Remove heuristics that enable security on trial licenses (#38075)

In 6.3 trial licenses were changed to default to security
disabled, and we added some heuristics to detect when security should
automatically be enabled if `xpack.security.enabled` was not set.

This change removes those heuristics, and requires that security be
explicitly enabled (via the `xpack.security.enabled` setting) for
trial licenses.

Relates: #38009
Tim Vernum 2019-02-01 17:59:13 +11:00 committed by GitHub
parent 0a604e3b24
commit 6fcbd07420
3 changed files with 40 additions and 69 deletions


@ -145,6 +145,22 @@ You can enable TLS v1.0 by configuring the relevant `ssl.supported_protocols` se
xpack.security.http.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1" ] xpack.security.http.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1" ]
-------------------------------------------------- --------------------------------------------------
[float]
[[trial-explicit-security]]
==== Security on Trial Licenses
On trial licenses, `xpack.security.enabled` defaults to `false`.
In prior versions, a trial license would automatically enable security if either
* `xpack.security.transport.enabled` was `true`; _or_
* the trial license was generated on a version of X-Pack from 6.2 or earlier.
This behaviour has been now removed, so security is only enabled if:
* `xpack.security.enabled` is `true`; _or_
* `xpack.security.enabled` is not set, and a gold or platinum license is installed.
[float] [float]
[[watcher-notifications-account-settings]] [[watcher-notifications-account-settings]]
==== Watcher notifications account settings ==== Watcher notifications account settings


@ -5,7 +5,6 @@
*/ */
package org.elasticsearch.license; package org.elasticsearch.license;
import org.apache.logging.log4j.LogManager;
import org.elasticsearch.Version; import org.elasticsearch.Version;
import org.elasticsearch.common.Nullable; import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
@ -271,17 +270,11 @@ public class XPackLicenseState {
private final boolean isSecurityExplicitlyEnabled; private final boolean isSecurityExplicitlyEnabled;
private Status status = new Status(OperationMode.TRIAL, true); private Status status = new Status(OperationMode.TRIAL, true);
private boolean isSecurityEnabledByTrialVersion;
public XPackLicenseState(Settings settings) { public XPackLicenseState(Settings settings) {
this.listeners = new CopyOnWriteArrayList<>(); this.listeners = new CopyOnWriteArrayList<>();
this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings); this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
// 6.0+ requires TLS for production licenses, so if TLS is enabled and security is enabled this.isSecurityExplicitlyEnabled = isSecurityEnabled && settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey());
// we can interpret this as an explicit enabling of security if the security enabled
// setting is not explicitly set
this.isSecurityExplicitlyEnabled = isSecurityEnabled &&
(settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) || XPackSettings.TRANSPORT_SSL_ENABLED.get(settings));
this.isSecurityEnabledByTrialVersion = false;
} }
private XPackLicenseState(XPackLicenseState xPackLicenseState) { private XPackLicenseState(XPackLicenseState xPackLicenseState) {
@ -289,7 +282,6 @@ public class XPackLicenseState {
this.isSecurityEnabled = xPackLicenseState.isSecurityEnabled; this.isSecurityEnabled = xPackLicenseState.isSecurityEnabled;
this.isSecurityExplicitlyEnabled = xPackLicenseState.isSecurityExplicitlyEnabled; this.isSecurityExplicitlyEnabled = xPackLicenseState.isSecurityExplicitlyEnabled;
this.status = xPackLicenseState.status; this.status = xPackLicenseState.status;
this.isSecurityEnabledByTrialVersion = xPackLicenseState.isSecurityEnabledByTrialVersion;
} }
/** /**
@ -304,16 +296,6 @@ public class XPackLicenseState {
void update(OperationMode mode, boolean active, @Nullable Version mostRecentTrialVersion) { void update(OperationMode mode, boolean active, @Nullable Version mostRecentTrialVersion) {
synchronized (this) { synchronized (this) {
status = new Status(mode, active); status = new Status(mode, active);
if (isSecurityEnabled == true && isSecurityExplicitlyEnabled == false && mode == OperationMode.TRIAL
&& isSecurityEnabledByTrialVersion == false) {
// Before 6.3, Trial licenses would default having security enabled.
// If this license was generated before that version, then treat it as if security is explicitly enabled
if (mostRecentTrialVersion == null || mostRecentTrialVersion.before(Version.V_6_3_0)) {
LogManager.getLogger(getClass()).info("Automatically enabling security for older trial license ({})",
mostRecentTrialVersion == null ? "[pre 6.1.0]" : mostRecentTrialVersion.toString());
isSecurityEnabledByTrialVersion = true;
}
}
} }
listeners.forEach(LicenseStateListener::licenseStateChanged); listeners.forEach(LicenseStateListener::licenseStateChanged);
} }
@ -345,7 +327,7 @@ public class XPackLicenseState {
public synchronized boolean isAuthAllowed() { public synchronized boolean isAuthAllowed() {
OperationMode mode = status.mode; OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled = final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled); isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.STANDARD || mode == OperationMode.GOLD return isSecurityCurrentlyEnabled && (mode == OperationMode.STANDARD || mode == OperationMode.GOLD
|| mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL); || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
} }
@ -356,7 +338,7 @@ public class XPackLicenseState {
public synchronized boolean isIpFilteringAllowed() { public synchronized boolean isIpFilteringAllowed() {
OperationMode mode = status.mode; OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled = final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled); isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL); return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
} }
@ -366,7 +348,7 @@ public class XPackLicenseState {
public synchronized boolean isAuditingAllowed() { public synchronized boolean isAuditingAllowed() {
OperationMode mode = status.mode; OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled = final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled); isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL); return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
} }
@ -395,7 +377,7 @@ public class XPackLicenseState {
public synchronized boolean isDocumentAndFieldLevelSecurityAllowed() { public synchronized boolean isDocumentAndFieldLevelSecurityAllowed() {
OperationMode mode = status.mode; OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled = final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled); isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.TRIAL || mode == OperationMode.PLATINUM); return isSecurityCurrentlyEnabled && (mode == OperationMode.TRIAL || mode == OperationMode.PLATINUM);
} }
@ -412,7 +394,7 @@ public class XPackLicenseState {
*/ */
public synchronized AllowedRealmType allowedRealmType() { public synchronized AllowedRealmType allowedRealmType() {
final boolean isSecurityCurrentlyEnabled = final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled); isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
if (isSecurityCurrentlyEnabled) { if (isSecurityCurrentlyEnabled) {
switch (status.mode) { switch (status.mode) {
case PLATINUM: case PLATINUM:
@ -435,7 +417,7 @@ public class XPackLicenseState {
*/ */
public synchronized boolean isCustomRoleProvidersAllowed() { public synchronized boolean isCustomRoleProvidersAllowed() {
final boolean isSecurityCurrentlyEnabled = final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled); isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL) return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
&& status.active; && status.active;
} }
@ -446,7 +428,7 @@ public class XPackLicenseState {
*/ */
public synchronized boolean isAuthorizationRealmAllowed() { public synchronized boolean isAuthorizationRealmAllowed() {
final boolean isSecurityCurrentlyEnabled = final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled); isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL) return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
&& status.active; && status.active;
} }
@ -676,19 +658,17 @@ public class XPackLicenseState {
* @return true if security has been disabled by a trial license which is the case of the * @return true if security has been disabled by a trial license which is the case of the
* default distribution post 6.3.0. The conditions necessary for this are: * default distribution post 6.3.0. The conditions necessary for this are:
* <ul> * <ul>
* <li>A trial license generated in 6.3.0+</li> * <li>A trial license</li>
* <li>xpack.security.enabled not specified as a setting</li> * <li>xpack.security.enabled not specified as a setting</li>
* </ul> * </ul>
*/ */
public synchronized boolean isSecurityDisabledByTrialLicense() { public synchronized boolean isSecurityDisabledByTrialLicense() {
return status.mode == OperationMode.TRIAL && isSecurityEnabled return status.mode == OperationMode.TRIAL && isSecurityEnabled && isSecurityExplicitlyEnabled == false;
&& isSecurityExplicitlyEnabled == false
&& isSecurityEnabledByTrialVersion == false;
} }
private static boolean isSecurityEnabled(final OperationMode mode, final boolean isSecurityExplicitlyEnabled, private static boolean isSecurityEnabled(final OperationMode mode, final boolean isSecurityExplicitlyEnabled,
final boolean isSecurityEnabledByTrialVersion, final boolean isSecurityEnabled) { final boolean isSecurityEnabled) {
return mode == OperationMode.TRIAL ? (isSecurityExplicitlyEnabled || isSecurityEnabledByTrialVersion) : isSecurityEnabled; return mode == OperationMode.TRIAL ? isSecurityExplicitlyEnabled : isSecurityEnabled;
} }
/** /**
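Review bot: `update(OperationMode mode, boolean active, @Nullable Version mostRecentTrialVersion)` no longer reads `mostRecentTrialVersion` at all — after the hunk at `@ -304,16 +296,6` the synchronized body is just `status = new Status(mode, active);` — yet the parameter is kept (and the `Version` import at line 45 now appears to survive only for that signature), and callers such as the tests still pass real versions into it, which suggests the version still influences security. If it is retained for API compatibility, document that, e.g. `// mostRecentTrialVersion is no longer consulted: on trial licenses security is enabled only by an explicit xpack.security.enabled=true`, and consider deprecating it. The constructor also lost its explanatory comment when the TLS heuristic was dropped; a one-liner above the assignment such as `// "explicit" means the operator actually set xpack.security.enabled; on TRIAL licenses only an explicit true enables security (see isSecurityEnabled(mode, ...))` keeps the intent discoverable. Because a trial cluster that previously got security from the removed heuristics (transport TLS configured, or a pre-6.3 trial) will now start with security off, consider logging a warning in the constructor when `XPackSettings.TRANSPORT_SSL_ENABLED` is set but `xpack.security.enabled` is not, so the silent downgrade is visible in the node log and not only in the docs.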


@ -81,24 +81,15 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL)); assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true)); assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
licenseState = new XPackLicenseState(Settings.EMPTY);
assertSecurityNotAllowed(licenseState);
}
public void testTransportSslDoesNotAutomaticallyEnableSecurityOnTrialLicense() {
final XPackLicenseState licenseState;
licenseState = licenseState =
new XPackLicenseState(Settings.builder().put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), true).build()); new XPackLicenseState(Settings.builder().put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), true).build());
assertThat(licenseState.isAuthAllowed(), is(true)); assertSecurityNotAllowed(licenseState);
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
licenseState = new XPackLicenseState(Settings.EMPTY);
assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
} }
public void testSecurityBasic() { public void testSecurityBasic() {
@ -106,13 +97,7 @@ public class XPackLicenseStateTests extends ESTestCase {
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build())); Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(BASIC, true, null); licenseState.update(BASIC, true, null);
assertThat(licenseState.isAuthAllowed(), is(false)); assertSecurityNotAllowed(licenseState);
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
} }
public void testSecurityBasicExpired() { public void testSecurityBasicExpired() {
@ -218,6 +203,10 @@ public class XPackLicenseStateTests extends ESTestCase {
licenseState.update(TRIAL, true, VersionUtils.randomVersionBetween(random(), Version.V_6_3_0, Version.CURRENT)); licenseState.update(TRIAL, true, VersionUtils.randomVersionBetween(random(), Version.V_6_3_0, Version.CURRENT));
assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(true)); assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(true));
assertSecurityNotAllowed(licenseState);
}
private void assertSecurityNotAllowed(XPackLicenseState licenseState) {
assertThat(licenseState.isAuthAllowed(), is(false)); assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false)); assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false)); assertThat(licenseState.isAuditingAllowed(), is(false));
@ -227,20 +216,6 @@ public class XPackLicenseStateTests extends ESTestCase {
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false)); assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
} }
public void testOldTrialDefaultsSecurityOn() {
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(TRIAL, true, rarely() ? null : VersionUtils.randomVersionBetween(random(), Version.V_6_0_0, Version.V_6_2_4));
assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(false));
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
}
public void testSecurityAckBasicToNotGoldOrStandard() { public void testSecurityAckBasicToNotGoldOrStandard() {
OperationMode toMode = randomFrom(OperationMode.values(), mode -> mode != GOLD && mode != STANDARD); OperationMode toMode = randomFrom(OperationMode.values(), mode -> mode != GOLD && mode != STANDARD);
assertAckMesssages(XPackField.SECURITY, BASIC, toMode, 0); assertAckMesssages(XPackField.SECURITY, BASIC, toMode, 0);
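Review bot: Deleting `testOldTrialDefaultsSecurityOn` in this hunk removes the only coverage of the pre-6.3 trial path without adding an inverted test, so a reintroduced version heuristic in `update()` would go unnoticed; the remaining trial test at line 201 only exercises versions from `V_6_3_0` upward. Add a regression test that passes a pre-6.3 (or null) `mostRecentTrialVersion` with `Settings.EMPTY` and asserts security stays off. Relatedly, `testTransportSslDoesNotAutomaticallyEnableSecurityOnTrialLicense` never calls `update(...)` and silently relies on the constructor default of `Status(TRIAL, true)`; an explicit `licenseState.update(TRIAL, true, null);` before `assertSecurityNotAllowed(licenseState);` would make the trial assumption visible and robust to a changed default.
```java
public void testOldTrialNoLongerDefaultsSecurityOn() {
    XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
    licenseState.update(TRIAL, true,
        rarely() ? null : VersionUtils.randomVersionBetween(random(), Version.V_6_0_0, Version.V_6_2_4));
    assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(true));
    assertSecurityNotAllowed(licenseState);
}
```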