-
Notifications
You must be signed in to change notification settings - Fork 24.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reloadable secure settings for plugins #29135
Labels
Comments
albertzaharovits
added
>feature
:Core/Infra/Plugins
Plugin API and infrastructure
Meta
v7.0.0
v6.3.0
labels
Mar 19, 2018
Pinging @elastic/es-core-infra |
This was referenced Mar 26, 2018
This was referenced Apr 29, 2018
Closed
DaveCTurner
added a commit
to DaveCTurner/elasticsearch
that referenced
this issue
May 6, 2018
AWS supports the creation and use of credentials that are only valid for a fixed period of time. These credentials comprise three parts: the usual access key and secret key, together with a session token. This commit adds support for these three-part credentials to the EC2 discovery plugin and the S3 repository plugin. Note that session tokens are only valid for a limited period of time and yet there is no mechanism for refreshing or rotating them when they expire without restarting Elasticsearch. Nonetheless, this feature is already useful for nodes that need only run for a few days, such as for training, testing or evaluation. elastic#29135 tracks the work towards allowing these credentials to be refreshed at runtime. Resolves elastic#16428
This was referenced Jun 7, 2018
albertzaharovits
changed the title
Reloadable settings for plugins
Reloadable secure settings for plugins
Jun 16, 2018
DaveCTurner
added a commit
that referenced
this issue
Jul 3, 2018
AWS supports the creation and use of credentials that are only valid for a fixed period of time. These credentials comprise three parts: the usual access key and secret key, together with a session token. This commit adds support for these three-part credentials to the EC2 discovery plugin and the S3 repository plugin. Note that session tokens are only valid for a limited period of time and yet there is no mechanism for refreshing or rotating them when they expire without restarting Elasticsearch. Nonetheless, this feature is already useful for nodes that need only run for a few days, such as for training, testing or evaluation. #29135 tracks the work towards allowing these credentials to be refreshed at runtime. Resolves #16428
DaveCTurner
added a commit
that referenced
this issue
Jul 3, 2018
AWS supports the creation and use of credentials that are only valid for a fixed period of time. These credentials comprise three parts: the usual access key and secret key, together with a session token. This commit adds support for these three-part credentials to the EC2 discovery plugin and the S3 repository plugin. Note that session tokens are only valid for a limited period of time and yet there is no mechanism for refreshing or rotating them when they expire without restarting Elasticsearch. Nonetheless, this feature is already useful for nodes that need only run for a few days, such as for training, testing or evaluation. #29135 tracks the work towards allowing these credentials to be refreshed at runtime. Resolves #16428
ywelsch
pushed a commit
that referenced
this issue
Aug 1, 2018
Docs on reloadable secure settings for plugins #29135 .
albertzaharovits
added a commit
that referenced
this issue
Aug 1, 2018
Docs on reloadable secure settings for plugins #29135 .
albertzaharovits
added a commit
that referenced
this issue
Aug 23, 2018
Docs on reloadable secure settings for plugins #29135 .
albertzaharovits
added a commit
that referenced
this issue
Aug 26, 2018
This is a minimal REST API spec and docs for the REST handler for the `_nodes/reload_secure_settings endpoint`. Relates #29135
albertzaharovits
added a commit
that referenced
this issue
Aug 26, 2018
This is a minimal REST API spec and docs for the REST handler for the `_nodes/reload_secure_settings endpoint`. Relates #29135
albertzaharovits
added a commit
that referenced
this issue
Aug 26, 2018
This is a minimal REST API spec and docs for the REST handler for the `_nodes/reload_secure_settings endpoint`. Relates #29135
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
EDITED:
The reload-secure-store-action branch tracks the progress of making some of the plugins' secure settings reloadable.
Passwords and access keys of the clients used internally for remote calls are stored as secure settings inside the
elasticsearch.keystore
file. The contents of this file are retrievable only after decryption, using a password. Currently, the password is only available during node initialization. This effectively renders these settings immutable, as they are read only once, during initialization.In the new proposed approach, plugins that are using internal clients (AWS, Azure, etc.) should not cache client instances but instead should require a client from a "Registry Service". There is one such service for each plugin. The client instance should be requested on each use (call to external system). Generally, it should be inexpensive for the "Registry Service" to service such demands. The "Registry Service", acting as a client cache, should allow for the clients' credentials to be changed. After the credentials change, subsequent client requests will return a new client constructed with the new credentials. Client instances that have been used before any credentials change will continue to be usable. The present implementation is of a best effort type. Currently, there is no way to wait for plugins to ditch the old settings and use only the new ones. In essence, this is because there is no strict rule of what reload means or what reload is complete means. It might be possible (high hanging fruit) for plugins to signal their completed reload.
The credentials change when the node rereads and decrypts the local keystore. For decryption it requires the password which is broadcasted by a
TransportNodesAction
action. The password should not be cached anywhere. When theTransportNodesAction
action has returned, the keystore is no longer readable.Too much noise already.
Plugins wishing to become "reloadable" should implement the
ReloadablePlugin
interface. They have to implementvoid reload(Settings settings) throws Exception
. Thesettings
parameter contains retrievableSecureSettings
, but only if accessed under thereload
call stack, i.e. don't pass thesettings
object to an async task and expect forSecureSettings
to be further retrievable. Once thereload
method has returned the keystore is sealed again.Tasks:
Secure settings are also used at these other places:
They might also benefit of this "reloadable" capability.
The text was updated successfully, but these errors were encountered: