Skip to content

Don't allow secure settings in YML config (109115) #115779

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 4, 2024
Merged

Don't allow secure settings in YML config (109115) #115779

merged 3 commits into from
Nov 4, 2024

Conversation

alexey-ivanov-es
Copy link
Contributor

Elasticsearch should refuse to start
if a secure setting is defined in elasticsearch.yml, in order to protect users from accidentally putting their secrets in a place where they are unexpectedly visible

Fixes #109115

@alexey-ivanov-es
Don't allow secure settings in YML config (109115)
7719118 
Elasticsearch should refuse to start
if a secure setting is defined in elasticsearch.yml,
in order to protect users from accidentally putting their secrets
in a place where they are unexpectedly visible

Fixes elastic#109115
@alexey-ivanov-es alexey-ivanov-es added >bug :Core/Infra/Settings Settings infrastructure and APIs v9.0.0 labels Oct 28, 2024
@elasticsearchmachine
Copy link
Collaborator

Hi @alexey-ivanov-es, I've created a changelog YAML for you.

@alexey-ivanov-es alexey-ivanov-es requested a review from a team October 28, 2024 18:01
@alexey-ivanov-es alexey-ivanov-es marked this pull request as ready for review October 28, 2024 18:01
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Oct 28, 2024
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

prdoyle
prdoyle approved these changes Nov 4, 2024
View reviewed changes
Copy link
Contributor

@prdoyle prdoyle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems straightforward

DaveCTurner
DaveCTurner previously requested changes Nov 4, 2024
View reviewed changes
Copy link
Contributor

@DaveCTurner DaveCTurner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hang on, I think this is a breaking change, we need to clear it with the breaking changes committee first and document it as breaking. I suspect we should be emitting warnings in 8.x as well to help folks avoid the problem before it actually takes effect.

@alexey-ivanov-es
Copy link
Contributor Author

@DaveCTurner I discussed this with @rjernst and he said: "I confirmed that we are ok to proceed with the above change. it's an edge case which is in a gray area we shouldn't need an explicit breaking change issue for."

@DaveCTurner DaveCTurner dismissed their stale review November 4, 2024 16:05

overruled :)

@DaveCTurner
Copy link
Contributor

Ok carry on then.

@alexey-ivanov-es alexey-ivanov-es merged commit de9851a into elastic:main Nov 4, 2024
16 checks passed
@alexey-ivanov-es alexey-ivanov-es deleted the fix/109115 branch November 4, 2024 16:29
jozala pushed a commit that referenced this pull request Nov 13, 2024
@alexey-ivanov-es @jozala
Don't allow secure settings in YML config (109115) (#115779)
06a3036 
* Don't allow secure settings in YML config (109115)

Elasticsearch should refuse to start
if a secure setting is defined in elasticsearch.yml,
in order to protect users from accidentally putting their secrets
in a place where they are unexpectedly visible

Fixes #109115
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prdoyle prdoyle prdoyle approved these changes

@DaveCTurner DaveCTurner DaveCTurner left review comments

Assignees
No one assigned
Labels
>bug :Core/Infra/Settings Settings infrastructure and APIs Team:Core/Infra Meta label for core/infra team v9.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secure settings are permitted in elasticsearch.yml if also present in keystore
4 participants
@alexey-ivanov-es @elasticsearchmachine @DaveCTurner @prdoyle