Description
Elasticsearch version (bin/elasticsearch --version):
7.0.1 (official docker image used but it's not version or installation specific)
Steps to reproduce
2 scenarios:
A. Scenario with elasticsearch.yml
- On a 3-node cluster (the fourth IP is Kibana's), in elasticsearch.yml use:
    xpack.security.transport.filter.enabled: true
    xpack.security.transport.filter.allow: [ "172.18.0.2/32", "172.18.0.3/32", "172.18.0.4/32", "172.18.0.5/32"]
    xpack.security.transport.filter.deny: "_all"
- Observe that GET _cluster/settings?include_defaults shows that http filtering is now in place in the defaults cluster settings:
    (...) "security" : {
      "dls_fls" : {
        "enabled" : "true"
      },
      "transport" : {
        "filter" : {
          "allow" : [
            "172.18.0.2/32", (...)
      "http" : {
        "filter" : {
          "allow" : [
            "172.18.0.2/32",
This also works as per those settings: transport AND http filtering are active.
B. Scenario with cluster settings update API (potentially more confusing)
1- Start a 3-node cluster (no IP filtering)
2- Add IP filtering:
    PUT _cluster/settings
    {
      "persistent": {
        "xpack.security.transport.filter.enabled": true,
        "xpack.security.transport.filter.allow": [
          "172.18.0.2/32",
          "172.18.0.3/32",
          "172.18.0.4/32",
          "172.18.0.5/32"
        ],
        "xpack.security.transport.filter.deny": "_all"
      }
    }
3- Check the output of cluster settings:
    GET _cluster/settings?include_defaults
-> Nothing will clearly indicate that http filtering is in place (defaults show no filtering and persistent settings show only transport filtering), yet IP filtering is active for http.
To be able to disable http filtering, it will be necessary to define it:
    PUT _cluster/settings
    {
      "persistent": {
        "xpack.security.http.filter.enabled": false
      }
    }
The behaviour is not clear from the current documentation.
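
A check for scenario B, as an added example that is not part of the original issue: it reads a `GET _cluster/settings?include_defaults` response and reports transport filter rules that, per the behaviour reported above, also apply to http without appearing anywhere as http settings. The sample response is constructed, and the function name and labels are hypothetical.

```python
import json

TRANSPORT = "xpack.security.transport.filter."
HTTP = "xpack.security.http.filter."

def flatten(node, prefix=""):
    """Turn nested settings into dotted keys; already-flat keys pass through."""
    flat = {}
    for key, value in node.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value
    return flat

def classify(settings):
    """Return (label, transport rules that also filter http without being shown)."""
    explicit = {}
    for scope in ("persistent", "transient"):  # transient overrides persistent
        explicit.update(flatten(settings.get(scope) or {}))
    defaults = flatten(settings.get("defaults") or {})
    rules = {k: v for k, v in explicit.items()
             if k in (TRANSPORT + "allow", TRANSPORT + "deny") and v}
    enabled = str(explicit.get(TRANSPORT + "enabled", "true")).lower() == "true"
    if not rules or not enabled:
        return "no-api-transport-filter", {}
    if any(k.startswith(HTTP) for k in explicit):
        return "http-explicit", {}  # operator has stated the http side
    if any(k.startswith(HTTP) and not k.endswith("enabled") and v
           for k, v in defaults.items()):
        return "http-visible-in-defaults", {}  # scenario A: defaults show it
    return "http-implicit-hidden", rules  # scenario B

# Constructed response modelled on scenario B (not captured from a real cluster).
SCENARIO_B = json.loads("""
{
  "persistent": {"xpack": {"security": {"transport": {"filter": {
      "enabled": "true",
      "allow": ["172.18.0.2/32", "172.18.0.3/32", "172.18.0.4/32", "172.18.0.5/32"],
      "deny": "_all"}}}}},
  "transient": {},
  "defaults": {"xpack": {"security": {"http": {"filter": {
      "enabled": "true", "allow": [], "deny": []}}}}}
}
""")

if __name__ == "__main__":
    label, rules = classify(SCENARIO_B)
    print(label)
    for key, value in sorted(rules.items()):
        print(f"  {key} = {value}")
```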