Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reloadable secure settings for plugins #29135

Closed
6 tasks done
albertzaharovits opened this issue Mar 19, 2018 · 1 comment
Closed
6 tasks done

Reloadable secure settings for plugins #29135

albertzaharovits opened this issue Mar 19, 2018 · 1 comment
Assignees
@albertzaharovits
Labels
:Core/Infra/Plugins Plugin API and infrastructure >feature Meta v6.4.0 v7.0.0-beta1

Comments

@albertzaharovits
Copy link
Contributor

albertzaharovits commented Mar 19, 2018
edited
Loading

EDITED:
The reload-secure-store-action branch tracks the progress of making some of the plugins' secure settings reloadable.

Passwords and access keys of the clients used internally for remote calls are stored as secure settings inside the elasticsearch.keystore file. The contents of this file are retrievable only after decryption, using a password. Currently, the password is only available during node initialization. This effectively renders these settings immutable, as they are read only once, during initialization.

In the new proposed approach, plugins that are using internal clients (AWS, Azure, etc.) should not cache client instances but instead should require a client from a "Registry Service". There is one such service for each plugin. The client instance should be requested on each use (call to external system). Generally, it should be inexpensive for the "Registry Service" to service such demands. The "Registry Service", acting as a client cache, should allow for the clients' credentials to be changed. After the credentials change, subsequent client requests will return a new client constructed with the new credentials. Client instances that have been used before any credentials change will continue to be usable. The present implementation is of a best effort type. Currently, there is no way to wait for plugins to ditch the old settings and use only the new ones. In essence, this is because there is no strict rule of what reload means or what reload is complete means. It might be possible (high hanging fruit) for plugins to signal their completed reload.

The credentials change when the node rereads and decrypts the local keystore. For decryption it requires the password which is broadcasted by a TransportNodesAction action. The password should not be cached anywhere. When the TransportNodesAction action has returned, the keystore is no longer readable.

Too much noise already.
Plugins wishing to become "reloadable" should implement the ReloadablePlugin interface. They have to implement void reload(Settings settings) throws Exception. The settings parameter contains retrievable SecureSettings, but only if accessed under the reload call stack, i.e. don't pass the settings object to an async task and expect for SecureSettings to be further retrievable. Once the reload method has returned the keystore is sealed again.

Tasks:

Secure settings are also used at these other places:

  • SSL Configuration
  • watcher notification integrations (hipchat, jira, pagerduty, slack)
  • LDAP and AD Realm bind password

They might also benefit of this "reloadable" capability.
@albertzaharovits albertzaharovits self-assigned this Mar 19, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra

This was referenced Mar 26, 2018
Closed
Closed
@albertzaharovits albertzaharovits mentioned this issue Mar 30, 2018
Merged
This was referenced Apr 29, 2018
Closed
Closed
DaveCTurner added a commit to DaveCTurner/elasticsearch that referenced this issue May 6, 2018
@DaveCTurner
Add support for AWS session tokens
2ccaeaa 
AWS supports the creation and use of credentials that are only valid for a
fixed period of time. These credentials comprise three parts: the usual access
key and secret key, together with a session token. This commit adds support for
these three-part credentials to the EC2 discovery plugin and the S3 repository
plugin.

Note that session tokens are only valid for a limited period of time and yet
there is no mechanism for refreshing or rotating them when they expire without
restarting Elasticsearch.  Nonetheless, this feature is already useful for
nodes that need only run for a few days, such as for training, testing or
evaluation. elastic#29135 tracks the work towards allowing these credentials to be
refreshed at runtime.

