mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-06-30 02:13:33 -04:00
eb3c57b8eb
This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
113 lines
4 KiB
Text
113 lines
4 KiB
Text
[float]
|
|
[[breaking_80_security_changes]]
|
|
=== Security changes
|
|
|
|
//NOTE: The notable-breaking-changes tagged regions are re-used in the
|
|
//Installation and Upgrade Guide
|
|
|
|
//tag::notable-breaking-changes[]
|
|
|
|
// end::notable-breaking-changes[]
|
|
|
|
[float]
|
|
[[accept-default-password-removed]]
|
|
==== The `accept_default_password` setting has been removed
|
|
|
|
The `xpack.security.authc.accept_default_password` setting has not had any affect
|
|
since the 6.0 release of {es}. It has been removed and cannot be used.
|
|
|
|
[float]
|
|
[[roles-index-cache-removed]]
|
|
==== The `roles.index.cache.*` settings have been removed
|
|
|
|
The `xpack.security.authz.store.roles.index.cache.max_size` and
|
|
`xpack.security.authz.store.roles.index.cache.ttl` settings have
|
|
been removed. These settings have been redundant and deprecated
|
|
since the 5.2 release of {es}.
|
|
|
|
[float]
|
|
[[migrate-tool-removed]]
|
|
==== The `elasticsearch-migrate` tool has been removed
|
|
|
|
The `elasticsearch-migrate` tool provided a way to convert file
|
|
realm users and roles into the native realm. It has been deprecated
|
|
since 7.2.0. Users and roles should now be created in the native
|
|
realm directly.
|
|
|
|
[float]
|
|
[[separating-node-and-client-traffic]]
|
|
==== The `transport.profiles.*.xpack.security.type` setting has been removed
|
|
|
|
The `transport.profiles.*.xpack.security.type` setting has been removed since
|
|
the Transport Client has been removed and therefore all client traffic now uses
|
|
the HTTP transport. Transport profiles using this setting should be removed.
|
|
|
|
[float]
|
|
[[ssl-validation-changes]]
|
|
==== SSL/TLS configuration validation
|
|
|
|
[float]
|
|
===== The `xpack.security.transport.ssl.enabled` setting may be required
|
|
|
|
It is now an error to configure any SSL settings for
|
|
`xpack.security.transport.ssl` without also configuring
|
|
`xpack.security.transport.ssl.enabled`.
|
|
|
|
For example, the following configuration is invalid:
|
|
[source,yaml]
|
|
--------------------------------------------------
|
|
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
|
|
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
|
|
--------------------------------------------------
|
|
|
|
And must be configured as:
|
|
[source,yaml]
|
|
--------------------------------------------------
|
|
xpack.security.transport.ssl.enabled: true <1>
|
|
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
|
|
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
|
|
--------------------------------------------------
|
|
<1> or `false`.
|
|
|
|
[float]
|
|
===== The `xpack.security.http.ssl.enabled` setting may be required
|
|
|
|
It is now an error to configure any SSL settings for
|
|
`xpack.security.http.ssl` without also configuring
|
|
`xpack.security.http.ssl.enabled`.
|
|
|
|
For example, the following configuration is invalid:
|
|
[source,yaml]
|
|
--------------------------------------------------
|
|
xpack.security.http.ssl.certificate: elasticsearch.crt
|
|
xpack.security.http.ssl.key: elasticsearch.key
|
|
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
|
|
--------------------------------------------------
|
|
|
|
And must be configured as either:
|
|
[source,yaml]
|
|
--------------------------------------------------
|
|
xpack.security.http.ssl.enabled: true <1>
|
|
xpack.security.http.ssl.certificate: elasticsearch.crt
|
|
xpack.security.http.ssl.key: elasticsearch.key
|
|
xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
|
|
--------------------------------------------------
|
|
<1> or `false`.
|
|
|
|
[float]
|
|
===== The `xpack.security.transport.ssl` Certificate and Key may be required
|
|
|
|
It is now an error to enable SSL for the transport interface without also configuring
|
|
a certificate and key through use of the `xpack.security.transport.ssl.keystore.path`
|
|
setting or the `xpack.security.transport.ssl.certificate` and
|
|
`xpack.security.transport.ssl.key` settings.
|
|
|
|
[float]
|
|
===== The `xpack.security.http.ssl` Certificate and Key may be required
|
|
|
|
It is now an error to enable SSL for the HTTP (Rest) server without also configuring
|
|
a certificate and key through use of the `xpack.security.http.ssl.keystore.path`
|
|
setting or the `xpack.security.http.ssl.certificate` and
|
|
`xpack.security.http.ssl.key` settings.
|
|
|
|
|