Deprecation of some security configuration settings

Versions - OS and OS Dashboards 2.14.0

Describe the issue:
Running a command in DEV Tools, GET _cluster/settings?include_defaults=true
See an output:
Deprecation: [plugins.security.ssl.transport.enforce_hostname_verification]
Deprecation: [node.max_local_storage_nodes]
Deprecation: [node.data]
Deprecation: [node.master]
Deprecation: [cluster.initial_master_nodes]
Deprecation: [reindex.remote.whitelist]

Configuration:
opensearch_version: "2.14.0"
opensearch_config:
  network.host: "{{ ansible_default_ipv4.address }}"
  cluster.name: "elk"
  cluster.initial_master_nodes:
    - my_node
  discovery.seed_hosts:
    - my_node
  cluster.routing.allocation.disk.threshold_enabled: true
  cluster.routing.allocation.disk.watermark.low: "87%"
  cluster.routing.allocation.disk.watermark.high: "90%"
  cluster.routing.allocation.disk.watermark.flood_stage: "95%"
  cluster.routing.allocation.allow_rebalance: "always"
  cluster.info.update.interval: "1m"
  cluster.routing.allocation.node_concurrent_recoveries: 30
  cluster.routing.allocation.node_initial_primaries_recoveries: 20
  cluster.max_shards_per_node: "1250"
  indices.recovery.max_concurrent_file_chunks: 3
  indices.recovery.max_bytes_per_sec: "125mb"
  node.data: true
  node.master: true
  bootstrap.memory_lock: true
  plugins.security.audit.type: internal_opensearch
  plugins.security.audit.config.disabled_rest_categories: NONE
  plugins.security.audit.config.disabled_transport_categories: NONE
  plugins.security.audit.config.resolve_bulk_requests: true
  plugins.security.ssl.transport.enabled_protocols:
    - "TLSv1.2"
  plugins.security.ssl.transport.pemcert_filepath: ssl/certs/
  plugins.security.ssl.transport.pemkey_filepath: ssl/private
  plugins.security.ssl.transport.pemtrustedcas_filepath: ssl/certs/
  plugins.security.ssl.transport.enforce_hostname_verification: false
  plugins.security.ssl.http.enabled: true
  plugins.security.ssl.http.enabled_protocols:
    - "TLSv1.2"
  plugins.security.ssl.http.pemcert_filepath: ssl/certs/
  plugins.security.ssl.http.pemkey_filepath: ssl/private/
  plugins.security.ssl.http.pemtrustedcas_filepath: ssl/certs/
  plugins.security.allow_unsafe_democertificates: true
  plugins.security.allow_default_init_securityindex: true
  plugins.security.nodes_dn:
    - "my_security"
  plugins.security.authcz.admin_dn:
    - "my_security"
  plugins.security.enable_snapshot_restore_privilege: true
  plugins.security.check_snapshot_restore_write_privileges: true
  plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
  plugins.security.cache.ttl_minutes: 60
  node.max_local_storage_nodes: 1
  reindex.remote.whitelist: "ip:9200"
  path.repo: ["/etc/backup/"]
opensearch_heap_size: "40g"

Additional Info:
I found out that the following settings can be renamed to
cluster.initial_master_nodes → cluster.initial_cluster_manager_nodes
reindex.remote.whitelist → reindex.remote.allowlist

But what about the others?
Also, according to this documentation (Security settings - OpenSearch Documentation), the setting plugins.security.ssl.transport.enforce_hostname_verification is still up to date.

Hi @StanisLav,

When/if upgrading your cluster make sure to check: Breaking changes - OpenSearch Documentation

I would expect all the breaking changes to be documented there before they are effective.

Best,
mj

Hey,
I’ve already checked this documentation and this documentation only explains the following parameters:
cluster.initial_master_nodes → cluster.initial_cluster_manager_nodes
reindex.remote.whitelist → reindex.remote.allowlist

but it doesn’t explain what the new parameters are for the:
plugins.security.ssl.transport.enforce_hostname_verification
node.max_local_storage_nodes
node.data
node.master (could be something like node.cluster_manager)

instead of

node.data: true
node.master: true

you should be using

node.roles: [ "cluster_manager", "data", "ingest"]

Regarding node.max_local_storage_nodes, I believe this setting is just going away. But you are using a value of 1, which I think is the default already, so just drop that line.


Thank you for the provided information.
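
The changes suggested in this thread, applied mechanically to a flat opensearch.yml-style file, as an added example that is not from any post above or from OpenSearch's own tooling. The function name migrate, the sample text, and the rule that an unset legacy role boolean counts as true are assumptions; the hostname verification setting is only flagged, because the thread names no replacement for it.

```python
import re
# Renames reported in the thread.
RENAMES = {
    "cluster.initial_master_nodes": "cluster.initial_cluster_manager_nodes",
    "reindex.remote.whitelist": "reindex.remote.allowlist",
}
# Legacy role booleans -> node.roles entries. Assumption: an unset boolean
# counts as true, which is why the reply's list includes "ingest".
LEGACY_ROLES = {"node.master": "cluster_manager", "node.data": "data",
                "node.ingest": "ingest"}
DROP_IF_ONE = "node.max_local_storage_nodes"
UNRESOLVED = "plugins.security.ssl.transport.enforce_hostname_verification"
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w.]*):(.*)$")

def migrate(text):
    """Rewrite a flat dotted-key config; return (new_lines, notes)."""
    out, notes, flags, slot = [], [], {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        indent, key, rest = m.groups() if m else ("", None, "")
        value = rest.strip().strip("\"'").lower()
        if key in RENAMES:
            out.append(f"{indent}{RENAMES[key]}:{rest}")
            notes.append(f"renamed {key} -> {RENAMES[key]}")
        elif key in LEGACY_ROLES:
            flags[key] = value != "false"
            if slot is None:  # node.roles takes the place of the first flag
                slot = (len(out), indent)
                out.append(line)
        elif key == DROP_IF_ONE and value == "1":
            notes.append(f"dropped {key} (value 1)")
        else:  # list items, other keys and unresolved settings pass through
            if key == UNRESOLVED:
                notes.append(f"unresolved {key}: no replacement named in thread")
            out.append(line)
    if slot is not None:
        roles = [r for k, r in LEGACY_ROLES.items() if flags.get(k, True)]
        out[slot[0]] = f"{slot[1]}node.roles: [{', '.join(roles)}]"
    return out, notes

# Constructed sample, reusing settings from the configuration posted above.
SAMPLE = """cluster.initial_master_nodes: [my_node]
node.data: true
node.master: true
plugins.security.ssl.transport.enforce_hostname_verification: false
node.max_local_storage_nodes: 1
reindex.remote.whitelist: "ip:9200"
"""
if __name__ == "__main__":
    print(*sum(migrate(SAMPLE), []), sep="\n")
```

A node.max_local_storage_nodes value other than 1 is left in place, since the reply only covers the case where the line matches the default.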