reta
commented
1 month ago It seems like it is supported already? See https://github.com/opensearch-project/security/issues/2414 please
Open spapadop opened 1 month ago
reta
commented
1 month ago It seems like it is supported already? See https://github.com/opensearch-project/security/issues/2414 please
spapadop
commented
1 month ago This question was raised during the relevant session on OpenSearchCon (presented by @DarshitChanpura and @derek-ho), who led me to raising this issue.
https://github.com/opensearch-project/security/issues/2414 and relevant issues discussions seem interesting, but still the feature is not supported. Going through these issues it seems like there was strong desire from the community to push this forward however it never truly got implemented.
cwperks
commented
1 month ago Its currently not possible to disable transport-level encryption. See comment here.
I would accept a PR that makes plugins.security.ssl.transport.enabled functional again. The main problem I see is that it would remove support for the nodes_dn list (See here or here) and there would be no security for what nodes can join a cluster.
cwperks
commented
4 weeks ago [Triage] This sounds like a good feature request that was not fully implemented in past PRs. Marking this as triaged.
Is your feature request related to a problem? We have deployed OpenSearch clusters behind a firewall. We do not need/want to have encryption on transport layer in order to prioritize performance. However, there is no
plugins.security.ssl.transport.enabledsetting, as you currently prefer to have it always enabled, I guess for security reasons. https://opensearch.org/docs/latest/security/configuration/index/#reconfigure-opensearchyml-to-use-your-certificatesWhat solution would you like? Make
plugins.security.ssl.transport.enabledconfigurable. Of course, it should be enabled by default, but still give us the option of disabling it.What alternatives have you considered? There are no alternatives.