Skip to content

Commit

Permalink
[7.x] Update security deprecation messages (#115241) (#115395)
Browse files Browse the repository at this point in the history 
* Update security deprecation messages (#115241)

* Fix Jest tests that were changed upstream

* Add missing deprecation levels for plugins' `enabled` config options

For the Security, Spaces, and ESO plugins.
  • Loading branch information
@jportner
jportner authored Oct 18, 2021
1 parent 62bdc2d commit 1933ed9
Show file tree
Hide file tree
Showing 8 changed files with 136 additions and 192 deletions.
8 changes: 4 additions & 4 deletions src/core/server/elasticsearch/elasticsearch_config.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -293,7 +293,7 @@ describe('deprecations', () => {
const { messages } = applyElasticsearchDeprecations({ username: 'elastic' });
expect(messages).toMatchInlineSnapshot(`
Array [
"Setting [${CONFIG_PATH}.username] to \\"elastic\\" is deprecated. You should use the \\"kibana_system\\" user instead.",
"Kibana is configured to authenticate to Elasticsearch with the \\"elastic\\" user. Use a service account token instead.",
]
`);
});
Expand All @@ -302,7 +302,7 @@ describe('deprecations', () => {
const { messages } = applyElasticsearchDeprecations({ username: 'kibana' });
expect(messages).toMatchInlineSnapshot(`
Array [
"Setting [${CONFIG_PATH}.username] to \\"kibana\\" is deprecated. You should use the \\"kibana_system\\" user instead.",
"Kibana is configured to authenticate to Elasticsearch with the \\"kibana\\" user. Use a service account token instead.",
]
`);
});
Expand All @@ -321,7 +321,7 @@ describe('deprecations', () => {
const { messages } = applyElasticsearchDeprecations({ ssl: { key: '' } });
expect(messages).toMatchInlineSnapshot(`
Array [
"Setting [${CONFIG_PATH}.ssl.key] without [${CONFIG_PATH}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
"Use both \\"elasticsearch.ssl.key\\" and \\"elasticsearch.ssl.certificate\\" to enable Kibana to use Mutual TLS authentication with Elasticsearch.",
]
`);
});
Expand All @@ -330,7 +330,7 @@ describe('deprecations', () => {
const { messages } = applyElasticsearchDeprecations({ ssl: { certificate: '' } });
expect(messages).toMatchInlineSnapshot(`
Array [
"Setting [${CONFIG_PATH}.ssl.certificate] without [${CONFIG_PATH}.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
"Use both \\"elasticsearch.ssl.certificate\\" and \\"elasticsearch.ssl.key\\" to enable Kibana to use Mutual TLS authentication with Elasticsearch.",
]
`);
});
Expand Down
86 changes: 60 additions & 26 deletions src/core/server/elasticsearch/elasticsearch_config.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@

import { schema, TypeOf } from '@kbn/config-schema';
import { readPkcs12Keystore, readPkcs12Truststore } from '@kbn/crypto';
import { i18n } from '@kbn/i18n';
import { Duration } from 'moment';
import { readFileSync } from 'fs';
import { ConfigDeprecationProvider } from 'src/core/server';
Expand Down Expand Up @@ -138,49 +139,82 @@ export const configSchema = schema.object({
});

const deprecations: ConfigDeprecationProvider = () => [
(settings, fromPath, addDeprecation) => {
(settings, fromPath, addDeprecation, { branch }) => {
const es = settings[fromPath];
if (!es) {
return;
}
if (es.username === 'elastic') {
addDeprecation({
configPath: `${fromPath}.username`,
message: `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.`,
correctiveActions: {
manualSteps: [`Replace [${fromPath}.username] from "elastic" to "kibana_system".`],
},
});
} else if (es.username === 'kibana') {

