Adding deprecation info api checks for obsolete security settings (#76986)

masseyke · web-flow · commit 4603a291fe82 · 2021-09-01T16:34:12.000-05:00
This commit adds deprecation info API messages for three obsolete security settings which have been removed: "xpack.security.authc.accept_default_password", "xpack.security.authz.store.roles.index.cache.max_size", and "xpack.security.authz.store.roles.index.cache.ttl" Relates #42404 #40496
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/DeprecationChecks.java
@@ -96,6 +96,9 @@ private DeprecationChecks() {
                     NodeDeprecationChecks::checkSingleDataNodeWatermarkSetting,
                     NodeDeprecationChecks::checkImplicitlyDisabledSecurityOnBasicAndTrial,
                     NodeDeprecationChecks::checkMonitoringExporterPassword,
+                    NodeDeprecationChecks::checkAcceptDefaultPasswordSetting,
+                    NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting,
+                    NodeDeprecationChecks::checkRolesCacheTTLSizeSetting,
                     NodeDeprecationChecks::checkClusterRoutingAllocationIncludeRelocationsSetting
                 )
             ).collect(Collectors.toList());
diff --git a/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java b/x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java
@@ -21,6 +21,7 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.set.Sets;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.jdk.JavaVersion;
 import org.elasticsearch.license.License;
@@ -31,6 +32,7 @@
 import org.elasticsearch.threadpool.FixedExecutorBuilder;
 import org.elasticsearch.transport.RemoteClusterService;
 import org.elasticsearch.xpack.core.XPackSettings;
+import org.elasticsearch.xpack.core.security.SecurityField;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
@@ -455,7 +457,13 @@ static DeprecationIssue checkRemovedSetting(final Settings settings,
             return null;
         }
         final String removedSettingKey = removedSetting.getKey();
-        final String value = removedSetting.get(settings).toString();
+        Object removedSettingValue = removedSetting.get(settings);
+        String value;
+        if (removedSettingValue instanceof TimeValue) {
+            value = ((TimeValue) removedSettingValue).getStringRep();
+        } else {
+            value = removedSettingValue.toString();
+        }
         final String message =
             String.format(Locale.ROOT, "setting [%s] is deprecated and will be removed in the next major version", removedSettingKey);
         final String details =
@@ -595,4 +603,38 @@ static DeprecationIssue checkClusterRoutingAllocationIncludeRelocationsSetting(f
             DeprecationIssue.Level.CRITICAL
         );
     }
+
+    static DeprecationIssue checkAcceptDefaultPasswordSetting(final Settings settings,
+                                                                                   final PluginsAndModules pluginsAndModules,
+                                                                                   final ClusterState clusterState,
+                                                                                   final XPackLicenseState licenseState) {
+        return checkRemovedSetting(settings,
+            Setting.boolSetting(SecurityField.setting("authc.accept_default_password"),true, Setting.Property.Deprecated),
+            "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
+            DeprecationIssue.Level.CRITICAL
+        );
+    }
+
+    static DeprecationIssue checkAcceptRolesCacheMaxSizeSetting(final Settings settings,
+                                                              final PluginsAndModules pluginsAndModules,
+                                                              final ClusterState clusterState,
+                                                              final XPackLicenseState licenseState) {
+        return checkRemovedSetting(settings,
+            Setting.intSetting(SecurityField.setting("authz.store.roles.index.cache.max_size"), 10000, Setting.Property.Deprecated),
+            "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
+            DeprecationIssue.Level.CRITICAL
+        );
+    }
+
+    static DeprecationIssue checkRolesCacheTTLSizeSetting(final Settings settings,
+                                                                final PluginsAndModules pluginsAndModules,
+                                                                final ClusterState clusterState,
+                                                                final XPackLicenseState licenseState) {
+        return checkRemovedSetting(settings,
+            Setting.timeSetting(SecurityField.setting("authz.store.roles.index.cache.ttl"), TimeValue.timeValueMinutes(20),
+                Setting.Property.Deprecated),
+            "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes",
+            DeprecationIssue.Level.CRITICAL
+        );
+    }
 }
diff --git a/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java b/x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java
@@ -21,9 +21,9 @@
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.core.Set;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.jdk.JavaVersion;
 import org.elasticsearch.license.License;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.jdk.JavaVersion;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.test.ESTestCase;
@@ -863,4 +863,56 @@ public void testImplicitlyConfiguredSecurityOnGoldPlus() {
         final List<DeprecationIssue> issues = getDeprecationIssues(settings, pluginsAndModules, licenseState);
         assertThat(issues, empty());
     }
+
+    private void checkSimpleSetting(String settingKey, String settingValue, String url, DeprecationChecks.NodeDeprecationCheck<Settings,
+        PluginsAndModules, ClusterState, XPackLicenseState, DeprecationIssue> checkFunction) {
+        final Settings nodeSettings =
+            Settings.builder().put(settingKey, settingValue).build();
+        final XPackLicenseState licenseState = new XPackLicenseState(Settings.EMPTY, () -> 0);
+        final ClusterState clusterState = ClusterState.EMPTY_STATE;
+        final DeprecationIssue expectedIssue = new DeprecationIssue(DeprecationIssue.Level.CRITICAL,
+            String.format(Locale.ROOT,
+                "setting [%s] is deprecated and will be removed in the next major version",
+                settingKey),
+            url,
+            String.format(Locale.ROOT,
+                "the setting [%s] is currently set to [%s], remove this setting",
+                settingKey,
+                settingValue),
+            false,null
+        );
+
+        assertThat(
+            checkFunction.apply(nodeSettings, null, clusterState, licenseState),
+            equalTo(expectedIssue)
+        );
+
+        final String expectedWarning = String.format(Locale.ROOT,
+            "[%s] setting was deprecated in Elasticsearch and will be removed in a future release! " +
+                "See the breaking changes documentation for the next major version.",
+            settingKey);
+
+        assertWarnings(expectedWarning);
+    }
+
+    public void testCheckAcceptDefaultPasswordSetting() {
+        String settingKey = "xpack.security.authc.accept_default_password";
+        String settingValue = String.valueOf(randomBoolean());
+        String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes";
+        checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkAcceptDefaultPasswordSetting);
+    }
+
+    public void testCheckAcceptRolesCacheMaxSizeSetting() {
+        String settingKey = "xpack.security.authz.store.roles.index.cache.max_size";
+        String settingValue = String.valueOf(randomIntBetween(1, 10000));
+        String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes";
+        checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkAcceptRolesCacheMaxSizeSetting);
+    }
+
+    public void testCheckRolesCacheTTLSizeSetting() {
+        String settingKey = "xpack.security.authz.store.roles.index.cache.ttl";
+        String settingValue = randomPositiveTimeValue();
+        String url = "https://www.elastic.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes";
+        checkSimpleSetting(settingKey, settingValue, url, NodeDeprecationChecks::checkRolesCacheTTLSizeSetting);
+    }
 }
