Fix ReloadSecureSettings API to consume password #54771
Conversation
The secure_settings_password was never taken into consideration in the ReloadSecureSettings API. This commit fixes that and adds necessary REST layer testing. Doing so, it also - Allows TestClusters to have a password protected keystore so that it can be set for tests. - Adds a parameter to the run task so that elastisearch can be run with a password protected keystore. -
jkakavas
added
>bug
:Delivery/Build
|
Pinging @elastic/es-core-infra (:Core/Infra/Build) |
|
Pinging @elastic/es-security (:Security/Security) |
| request.withContentOrSourceParamParserOrNull(parser -> { | ||
| if (parser != null) { | ||
| final NodesReloadSecureSettingsRequest nodesRequest = nodesRequestBuilder.request(); | ||
| final NodesReloadSecureSettingsRequest nodesRequest = PARSER.parse(parser, null); |
There was a problem hiding this comment.
This is the result of a master merge gone wrong in the feature branch : 4780880#diff-0187f4b109fbd7256c987cceae7691caL76
This is the actual fix and the only change necessary. If the buildSrc changes need further discussion, we could just merge the fix and the rest of the test changes when ready.
| if (keystorePassword != null && keystorePassword.length() > 0) { | ||
| try { | ||
| Files.write(esStdinFile, (keystorePassword + "\n").getBytes(StandardCharsets.UTF_8), StandardOpenOption.CREATE); | ||
| processBuilder.redirectInput(esStdinFile.toFile()); |
There was a problem hiding this comment.
nits: the redirectInput call can be placed outside of the try block.
There was a problem hiding this comment.
what do we gain by doing so? If Files#write throws, we would still fail with aTestClustersException before we reach redirectInput`
There was a problem hiding this comment.
It makes no difference in actual execution outcome for this particular scenario. It's a choice of style, keep error handling specific and accurate to what is targeting for. It's akin to formatting and method extraction, but a bit more: if future changes make the extra method calls throw the same exception, it will not be handled automatically and potentially unwanted by the broader-than-necessary try-catch block. It does not apply to this particular case, that's why I called it "nits". But woud anyhow prefer keeping any context as small as possible.
| "secure_settings_password": "s3cr3t" | ||
| } | ||
| -------------------------------------------------- | ||
| // NOTCONSOLE |
There was a problem hiding this comment.
Why are these NOTCONSOLE? They look console to me.
I realise it's existing, but it seems like this docs issue is due in part to these not being treated as testable snippets.
There was a problem hiding this comment.
Because I forgot to enable them :) When this was first introduced, I think NOTCONSOLE was there to cater for the fact that we couldn't set the keystore password in a proper way in the docs cluster
| } | ||
| }, | ||
| "body": { | ||
| "description": "The password for the elasticsearch keystore", |
There was a problem hiding this comment.
This implies that the body should be the raw password, I think we want something more like:
| "description": "The password for the elasticsearch keystore", | |
| "description": "An object containing password for the elasticsearch keystore", |
| - is_true: cluster_name | ||
| - match: { nodes.$node_id.reload_exception.type: "security_exception" } | ||
| - match: { nodes.$node_id.reload_exception.reason: "Provided keystore password was incorrect" } | ||
|
|
There was a problem hiding this comment.
Can we have a version with no password as well?
That should fail with the same error, but I think it's worth a test that it's not failing on "password is required" or a NPE, etc.
|
@mark-vieira , @williamrandolph I'm not sure what is the best way to set |
…luster that doesn't have transport TLS setup
|
Chatted with @rjernst about this, I will remove the keystore password from the core rest tests and I will add a new QA project with an ESRestTestCase test for reloading secure settings with a password protected keystore |
| @@ -0,0 +1,52 @@ | |||
| /* | |||
There was a problem hiding this comment.
The reason this is created in x-pack is that calling the reload settings api with a password require transport SSL to be configured. We could move this to qa and run with OSS too, if we limit this to an 1 node cluster
|
@elasticmachine update branch |
rjernst
left a comment
rjernst
left a comment
There was a problem hiding this comment.
A few suggestions, otherwise LGTM
| } | ||
|
|
||
| @Option( | ||
| option = "keystore-password", |
There was a problem hiding this comment.
While I'm not opposed to this, I wonder how useful it is in practice since we have no ability to set values in the keystore via the run task?
There was a problem hiding this comment.
Yes, I'm not sold on it either. And given that we currently don't have a way to set keystore properties in the run task, maybe it's not worth adding ? I don't know , it seemed like a good idea when I added it but I'm not so sure now
There was a problem hiding this comment.
I assume this is only relevant when compiled with the --data-dir option to point at an existing directory which might have a manually setup keystore?
|
|
||
| import java.util.Map; | ||
|
|
||
| public class ReloadSecureSettingsWithPasswordProtectedKeystoreRestIT extends ESRestTestCase { |
There was a problem hiding this comment.
I find these easier to write, debug and argue about so if you don't have a strong view on why we should make them a yaml test, I'd prefer to keep this
| @@ -0,0 +1,20 @@ | |||
| -----BEGIN CERTIFICATE----- | |||
There was a problem hiding this comment.
I'm just curious: we used to generate these types of materials within build.gradle in other qa tests: why are we now committing them instead of generating on the fly?
There was a problem hiding this comment.
We used to depend on BouncyCastle to generate keys and certificates as JDK doesn't expose the necessary APIs for the certificate generation (https://bugs.openjdk.java.net/browse/JDK-8058778) and we removed BouncyCastle dependency as part of the FIPS 140 effort
|
@elasticmachine update branch |
|
@mark-vieira , @williamrandolph any thoughts on #54771 (comment) or any other feedback ? If not, I'll merge this since @rjernst LGTM'd it |
|
This looks good to me — thanks for adding this coverage! |
The secure_settings_password was never taken into consideration in the ReloadSecureSettings API. This commit fixes that and adds necessary REST layer testing. Doing so, it also - Allows TestClusters to have a password protected keystore so that it can be set for tests. - Adds a parameter to the run task so that elastisearch can be run with a password protected keystore from source.
The secure_settings_password was never taken into consideration in the ReloadSecureSettings API. This commit fixes that and adds necessary REST layer testing. Doing so, it also - Allows TestClusters to have a password protected keystore so that it can be set for tests. - Adds a parameter to the run task so that elastisearch can be run with a password protected keystore from source.
The secure_settings_password was never taken into consideration in the ReloadSecureSettings API. This commit fixes that and adds necessary REST layer testing. Doing so, it also: - Allows TestClusters to have a password protected keystore so that it can be set for tests. - Adds a parameter to the run task so that elastisearch can be run with a password protected keystore from source.
The secure_settings_password was never taken into consideration in the ReloadSecureSettings API. This commit fixes that and adds necessary REST layer testing. Doing so, it also: - Allows TestClusters to have a password protected keystore so that it can be set for tests. - Adds a parameter to the run task so that elastisearch can be run with a password protected keystore from source.
8 participants
The secure_settings_password was never taken into consideration in
the ReloadSecureSettings API. This commit fixes that and adds
necessary REST layer testing. Doing so, it also
so that it can be set for tests.
be run with a password protected keystore from source.