if (es.username === 'elastic' || es.username === 'kibana') {
const username = es.username;
addDeprecation({
configPath: `${fromPath}.username`,
message: `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.`,
correctiveActions: {
manualSteps: [`Replace [${fromPath}.username] from "kibana" to "kibana_system".`],
},
});
}
if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) {
addDeprecation({
configPath: `${fromPath}.ssl.key`,
message: `Setting [${fromPath}.ssl.key] without [${fromPath}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`,
title: i18n.translate('core.deprecations.elasticsearchUsername.title', {
defaultMessage: 'Using "elasticsearch.username: {username}" is deprecated',
values: { username },
}),
message: i18n.translate('core.deprecations.elasticsearchUsername.message', {
defaultMessage:
'Kibana is configured to authenticate to Elasticsearch with the "{username}" user. Use a service account token instead.',
values: { username },
}),
level: 'warning',
documentationUrl: `https://www.elastic.co/guide/en/elasticsearch/reference/${branch}/service-accounts.html`,
correctiveActions: {
manualSteps: [
`Set [${fromPath}.ssl.certificate] in your kibana configs to enable TLS client authentication to Elasticsearch.`,
i18n.translate('core.deprecations.elasticsearchUsername.manualSteps1', {
defaultMessage:
'Use the elasticsearch-service-tokens CLI tool to create a new service account token for the "elastic/kibana" service account.',
}),
i18n.translate('core.deprecations.elasticsearchUsername.manualSteps2', {
defaultMessage: 'Add the "elasticsearch.serviceAccountToken" setting to kibana.yml.',
}),
i18n.translate('core.deprecations.elasticsearchUsername.manualSteps3', {
defaultMessage:
'Remove "elasticsearch.username" and "elasticsearch.password" from kibana.yml.',
}),
],
},
});
} else if (es.ssl?.certificate !== undefined && es.ssl?.key === undefined) {
}

const addSslDeprecation = (existingSetting: string, missingSetting: string) => {
addDeprecation({
configPath: `${fromPath}.ssl.certificate`,
message: `Setting [${fromPath}.ssl.certificate] without [${fromPath}.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`,
configPath: existingSetting,
title: i18n.translate('core.deprecations.elasticsearchSSL.title', {
defaultMessage: 'Using "{existingSetting}" without "{missingSetting}" has no effect',
values: { existingSetting, missingSetting },
}),
message: i18n.translate('core.deprecations.elasticsearchSSL.message', {
defaultMessage:
'Use both "{existingSetting}" and "{missingSetting}" to enable Kibana to use Mutual TLS authentication with Elasticsearch.',
values: { existingSetting, missingSetting },
}),
level: 'warning',
documentationUrl: `https://www.elastic.co/guide/en/kibana/${branch}/elasticsearch-mutual-tls.html`,
correctiveActions: {
manualSteps: [
`Set [${fromPath}.ssl.key] in your kibana configs to enable TLS client authentication to Elasticsearch.`,
i18n.translate('core.deprecations.elasticsearchSSL.manualSteps1', {
defaultMessage: 'Add the "{missingSetting}" setting to kibana.yml.',
values: { missingSetting },
}),
i18n.translate('core.deprecations.elasticsearchSSL.manualSteps2', {
defaultMessage:
'Alternatively, if you don\'t want to use Mutual TLS authentication, remove "{existingSetting}" from kibana.yml.',
values: { existingSetting },
}),
],
},
});
} else if (es.logQueries === true) {
};

if (es.ssl?.key !== undefined && es.ssl?.certificate === undefined) {
addSslDeprecation(`${fromPath}.ssl.key`, `${fromPath}.ssl.certificate`);
} else if (es.ssl?.certificate !== undefined && es.ssl?.key === undefined) {
addSslDeprecation(`${fromPath}.ssl.certificate`, `${fromPath}.ssl.key`);
}

if (es.logQueries === true) {
addDeprecation({
configPath: `${fromPath}.logQueries`,
message: `Setting [${fromPath}.logQueries] is deprecated and no longer used. You should set the log level to "debug" for the "elasticsearch.queries" context in "logging.loggers" or use "logging.verbose: true".`,
Expand Down
2 changes: 1 addition & 1 deletion x-pack/plugins/encrypted_saved_objects/server/index.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ export type { IsMigrationNeededPredicate } from './create_migration';

export const config: PluginConfigDescriptor = {
schema: ConfigSchema,
deprecations: ({ deprecate }) => [deprecate('enabled', '8.0.0')],
deprecations: ({ deprecate }) => [deprecate('enabled', '8.0.0', { level: 'critical' })],
};
export const plugin = (initializerContext: PluginInitializerContext) =>
new EncryptedSavedObjectsPlugin(initializerContext);
58 changes: 0 additions & 58 deletions x-pack/plugins/monitoring/server/deprecations.test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,64 +68,6 @@ describe.skip('monitoring plugin deprecations', function () {
});
});

describe('elasticsearch.username', function () {
it('logs a warning if elasticsearch.username is set to "elastic"', () => {
const settings = { elasticsearch: { username: 'elastic' } };

const addDeprecation = jest.fn();
transformDeprecations(settings, fromPath, addDeprecation);
expect(addDeprecation).toHaveBeenCalled();
});

it('logs a warning if elasticsearch.username is set to "kibana"', () => {
const settings = { elasticsearch: { username: 'kibana' } };

