Open Tim-Brooks opened 5 years ago
Pinging @elastic/es-security
Very useful enhancement. @tbrooks8, so apart from SSL, updating the xpack.security.enabled config also needs a full cluster restart? Do we have a plan to enhance this part?
Seems like #39532 has been closed; I understand this will not be done. Has this enhancement then been discarded as well?
It is very unlikely that we will continue with this approach, but we have not entirely abandoned the idea of rolling upgrades to security.
Pinging @elastic/es-security (Team:Security)
Support rolling upgrades to enable security
Currently it is impossible to upgrade a non-secured cluster to a secured cluster due to the need to enable TLS. We would like to enable a way for cluster nodes to speak both TLS and plaintext during a rolling restart.
Requirements
xpack.security.transport.ssl.dual_stack.enabled setting to allow TLS nodes to open and accept plaintext connections (#39532)
SSLEngine (#39532)
dual_stack enabled (#39532)
dual_stack enabled
dual_stack enabled
dual_stack enabled
dual_stack setting is updated to disabled. 39532 handles this for connections accepted by the netty transport.
Considerations
http connections?
dual_stack is accidentally left enabled?
dual_stack (requires propagating settings through nodes) and plaintext connections being closed? This should not be a common scenario because you should normally only be disabling this setting once all nodes have security enabled.
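One way a port could serve both TLS and plaintext peers during the rolling restart, and stop serving plaintext once dual_stack is disabled, is to classify each accepted connection by its first bytes. This is an added example, not code from #39532 or from Elasticsearch: the function names, the Verdict enum and the sample byte strings in the test are hypothetical, and it assumes plaintext transport frames begin with the marker bytes 'E', 'S'.

```python
from enum import Enum


class Verdict(Enum):
    NEED_MORE = "need_more"   # too few bytes to decide; keep buffering
    TLS = "tls"               # hand the connection to the TLS handler
    PLAINTEXT = "plaintext"   # unencrypted frame, tolerated only in dual-stack mode
    REJECT = "reject"         # close the connection


TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_PLAINTEXT_RECORD = 1 << 14  # largest fragment of an unencrypted TLS record
ES_MARKER = b"ES"          # assumed first two bytes of a plaintext transport frame


def looks_like_client_hello(buf):
    """Return True or False once decidable, None while more bytes are needed."""
    # Fail on the first mismatching byte instead of waiting for a full header.
    if buf[:1] and buf[0] != TLS_HANDSHAKE:
        return False
    if len(buf) >= 2 and buf[1] != 0x03:      # record version major is always 3
        return False
    if len(buf) < 6:                          # 5-byte record header + handshake type
        return None
    length = int.from_bytes(buf[3:5], "big")
    return (buf[2] <= 0x04
            and 0 < length <= MAX_PLAINTEXT_RECORD
            and buf[5] == TLS_CLIENT_HELLO)


def classify(buf, dual_stack_enabled):
    """Decide what to do with a new inbound connection from its first bytes."""
    if not buf:
        return Verdict.NEED_MORE
    hello = looks_like_client_hello(buf)
    if hello is None:
        return Verdict.NEED_MORE
    if hello:
        return Verdict.TLS
    # Not TLS: with dual-stack off there is nothing else to accept.
    if not dual_stack_enabled:
        return Verdict.REJECT
    if len(buf) < len(ES_MARKER) and ES_MARKER.startswith(buf):
        return Verdict.NEED_MORE
    return Verdict.PLAINTEXT if buf[:2] == ES_MARKER else Verdict.REJECT
```

Re-running the same check with dual_stack_enabled set to False shows the fail-closed behaviour wanted once every node has security enabled: anything that is not a TLS handshake is rejected on its first byte.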