Remove heuristics that enable security on trial licenses (#38075)
In 6.3 trial licenses were changed to default to security
disabled, and we added some heuristics to detect when security should
automatically be enabled if `xpack.security.enabled` was not set.

This change removes those heuristics, and requires that security be
explicitly enabled (via the `xpack.security.enabled` setting) for
trial licenses.

Relates: #38009
tvernum authored Feb 1, 2019
1 parent 0a604e3 commit 6fcbd07
Showing 3 changed files with 40 additions and 69 deletions.
16 changes: 16 additions & 0 deletions docs/reference/migration/migrate_7_0/settings.asciidoc
Expand Up @@ -145,6 +145,22 @@ You can enable TLS v1.0 by configuring the relevant `ssl.supported_protocols` se
xpack.security.http.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1" ]
--------------------------------------------------

[float]
[[trial-explicit-security]]
==== Security on Trial Licenses

On trial licenses, `xpack.security.enabled` defaults to `false`.

In prior versions, a trial license would automatically enable security if either

* `xpack.security.transport.enabled` was `true`; _or_
* the trial license was generated on a version of X-Pack from 6.2 or earlier.

This behaviour has been now removed, so security is only enabled if:

* `xpack.security.enabled` is `true`; _or_
* `xpack.security.enabled` is not set, and a gold or platinum license is installed.

[float]
[[watcher-notifications-account-settings]]
==== Watcher notifications account settings
Expand Up @@ -5,7 +5,6 @@
*/
package org.elasticsearch.license;

import org.apache.logging.log4j.LogManager;
import org.elasticsearch.Version;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
Expand Down Expand Up @@ -271,25 +270,18 @@ private static class Status {
private final boolean isSecurityExplicitlyEnabled;

private Status status = new Status(OperationMode.TRIAL, true);
private boolean isSecurityEnabledByTrialVersion;

public XPackLicenseState(Settings settings) {
this.listeners = new CopyOnWriteArrayList<>();
this.isSecurityEnabled = XPackSettings.SECURITY_ENABLED.get(settings);
// 6.0+ requires TLS for production licenses, so if TLS is enabled and security is enabled
// we can interpret this as an explicit enabling of security if the security enabled
// setting is not explicitly set
this.isSecurityExplicitlyEnabled = isSecurityEnabled &&
(settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey()) || XPackSettings.TRANSPORT_SSL_ENABLED.get(settings));
this.isSecurityEnabledByTrialVersion = false;
this.isSecurityExplicitlyEnabled = isSecurityEnabled && settings.hasValue(XPackSettings.SECURITY_ENABLED.getKey());
}

private XPackLicenseState(XPackLicenseState xPackLicenseState) {
this.listeners = xPackLicenseState.listeners;
this.isSecurityEnabled = xPackLicenseState.isSecurityEnabled;
this.isSecurityExplicitlyEnabled = xPackLicenseState.isSecurityExplicitlyEnabled;
this.status = xPackLicenseState.status;
this.isSecurityEnabledByTrialVersion = xPackLicenseState.isSecurityEnabledByTrialVersion;
}

/**
Expand All @@ -304,16 +296,6 @@ private XPackLicenseState(XPackLicenseState xPackLicenseState) {
void update(OperationMode mode, boolean active, @Nullable Version mostRecentTrialVersion) {
synchronized (this) {
status = new Status(mode, active);
if (isSecurityEnabled == true && isSecurityExplicitlyEnabled == false && mode == OperationMode.TRIAL
&& isSecurityEnabledByTrialVersion == false) {
// Before 6.3, Trial licenses would default having security enabled.
// If this license was generated before that version, then treat it as if security is explicitly enabled
if (mostRecentTrialVersion == null || mostRecentTrialVersion.before(Version.V_6_3_0)) {
LogManager.getLogger(getClass()).info("Automatically enabling security for older trial license ({})",
mostRecentTrialVersion == null ? "[pre 6.1.0]" : mostRecentTrialVersion.toString());
isSecurityEnabledByTrialVersion = true;
}
}
}
listeners.forEach(LicenseStateListener::licenseStateChanged);
}
Expand Down Expand Up @@ -345,7 +327,7 @@ public synchronized boolean isActive() {
public synchronized boolean isAuthAllowed() {
OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.STANDARD || mode == OperationMode.GOLD
|| mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
}
Expand All @@ -356,7 +338,7 @@ public synchronized boolean isAuthAllowed() {
public synchronized boolean isIpFilteringAllowed() {
OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
}

Expand All @@ -366,7 +348,7 @@ public synchronized boolean isIpFilteringAllowed() {
public synchronized boolean isAuditingAllowed() {
OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.GOLD || mode == OperationMode.PLATINUM || mode == OperationMode.TRIAL);
}

Expand Down Expand Up @@ -395,7 +377,7 @@ public synchronized boolean isStatsAndHealthAllowed() {
public synchronized boolean isDocumentAndFieldLevelSecurityAllowed() {
OperationMode mode = status.mode;
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
isSecurityEnabled(mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (mode == OperationMode.TRIAL || mode == OperationMode.PLATINUM);
}

Expand All @@ -412,7 +394,7 @@ public enum AllowedRealmType {
*/
public synchronized AllowedRealmType allowedRealmType() {
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
if (isSecurityCurrentlyEnabled) {
switch (status.mode) {
case PLATINUM:
Expand All @@ -435,7 +417,7 @@ public synchronized AllowedRealmType allowedRealmType() {
*/
public synchronized boolean isCustomRoleProvidersAllowed() {
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
&& status.active;
}
Expand All @@ -446,7 +428,7 @@ public synchronized boolean isCustomRoleProvidersAllowed() {
*/
public synchronized boolean isAuthorizationRealmAllowed() {
final boolean isSecurityCurrentlyEnabled =
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabledByTrialVersion, isSecurityEnabled);
isSecurityEnabled(status.mode, isSecurityExplicitlyEnabled, isSecurityEnabled);
return isSecurityCurrentlyEnabled && (status.mode == OperationMode.PLATINUM || status.mode == OperationMode.TRIAL)
&& status.active;
}
Expand Down Expand Up @@ -676,19 +658,17 @@ public synchronized boolean isSecurityAvailable() {
* @return true if security has been disabled by a trial license which is the case of the
* default distribution post 6.3.0. The conditions necessary for this are:
* <ul>
* <li>A trial license generated in 6.3.0+</li>
* <li>A trial license</li>
* <li>xpack.security.enabled not specified as a setting</li>
* </ul>
*/
public synchronized boolean isSecurityDisabledByTrialLicense() {
return status.mode == OperationMode.TRIAL && isSecurityEnabled
&& isSecurityExplicitlyEnabled == false
&& isSecurityEnabledByTrialVersion == false;
return status.mode == OperationMode.TRIAL && isSecurityEnabled && isSecurityExplicitlyEnabled == false;
}

private static boolean isSecurityEnabled(final OperationMode mode, final boolean isSecurityExplicitlyEnabled,
final boolean isSecurityEnabledByTrialVersion, final boolean isSecurityEnabled) {
return mode == OperationMode.TRIAL ? (isSecurityExplicitlyEnabled || isSecurityEnabledByTrialVersion) : isSecurityEnabled;
final boolean isSecurityEnabled) {
return mode == OperationMode.TRIAL ? isSecurityExplicitlyEnabled : isSecurityEnabled;
}

/**
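Review bot: `update(OperationMode mode, boolean active, @Nullable Version mostRecentTrialVersion)` at the top of the second hunk keeps its third parameter, yet once the version-based block is removed the body never reads `mostRecentTrialVersion`, and `Version` and `Nullable` appear to remain imported only for it. A dead parameter on the method that decides whether security is enforced invites callers to assume the trial version still matters; either drop it together with its callers in a follow-up, or make the intent explicit now with a Javadoc line such as `@param mostRecentTrialVersion no longer consulted; retained for caller compatibility until the signature is cleaned up`. The Javadoc for update sits above the hunk and, if it still describes the pre-6.3 auto-enable behaviour, needs the same correction. The enclosing method's signature is visible but its Javadoc starts outside the hunk.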
Expand Up @@ -81,38 +81,23 @@ public void testSecurityDefaults() {
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));

licenseState = new XPackLicenseState(Settings.EMPTY);
assertSecurityNotAllowed(licenseState);
}

public void testTransportSslDoesNotAutomaticallyEnableSecurityOnTrialLicense() {
final XPackLicenseState licenseState;
licenseState =
new XPackLicenseState(Settings.builder().put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), true).build());
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));

licenseState = new XPackLicenseState(Settings.EMPTY);
assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertSecurityNotAllowed(licenseState);
}

public void testSecurityBasic() {
XPackLicenseState licenseState = new XPackLicenseState(randomFrom(Settings.EMPTY,
Settings.builder().put(XPackSettings.SECURITY_ENABLED.getKey(), true).build()));
licenseState.update(BASIC, true, null);

assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(false));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.NONE));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
assertSecurityNotAllowed(licenseState);
}

public void testSecurityBasicExpired() {
Expand Down Expand Up @@ -218,6 +203,10 @@ public void testNewTrialDefaultsSecurityOff() {
licenseState.update(TRIAL, true, VersionUtils.randomVersionBetween(random(), Version.V_6_3_0, Version.CURRENT));

assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(true));
assertSecurityNotAllowed(licenseState);
}

private void assertSecurityNotAllowed(XPackLicenseState licenseState) {
assertThat(licenseState.isAuthAllowed(), is(false));
assertThat(licenseState.isIpFilteringAllowed(), is(false));
assertThat(licenseState.isAuditingAllowed(), is(false));
Expand All @@ -227,20 +216,6 @@ public void testNewTrialDefaultsSecurityOff() {
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(false));
}

public void testOldTrialDefaultsSecurityOn() {
XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY);
licenseState.update(TRIAL, true, rarely() ? null : VersionUtils.randomVersionBetween(random(), Version.V_6_0_0, Version.V_6_2_4));

assertThat(licenseState.isSecurityDisabledByTrialLicense(), is(false));
assertThat(licenseState.isAuthAllowed(), is(true));
assertThat(licenseState.isIpFilteringAllowed(), is(true));
assertThat(licenseState.isAuditingAllowed(), is(true));
assertThat(licenseState.isStatsAndHealthAllowed(), is(true));
assertThat(licenseState.isDocumentAndFieldLevelSecurityAllowed(), is(true));
assertThat(licenseState.allowedRealmType(), is(XPackLicenseState.AllowedRealmType.ALL));
assertThat(licenseState.isCustomRoleProvidersAllowed(), is(true));
}

public void testSecurityAckBasicToNotGoldOrStandard() {
OperationMode toMode = randomFrom(OperationMode.values(), mode -> mode != GOLD && mode != STANDARD);
assertAckMesssages(XPackField.SECURITY, BASIC, toMode, 0);
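Review bot: `testNewTrialDefaultsSecurityOff` still drives `licenseState.update(TRIAL, true, VersionUtils.randomVersionBetween(random(), Version.V_6_3_0, Version.CURRENT))`, so with `testOldTrialDefaultsSecurityOn` deleted no test feeds a null or pre-6.3 trial version any more, which are precisely the inputs the removed heuristic used to turn security on. Widening the input, e.g. `licenseState.update(TRIAL, true, rarely() ? null : VersionUtils.randomVersion(random()));`, pins the new contract that the trial version never enables security on its own. Once that is done the "NewTrial" part of the test name is misleading, since the old/new distinction no longer exists. `testNewTrialDefaultsSecurityOff` begins above the hunk.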