Resolves elastic#16428
@DaveCTurner DaveCTurner mentioned this issue May 6, 2018
Merged
@albertzaharovits albertzaharovits mentioned this issue May 17, 2018
Merged
@tlrx tlrx mentioned this issue May 22, 2018
Closed
@albertzaharovits albertzaharovits mentioned this issue May 31, 2018
Merged
This was referenced Jun 7, 2018
Merged
Merged
Merged
@albertzaharovits albertzaharovits mentioned this issue Jun 16, 2018
Merged
@albertzaharovits albertzaharovits changed the title Reloadable settings for plugins Reloadable secure settings for plugins Jun 16, 2018
@albertzaharovits albertzaharovits mentioned this issue Jun 21, 2018
Merged
@scottsom scottsom mentioned this issue Jun 29, 2018
Closed
@albertzaharovits albertzaharovits mentioned this issue Jul 2, 2018
Merged
DaveCTurner added a commit that referenced this issue Jul 3, 2018
@DaveCTurner
Add support for AWS session tokens (#30414)
4108722 
AWS supports the creation and use of credentials that are only valid for a
fixed period of time. These credentials comprise three parts: the usual access
key and secret key, together with a session token. This commit adds support for
these three-part credentials to the EC2 discovery plugin and the S3 repository
plugin.

Note that session tokens are only valid for a limited period of time and yet
there is no mechanism for refreshing or rotating them when they expire without
restarting Elasticsearch.  Nonetheless, this feature is already useful for
nodes that need only run for a few days, such as for training, testing or
evaluation. #29135 tracks the work towards allowing these credentials to be
refreshed at runtime.

Resolves #16428
DaveCTurner added a commit that referenced this issue Jul 3, 2018
@DaveCTurner
Add support for AWS session tokens (#30414)
45ac820 
AWS supports the creation and use of credentials that are only valid for a
fixed period of time. These credentials comprise three parts: the usual access
key and secret key, together with a session token. This commit adds support for
these three-part credentials to the EC2 discovery plugin and the S3 repository
plugin.

Note that session tokens are only valid for a limited period of time and yet
there is no mechanism for refreshing or rotating them when they expire without
restarting Elasticsearch.  Nonetheless, this feature is already useful for
nodes that need only run for a few days, such as for training, testing or
evaluation. #29135 tracks the work towards allowing these credentials to be
refreshed at runtime.

Resolves #16428
ywelsch pushed a commit that referenced this issue Aug 1, 2018
@albertzaharovits
[DOCS] Reloadable Secure Settings (#31713)
2d87287 
Docs on reloadable secure settings for plugins #29135 .
albertzaharovits added a commit that referenced this issue Aug 1, 2018
@albertzaharovits
[DOCS] Reloadable Secure Settings (#31713)
89a25a6 
Docs on reloadable secure settings for plugins #29135 .
@albertzaharovits albertzaharovits mentioned this issue Aug 20, 2018
Merged
albertzaharovits added a commit that referenced this issue Aug 23, 2018
@albertzaharovits
[DOCS] Reloadable Secure Settings (#31713)
e3e69ae 
Docs on reloadable secure settings for plugins #29135 .
albertzaharovits added a commit that referenced this issue Aug 26, 2018
@albertzaharovits
Reload Secure Settings REST specs & docs (#32990)
fbe609d 
This is a minimal REST API spec and docs for the REST handler
for the `_nodes/reload_secure_settings endpoint`.

Relates #29135
albertzaharovits added a commit that referenced this issue Aug 26, 2018
@albertzaharovits
Reload Secure Settings REST specs & docs (#32990)
db75566 
This is a minimal REST API spec and docs for the REST handler
for the `_nodes/reload_secure_settings endpoint`.

Relates #29135
albertzaharovits added a commit that referenced this issue Aug 26, 2018
@albertzaharovits
Reload Secure Settings REST specs & docs (#32990)
a533427 
This is a minimal REST API spec and docs for the REST handler
for the `_nodes/reload_secure_settings endpoint`.

Relates #29135
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@albertzaharovits albertzaharovits

Labels
:Core/Infra/Plugins Plugin API and infrastructure >feature Meta v6.4.0 v7.0.0-beta1
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@colings86 @bleskes @albertzaharovits @elasticmachine