Deprecate using elasticsearch.ssl.certificate without elasticsearch.ssl.key and vice versa
#54392
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was used to log warnings messages. We have decided to deprecate the config settings instead of just logging warnings. So ElasticsearchConfig doesn't need to have a logger at all anymore.
jportner
added
release_note:deprecation
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
jportner
commented
Jan 10, 2020
kobelb
approved these changes
Jan 10, 2020
pgayvallet
approved these changes
Jan 11, 2020
The Elasticsearch config should error out if a PKCS12 keystore does not contain a key *or* a certificate. This was intended to be the functionality in PR elastic#53810, but it was overlooked. Changing it now since this PR is changing code in the same file.
Check for key existence, not key truthiness.
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
thomasneirynck
pushed a commit
to thomasneirynck/kibana
that referenced
this pull request
Jan 12, 2020
…h.ssl.key` and vice versa (elastic#54392)
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Jan 13, 2020
* master: (69 commits) [Graph] Fix various a11y issues (elastic#54097) Add ApplicationService app status management (elastic#50223) logs in one time (elastic#54447) Deprecate using `elasticsearch.ssl.certificate` without `elasticsearch.ssl.key` and vice versa (elastic#54392) [Optimizer] Fix a stack overflow with watch_cache when it attempts to delete very large folders. (elastic#54457) Security - Role Mappings UI (elastic#53620) [SIEM] [Detection engine] Permission II (elastic#54292) Allow User to Cleanup Repository from UI (elastic#53047) [Detection engine] Some UX for rule creation (elastic#54471) share specific instances of some ui packages (elastic#54079) [ML] APM modules configs for RUM Javascript and NodeJS (elastic#53792) [APM] Delay rendering invalid license notification (elastic#53924) [Graph] Improve error message on graph requests (elastic#54230) [ILM] Kibana should allow a min_age setting of 0ms in ILM policy phases (elastic#53719) Unit Tests for common/lib (elastic#53736) [Graph] Only show explorable fields (elastic#54101) remove linting rule exception for markdown (elastic#54232) [Monitoring] Fetch shard data more efficiently (elastic#54028) [Maps] Add hiddenLayers option to embeddable map input (elastic#54355) Pass termOrder and hasTermsAgg properties to serializeThresholdWatch function (elastic#54391) ...
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Jan 13, 2020
* master: (69 commits) [Graph] Fix various a11y issues (elastic#54097) Add ApplicationService app status management (elastic#50223) logs in one time (elastic#54447) Deprecate using `elasticsearch.ssl.certificate` without `elasticsearch.ssl.key` and vice versa (elastic#54392) [Optimizer] Fix a stack overflow with watch_cache when it attempts to delete very large folders. (elastic#54457) Security - Role Mappings UI (elastic#53620) [SIEM] [Detection engine] Permission II (elastic#54292) Allow User to Cleanup Repository from UI (elastic#53047) [Detection engine] Some UX for rule creation (elastic#54471) share specific instances of some ui packages (elastic#54079) [ML] APM modules configs for RUM Javascript and NodeJS (elastic#53792) [APM] Delay rendering invalid license notification (elastic#53924) [Graph] Improve error message on graph requests (elastic#54230) [ILM] Kibana should allow a min_age setting of 0ms in ILM policy phases (elastic#53719) Unit Tests for common/lib (elastic#53736) [Graph] Only show explorable fields (elastic#54101) remove linting rule exception for markdown (elastic#54232) [Monitoring] Fetch shard data more efficiently (elastic#54028) [Maps] Add hiddenLayers option to embeddable map input (elastic#54355) Pass termOrder and hasTermsAgg properties to serializeThresholdWatch function (elastic#54391) ...
chrisronline
pushed a commit
to chrisronline/kibana
that referenced
this pull request
Jan 13, 2020
…h.ssl.key` and vice versa (elastic#54392)
jkelastic
pushed a commit
to jkelastic/kibana
that referenced
this pull request
Jan 17, 2020
…h.ssl.key` and vice versa (elastic#54392)
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR deprecates using
elasticsearch.ssl.certificatewithoutelasticsearch.ssl.keyand vice versa. Either of these settings alone will have no effect, both should be used to enable TLS client authentication to Elasticsearch.I had added a warning for this in #53810, but we decided in #53810 (comment) that we should add a deprecation for this in 7.6 and throw an error starting in 8.0.
This PR does the following:
elasticsearch.usernameout of the Core config deprecations and into the Elasticsearch configNote: it would be easier to review this PR by checking each commit.