Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x-pack endpoint lists confusing license information when disabling a feature #30036

Open
elasticmachine opened this issue Feb 10, 2017 · 7 comments
Open

x-pack endpoint lists confusing license information when disabling a feature #30036

elasticmachine opened this issue Feb 10, 2017 · 7 comments
Labels
>bug :Security/License License functionality for commercial features Team:Security Meta label for security team

Comments

@elasticmachine
Copy link
Collaborator

Original comment by @spinscale:

When a user disables a feature like xpack.security.enabled: false, then the _xpack output sets available and enabled to false, like this

GET /_xpack
{
  "build" : {
    "hash" : "${buildNumber}",
    "timestamp" : "NA"
  },
  "license" : {
    "uid" : "81fc2204-dd1a-44a1-a662-e4d5e690413b",
    "type" : "trial",
    "mode" : "trial",
    "status" : "active",
    "expiry_date_in_millis" : 1464274477370
  },
  "features" : {
    "graph" : {
      "description" : "Graph Data Exploration for the Elastic Stack",
      "available" : true,
      "enabled" : true
    },
    "monitoring" : {
      "description" : "Monitoring for the Elastic Stack",
      "available" : false,
      "enabled" : false
    },
    "security" : {
      "description" : "Security for the Elastic Stack",
      "available" : false,
      "enabled" : false
    },
    "watcher" : {
      "description" : "Alerting, Notification and Automation for the Elastic Stack",
      "available" : true,
      "enabled" : true
    }
  },
  "tagline" : "You know, for X"
}

I would expect available to be true and enabled to be false.
@elasticmachine
Copy link
Collaborator Author

Original comment by @spinscale:

the reason here, is that we try to be smart on initialization... For example in Security.nodeModules() we only initialize securityLicenseState when security has been enabled, otherwise this is null and we never know if the license is valid or not when the above response is created.

Same in GraphModule.configure(), in MonitoringModule.configure() and WatcherModule.configure.

Either we remove the available flag or we fix this by always instantiating licensees and use those

@elasticmachine
Copy link
Collaborator Author

Original comment by @jaymode:

I am a fan of available in the output. I also think we should always return all of the license acknowledgement messages, not just when a feature is enabled. It is all the same plugin, which implies initializing the licensees all the time or combining to a single licensee.

@elasticmachine
Copy link
Collaborator Author

Original comment by @skearns64:

What would we use available for? For Security, we might report available, but with a Gold license, FLS/DLS and custom realms would be unavailable, so the feature is really only partially available. For Monitoring with a Basic license, we report available, but multi-cluster, and configurable retention periods are not supported.

If we're just looking for a way to represent "at least some part of this feature is available," it seems like we might be able to represent that with just enabled?

@elasticmachine
Copy link
Collaborator Author

Original comment by @spinscale:

agreeing with steve here... as long as our feature set is only per module (security, monitoring, watcher, graph) instead of per feature (DLS, FLS, watcher-actions-only-between-8am-and-10am), available does not seem to make much sense to me? Well, even the definition of a feature set here is tricky...

@elasticmachine
Copy link
Collaborator Author

Original comment by @jaymode:

How I see it:

enabled: the feature is actively in use (well working/running)
available: the feature can be used based on your license

Yes at this level it is not the most useful because we do not know what sub feature sets are available or enabled. But @uboness plans to move this down to that level and it will become even more important.

I still think it has value at the current level. Why do I think this is useful? There have been numerous times where a user has installed shield and has said security doesn't work, I don't need credentials to use it. It turns out they were using a basic license. With enabled you don't get the detail that this module is not available to the user.

@elasticmachine
Copy link
Collaborator Author

Original comment by @skearns64:

There have been numerous times where a user has installed shield and has said security doesn't work, I don't need credentials to use it. It turns out they were using a basic license. With enabled you don't get the detail that this module is not available to the user.

Wouldn't enabled be false if they had a Basic license?

@elasticmachine
Copy link
Collaborator Author

Original comment by @jaymode:

Wouldn't enabled be false if they had a Basic license?

No it would not be false. Enabled is based on settings, not on the license state

@elasticmachine elasticmachine added :Security/License License functionality for commercial features >bug labels Apr 25, 2018
@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
>bug :Security/License License functionality for commercial features Team:Security Meta label for security team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rjernst @elasticmachine