Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure Settings #22475

Closed
4 of 8 tasks
rjernst opened this issue Jan 6, 2017 · 4 comments
Closed
4 of 8 tasks

Secure Settings #22475

rjernst opened this issue Jan 6, 2017 · 4 comments
Labels
:Core/Infra/Settings Settings infrastructure and APIs Meta Team:Core/Infra Meta label for core/infra team team-discuss

Comments

@rjernst
Copy link
Member

rjernst commented Jan 6, 2017
edited
Loading

This is a meta issue to track work on making sensitive settings secure in elasticsearch. The core infrastructure for this feature is added in #22335, which provides the elasticsearch-keystore tool. The following work is still necessary to consider the feature complete:

  • Convert existing settings (eg aws keys) to new infrastructure
  • Add password support to the keystore
  • Add reading password for start scripts (init.d and systemd)
  • Investigate best location for keystore file. Currently in config dir, which has read permissions for the life of the node, but could place somewhere with no SM permissions, since reading is done before SM is setup.

The following would be nice to haves:

  • Investigate only allowing reading secure settings registered by plugins (eg not allowing reading other plugin's secure settings)
  • [x ] Investigate setting explicit algorithm for PBE
  • Add support for private keys
  • Add support for certificates
  • Add support to read secure settings from Vault instead of keystore
@clintongormley clintongormley added the :Core/Infra/Settings Settings infrastructure and APIs label Jan 10, 2017
rjernst added a commit to rjernst/elasticsearch that referenced this issue Apr 7, 2017
@rjernst
Settings: Migrate ec2 discovery sensitive settings to elasticsearch k…
1200b76 
…eystore

This change adds secure settings for access/secret keys and proxy
username/password to ec2 discovery.  It adds the new settings with the
prefix `discovery.ec2`, copies other relevant ec2 client settings to the
same prefix, and deprecates all other settings (`cloud.aws.*` and
`cloud.aws.ec2.*`).  Note that this is simpler than the client configs
in repository-s3 because discovery is only initialized once for the
entire node, so there is no reason to complicate the configuration with
the ability to have multiple sets of client settings.

relates elastic#22475
@rjernst rjernst mentioned this issue Apr 7, 2017
Merged
rjernst added a commit that referenced this issue Apr 7, 2017
@rjernst
Settings: Migrate ec2 discovery sensitive settings to elasticsearch k…
d4c0ef0 
…eystore (#23961)

This change adds secure settings for access/secret keys and proxy
username/password to ec2 discovery.  It adds the new settings with the
prefix `discovery.ec2`, copies other relevant ec2 client settings to the
same prefix, and deprecates all other settings (`cloud.aws.*` and
`cloud.aws.ec2.*`).  Note that this is simpler than the client configs
in repository-s3 because discovery is only initialized once for the
entire node, so there is no reason to complicate the configuration with
the ability to have multiple sets of client settings.

relates #22475
rjernst added a commit that referenced this issue Apr 7, 2017
@rjernst
Settings: Migrate ec2 discovery sensitive settings to elasticsearch k…
725abd0 
…eystore (#23961)

This change adds secure settings for access/secret keys and proxy
username/password to ec2 discovery.  It adds the new settings with the
prefix `discovery.ec2`, copies other relevant ec2 client settings to the
same prefix, and deprecates all other settings (`cloud.aws.*` and
`cloud.aws.ec2.*`).  Note that this is simpler than the client configs
in repository-s3 because discovery is only initialized once for the
entire node, so there is no reason to complicate the configuration with
the ability to have multiple sets of client settings.

relates #22475
This was referenced Nov 28, 2017
Closed
Closed
@gmoskovicz gmoskovicz mentioned this issue Dec 28, 2017
Closed
@joshbressers
Copy link

I filed an issue to cover the specific feature of password protecting the keystore
#32691

@pdanysz
Copy link

pdanysz commented Mar 18, 2019

Dears,
I faced an issue with elasticsearch.keystore location when using Elastic on Kubernetes clusters and configuration are mounted via ConfigMaps. Due to this I have "read-only" fs of /etc/elasticsearch and because of that , ES is going to crash.

Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: java.nio.file.FileSystemException: /etc/elasticsearch/elasticsearch.keystore.tmp: Read-only file system
--
  | Likely root cause: java.nio.file.FileSystemException: /etc/elasticsearch/elasticsearch.keystore.tmp: Read-only file system
  | at sun.nio.fs.UnixException.translateToIOException(UnixException.java:91)
  | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
  | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
  | at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
  | at java.nio.file.spi.FileSystemProvider.newOutputStream(FileSystemProvider.java:434)
  | at java.nio.file.Files.newOutputStream(Files.java:216)
  | at org.apache.lucene.store.FSDirectory$FSIndexOutput.<init>(FSDirectory.java:411)
  | at org.apache.lucene.store.FSDirectory$FSIndexOutput.<init>(FSDirectory.java:407)
  | at org.apache.lucene.store.FSDirectory.createOutput(FSDirectory.java:255)
  | at org.elasticsearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:467)
  | at org.elasticsearch.bootstrap.Bootstrap.loadSecureSettings(Bootstrap.java:238)
  | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:295)
  | at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159)
  | at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150)
  | at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
  | at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
  | at org.elasticsearch.cli.Command.main(Command.java:90)
  | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:116)
  | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93)
  | Refer to the log for complete error details.

It will be great to have a settings for keystore location in elasticsearch.yaml to set directory outside of /etc/elasticsearch.

Can you advice in this topic?

Thanks in advance,

@rjernst rjernst added the Team:Core/Infra Meta label for core/infra team label May 4, 2020
@rjernst rjernst added the needs:triage Requires assignment of a team area label label Dec 3, 2020
@gwbrown
Copy link
Contributor

gwbrown commented Dec 4, 2020

I'm labeling this team-discuss to determine which of the as-yet-incomplete "nice to have" tasks we still intend to complete. Once we do so, they should be promoted to individual issues and this issue closed, as the main thrust of this issue has been long since completed.

@gwbrown gwbrown added team-discuss and removed needs:triage Requires assignment of a team area label labels Dec 4, 2020
@rjernst
Copy link
Member Author

rjernst commented Mar 17, 2021

Since the core secure settings have been available for many years now, I don't think we need to keep this issue open. The nice to haves, if they become priorities, can be opened as their own issues.

@rjernst rjernst closed this as completed Mar 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Core/Infra/Settings Settings infrastructure and APIs Meta Team:Core/Infra Meta label for core/infra team team-discuss
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@clintongormley @rjernst @pdanysz @gwbrown @joshbressers