diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 74f432d715..225ebe3f73 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -413,10 +413,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 log.info("Clustername: {}", settings.get("cluster.name", "opensearch"));
- if (!transportSSLEnabled && !SSLConfig.isSslOnlyMode()) {
- throw new IllegalStateException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED + " must be set to 'true'");
- }
-
 if (!client) {
 final List filesWithWrongPermissions = AccessController.doPrivileged(new PrivilegedAction>() {
 @Override
@@ -1255,7 +1251,9 @@ public Settings additionalSettings() {
 builder.put(super.additionalSettings());
 if (!SSLConfig.isSslOnlyMode()) {
- builder.put(NetworkModule.TRANSPORT_TYPE_KEY, "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport");
+ if (transportSSLEnabled) {
+ builder.put(NetworkModule.TRANSPORT_TYPE_KEY, "org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport");
+ }
 builder.put(NetworkModule.HTTP_TYPE_KEY, "org.opensearch.security.http.SecurityHttpServerTransport");
 }
 return builder.build();
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 4c1678783c..92eb3d60ae 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
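Review bot: Dropping the `IllegalStateException` guard in the constructor hunk means a node started with `SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED` set to false (and not in SSL-only mode) now comes up with no signal at all, although that configuration removes TLS from node-to-node traffic and, judging by the `SecurityRequestHandler` hunks later in this diff, also disables the certificate-based node identity checks that depend on it. A hard failure is being replaced with silence; keeping an unmistakable startup log in its place preserves operator visibility, e.g. `if (!transportSSLEnabled && !SSLConfig.isSslOnlyMode()) { log.warn("{} is false: transport layer traffic is not protected by TLS", SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED); }`. In the `additionalSettings()` hunk, leaving `NetworkModule.TRANSPORT_TYPE_KEY` unset when transport SSL is disabled presumably falls through to the core default transport; a one-line comment stating that intent, `// transport SSL disabled: leave the default (plaintext) transport in place`, would save the next reader the inference. The constructor's body continues outside the hunk.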
@@ -146,7 +146,7 @@ protected OpenSearchSecuritySSLPlugin(final Settings settings, final Path config
 this.extendedKeyUsageEnabled = false;
 this.sslSettingsManager = null;
 this.configPath = null;
- SSLConfig = new SSLConfig(false, false);
+ SSLConfig = new SSLConfig(false, false, false);
 AccessController.doPrivileged(new PrivilegedAction() {
 @Override
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
index ed06f312b6..36a84982cd 100644
--- a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
+++ b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
@@ -57,7 +57,7 @@ public Netty4HttpRequestHeaderVerifier(SecurityRestFilter restFilter, ThreadPool
 this.injectUserEnabled = settings.getAsBoolean(ConfigConstants.SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false);
 boolean disabled = settings.getAsBoolean(ConfigConstants.SECURITY_DISABLED, false);
 if (disabled) {
- sslConfig = new SSLConfig(false, false);
+ sslConfig = new SSLConfig(false, false, false);
 } else {
 sslConfig = new SSLConfig(settings);
 }
diff --git a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java
index d30e45022a..3245fb3337 100644
--- a/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java
+++ b/src/main/java/org/opensearch/security/ssl/transport/SSLConfig.java
@@ -19,21 +19,30 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.SecuritySettings;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT;
+
 public class SSLConfig {
 private static final Logger logger = LogManager.getLogger(SSLConfig.class);
 private final boolean sslOnly;
 private volatile boolean dualModeEnabled;
+ private volatile boolean transportSSLEnabled;
- public SSLConfig(final boolean sslOnly, final boolean dualModeEnabled) {
+ public SSLConfig(final boolean sslOnly, final boolean dualModeEnabled, final boolean transportSSLEnabled) {
 this.sslOnly = sslOnly;
 this.dualModeEnabled = dualModeEnabled;
+ this.transportSSLEnabled = transportSSLEnabled;
 logger.info("SSL dual mode is {}", isDualModeEnabled() ? "enabled" : "disabled");
 }
 public SSLConfig(final Settings settings) {
- this(settings.getAsBoolean(ConfigConstants.SECURITY_SSL_ONLY, false), SecuritySettings.SSL_DUAL_MODE_SETTING.get(settings));
+ this(
+ settings.getAsBoolean(ConfigConstants.SECURITY_SSL_ONLY, false),
+ SecuritySettings.SSL_DUAL_MODE_SETTING.get(settings),
+ settings.getAsBoolean(SECURITY_SSL_TRANSPORT_ENABLED, SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT)
+ );
 }
 public void registerClusterSettingsChangeListener(final ClusterSettings clusterSettings) {
@@ -57,4 +66,8 @@ public boolean isDualModeEnabled() {
 public boolean isSslOnlyMode() {
 return sslOnly;
 }
+
+ public boolean isTransportSSLEnabled() {
+ return transportSSLEnabled;
+ }
 }
diff --git a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
index 7002171595..bb1da91af2 100644
--- a/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
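Review bot: `transportSSLEnabled` is declared `volatile` in the field hunk although it is assigned only in the constructor; unlike `dualModeEnabled`, nothing in this diff updates it at runtime (the body of `registerClusterSettingsChangeListener` is outside the hunk, so if a listener does write it that should be stated), and `private final boolean transportSSLEnabled;` expresses the contract a reader can actually rely on. The constructor logs the dual-mode state but not the new flag, so an operator reading the node log cannot tell that transport SSL has been turned off; a line next to the existing one, `logger.info("Transport SSL is {}", transportSSLEnabled ? "enabled" : "disabled");`, closes that gap. The getter added in the second hunk has no Javadoc; suggest `/** Whether TLS is enabled on the transport layer; when false, callers such as SecurityRequestHandler skip the transport-level peer certificate checks. */`.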
+++ b/src/main/java/org/opensearch/security/ssl/transport/SecuritySSLRequestHandler.java
@@ -113,14 +113,9 @@ public final void messageReceived(T request, TransportChannel channel, Task task
 if (SSLConfig.isDualModeEnabled()) {
 log.info("Communication in dual mode. Skipping SSL handler check");
 threadContext.putTransient(ConfigConstants.SECURITY_SSL_DUAL_MODE_SKIP_SECURITY, Boolean.TRUE);
- messageReceivedDecorate(request, actualHandler, channel, task);
- return;
 }
- final String msg = "No ssl handler found (SG 11)";
- // log.error(msg);
- final Exception exception = new OpenSearchException(msg);
- channel.sendResponse(exception);
- throw exception;
+ messageReceivedDecorate(request, actualHandler, channel, task);
+ return;
 }
 final Certificate[] peerCerts = sslhandler.engine().getSession().getPeerCertificates();
diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
index 18c0c21282..b27ee42368 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
@@ -70,6 +70,7 @@ public class SecurityRequestHandler extends Security
 private final AuditLog auditLog;
 private final InterClusterRequestEvaluator requestEvalProvider;
 private final ClusterService cs;
+ private final SSLConfig SSLConfig;
 SecurityRequestHandler(
 String action,
@@ -86,6 +87,7 @@ public class SecurityRequestHandler extends Security
 this.auditLog = auditLog;
 this.requestEvalProvider = requestEvalProvider;
 this.cs = cs;
+ this.SSLConfig = SSLConfig;
 }
 @Override
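Review bot: The rewritten fall-through in the `messageReceived` hunk forwards every message that reaches this branch to `messageReceivedDecorate`, including the state where transport SSL is enabled and dual mode is off — precisely the state the removed `No ssl handler found (SG 11)` rejection was guarding against. Rejection now depends entirely on whatever the downstream `messageReceivedDecorate` does (in this diff, the `SSLConfig.isTransportSSLEnabled()` gates in `SecurityRequestHandler`), so any other implementation of that method receives a request from a channel without an SSL handler and without the usual peer-certificate context. Keeping the fail-closed branch for that one state keeps the check next to where the missing handler is detected, as sketched below. The enclosing `messageReceived` starts outside the hunk, so the condition leading here (presumably a null `sslhandler`) is inferred.
```java
            if (SSLConfig.isDualModeEnabled()) {
                // … unchanged: dual-mode log and SECURITY_SSL_DUAL_MODE_SKIP_SECURITY transient …
            } else if (SSLConfig.isTransportSSLEnabled()) {
                // transport SSL is required but this channel carries no SSL handler: fail closed
                final Exception exception = new OpenSearchException("No ssl handler found (SG 11)");
                channel.sendResponse(exception);
                throw exception;
            }
            messageReceivedDecorate(request, actualHandler, channel, task);
            return;
```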
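Review bot: The new field `private final SSLConfig SSLConfig;` in the first `SecurityRequestHandler` hunk uses the type name as the field name, while the `Netty4HttpRequestHeaderVerifier` hunk in this same diff uses `sslConfig`; `private final SSLConfig sslConfig;` with `this.sslConfig = SSLConfig;` in the constructor hunk would follow Java naming and match that file. Since the second hunk adds an assignment but no constructor parameter, the value is presumably the `SSLConfig` argument the constructor already forwards to its superclass, and `SecuritySSLRequestHandler` visibly holds the same object (`SSLConfig.isDualModeEnabled()` in the previous file); a protected accessor on the superclass would avoid storing it twice. The constructor's parameter list sits between the two hunks and is not visible here.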
@@ -265,7 +267,8 @@ protected void messageReceivedDecorate(
 String principal = null;
- if ((principal = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL)) == null) {
+ if (SSLConfig.isTransportSSLEnabled()
+ && (principal = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL)) == null) {
 Exception ex = new OpenSearchSecurityException(
 "No SSL client certificates found for transport type "
 + transportChannel.getChannelType()
@@ -286,9 +289,10 @@ protected void messageReceivedDecorate(
 // network intercluster request or cross search cluster request
 // CS-SUPPRESS-SINGLE: RegexpSingleline Used to allow/disallow TLS connections to extensions
- if (!(HeaderHelper.isInterClusterRequest(getThreadContext())
- || HeaderHelper.isTrustedClusterRequest(getThreadContext())
- || HeaderHelper.isExtensionRequest(getThreadContext()))) {
+ if (SSLConfig.isTransportSSLEnabled()
+ && !(HeaderHelper.isInterClusterRequest(getThreadContext())
+ || HeaderHelper.isTrustedClusterRequest(getThreadContext())
+ || HeaderHelper.isExtensionRequest(getThreadContext()))) {
 // CS-ENFORCE-SINGLE
 final OpenSearchException exception = ExceptionUtils.clusterWrongNodeCertConfigException(principal);
 log.error(exception.toString());
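Review bot: When `SSLConfig.isTransportSSLEnabled()` is false, the first hunk leaves `principal` at `null` (the assignment inside the `&&` is never evaluated) and the second hunk skips the inter-cluster/trusted-cluster/extension header check entirely, so nothing in this method any longer distinguishes a peer node from any other party on the plaintext transport; whether code later in `messageReceivedDecorate` (outside these hunks) still reads `principal` or relies on that distinction should be verified before merging. The same call is made twice a few lines apart; hoisting it once, `final boolean transportSslEnabled = SSLConfig.isTransportSSLEnabled();`, keeps the two gates visibly in step. The decision also deserves a comment at the first gate, e.g. `// transport SSL disabled: no peer certificate is available, so the node-identity checks below cannot apply`. Both hunks are in the middle of `messageReceivedDecorate`, whose start and end are outside this diff.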