Example 1 with KeyStoreWrapper
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class BootstrapTests method testLoadSecureSettings.
public void testLoadSecureSettings() throws Exception {
final Path configPath = env.configFile();
final SecureString seed;
try (KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create()) {
seed = KeyStoreWrapper.SEED_SETTING.get(Settings.builder().setSecureSettings(keyStoreWrapper).build());
assertNotNull(seed);
assertTrue(seed.length() > 0);
keyStoreWrapper.save(configPath, new char[0]);
}
assertTrue(Files.exists(configPath.resolve("opensearch.keystore")));
try (SecureSettings secureSettings = Bootstrap.loadSecureSettings(env)) {
SecureString seedAfterLoad = KeyStoreWrapper.SEED_SETTING.get(Settings.builder().setSecureSettings(secureSettings).build());
assertEquals(seedAfterLoad.toString(), seed.toString());
assertTrue(Files.exists(configPath.resolve("opensearch.keystore")));
}
}
Also used :
Path(java.nio.file.Path)
SecureSettings(org.opensearch.common.settings.SecureSettings)
KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper)
SecureString(org.opensearch.common.settings.SecureString)
Example 2 with KeyStoreWrapper
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class TransportNodesReloadSecureSettingsAction method nodeOperation.
@Override
protected NodesReloadSecureSettingsResponse.NodeResponse nodeOperation(NodeRequest nodeReloadRequest) {
final NodesReloadSecureSettingsRequest request = nodeReloadRequest.request;
// We default to using an empty string as the keystore password so that we mimic pre 7.3 API behavior
final SecureString secureSettingsPassword = request.hasPassword() ? request.getSecureSettingsPassword() : new SecureString(new char[0]);
try (KeyStoreWrapper keystore = KeyStoreWrapper.load(environment.configFile())) {
// reread keystore from config file
if (keystore == null) {
return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), new IllegalStateException("Keystore is missing"));
}
// decrypt the keystore using the password from the request
keystore.decrypt(secureSettingsPassword.getChars());
// add the keystore to the original node settings object
final Settings settingsWithKeystore = Settings.builder().put(environment.settings(), false).setSecureSettings(keystore).build();
final List<Exception> exceptions = new ArrayList<>();
// broadcast the new settings object (with the open embedded keystore) to all reloadable plugins
pluginsService.filterPlugins(ReloadablePlugin.class).stream().forEach(p -> {
try {
p.reload(settingsWithKeystore);
} catch (final Exception e) {
logger.warn((Supplier<?>) () -> new ParameterizedMessage("Reload failed for plugin [{}]", p.getClass().getSimpleName()), e);
exceptions.add(e);
}
});
ExceptionsHelper.rethrowAndSuppress(exceptions);
return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), null);
} catch (final Exception e) {
return new NodesReloadSecureSettingsResponse.NodeResponse(clusterService.localNode(), e);
} finally {
secureSettingsPassword.close();
}
}
Also used :
ArrayList(java.util.ArrayList)
OpenSearchException(org.opensearch.OpenSearchException)
FailedNodeException(org.opensearch.action.FailedNodeException)
IOException(java.io.IOException)
Supplier(org.apache.logging.log4j.util.Supplier)
ParameterizedMessage(org.apache.logging.log4j.message.ParameterizedMessage)
KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper)
SecureString(org.opensearch.common.settings.SecureString)
Settings(org.opensearch.common.settings.Settings)
Example 3 with KeyStoreWrapper
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class UpgradeCliTests method assertKeystoreImported.
private void assertKeystoreImported(String passwd) throws IOException, GeneralSecurityException {
// assert keystore is created
KeyStoreWrapper keystore = KeyStoreWrapper.load(env.configFile());
assertNotNull(keystore);
// assert all keystore settings are imported
keystore.decrypt(passwd.toCharArray());
assertThat(keystore.getSettingNames(), hasItems(KeyStoreWrapper.SEED_SETTING.getKey(), "test.setting.key", "test.setting.file"));
assertThat(keystore.getString("test.setting.key").toString(), is("test.setting.value"));
InputStream is = keystore.getFile("test.setting.file");
byte[] bytes = new byte[is.available()];
assertThat(is.read(bytes), greaterThan(0));
String actual = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes)).toString();
String expected = "{\"some_key\": \"some_val\"}";
assertThat(actual, is(expected));
}
Also used :
InputStream(java.io.InputStream)
KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper)
Example 4 with KeyStoreWrapper
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class ImportKeystoreTask method accept.
@Override
public void accept(final Tuple<TaskInput, Terminal> input) {
final TaskInput taskInput = input.v1();
final Terminal terminal = input.v2();
SecureString keyStorePassword = new SecureString(new char[0]);
try {
terminal.println("Importing keystore settings ...");
final KeyStoreWrapper esKeystore = KeyStoreWrapper.load(taskInput.getEsConfig(), ES_KEYSTORE_FILENAME);
if (esKeystore == null) {
terminal.println("No elasticsearch keystore settings to import.");
return;
}
KeyStoreWrapper openSearchKeystore = KeyStoreWrapper.load(taskInput.getOpenSearchConfig().resolve(OPENSEARCH_KEYSTORE_FILENAME));
if (openSearchKeystore == null) {
openSearchKeystore = KeyStoreWrapper.create();
}
if (esKeystore.hasPassword()) {
final char[] passwordArray = terminal.readSecret("Enter password for the elasticsearch keystore : ");
keyStorePassword = new SecureString(passwordArray);
}
esKeystore.decrypt(keyStorePassword.getChars());
for (String setting : esKeystore.getSettingNames()) {
if (setting.equals("keystore.seed")) {
continue;
}
if (!openSearchKeystore.getSettingNames().contains(setting)) {
InputStream settingIS = esKeystore.getFile(setting);
byte[] bytes = new byte[settingIS.available()];
settingIS.read(bytes);
KeystoreWrapperUtil.saveSetting(openSearchKeystore, setting, bytes);
}
}
openSearchKeystore.save(taskInput.getOpenSearchConfig(), keyStorePassword.getChars());
terminal.println("Success!" + System.lineSeparator());
} catch (Exception e) {
throw new RuntimeException("Error importing keystore settings from elasticsearch, " + e);
} finally {
keyStorePassword.close();
}
}
Also used :
InputStream(java.io.InputStream)
KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper)
SecureString(org.opensearch.common.settings.SecureString)
Terminal(org.opensearch.cli.Terminal)
SecureString(org.opensearch.common.settings.SecureString)
Example 5 with KeyStoreWrapper
use of org.opensearch.common.settings.KeyStoreWrapper in project OpenSearch by opensearch-project.
the class Bootstrap method loadSecureSettings.
static SecureSettings loadSecureSettings(Environment initialEnv) throws BootstrapException {
final KeyStoreWrapper keystore;
try {
keystore = KeyStoreWrapper.load(initialEnv.configFile());
} catch (IOException e) {
throw new BootstrapException(e);
}
SecureString password;
try {
if (keystore != null && keystore.hasPassword()) {
password = readPassphrase(System.in, KeyStoreAwareCommand.MAX_PASSPHRASE_LENGTH);
} else {
password = new SecureString(new char[0]);
}
} catch (IOException e) {
throw new BootstrapException(e);
}
try {
if (keystore == null) {
final KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create();
keyStoreWrapper.save(initialEnv.configFile(), new char[0]);
return keyStoreWrapper;
} else {
keystore.decrypt(password.getChars());
KeyStoreWrapper.upgrade(keystore, initialEnv.configFile(), password.getChars());
}
} catch (Exception e) {
throw new BootstrapException(e);
} finally {
password.close();
}
return keystore;
}
Also used :
KeyStoreWrapper(org.opensearch.common.settings.KeyStoreWrapper)
IOException(java.io.IOException)
SecureString(org.opensearch.common.settings.SecureString)
UserException(org.opensearch.cli.UserException)
CreationException(org.opensearch.common.inject.CreationException)
URISyntaxException(java.net.URISyntaxException)
OpenSearchException(org.opensearch.OpenSearchException)
IOException(java.io.IOException)
NodeValidationException(org.opensearch.node.NodeValidationException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
Aggregations
KeyStoreWrapper (org.opensearch.common.settings.KeyStoreWrapper)5
SecureString (org.opensearch.common.settings.SecureString)4
IOException (java.io.IOException)2
InputStream (java.io.InputStream)2
OpenSearchException (org.opensearch.OpenSearchException)2
UnsupportedEncodingException (java.io.UnsupportedEncodingException)1
URISyntaxException (java.net.URISyntaxException)1
Path (java.nio.file.Path)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
ArrayList (java.util.ArrayList)1
ParameterizedMessage (org.apache.logging.log4j.message.ParameterizedMessage)1
Supplier (org.apache.logging.log4j.util.Supplier)1
FailedNodeException (org.opensearch.action.FailedNodeException)1
Terminal (org.opensearch.cli.Terminal)1
UserException (org.opensearch.cli.UserException)1
CreationException (org.opensearch.common.inject.CreationException)1
SecureSettings (org.opensearch.common.settings.SecureSettings)1
Settings (org.opensearch.common.settings.Settings)1
NodeValidationException (org.opensearch.node.NodeValidationException)1
