diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
index 0121b1ba69ccf..ad81e2ae1d727 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -34,6 +34,7 @@
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.SecureSettings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
@@ -786,11 +787,22 @@ private static void addTribeSettings(Settings settings, Settings.Builder setting
 }
 // we passed all the checks now we need to copy in all of the x-pack security settings
- settings.keySet().forEach(k -> {
+ SecureSettings secureSettings = Settings.builder().put(settings).getSecureSettings(); // hack to get at secure settings...
+ Set secureSettingKeys = secureSettings == null ? Collections.emptySet() : secureSettings.getSettingNames();
+ List invalidSettings = new ArrayList<>();
+ for (String k : settings.keySet()) {
 if (k.startsWith("xpack.security.")) {
- settingsBuilder.copy(tribePrefix + k, k, settings);
+ if (secureSettingKeys.contains(k)) {
+ invalidSettings.add(k);
+ } else {
+ settingsBuilder.copy(tribePrefix + k, k, settings);
+ }
 }
- });
+ }
+ if (invalidSettings.isEmpty() == false) {
+ throw new IllegalArgumentException("Secure settings " + invalidSettings.toString() +
+ " cannot be used with tribe client node");
+ }
 }
 Map realmsSettings = settings.getGroups(SecurityField.setting("authc.realms"), true);
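Review bot: The new exception at the end of the second hunk lists the rejected keys in the iteration order of `settings.keySet()`, which the accompanying test itself notes cannot be relied on, so the same misconfiguration can produce differently ordered startup errors. Sorting before the throw, `Collections.sort(invalidSettings);`, keeps the message stable for operators and log matching, and the explicit `.toString()` in the concatenation is redundant. Only setting names reach the message, never their values, and that is worth keeping so. The `// hack to get at secure settings...` comment would help more if it said why the builder round-trip is needed, for example `// no direct accessor for SecureSettings on Settings here (confirm), so copy into a builder to read the secure setting names`. addTribeSettings starts and ends outside this hunk.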
diff --git a/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java b/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java
index edf725e53939a..7165877199382 100644
--- a/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java
+++ b/x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java
@@ -556,6 +556,22 @@ public void testTribeSettingNames() throws Exception {
 s, anyOf(startsWith("tribe.blocks"), startsWith("tribe.name"), startsWith("tribe.on_conflict"))));
 }
+ public void testNoTribeSecureSettings() throws Exception {
+ MockSecureSettings secureSettings = new MockSecureSettings();
+ Path home = createTempDir();
+ secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "dummypass");
+ secureSettings.setString("xpack.security.authc.token.passphrase", "dummypass");
+ Settings settings = Settings.builder().setSecureSettings(secureSettings)
+ .put("path.home", home)
+ .put("tribe.t1.cluster.name", "foo")
+ .put("xpack.security.enabled", true).build();
+ Security security = new Security(settings, home.resolve("config"));
+ IllegalArgumentException e = expectThrows(IllegalArgumentException.class, security::additionalSettings);
+ // can't rely on order of the strings printed in the exception message
+ assertThat(e.getMessage(), containsString("xpack.security.http.ssl.keystore.secure_password"));
+ assertThat(e.getMessage(), containsString("xpack.security.authc.token.passphrase"));
+ }
+
 private void assertTribeNodeHasAllIndices() throws Exception {
 assertBusy(() -> {
 Set indices = new HashSet<>();
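Review bot: testNoTribeSecureSettings checks that both rejected setting names appear in the exception message, but not that the secret values stay out of it. This error is raised for secure settings and will end up in startup logs, so a regression that printed values would go unnoticed. One more assertion would pin that: `assertThat(e.getMessage(), not(containsString("dummypass")));`, assuming Hamcrest's `not` is or can be imported in this file, which the hunk does not show. The test value "dummypass" is not a substring of either setting name, so the assertion would be meaningful as written.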