const addDeprecation = jest.fn();
transformDeprecations(settings, fromPath, addDeprecation);
expect(addDeprecation).toHaveBeenCalled();
});

it('does not log a warning if elasticsearch.username is set to something besides "elastic" or "kibana"', () => {
const settings = { elasticsearch: { username: 'otheruser' } };

const addDeprecation = jest.fn();
transformDeprecations(settings, fromPath, addDeprecation);
expect(addDeprecation).not.toHaveBeenCalled();
});

it('does not log a warning if elasticsearch.username is unset', () => {
const settings = { elasticsearch: { username: undefined } };

const addDeprecation = jest.fn();
transformDeprecations(settings, fromPath, addDeprecation);
expect(addDeprecation).not.toHaveBeenCalled();
});

it('logs a warning if ssl.key is set and ssl.certificate is not', () => {
const settings = { elasticsearch: { ssl: { key: '' } } };

const addDeprecation = jest.fn();
transformDeprecations(settings, fromPath, addDeprecation);
expect(addDeprecation).toHaveBeenCalled();
});

it('logs a warning if ssl.certificate is set and ssl.key is not', () => {
const settings = { elasticsearch: { ssl: { certificate: '' } } };

const addDeprecation = jest.fn();
transformDeprecations(settings, fromPath, addDeprecation);
expect(addDeprecation).toHaveBeenCalled();
});

it('does not log a warning if both ssl.key and ssl.certificate are set', () => {
const settings = { elasticsearch: { ssl: { key: '', certificate: '' } } };

const addDeprecation = jest.fn();
transformDeprecations(settings, fromPath, addDeprecation);
expect(addDeprecation).not.toHaveBeenCalled();
});
});

describe('xpack_api_polling_frequency_millis', () => {
it('should call rename for this renamed config key', () => {
const settings = { xpack_api_polling_frequency_millis: 30000 };
Expand Down
57 changes: 7 additions & 50 deletions x-pack/plugins/monitoring/server/deprecations.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,56 +66,13 @@ export const deprecations = ({
}
return config;
},
(config, fromPath, addDeprecation) => {
const es: Record<string, any> = get(config, 'elasticsearch');
if (es) {
if (es.username === 'elastic') {
addDeprecation({
configPath: 'elasticsearch.username',
message: `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana_system" user instead.`,
correctiveActions: {
manualSteps: [`Replace [${fromPath}.username] from "elastic" to "kibana_system".`],
},
});
} else if (es.username === 'kibana') {
addDeprecation({
configPath: 'elasticsearch.username',
message: `Setting [${fromPath}.username] to "kibana" is deprecated. You should use the "kibana_system" user instead.`,
correctiveActions: {
manualSteps: [`Replace [${fromPath}.username] from "kibana" to "kibana_system".`],
},
});
}
}
return config;
},
(config, fromPath, addDeprecation) => {
const ssl: Record<string, any> = get(config, 'elasticsearch.ssl');
if (ssl) {
if (ssl.key !== undefined && ssl.certificate === undefined) {
addDeprecation({
configPath: 'elasticsearch.ssl.key',
message: `Setting [${fromPath}.key] without [${fromPath}.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`,
correctiveActions: {
manualSteps: [
`Set [${fromPath}.ssl.certificate] in your kibana configs to enable TLS client authentication to Elasticsearch.`,
],
},
});
} else if (ssl.certificate !== undefined && ssl.key === undefined) {
addDeprecation({
configPath: 'elasticsearch.ssl.certificate',
message: `Setting [${fromPath}.certificate] without [${fromPath}.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`,
correctiveActions: {
manualSteps: [
`Set [${fromPath}.ssl.key] in your kibana configs to enable TLS client authentication to Elasticsearch.`,
],
},
});
}
}
return config;
},
rename('xpack_api_polling_frequency_millis', 'licensing.api_polling_frequency'),

// TODO: Add deprecations for "monitoring.ui.elasticsearch.username: elastic" and "monitoring.ui.elasticsearch.username: kibana".
// TODO: Add deprecations for using "monitoring.ui.elasticsearch.ssl.certificate" without "monitoring.ui.elasticsearch.ssl.key", and
// vice versa.
// ^ These deprecations should only be shown if they are explicitly configured for monitoring -- we should not show Monitoring
// deprecations for these settings if they are inherited from the Core elasticsearch settings.
// See the Core implementation: src/core/server/elasticsearch/elasticsearch_config.ts
];
};
Loading

0 comments on commit 1933ed9

Please sign in to comment.