
Require TLS for transport layer when security is enabled for Trial licenses #75292

Closed
jkakavas opened this issue Jul 13, 2021 · 4 comments · Fixed by #79602
Labels
:Security/License License functionality for commercial features :Security/TLS SSL/TLS, Certificates Team:Security Meta label for security team v8.0.0-beta1

Comments

@jkakavas
Member

Historically, we haven't enabled the transport TLS bootstrap check for trial licenses because:

  • We want to make the experience of trial license users as easy as possible and configuring transport TLS was considered cumbersome.
  • Trial licenses have a limited lifetime so that minimizes the impact of this potentially insecure configuration.

With the security-on-by-default project we are:

  • Enabling security by default for basic and trial licenses
  • Offering an easy, automated way for users to configure transport TLS
  • As a consequence, enabling this bootstrap check by default for basic licenses.

It doesn't make much sense for us to enforce the bootstrap check on basic licenses but not on trial, and given that the concerns that were driving the original decision are not there or have been partly alleviated, we should also enable the transport TLS bootstrap check on trial.
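To make the behaviour change concrete, the following is an added example (not Elasticsearch's own bootstrap-check code) that models the transport-TLS check over flat `elasticsearch.yml` fragments; the setting keys and license tiers are the real ones, the `single-node` exemption and the "security enabled by default" assumption reflect 8.x behaviour, and the check logic is a simplified approximation written for illustration.

```python
# Added example: simplified model of the transport-TLS bootstrap check.
# Not Elasticsearch's code; an approximation for illustration only.

TRUE_VALUES = {"true", "yes", "on", "1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse flat 'key: value' lines of an elasticsearch.yml fragment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments / blank lines
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def as_bool(settings: dict, key: str, default: bool) -> bool:
    return settings.get(key, str(default)).lower() in TRUE_VALUES


def transport_tls_check(settings: dict, license_type: str, exempt_trial: bool):
    """Return (passed, reason) for one node.

    exempt_trial=True models the historical leniency (trial skipped the check);
    exempt_trial=False models what this issue asks for (trial checked too).
    """
    if settings.get("discovery.type") == "single-node":
        return True, "bootstrap checks not enforced for single-node discovery"
    # Assumption: security defaults to enabled, as in 8.x.
    if not as_bool(settings, "xpack.security.enabled", True):
        return True, "security disabled; transport TLS not required"
    if as_bool(settings, "xpack.security.transport.ssl.enabled", False):
        return True, "transport TLS enabled"
    if exempt_trial and license_type == "trial":
        return True, "trial license exempt (historical leniency)"
    return False, f"transport TLS required when security is enabled ({license_type})"


# Constructed sample: security on, transport TLS left off (the risky case).
WEAK_CONFIG = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: false
"""

# Constructed sample: the hardened form with TLS on the transport layer.
HARDENED_CONFIG = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
"""
```

Running `transport_tls_check(parse_flat_yaml(WEAK_CONFIG), "trial", exempt_trial=True)` passes under the old leniency, while the same node fails once `exempt_trial=False`, exactly as it already does for a basic license.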

@jkakavas jkakavas added :Security/TLS SSL/TLS, Certificates :Security/License License functionality for commercial features v8.0.0 labels Jul 13, 2021
@elasticmachine elasticmachine added Team:Security Meta label for security team labels Jul 13, 2021
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@albertzaharovits
Contributor

We cannot allow Security without transport TLS because otherwise nodes without Security are then able to join the cluster, but we assume in several places that all nodes in the cluster have Security enabled (or not).

@jkakavas
Member Author

jkakavas commented Aug 2, 2021

@albertzaharovits I assume the comment above was a 👍 to remove this leniency for trial licenses, right?
