Remove deprecated AUTH_PASSWORD setting (#54892)

Author: danhermann

docs/reference/migration/migrate_8_0/settings.asciidoc

@@ -52,6 +52,14 @@ In Elasticsearch 7.8.0, the setting `node.local_storage` was deprecated and
 beginning in Elasticsearch 8.0.0 all nodes will require local storage. Therefore,
 the `node.local_storage` setting has been removed.
 
+[float]
+==== `auth.password` for HTTP monitoring is removed
+
+In Elasticsearch 7.7.0, the setting `xpack.monitoring.exporters.<exporterName>.auth.password`
+was deprecated in favor of setting `xpack.monitoring.exporters.<exporterName>.auth.secure_password`.
+In Elasticsearch 8.0.0, the setting `xpack.monitoring.exporters.<exporterName>.auth.password` is
+removed.
+
 [float]
 ==== Option to disable basic license features is deprecated
 

docs/reference/monitoring/collecting-monitoring-data.asciidoc

@@ -143,7 +143,7 @@ Alternatively, use the
 <<built-in-users,`remote_monitoring_user` built-in user>>.
 
 ... Add the user ID and password settings to the HTTP exporter settings in the
-`elasticsearch.yml` file on each node. +
+`elasticsearch.yml` file and keystore on each node. +
 +
 --
 For example:
@@ -155,7 +155,7 @@ xpack.monitoring.exporters:
     type: http
     host: ["http://es-mon-1:9200", "http://es-mon2:9200"]
     auth.username: remote_monitoring_user
-    auth.password: YOUR_PASSWORD
+    # "xpack.monitoring.exporters.id1.auth.secure_password" must be set in the keystore
 --------------------------------------------------
 --
 
@@ -177,7 +177,7 @@ xpack.monitoring.exporters:
     host: ["https://es-mon1:9200", "https://es-mon2:9200"]
     auth:
       username: remote_monitoring_user
-      password: YOUR_PASSWORD
+      # "xpack.monitoring.exporters.id1.auth.secure_password" must be set in the keystore
     ssl:
       certificate_authorities: [ "/path/to/ca.crt" ]
 --------------------------------------------------
@@ -195,7 +195,7 @@ xpack.monitoring.exporters:
     host: ["https://es-mon1:9200", "https://es-mon2:9200"]
     auth:
       username: remote_monitoring_user
-      password: YOUR_PASSWORD
+      # "xpack.monitoring.exporters.id1.auth.secure_password" must be set in the keystore
     ssl:
       truststore.path: /path/to/file
       truststore.password: password

docs/reference/monitoring/http-export.asciidoc

@@ -42,7 +42,7 @@ xpack.monitoring.exporters:
     host: [ "10.1.2.3:9200", ... ] <3>
     auth: <4>
       username: my_username
-      password: changeme
+      # "xpack.monitoring.exporters.my_remote.auth.secure_password" must be set in the keystore
     connection:
       timeout: 6s
       read_timeout: 60s

docs/reference/settings/monitoring-settings.asciidoc

@@ -197,17 +197,11 @@ xpack.monitoring.exporters:
 
 `auth.username`::
 
-The username is required if `auth.secure_password` or `auth.password` is supplied.
+The username is required if `auth.secure_password` is supplied.
 
 `auth.secure_password` (<<secure-settings,Secure>>, <<reloadable-secure-settings,reloadable>>)::
 
-The password for the `auth.username`. Takes precedence over `auth.password` if it is also specified.
-
-`auth.password`::
-
-The password for the `auth.username`. If `auth.secure_password` is also specified, this setting is ignored.
-
-deprecated[7.7.0, Use `auth.secure_password` instead.]
+The password for the `auth.username`.
 
