Skip to content

Adding deprecation info API check for misconfigured or ambiguous SSL settings #77092

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 3, 2021
Merged

Adding deprecation info API check for misconfigured or ambiguous SSL settings #77092

merged 3 commits into from
Sep 3, 2021

Conversation

@masseyke
Copy link
Member

@masseyke masseyke commented Aug 31, 2021

In 8.0 we prevent the server from starting up if certain SSL properties are misconfigured or ambiguous. Specifically:

  1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path nor ssl.key/ssl.certificate are configured)
  2. The server has some ssl configuration, but ssl.enabled is not specified.

This commit adds a check to the deprecation info API for these changes.
Relates #42404 #45892

@masseyke masseyke requested review from jbaiera and tvernum August 31, 2021 22:49
@elasticmachine elasticmachine added the Team:Data Management Meta label for data/management team label Aug 31, 2021
@elasticmachine
Copy link
Collaborator

elasticmachine commented Aug 31, 2021

Pinging @elastic/es-data-management (Team:Data Management)

jbaiera
jbaiera approved these changes Sep 2, 2021
View reviewed changes
Copy link
Member

@jbaiera jbaiera left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - Just one note about message wording that tripped my brain up.

...gin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java Outdated
keystorePathSettingKey, keyPathSettingKey, certificatePathSettingKey, enabledSettingKey);
details.add(detail);
} else if (keystorePathSettingExists && keyPathSettingExists && certificatePathSettingExists) {
String detail = String.format(Locale.ROOT, "all of [%s], [%s], and [%s] are set. Only [%s] or [%s] and [%s] can be " +
Copy link
Member

@jbaiera jbaiera Sep 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"x or y and z" scans a little strangely when reading for me. Maybe we rephrase to "Either x must be set or y and z must be set"

Copy link
Member Author

@masseyke masseyke Sep 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the wording to make it more clear.

@masseyke masseyke merged commit a98df4e into elastic:7.x Sep 3, 2021
@masseyke masseyke deleted the feature/deprecation-info-ssl-config branch September 3, 2021 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbaiera jbaiera jbaiera approved these changes

@tvernum tvernum Awaiting requested review from tvernum

Assignees

No one assigned

Labels

>non-issue Team:Data Management Meta label for data/management team v7.16.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@masseyke @elasticmachine @jbaiera @danhermann @elasticsearchmachine