elastic/elasticsearch

Do not allow setting xpack.security.user when running as a node

Open

#29751 opened on Feb 10, 2017

View on GitHub
 (4 comments) (0 reactions) (0 assignees)Java (76,700 stars) (25,882 forks)batch import
:Security/Security>enhancementTeam:Securityhelp wanted

Description

Original comment by @jaymode:

I think we've thought about this but never did anything about it because we used shield.user in the test framework. In master we no longer use shield.user for node clients and we should probably fail on startup if someone sets shield.user and isn't running as a transport client.

Contributor guide

Tech stack
java
Domain
securitybackend
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Understanding of Elasticsearch node lifecycleFamiliarity with x pack settingsJava
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
The issue requests preventing setting xpack.security.user when not running as a transport client. To implement, locate where node settings are validated during startup. Look in the x pack security plugin, likely in classes like Security or Bootstrap. Check for existing validation of cluster settings. Consider adding a check in the node initialization that throws an exception if the setting is set and the node type is not transport client. Refer to the comment history for context, though there are no linked PRs.