 `connection.timeout`::
 

x-pack/plugin/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporter.java

@@ -210,19 +210,13 @@ public void validate(final String username, final Map<Setting<?>, Object> settin
                                     HttpExporter.AUTH_USERNAME_SETTING.getNamespace(
                                         HttpExporter.AUTH_USERNAME_SETTING.getConcreteSetting(key));
 
-                                // password must be specified along with username for any auth
                                 if (Strings.isNullOrEmpty(username) == false) {
                                     final String type =
                                         (String) settings.get(Exporter.TYPE_SETTING.getConcreteSettingForNamespace(namespace));
                                     if ("http".equals(type) == false) {
                                         throw new SettingsException("username for [" + key + "] is set but type is [" + type + "]");
                                     }
                                 }
-
-                                // it would be ideal to validate that just one of either AUTH_PASSWORD_SETTING or
-                                // AUTH_SECURE_PASSWORD_SETTING were present here, but that is not currently possible with the settings
-                                // validation framework.
-                                // https://github.com/elastic/elasticsearch/issues/51332
                             }
 
                             @Override
@@ -241,52 +235,6 @@ public Iterator<Setting<?>> settings() {
                         Property.NodeScope,
                         Property.Filtered),
                     TYPE_DEPENDENCY);
-    /**
-     * Password for basic auth.
-     */
-    public static final Setting.AffixSetting<String> AUTH_PASSWORD_SETTING =
-            Setting.affixKeySetting("xpack.monitoring.exporters.","auth.password",
-                    (key) -> Setting.simpleString(key,
-                        new Setting.Validator<String>() {
-                            @Override
-                            public void validate(String password) {
-                                // no password validation that is independent of other settings
-                            }
-
-                            @Override
-                            public void validate(String password, Map<Setting<?>, Object> settings) {
-                                final String namespace =
-                                    HttpExporter.AUTH_PASSWORD_SETTING.getNamespace(
-                                        HttpExporter.AUTH_PASSWORD_SETTING.getConcreteSetting(key));
-                                final String username =
-                                    (String) settings.get(AUTH_USERNAME_SETTING.getConcreteSettingForNamespace(namespace));
-
-                                // username is required for any auth
-                                if (Strings.isNullOrEmpty(username)) {
-                                    if (Strings.isNullOrEmpty(password) == false) {
-                                        throw new IllegalArgumentException(
-                                            "[" + AUTH_PASSWORD_SETTING.getConcreteSettingForNamespace(namespace).getKey() + "] without [" +
-                                                AUTH_USERNAME_SETTING.getConcreteSettingForNamespace(namespace).getKey() + "]");
-                                    }
-                                }
-                            }
-
-                            @Override
-                            public Iterator<Setting<?>> settings() {
-                                final String namespace =
-                                    HttpExporter.AUTH_PASSWORD_SETTING.getNamespace(
-                                        HttpExporter.AUTH_PASSWORD_SETTING.getConcreteSetting(key));
-                                final List<Setting<?>> settings = List.of(
-                                    HttpExporter.AUTH_USERNAME_SETTING.getConcreteSettingForNamespace(namespace));
-                                return settings.iterator();
-                            }
-
-                        },
-                        Property.Dynamic,
-                        Property.NodeScope,
-                        Property.Filtered,
-                        Property.Deprecated),
-                    TYPE_DEPENDENCY);
     /**
      * Secure password for basic auth.
      */
@@ -757,18 +705,8 @@ public static List<String> loadSettings(Settings settings) {
     private static CredentialsProvider createCredentialsProvider(final Config config) {
         final String username = AUTH_USERNAME_SETTING.getConcreteSettingForNamespace(config.name()).get(config.settings());
 
-        final String deprecatedPassword = AUTH_PASSWORD_SETTING.getConcreteSettingForNamespace(config.name()).get(config.settings());
         final SecureString securePassword = SECURE_AUTH_PASSWORDS.get(config.name());
-        final String password;
-        if (securePassword != null) {
-            password = securePassword.toString();
-            if (Strings.isNullOrEmpty(deprecatedPassword) == false) {
-                logger.warn("exporter [{}] specified both auth.secure_password and auth.password.  using auth.secure_password and " +
-                    "ignoring auth.password", config.name());
-            }
-        } else {
-            password = deprecatedPassword;
-        }
+        final String password = securePassword != null ? securePassword.toString() : null;
 
