Deprecate certificate-based remote cluster security model#120806
Conversation
slobodanadamovic
added
>deprecation
:Security/Security
|
Hi @slobodanadamovic, I've created a changelog YAML for you. Note that since this PR is labelled |
|
Pinging @elastic/es-security (Team:Security) |
transport profile
…:slobodanadamovic/elasticsearch into sa-deprecate-certificate-based-rcs-model
bytebilly
left a comment
bytebilly
left a comment
There was a problem hiding this comment.
The approach LGTM 👍
for the code changes, I'll defer to engineers :)
|
Linking here docs preview pages: |
n1v0lg
left a comment
n1v0lg
left a comment
There was a problem hiding this comment.
Thanks for working on this! Briefly discussed on Slack: we also need to cover proxy connections and add a test for it. Few other nit comments, I'll take a quick look again once the changes are in.
docs/changelog/120806.yaml
Outdated
| The <<remote-clusters-api-key,*API key based security model*>> is preferred way to configure remote clusters, | ||
| as it allows to follow security best practices when setting up remote cluster connections | ||
| and defining fine-grained access control. | ||
| Users are encouraged to <<remote-clusters-migrate, migrate remote clusters from certificate to API key authentication>>. |
There was a problem hiding this comment.
Wonder if we want to make this a stronger statement by adding something like "since support for the certificate-based model will be removed in a future version."
There was a problem hiding this comment.
I've adjusted the changelog to state that it will be removed in future. Let me know if that makes sense: 71fd150
| [[remote-clusters-cert]] | ||
| === Add remote clusters using TLS certificate authentication | ||
|
|
||
| deprecated::[9.0.0,"Certificate based authentication is deprecated. Configure <<remote-clusters-api-key,API key authentication>> instead or follow a guide on how to <<remote-clusters-migrate,migrate remote clusters from certificate to API key authentication>>."] |
There was a problem hiding this comment.
I don't think we should tackle it in this PR, but cross cluster replication docs make a bunch of implicit references to the certificate-based model, e.g.,:
We probably want a follow up of some sorts to update the docs to focus on RCS 2.0 instead, and mention that RCS 1.0 is deprecated.
There was a problem hiding this comment.
For sure. There is a plan to do that with the help of docs team.
server/src/main/java/org/elasticsearch/transport/RemoteConnectionManager.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/elasticsearch/transport/RemoteConnectionManager.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/elasticsearch/transport/RemoteConnectionManager.java
Show resolved
Hide resolved
…cate-certificate-based-rcs-model
Thanks for catching this! 👍 Please have another look. I've added deprecation logging when a node is connected using proxy mode. Also wrote an integration test which covers both proxy and sniff modes. |
| /** | ||
| * Tests the deprecation of RCS1.0 (certificate-based) security model. | ||
| */ | ||
| public class RemoteClusterSecurityRCS1DeprecationIT extends AbstractRemoteClusterSecurityTestCase { |
...tTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1DeprecationIT.java
Show resolved
Hide resolved
slobodanadamovic
added
the
auto-merge-without-approval
slobodanadamovic
removed
the
auto-merge-without-approval
4 participants
Today, Elasticsearch supports two models to establish secure connections
and trust between two Elasticsearch clusters:
This PR deprecates the Certificate based security model in favour of API key based security model.
The API key based security model is preferred way to configure remote clusters,
as it allows to follow security best practices when setting up remote cluster connections
and defining fine-grained access control.
Users are encouraged to migrate remote clusters from certificate to API key authentication.
Deprecation details:
The deprecation warning message is logged only at runtime, when a remote connection is first opened. This is in order to avoid overloading the deprecation logs. The logs are deduplicated by passing a key per remote cluster alias (
remote_cluster_certificate_access-<remote-cluster-alias>). Worth noting is that with this approach, the warning headers will not be returned to clients that execute a cross cluster search requests (e.g.POST /my_remote_cluster:*/_search). I think this is justifiable, given that end-clients are not the ones interested in such deprecations, but rather administrators of the cluster.The deprecation message will only be logged on local cluster. This is because there is no way to detect if an inbound connection on a remote cluster is originating from a cluster using certificate based auth. As a consequence, this means that there may be some old local clusters connecting to a new remote clusters using deprecated model, and there would be no deprecations logged at all.
There are no particular settings to be deprecated, because the certificate based model shares the same transport protocol/settings as the intra-cluster node-to-node communication.
Hence, we might log a deprecation message for remote connections that are simply missing credentials (. Edit: This is addressed by checking if the remote connection is usingcluster.remote.ALIAS.credentials)REMOTE_CLUSTER_PROFILE. The remote cluster profile is used only for the new port and transport connections that use new API key based security model.Note: If the approach makes sense, I will add more test coverage and update the docs.