Enable limited OpenSSL support (#422)

(cherry picked from commit 663053a)

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/DefaultOpenDistroSecurityKeyStore.java

@@ -52,12 +52,12 @@
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
 
+import io.netty.util.internal.PlatformDependent;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchSecurityException;
-import org.apache.lucene.util.Constants;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
@@ -126,14 +126,11 @@ public DefaultOpenDistroSecurityKeyStore(final Settings settings, final Path con
                 .getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true);
 
         if(!OpenDistroSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && (settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true) || settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true) )) {
-            String text = "Support for OpenSSL has been removed from Open Distro Security since Elasticsearch 7.4.0. Use JDK SSL instead\n";
-            if(Constants.JRE_IS_MINIMUM_JAVA11) {
-                text += "Since you are running Java "+Constants.JAVA_VERSION+" you should not experience any performance impact but maybe not all your ciphers are supported. If you experience problems upgrade to Java 11+";
+            if (PlatformDependent.javaVersion() < 12) {
+                log.warn("Support for OpenSSL with Java 11 or prior versions require using Netty allocator. Set 'es.unsafe.use_netty_default_allocator' system property to true");
             } else {
-                text += "You are running a very old version of Java ("+Constants.JAVA_VERSION+") so you may experience a performance impact and it is strongly advised to update to Java 11+";
+                log.warn("Support for OpenSSL with Java 12+ has been removed from Open Distro Security since Elasticsearch 7.4.0. Using JDK SSL instead.");
             }
-            System.out.println(text);
-            log.warn(text);
         }
 
         boolean openSSLInfoLogged = false;

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLPlugin.java

@@ -42,6 +42,7 @@
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.cluster.node.DiscoveryNodes;
 import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.common.Booleans;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.network.NetworkService;
@@ -82,8 +83,8 @@
 //For ES5 this class has only effect when SSL only plugin is installed
 public class OpenDistroSecuritySSLPlugin extends Plugin implements ActionPlugin, NetworkPlugin {
 
-    // Not supporting OPENSSL for ES7.4+
-    public static final boolean OPENSSL_SUPPORTED = false;
+    private static boolean USE_NETTY_DEFAULT_ALLOCATOR = Booleans.parseBoolean(System.getProperty("es.unsafe.use_netty_default_allocator"), false);
+    public static final boolean OPENSSL_SUPPORTED = (PlatformDependent.javaVersion() < 12) && USE_NETTY_DEFAULT_ALLOCATOR;
     protected final Logger log = LogManager.getLogger(this.getClass());
     protected static final String CLIENT_TYPE = "client.type";
     protected final boolean client;

src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenSSLTest.java

@@ -30,9 +30,11 @@
 import org.elasticsearch.node.Node;
 import org.elasticsearch.node.PluginAwareNode;
 import org.elasticsearch.transport.Netty4Plugin;
+import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.Assume;
 import org.junit.Before;
+import org.junit.BeforeClass;
 import org.junit.Test;
 
 import com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin;
@@ -44,6 +46,23 @@
 import io.netty.handler.ssl.OpenSsl;
 
 public class OpenSSLTest extends SSLTest {
+    private static final String USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY = "es.unsafe.use_netty_default_allocator";
+    private static String USE_NETTY_DEFAULT_ALLOCATOR;
+
+    @BeforeClass
+    public static void enableNettyDefaultAllocator() {
+        USE_NETTY_DEFAULT_ALLOCATOR = System.getProperty(USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY);
+        System.setProperty(USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY, "true");
+    }
+
+    @AfterClass
+    public static void restoreNettyDefaultAllocator() {
+        if (USE_NETTY_DEFAULT_ALLOCATOR != null) {
+            System.setProperty(USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY, USE_NETTY_DEFAULT_ALLOCATOR);
+        } else {
+            System.clearProperty(USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY);
+        }
+    }
 
     @Before
     public void setup() {