Block updates to log level for org.apache.http if less specific than INFO

[mosche]

The apache http client supports logging detailed information about requests, including authorization information, if logging
at DEBUG, TRACE, ... . This PR prevents setting the log level to anything less specific than INFO for a number of restricted loggers (currently org.apache.http only).

There's a couple of ways to do so:

• Setting the level directly, e.g. for org.apache.http or org.apache.http.client: This might trigger a validation error when attempting to update the setting.
• Setting the level indirectly through an ancestor, e.g. org.apache or simply the root logger. If necessary the restriction will be enforced by explicitly setting restricted loggers to INFO level.
• And finally, if setting the default level to anything less specific than INFO. This case is similar to above.

[elasticsearchmachine]

Pinging @elastic/es-core-infra (Team:Core/Infra)

[ldematte]

Looks good, but it seems you need to adjust some tests/assertions/mocks (e.g. OpenIdConnectAuthenticatorTests)

[rjernst]

This looks pretty good. I left a few nits.

[DaveCTurner]

See this comment: if org.elasticsearch.transport.NetworkTraceFlag#TRACE_ENABLED is set (i.e. -Des.insecure_network_trace_enabled=true) then we should still permit this level of detailed logging.

Also this definitely needs to be mentioned in the docs, it's going to cause surprises otherwise.

Also should we block the AWS SDK request logging mentioned here (unless -Des.insecure_network_trace_enabled=true)?

elasticsearch/docs/reference/snapshot-restore/repository-s3.asciidoc

Lines 565 to 567 in 552d2f5

	from the logs emitted by the storage system, configure {es} to log every
	request it makes to the S3 API by <<configuring-logging-levels,setting the
	logging level>> of the `com.amazonaws.request` logger to `DEBUG`:

Also we link to some AWS docs that specifically say to enable wire tracing here, so should also mention that this requires -Des.insecure_network_trace_enabled=true:

elasticsearch/docs/reference/snapshot-restore/repository-s3.asciidoc

Lines 583 to 586 in 552d2f5

	problem. See the
	https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-logging.html[AWS Java SDK]
	documentation for further information, including details about other loggers
	that can be used to obtain even more verbose logs. When you have finished

[mosche]

Also this definitely needs to be mentioned in the docs, it's going to cause surprises otherwise.

@DaveCTurner WDYT, are the changes to the docs sufficient or would you like me to be more specific. Can you think of any other place where this should be mentioned?

[DaveCTurner]

Docs changes look good; however I think we can't simply start rejecting previously-valid settings for bwc reasons.

[DaveCTurner]

I think it's ok to reject attempts to configure these loggers via the API, or to start a node with an invalid (static) config, and also to ignore any invalid (dynamic) config, we just can't reject the config as invalid if it's already there in the cluster state.

[rjernst]

we just can't reject the config as invalid if it's already there in the cluster state.

We could ignore the cluster state in this case, converting the typical error to a warning log message?

[mosche]

we just can't reject the config as invalid if it's already there in the cluster state.

We could ignore the cluster state in this case, converting the typical error to a warning log message?

Just verifying I understood this right, so in case the cluster state already contains a persistent setting violating some logger restrictions (e.g. org.apache.http at DEBUG) we log a warning that the logger configuration is ignored.
If, however, a user wants to set org.apache.http to DEBUG using the cluster settings API or start a node with that setting, it fails.

Any recommendations how to best approach this? It looks like that requires a Settings update consumer that is aware of the current cluster metadata, so make that a ClusterStateListener and hook it up in NodeConstruction? Or is there a simpler, less intrusive way to achieve this?

[mark-vieira]

I'm not a huge fan of introducing another test task here. What exaclty does the es.insecure_network_trace_enabled system property do?

