ignore default username when no password is set

fixes a regression introduced with the api_key support for xpack monitoring and management in #11864 which disabled the possibility to not use any authentication by relying on the default options and only enabling monitoring for example. It now ignores the default username option when no password is explicitly set.
2025-04-24 22:57:16 -04:00 · 2020-07-08 13:12:05 -04:00 · 2020-07-08 13:12:05 -04:00 · 556865ee88
commit 556865ee88
parent 05dbba780f
3 changed files with 20 additions and 24 deletions
--- a/x-pack/lib/helpers/elasticsearch_options.rb
+++ b/x-pack/lib/helpers/elasticsearch_options.rb
@ -67,9 +67,12 @@ module LogStash module Helpers
        opts['ssl'] = true
      end

-      # the username setting has a default value and should not be included when using another authentication
+      # the username setting has a default value and should not be included when using another authentication such as cloud_auth or api_key.
+      # it should also not be included when no password is set.
      # it is safe to silently remove here since all authentication verifications have been validated at this point.
-      if settings.set?("#{prefix}#{feature}.elasticsearch.cloud_auth") || settings.set?("#{prefix}#{feature}.elasticsearch.api_key")
+      if settings.set?("#{prefix}#{feature}.elasticsearch.cloud_auth") ||
+         settings.set?("#{prefix}#{feature}.elasticsearch.api_key") ||
+         (!settings.set?("#{prefix}#{feature}.elasticsearch.password") && !settings.set?("#{prefix}#{feature}.elasticsearch.username"))
        opts.delete('user')
      end

@ -201,15 +204,6 @@ module LogStash module Helpers
      authentication_count += 1 if provided_password
      authentication_count += 1 if provided_api_key

-      if authentication_count == 0
-        # when no explicit authentication is set it is relying on default username
-        # but without and explicit password set
-        raise(ArgumentError,
-          "With the default #{prefix}#{feature}.elasticsearch.username, " +
-          "#{prefix}#{feature}.elasticsearch.password must be set"
-        )
-      end
-
      if authentication_count > 1
        raise(ArgumentError, "Multiple authentication options are specified, please only use one of #{prefix}#{feature}.elasticsearch.username/password, #{prefix}#{feature}.elasticsearch.cloud_auth or #{prefix}#{feature}.elasticsearch.api_key")
      end
--- a/x-pack/spec/config_management/elasticsearch_source_spec.rb
+++ b/x-pack/spec/config_management/elasticsearch_source_spec.rb
@ -151,8 +151,12 @@ describe LogStash::ConfigManagement::ElasticsearchSource do
          }
        end

-        it "should raise an ArgumentError" do
-          expect { described_class.new(system_settings) }.to raise_error(ArgumentError)
+        it "will rely on username and password settings" do
+          # since cloud_id and cloud_auth are simply containers for host and username/password
+          # both could be set independently and if cloud_auth is not set then authn will be done
+          # using the provided username/password settings, which can be set or not if not auth is
+          # required.
+          expect { described_class.new(system_settings) }.to_not raise_error
        end
      end
    end
--- a/x-pack/spec/helpers/elasticsearch_options_spec.rb
+++ b/x-pack/spec/helpers/elasticsearch_options_spec.rb
@ -107,10 +107,11 @@ describe LogStash::Helpers::ElasticsearchOptions do
        }
      end

-      it "fails without password" do
-        expect {
-          test_class.es_options_from_settings_or_modules('monitoring', system_settings)
-        }.to raise_error(ArgumentError, /password must be set/)
+      it "ignores the implicit default username when no password is set" do
+        # when no explicit password is set then the default/implicit username should be ignored
+        es_options = test_class.es_options_from_settings_or_modules('monitoring', system_settings)
+        expect(es_options).to_not include("user")
+        expect(es_options).to_not include("password")
      end

      context "with cloud_auth" do
@ -296,13 +297,10 @@ describe LogStash::Helpers::ElasticsearchOptions do
      end

      context "when cloud_auth is not set" do
-
-        it "raises for invalid configuration" do
-          # if not other authn is provided it will assume basic auth using the default username
-          # but the password is missing.
-          expect {
-            test_class.es_options_from_settings_or_modules('monitoring', system_settings)
-          }.to raise_error(ArgumentError, /With the default.*?username,.*?password must be set/)
+        it "does not use authentication and ignores the default username" do
+          es_options = test_class.es_options_from_settings_or_modules('monitoring', system_settings)
+          expect(es_options).to include("cloud_id")
+          expect(es_options.keys).to_not include("hosts", "user", "password")
        end

        context 'username and password set' do