From 2493f141c6462bf81e97c98c6a61aa1cec198050 Mon Sep 17 00:00:00 2001 From: Keith Massey Date: Thu, 26 Aug 2021 09:58:22 -0500 Subject: [PATCH 1/2] Adding deprecation info api checks for obsolete security settings --- .../xpack/deprecation/DeprecationChecks.java | 3 ++ .../deprecation/NodeDeprecationChecks.java | 44 ++++++++++++++- .../NodeDeprecationChecksTests.java | 54 ++++++++++++++++++- 3 files changed, 99 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index dddccceb358ac..c4597fb955be7 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java @@ -95,6 +95,9 @@ private DeprecationChecks() { NodeDeprecationChecks::checkSingleDataNodeWatermarkSetting, NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial, NodeDeprecationChecks::checkMonitoringExporterPassword, + NodeDeprecationChecks::checkAcceptDefaultPasswordSetting, + NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting, + NodeDeprecationChecks::checkRolesCacheTTLSizeSetting, NodeDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting ) ).collect(Collectors.toList()); diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index 4968eea4ed60f..ff75f40e35d48 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -21,6 +21,7 @@ import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.common.util.set.Sets; +import org.elasticsearch.core.TimeValue; import org.elasticsearch.env.Environment; import org.elasticsearch.jdk.JavaVersion; import org.elasticsearch.license.License; @@ -31,6 +32,7 @@ import org.elasticsearch.threadpool.FixedExecutorBuilder; import org.elasticsearch.transport.RemoteClusterService; import org.elasticsearch.xpack.core.XPackSettings; +import org.elasticsearch.xpack.core.security.SecurityField; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.RealmSettings; import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings; @@ -455,7 +457,13 @@ static DeprecationIssue checkRemovedSetting(final Settings settings, return null; } final String removedSettingKey = removedSetting.getKey(); - final String value = removedSetting.get(settings).toString(); + Object removedSettingValue = removedSetting.get(settings); + String value; + if (removedSettingValue instanceof TimeValue) { + value = ((TimeValue) removedSettingValue).getStringRep(); + } else { + value = removedSettingValue.toString(); + } final String message = String.format(Locale.ROOT, "setting [%s] is deprecated and will be removed in the next major version", removedSettingKey); final String details = @@ -595,4 +603,38 @@ static DeprecationIssue checkClusterRoutingAllocationIncludeRelocationsSetting(f DeprecationIssue.Level.CRITICAL ); } + + static DeprecationIssue checkAcceptDefaultPasswordSetting(final Settings settings, + final PluginsAndModules pluginsAndModules, + final ClusterState clusterState, + final XPackLicenseState licenseState) { + return checkRemovedSetting(settings, + Setting.boolSetting(SecurityField.setting("authc.accept_default_password"),true, Setting.Property.Deprecated), + "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes", + DeprecationIssue.Level.CRITICAL + ); + } + + static DeprecationIssue checkAcceptRolesCacheMaxSizeSetting(final Settings settings, + final PluginsAndModules pluginsAndModules, + final ClusterState clusterState, + final XPackLicenseState licenseState) { + return checkRemovedSetting(settings, + Setting.intSetting(SecurityField.setting("authz.store.roles.index.cache.max_size"), 10000, Setting.Property.Deprecated), + "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes", + DeprecationIssue.Level.CRITICAL + ); + } + + static DeprecationIssue checkRolesCacheTTLSizeSetting(final Settings settings, + final PluginsAndModules pluginsAndModules, + final ClusterState clusterState, + final XPackLicenseState licenseState) { + return checkRemovedSetting(settings, + Setting.timeSetting(SecurityField.setting("authz.store.roles.index.cache.ttl"), TimeValue.timeValueMinutes(20), + Setting.Property.Deprecated), + "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes", + DeprecationIssue.Level.CRITICAL + ); + } } diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 0886f0dfe28fd..20bbf506f8198 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -21,9 +21,9 @@ import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.core.Set; import org.elasticsearch.env.Environment; +import org.elasticsearch.jdk.JavaVersion; import org.elasticsearch.license.License; import org.elasticsearch.license.XPackLicenseState; -import org.elasticsearch.jdk.JavaVersion; import org.elasticsearch.node.Node; import org.elasticsearch.script.ScriptService; import org.elasticsearch.test.ESTestCase; @@ -863,4 +863,56 @@ public void testImplicitlyConfiguredSecurityOnGoldPlus() { final List issues = getDeprecationIssues(settings, pluginsAndModules, licenseState); assertThat(issues, empty()); } + + private void checkSimpleSetting(String settingKey, String settingValue, String url, DeprecationChecks.NodeDeprecationCheck checkFunction) { + final Settings nodeSettings = + Settings.builder().put(settingKey, settingValue).build(); + final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0); + final