[mosche]

@mark-vieira I'm absolutely on the same page with you, I just don't see much of an alternative. Also, I admit, having test depend on testNetworkTraceNotEnabled is broken. If you run :server:test --tests XYZ the dependency would still run ...

es.insecure_network_trace_enabled sets this flag, which gates the behavior added in this PR. Goal of the PR is to prevent setting dangerous loggers that might leak sensitive information. However, in order to investigate test failures, we are enabling this flag for most tests including :server:test

public class NetworkTraceFlag {

    private NetworkTraceFlag() {
        // no instances;
    }

    public static final String PROPERTY_NAME = "es.insecure_network_trace_enabled";

    public static final boolean TRACE_ENABLED;

    static {
        final var propertyValue = System.getProperty(PROPERTY_NAME);
        if (propertyValue == null) {
            TRACE_ENABLED = false;
        } else if ("true".equals(propertyValue)) {
            TRACE_ENABLED = true;
        } else {
            throw new IllegalArgumentException(
                Strings.format("system property [%s] may only be set to [true], but was [%s]", PROPERTY_NAME, propertyValue)
            );
        }
    }
}

[mark-vieira]

Hmm, is there anyway we can finagle this in a way that would allow updating this property inside specific tests? Initializing statics makes this tricky but perhaps some way to "reinitialize" this flag dynamically?

We definitely don't want test tasks depending on other test tasks. At worst we'd have check depend on this additional task.

[mosche]

Hmm, is there anyway we can finagle this in a way that would allow updating this property inside specific tests? Initializing statics makes this tricky but perhaps some way to "reinitialize" this flag dynamically?

IMHO that would pretty much defeat the purpose of that flag.

An alternative to a separate test task (using a different configuration) might be to extend the test runner to support forking tests into a new JVM. Though, while convenient, something like would probably be quickly adopted all around with a terrible impact on test run performance :/

[DaveCTurner]

I wonder if we're overthinking this. AIUI we are trying to run the entire test suite twice, to ensure coverage of both states of this flag. That seems unnecessary to me, I think we only really need to run a few specific tests with tracing on (or off) and the rest of the test suite needn't care either way. We could make a dedicated suite in /qa for the otherwise-untested state. Or we could randomize it in :server:test and have two dedicated suites in /qa just for the tests that need it switched on or off.

[DaveCTurner]

Note that we have some other :qa suites that are similarly tightly-focussed, e.g. :qa:unconfigured-node-name and :qa:custom-rest-controller.

[mosche]

AIUI we are trying to run the entire test suite twice, to ensure coverage of both states of this flag. That seems unnecessary to me, I think we only really need to run a few specific tests with tracing on (or off) and the rest of the test suite needn't care either way.

Only the three test cases below are included when running testNetworkTraceNotEnabled. And none of these will run during test as their assumption fails. Though, we're obviously still scanning the entire test classpath twice to find test cases...

  filter {
    // following test require es.insecure_network_trace_enabled to NOT be enabled
    includeTestsMatching "org.elasticsearch.common.logging.LoggersTests.testCheckRestrictedLoggers"
    includeTestsMatching "org.elasticsearch.common.logging.LoggersTests.testSetLevelWithRestrictions"
    includeTestsMatching "org.elasticsearch.action.admin.cluster.settings.ClusterUpdateSettingsRequestTests.testValidateLoggers"
  }

But I like the idea of adding a focused :qa suite. Thanks for the pointer @DaveCTurner , I'll have a look at that.

[mark-vieira]

+1 to having an explicit QA project for this.

[mosche]

@rjernst I think this is a good compromise: In 7f57feb I've moved the tests to :qa:restricted-loggers. But I am also keeping similar tests in :server that are using an internal API allowing to explicitly pass restricted loggers. This should address your concern to keep tests close by the code. And at the same time we don't have to compromise on the static / final initialization of TRACE_ENABLED / RESTRICTED_LOGGERS.

[mosche]

@elasticmachine update branch

[mosche]

@DaveCTurner any more feedback from your side?

[DaveCTurner]

Nothing to add, no. Thanks for the ping, sorry I didn't realise I was still blocking this.

[mosche]

@elasticmachine update branch

[rjernst]

LGTM. I left one very minor nit, just thinking ahead to when we can isolate logging config, I want to keep internals as private as possible to aid in that future work.

[rjernst]

This test could be in o.e.c.logging, then Loggers.RESTRICTED_LOGGERS could be package private?

[mosche]

👍