Add setting to restrict license types #49418

tvernum · 2019-11-21T07:09:10Z

This adds a new "xpack.license.upload.types" setting that restricts
which license types may be uploaded to a cluster.

By default all types are allowed (excluding basic, which can only be
generated and never uploaded).
This setting does not restrict APIs that generate licenses such as the
start trial API.

This setting is not documented as it is intended to be set by
orchestrators and not end users.

Closes: #48508

This adds a new "xpack.license.upload.types" setting that restricts which license types may be uploaded to a cluster. By default all types are allowed (excluding basic, which can only be generated and never uploaded). This setting does not restrict APIs that generate licenses such as the start trial API. This setting is not documented as it is intended to be set by orchestrators and not end users.

elasticmachine · 2019-11-21T07:09:12Z

Pinging @elastic/es-security (:Security/License)

jkakavas · 2019-11-26T09:54:31Z

x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java

@@ -193,11 +203,21 @@ public void on(License license) {
     */
    public void registerLicense(final PutLicenseRequest request, final ActionListener<PutLicenseResponse> listener) {
        final License newLicense = request.license();
+        final License.LicenseType licenseType;
+        try {
+            licenseType = License.LicenseType.resolve(newLicense);


We should not consume any part of the license before we validate its signature first

jkakavas · 2019-11-26T10:29:16Z

x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicenseService.java

@@ -64,6 +64,9 @@
        return SelfGeneratedLicense.validateSelfGeneratedType(type);
    }, Setting.Property.NodeScope);

+    public static final Setting<List<License.LicenseType>> ALLOWED_LICENSE_TYPES = Setting.listSetting("xpack.license.upload.types",
+        License.LicenseType.ALL_TYPE_NAMES, License.LicenseType::parse, Setting.Property.NodeScope);


We do handle basic explicitly in all places, but should we exclude it from the default value of xpack.license.upload.types too ?

jkakavas

LGTM!

jkakavas · 2019-11-29T07:03:19Z

@elasticmachine run elasticsearch-ci/1

(failed to download ml artifact, transient network issue )

tvernum · 2019-12-10T04:58:10Z

@elasticmachine update branch

This adds a new "xpack.license.upload.types" setting that restricts which license types may be uploaded to a cluster. By default all types are allowed (excluding basic, which can only be generated and never uploaded). This setting does not restrict APIs that generate licenses such as the start trial API. This setting is not documented as it is intended to be set by orchestrators and not end users. Backport of: elastic#49418

This adds a new "xpack.license.upload.types" setting that restricts which license types may be uploaded to a cluster. By default all types are allowed (excluding basic, which can only be generated and never uploaded). This setting does not restrict APIs that generate licenses such as the start trial API. This setting is not documented as it is intended to be set by orchestrators and not end users. Backport of: #49418

This adds a new "xpack.license.upload.types" setting that restricts which license types may be uploaded to a cluster. By default all types are allowed (excluding basic, which can only be generated and never uploaded). This setting does not restrict APIs that generate licenses such as the start trial API. This setting is not documented as it is intended to be set by orchestrators and not end users.

tvernum added >enhancement :Security/License License functionality for commercial features v8.0.0 v7.6.0 labels Nov 21, 2019

tvernum requested a review from jkakavas November 21, 2019 07:09

tvernum added 2 commits November 22, 2019 11:30

Merge branch 'master' into restrict-license-type

c7bebd9

Fix resolution of v1 style licenses

b08cde5

jkakavas requested changes Nov 26, 2019

View reviewed changes

tvernum added 2 commits November 29, 2019 12:34

Merge branch 'master' into restrict-license-type

c42b309

Address feedback

0098f8e

tvernum requested a review from jkakavas November 29, 2019 04:57

jkakavas approved these changes Nov 29, 2019

View reviewed changes

pebrc mentioned this pull request Dec 1, 2019

7.6 support elastic/cloud-on-k8s#2197

Closed

2 tasks

Merge branch 'master' into restrict-license-type

3f76e49

tvernum merged commit a6351d6 into elastic:master Dec 10, 2019

tvernum added the backport pending label Dec 10, 2019

pebrc mentioned this pull request Dec 12, 2019

>=7.6.0: set allowed license upload types elastic/cloud-on-k8s#2257

Merged

tvernum mentioned this pull request Dec 16, 2019

[Backport 7.x] Add setting to restrict license types #50252

Merged

tvernum removed the backport pending label Dec 17, 2019

This was referenced Feb 3, 2020

[meta] 7.6 release elastic/elasticsearch-net#4340

Closed

[meta] 7.6 release elastic/elasticsearch-net#4341

Closed

jakelandis added v8.0.0-alpha1 and removed v8.0.0 labels Jul 26, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add setting to restrict license types #49418

Add setting to restrict license types #49418

tvernum commented Nov 21, 2019

elasticmachine commented Nov 21, 2019

jkakavas Nov 26, 2019

jkakavas Nov 26, 2019

jkakavas left a comment

jkakavas commented Nov 29, 2019

tvernum commented Dec 10, 2019

Add setting to restrict license types #49418

Add setting to restrict license types #49418

Conversation

tvernum commented Nov 21, 2019

elasticmachine commented Nov 21, 2019

jkakavas Nov 26, 2019

Choose a reason for hiding this comment

jkakavas Nov 26, 2019

Choose a reason for hiding this comment

jkakavas left a comment

Choose a reason for hiding this comment

jkakavas commented Nov 29, 2019

tvernum commented Dec 10, 2019