-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: remove SSL settings fallback #36846
Conversation
This commit removes the fallback for SSL settings. While this may be seen as a non user friendly change, the intention behind this change is to simplify the reasoning needed to understand what is actually being used for a given SSL configuration. Each configuration now needs to be explicitly specified as there is no global configuration or fallback to some other configuration. Closes elastic#29797
Pinging @elastic/es-security |
I've added this to the list of things we should add deprecation checks for in #36024 - would you be able to either:
|
@@ -1380,23 +1276,21 @@ a PKCS#12 container includes trusted certificate ("anchor") entries look for | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we move the PKCS11 related settings to the http/transport related settings ? These feel strangely placed as is
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have them there as general information. @lcawl do you have a suggestion on where we should put this info?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I'm understanding correctly, that PKCS#11 already appears under the appropriate HTTP and Transport sections. So unless there are other contexts where there would be PKCS#11 settings, I think it can be removed from the "default values..." section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we reference PKCS#12 in those sections but not PKCS#11
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Scratch that. I am wrong, we already have it there. So it can be removed from the defaults section
those configured in the `xpack.security.transport.ssl.truststore` and | ||
`xpack.security.transport.ssl.certificate_authorities` settings. It also | ||
includes certificates that are used for configuring server identity, such as | ||
`xpack.security.transport.ssl.keystore` and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use the http layer as an example for certficate
and keystore
so that it becomes (even more) obvious that certificates used in both layers will be returned ?
@@ -231,14 +190,6 @@ private static TrustConfig createCertChainTrustConfig(Settings settings, KeyConf | |||
String trustStoreAlgorithm = SETTINGS_PARSER.truststoreAlgorithm.get(settings); | |||
SecureString trustStorePassword = SETTINGS_PARSER.truststorePassword.get(settings); | |||
return new StoreTrustConfig(trustStorePath, trustStoreType, trustStorePassword, trustStoreAlgorithm); | |||
} else if (global == null && System.getProperty("javax.net.ssl.trustStore") != null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
@@ -123,19 +123,20 @@ public void testReadIdpMetadataFromHttps() throws Exception { | |||
final Path path = getDataPath("idp1.xml"); | |||
final String body = new String(Files.readAllBytes(path), StandardCharsets.UTF_8); | |||
final MockSecureSettings mockSecureSettings = new MockSecureSettings(); | |||
mockSecureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode"); | |||
mockSecureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't really affect anything but we could use xpack.security.http
key since the produced SSLContext is used in a MockWebServer
if (value == null) { | ||
try { | ||
if (key.startsWith("xpack.security.transport.ssl.")) { | ||
byte[] file = Streams.readAll(secureSettings.getFile(key)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe move toBytesArray
to ESTestCase and use this instead so that we don't introduce BC dependencies again?
Settings settings2 = Settings.builder() | ||
.put("xpack.ssl.key", keyPath) | ||
.put("xpack.ssl.certificate", certPath) | ||
.put("xpack.security.transport.ssl.key", keyPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as above, just for being easy to the eye use the http
layer settings for the MockWebServer
try (HttpClient client = new HttpClient(settings, new SSLService(settings, environment), null)) { | ||
MockSecureSettings secureSettings = new MockSecureSettings(); | ||
// We can't use the client created above for the server since it only defines a truststore | ||
secureSettings.setString("xpack.ssl.secure_key_passphrase", "testnode-no-subjaltname"); | ||
secureSettings.setString("xpack.security.transport.ssl.secure_key_passphrase", "testnode-no-subjaltname"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as above, just for being easy to the eye use the http layer settings for the MockWebServer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
It looks like it was a massive effort to work through all those tests.
Yes it was. So much that merging 6+ months worth of changes was better than starting fresh. |
run gradle build tests 1 |
* master: (28 commits) Introduce retention lease serialization (elastic#37447) Update Delete Watch to allow unknown fields (elastic#37435) Make finalize step of recovery source non-blocking (elastic#37388) Update the default for include_type_name to false. (elastic#37285) Security: remove SSL settings fallback (elastic#36846) Adding mapping for hostname field (elastic#37288) Relax assertSameDocIdsOnShards assertion Reduce recovery time with compress or secure transport (elastic#36981) Implement ccr file restore (elastic#37130) Fix Eclipse specific compilation issue (elastic#37419) Performance fix. Reduce deprecation calls for the same bulk request (elastic#37415) [ML] Use String rep of Version in map for serialisation (elastic#37416) Cleanup Deadcode in Rest Tests (elastic#37418) Mute IndexShardRetentionLeaseTests.testCommit elastic#37420 unmuted test Remove unused index store in directory service Improve CloseWhileRelocatingShardsIT (elastic#37348) Fix ClusterBlock serialization and Close Index API logic after backport to 6.x (elastic#37360) Update the scroll example in the docs (elastic#37394) Update analysis.asciidoc (elastic#37404) ...
Update the security configuration with the changes brought in elastic/elasticsearch#36846
Update the security configuration with the changes brought in elastic/elasticsearch#36846 Relates #12
This commit removes the fallback for SSL settings. While this may be
seen as a non user friendly change, the intention behind this change
is to simplify the reasoning needed to understand what is actually
being used for a given SSL configuration. Each configuration now needs
to be explicitly specified as there is no global configuration or
fallback to some other configuration.
Closes #29797