elastic / elasticsearch-migration

This plugin will help you to check whether you can upgrade directly to the next major version of Elasticsearch, or whether you need to make changes to your data and cluster before doing so.

Plugin should describe migration options for Java keystore to PEM certs #89

Closed joshuar closed 7 years ago

joshuar commented 7 years ago

Currently, the migration seems to ignore settings like: shield.ssl.keystore.*. It should suggest migrating these config options to the new PEM-based options (xpack.ssl.key, xpack.ssl.certificate and xpack.ssl.certificate_authorities)?

clintongormley commented 7 years ago

@jaymode could you provide more info about what settings should be migrated here?

jaymode commented 7 years ago

I went through the changes and I believe I've captured it all below.

Settings that map to a new setting:

| Shield Setting | X-Pack Setting | Notes |
| --- | --- | --- |
| shield.ssl | xpack.security.transport.ssl.enabled | |
| shield.ssl.ciphers | xpack.ssl.cipher_suites | |
| shield.ssl.hostname_verification | xpack.ssl.verification_mode | Values changed as well. true in shield maps to full and false maps to none |
| shield.transport.ssl.client.auth | xpack.ssl.client_authentication | No longer accepts true or false. One of required, optional, or none |
| shield.http.ssl | xpack.security.http.ssl.enabled | |
| shield.http.ssl.client.auth | xpack.security.http.ssl.client_authentication | No longer accepts true or false. One of required, optional, or none |
| transport.profiles.$PROFILE.shield.ssl | transport.profiles.$PROFILE.xpack.security.ssl.enabled | |
| transport.profiles.$PROFILE.shield.ciphers | transport.profiles.$PROFILE.xpack.security.ssl.cipher_suites | |
| transport.profiles.$PROFILE.shield.hostname_verification | transport.profiles.$PROFILE.xpack.security.ssl.verification_mode | See note above on verification mode |
| transport.profiles.$PROFILE.shield.ssl.client.auth | transport.profiles.$PROFILE.xpack.security.ssl.client_authentication | No longer accepts true or false. One of required, optional, or none |
| shield.authc.realms.$REALM_NAME.hostname_verification | xpack.security.authc.realms.$REALM_NAME.ssl.verification_mode | See note above on verification mode |

The following settings have been removed:

For the other settings under shield.ssl., these have simply been renamed to xpack.ssl.

Migrating from keystores to the PEM files is probably ok to leave out of the migration tool as it is not necessary but the changes above are.
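The mapping in the comment above, applied to a flat settings dict, as an added example that is not part of the thread or of the plugin's code. The `migrate` function, its warning texts and the reading of the last rule (`shield.ssl.<name>` becomes `xpack.ssl.<name>`) are assumptions; a client-auth value of true or false is kept as-is and flagged, because the thread does not say which new value replaces it.

```python
import re

# Rows of the mapping table above: (Shield key regex, X-Pack key template, value kind).
RULES = [
    (r"shield\.ssl", "xpack.security.transport.ssl.enabled", None),
    (r"shield\.ssl\.ciphers", "xpack.ssl.cipher_suites", None),
    (r"shield\.ssl\.hostname_verification", "xpack.ssl.verification_mode", "verify"),
    (r"shield\.transport\.ssl\.client\.auth", "xpack.ssl.client_authentication", "auth"),
    (r"shield\.http\.ssl", "xpack.security.http.ssl.enabled", None),
    (r"shield\.http\.ssl\.client\.auth", "xpack.security.http.ssl.client_authentication", "auth"),
    (r"transport\.profiles\.([^.]+)\.shield\.ssl",
     r"transport.profiles.\1.xpack.security.ssl.enabled", None),
    (r"transport\.profiles\.([^.]+)\.shield\.ciphers",
     r"transport.profiles.\1.xpack.security.ssl.cipher_suites", None),
    (r"transport\.profiles\.([^.]+)\.shield\.hostname_verification",
     r"transport.profiles.\1.xpack.security.ssl.verification_mode", "verify"),
    (r"transport\.profiles\.([^.]+)\.shield\.ssl\.client\.auth",
     r"transport.profiles.\1.xpack.security.ssl.client_authentication", "auth"),
    (r"shield\.authc\.realms\.([^.]+)\.hostname_verification",
     r"xpack.security.authc.realms.\1.ssl.verification_mode", "verify"),
    # Assumption: remaining shield.ssl.<name> keys become xpack.ssl.<name>.
    (r"shield\.ssl\.(.+)", r"xpack.ssl.\1", None),
]
VERIFY = {"true": "full", "false": "none"}  # value change noted in the table
AUTH_VALUES = {"required", "optional", "none"}

def migrate(settings):
    """Map a flat dict of Shield settings to X-Pack names; return (settings, warnings)."""
    out, warnings = {}, []
    for key, value in settings.items():
        text = str(value).lower()
        for pattern, template, kind in RULES:
            match = re.fullmatch(pattern, key)
            if match is None:
                continue
            new_key = match.expand(template)
            if kind == "verify":
                value = VERIFY.get(text, value)
                if value == "none":
                    warnings.append(f"{new_key}: hostname verification is disabled")
            elif kind == "auth" and text not in AUTH_VALUES:
                warnings.append(f"{new_key}: {value!r} not accepted; use required, optional or none")
            out[new_key] = value
            break
        else:  # no rule matched: keep the key, flag leftover Shield settings
            out[key] = value
            if "shield" in key:
                warnings.append(f"{key}: no mapping in the table, review manually")
    return out, warnings
```
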

clintongormley commented 7 years ago

thanks @jaymode

Closed by f5beadd4541bed49a07658d2cc2c64f4c87f4b67