[Discuss] Remove insecure cluster warning #125364

Closed
legrego opened this issue Feb 11, 2022 · 3 comments
Labels
chore discuss Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@legrego
Member

legrego commented Feb 11, 2022

We started warning users in the 7.10 release when they were running Kibana/ES without security enabled (via #78545). This was especially important because stack security features were opt-in, rather than opt-out.

Another benefit of this warning was to educate users of our OSS distribution that the Default distribution came with free security features. We no longer ship an OSS distribution, so this is no longer needed.

Starting in 8.0, security features are enabled by default, and we require that administrators explicitly opt-out of security by setting `xpack.security.enabled: false` in Elasticsearch.

Now that security is opt-out instead of opt-in, I think the usefulness of the Insecure Cluster Warning is greatly diminished. I could see some value in keeping it in (e.g., in the case of accidental misconfiguration), but I'm not sure it's worth maintaining that code for this scenario.

cc @arisonl @bytebilly

@legrego legrego added discuss chore Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Feb 11, 2022
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@bytebilly
Contributor

@legrego if we look at it from a different angle, which is the main reason to remove?
I'd personally prefer to keep, since insecure clusters may still happen one way or another — and we really need to prevent them — unless it has clear drawbacks.

Do you expect that you need to put relevant engineering work in the future to keep it working? Are there other concerns?

@legrego
Member Author

legrego commented Feb 11, 2022

@bytebilly I don't have a strong motivation to remove this - it isn't causing us any pain at the moment. I was grooming the backlog and came across #114049, which got me thinking about the feature in general.

@legrego legrego closed this as completed Mar 26, 2022