ClusterState clusterState = ClusterState.EMPTY_STATE; + final DeprecationIssue expectedIssue = new DeprecationIssue(DeprecationIssue.Level.CRITICAL, + String.format(Locale.ROOT, + "setting [%s] is deprecated and will be removed in the next major version", + settingKey), + url, + String.format(Locale.ROOT, + "the setting [%s] is currently set to [%s], remove this setting", + settingKey, + settingValue), + false,null + ); + + assertThat( + checkFunction.apply(nodeSettings, null, clusterState, licenseState), + equalTo(expectedIssue) + ); + + final String expectedWarning = String.format(Locale.ROOT, + "[%s] setting was deprecated in Elasticsearch and will be removed in a future release! " + + "See the breaking changes documentation for the next major version.", + settingKey); + + assertWarnings(expectedWarning); + } + + public void testCheckAcceptDefaultPasswordSetting() { + String settingKey = "xpack.security.authc.accept_default_password"; + String settingValue = String.valueOf(randomBoolean()); + String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes"; + checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkAcceptDefaultPasswordSetting); + } + + public void testCheckAcceptRolesCacheMaxSizeSetting() { + String settingKey = "xpack.security.authz.store.roles.index.cache.max_size"; + String settingValue = String.valueOf(randomIntBetween(1, 10000)); + String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes"; + checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting); + } + + public void testCheckRolesCacheTTLSizeSetting() { + String settingKey = "xpack.security.authz.store.roles.index.cache.ttl"; + String settingValue = randomPositiveTimeValue(); + String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes"; + checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkRolesCacheTTLSizeSetting); + } } From fcb0b1c47d309319e07bd03499d4e2dae351e223 Mon Sep 17 00:00:00 2001 From: Keith Massey Date: Thu, 26 Aug 2021 12:14:37 -0500 Subject: [PATCH 2/2] Adding a deprecation info check for node.max_local_storage_nodes --- .../xpack/deprecation/DeprecationChecks.java | 1 + .../xpack/deprecation/NodeDeprecationChecks.java | 12 ++++++++++++ .../deprecation/NodeDeprecationChecksTests.java | 9 +++++++++ 3 files changed, 22 insertions(+) diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java index c4597fb955be7..39429aeb21833 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java @@ -98,6 +98,7 @@ private DeprecationChecks() { NodeDeprecationChecks::checkAcceptDefaultPasswordSetting, NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting, NodeDeprecationChecks::checkRolesCacheTTLSizeSetting, + NodeDeprecationChecks::checkMaxLocalStorageNodesSetting, NodeDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting ) ).collect(Collectors.toList()); diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java index ff75f40e35d48..5cfe6cb75e175 100644 --- a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java +++ b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java @@ -23,6 +23,7 @@ import org.elasticsearch.common.util.set.Sets; import org.elasticsearch.core.TimeValue; import org.elasticsearch.env.Environment; +import org.elasticsearch.env.NodeEnvironment; import org.elasticsearch.jdk.JavaVersion; import org.elasticsearch.license.License; import org.elasticsearch.license.XPackLicenseState; @@ -637,4 +638,15 @@ static DeprecationIssue checkRolesCacheTTLSizeSetting(final Settings settings, DeprecationIssue.Level.CRITICAL ); } + + static DeprecationIssue checkMaxLocalStorageNodesSetting(final Settings settings, + final PluginsAndModules pluginsAndModules, + final ClusterState clusterState, + final XPackLicenseState licenseState) { + return checkRemovedSetting(settings, + NodeEnvironment.MAX_LOCAL_STORAGE_NODES_SETTING, + "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_node_changes", + DeprecationIssue.Level.CRITICAL + ); + } } diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java index 20bbf506f8198..30507dfec264b 100644 --- a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java +++ b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java @@ -21,6 +21,7 @@ import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.core.Set; import org.elasticsearch.env.Environment; +import org.elasticsearch.env.NodeEnvironment; import org.elasticsearch.jdk.JavaVersion; import org.elasticsearch.license.License; import org.elasticsearch.license.XPackLicenseState; @@ -915,4 +916,12 @@ public void testCheckRolesCacheTTLSizeSetting() { String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes"; checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkRolesCacheTTLSizeSetting); } + + public void testCheckMaxLocalStorageNodesSetting() { + String settingKey = NodeEnvironment.MAX_LOCAL_STORAGE_NODES_SETTING.getKey(); + String settingValue = Integer.toString(randomIntBetween(1, 100)); + String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_node_changes"; + checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkMaxLocalStorageNodesSetting); + } + }