
[FEATURE] Allow to disable SSL/TLS communication #2414

Closed
reta opened this issue Jan 23, 2023 · 6 comments
Labels: enhancement (New feature or request), triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable.)

Comments

@reta
Collaborator

reta commented Jan 23, 2023

Is your feature request related to a problem?
The security plugin comes with SSL/TLS communication out of the box. This certainly should be the default, but in certain environments which use other means of secure communication (for example, IPSec), it would be great to offer the option to disable SSL/TLS.

What solution would you like?
Offer the option to disable SSL/TLS.

What alternatives have you considered?
N/A

Do you have any additional context?
It might not be easy to do but preliminary discussion hinted it is feasible, in general.

@reta reta added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 23, 2023
@cwperks
Member

cwperks commented Jan 23, 2023

[Triage] @peternied Could you please provide some context around the limitations of the securityadmin tool relying on TLS/SSL?

@cwperks cwperks added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 23, 2023
@reta
Collaborator Author

reta commented Jan 23, 2023

Could be unblocked by #2411

@peternied
Member

There is a functional concern that the security plugin depends on the admin certificate to authenticate a super admin user; without support for this, there are many scenarios that are not possible. If the certificate was removed as a requirement for these APIs, then this could be opened up.


@JaneJeon

+1 for sure. To basically echo the sentiments of the original thread, #37, if you're already running all nodes and connections within a VPC, the SSL is redundant.

@peternied
Member

@reta With #2411 [1] merged, I think a large part of this issue is resolved - I am closing. If there are other features that are not accessible, could you file issues on them or reopen with more details?

@cwperks
Member

cwperks commented Aug 9, 2023

@peternied From what I understand, the original intent of this request is to disable Transport-level TLS (instead of REST-level TLS, which the security plugin already supports disabling).

At one point it looks like this feature may have been under development (See #37 (comment)), but I'm not sure of the status of that.

The major concern pointed out here is that disabling Transport TLS has consequences for the logic around nodes joining the cluster securely. A major feature of the security plugin is either the static nodes_dn setting in opensearch.yml or the dynamic nodes_dn.yml file which is part of the security index. In order for a node to join the cluster securely it must present a certificate that matches a known node_dn.

There is a concept of "Dual Mode" which may help:

Dual mode feature will allow each node to communicate either in TLS or in plain-text based on the other node's response. (so moving from TLS disable to enable will become simple without any down time. )

PR where it was introduced: #712
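As an added illustration of the nodes_dn check described in the comment above (example code written for this thread, not the security plugin's own implementation; the DN values, the wildcard pattern and the helper names are constructed, and the wildcard form is an assumption modelled on the plugin's documented wildcard support), this shows why the allowlist has nothing to verify once the transport carries no certificate:

```python
import fnmatch
from typing import Iterable, Optional

# Constructed stand-in for the nodes_dn allowlist an operator would keep in
# opensearch.yml (plugins.security.nodes_dn) or in the nodes_dn.yml of the
# security index. Assumption: wildcard entries like "CN=node-*" are permitted.
NODES_DN = [
    "CN=node-1.cluster.local,OU=Ops,O=Example,L=Town,ST=State,C=US",
    "CN=node-*.cluster.local,OU=Ops,O=Example,L=Town,ST=State,C=US",
]


def normalize_dn(dn: str) -> str:
    """Canonicalise a subject DN: trim whitespace around each RDN and
    lower-case the attribute types so 'cn = x' and 'CN=x' compare equal."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def node_may_join(presented_dn: Optional[str], allowed: Iterable[str]) -> bool:
    """Decide whether a peer may join as a cluster node.

    presented_dn is the subject DN from the peer's transport-layer client
    certificate, or None when the transport is plain-text (no TLS handshake,
    hence no certificate). With no certificate there is nothing to match
    against nodes_dn, so the check fails closed: this is the concern the
    thread raises about disabling transport TLS.
    """
    if presented_dn is None:
        return False
    subject = normalize_dn(presented_dn)
    return any(fnmatch.fnmatchcase(subject, normalize_dn(p)) for p in allowed)
```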
