Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reloadable secure settings for plugins #29135

Closed
6 tasks done
albertzaharovits opened this issue Mar 19, 2018 · 1 comment
Closed
6 tasks done

Reloadable secure settings for plugins #29135

albertzaharovits opened this issue Mar 19, 2018 · 1 comment
Assignees

Comments

@albertzaharovits
Copy link
Contributor

albertzaharovits commented Mar 19, 2018

EDITED:
The reload-secure-store-action branch tracks the progress of making some of the plugins' secure settings reloadable.

Passwords and access keys of the clients used internally for remote calls are stored as secure settings inside the elasticsearch.keystore file. The contents of this file are retrievable only after decryption, using a password. Currently, the password is only available during node initialization. This effectively renders these settings immutable, as they are read only once, during initialization.

In the new proposed approach, plugins that are using internal clients (AWS, Azure, etc.) should not cache client instances but instead should require a client from a "Registry Service". There is one such service for each plugin. The client instance should be requested on each use (call to external system). Generally, it should be inexpensive for the "Registry Service" to service such demands. The "Registry Service", acting as a client cache, should allow for the clients' credentials to be changed. After the credentials change, subsequent client requests will return a new client constructed with the new credentials. Client instances that have been used before any credentials change will continue to be usable. The present implementation is of a best effort type. Currently, there is no way to wait for plugins to ditch the old settings and use only the new ones. In essence, this is because there is no strict rule of what reload means or what reload is complete means. It might be possible (high hanging fruit) for plugins to signal their completed reload.

The credentials change when the node rereads and decrypts the local keystore. For decryption it requires the password which is broadcasted by a TransportNodesAction action. The password should not be cached anywhere. When the TransportNodesAction action has returned, the keystore is no longer readable.

Too much noise already.
Plugins wishing to become "reloadable" should implement the ReloadablePlugin interface. They have to implement void reload(Settings settings) throws Exception. The settings parameter contains retrievable SecureSettings, but only if accessed under the reload call stack, i.e. don't pass the settings object to an async task and expect for SecureSettings to be further retrievable. Once the reload method has returned the keystore is sealed again.

Tasks:

Secure settings are also used at these other places:

  • SSL Configuration
  • watcher notification integrations (hipchat, jira, pagerduty, slack)
  • LDAP and AD Realm bind password

They might also benefit of this "reloadable" capability.

@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra

This was referenced Apr 29, 2018
DaveCTurner added a commit to DaveCTurner/elasticsearch that referenced this issue May 6, 2018
AWS supports the creation and use of credentials that are only valid for a
fixed period of time. These credentials comprise three parts: the usual access
key and secret key, together with a session token. This commit adds support for
these three-part credentials to the EC2 discovery plugin and the S3 repository
plugin.

Note that session tokens are only valid for a limited period of time and yet
there is no mechanism for refreshing or rotating them when they expire without
restarting Elasticsearch.  Nonetheless, this feature is already useful for
nodes that need only run for a few days, such as for training, testing or
evaluation. elastic#29135 tracks the work towards allowing these credentials to be
refreshed at runtime.

Resolves elastic#16428
@albertzaharovits albertzaharovits changed the title Reloadable settings for plugins Reloadable secure settings for plugins Jun 16, 2018
DaveCTurner added a commit that referenced this issue Jul 3, 2018
AWS supports the creation and use of credentials that are only valid for a
fixed period of time. These credentials comprise three parts: the usual access
key and secret key, together with a session token. This commit adds support for
these three-part credentials to the EC2 discovery plugin and the S3 repository
plugin.

Note that session tokens are only valid for a limited period of time and yet
there is no mechanism for refreshing or rotating them when they expire without
restarting Elasticsearch.  Nonetheless, this feature is already useful for
nodes that need only run for a few days, such as for training, testing or
evaluation. #29135 tracks the work towards allowing these credentials to be
refreshed at runtime.

Resolves #16428
DaveCTurner added a commit that referenced this issue Jul 3, 2018
AWS supports the creation and use of credentials that are only valid for a
fixed period of time. These credentials comprise three parts: the usual access
key and secret key, together with a session token. This commit adds support for
these three-part credentials to the EC2 discovery plugin and the S3 repository
plugin.

Note that session tokens are only valid for a limited period of time and yet
there is no mechanism for refreshing or rotating them when they expire without
restarting Elasticsearch.  Nonetheless, this feature is already useful for
nodes that need only run for a few days, such as for training, testing or
evaluation. #29135 tracks the work towards allowing these credentials to be
refreshed at runtime.

Resolves #16428
ywelsch pushed a commit that referenced this issue Aug 1, 2018
Docs on reloadable secure settings for plugins #29135 .
albertzaharovits added a commit that referenced this issue Aug 1, 2018
Docs on reloadable secure settings for plugins #29135 .
albertzaharovits added a commit that referenced this issue Aug 23, 2018
Docs on reloadable secure settings for plugins #29135 .
albertzaharovits added a commit that referenced this issue Aug 26, 2018
This is a minimal REST API spec and docs for the REST handler
for the `_nodes/reload_secure_settings endpoint`.

Relates #29135
albertzaharovits added a commit that referenced this issue Aug 26, 2018
This is a minimal REST API spec and docs for the REST handler
for the `_nodes/reload_secure_settings endpoint`.

Relates #29135
albertzaharovits added a commit that referenced this issue Aug 26, 2018
This is a minimal REST API spec and docs for the REST handler
for the `_nodes/reload_secure_settings endpoint`.

Relates #29135
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants