From bab3c327f5d0dda98e89cb234495993426f2201a Mon Sep 17 00:00:00 2001
From: Keith Massey
Date: Thu, 26 Aug 2021 09:58:22 -0500
Subject: [PATCH] Adding deprecation info api checks for obsolete security settings
---
 .../xpack/deprecation/DeprecationChecks.java | 3 ++
 .../deprecation/NodeDeprecationChecks.java | 44 ++++++++++++++-
 .../NodeDeprecationChecksTests.java | 54 ++++++++++++++++++-
 3 files changed, 99 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java
index dddccceb358ac..c4597fb955be7 100644
--- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java
+++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java
@@ -95,6 +95,9 @@ private DeprecationChecks() {
 NodeDeprecationChecks::checkSingleDataNodeWatermarkSetting,
 NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial,
 NodeDeprecationChecks::checkMonitoringExporterPassword,
+ NodeDeprecationChecks::checkAcceptDefaultPasswordSetting,
+ NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting,
+ NodeDeprecationChecks::checkRolesCacheTTLSizeSetting,
 NodeDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting
 )
 ).collect(Collectors.toList());
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
index 4968eea4ed60f..ff75f40e35d48 100644
--- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
+++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
@@ -21,6 +21,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.common.util.set.Sets; +import org.elasticsearch.core.TimeValue; import org.elasticsearch.env.Environment; import org.elasticsearch.jdk.JavaVersion; import org.elasticsearch.license.License; @@ -31,6 +32,7 @@ import org.elasticsearch.threadpool.FixedExecutorBuilder; import org.elasticsearch.transport.RemoteClusterService; import org.elasticsearch.xpack.core.XPackSettings; +import org.elasticsearch.xpack.core.security.SecurityField; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; @@ -455,7 +457,13 @@ static DeprecationIssue checkRemovedSetting(final Settings settings, return null; } final String removedSettingKey = removedSetting.getKey(); - final String value = removedSetting.get(settings).toString(); + Object removedSettingValue = removedSetting.get(settings); + String value; + if (removedSettingValue instanceof TimeValue) { + value = ((TimeValue) removedSettingValue).getStringRep(); + } else { + value = removedSettingValue.toString(); + } final String message = String.format(Locale.ROOT, "setting [%s] is deprecated and will be removed in the next major version", removedSettingKey); final String details = 
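Review bot: The `instanceof TimeValue` branch added to `checkRemovedSetting` carries no comment explaining why one value type is singled out, so the next setting type whose `toString()` differs from its configured form will likely get another ad-hoc branch. A one-line comment above the `if` would record the intent, for example `// TimeValue.toString() prints a human-readable, possibly fractional form; getStringRep() keeps the duration and unit`. Separately, `value` is interpolated into the issue details (the test in this patch expects `currently set to [%s]`), so the method's Javadoc should state that it must not be used for settings whose values are sensitive. The body of `checkRemovedSetting` starts and ends outside this hunk, so the rest of the method was not reviewed.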
@@ -595,4 +603,38 @@ static DeprecationIssue checkClusterRoutingAllocationIncludeRelocationsSetting(f
 DeprecationIssue.Level.CRITICAL
 );
 }
+
+ static DeprecationIssue checkAcceptDefaultPasswordSetting(final Settings settings,
+ final PluginsAndModules pluginsAndModules,
+ final ClusterState clusterState,
+ final XPackLicenseState licenseState) {
+ return checkRemovedSetting(settings,
+ Setting.boolSetting(SecurityField.setting("authc.accept_default_password"),true, Setting.Property.Deprecated),
+ "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
+ DeprecationIssue.Level.CRITICAL
+ );
+ }
+
+ static DeprecationIssue checkAcceptRolesCacheMaxSizeSetting(final Settings settings,
+ final PluginsAndModules pluginsAndModules,
+ final ClusterState clusterState,
+ final XPackLicenseState licenseState) {
+ return checkRemovedSetting(settings,
+ Setting.intSetting(SecurityField.setting("authz.store.roles.index.cache.max_size"), 10000, Setting.Property.Deprecated),
+ "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
+ DeprecationIssue.Level.CRITICAL
+ );
+ }
+
+ static DeprecationIssue checkRolesCacheTTLSizeSetting(final Settings settings,
+ final PluginsAndModules pluginsAndModules,
+ final ClusterState clusterState,
+ final XPackLicenseState licenseState) {
+ return checkRemovedSetting(settings,
+ Setting.timeSetting(SecurityField.setting("authz.store.roles.index.cache.ttl"), TimeValue.timeValueMinutes(20),
+ Setting.Property.Deprecated),
+ "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
+ DeprecationIssue.Level.CRITICAL
+ );
+ }
 }
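Review bot: Two of the new method names look like copy-paste slips: `checkAcceptRolesCacheMaxSizeSetting` carries an `Accept` that belongs to the default-password check, and `checkRolesCacheTTLSizeSetting` carries a `Size` although it covers `authz.store.roles.index.cache.ttl`. `checkRolesCacheMaxSizeSetting` and `checkRolesCacheTtlSetting` would match the settings they flag, with the references in DeprecationChecks.java and NodeDeprecationChecksTests.java renamed to suit. The documentation URL is repeated as a literal in all three methods and points at the moving `reference/master/` tree, so a single named constant would leave one place to update when the anchor changes. None of the three methods has a Javadoc line; one sentence each naming the removed setting would be enough, e.g. `/** Flags use of xpack.security.authc.accept_default_password, listed as removed in the linked 8.0 migration notes. */`.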
diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java
index 0886f0dfe28fd..20bbf506f8198 100644
--- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java
+++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java
@@ -21,9 +21,9 @@
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.core.Set;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.jdk.JavaVersion;
 import org.elasticsearch.license.License;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.jdk.JavaVersion;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.test.ESTestCase;
@@ -863,4 +863,56 @@ public void testImplicitlyConfiguredSecurityOnGoldPlus() { final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertThat(issues, empty()); } + + private void checkSimpleSetting(String settingKey, String settingValue, String url, DeprecationChecks.NodeDeprecationCheck checkFunction) { + final Settings nodeSettings = + Settings.builder().put(settingKey, settingValue).build(); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final ClusterState clusterState = ClusterState.EMPTY_STATE; + final DeprecationIssue expectedIssue = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + String.format(Locale.ROOT, + "setting [%s] is deprecated and will be removed in the next major version", + settingKey), + url, + String.format(Locale.ROOT, + "the setting [%s] is currently set to [%s], remove this setting", + settingKey, + settingValue), + false,null + ); + + assertThat( + checkFunction.apply(nodeSettings, null, clusterState, licenseState), + equalTo(expectedIssue) + ); + + final String expectedWarning = String.format(Locale.ROOT, + "[%s] setting was deprecated in Elasticsearch and will be removed in a future release! 
" + + "See the breaking changes documentation for the next major version.", + settingKey); + + assertWarnings(expectedWarning); + } + + public void testCheckAcceptDefaultPasswordSetting() { + String settingKey = "xpack.security.authc.accept_default_password"; + String settingValue = String.valueOf(randomBoolean()); + String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes"; + checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkAcceptDefaultPasswordSetting); + } + + public void testCheckAcceptRolesCacheMaxSizeSetting() { + String settingKey = "xpack.security.authz.store.roles.index.cache.max_size"; + String settingValue = String.valueOf(randomIntBetween(1, 10000)); + String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes"; + checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting); + } + + public void testCheckRolesCacheTTLSizeSetting() { + String settingKey = "xpack.security.authz.store.roles.index.cache.ttl"; + String settingValue = randomPositiveTimeValue(); + String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes"; + checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkRolesCacheTTLSizeSetting); + } }
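Review bot: `checkSimpleSetting` only exercises the case where the setting is present, so none of these tests would fail if a check fired on a node that never configured the setting. That matters here because each check rebuilds its setting with a non-null default (`true`, `10000`, 20 minutes). A negative assertion in the helper would pin the absent case: `assertThat(checkFunction.apply(Settings.EMPTY, null, clusterState, licenseState), nullValue());`. It needs the Hamcrest `nullValue` matcher in scope, which this hunk does not show. Existing tests for `checkRemovedSetting` outside the hunk may already cover the absent case.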