From ad171b16d2787f2e922b7c6dcec9c8179c8fc5ea Mon Sep 17 00:00:00 2001
From: Ryan Ernst
Date: Tue, 26 Oct 2021 07:57:10 -0700
Subject: [PATCH] Enforce license expiration (#79671)
Licensed features in check the license state to determine if a feature is currently allowed. When the license expires, the feature should no longer work, falling back to any Basic licensed behavior. Historically though, some features have had lenient behavior, continuing to work indefinitely after the license has expired. This commit changes most of the existing licensed features that were lenient to enforce license expiration. The one exception is ip filtering, which will remain working.
---
 .../elasticsearch/license/LicensedFeature.java | 15 +++------------
 .../xpack/core/security/SecurityField.java | 4 ++--
 .../elasticsearch/xpack/security/Security.java | 18 +++++++++---------
 3 files changed, 14 insertions(+), 23 deletions(-)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicensedFeature.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicensedFeature.java
index 6f3e18c825d09..56c8e87d1c502 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicensedFeature.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/license/LicensedFeature.java
@@ -41,8 +41,8 @@ public boolean check(XPackLicenseState state) {
 * A Persistent feature is one that is tracked starting when the license is checked, and later may be untracked.
 */
 public static class Persistent extends LicensedFeature {
- private Persistent(String family, String name, License.OperationMode minimumOperationMode, boolean needsActive) {
- super(family, name, minimumOperationMode, needsActive);
+ private Persistent(String family, String name, License.OperationMode minimumOperationMode) {
+ super(family, name, minimumOperationMode, true);
 }
 /**
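Review bot: The Javadoc above `Persistent` still describes only tracking, while the new constructor hard-codes `true` for what the removed parameter called `needsActive`, so nothing at this site says that a persistent feature always requires an active license. I would name the literal, `super(family, name, minimumOperationMode, /* needsActive */ true);`, and add a Javadoc sentence such as `Persistent features always require an active (non-expired) license.` The body of `Persistent` continues outside the hunk.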
@@ -111,7 +111,7 @@ public static Momentary momentary(String family, String name, License.OperationM
 /** Create a persistent feature for the given license level */
 public static Persistent persistent(String family, String name, License.OperationMode licenseLevel) {
- return new Persistent(family, name, licenseLevel, true);
+ return new Persistent(family, name, licenseLevel);
 }
 /**
@@ -123,15 +123,6 @@ public static Momentary momentaryLenient(String family, String name, License.Ope
 return new Momentary(family, name, licenseLevel, false);
 }
- /**
- * Creates a persistent feature, but one that is lenient as
- * to whether the license needs to be active to allow the feature.
- */
- @Deprecated
- public static Persistent persistentLenient(String family, String name, License.OperationMode licenseLevel) {
- return new Persistent(family, name, licenseLevel, false);
- }
-
 /**
 * Returns whether the feature is allowed by the current license
 * without affecting feature tracking.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityField.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityField.java
index fc1b42b984f5d..cd12fdcd79972 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityField.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityField.java
@@ -23,9 +23,9 @@ public final class SecurityField {
 // Document and Field Level Security are Platinum+
 private static final String DLS_FLS_FEATURE_FAMILY = "security-dls-fls";
 public static final LicensedFeature.Momentary DOCUMENT_LEVEL_SECURITY_FEATURE =
- LicensedFeature.momentaryLenient(DLS_FLS_FEATURE_FAMILY, "dls", License.OperationMode.PLATINUM);
+ LicensedFeature.momentary(DLS_FLS_FEATURE_FAMILY, "dls", License.OperationMode.PLATINUM);
 public static final LicensedFeature.Momentary FIELD_LEVEL_SECURITY_FEATURE =
- LicensedFeature.momentaryLenient(DLS_FLS_FEATURE_FAMILY, "fls", License.OperationMode.PLATINUM);
+ LicensedFeature.momentary(DLS_FLS_FEATURE_FAMILY, "fls", License.OperationMode.PLATINUM);
 private SecurityField() {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
index 98cc4d0cc66e5..b8346464972cd 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
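Review bot: `DOCUMENT_LEVEL_SECURITY_FEATURE` and `FIELD_LEVEL_SECURITY_FEATURE` gate access restrictions, so how callers handle a failed check decides whether an expired license fails closed or open, and those call sites are not part of this diff. With `momentary(...)` the check presumably starts failing once the license expires, and the commit message describes that as falling back to Basic behavior, which has no DLS/FLS. Please confirm that requests from roles carrying DLS or FLS are then rejected rather than served without the filter, and pin that with a test. A comment on the constants would record the expectation, e.g. `// On an expired license, requests for roles that use DLS/FLS must be rejected, never served unfiltered.`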
@@ -357,29 +357,29 @@ public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin,
 public static final LicensedFeature.Momentary IP_FILTERING_FEATURE =
 LicensedFeature.momentaryLenient(null, "security-ip-filtering", License.OperationMode.GOLD);
 public static final LicensedFeature.Momentary AUDITING_FEATURE =
- LicensedFeature.momentaryLenient(null, "security-auditing", License.OperationMode.GOLD);
+ LicensedFeature.momentary(null, "security-auditing", License.OperationMode.GOLD);
 public static final LicensedFeature.Momentary TOKEN_SERVICE_FEATURE =
- LicensedFeature.momentaryLenient(null, "security-token-service", License.OperationMode.STANDARD);
+ LicensedFeature.momentary(null, "security-token-service", License.OperationMode.STANDARD);
 private static final String REALMS_FEATURE_FAMILY = "security-realms";
 // Builtin realms (file/native) realms are Basic licensed, so don't need to be checked or tracked
 // Some realms (LDAP, AD, PKI) are Gold+
 public static final LicensedFeature.Persistent LDAP_REALM_FEATURE =
- LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "ldap", License.OperationMode.GOLD);
+ LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "ldap", License.OperationMode.GOLD);
 public static final LicensedFeature.Persistent AD_REALM_FEATURE =
- LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "active-directory", License.OperationMode.GOLD);
+ LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "active-directory", License.OperationMode.GOLD);
 public static final LicensedFeature.Persistent PKI_REALM_FEATURE =
- LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "pki", License.OperationMode.GOLD);
+ LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "pki", License.OperationMode.GOLD);
 // SSO realms are Platinum+
 public static final LicensedFeature.Persistent SAML_REALM_FEATURE =
- LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "saml", License.OperationMode.PLATINUM);
+ LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "saml", License.OperationMode.PLATINUM);
 public static final LicensedFeature.Persistent OIDC_REALM_FEATURE =
- LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "oidc", License.OperationMode.PLATINUM);
+ LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "oidc", License.OperationMode.PLATINUM);
 public static final LicensedFeature.Persistent KERBEROS_REALM_FEATURE =
- LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "kerberos", License.OperationMode.PLATINUM);
+ LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "kerberos", License.OperationMode.PLATINUM);
 // Custom realms are Platinum+
 public static final LicensedFeature.Persistent CUSTOM_REALMS_FEATURE =
- LicensedFeature.persistentLenient(REALMS_FEATURE_FAMILY, "custom", License.OperationMode.PLATINUM);
+ LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "custom", License.OperationMode.PLATINUM);
 public static final LicensedFeature.Momentary DELEGATED_AUTHORIZATION_FEATURE =
 LicensedFeature.momentary(null, "security-delegated-authorization", License.OperationMode.PLATINUM);
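Review bot: `IP_FILTERING_FEATURE` is now the only constant in this block still built with `momentaryLenient(...)`, and the reason is recorded only in the commit message, not in the code. A comment above it, e.g. `// Intentionally lenient: IP filtering stays in effect after the license expires.`, would keep a later cleanup from tightening it by accident. Separately, `AUDITING_FEATURE` and the LDAP, AD, PKI, SAML, OIDC, Kerberos and custom realm features now stop working at expiration, which means a gap in the audit trail and loss of external authentication from that moment. Whether operators are warned beforehand is not visible here, so the upgrade notes should state this and recommend keeping a file or native realm administrator available.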