.licenseStateChanged(); assertWarnings("The default behavior of disabling security on trial" - + " licenses is deprecated. A later version of Elasticsearch will set [xpack.security.enabled] to \"true\" " - + "by default, regardless of the license level." - + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.14/security-minimal-setup.html to enable security, " + + " licenses is deprecated. In a later version of Elasticsearch, the value of [xpack.security.enabled] will " + + "default to \"true\" , regardless of the license level. " + + "See https://www.elastic.co/guide/en/elasticsearch/reference/7.15/security-minimal-setup.html to enable security, " + "or explicitly disable security by setting [xpack.security.enabled] to false in elasticsearch.yml"); }