Description
In #6022 we added salt generation to the demo security configuration and introduced Salt.validateSaltSettings() which throws an OpenSearchException if the default compliance salt is used outside of demo/test environments. However, this validation is currently commented out to avoid breaking existing deployments:
// TODO: Uncomment for 4.0 - enforce that the default compliance salt is not used outside of demo configuration
// Salt.validateSaltSettings(settings);
In OpenSearch 4.0, we should uncomment this line in OpenSearchSecurityPlugin.java to enforce that cluster administrators configure a custom salt for field masking unless plugins.security.allow_unsafe_democertificates is set to true. Perhaps it would also make sense to rename that setting to allow_demo_configuration?
Tasks
Description
In #6022 we added salt generation to the demo security configuration and introduced
Salt.validateSaltSettings()which throws anOpenSearchExceptionif the default compliance salt is used outside of demo/test environments. However, this validation is currently commented out to avoid breaking existing deployments:In OpenSearch 4.0, we should uncomment this line in
OpenSearchSecurityPlugin.javato enforce that cluster administrators configure a custom salt for field masking unlessplugins.security.allow_unsafe_democertificatesis set to true. Perhaps it would also make sense to rename that setting toallow_demo_configuration?Tasks
Salt.validateSaltSettings(settings)inOpenSearchSecurityPlugin.javaplugins.security.compliance.saltbefore upgrading to 4.0