Adding a warning header when a license is about to expire #64948
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@elasticmachine run elasticsearch-ci/bwc |
1 similar comment
|
@elasticmachine run elasticsearch-ci/bwc |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
…on to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs Resolves elastic#53161
jkakavas
reviewed
Nov 17, 2020
There was a problem hiding this comment.
I left a few comments. I also think we need to elaborate on the PR description ( it's not clear what through SECURITY_IP_FILTER means ) and add a couple of sentences on why we add the check on checkFeature and more especially why we think this is enough for solving the issue this PR is meant to.
We also need some tests that ensure we are indeed adding the warning header under the circumstances we expect it to be added
x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
Outdated
Show resolved
Hide resolved
|
Pinging @elastic/es-security (Team:Security) |
BigPandaToo
added
the
:Security/License
…aml/metadata/{realm}
Related to elastic#49018
|
@elasticmachine update branch |
|
@elasticmachine update branch |
tvernum
reviewed
Dec 1, 2020
x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
Outdated
Show resolved
Hide resolved
.../plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
Show resolved
Hide resolved
messages; changing "today" calculation; adding a test case for failing authN to make sure we remove the warning header
tvernum
approved these changes
Dec 3, 2020
...k/plugin/security/src/internalClusterTest/java/org/elasticsearch/license/LicensingTests.java
Outdated
Show resolved
Hide resolved
|
@elasticmachine update branch |
jkakavas
reviewed
Dec 4, 2020
.../plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
Show resolved
Hide resolved
x-pack/plugin/core/src/test/java/org/elasticsearch/test/SecuritySettingsSourceField.java
Show resolved
Hide resolved
...k/plugin/security/src/internalClusterTest/java/org/elasticsearch/license/LicensingTests.java
Show resolved
Hide resolved
...k/plugin/security/src/internalClusterTest/java/org/elasticsearch/license/LicensingTests.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java
Show resolved
Hide resolved
...k/plugin/security/src/internalClusterTest/java/org/elasticsearch/license/LicensingTests.java
Outdated
Show resolved
Hide resolved
...k/plugin/security/src/internalClusterTest/java/org/elasticsearch/license/LicensingTests.java
Outdated
Show resolved
Hide resolved
@jkakavas Yes, it is intentional (see Tim's comment above). If Authentication fails it does make sense to not reveal any additional information |
|
@elasticmachine update branch |
BigPandaToo
added a commit
to BigPandaToo/elasticsearch
that referenced
this pull request
Dec 4, 2020
) * This change adds a warning header when a license is about to expire Resolves elastic#60562 * This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs Resolves elastic#53161 * Adding doc for the new API introduced by elastic#64517 - /_security/saml/metadata/{realm} Related to elastic#49018 * Adding a warning header when a license is about to expire Resolves elastic#60562 * Addressing the PR feedback * Switching back to adding the header during featureCheck to allow warnings when authentication is disabled as well. Adding filterHeader implementation to SecurityRestFilter exception handling to remove all the warnings if authentication fails. * Changing the wording for "expired" message to be consistent with the log messages; changing "today" calculation; adding a test case for failing authN to make sure we remove the warning header * Small changes in the way we verify header in tests * Nit changes Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
BigPandaToo
added a commit
that referenced
this pull request
Dec 5, 2020
) * Adding a warning header when a license is about to expire (#64948) * This change adds a warning header when a license is about to expire Resolves #60562 * This change adds realm name of the realm used to perform authentication to the responses of _security/oidc/authenticate and _security/oidc/authenticate APIs Resolves #53161 * Adding doc for the new API introduced by #64517 - /_security/saml/metadata/{realm} Related to #49018 * Adding a warning header when a license is about to expire Resolves #60562 * Addressing the PR feedback * Switching back to adding the header during featureCheck to allow warnings when authentication is disabled as well. Adding filterHeader implementation to SecurityRestFilter exception handling to remove all the warnings if authentication fails. * Changing the wording for "expired" message to be consistent with the log messages; changing "today" calculation; adding a test case for failing authN to make sure we remove the warning header * Small changes in the way we verify header in tests * Nit changes Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> * Resolving backporting issue: adding copyMapWithRemovedEntry() util function Fixing unused imports Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implementation will add the warning header
if the license is going to expire in less than
{
LICENSE_EXPIRATION_WARNING_PERIOD} days.The messages added:
Warning: 299 Elasticsearch-8.0.0-###"Your license will expire in [N] days. Contact your administrator or update your license for continued use of features"or
Warning: 299 Elasticsearch-8.0.0-### "Your license expires today. Contact your administrator or update your license for continued use of features"If license has expired less than
{
GRACE_PERIOD_DURATION} days ago followingwarning is added:
Warning: 299 Elasticsearch-8.0.0-### "Your license expired on ["EEEE, MMMM dd, yyyy" ]. Contact your administrator or update your license for continued use of features"Both {
LICENSE_EXPIRATION_WARNING_PERIOD}and {
GRACE_PERIOD_DURATION} are currently 7 days.The message will be added to each request unless
authentication fails.
Note: with this change all warning headers will be removed
from a response if authentication fails.
Resolves #60562