elasticmachine
commented
5 years ago Pinging @elastic/es-security
Open Tim-Brooks opened 5 years ago
elasticmachine
commented
5 years ago Pinging @elastic/es-security
howardhuanghua
commented
5 years ago Very useful enhancement. @tbrooks8 , so except SSL, update xpack.security.enabled config also needs full cluster restart? Do we have plan to enhance this part?
jgimenez
commented
3 years ago Seems like #39532 has been closed, I understand this will not be done. Has then this enhancement been discarded as well?
tvernum
commented
3 years ago It is very unlikely that we will continue with this approach, but we have not entirely abandoned the idea of rolling upgrades to security.
elasticsearchmachine
commented
2 years ago Pinging @elastic/es-security (Team:Security)
Support rolling upgrades to enable security
Currently it is impossible to upgrade a non-secured cluster to a secured cluster due to the need to enable TLS. We would like to enable a way for cluster nodes to speak both TLS and plaintext during a rolling restart.
Requirements
xpack.security.transport.ssl.dual_stack.enabledsetting to allow TLS nodes to open and accept plaintext connections (#39532)SSLEngine(#39532)dual_stackenabled (#39532)dual_stackenableddual_stackenableddual_stackenableddual_stacksetting is updated to disabled39532 handles this for connections accepted by the netty transport.
Considerations
httpconnections?dual_stackis accidentally left enabled?dual_stack(requires propagating settings through nodes) and plaintext connections being closed? This should not be a common scenario because you should normally only be disabling this setting once all nodes have security enabled.