Update security deprecation message #82128

Merged
merged 11 commits into from
Jan 18, 2022
Changes from 5 commits
Expand Up @@ -208,13 +208,14 @@ static DeprecationIssue checkImplicitlyDisabledSecurityOnBasicAndTrial(
if (XPackSettings.SECURITY_ENABLED.exists(settings) == false
&& (licenseState.getOperationMode().equals(License.OperationMode.BASIC)
|| licenseState.getOperationMode().equals(License.OperationMode.TRIAL))) {
String details = "Security will no longer be disabled by default for Trial licenses in 8.0. The [xpack.security.enabled] "
+ "setting will always default to \"true\". See https://ela.st/es-deprecation-7-security-minimal-setup to secure your "
+ "cluster. To explicitly disable security, set [xpack.security.enabled] to \"false\" (not recommended).";
String details = "In Elasticsearch 8.0 the [xpack.security.enabled] setting will always default to true. "
+ "In your environment, the value is not set and you need to set it before upgrading, along with other required "
+ "security settings. See https://ela.st/es-deprecation-7-security-basic-setup to secure your cluster. "
+ "To explicitly disable security, set [xpack.security.enabled] to \"false\" (not recommended).";
return new DeprecationIssue(
DeprecationIssue.Level.CRITICAL,
"Security is enabled by default for all licenses",
"https://ela.st/es-deprecation-7-implicitly-disabled-security",
"Security features are enabled by default for all licenses in versions 8.0 and later",
"https://ela.st/es-deprecation-7-security-basic-setup",
Contributor

Are we sure about that change?
Our standard behaviour is for these to link to the migration guide which can then include links to other setup instructions. I'm not sure we should link straight to the basic setup guide.

Contributor Author

The current link points to the migration guide line:

The default behavior of disabling security on basic and trial licenses is deprecated

If users figure out that this line can be expanded by clicking on the bullet point arrow (that I don't feel is so straightforward if you are not familiar with our migration guide), they will get:

Currently, security features are disabled when operating on a basic or trial license when xpack.security.enabled has not been explicitly set to true. This behavior is now deprecated. In version 8.0.0, security features will be enabled by default for all licenses, unless explicitly disabled (by setting xpack.security.enabled to false).

I don't feel that this is enough to:

  • raise awareness that security features must be enabled explicitly by the user, and where to go to get more instructions
  • discourage disabling security, which would be the simplest option from this message otherwise

I'm not strongly opposed to linking to the migration guide, even if I found that other deprecation entries link directly to documentation, so I'm not sure about the standard guideline.
If this is our choice, we should ensure that the migration guide text is solving the two issues above.

What do you think?

Contributor

I think we should put effort into fixing the migration guide so it tells people what they need to know, rather than bypassing it.

I agree that this section of the migration guide actually doesn't provide the right information, but I would hope we can fix that and then continue to link to it from the deprecation logs.

The deprecation logs tell you something is changing. The "more info" section should link to something that explains what is changing and how to resolve it. The security setup instructions aren't that.

Contributor Author

@bytebilly bytebilly Jan 17, 2022

Got it, we can improve the migration guide in a follow-up PR. I restored the original link.

details,
false,
null
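Review bot: In the new details string, "you need to set it before upgrading" never says which value to set, and the only value the message tells the reader how to set is \"false\" in the last sentence, so disabling security reads as the easiest way to clear the warning. State explicitly that [xpack.security.enabled] should be set to true before upgrading. The quoting is also inconsistent inside the same string: true is bare in the first sentence while \"false\" is quoted in the last (the replaced text quoted \"true\"); pick one form for both.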
Expand Up @@ -1021,10 +1021,10 @@ public void testImplicitlyDisabledSecurityWarning() {
new XPackLicenseState(Settings.EMPTY, () -> 0)
);
assertThat(issue.getLevel(), equalTo(DeprecationIssue.Level.CRITICAL));
assertThat(issue.getMessage(), equalTo("Security is enabled by default for all licenses"));
assertThat(issue.getMessage(), equalTo("Security features are enabled by default for all licenses in versions 8.0 and later"));
assertNotNull(issue.getDetails());
assertThat(issue.getDetails(), containsString("Security will no longer be disabled by default"));
assertThat(issue.getUrl(), equalTo("https://ela.st/es-deprecation-7-implicitly-disabled-security"));
assertThat(issue.getDetails(), containsString("In Elasticsearch 8.0 the [xpack.security.enabled] setting will always "));
assertThat(issue.getUrl(), equalTo("https://ela.st/es-deprecation-7-security-basic-setup"));
}

public void testExplicitlyConfiguredSecurityOnBasicAndTrial() {
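Review bot: The containsString("In Elasticsearch 8.0 the [xpack.security.enabled] setting will always ") assertion pins only the opening words of the details, trailing space included, so the parts users act on (the instruction to set the value before upgrading, the embedded ela.st link, and the "(not recommended)" wording) can change or disappear without this test failing. Consider also asserting that the details contain the setup link and the "not recommended" text. The getUrl() expectation repeats the literal passed to the DeprecationIssue constructor, so it has to change in the same commit whenever that link does, which the review thread on the first hunk ends up requiring.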