Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't implicitly enable security when TLS is enabled #38009

Closed
tvernum opened this issue Jan 30, 2019 · 2 comments
Closed

Don't implicitly enable security when TLS is enabled #38009

tvernum opened this issue Jan 30, 2019 · 2 comments
Assignees
@tvernum
Labels
>breaking :Security/Security Security issues without another label

Comments

@tvernum
Copy link
Contributor

tvernum commented Jan 30, 2019

Because TLS is currently considered part of the security feature, we currently assume that if you enable TLS (e.g. xpack.security.transport.ssl.enabled: true) then you are opting-in to security features, and security is automatically enabled, even on trial license (where it is otherwise off by default).

We want to break the link between TLS and other security features (authc/authz), so we should stop doing this in 7.0

We should also deprecate this behaviour for 6.7
@tvernum tvernum added >breaking :Security/Security Security issues without another label labels Jan 30, 2019
@tvernum tvernum self-assigned this Jan 30, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@joshbressers joshbressers mentioned this issue Jan 30, 2019
Closed
@tvernum tvernum mentioned this issue Jan 31, 2019
Merged
tvernum added a commit that referenced this issue Feb 1, 2019
@tvernum
Remove heuristics that enable security on trial licenses (#38075)
6fcbd07 
In 6.3 trial licenses were changed to default to security
disabled, and ee added some heuristics to detect when security should
be automatically be enabled if `xpack.security.enabled` was not set.

This change removes those heuristics, and requires that security be
explicitly enabled (via the `xpack.security.enabled` setting) for
trial licenses.

Relates: #38009
tvernum added a commit to tvernum/elasticsearch that referenced this issue Feb 4, 2019
@tvernum
Deprecate implicit security on trial licenses
961a015 
In 6.x security is implicitly enabled on a trial license if transport
SSL is enabled, or the trial is from pre-6.3.

This is no longer true on 7.0, so this behaviour is now deprecated.

Relates: elastic#38009, elastic#38075
@tvernum tvernum mentioned this issue Feb 4, 2019
Merged
tvernum added a commit that referenced this issue Feb 5, 2019
@tvernum
Deprecate implicit security on trial licenses (#38295)
34aede6 
In 6.x security is implicitly enabled on a trial license if transport
SSL is enabled, or the trial is from pre-6.3.

This is no longer true on 7.0, so this behaviour is now deprecated.

Relates: #38009, #38075
@tvernum
Copy link
Contributor Author

tvernum commented Feb 5, 2019

Resolved by #38075 and #38295

@tvernum tvernum closed this as completed Feb 5, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tvernum tvernum

Labels
>breaking :Security/Security Security issues without another label
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tvernum @elasticmachine