Adding deprecation info api checks for obsolete security settings (#7…
…6986)

This commit adds deprecation info API messages for three obsolete security settings that have been
removed: "xpack.security.authc.accept_default_password",
"xpack.security.authz.store.roles.index.cache.max_size", and "xpack.security.authz.store.roles.index.cache.ttl".
Relates #42404 #40496
masseyke authored Sep 1, 2021
1 parent 121bd05 commit 4603a29
Showing 3 changed files with 99 additions and 2 deletions.
Expand Up @@ -96,6 +96,9 @@ private DeprecationChecks() {
NodeDeprecationChecks::checkSingleDataNodeWatermarkSetting,
NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial,
NodeDeprecationChecks::checkMonitoringExporterPassword,
NodeDeprecationChecks::checkAcceptDefaultPasswordSetting,
NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting,
NodeDeprecationChecks::checkRolesCacheTTLSizeSetting,
NodeDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting
)
).collect(Collectors.toList());
Expand Up @@ -21,6 +21,7 @@
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.env.Environment;
import org.elasticsearch.jdk.JavaVersion;
import org.elasticsearch.license.License;
Expand All @@ -31,6 +32,7 @@
import org.elasticsearch.threadpool.FixedExecutorBuilder;
import org.elasticsearch.transport.RemoteClusterService;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
Expand Down Expand Up @@ -455,7 +457,13 @@ static DeprecationIssue checkRemovedSetting(final Settings settings,
return null;
}
final String removedSettingKey = removedSetting.getKey();
final String value = removedSetting.get(settings).toString();
Object removedSettingValue = removedSetting.get(settings);
String value;
if (removedSettingValue instanceof TimeValue) {
value = ((TimeValue) removedSettingValue).getStringRep();
} else {
value = removedSettingValue.toString();
}
final String message =
String.format(Locale.ROOT, "setting [%s] is deprecated and will be removed in the next major version", removedSettingKey);
final String details =
Expand Down Expand Up @@ -595,4 +603,38 @@ static DeprecationIssue checkClusterRoutingAllocationIncludeRelocationsSetting(f
DeprecationIssue.Level.CRITICAL
);
}

static DeprecationIssue checkAcceptDefaultPasswordSetting(final Settings settings,
final PluginsAndModules pluginsAndModules,
final ClusterState clusterState,
final XPackLicenseState licenseState) {
return checkRemovedSetting(settings,
Setting.boolSetting(SecurityField.setting("authc.accept_default_password"),true, Setting.Property.Deprecated),
"https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
DeprecationIssue.Level.CRITICAL
);
}

static DeprecationIssue checkAcceptRolesCacheMaxSizeSetting(final Settings settings,
final PluginsAndModules pluginsAndModules,
final ClusterState clusterState,
final XPackLicenseState licenseState) {
return checkRemovedSetting(settings,
Setting.intSetting(SecurityField.setting("authz.store.roles.index.cache.max_size"), 10000, Setting.Property.Deprecated),
"https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
DeprecationIssue.Level.CRITICAL
);
}

static DeprecationIssue checkRolesCacheTTLSizeSetting(final Settings settings,
final PluginsAndModules pluginsAndModules,
final ClusterState clusterState,
final XPackLicenseState licenseState) {
return checkRemovedSetting(settings,
Setting.timeSetting(SecurityField.setting("authz.store.roles.index.cache.ttl"), TimeValue.timeValueMinutes(20),
Setting.Property.Deprecated),
"https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
DeprecationIssue.Level.CRITICAL
);
}
}
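Review bot: The new `instanceof TimeValue` branch in `checkRemovedSetting` has no comment saying why `toString()` is not good enough, so whoever adds a removed setting of another non-string type will not know whether it needs its own branch. I would add `// TimeValue#toString() can rescale the unit; getStringRep() keeps the value in the unit it was configured with` above the `if`, assuming that is the reason, and declare `removedSettingValue` and `value` as `final` to match the surrounding locals. Separately, `checkAcceptRolesCacheMaxSizeSetting` and `checkRolesCacheTTLSizeSetting` carry what look like leftover words ("Accept", "Size") from the first check's name, and the migration URL literal is repeated in all three new methods; `checkRolesCacheMaxSizeSetting`, `checkRolesCacheTTLSetting` and one shared constant would read more clearly. `checkRemovedSetting` starts and ends outside its hunk.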
Expand Up @@ -21,9 +21,9 @@
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.core.Set;
import org.elasticsearch.env.Environment;
import org.elasticsearch.jdk.JavaVersion;
import org.elasticsearch.license.License;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.jdk.JavaVersion;
import org.elasticsearch.node.Node;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.test.ESTestCase;
Expand Down Expand Up @@ -863,4 +863,56 @@ public void testImplicitlyConfiguredSecurityOnGoldPlus() {
final List<DeprecationIssue> issues = getDeprecationIssues(settings, pluginsAndModules, licenseState);
assertThat(issues, empty());
}

private void checkSimpleSetting(String settingKey, String settingValue, String url, DeprecationChecks.NodeDeprecationCheck<Settings,
PluginsAndModules, ClusterState, XPackLicenseState, DeprecationIssue> checkFunction) {
final Settings nodeSettings =
Settings.builder().put(settingKey, settingValue).build();
final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0);
final ClusterState clusterState = ClusterState.EMPTY_STATE;
final DeprecationIssue expectedIssue = new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
String.format(Locale.ROOT,
"setting [%s] is deprecated and will be removed in the next major version",
settingKey),
url,
String.format(Locale.ROOT,
"the setting [%s] is currently set to [%s], remove this setting",
settingKey,
settingValue),
false,null
);

assertThat(
checkFunction.apply(nodeSettings, null, clusterState, licenseState),
equalTo(expectedIssue)
);

final String expectedWarning = String.format(Locale.ROOT,
"[%s] setting was deprecated in Elasticsearch and will be removed in a future release! " +
"See the breaking changes documentation for the next major version.",
settingKey);

assertWarnings(expectedWarning);
}

public void testCheckAcceptDefaultPasswordSetting() {
String settingKey = "xpack.security.authc.accept_default_password";
String settingValue = String.valueOf(randomBoolean());
String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes";
checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkAcceptDefaultPasswordSetting);
}

public void testCheckAcceptRolesCacheMaxSizeSetting() {
String settingKey = "xpack.security.authz.store.roles.index.cache.max_size";
String settingValue = String.valueOf(randomIntBetween(1, 10000));
String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes";
checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting);
}

public void testCheckRolesCacheTTLSizeSetting() {
String settingKey = "xpack.security.authz.store.roles.index.cache.ttl";
String settingValue = randomPositiveTimeValue();
String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes";
checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkRolesCacheTTLSizeSetting);
}
}
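Review bot: `checkSimpleSetting` only exercises the case where the removed setting is present, so none of the three new tests pins that these CRITICAL checks stay silent on a node that does not configure the setting. Unless that path is already covered elsewhere in the file, add an absent-setting assertion per check inside the helper, for example `assertThat(checkFunction.apply(Settings.EMPTY, null, clusterState, licenseState), nullValue());`. The import hunk at the top of this section only moves the `JavaVersion` import and looks unrelated to the change, so it could be dropped from the commit. The last hunk begins inside `testImplicitlyConfiguredSecurityOnGoldPlus`, whose start is outside the hunk.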
