OpenSearch/elasticsearch/x-pack/shield
Commit 773876caee by jaymode: security: ssl by default on the transport layer
This commit adds the necessary changes to make SSL work on the transport layer by default. A large
portion of the SSL configuration/settings was re-worked with this change. Some notable highlights
include support for PEM cert/keys, reloadable SSL configuration, separate HTTP ssl configuration, and
separate LDAP configuration.

The following is a list of specific items addressed:

* `SSLSettings` renamed to `SSLConfiguration`
* `KeyConfig` and `TrustConfig` abstractions created. These hide the details of how `KeyManager[]` and `TrustManager[]` are loaded. These are also responsible for settings validation (i.e. keystore password is not null)
* Configuration fallback is changed. Previously any setting would fall back to the "global" value (`xpack.security.ssl.*`). Now a keystore path, key path, CA paths, or truststore path must be specified; otherwise the configuration for that key/trust will fall back to the global configuration. In other words, if you want to change part of a keystore or truststore in a profile you need to supply all the information. This could be considered breaking if a user relied on the old fallback.
* JDK trusted certificates (`cacerts`) are trusted by default (breaking change). This can be disabled via a setting.
* We now monitor the SSL files for changes and enable dynamic reloading of the configuration. This will make it easier for users when they are getting set up with certificates so they do not need to restart every time. This can be disabled via a setting.
* LDAP realms can now have their own SSL configurations
* HTTP can now have its own SSL configuration
* SSL is enabled by default on the transport layer only. Hostname verification is enabled as well. On startup, if no global SSL settings are present and SSL is configured to be used, we auto-generate one based on the default CA that is shipped. This process includes a best-effort attempt to generate the subject alternative names.
* `xpack.security.ssl.hostname_verification` is deprecated in favor of `xpack.security.ssl.hostname_verification.enabled`
* added Bouncy Castle info to NOTICE
* consolidated NOTICE and LICENSE files

Closes elastic/elasticsearch#14
Closes elastic/elasticsearch#34
Closes elastic/elasticsearch#1483
Closes elastic/elasticsearch#1933
Addresses security portion of elastic/elasticsearch#673

Original commit: elastic/x-pack-elasticsearch@7c359db90b
2016-04-29 12:50:07 -04:00
Path                  Last commit                                                              Date
bin/x-pack            Remove CONF_FILE from scripts                                            2016-03-30 11:17:15 +02:00
config/x-pack         security: add support for main action                                    2016-04-07 09:25:21 -04:00
dev-tools             Refactoring for 5.0 - phase 5                                            2016-02-11 21:34:38 +01:00
src                   security: ssl by default on the transport layer                          2016-04-29 12:50:07 -04:00
README.asciidoc       Moved shield, watcher, marvel and license plugin into common x-pack      2015-12-03 16:24:40 +01:00
TESTING.asciidoc      Moved shield, watcher, marvel and license plugin into common x-pack      2015-12-03 16:24:40 +01:00
test-signatures.txt   Moved shield, watcher, marvel and license plugin into common x-pack      2015-12-03 16:24:40 +01:00

README.asciidoc

= Elasticsearch Security Plugin

This plugin adds security features to Elasticsearch.

You can build the plugin with `mvn package`.

The documentation is in the `docs/` directory.