Enable limited OpenSSL support

[vrozov]

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[codecov]

Codecov Report

Merging #422 into master will decrease coverage by 0.23%.
The diff coverage is 40.00%.

@@             Coverage Diff              @@
##             master     #422      +/-   ##
============================================
- Coverage     62.34%   62.11%   -0.24%     
+ Complexity     2874     2872       -2     
============================================
  Files           223      223              
  Lines         15992    16032      +40     
  Branches       2994     3008      +14     
============================================
- Hits           9971     9959      -12     
- Misses         4461     4503      +42     
- Partials       1560     1570      +10     

Impacted Files	Coverage Δ	Complexity Δ
...ecurity/ssl/DefaultOpenDistroSecurityKeyStore.java	65.89% <33.33%> (-7.59%)	68.00 <0.00> (ø)
...arch/security/ssl/OpenDistroSecuritySSLPlugin.java	81.81% <50.00%> (-0.42%)	24.00 <1.00> (ø)
...transport/OpenDistroSecuritySSLRequestHandler.java	50.00% <0.00%> (-6.42%)	7.00% <0.00%> (-1.00%)
...search/security/tools/OpenDistroSecurityAdmin.java	47.14% <0.00%> (-0.40%)	73.00% <0.00%> (-1.00%)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a989b28...8519585. Read the comment docs.

[debjanibnrj]

What does the es.unsafe.use_netty_default_allocator property do and why is it necessary for supporting node to node communication with OpenSSL?

[vrozov]

The es.unsafe.use_netty_default_allocator System property is used by NettyAllocator to determine which ByteBufAllocator to use. With this property set to true, ES will use native Netty allocator, otherwise, it will use its own NettyAllocator.NoDirectBuffers allocator that does not support direct buffers. As openssl is supported through netty and uses tcnative that needs direct buffers, it is necessary to configure ES to use Netty allocator if openssl is required/preferred.

[debjanibnrj]

Please elaborate on how you tested these changes.

[vrozov]

Tested using OpenSSLTest. Please let me know if this is not sufficient.

[debjanibnrj]

Tested using OpenSSLTest. Please let me know if this is not sufficient.

Would be useful to manually test out the changes as well. This can be done by spinning up cluster of nodes with elasticsearch oss (in this case for es 7.6) with the security plugin built with these changes. As far as I remember before we removed support for OpenSSL, the tests were still passing but inter-cluster communication between nodes was failing for Java version <12.

[vrozov]

There is a difference in the test environment introduced in #339 that explains why tests were passing while inter-cluster communication was failing for Java 11 or prior versions. In the past, tests were running on the docker image without openssl installed and tests that exercise openssl functionality were disabled on OpenSsl.isAvailable() condition. Those tests are now enabled and they won't pass without changes in this PR.

[debjanibnrj]

There is a difference in the test environment introduced in #339 that explains why tests were passing while inter-cluster communication was failing for Java 11 or prior versions. In the past, tests were running on the docker image without openssl installed and tests that exercise openssl functionality were disabled on OpenSsl.isAvailable() condition. Those tests are now enabled and they won't pass without changes in this PR.

Thanks for the explanation.