XPack: active_directory ssl.truststore.password (docs vs code) #41663

chriswhite199 · 2019-04-30T04:55:57Z

Bug Report:

Elasticsearch version 7.0.0
Plugins installed: []
JVM version (java -version):
OS version (uname -a if on a Unix-like system):
Description of the problem including expected versus actual behavior:

The docs note that to use a truststore paired with active_directory authentication realm, you should use the configuration suffix ssl.truststore.password, but this errors with unknown setting [xpack.security.authc.realms.active_directory.myrealm.ssl.truststore.password]

Instead, inspection of the code, and testing, shows that the property looked for is truststore.password, as can be seen at https://github.com/elastic/elasticsearch/blob/master/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java#L119:

public static final Function<String, Setting.AffixSetting<SecureString>> LEGACY_TRUST_STORE_PASSWORD_REALM = realmType ->
            Setting.affixKeySetting("xpack.security.authc.realms." + realmType + ".", "truststore.password",
                    LEGACY_TRUSTSTORE_PASSWORD_TEMPLATE);

The corresponding ssl.truststore.path can be seen to use the ssl prefix in the code (line 107):

public static final Function<String, Setting.AffixSetting<Optional<String>>> TRUST_STORE_PATH_REALM = realmType ->
            Setting.affixKeySetting("xpack.security.authc.realms." + realmType + ".", "ssl.truststore.path", TRUST_STORE_PATH_TEMPLATE);

Steps to reproduce:

Configure an active_directory realm with a truststore + password, as detailed using the documentation properties

xpack.security.authc.realms.active_directory.myrealm:
  ssl:
    verification_mode: full
    truststore:
      path: certs/cacerts.jks
      password: changeit

Where as currently, 7.0.0 requires this setup instead (contradictory to the docs), but then there is an error loading the keystore (password verification failed), which i can only assume is because the password is not being picked up - manual keytool verification works)

xpack.security.authc.realms.active_directory.myrealm:
  ssl:
    verification_mode: full
    truststore:
      path: certs/cacerts.jks
  truststore:
    password: changeit

The text was updated successfully, but these errors were encountered:

elasticmachine · 2019-04-30T09:16:56Z

Pinging @elastic/es-security

As part of elastic#30241 realm settings were changed to be true affix settings. In the process of this change, the "ssl." prefix was lost from the realm truststore password. It should be: xpack.security.authc.realms.<type>.<name>.ssl.truststore.password Due to a mismatch between the way we define SSL settings and load SSL contexts, there was no way to define this legacy password setting in a realm config. The settings validation would reject "ssl.truststore.password" but the SSL service would ignore "truststore.password" Resolves: elastic#41663

As part of #30241 realm settings were changed to be true affix settings. In the process of this change, the "ssl." prefix was lost from the realm truststore password. It should be: xpack.security.authc.realms.<type>.<name>.ssl.truststore.password Due to a mismatch between the way we define SSL settings and load SSL contexts, there was no way to define this legacy password setting in a realm config. The settings validation would reject "ssl.truststore.password" but the SSL service would ignore "truststore.password" Resolves: #41663

As part of elastic#30241 realm settings were changed to be true affix settings. In the process of this change, the "ssl." prefix was lost from the realm truststore password. It should be: xpack.security.authc.realms.<type>.<name>.ssl.truststore.password Due to a mismatch between the way we define SSL settings and load SSL contexts, there was no way to define this legacy password setting in a realm config. The settings validation would reject "ssl.truststore.password" but the SSL service would ignore "truststore.password" Resolves: elastic#41663 Backport of: elastic#42336

As part of elastic#30241 realm settings were changed to be true affix settings. In the process of this change, the "ssl." prefix was lost from the realm truststore password. It should be: xpack.security.authc.realms.<type>.<name>.ssl.truststore.password Due to a mismatch between the way we define SSL settings and load SSL contexts, there was no way to define this legacy password setting in a realm config. The settings validation would reject "ssl.truststore.password" but the SSL service would ignore "truststore.password" Resolves: elastic#41663

colings86 added the :Security/Security Security issues without another label label Apr 30, 2019

tvernum self-assigned this May 22, 2019

tvernum added the >bug label May 22, 2019

tvernum mentioned this issue May 22, 2019

Fix settings prefix for realm truststore password #42336

Merged

tvernum closed this as completed in #42336 May 22, 2019

tvernum mentioned this issue May 23, 2019

[Backport 7.2] Fix settings prefix for realm truststore password #42415

Merged

codebrain mentioned this issue Aug 5, 2019

[meta] 7.2 Release elastic/elasticsearch-net#3980

Closed

37 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XPack: active_directory ssl.truststore.password (docs vs code) #41663

XPack: active_directory ssl.truststore.password (docs vs code) #41663

chriswhite199 commented Apr 30, 2019

elasticmachine commented Apr 30, 2019

XPack: active_directory ssl.truststore.password (docs vs code) #41663

XPack: active_directory ssl.truststore.password (docs vs code) #41663

Comments

chriswhite199 commented Apr 30, 2019

Bug Report:

elasticmachine commented Apr 30, 2019