Description
As noted in #37793 (comment), the Deprecation Info API uses the NodeInfo API to check for problems with settings. This means that issues involving filtered settings cannot be detected by the Deprecation Info API.
This issue was masked by the fact that we only have unit tests for the node deprecation checks, which do not go through the filtering process.
This impacts a few different checks:
watcherNotificationsSecureSettingsCheck, introduced in Watcher notification settings Upgrade checks #36907defaultSSLSettingsRemoved, introduced in Add deprecation warnings for ssl config fallback #36847tlsv1ProtocolDisabled, introduced in Add TLS version changes to deprecation checks #37793 (not yet merged)
We do not want to allow filtered settings to be accessed via the NodeInfo API, as there is a reason these settings are filtered: they typically contain sensitive information.
One possible solution is to change how the Deprecation API operates: instead of retrieving the settings from the nodes and performing the checks on the master node, we could have each node perform the checks on its own settings and send the results back to the master. This would allow filtered settings to be examined in deprecation checks, but add significant complexity and create problems in mixed clusters unless it is done carefully.
Another possible solution is to simply say that these issues cannot be detected via the Deprecation Info API, and the user will have to check the deprecation log to find out about these issues. We have done this for one potential issue, the changed file path for file-based discovery, which is not detectable through the NodeInfo API: #36190. If we go this route, we may want to consider returning a WARNING level issue (or resurrecting INFO) if Watcher/Security are enabled reminding users to check the deprecation logs and informing them of these changes we cannot detect.
/cc @bleskes for awareness