Standardize and add SSL settings #1118
Conversation
edmocosta
force-pushed
the
standardize_ssl_settings
branch
from
96eb956 to
03e6d71
Compare
docs/index.asciidoc
Outdated
| [id="plugins-{type}s-{plugin}-keystore"] | ||
| ===== `keystore` | ||
| deprecated[8.8.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_path>>] | ||
|
|
There was a problem hiding this comment.
I think should refer to the plugin's version (11.14.10). Given such big change, I would think to bump at 12.0.0.
This comment is valid for all the following deprecated[8.8.0, changes
There was a problem hiding this comment.
Yes, I initially thought about it as well but given it is backward compatible I ended up increasing only the minor 11.14.0. Do you think we should bump at 12.0.0? Even if it does not break/change any existing behavior?
There was a problem hiding this comment.
Backwards compatible changes do not require a major bump. This is additive, and all configurations that work under 11.13.x will continue to work without modification in 11.14.0.
| ssl_options[:client_key] = ssl_key | ||
| elsif !!ssl_certificate || !!ssl_key | ||
| raise(LogStash::ConfigurationError, 'You must set both "ssl_certificate" and "ssl_key" for client authentication') | ||
| end |
There was a problem hiding this comment.
Message is a bit unclear (you don't actually have to set either, because you can use a keystore), and catches two distinct cases:
- using
ssl_certificaterequiresssl_keyAND - using
ssl_keyrequiresssl_certificate
I prefer declaring it in a way that centers the single config that "activates" the feature, in this case ssl_certificate:
- using
ssl_certificaterequires anssl_key - an
ssl_certificateis required when using anssl_key
docs/index.asciidoc
Outdated
| | <<plugins-{type}s-{plugin}-sniffing_path>> |<<string,string>>|No | ||
| | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No | ||
| | <<plugins-{type}s-{plugin}-ssl_certificate_verification>> |<<boolean,boolean>>|No | ||
| | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__ |
There was a problem hiding this comment.
I would prefer not to leave the deprecated settings in this table, and perhaps to have a separate section with them and their detailed blocks, so that we can reduce the noise new users of the plugin encounter while still ensuring that the deprecated options are still discoverable to those who are looking for documentation for options currently in their pipeline configs.
edmocosta
force-pushed
the
standardize_ssl_settings
branch
from
82ed184 to
185cbe3
Compare
| @@ -1,3 +1,19 @@ | |||
| ## 11.14.0 | |||
| - Added SSL settings for: [#1115](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1115) | |||
| - `ssl_truststore_type`: The format of the truststore file | |||
There was a problem hiding this comment.
Is this PR in the changelog correct? Shouldn't it be a link to this PR (#1118)?
There was a problem hiding this comment.
Yes, you're right, it should be #1118. I'll submit a fix! Thanks for the heads up!
There was a problem hiding this comment.
Thanks, @edmo. Remember that the link will be wrong for any release notes that include 11.14.0, and will require a manual fix. :-)
| Elasticsearch documentation. | ||
|
|
||
| [id="plugins-{type}s-{plugin}-deprecated-options"] | ||
| ==== Elasticsearch Output Deprecated Configuration Options |
There was a problem hiding this comment.
Deviation from the way we typically handle deprecations in plugins. (See https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html#plugins-inputs-beats-options.)
Standards can change over time, but the change needs to be deliberate and communicated clearly.
There was a problem hiding this comment.
Nevermind. I see where this came from: #1118 (comment).
This is definitely better for new users, but isn't very nice to our existing users who are scanning an alphabetical list or descriptions for a specific setting in their config.
|
Hello, I might not post in the correct issue but we saw a deprecation on the setting This value Could this be implemented in a future update? Shoud we open a separated issue for this? Thank you. Regards, |
|
Hi @whyyouwannaknow! Thank you for reaching out! Unfortunately, the underline HTTP library this plugin uses does not fully support the We're working on standardising the SSL/TLS configs and features across plugins (elastic/logstash#14905), and that project's second phase also includes adding support to the Thank you! |
What this PR does?
Added the following SSL settings:
ssl_truststore_type: The format of the truststore filessl_keystore_type: The format of the keystore filessl_certificate: OpenSSL-style X.509 certificate file to authenticate the clientssl_key: OpenSSL-style RSA private key that corresponds to thessl_certificatessl_cipher_suites: The list of cipher suitesReviewed and deprecated the following SSL settings to comply with Logstash's naming convention:
sslin favor ofssl_enabledcacertin favor ofssl_certificate_authoritieskeystorein favor ofssl_keystore_pathkeystore_passwordin favor ofssl_keystore_passwordtruststorein favor ofssl_truststore_pathtruststore_passwordin favor ofssl_truststore_passwordssl_certificate_verificationin favor ofssl_verification_modeThe behavior standardization across plugins, such as the accepted certificate formats, default values, etc will be tackled in future PRs.
Closes elastic/logstash#14924
Closes #404
Closes #672
Closes #676