Remove heuristics that enable security on trial licenses (#38075)

In 6.3 trial licenses were changed to default to security
disabled, and ee added some heuristics to detect when security should
be automatically be enabled if `xpack.security.enabled` was not set.

This change removes those heuristics, and requires that security be
explicitly enabled (via the `xpack.security.enabled` setting) for
trial licenses.

Relates: #38009

docs/reference/migration/migrate_7_0/settings.asciidoc

@@ -145,6 +145,22 @@ You can enable TLS v1.0 by configuring the relevant `ssl.supported_protocols` se
 xpack.security.http.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1" ]
 --------------------------------------------------
 
+[float]
+[[trial-explicit-security]]
+==== Security on Trial Licenses
+
+On trial licenses, `xpack.security.enabled` defaults to `false`.
+
+In prior versions, a trial license would automatically enable security if either
+
+* `xpack.security.transport.enabled` was `true`; _or_
+* the trial license was generated on a version of X-Pack from 6.2 or earlier.
+
+This behaviour has been now removed, so security is only enabled if:
+
+* `xpack.security.enabled` is `true`; _or_
+* `xpack.security.enabled` is not set, and a gold or platinum license is installed.
+
 [float]
 [[watcher-notifications-account-settings]]
 ==== Watcher notifications account settings

x-pack/plugin/core/src/main/java/org/elasticsearch/license/XPackLicenseState.java

@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.license;
 
-import org.apache.logging.log4j.LogManager;
 import org.elasticsearch.Version;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.Strings;
@@ -271,17 +270,11 @@ public class XPackLicenseState {
     private final boolean isSecurityExplicitlyEnabled;
 
     private Status status = new Status(OperationMode.TRIAL, true);
-    private boolean isSecurityEnabledByTrialVersion;
 
     public XPackLicenseState(Settings settings) {
         this.listeners = new CopyOnWriteArrayList<>();
         this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
-        // 6.0+ requires TLS for production licenses, so if TLS is enabled and security is enabled
-        // we can interpret this as an explicit enabling of security if the security enabled
-        // setting is not explicitly set
-        this.isSecurityExplicitlyEnabled = isSecurityEnabled &&
-            (settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) || XPackSettings.TRANSPORT_SSL_ENABLED.get(settings));
-        this.isSecurityEnabledByTrialVersion = false;
+        this.isSecurityExplicitlyEnabled = isSecurityEnabled && settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey());
     }
 
     private XPackLicenseState(XPackLicenseState xPackLicenseState) {
@@ -289,7 +282,6 @@ public class XPackLicenseState {
         this.isSecurityEnabled = xPackLicenseState.isSecurityEnabled;
         this.isSecurityExplicitlyEnabled = xPackLicenseState.isSecurityExplicitlyEnabled;
         this.status = xPackLicenseState.status;
-        this.isSecurityEnabledByTrialVersion = xPackLicenseState.isSecurityEnabledByTrialVersion;
     }
 
     /**
@@ -304,16 +296,6 @@ public class XPackLicenseState {
     void update(OperationMode mode, boolean active, @Nullable Version mostRecentTrialVersion) {
         synchronized (this) {
             status = new Status(mode, active);
-            if (isSecurityEnabled == true && isSecurityExplicitlyEnabled == false && mode == OperationMode.TRIAL
-                && isSecurityEnabledByTrialVersion == false) {
-                // Before 6.3, Trial licenses would default having security enabled.
-                // If this license was generated before that version, then treat it as if security is explicitly enabled
-                if (mostRecentTrialVersion == null || mostRecentTrialVersion.before(Version.V_6_3_0)) {
-                    LogManager.getLogger(getClass()).info("Automatically enabling security for older trial license ({})",
-                        mostRecentTrialVersion == null ? "[pre 6.1.0]" : mostRecentTrialVersion.toString());
-                    isSecurityEnabledByTrialVersion = true;
-                }
-            }
         }
         listeners.forEach(LicenseStateListener::licenseStateChanged);
     }
@@ -345,7 +327,7 @@ public class XPackLicenseState {
     public synchronized boolean isAuthAllowed() {
         OperationMode mode = status.mode;
         final boolean isSecurityCurrentlyEnabled =
-            isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
+            isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
         return isSecurityCurrentlyEnabled && (mode == OperationMode.STANDARD || mode == OperationMode.GOLD
             || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
     }
@@ -356,7 +338,7 @@ public class XPackLicenseState {
     public synchronized boolean isIpFilteringAllowed() {
         OperationMode mode = status.mode;
         final boolean isSecurityCurrentlyEnabled =
-            isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
+            isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
         return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
     }
 
@@ -366,7 +348,7 @@ public class XPackLicenseState {
     public synchronized boolean isAuditingAllowed() {
         OperationMode mode = status.mode;
         final boolean isSecurityCurrentlyEnabled =
-            isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
+            isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
         return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
     }
 
@@ -395,7 +377,7 @@ public class XPackLicenseState {
     public synchronized boolean isDocumentAndFieldLevelSecurityAllowed() {
         OperationMode mode = status.mode;
         final boolean isSecurityCurrentlyEnabled =
-            isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
+            isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
         return isSecurityCurrentlyEnabled && (mode == OperationMode.TRIAL || mode == OperationMode.PLATINUM);
     }
 
