[BUG] plugins.security.ssl.transport.enforce_hostname_verification marked as deprecated without documentation
What is the bug? Starting OpenSearch (2.17.1) prints the following message:
"[plugins.security.ssl.transport.enforce_hostname_verification] setting was deprecated in OpenSearch and will be removed in a future release! See the breaking changes documentation for the next major version."
I found questions about this issue on the forum and it seems it was not resolved (both of them are 2.14.0): https://forum.opensearch.org/t/query-regarding-warning-message-in-os-version-2-14/20194 https://forum.opensearch.org/t/deprecation-of-some-security-configuration-settings/20324
This change is mentioned neither in the configuring security documentation nor in the breaking changes.
How can one reproduce the bug? Start OpenSearch
What is the expected behavior? A replacement for this setting is documented and described, or the deprecation message is removed.
What is your host/environment?
- Version: 2.17.1
[Triage] Thank you for filing this issue @patrykmatys. Since this setting was marked as deprecated it can be removed on the main branch to prevent this from being logged in 3.0.0.
@cwperks does it mean that this particular setting is already deprecated and there is no replacement for it?
@patrykmatys From https://github.com/opensearch-project/security/pull/4119/files I believe that
# deprecated
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
Now it's:
# new
transport.ssl.enforce_hostname_verification: false
transport.ssl.resolve_hostname: false
But indeed it would be nice to add it either as a clearer log message or in the docs, because these settings are not updated yet: https://opensearch.org/docs/latest/install-and-configure/configuring-opensearch/network-settings/ and there is not a single mention in https://opensearch.org/docs/latest/security/configuration/tls/#advanced-hostname-verification-and-dns-lookup that the settings are deprecated :(
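A small audit of an `opensearch.yml` fragment for the rename described in the comment above, added here as an example; it is not part of the thread or of the OpenSearch project's code. The old-to-new key mapping is taken from that comment and is not confirmed by the documentation; `parse_flat`, `audit` and the sample config are constructed for illustration, and only flat `key: value` lines are handled.

```python
import re

# Old -> new key names as given in the comment above; this mapping comes from
# the thread and is an assumption, not something the official docs confirm.
RENAMES = {
    "plugins.security.ssl.transport.enforce_hostname_verification":
        "transport.ssl.enforce_hostname_verification",
    "plugins.security.ssl.transport.resolve_hostname":
        "transport.ssl.resolve_hostname",
}
# Flat "dotted.key: value" line with an optional trailing comment.
LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*(?:#.*)?$")

def parse_flat(text):
    """Collect flat dotted settings; nested YAML blocks are not handled."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and m.group(2):
            settings[m.group(1)] = m.group(2).strip("'\"").lower()
    return settings

def audit(text):
    """Return (kind, key, detail) findings for a config fragment."""
    settings = parse_flat(text)
    findings = []
    for old, new in RENAMES.items():
        if old not in settings:
            continue
        if new in settings and settings[new] != settings[old]:
            findings.append(("conflict", old, new))  # both set, values differ
        else:
            findings.append(("rename", old, new))    # legacy key still in use
    # Under either name, "false" turns off transport hostname verification.
    for key in list(RENAMES.items())[0]:
        if settings.get(key) == "false":
            findings.append(("weak", key, "hostname verification disabled"))
    return findings

# Constructed sample fragment, not taken from the issue.
SAMPLE = """\
# constructed sample opensearch.yml fragment
cluster.name: demo
plugins.security.ssl.transport.enforce_hostname_verification: false  # legacy
plugins.security.ssl.transport.resolve_hostname: false
transport.ssl.resolve_hostname: true
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The `conflict` finding matters most during a migration: when both names are present with different values, which one the node honours is not stated anywhere on this page, so the file should be reduced to a single key.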