From 68aa34da91a8f8cbc2a2b9f7f7a3f101a3e15960 Mon Sep 17 00:00:00 2001 From: Dan Hermann Date: Wed, 4 Mar 2020 11:11:21 -0600 Subject: [PATCH 1/2] remove deprecated AUTH_PASSWORD setting --- .../migration/migrate_8_0/settings.asciidoc | 8 +++ .../settings/monitoring-settings.asciidoc | 10 +-- .../exporter/http/HttpExporter.java | 70 ++----------------- .../exporter/http/HttpExporterTests.java | 18 ----- 4 files changed, 14 insertions(+), 92 deletions(-) diff --git a/docs/reference/migration/migrate_8_0/settings.asciidoc b/docs/reference/migration/migrate_8_0/settings.asciidoc index eec5c4add28e7..a88fff5a7ca7f 100644 --- a/docs/reference/migration/migrate_8_0/settings.asciidoc +++ b/docs/reference/migration/migrate_8_0/settings.asciidoc @@ -51,3 +51,11 @@ setting `cluster.remote.connect` is removed. In Elasticsearch 7.8.0, the setting `node.local_storage` was deprecated and beginning in Elasticsearch 8.0.0 all nodes will require local storage. Therefore, the `node.local_storage` setting has been removed. + +[float] +==== `auth.password` for HTTP monitoring is removed + +In Elasticsearch 7.7.0, the setting `xpack.monitoring.exporters..auth.password` +was deprecated in favor of setting `xpack.monitoring.exporters..auth.secure_password`. +In Elasticsearch 8.0.0, the setting `xpack.monitoring.exporters..auth.password` is +removed. diff --git a/docs/reference/settings/monitoring-settings.asciidoc b/docs/reference/settings/monitoring-settings.asciidoc index 7ccf510b253de..5c67685863afa 100644 --- a/docs/reference/settings/monitoring-settings.asciidoc +++ b/docs/reference/settings/monitoring-settings.asciidoc 
@@ -196,17 +196,11 @@ xpack.monitoring.exporters: `auth.username`:: -The username is required if `auth.secure_password` or `auth.password` is supplied. +The username is required if `auth.secure_password` is supplied. `auth.secure_password` (<>, <>):: -The password for the `auth.username`. Takes precedence over `auth.password` if it is also specified. - -`auth.password`:: - -The password for the `auth.username`. If `auth.secure_password` is also specified, this setting is ignored. - -deprecated[7.7.0, Use `auth.secure_password` instead.] +The password for the `auth.username`. `connection.timeout`:: diff --git a/x-pack/plugin/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporter.java b/x-pack/plugin/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporter.java index 1ca03d73349c8..25970ce6218c8 100644 --- a/x-pack/plugin/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporter.java +++ b/x-pack/plugin/monitoring/src/main/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporter.java @@ -210,7 +210,6 @@ public void validate(final String username, final Map, Object> settin HttpExporter.AUTH_USERNAME_SETTING.getNamespace( HttpExporter.AUTH_USERNAME_SETTING.getConcreteSetting(key)); - // password must be specified along with username for any auth if (Strings.isNullOrEmpty(username) == false) { final String type = (String) settings.get(Exporter.TYPE_SETTING.getConcreteSettingForNamespace(namespace)); @@ -218,11 +217,6 @@ public void validate(final String username, final Map, Object> settin throw new SettingsException("username for [" + key + "] is set but type is [" + type + "]"); } } - - // it would be ideal to validate that just one of either AUTH_PASSWORD_SETTING or - // AUTH_SECURE_PASSWORD_SETTING were present here, but that is not currently possible with the settings - // validation framework. - // https://github.com/elastic/elasticsearch/issues/51332 } @Override 
@@ -241,52 +235,6 @@ public Iterator> settings() { Property.NodeScope, Property.Filtered), TYPE_DEPENDENCY); - /** - * Password for basic auth. - */ - public static final Setting.AffixSetting AUTH_PASSWORD_SETTING = - Setting.affixKeySetting("xpack.monitoring.exporters.","auth.password", - (key) -> Setting.simpleString(key, - new Setting.Validator() { - @Override - public void validate(String password) { - // no password validation that is independent of other settings - } - - @Override - public void validate(String password, Map, Object> settings) { - final String namespace = - HttpExporter.AUTH_PASSWORD_SETTING.getNamespace( - HttpExporter.AUTH_PASSWORD_SETTING.getConcreteSetting(key)); - final String username = - (String) settings.get(AUTH_USERNAME_SETTING.getConcreteSettingForNamespace(namespace)); - - // username is required for any auth - if (Strings.isNullOrEmpty(username)) { - if (Strings.isNullOrEmpty(password) == false) { - throw new IllegalArgumentException( - "[" + AUTH_PASSWORD_SETTING.getConcreteSettingForNamespace(namespace).getKey() + "] without [" + - AUTH_USERNAME_SETTING.getConcreteSettingForNamespace(namespace).getKey() + "]"); - } - } - } - - @Override - public Iterator> settings() { - final String namespace = - HttpExporter.AUTH_PASSWORD_SETTING.getNamespace( - HttpExporter.AUTH_PASSWORD_SETTING.getConcreteSetting(key)); - final List> settings = List.of( - HttpExporter.AUTH_USERNAME_SETTING.getConcreteSettingForNamespace(namespace)); - return settings.iterator(); - } - - }, - Property.Dynamic, - Property.NodeScope, - Property.Filtered, - Property.Deprecated), - TYPE_DEPENDENCY); /** * Secure password for basic auth. */ 
@@ -757,18 +705,8 @@ public static List loadSettings(Settings settings) { private static CredentialsProvider createCredentialsProvider(final Config config) { final String username = AUTH_USERNAME_SETTING.getConcreteSettingForNamespace(config.name()).get(config.settings()); - final String deprecatedPassword = AUTH_PASSWORD_SETTING.getConcreteSettingForNamespace(config.name()).get(config.settings()); final SecureString securePassword = SECURE_AUTH_PASSWORDS.get(config.name()); - final String password; - if (securePassword != null) { - password = securePassword.toString(); - if (Strings.isNullOrEmpty(deprecatedPassword) == false) { - logger.warn("exporter [{}] specified both auth.secure_password and auth.password. using auth.secure_password and " + - "ignoring auth.password", config.name()); - } - } else { - password = deprecatedPassword; - } + final String password = securePassword != null ? securePassword.toString() : null; final CredentialsProvider credentialsProvider = new BasicCredentialsProvider(); credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password)); @@ -934,9 +872,9 @@ public void doClose() { } public static List> getDynamicSettings() { - return Arrays.asList(HOST_SETTING, TEMPLATE_CREATE_LEGACY_VERSIONS_SETTING, AUTH_PASSWORD_SETTING, AUTH_USERNAME_SETTING, - BULK_TIMEOUT_SETTING, CONNECTION_READ_TIMEOUT_SETTING, CONNECTION_TIMEOUT_SETTING, PIPELINE_CHECK_TIMEOUT_SETTING, - PROXY_BASE_PATH_SETTING, SNIFF_ENABLED_SETTING, TEMPLATE_CHECK_TIMEOUT_SETTING, SSL_SETTING, HEADERS_SETTING); + return Arrays.asList(HOST_SETTING, TEMPLATE_CREATE_LEGACY_VERSIONS_SETTING, AUTH_USERNAME_SETTING, BULK_TIMEOUT_SETTING, + CONNECTION_READ_TIMEOUT_SETTING, CONNECTION_TIMEOUT_SETTING, PIPELINE_CHECK_TIMEOUT_SETTING, PROXY_BASE_PATH_SETTING, + SNIFF_ENABLED_SETTING, TEMPLATE_CHECK_TIMEOUT_SETTING, SSL_SETTING, HEADERS_SETTING); } public static List> getSecureSettings() { 
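Review bot: With the fallback gone, `final String password = securePassword != null ? securePassword.toString() : null;` passes a null password to `UsernamePasswordCredentials` whenever `auth.username` is set but the keystore has no `auth.secure_password`, and nothing visible in this hunk reports it. The exporter would then fail authentication against the monitoring cluster with no pointer to the missing keystore entry, which is easy to hit while migrating off `auth.password`. Consider warning (or throwing a `SettingsException`) before the provider is built, e.g. `if (Strings.isNullOrEmpty(username) == false && securePassword == null) { logger.warn("exporter [{}] sets auth.username but has no auth.secure_password in the keystore", config.name()); }`. The body of createCredentialsProvider continues outside the hunk, so a guard for the empty-username case may already exist there.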
diff --git a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java index c033aba0f0776..0c26a71e54f4e 100644 --- a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java +++ b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java @@ -238,24 +238,6 @@ public void testExporterWithEmptyHeaders() { assertThat(exception.getMessage(), equalTo(expected)); } - public void testExporterWithPasswordButNoUsername() { - final String expected = - "[xpack.monitoring.exporters._http.auth.password] without [xpack.monitoring.exporters._http.auth.username]"; - final String prefix = "xpack.monitoring.exporters._http"; - final Settings settings = Settings.builder() - .put(prefix + ".type", HttpExporter.TYPE) - .put(prefix + ".host", "localhost:9200") - .put(prefix + ".auth.password", "_pass") - .build(); - - final IllegalArgumentException e = expectThrows( - IllegalArgumentException.class, - () -> HttpExporter.AUTH_PASSWORD_SETTING.getConcreteSetting(prefix + ".auth.password").get(settings)); - assertThat(e, hasToString(containsString(expected))); - assertWarnings("[xpack.monitoring.exporters._http.auth.password] setting was deprecated in Elasticsearch and will be removed " + - "in a future release! See the breaking changes documentation for the next major version."); - } - public void testExporterWithUnknownBlacklistedClusterAlerts() { final SSLIOSessionStrategy sslStrategy = mock(SSLIOSessionStrategy.class); when(sslService.sslIOSessionStrategy(any(Settings.class))).thenReturn(sslStrategy); From 1c3374115fd4632cb796314adc6b81bae94ad170 Mon Sep 17 00:00:00 2001 
From: Dan Hermann Date: Tue, 7 Apr 2020 12:30:06 -0500 Subject: [PATCH 2/2] fix docs and tests --- .../collecting-monitoring-data.asciidoc | 8 ++++---- docs/reference/monitoring/http-export.asciidoc | 2 +- .../exporter/http/HttpExporterIT.java | 1 - .../exporter/http/HttpExporterTests.java | 10 ++++------ .../SmokeTestMonitoringWithSecurityIT.java | 17 ++++++----------- 5 files changed, 15 insertions(+), 23 deletions(-) diff --git a/docs/reference/monitoring/collecting-monitoring-data.asciidoc b/docs/reference/monitoring/collecting-monitoring-data.asciidoc index b08cd776ef2c8..39ef657b7c6cc 100644 --- a/docs/reference/monitoring/collecting-monitoring-data.asciidoc +++ b/docs/reference/monitoring/collecting-monitoring-data.asciidoc @@ -143,7 +143,7 @@ Alternatively, use the <>. ... Add the user ID and password settings to the HTTP exporter settings in the -`elasticsearch.yml` file on each node. + +`elasticsearch.yml` file and keystore on each node. + + -- For example: @@ -155,7 +155,7 @@ xpack.monitoring.exporters: type: http host: ["http://es-mon-1:9200", "http://es-mon2:9200"] auth.username: remote_monitoring_user - auth.password: YOUR_PASSWORD + # "xpack.monitoring.exporters.id1.auth.secure_password" must be set in the keystore -------------------------------------------------- -- @@ -177,7 +177,7 @@ xpack.monitoring.exporters: host: ["https://es-mon1:9200", "https://es-mon2:9200"] auth: username: remote_monitoring_user - password: YOUR_PASSWORD + # "xpack.monitoring.exporters.id1.auth.secure_password" must be set in the keystore ssl: certificate_authorities: [ "/path/to/ca.crt" ] -------------------------------------------------- @@ -195,7 +195,7 @@ xpack.monitoring.exporters: host: ["https://es-mon1:9200", "https://es-mon2:9200"] auth: username: remote_monitoring_user - password: YOUR_PASSWORD + # "xpack.monitoring.exporters.id1.auth.secure_password" must be set in the keystore ssl: truststore.path: /path/to/file truststore.password: password 
diff --git a/docs/reference/monitoring/http-export.asciidoc b/docs/reference/monitoring/http-export.asciidoc index 0a12b7d44d882..ce859860fd01e 100644 --- a/docs/reference/monitoring/http-export.asciidoc +++ b/docs/reference/monitoring/http-export.asciidoc @@ -42,7 +42,7 @@ xpack.monitoring.exporters: host: [ "10.1.2.3:9200", ... ] <3> auth: <4> username: my_username - password: changeme + # "xpack.monitoring.exporters.my_remote.auth.secure_password" must be set in the keystore connection: timeout: 6s read_timeout: 60s diff --git a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterIT.java b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterIT.java index 3f2d9073e1587..6f274d366d0ab 100644 --- a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterIT.java +++ b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterIT.java @@ -174,7 +174,6 @@ public void testSecureSetting() throws Exception { final String authHeaderValue2 = Base64.encode(userName + ":" + securePassword2); Settings settings = secureSettings(securePassword1) - .put("xpack.monitoring.exporters._http.auth.password", "insecurePassword") // verify this password is not used .build(); PluginsService pluginsService = internalCluster().getInstances(PluginsService.class).iterator().next(); LocalStateMonitoring localStateMonitoring = pluginsService.filterPlugins(LocalStateMonitoring.class).iterator().next(); diff --git a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java index 0c26a71e54f4e..14ba931724b8e 100644 --- a/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java 
+++ b/x-pack/plugin/monitoring/src/test/java/org/elasticsearch/xpack/monitoring/exporter/http/HttpExporterTests.java @@ -314,8 +314,10 @@ public void testCreateRestClient() throws IOException { // use basic auth final boolean useBasicAuth = randomBoolean(); if (useBasicAuth) { - builder.put("xpack.monitoring.exporters._http.auth.username", "_user") - .put("xpack.monitoring.exporters._http.auth.password", "_pass"); + builder.put("xpack.monitoring.exporters._http.auth.username", "_user"); + MockSecureSettings mockSecureSettings = new MockSecureSettings(); + mockSecureSettings.setString("xpack.monitoring.exporters._http.auth.secure_password", "securePassword"); + builder.setSecureSettings(mockSecureSettings); } // use headers @@ -328,10 +330,6 @@ public void testCreateRestClient() throws IOException { // doesn't explode HttpExporter.createRestClient(config, sslService, listener).close(); - if (useBasicAuth) { - assertWarnings("[xpack.monitoring.exporters._http.auth.password] setting was deprecated in Elasticsearch and will be " + - "removed in a future release! See the breaking changes documentation for the next major version."); - } } public void testCreateSnifferDisabledByDefault() { diff --git a/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityIT.java b/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityIT.java index c89e889e813b9..3a0f5a959dbf4 100644 --- a/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityIT.java +++ b/x-pack/qa/smoke-test-plugins-ssl/src/test/java/org/elasticsearch/smoketest/SmokeTestMonitoringWithSecurityIT.java 
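Review bot: The `useBasicAuth` branch may no longer exercise a password at all, because createCredentialsProvider in this patch reads it from `SECURE_AUTH_PASSWORDS.get(config.name())` rather than from the `Settings` the builder produces, and nothing in this hunk populates that map. If the map is filled by `HttpExporter.loadSettings(Settings)` (inferred from the hunk header in HttpExporter.java, so worth confirming), the test should call it with the built settings before `createRestClient`. Otherwise the client is built with a null password and the test still passes, since it only checks that nothing throws. An assertion on the configured credentials would make the branch meaningful. testCreateRestClient starts and ends outside the hunk.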
@@ -26,6 +26,7 @@ import org.elasticsearch.cluster.health.ClusterHealthStatus; import org.elasticsearch.common.Priority; import org.elasticsearch.common.io.PathUtils; +import org.elasticsearch.common.settings.MockSecureSettings; import org.elasticsearch.common.settings.SecureString; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; @@ -149,18 +150,20 @@ protected Settings restClientSettings() { @Before public void enableExporter() throws Exception { + MockSecureSettings secureSettings = new MockSecureSettings(); + secureSettings.setString("xpack.monitoring.exporters._http.auth.secure_password", "x-pack-test-password"); Settings exporterSettings = Settings.builder() .put("xpack.monitoring.collection.enabled", true) .put("xpack.monitoring.exporters._http.enabled", true) .put("xpack.monitoring.exporters._http.type", "http") .put("xpack.monitoring.exporters._http.host", "https://" + randomNodeHttpAddress()) .put("xpack.monitoring.exporters._http.auth.username", "monitoring_agent") - .put("xpack.monitoring.exporters._http.auth.password", "x-pack-test-password") .put("xpack.monitoring.exporters._http.ssl.verification_mode", "full") .put("xpack.monitoring.exporters._http.ssl.certificate_authorities", "testnode.crt") + .setSecureSettings(secureSettings) .build(); ClusterUpdateSettingsResponse response = newHighLevelClient().cluster().putSettings( - new ClusterUpdateSettingsRequest().transientSettings(exporterSettings), getRequestOptions()); + new ClusterUpdateSettingsRequest().transientSettings(exporterSettings), RequestOptions.DEFAULT); assertTrue(response.isAcknowledged()); } 
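Review bot: In `enableExporter`, the `MockSecureSettings` attached with `.setSecureSettings(secureSettings)` is unlikely to reach the cluster, because the `Settings` object is sent as `transientSettings` in a `ClusterUpdateSettingsRequest` and secure settings are, as far as I know, not serialized with the regular key/value pairs. If so, the exporter authenticates with whatever `auth.secure_password` the test nodes' keystore holds (or with none), and the password literal here is dead code that suggests otherwise. Either provision `xpack.monitoring.exporters._http.auth.secure_password` in the test cluster's keystore and drop the mock, or add a comment such as `// secure_password comes from the node keystore configured in the test cluster setup`. The switch to `RequestOptions.DEFAULT` here and in `disableExporter` looks consistent with no deprecation warning being expected any more.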
@@ -172,22 +175,14 @@ public void disableExporter() throws IOException { .putNull("xpack.monitoring.exporters._http.type") .putNull("xpack.monitoring.exporters._http.host") .putNull("xpack.monitoring.exporters._http.auth.username") - .putNull("xpack.monitoring.exporters._http.auth.password") .putNull("xpack.monitoring.exporters._http.ssl.verification_mode") .putNull("xpack.monitoring.exporters._http.ssl.certificate_authorities") .build(); ClusterUpdateSettingsResponse response = newHighLevelClient().cluster().putSettings( - new ClusterUpdateSettingsRequest().transientSettings(exporterSettings), getRequestOptions()); + new ClusterUpdateSettingsRequest().transientSettings(exporterSettings), RequestOptions.DEFAULT); assertTrue(response.isAcknowledged()); } - private RequestOptions getRequestOptions() { - String deprecationWarning = "[xpack.monitoring.exporters._http.auth.password] setting was deprecated in Elasticsearch and will " + - "be removed in a future release! See the breaking changes documentation for the next major version."; - return RequestOptions.DEFAULT.toBuilder().setWarningsHandler(warnings -> warnings.size() != 1 || - warnings.get(0).equals(deprecationWarning) == false).build(); - } - private boolean getMonitoringUsageExportersDefined() throws Exception { RestHighLevelClient client = newHighLevelClient(); final XPackUsageResponse usageResponse = client.xpack().usage(new XPackUsageRequest(), RequestOptions.DEFAULT);