@@ -412,7 +394,7 @@ public class XPackLicenseState {
      */
     public synchronized AllowedRealmType allowedRealmType() {
         final boolean isSecurityCurrentlyEnabled =
-            isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
+            isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
         if (isSecurityCurrentlyEnabled) {
             switch (status.mode) {
                 case PLATINUM:
@@ -435,7 +417,7 @@ public class XPackLicenseState {
      */
     public synchronized boolean isCustomRoleProvidersAllowed() {
         final boolean isSecurityCurrentlyEnabled =
-            isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
+            isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
         return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
                 && status.active;
     }
@@ -446,7 +428,7 @@ public class XPackLicenseState {
      */
     public synchronized boolean isAuthorizationRealmAllowed() {
         final boolean isSecurityCurrentlyEnabled =
-            isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
+            isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
         return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
             && status.active;
     }
@@ -676,19 +658,17 @@ public class XPackLicenseState {
      * @return true if security has been disabled by a trial license which is the case of the
      *         default distribution post 6.3.0. The conditions necessary for this are:
      *         <ul>
-     *             <li>A trial license generated in 6.3.0+</li>
+     *             <li>A trial license</li>
      *             <li>xpack.security.enabled not specified as a setting</li>
      *         </ul>
      */
     public synchronized boolean isSecurityDisabledByTrialLicense() {
-        return status.mode == OperationMode.TRIAL && isSecurityEnabled
-            && isSecurityExplicitlyEnabled == false
-            && isSecurityEnabledByTrialVersion == false;
+        return status.mode == OperationMode.TRIAL && isSecurityEnabled && isSecurityExplicitlyEnabled == false;
     }
 
     private static boolean isSecurityEnabled(final OperationMode mode, final boolean isSecurityExplicitlyEnabled,
-                                             final boolean isSecurityEnabledByTrialVersion, final boolean isSecurityEnabled) {
-        return mode == OperationMode.TRIAL ? (isSecurityExplicitlyEnabled || isSecurityEnabledByTrialVersion) : isSecurityEnabled;
+                                             final boolean isSecurityEnabled) {
+        return mode == OperationMode.TRIAL ? isSecurityExplicitlyEnabled : isSecurityEnabled;
     }
 
     /**

x-pack/plugin/core/src/test/java/org/elasticsearch/license/XPackLicenseStateTests.java

@@ -81,24 +81,15 @@ public class XPackLicenseStateTests extends ESTestCase {
         assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
         assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
 
+        licenseState = new XPackLicenseState(Settings.EMPTY);
+        assertSecurityNotAllowed(licenseState);
+    }
+
+    public void testTransportSslDoesNotAutomaticallyEnableSecurityOnTrialLicense() {
+        final XPackLicenseState licenseState;
         licenseState =
             new XPackLicenseState(Settings.builder().put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), true).build());
-        assertThat(licenseState.isAuthAllowed(), is(true));
-        assertThat(licenseState.isIpFilteringAllowed(), is(true));
-        assertThat(licenseState.isAuditingAllowed(), is(true));
-        assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
-        assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
-        assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
-        assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
-
-        licenseState = new XPackLicenseState(Settings.EMPTY);
-        assertThat(licenseState.isAuthAllowed(), is(false));
-        assertThat(licenseState.isIpFilteringAllowed(), is(false));
-        assertThat(licenseState.isAuditingAllowed(), is(false));
-        assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
-        assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-        assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
-        assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
+        assertSecurityNotAllowed(licenseState);
     }
 
     public void testSecurityBasic() {
@@ -106,13 +97,7 @@ public class XPackLicenseStateTests extends ESTestCase {
                 Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
         licenseState.update(BASIC, true, null);
 
-        assertThat(licenseState.isAuthAllowed(), is(false));
-        assertThat(licenseState.isIpFilteringAllowed(), is(false));
-        assertThat(licenseState.isAuditingAllowed(), is(false));
-        assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
-        assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
-        assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
-        assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
+        assertSecurityNotAllowed(licenseState);
     }
 
     public void testSecurityBasicExpired() {
@@ -218,6 +203,10 @@ public class XPackLicenseStateTests extends ESTestCase {
         licenseState.update(TRIAL, true, VersionUtils.randomVersionBetween(random(), Version.V_6_3_0, Version.CURRENT));
 
         assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(true));
+        assertSecurityNotAllowed(licenseState);
+    }
+
+    private void assertSecurityNotAllowed(XPackLicenseState licenseState) {
         assertThat(licenseState.isAuthAllowed(), is(false));
         assertThat(licenseState.isIpFilteringAllowed(), is(false));
         assertThat(licenseState.isAuditingAllowed(), is(false));
@@ -227,20 +216,6 @@ public class XPackLicenseStateTests extends ESTestCase {
         assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
     }
 
-    public void testOldTrialDefaultsSecurityOn() {
-        XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
-        licenseState.update(TRIAL, true, rarely() ? null : VersionUtils.randomVersionBetween(random(), Version.V_6_0_0, Version.V_6_2_4));
-
-        assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(false));
-        assertThat(licenseState.isAuthAllowed(), is(true));
-        assertThat(licenseState.isIpFilteringAllowed(), is(true));
-        assertThat(licenseState.isAuditingAllowed(), is(true));
-        assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
-        assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
-        assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
-        assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
-    }
-
     public void testSecurityAckBasicToNotGoldOrStandard() {
         OperationMode toMode = randomFrom(OperationMode.values(), mode -> mode != GOLD && mode != STANDARD);
         assertAckMesssages(XPackField.SECURITY, BASIC, toMode, 0);