Tribe: Add error with secure settings copied to tribe
This commit adds a clear error message when tribe setup attempts to copy
a secure setting into tribe settings. This behavior has never worked,
but the previous error message was very confusing, complaining about a
source key not being found later when trying to read the setting.

closes elastic#32117
rjernst committed Jul 23, 2018
1 parent 3a6992c commit 182858b
Showing 2 changed files with 22 additions and 2 deletions.
Expand Up @@ -34,6 +34,7 @@
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.IndexScopedSettings;
import org.elasticsearch.common.settings.SecureSettings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Setting.Property;
import org.elasticsearch.common.settings.Settings;
Expand Down Expand Up @@ -786,11 +787,16 @@ private static void addTribeSettings(Settings settings, Settings.Builder setting
}

// we passed all the checks now we need to copy in all of the x-pack security settings
settings.keySet().forEach(k -> {
SecureSettings secureSettings = Settings.builder().put(settings).getSecureSettings(); // hack to get at secure settings...
Set<String> secureSettingKeys = secureSettings == null ? Collections.emptySet() : secureSettings.getSettingNames();
for (String k : settings.keySet()) {
if (k.startsWith("xpack.security.")) {
if (secureSettingKeys.contains(k)) {
throw new IllegalArgumentException("Secure setting [" + k + "] cannot be used with tribe client node");
}
settingsBuilder.copy(tribePrefix + k, k, settings);
}
});
}
}

Map<String, Settings> realmsSettings = settings.getGroups(SecurityField.setting("authc.realms"), true);
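Review bot: The `// hack to get at secure settings...` comment on the new `SecureSettings secureSettings = ...` line does not say what the guard relies on. If `Settings.builder().put(settings).getSecureSettings()` returns null, `secureSettingKeys` becomes the empty set and `secureSettingKeys.contains(k)` is false for every key, so the copy proceeds and would presumably fail later with the old confusing message. I would state that above the line, for example `// Round-trip through a builder to read the secure settings; a null result is treated as "no secure settings" and makes the check below a no-op.` The exception text names only the key and never the secure value, which is worth keeping if the message is ever reworded. `addTribeSettings` starts and ends outside this hunk, so this applies only to the visible loop.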
Expand Up @@ -556,6 +556,20 @@ public void testTribeSettingNames() throws Exception {
s, anyOf(startsWith("tribe.blocks"), startsWith("tribe.name"), startsWith("tribe.on_conflict"))));
}

public void testNoTribeSecureSettings() throws Exception {
MockSecureSettings secureSettings = new MockSecureSettings();
Path home = createTempDir();
secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "dummypass");
Settings settings = Settings.builder().setSecureSettings(secureSettings)
.put("path.home", home)
.put("tribe.t1.cluster.name", "foo")
.put("xpack.security.enabled", true).build();
Security security = new Security(settings, home.resolve("config"));
IllegalArgumentException e = expectThrows(IllegalArgumentException.class, security::additionalSettings);
assertThat(e.getMessage(),
equalTo("Secure setting [xpack.security.http.ssl.keystore.secure_password] cannot be used with tribe client node"));
}

private void assertTribeNodeHasAllIndices() throws Exception {
assertBusy(() -> {
Set<String> indices = new HashSet<>();
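Review bot: `testNoTribeSecureSettings` exercises only the rejecting path; nothing visible in this hunk checks that a secure setting whose key falls outside the `xpack.security.` prefix is left alone by the new guard. A companion test with the same setup but such a key, asserting that the `IllegalArgumentException` from this guard is not raised by `security.additionalSettings()`, would pin the prefix scoping. The exact `equalTo` match also shows that the value `dummypass` never reaches the exception text; a one-line comment such as `// the message must name the key only, never the secure value` would make that intent explicit. Other tests in the file may already cover the non-throwing path, since only this hunk is visible.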