[Feature] Add the possibility of disabling encryption on Transport layer #4759

Open
spapadop opened this issue Sep 30, 2024 · 4 comments
Labels: enhancement, triaged

Comments

@spapadop

Is your feature request related to a problem?
We have deployed OpenSearch clusters behind a firewall. We do not need/want to have encryption on the transport layer, in order to prioritize performance. However, there is no plugins.security.ssl.transport.enabled setting, as you currently prefer to have it always enabled, I guess for security reasons.
https://opensearch.org/docs/latest/security/configuration/index/#reconfigure-opensearchyml-to-use-your-certificates

What solution would you like?
Make plugins.security.ssl.transport.enabled configurable. Of course, it should be enabled by default, but still give us the option of disabling it.

What alternatives have you considered?
There are no alternatives.

spapadop added the enhancement and untriaged labels Sep 30, 2024
@reta
Collaborator

reta commented Sep 30, 2024

It seems like it is supported already? See #2414 please

@spapadop
Author

This question was raised during the relevant session at OpenSearchCon (presented by @DarshitChanpura and @derek-ho), who led me to raise this issue.

#2414 and the relevant issue discussions seem interesting, but the feature is still not supported. Going through these issues, it seems like there was a strong desire from the community to push this forward; however, it never truly got implemented.

@cwperks
Member

cwperks commented Oct 3, 2024

It's currently not possible to disable transport-level encryption. See comment here.

I would accept a PR that makes plugins.security.ssl.transport.enabled functional again. The main problem I see is that it would remove support for the nodes_dn list (See here or here) and there would be no security for what nodes can join a cluster.
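The dependency described in the comment above, as an added example that is not part of the thread and not the security plugin's code: a simplified model of an allow-list check in the style of `plugins.security.nodes_dn`, which can only run against a subject DN that the transport TLS handshake has verified. The function names, the sample DNs and the `unverifiable` outcome are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample allow-list, written in the style of plugins.security.nodes_dn.
NODES_DN = ["CN=node-*.example.internal,OU=search,O=Example"]


def normalize_dn(dn):
    """Simplified DN normalisation: trim each RDN and upper-case the attribute type.

    Assumption: no escaped commas and no multi-valued RDNs in the input.
    """
    parts = []
    for rdn in re.split(r"\s*,\s*", dn.strip()):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def join_decision(peer_cert_dn, nodes_dn=NODES_DN):
    """Decide whether a peer may join, given the subject DN of the certificate
    verified during the transport TLS handshake (None for a plaintext peer)."""
    if peer_cert_dn is None:
        # Plaintext transport: the peer never proved an identity, so there is
        # nothing to compare against the allow-list.
        return "unverifiable"
    subject = normalize_dn(peer_cert_dn)
    for pattern in nodes_dn:
        # '*' is treated as a shell-style wildcard; the model keeps matching
        # deliberately simple and case-sensitive on attribute values.
        if fnmatchcase(subject, normalize_dn(pattern)):
            return "admit"
    return "reject"


if __name__ == "__main__":
    # Constructed peers: a cluster node, a host outside the list, a plaintext peer.
    for peer in ("CN=node-1.example.internal, OU=search, O=Example",
                 "cn=laptop.example.internal,ou=search,o=Example",
                 None):
        print(peer, "->", join_decision(peer))
```

With transport TLS off, every peer falls into the third case, so a cluster in that mode would need some other control, such as network segmentation, to restrict which hosts can reach the transport port.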

cwperks added the triaged label and removed the untriaged label Oct 7, 2024
@cwperks
Member

cwperks commented Oct 7, 2024

[Triage] This sounds like a good feature request that was not fully implemented in past PRs. Marking this as triaged.
