Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove deprecated SSL settings and simplify SSL configuration #213

Merged
merged 2 commits into from
Dec 16, 2024
Merged

Remove deprecated SSL settings and simplify SSL configuration #213

merged 2 commits into from
Dec 16, 2024

Conversation

donoghuc
Copy link
Contributor

@donoghuc donoghuc commented Nov 12, 2024
edited
Loading

Get rid of the deprecated parameters and document their removal. Ensure the integration and unit tests pass and that the removals are clearly documented.

Closes #210

@donoghuc
Copy link
Contributor Author

Got a failure on 7.x https://app.travis-ci.com/github/logstash-plugins/logstash-input-elasticsearch/jobs/628037127 that looked unrelated and suspiciously like a race condition. I reloaded that cell.

@donoghuc
Copy link
Contributor Author

For reviewer: I found reviewing this work to be very helpful in making sense of the removals https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/185/files

@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch from 3f3d572 to cde2f75 Compare November 12, 2024 20:41
robbavey
robbavey requested changes Nov 13, 2024
View reviewed changes
Copy link
Contributor

@robbavey robbavey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Partial review while we finalize the exact wording in docs, but let's get started with marking old settings as obsolete before removal

lib/logstash/inputs/elasticsearch.rb Show resolved Hide resolved
@donoghuc
Copy link
Contributor Author

donoghuc commented Nov 14, 2024
edited
Loading

TODO:

donoghuc
donoghuc commented Nov 14, 2024
View reviewed changes
spec/inputs/elasticsearch_spec.rb
@@ -52,6 +52,19 @@
end
end

describe 'handling obsolete settings' do
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inspired by tests in logstash-plugins/logstash-input-http#182 credit @robbavey

@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch 3 times, most recently from c74627d to 6caee6d Compare November 14, 2024 17:30
@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch 2 times, most recently from 57654c7 to 9b1f74c Compare November 18, 2024 17:42
robbavey
robbavey reviewed Nov 21, 2024
View reviewed changes
docs/index.asciidoc Outdated
@@ -608,12 +610,12 @@ option when authenticating to the Elasticsearch server. If set to an
empty string authentication will be disabled.


[id="plugins-{type}s-{plugin}-deprecated-options"]
==== Elasticsearch Input deprecated configuration options
[id="plugins-{type}s-{plugin}-removed-options"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the docs update, let's follow the example in logstash-plugins/logstash-output-http@2fae93e#diff-cae5619b3d18ec99c5ccd0a9f6de0c6d3f53343c64692444551a7d29da6863e7

ie, remove all inline references to deprecated settings, and add a dedicated section at the bottom, above "common options", with a link to that section just before the config table.

cc @karenzone

@donoghuc donoghuc mentioned this pull request Nov 27, 2024
Merged
@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch from 9b1f74c to c2bd0e6 Compare December 2, 2024 22:42
@donoghuc
Copy link
Contributor Author

donoghuc commented Dec 2, 2024

Rebased and updated documentation to match logstash-plugins/logstash-output-http#147

@donoghuc donoghuc requested a review from robbavey December 2, 2024 22:43
@donoghuc
Copy link
Contributor Author

donoghuc commented Dec 2, 2024

Corresponding docs PR elastic/logstash#16744 in LS

robbavey
robbavey requested changes Dec 3, 2024
View reviewed changes
Copy link
Contributor

@robbavey robbavey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy/paste error and a comment nit

docs/index.asciidoc Outdated Show resolved Hide resolved
lib/logstash/inputs/elasticsearch.rb Outdated Show resolved Hide resolved
@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch from c2bd0e6 to 876bf13 Compare December 3, 2024 17:42
@donoghuc donoghuc requested a review from robbavey December 3, 2024 17:43
@robbavey
Copy link
Contributor

robbavey commented Dec 5, 2024

Should be good to go after a rebase

@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch from 876bf13 to 69c6aac Compare December 5, 2024 21:20
@donoghuc
Copy link
Contributor Author

donoghuc commented Dec 5, 2024
edited
Loading

Pushed the rebase. I think outstanding work after merge is:

robbavey
robbavey approved these changes Dec 5, 2024
View reviewed changes
Copy link
Contributor

@robbavey robbavey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - over to you @karenzone to check out doc changes

@robbavey robbavey requested a review from karenzone December 5, 2024 22:49
@robbavey robbavey mentioned this pull request Dec 6, 2024
Closed
6 tasks
@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch from 69c6aac to e0ff435 Compare December 10, 2024 23:06
karenzone
karenzone requested changes Dec 13, 2024
View reviewed changes
Copy link
Contributor

@karenzone karenzone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your work on this, @donoghuc. I left suggestion inline.

docs/index.asciidoc Outdated Show resolved Hide resolved
@donoghuc
Copy link
Contributor Author

Thanks @karenzone I committed your suggestion.

@karenzone
Copy link
Contributor

@donoghuc, one more thing I noticed after I got the docs building successfully.
Looks like paragraph starting at line 633 was orphaned with removals.

Option to validate the server's certificate. Disabling this severely compromises security.
When certificate validation is disabled, this plugin implicitly trusts the machine
resolved at the given address without validating its proof-of-identity.
In this scenario, the plugin can transmit credentials to or process data from an untrustworthy
man-in-the-middle or other compromised infrastructure.
More information on the importance of certificate verification:
https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf.

Should it be deleted as part of ssl_certificate_verification?

@donoghuc
Mark deprecated SSL settings as obsolete
3cef0e3 
This commit updates SSL settings to be marked as obsolete:
- Replace `ssl` with `ssl_enabled`
- Replace `ca_file` with `ssl_certificate_authorities`
- Replace `ssl_certificate_verification` with `ssl_verification_mode`

`setup_ssl_params!` has been updated to only handle SSL inference
when not explicitly configured.
@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch from 953aa8d to 3cef0e3 Compare December 13, 2024 18:24
@donoghuc
Copy link
Contributor Author

You are right! I just deleted that and squashed all the commits to clean up before merging :)

karenzone
karenzone approved these changes Dec 13, 2024
View reviewed changes
Copy link
Contributor

@karenzone karenzone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please delete duplicate note. Otherwise, LGTM!

docs/index.asciidoc Show resolved Hide resolved
donoghuc
donoghuc commented Dec 16, 2024
View reviewed changes
CHANGELOG.md Show resolved Hide resolved
@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch from 4135b5c to c225e46 Compare December 16, 2024 19:26
@donoghuc
Fix accidental removal of changelog entry
cd2e2fd 
During a rebase the latest 4 series entry was deleted. This restores it.
@donoghuc donoghuc force-pushed the GH-210-remove-obsolet-ssl-settings branch from c225e46 to cd2e2fd Compare December 16, 2024 19:36
@donoghuc donoghuc merged commit 56d923f into logstash-plugins:main Dec 16, 2024
2 checks passed
@karenzone karenzone mentioned this pull request Dec 27, 2024
Closed
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@karenzone karenzone karenzone approved these changes

@robbavey robbavey robbavey approved these changes

Assignees
No one assigned
Labels
breaking change status:needs-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remove deprecated SSL settings from Elasticsearch input plugin
3 participants
@donoghuc @robbavey @karenzone