Tribe: Add error with secure settings copied to tribe (#32298)

This commit adds a clear error message when tribe setup attempts to copy
a secure setting into tribe settings. This behavior has never worked,
but the previous error message was very confusing, complaining about a
source key not being found later when trying to read the setting.

closes #32117

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -34,6 +34,7 @@
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.IndexScopedSettings;
+import org.elasticsearch.common.settings.SecureSettings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
@@ -811,11 +812,22 @@ private static void addTribeSettings(Settings settings, Settings.Builder setting
             }
 
             // we passed all the checks now we need to copy in all of the x-pack security settings
-            settings.keySet().forEach(k -> {
+            SecureSettings secureSettings = Settings.builder().put(settings).getSecureSettings(); // hack to get at secure settings...
+            Set<String> secureSettingKeys = secureSettings == null ? Collections.emptySet() : secureSettings.getSettingNames();
+            List<String> invalidSettings = new ArrayList<>();
+            for (String k : settings.keySet()) {
                 if (k.startsWith("xpack.security.")) {
-                    settingsBuilder.copy(tribePrefix + k, k, settings);
+                    if (secureSettingKeys.contains(k)) {
+                        invalidSettings.add(k);
+                    } else {
+                        settingsBuilder.copy(tribePrefix + k, k, settings);
+                    }
                 }
-            });
+            }
+            if (invalidSettings.isEmpty() == false) {
+                throw new IllegalArgumentException("Secure settings " + invalidSettings.toString() +
+                                                   " cannot be used with tribe client node");
+            }
         }
 
         Map<String, Settings> realmsSettings = settings.getGroups(SecurityField.setting("authc.realms"), true);

x-pack/qa/tribe-tests-with-security/src/test/java/org/elasticsearch/xpack/security/SecurityTribeTests.java

@@ -556,6 +556,22 @@ public void testTribeSettingNames() throws Exception {
                         s, anyOf(startsWith("tribe.blocks"), startsWith("tribe.name"), startsWith("tribe.on_conflict"))));
     }
 
+    public void testNoTribeSecureSettings() throws Exception {
+        MockSecureSettings secureSettings = new MockSecureSettings();
+        Path home = createTempDir();
+        secureSettings.setString("xpack.security.http.ssl.keystore.secure_password", "dummypass");
+        secureSettings.setString("xpack.security.authc.token.passphrase", "dummypass");
+        Settings settings = Settings.builder().setSecureSettings(secureSettings)
+            .put("path.home", home)
+            .put("tribe.t1.cluster.name", "foo")
+            .put("xpack.security.enabled", true).build();
+        Security security = new Security(settings, home.resolve("config"));
+        IllegalArgumentException e = expectThrows(IllegalArgumentException.class, security::additionalSettings);
+        // can't rely on order of the strings printed in the exception message
+        assertThat(e.getMessage(), containsString("xpack.security.http.ssl.keystore.secure_password"));
+        assertThat(e.getMessage(), containsString("xpack.security.authc.token.passphrase"));
+    }
+
     private void assertTribeNodeHasAllIndices() throws Exception {
         assertBusy(() -> {
             Set<String> indices = new HashSet<>();