Deprecate certificate-based remote cluster security model #120806
Conversation
slobodanadamovic added >deprecation :Security/Security 
| Hi @slobodanadamovic, I've created a changelog YAML for you. Note that since this PR is labelled |
| Pinging @elastic/es-security (Team:Security) |
transport profile
…:slobodanadamovic/elasticsearch into sa-deprecate-certificate-based-rcs-model
| Linking here docs preview pages: |
docs/changelog/120806.yaml Outdated
| The <<remote-clusters-api-key,*API key based security model*>> is preferred way to configure remote clusters, | ||
| as it allows to follow security best practices when setting up remote cluster connections | ||
| and defining fine-grained access control. | ||
| Users are encouraged to <<remote-clusters-migrate, migrate remote clusters from certificate to API key authentication>>. |
There was a problem hiding this comment.
Wonder if we want to make this a stronger statement by adding something like "since support for the certificate-based model will be removed in a future version."
There was a problem hiding this comment.
I've adjusted the changelog to state that it will be removed in future. Let me know if that makes sense: 71fd150
| [[remote-clusters-cert]] | ||
| === Add remote clusters using TLS certificate authentication | ||
| | ||
| deprecated::[9.0.0,"Certificate based authentication is deprecated. Configure <<remote-clusters-api-key,API key authentication>> instead or follow a guide on how to <<remote-clusters-migrate,migrate remote clusters from certificate to API key authentication>>."] |
There was a problem hiding this comment.
I don't think we should tackle it in this PR, but cross cluster replication docs make a bunch of implicit references to the certificate-based model, e.g.,:
We probably want a follow up of some sorts to update the docs to focus on RCS 2.0 instead, and mention that RCS 1.0 is deprecated.
There was a problem hiding this comment.
For sure. There is a plan to do that with the help of docs team.
server/src/main/java/org/elasticsearch/transport/RemoteConnectionManager.java Outdated Show resolved Hide resolved
server/src/main/java/org/elasticsearch/transport/RemoteConnectionManager.java Outdated Show resolved Hide resolved
server/src/main/java/org/elasticsearch/transport/RemoteConnectionManager.java Show resolved Hide resolved
…cate-certificate-based-rcs-model
Thanks for catching this! 👍 Please have another look. I've added deprecation logging when a node is connected using proxy mode. Also wrote an integration test which covers both proxy and sniff modes. |
| /** | ||
| * Tests the deprecation of RCS1.0 (certificate-based) security model. | ||
| */ | ||
| public class RemoteClusterSecurityRCS1DeprecationIT extends AbstractRemoteClusterSecurityTestCase { |
...tTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityRCS1DeprecationIT.java Show resolved Hide resolved
slobodanadamovic added the auto-merge-without-approval slobodanadamovic removed the auto-merge-without-approval 4 participants
Today, Elasticsearch supports two models to establish secure connections
and trust between two Elasticsearch clusters:
This PR deprecates the Certificate based security model in favour of API key based security model.
The API key based security model is preferred way to configure remote clusters,
as it allows to follow security best practices when setting up remote cluster connections
and defining fine-grained access control.
Users are encouraged to migrate remote clusters from certificate to API key authentication.
Deprecation details:
The deprecation warning message is logged only at runtime, when a remote connection is first opened. This is in order to avoid overloading the deprecation logs. The logs are deduplicated by passing a key per remote cluster alias (
remote_cluster_certificate_access-<remote-cluster-alias>). Worth noting is that with this approach, the warning headers will not be returned to clients that execute a cross cluster search requests (e.g.POST /my_remote_cluster:*/_search). I think this is justifiable, given that end-clients are not the ones interested in such deprecations, but rather administrators of the cluster.The deprecation message will only be logged on local cluster. This is because there is no way to detect if an inbound connection on a remote cluster is originating from a cluster using certificate based auth. As a consequence, this means that there may be some old local clusters connecting to a new remote clusters using deprecated model, and there would be no deprecations logged at all.
There are no particular settings to be deprecated, because the certificate based model shares the same transport protocol/settings as the intra-cluster node-to-node communication.
Hence, we might log a deprecation message for remote connections that are simply missing credentials (. Edit: This is addressed by checking if the remote connection is usingcluster.remote.ALIAS.credentials)REMOTE_CLUSTER_PROFILE. The remote cluster profile is used only for the new port and transport connections that use new API key based security model.Note: If the approach makes sense, I will add more test coverage and update the docs.