         final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
         credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
@@ -934,9 +872,9 @@ public void doClose() {
     }
 
     public static List<Setting.AffixSetting<?>> getDynamicSettings() {
-        return Arrays.asList(HOST_SETTING, TEMPLATE_CREATE_LEGACY_VERSIONS_SETTING, AUTH_PASSWORD_SETTING, AUTH_USERNAME_SETTING,
-                BULK_TIMEOUT_SETTING, CONNECTION_READ_TIMEOUT_SETTING, CONNECTION_TIMEOUT_SETTING, PIPELINE_CHECK_TIMEOUT_SETTING,
-                PROXY_BASE_PATH_SETTING, SNIFF_ENABLED_SETTING, TEMPLATE_CHECK_TIMEOUT_SETTING, SSL_SETTING, HEADERS_SETTING);
+        return Arrays.asList(HOST_SETTING, TEMPLATE_CREATE_LEGACY_VERSIONS_SETTING, AUTH_USERNAME_SETTING, BULK_TIMEOUT_SETTING,
+                CONNECTION_READ_TIMEOUT_SETTING, CONNECTION_TIMEOUT_SETTING, PIPELINE_CHECK_TIMEOUT_SETTING, PROXY_BASE_PATH_SETTING,
+                SNIFF_ENABLED_SETTING, TEMPLATE_CHECK_TIMEOUT_SETTING, SSL_SETTING, HEADERS_SETTING);
     }
 
     public static List<Setting.AffixSetting<?>> getSecureSettings() {

x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterIT.java

@@ -174,7 +174,6 @@ public void testSecureSetting() throws Exception {
         final String authHeaderValue2 = Base64.encode(userName + ":" + securePassword2);
 
         Settings settings = secureSettings(securePassword1)
-            .put("xpack.monitoring.exporters._http.auth.password", "insecurePassword") // verify this password is not used
             .build();
         PluginsService pluginsService = internalCluster().getInstances(PluginsService.class).iterator().next();
         LocalStateMonitoring localStateMonitoring = pluginsService.filterPlugins(LocalStateMonitoring.class).iterator().next();

x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java

@@ -238,24 +238,6 @@ public void testExporterWithEmptyHeaders() {
         assertThat(exception.getMessage(), equalTo(expected));
     }
 
-    public void testExporterWithPasswordButNoUsername() {
-        final String expected =
-                "[xpack.monitoring.exporters._http.auth.password] without [xpack.monitoring.exporters._http.auth.username]";
-        final String prefix = "xpack.monitoring.exporters._http";
-        final Settings settings = Settings.builder()
-            .put(prefix + ".type", HttpExporter.TYPE)
-            .put(prefix + ".host", "localhost:9200")
-            .put(prefix + ".auth.password", "_pass")
-            .build();
-
-        final IllegalArgumentException e = expectThrows(
-            IllegalArgumentException.class,
-            () -> HttpExporter.AUTH_PASSWORD_SETTING.getConcreteSetting(prefix + ".auth.password").get(settings));
-        assertThat(e, hasToString(containsString(expected)));
-        assertWarnings("[xpack.monitoring.exporters._http.auth.password] setting was deprecated in Elasticsearch and will be removed " +
-            "in a future release! See the breaking changes documentation for the next major version.");
-    }
-
     public void testExporterWithUnknownBlacklistedClusterAlerts() {
         final SSLIOSessionStrategy sslStrategy = mock(SSLIOSessionStrategy.class);
         when(sslService.sslIOSessionStrategy(any(Settings.class))).thenReturn(sslStrategy);
@@ -332,8 +314,10 @@ public void testCreateRestClient() throws IOException {
         // use basic auth
         final boolean useBasicAuth = randomBoolean();
         if (useBasicAuth) {
-            builder.put("xpack.monitoring.exporters._http.auth.username", "_user")
-                   .put("xpack.monitoring.exporters._http.auth.password", "_pass");
+            builder.put("xpack.monitoring.exporters._http.auth.username", "_user");
+            MockSecureSettings mockSecureSettings  = new MockSecureSettings();
+            mockSecureSettings.setString("xpack.monitoring.exporters._http.auth.secure_password", "securePassword");
+            builder.setSecureSettings(mockSecureSettings);
         }
 
         // use headers
@@ -346,10 +330,6 @@ public void testCreateRestClient() throws IOException {
 
         // doesn't explode
         HttpExporter.createRestClient(config, sslService, listener).close();
-        if (useBasicAuth) {
-            assertWarnings("[xpack.monitoring.exporters._http.auth.password] setting was deprecated in Elasticsearch and will be " +
-                "removed in a future release! See the breaking changes documentation for the next major version.");
-        }
     }
 
     public void testCreateSnifferDisabledByDefault() {

x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityIT.java

@@ -26,6 +26,7 @@
 import org.elasticsearch.cluster.health.ClusterHealthStatus;
 import org.elasticsearch.common.Priority;
 import org.elasticsearch.common.io.PathUtils;
+import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -149,18 +150,20 @@ protected Settings restClientSettings() {
 
     @Before
     public void enableExporter() throws Exception {
+        MockSecureSettings secureSettings = new MockSecureSettings();
+        secureSettings.setString("xpack.monitoring.exporters._http.auth.secure_password", "x-pack-test-password");
         Settings exporterSettings = Settings.builder()
             .put("xpack.monitoring.collection.enabled", true)
             .put("xpack.monitoring.exporters._http.enabled", true)
             .put("xpack.monitoring.exporters._http.type", "http")
             .put("xpack.monitoring.exporters._http.host", "https://" + randomNodeHttpAddress())
             .put("xpack.monitoring.exporters._http.auth.username", "monitoring_agent")
-            .put("xpack.monitoring.exporters._http.auth.password", "x-pack-test-password")
             .put("xpack.monitoring.exporters._http.ssl.verification_mode", "full")
             .put("xpack.monitoring.exporters._http.ssl.certificate_authorities", "testnode.crt")
+            .setSecureSettings(secureSettings)
             .build();
         ClusterUpdateSettingsResponse response = newHighLevelClient().cluster().putSettings(
-            new ClusterUpdateSettingsRequest().transientSettings(exporterSettings), getRequestOptions());
+            new ClusterUpdateSettingsRequest().transientSettings(exporterSettings), RequestOptions.DEFAULT);
         assertTrue(response.isAcknowledged());
     }
 
@@ -172,22 +175,14 @@ public void disableExporter() throws IOException {
             .putNull("xpack.monitoring.exporters._http.type")
             .putNull("xpack.monitoring.exporters._http.host")
             .putNull("xpack.monitoring.exporters._http.auth.username")
-            .putNull("xpack.monitoring.exporters._http.auth.password")
             .putNull("xpack.monitoring.exporters._http.ssl.verification_mode")
             .putNull("xpack.monitoring.exporters._http.ssl.certificate_authorities")
             .build();
         ClusterUpdateSettingsResponse response = newHighLevelClient().cluster().putSettings(
-            new ClusterUpdateSettingsRequest().transientSettings(exporterSettings), getRequestOptions());
+            new ClusterUpdateSettingsRequest().transientSettings(exporterSettings), RequestOptions.DEFAULT);
         assertTrue(response.isAcknowledged());
     }
 
-    private RequestOptions getRequestOptions() {
-        String deprecationWarning = "[xpack.monitoring.exporters._http.auth.password] setting was deprecated in Elasticsearch and will " +
-            "be removed in a future release! See the breaking changes documentation for the next major version.";
-        return RequestOptions.DEFAULT.toBuilder().setWarningsHandler(warnings -> warnings.size() != 1 ||
-            warnings.get(0).equals(deprecationWarning) == false).build();
-    }
-
     private boolean getMonitoringUsageExportersDefined() throws Exception {
         RestHighLevelClient client = newHighLevelClient();
         final XPackUsageResponse usageResponse = client.xpack().usage(new XPackUsageRequest(), RequestOptions.DEFAULT);